What we've found so far:
a "..." directory somewhere on the system containing sscan.tgz and a directory
scan/ holding luckscanx, luckstatx, x
Seems to grab scan.log, read a class-A address, delete scan.log and proceed
to scan the entire class-A on port 111 - while some incoming things happen
on port 21 and one (non-existent) host will stay in wait state on local
port 110.
Sometimes the ... directory is hidden and sometimes not. Seems like more
than one point of origin - although, since Jan 25, I've had the following
ip (or 216.90.222.219) in the following state (continually reconnecting and
going into wait):
tcp 0 0 my.network.com:110 216.90.222.220:3504 TIME_WAIT -
and, I have a load of named failures from the same IP with bad referral
(again either .219 or .220):
daemon:Jan 25 17:40:44 xxx named[8863]: bad referral (222.90.216.in-addr.arpa !< 219.222.90.216.IN-ADDR.ARPA)
Seems to kick off about the same time every night (around 8-8:30 CST) -
including re-installation of the rootkit. Don't know the name of the
rootkit. This particular luckscanx attack is signed luciffer_at_luciffer.org
and rht.com (Romanian Hacking Team). It replaces ps, top, named, netstat,
etc....... all the goodies. Runs in background.
At the same time I get a lot of anon ftp requests (failed) from one cable
modem or another (or dsl).
I'm still looking for the entry point - any help anyone can offer will be
gladly appreciated.
Jay
----- Original Message -----
From: "Lic. Rodolfo Gonzalez Gonzalez" <rgg_at_SOLARIUM.CS.BUAP.MX>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Tuesday, February 06, 2001 12:34 AM
Subject: Re: Crazy port 111 scans
> On Mon, 5 Feb 2001, Reeves, Mike wrote:
>
> > I have had more 111 scans this past 5 days than in the last 2 months. Is
> > there some new RPC exploit or something?
> > Anyone else seeing these hosts?
>
> It could be Ramen, couldn't it? I've seen tons of scans to 111 and 515
> and 21 :o
>
> Regards.
Received on Feb 06 2001