Educause Security Discussion
mailing list archives
Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: "James J. Barlow" <jbarlow () NCSA UIUC EDU>
Date: Wed, 24 Jan 2007 18:16:19 -0600
Good writeup and thanks for the info. I just have a couple things to
add since what Brian Smith-Sweeney from NYU replied with is spot on to
what we have seen here at NCSA.
As for the sample binary or script that attacks port 6000, we caught
one of these scanning out of our network with a compromised account.
The malware that they were using was pretty basic (this may or may not be
similar to what was on your network). A script runs a binary which would
do a scan given a network block and port, then would put the open IPs
into a file. The script then feeds those IP addresses into another binary
that would attach to port 6000 of the remote host and start keystroke
logging to a file. The last script would check the keystroke files for
ssh, telnet, and rlogin attempts.
We have this package if you are interested, and have used it to scan
our network on occasion to see if there are open X-servers (and it's
amazing how many one can actually find). We were just surprised that
they were not looking for more juicy stuff like SSH RSA passphrases,
PGP passphrases, or grid cert passphrases.
On Wed, Jan 24, 2007 at 04:42:36PM -0500, Warren Petrofsky wrote:
On several of our machines we found scripts and IRC bots installed in
obfuscated directories like /dev/shm/ /someDirName or
/var/samba/ /samba/.. /someDirName. (note the spaces and dots). We
have yet to find a sample of the binary or script attacking port 6000.
James J. Barlow <jbarlow () ncsa uiuc edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
1205 West Clark Street, Urbana, IL 61801
http://www.ncsa.uiuc.edu/~jbarlow
Voice: (217)244-6403 | Cell: (217)840-0601 | Fax: (217)244-1987
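The "open X-server" condition the post describes (a server on port 6000 that lets any client attach) is decided by the X11 connection-setup handshake: the server answers an unauthenticated setup request with Success, Failed or Authenticate. The following added example (not code from the post or from the package James describes) sends that request to a host you administer and decodes the reply, so an audit can report which displays accept unauthenticated clients; the host name, display number and timeout are assumed parameters.

```python
import socket
import struct

# X11 connection-setup status codes (X Window System Protocol, "Connection Setup").
X11_FAILED, X11_SUCCESS, X11_AUTHENTICATE = 0, 1, 2
X11_PORT_BASE = 6000  # display :N listens on TCP port 6000 + N

def build_setup_request() -> bytes:
    """Little-endian setup request carrying no authorization name or data.

    A server with access control enabled answers Failed (or Authenticate);
    one that answers Success has granted this unauthenticated client full access."""
    # byte order 'l', unused, major 11, minor 0, auth-name len 0, auth-data len 0, 2 unused
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)

def parse_setup_reply(header: bytes, extra: bytes) -> dict:
    """Decode an 8-byte setup reply header plus its additional data."""
    status = header[0]
    if status == X11_SUCCESS:
        # Success body: 4 CARD32s, vendor length (offset 16), max-request-length,
        # 8 single-byte fields, 4 unused bytes, then the vendor string at offset 32.
        vendor_len = struct.unpack_from("<H", extra, 16)[0]
        detail = extra[32:32 + vendor_len].decode("latin-1")
    elif status == X11_FAILED:
        detail = extra[:header[1]].decode("latin-1")  # header[1] = reason length
    else:  # Authenticate: reason text fills the additional data
        detail = extra.rstrip(b"\0").decode("latin-1")
    return {"status": status, "open": status == X11_SUCCESS, "detail": detail}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("X server closed the connection early")
        buf += chunk
    return buf

def check_x_server(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Ask the X server on host:display whether it accepts an unauthenticated client."""
    with socket.create_connection((host, X11_PORT_BASE + display), timeout=timeout) as s:
        s.sendall(build_setup_request())
        header = _recv_exact(s, 8)
        extra_len = struct.unpack_from("<H", header, 6)[0] * 4  # length is in 4-byte units
        return parse_setup_reply(header, _recv_exact(s, extra_len))

if __name__ == "__main__":
    import sys
    print(check_x_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A result with `"open": True` means the display would accept the keylogging client described above; `"detail"` carries the server's vendor string on Success or its refusal reason (for example "No protocol specified") on Failed.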