From: Mihai Moldovanu (mihaimPROFM.RO)
Date: Mon Jan 15 2001 - 06:40:16 CST


    Jason Lewis wrote:

    > I couldn't find any of those addresses, but I have similar scans in my logs.
    >
    > 63.91.6.36
    > 64.32.209.213
    > 64.21.114.2
    > 66.22.62.2
    > 216.98.160.251

    Yes. The same problem here. But not only 111. 21 also.
    We deployed a honeypot and waited to be compromised. It took 12 hours to be
    compromised. I took it out of the network
    and this is what I found on it:
    It seems like a worm that installs StatDXscan (Class B rpc.statd scanner),
    wu-ftpd scanner, a modified t0rn rootkit along with Adore LKM rootkit, and
    flood tools: Sl2, smurf5, trojaned sshd running on port 48480.
    t0rnscan has inside it the following string: irc.webbernet.net:6667

    --
    Lead programmer,
    Mihai Moldovanu (mihaimprofm.ro)
    WEB:    http://tfm.profm.ro/
                 http://www.developers.ro/
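
A defender-side check for the backdoor listener reported in the message above (sshd on port 48480), as an added example that is not part of the original post: it parses socket-table text in the Linux `/proc/net/tcp` format and lists listening ports outside an allowlist. The sample table, the `EXPECTED_PORTS` allowlist and the function names are constructed assumptions.

```python
# Added example: flag unexpected TCP listeners in /proc/net/tcp-format text.
# SAMPLE is constructed data; EXPECTED_PORTS is an assumed allowlist.
import sys

LISTEN = "0A"  # state code for a listening socket in /proc/net/tcp

SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1187 1
   2: 00000000:BD60 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4410 1
   3: 0A000005:0016 0A000009:C350 01 00000000:00000000 00:00000000 00000000     0        0 4523 1
"""

EXPECTED_PORTS = {22}  # assumption: only the legitimate sshd should listen


def listening_ports(table_text):
    """Return the sorted local ports that are in LISTEN state."""
    ports = set()
    for line in table_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # malformed row, or an established/closing socket
        # local_address is HEXADDR:HEXPORT; the port is the part after ':'
        port_hex = fields[1].rpartition(":")[2]
        ports.add(int(port_hex, 16))
    return sorted(ports)


def unexpected_listeners(table_text, expected=EXPECTED_PORTS):
    """Return listening ports that are not in the allowlist."""
    return [p for p in listening_ports(table_text) if p not in expected]


if __name__ == "__main__":
    # Pass a saved copy of /proc/net/tcp as argv[1]; otherwise use SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for port in unexpected_listeners(text):
        print("unexpected listener on TCP port", port)
```

A kernel-level rootkit can filter this view on the affected host itself, so compare the result with a port scan run from another machine.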