Re: [FW1] Port scan from ftp-data to 5665?
A repost from [email protected] (I'll also add these to my list on securitystats.com this week sometime):

_________________________________

Date: Wed, 18 Oct 2000 11:23:20 -0400
Sender: Incidents Mailing List <[email protected]>
From: josh <[email protected]>
Subject: RedHat 6.2 boxes root'ed, shitc.tgz installed
To: [email protected]

A client of our company's had 5 or so RedHat 6.2 boxes rooted (default install, everything enabled - that's what they get for not letting us build 'em ;)

The attackers left behind a tarball called 'shitc.tgz' in /usr/bin/.../.terminfo

There is a modified sshd /bin/fgry which listens on port 5665 and /bin/in.slogind that listens on port 19000. There was also a bouncer, mdidentd, etc. Plus a little shell script called "die" to install all the good stuff for you.

It left text files in /dev/hdaa, /dev/ddth3, /dev/ddtz1 that are config files for the modified programs to ignore.

Binaries replaced are: ls, named, nc, netstat, ps, pstree, rpc.statd, sloging, syslogd, and top.

The tarball also came with some DoS tools - boink, bonk, citra, flip, frag, jolt, lod, land, land2, land2, moyari13, nestea, ntear, smbquery, ssping, syndrop, tear2, teardrop, w2, whisper, ww.

The rootkit also came with a bunch of network scanning utilities and the like.

Just a heads up - scan your boxes for ports 5665 and 19000. There also could be processes listening on ports 24, 63, 1900, and 6667. (If you don't already have ircd running)

-- josh
_____________________________________

Hope this helps!

Jason

At 11:11 AM 10/30/00 -0500, Gross, Jason D wrote:
>
> Just curious to know if anyone has heard of a trojan or other nasty thing
> that might be listening on TCP 5665?
>
> Our network had a huge scan performed by a host in Germany (212.172.54.252).
> The source port was TCP 20 and the destination port was 5665.
>
> I've looked through Bugtraq and the trojan lists but have come up empty.
>
> If anyone has any info or can point me to something that has the info, I'd
> appreciate it.
>
> ---------------------------------------------------------------------
> Jason Gross
> Network & Communications Services
> Platform Engineering & Operations Services
> United Space Alliance
>
> [email protected]
> V:F:
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
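A host check for the listeners and files josh lists, as an added example that is not part of this thread (Python, assumes a Linux host where /proc/net/tcp is readable). Because this rootkit replaces netstat and ps, the check reads /proc/net/tcp directly instead of trusting those binaries; the sample table embedded below is constructed, not captured from the incident.

```python
# Added example (not from the thread): check a Linux host for the listeners
# and files the post describes. The rootkit replaces netstat/ps, so a
# userland rootkit like this one can hide its sockets from those tools;
# reading /proc/net/tcp directly sidesteps the replaced binaries.
# Ports and paths come from the post; the sample table below is constructed.
import os

# Ports named in the post: modified sshd (5665), in.slogind (19000) and the
# other possible listeners; 6667 is only suspicious if no ircd is expected.
ROOTKIT_PORTS = {5665, 19000, 24, 63, 1900, 6667}
# Hidden config files and the tarball directory named in the post.
ROOTKIT_PATHS = ["/dev/hdaa", "/dev/ddth3", "/dev/ddtz1",
                 "/usr/bin/.../.terminfo"]
TCP_LISTEN = "0A"  # value of the 'st' column for LISTEN in /proc/net/tcp


def listening_ports(proc_net_tcp_text):
    """Return the set of local TCP ports in LISTEN state.

    Each data line is '<sl>: <hexip>:<hexport> <hexip>:<hexport> <st> ...'.
    """
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def suspicious_ports(proc_net_tcp_text):
    """Ports from the post that are actually listening on this host."""
    return sorted(listening_ports(proc_net_tcp_text) & ROOTKIT_PORTS)


def present_paths(paths=ROOTKIT_PATHS):
    """Rootkit files/directories from the post that exist on this host."""
    return [p for p in paths if os.path.lexists(p)]


# Constructed sample: real sshd on 22 (0x0016), the modified sshd on
# 5665 (0x1621), in.slogind on 19000 (0x4A38), and one established session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 00000000:1621 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235
   2: 00000000:4A38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236
   3: 0100007F:0016 0100007F:8A3C 01 00000000:00000000 00:00000000 00000000     0        0 1237
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:  # live check; run as root for the full view
        print("suspicious listeners:", suspicious_ports(f.read()))
    print("rootkit paths present:", present_paths())
```

A kernel-level rootkit could still falsify /proc, so a hit here is a strong signal but a clean result is not proof; a scan from a separate trusted host for the same ports complements it.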