OSEC

From: Roberto (cininiTERRA.ES)
Date: Mon Jan 15 2001 - 20:54:14 CST


Hello,

Having seen this too: for the past few days it has been originating mostly from pacbell.net hostnames, but in my case it also involves lpd; a w0rm is my guess. I think t0rn, or whoever is behind this, is involved here too, since my machine was hacked, as I posted a few weeks ago. I have managed to find the dir used for this: it was /lib/ldd.so, where there was tksb ("sauber") and tks ("sniffer"), and it turns out it was the new t0rnkit behind it. Is there more information on this kit? Certain dirs / ports / analysis? Anything?

Bye

> On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu <mihaimPROFM.RO> wrote:
>
> > Yes. The same problem here. But not only 111; 21 also.
> > We deployed a honeypot and waited to be compromised. It took 12 hours to be
> > compromised. I took it out of the network and this is what I found on it:
> > It seems like a worm that installs StatDXscan (Class B rpc.statd scanner),
> > a wu-ftpd scanner, a modified t0rn rootkit along with the Adore LKM rootkit, and
> > flood tools: Sl2, smurf5, trojaned sshd running on port 48480.
> > t0rnscan has inside it the following string: irc.webbernet.net:6667
> >
>
> We had a machine compromised in the early hours of this morning via
> wu-ftpd.
>
> Here are the network traffic logs as generated by argus, interleaved with
> my interpretation:
>
> initial FIN/SYN scan packet
> 16 Jan 01 01:06:48 tcp 194.163.254.235.21 <o> 130.216.7.109.21 2 1 0 0 FSR_SA
> Grab ftp banner:
> 16 Jan 01 01:06:49 tcp 194.163.254.235.1239 -> 130.216.7.109.21 6 5 0 95 FSRA_FSPA
> compromise via site exec (recorded independently by snort)
> 16 Jan 01 01:08:00 tcp 194.163.254.235.1255 o> 130.216.7.109.21 19 17 1678 2051 SRPA_SPA
> get tools to install from 'home'
> 16 Jan 01 01:08:15 tcp 130.216.7.109.2846 -> 194.163.254.235.27374 39 69 545 95282 FSPA_FSPA
> launch scanner on 156.82.0.0/8
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.1.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.2.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.3.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.4.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.5.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.6.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.7.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.8.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.9.21 1 0 0 0 FS_
> 16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.10.21 1 0 0 0 FS_
>
> All fairly standard stuff except that the whole process took under 2
> minutes from initial probe to launching the scanner.
>
> I conclude that what we have here is a worm spreading via ftp.
>
> I have port scanned the compromised system and it is listening on port
> 27374, the same as the one on 194.163.254.235 where it got its tools
> from. When I connected to this port via telnet I got a large amount
> of binary data dumped to the terminal. No other unusual ports open.
>
> I have not examined the compromised system myself yet; it's in another
> department across campus.
>
> I scanned our network traffic for the last couple of days looking for
> traffic to tcp 27374 and found very slow scans going from one address.
>
> 194.163.254.235 also probed tcp 111 on machines that responded to
> the ftp scan but were not vulnerable to their ftp exploit.
>
> Cheers, Russell.
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand.
>
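The sequence Russell's argus log shows (probe, banner grab, SITE EXEC session with data both ways, tool fetch from tcp/27374, then an outbound tcp/21 scan a few seconds later) is a pattern a flow collector can be made to flag on its own. The Python below is an added example written for this edit, not code from any poster in the thread and not part of argus. It parses records shaped like the ra(1) excerpt quoted above (the direction token is captured but treated as opaque text), applies thresholds chosen here for illustration (eight unanswered single-packet tcp/21 flows from one host inside 60 seconds, and a reply more than ten times the request size on port 27374, the port both compromised hosts in the thread listened on), and runs over a constructed sample that reuses the shape of the quoted log with RFC 5737 documentation addresses instead of the real ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches one ra(1)-style record of the shape quoted in the thread:
#   date time proto src.sport dir dst.dport spkts dpkts sbytes dbytes state
# The direction token ("->", "<->", "o>", ...) is captured but never interpreted.
FLOW_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+)\s+(?P<dir>\S+)\s+"
    r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+(?P<state>\S+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; return None for lines that are not flow records."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%d %b %y %H:%M:%S"),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "spkts": int(d["spkts"]), "dpkts": int(d["dpkts"]),
        "sbytes": int(d["sbytes"]), "dbytes": int(d["dbytes"]),
        "state": d["state"],
    }


# Tunables: the port comes from the thread, the window and threshold are assumptions for this example.
DROP_PORT = 27374
SCAN_WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 8   # unanswered single-packet tcp/21 flows from one host inside the window


def find_worm_victims(lines, drop_port=DROP_PORT, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Return {victim_ip: details} for hosts showing exploit -> tool fetch -> tcp/21 scan burst."""
    flows = [f for f in (parse_flow(l) for l in lines) if f and f["proto"] == "tcp"]
    flows.sort(key=lambda f: f["ts"])
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)

    report = {}
    for host, outbound in by_src.items():
        # Stage 2: the host pulled something from the drop port and got far more back than it sent.
        fetches = [f for f in outbound if f["dport"] == drop_port and f["dbytes"] > 10 * f["sbytes"]]
        # Stage 3: a burst of single-packet, unanswered tcp/21 flows means the scanner is running.
        probes = [f for f in outbound if f["dport"] == 21 and f["spkts"] == 1 and f["dpkts"] == 0]
        burst = None
        for i, first in enumerate(probes):
            run = [p for p in probes[i:] if p["ts"] - first["ts"] <= window]
            if len(run) >= threshold:
                burst = run
                break
        if not fetches or burst is None:
            continue
        # Stage 1: an inbound tcp/21 session with payload in both directions before the fetch
        # (the exploit itself; a banner grab carries no client bytes and is therefore skipped).
        fetch_ts = fetches[0]["ts"]
        exploit = [f for f in flows if f["dst"] == host and f["dport"] == 21
                   and f["sbytes"] > 0 and f["dbytes"] > 0 and f["ts"] <= fetch_ts]
        report[host] = {
            "attacker": exploit[-1]["src"] if exploit else None,
            "fetched_from": fetches[0]["dst"],
            "probe_count": len(burst),
            "scanned": [p["dst"] for p in burst],
            "exploit_to_scan": (burst[0]["ts"] - exploit[0]["ts"]) if exploit else None,
        }
    return report


# Constructed sample shaped like the argus excerpt in the thread, using RFC 5737 documentation
# addresses: 198.51.100.7 plays the attacker, 192.0.2.10 the victim, 203.0.113.0/24 the scanned range.
SAMPLE_FLOWS = [
    "16 Jan 01 01:06:48 tcp 198.51.100.7.21 <-> 192.0.2.10.21 2 1 0 0 FSR_SA",             # FIN/SYN probe
    "16 Jan 01 01:06:49 tcp 198.51.100.7.1239 -> 192.0.2.10.21 6 5 0 95 FSRA_FSPA",         # banner grab
    "16 Jan 01 01:08:00 tcp 198.51.100.7.1255 -> 192.0.2.10.21 19 17 1678 2051 SRPA_SPA",   # exploit session
    "16 Jan 01 01:08:15 tcp 192.0.2.10.2846 -> 198.51.100.7.27374 39 69 545 95282 FSPA_FSPA",  # tool fetch
] + [
    f"16 Jan 01 01:08:22 tcp 192.0.2.10.21 -> 203.0.113.{i}.21 1 0 0 0 FS_" for i in range(1, 11)
] + [
    # Noise that must not be flagged: an admin poking the drop port, an ordinary ftp login, junk text.
    "16 Jan 01 09:12:03 tcp 192.0.2.50.40001 -> 192.0.2.10.27374 3 2 0 45 FSA_FSPA",
    "16 Jan 01 09:30:00 tcp 192.0.2.60.1100 -> 192.0.2.70.21 12 10 230 610 FSPA_FSPA",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for victim, info in find_worm_victims(SAMPLE_FLOWS).items():
        print(victim, info)
```

The three stages are required together on purpose: a lone connection to tcp/27374 is exactly what Russell did by hand with telnet, and a lone unanswered tcp/21 flow is routine, so either alone would page you constantly. The burst threshold is the only value worth tuning; a scanner sweeping a whole range from one host, as in the quoted log where ten probes share a single timestamp, clears any sensible threshold within its first second.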