OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Sean Brown (srbrownAPPGEO.COM)
Date: Wed Jan 17 2001 - 07:24:39 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I've been sending a boiler-plated email with log and WHOIS entries to
    the postmaster/abuse/admin account for the registered domain as well as
    their upstream ISP. For US and Canadian domains, I've gotten very
    positive responses ("We've taken the box offline and are investigating",
    "Our box was rooted, thanks for calling this to our attention").
    Foriegn registered domains (Korea, Japan, some European domains) have
    been less responsive but it makes me feel better. YMMV.

    Sean

    Magnus Ullberg wrote:
    >
    > I checked our logs and it seems likve we've had 10-20 different ip addresses
    > scan for tcp/111, tcp/21, or tcp/27374
    > Whats the standard approach? Just leave it alone since it doesn't affect
    > your network or contact the people the scan came from?
    > One of the sites resolve to mailgate.lostinspace-hub.com.. that sounds like
    > a box they don't want rooted.. so I will probably email them.. but what
    > about the other? There are misc. home/dialup addresses, etc.
    >
    > Thanks,
    > Magnus Ullberg
    > Network Coordinator
    >
    > Area Bancshares Corporation
    > Networking Department
    > 230 Frederica St.
    > Owensboro, KY 42301
    >
    > -----Original Message-----
    > From: Steve Clement [SMTP:steveALDIGITAL.CO.UK]
    > Sent: Tuesday, January 16, 2001 7:39 AM
    > To: INCIDENTSSECURITYFOCUS.COM
    > Subject: Re: FTP and RPC based worms [was anyone else ...]
    >
    > Russell Fulton wrote:
    > >
    > > On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu
    > <mihaimPROFM.RO>
    > > wrote:
    > >
    > > All fairly standard stuff except that the whole process took under
    > 2
    > > minutes from initial probe to launching the scanner.
    > >
    > > I conclude that what we have here is a worm spreading via ftp.
    > >
    > > I have port scanned the compromised system and it is listening on
    > port
    > > 27374, the same as the one on 194.163.254.235 where it got its
    > tools
    > > from. When I connected to this port via telnet I got a large
    > amount
    > > of binary data dumped to the terminal. No other unusual ports
    > open.
    > >
    > > I have not examined the compromised system myself yet, its in
    > another
    > > department across campus.
    > >
    > > I scanned our network traffic for the last couple of days looking
    > for
    > > traffic to tcp 27374 and found a very slow scans going from one
    > address.
    > >
    > > 194.163.254.235 also probed tcp 111 on machines that responded to
    > > the ftp scan but were not vulnerable to their ftp exploit.
    > >
    >
    > No wonder they've been hacked with a out of the box redhat 7.0
    > Install..., that site's hostname is btw: sms.convidis.de a very nice
    > sms
    > portal, it delivered my sms to the uk in under 5sec's, someone
    > should
    > contact them and make them aware of the fact that they' ve been
    > hacked... http://www.convidis.de if theres trouble with germa I
    > could
    > probably help out...
    >
    > cheers steve
    >
    > --
    > Steve
    > A.L. Digital Ltd.
    > Voysey House
    > Barley Mow Passage
    > London W4 4GB mailto:stevealdigital.co.uk
    > UNITED KINGDOM PGP key on keyservers 

    --
~~~~~~~~~~~~~~~
Sean R. Brown - srbrownappgeo.com
System Administrator   Applied Geographics, Inc.   Boston, MA