Snort mailing list archives
Linux worm: stuff.tgz, CHAOS/TXT
From: "Ian Jones" <ian () dsl081-056-052 dsl-isp net>
Date: Sat, 23 Jun 2001 13:57:27 -0700
Is this something that has been around for a while?

There is a worm spreading via bind (surprise!) which scans for victims using CHAOS/TXT queries. After finding and compromising the victim it establishes a webserver on tcp port 12321 on the victim to serve files to future victims. I checked my packet dumps and found several infected hosts.

If you want to poke at it, the following host is currently up, but I did notify the whois contact.

http://203.85.223.195:12321/stuff.tgz
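One way to look for the scanning behaviour described in the post in captured UDP/53 payloads, as an added example that is not part of the original message: it parses the DNS question and reports sources that send CHAOS-class TXT queries to several distinct servers. The function names, the `min_targets` threshold, the `version.bind` query name and the sample addresses are assumptions made for this illustration.

```python
import struct
from collections import defaultdict

QTYPE_TXT, QTYPE_A = 16, 1      # RFC 1035 type codes
QCLASS_IN, QCLASS_CH = 1, 3     # RFC 1035 class codes (CH = CHAOS)

def parse_question(payload):
    """Return (qname, qtype, qclass) of the first question in a DNS query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:        # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                      # name runs past the end of the packet
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(payload):
            return None                      # pointer or overrun: treat as malformed
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass

def chaos_txt_scanners(packets, min_targets=3):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Return {src: sorted targets}."""
    targets = defaultdict(set)
    for src, dst, payload in packets:
        q = parse_question(payload)
        if q and q[1] == QTYPE_TXT and q[2] == QCLASS_CH:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def build_query(name, qtype, qclass, txid=0x1234):
    """Build a DNS query packet; used here only to construct sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, qclass)

# Constructed sample traffic (documentation addresses; query name is an assumption)
SAMPLE = [("192.0.2.10", f"198.51.100.{i}", build_query("version.bind", QTYPE_TXT, QCLASS_CH))
          for i in range(1, 5)]
SAMPLE.append(("192.0.2.20", "198.51.100.1", build_query("example.com", QTYPE_A, QCLASS_IN)))
SAMPLE.append(("192.0.2.30", "198.51.100.1", build_query("version.bind", QTYPE_TXT, QCLASS_CH)))
```

The match is on class and type only, so it does not depend on the query name; a host that later accepts connections on tcp port 12321 after being queried this way would be the follow-up check in flow data.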
