Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Mihai Moldovanu (mihaimPROFM.RO)
Date: Mon Jan 15 2001 - 06:40:16 CST
Jason Lewis wrote:
> I couldn't find any of those addresses, but I have similar scans in my logs.
Yes . The same problem here . But not only 111 . 21 also.
We deployed a honnypot and waited to be compromised. It took 12 hours to be
compromised. I took it out of the network
and this is what i found on it :
It seemns like a worm that installs StatDXscan ( Class B rpc.statd scanner) ,
wu-ftpd scanner , a modified t0rn rootkit along with Adore LKM rootkit , and
tools : Sl2 , smurf5 , tojaned sshd running on port 48480 )
t0rnscan has inside it the following string: irc.webbernet.net:6667
-- Lead programmer, Mihai Moldovanu (mihaimprofm.ro) WEB: http://tfm.profm.ro/ http://www.developers.ro/