OSEC

From: Tracey Losco (tal1ACF3.NYU.EDU)
Date: Tue Apr 03 2001 - 14:51:34 CDT

    I sent a message to SANS regarding the traffic that everyone has been
    seeing and here is the response that I got back:

    >Tracey,
    >
    >I think what you are seeing is the red worm. I am working on the
    >full analysis on it now. You can find the brief info
    > http://www.sans.org/current.htm
    >
    >Matt

    At Tuesday 4/3/2001 12:15 PM, Tracey Losco wrote:
    >There's been a lot of email going back and forth on the Security
    >Focus mailing list about the possibility of a new exploit/worm out.
    >
    >Has anyone seen this type of traffic between last night and on into today?
    >We've had the same thing going on here at NYU since last night.
    >Scanning on 515 and then 3879. Scanning addresses seemed to be:
    >
    >166.104.44.169
    >206.71.87.172
    >24.112.153.186
    >132.229.227.138
    >202.39.21.155
    >213.97.29.6
    >
    >and a bunch of .edu addresses which are probably compromised
    >machines. Has anyone heard anything concrete about this?
    >

    At 12:14 AM -0600 4/3/01, Brett Glass wrote:
    >I believe that this is an attempt to exploit a format string
    >vulnerability in lprng, which can be run on a wide variety
    >of platforms. See
    >
    >http://www.cert.org/advisories/CA-2000-22.html
    >
    >--Brett
    >
    >At 11:57 AM 4/2/2001, Radu Brumariu wrote:
    >
    >>Hi all,
    >>I got these strange entries in /var/adm/messages this morning.
    >>
    >>Apr 2 11:30:12 xxxxx inetd[201]: printer[15797] from 149.76.5.20 1537
    >>Apr 2 11:30:12 xxxxx bsd-gw[15797]: Invalid protocol request (66):
    >>BBBXXXXXXXXXXXXXXXXXX%.144u%300$n%.44u%301$n%.254u%302$n%.192u%303$n
    >>111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    >>
    >>and it is repeated a lot of times. It looks like an automated tool,
    >>judging by the time difference between two consecutive entries.
    >>
    >>If someone knows what this is, please respond as soon as possible.
    >>I already checked CERT's website, but couldn't find anything recent and
    >>related to the problem.
    >>Could it be a modified version of Ramen?
    >>The OS is Solaris 2.6.
    >>
    >>
    >>Thank you,
    >>Radu

    --
    --------------------------------------------------------------------
    Tracey Losco
    Network Services			securitynyu.edu
    Information Technology Services		http://www.nyu.edu/its/security
    New York University			(212) 998 - 3433
    PGP Fingerprint: 8FFB FE47 6156 7BF0 B19E 462B 9DFE 51F5
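As an added example (not part of the original thread), this is the detection pass a defender could run over /var/adm/messages to pair the inetd "printer" connection records with the bsd-gw "Invalid protocol request" rejects quoted above, attribute each reject to its peer address via the shared PID, and flag only those requests whose body carries %n write directives, the tell-tale of a format-string attempt against lpd rather than a stray protocol error. The sample log is constructed; the hostnames, PIDs, the 10.0.0.x addresses and the shortened payload are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed /var/adm/messages sample modelled on the entries quoted in the thread.
# Hostnames, PIDs and the 10.0.0.x addresses are made up; the payload is shortened
# and keeps only the format directives that matter for detection.
SAMPLE_LOG = """\
Apr 2 11:30:12 xxxxx inetd[201]: printer[15797] from 149.76.5.20 1537
Apr 2 11:30:12 xxxxx bsd-gw[15797]: Invalid protocol request (66): BBBXXX%.144u%300$n%.44u%301$n
Apr 2 11:30:41 xxxxx inetd[201]: printer[15802] from 149.76.5.20 1540
Apr 2 11:30:41 xxxxx bsd-gw[15802]: Invalid protocol request (66): BBBXXX%.144u%300$n%.44u%301$n
Apr 2 11:35:03 xxxxx inetd[201]: printer[15810] from 10.0.0.7 40512
Apr 2 11:35:03 xxxxx bsd-gw[15810]: Invalid protocol request (4): junk
Apr 2 11:40:00 xxxxx sshd[300]: Accepted publickey for ops from 10.0.0.8
"""

# inetd logs the accepted peer under the child PID; bsd-gw (the lpd gateway) logs
# the rejected request under that same PID, which is how payload is tied to source.
INETD_RE = re.compile(r"inetd\[\d+\]: printer\[(\d+)\] from (\d{1,3}(?:\.\d{1,3}){3}) \d+")
BSDGW_RE = re.compile(r"bsd-gw\[(\d+)\]: Invalid protocol request \(\d+\): (.*)$")
# printf-style directive: optional positional "N$", flags, width, precision, conversion.
DIRECTIVE_RE = re.compile(r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?([diouxXeEfgGcspn])")


@dataclass
class Finding:
    source_ip: str
    pid: str
    directives: int        # all printf-style directives found in the rejected request
    write_directives: int  # %n conversions, which write to memory if ever interpreted


def scan_messages(text: str) -> List[Finding]:
    """Pair inetd 'printer' connections with bsd-gw rejects by PID and flag
    rejected requests whose body carries %n write directives."""
    peer_by_pid: Dict[str, str] = {}
    findings: List[Finding] = []
    for line in text.splitlines():
        m = INETD_RE.search(line)
        if m:
            peer_by_pid[m.group(1)] = m.group(2)
            continue
        m = BSDGW_RE.search(line)
        if not m:
            continue
        pid, body = m.groups()
        convs = DIRECTIVE_RE.findall(body)
        writes = convs.count("n")
        if writes:  # garbage without %n is a protocol error, not a format-string attempt
            findings.append(Finding(peer_by_pid.get(pid, "unknown"), pid, len(convs), writes))
    return findings


def attempts_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Repeat count per peer; steady repeats from one address match the
    'automated tool' cadence described in the thread."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.source_ip] = counts.get(f.source_ip, 0) + 1
    return counts
```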