Security Incidents mailing list archives

Re: backdoor or bot?


From: Patrick Oonk <patrick () pine nl>
Date: Thu, 28 Dec 2000 08:43:34 +0100

On Wed, Dec 27, 2000 at 02:41:04PM -0500, Jon Lewis wrote:
On Wed, 27 Dec 2000, Brian Caswell wrote:

painkeeper login:

My guess is, this is a backdoor.

Nah, it's most likely some script kiddie has added an issue.net onto
his ub3r ch3llz b0xz because he thinks it looks reet. Remember Hanlon's
Razor: Never attribute to malice that which can be adequately explained
by stupidity.

Sure...it could be a bot...but the bigger picture suggests to me that it's
not, or that even if it is, it's still an owned system.  Here we have a
Red Hat box in Korea.  It appears to be doing no access control (via
ipchains or tcp_wrappers) for the standard services, most of which have
been left running.  It's scanning portions of the internet for other
systems to break into (that's how I found it).  It has a couple things
listening for connections on odd ports, including what looks like sshd on
port 7879, yet there's no sshd on port 22.

This tells me someone has broken in, installed some scanning software,
perhaps setup a bot, and probably installed a backdoor version of ssh so
they can't be watched via a packet sniffer.

I see scans from machines like you mention in Korea almost twice a week.
CERT-KR responds pretty quickly to them though.
(http://www.certcc.or.kr/certcc/cert-2.htm).
This article in the Korea Herald
(http://www.koreaherald.co.kr/SITE/data/html_dir/2000/12/27/200012270081.asp) explains
that it is a large concern to them too.

        p.


--
 Patrick Oonk -  PO1-6BONE -  patrick () pine nl -  www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk () my security nl
 Tel: +31-70-3111010  -   Fax: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
            * looking for modules for a USR TotalSwitch *
 Excuse of the day: CPU needs bearings repacked
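The host triage Jon describes above (a known service on an odd port while its standard port is silent, plus programs launched from a scratch directory) can be turned into a quick check over `netstat -ltnp` output. This is an added example, not code from the list or its posters; the netstat lines and banner results are constructed to mirror the described box, and `parse_listeners`/`triage` are names assumed for this example.

```python
import re

# Constructed `netstat -ltnp`-style output modelled on the described host:
# sshd answers on 7879 while nothing listens on 22, plus an oddity on 31337.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:7879            0.0.0.0:*               LISTEN      1337/sshd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1340/./xx
"""

# Constructed banners, as a local banner grab of each port would return them.
SAMPLE_BANNERS = {7879: "SSH-1.5-OpenSSH-2.2.0p1", 31337: ""}

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def parse_listeners(text):
    """Return {port: program} for every TCP LISTEN line in netstat output."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[int(m.group(1))] = m.group(3)
    return listeners


def triage(listeners, banners):
    """Flag listeners that look like a relocated SSH daemon or an ad-hoc binary."""
    findings = []
    for port, prog in sorted(listeners.items()):
        banner = banners.get(port, "")
        # Trust the banner as well as the process name: a renamed binary
        # still has to speak SSH to be useful to whoever installed it.
        if prog == "sshd" or banner.startswith("SSH-"):
            if port != 22:
                reason = "SSH on non-standard port"
                if 22 not in listeners:
                    reason += ", nothing on 22"
                findings.append((port, prog, reason))
        elif prog.startswith("./"):
            findings.append((port, prog, "program started from a relative path"))
    return findings


if __name__ == "__main__":
    for port, prog, reason in triage(parse_listeners(SAMPLE_NETSTAT), SAMPLE_BANNERS):
        print(f"port {port:>5}  {prog:<8}  {reason}")
```

Feed it real `netstat -ltnp` (or `ss -ltnp`, after adjusting the regex) output and the banners you collected locally; a hit is a reason to pull the box off the network and image it, not to trust what its own binaries report.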