On Wed, Apr 25, 2001 at 11:27:58PM -0500, Chris Baker wrote:
> Date: Wed, 25 Apr 2001 23:27:58 -0500
> From: Chris Baker <extremisat_private>
> To: INCIDENTSat_private
> Subject: Re: TCP/1008 port scans
> Mail-Followup-To: INCIDENTSat_private
>
> On Wed, Apr 25, 2001 at 05:52:42AM -0000, Jeff Nieusma wrote:
> > X-Mailer: Security Focus
> > Date: Wed, 25 Apr 2001 05:52:42 -0000
> > From: Jeff Nieusma <nieusmaat_private>
> > Subject: TCP/1008 port scans
> > To: INCIDENTSat_private
> >
> > anyone else getting TCP scans directed at port
> > 1008? My solaris system says:
>
> Some flavors of the crew.tgz (lion worm) do not include the t0rn rootkit, and
> bind a root shell to tcp/1008. What you are most likely seeing is trolling for
> these types of compromised hosts.
>

Correction: There is no dependency on the 'flavor', because the root shell that is bound to port 1008 is part of the initial steps of the lion worm.

> >
> > - solaris7$ grep 1008 /etc/services
> > ufsd 1008/tcp ufsd # UFS-aware server
> > ufsd 1008/udp ufsd
> >
> > I've seen 215 log entries this month from 9 Internet
> > hosts aimed at 177 internal hosts behind a filter that
> > denies port 1008. Anyone know anything about this?
> >
> > Thanks,
> > - Jeff
> >
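
A host-side check for what the reply describes, a shell listening on tcp/1008, as an added example that is not part of the original thread: it parses text in the Linux `/proc/net/tcp` layout and reports LISTEN sockets on that port. The sample table is constructed, the function names are illustrative, and the address decoding assumes a little-endian host.

```python
"""Find TCP listeners on port 1008 in Linux /proc/net/tcp-format text."""
import socket
import struct

SUSPECT_PORT = 1008      # port named in the thread
TCP_LISTEN = 0x0A        # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:03F0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4711
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302
   3: 0A00000A:8C2E 0B00000A:03F0 01 00000000:00000000 00:00000000 00000000  1000        0 5120
"""


def parse_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' into (dotted IPv4 address, port)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the address in host byte order; assumes little-endian (x86).
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listeners_on(table_text, port=SUSPECT_PORT):
    """Return (address, port, uid, inode) for each LISTEN socket on `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue                              # ignore short or blank rows
        addr, lport = parse_endpoint(cols[1])
        # Match on local port and LISTEN state only; row 3 (an established
        # connection to a remote port 1008) is deliberately not a hit.
        if int(cols[3], 16) == TCP_LISTEN and lport == port:
            hits.append((addr, lport, int(cols[7]), int(cols[9])))
    return hits


if __name__ == "__main__":
    for addr, port, uid, inode in listeners_on(SAMPLE):
        print(f"LISTEN {addr}:{port} uid={uid} inode={inode}")
```

On a live Linux host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`; the inode in a hit can then be matched against `/proc/<pid>/fd` to identify the owning process.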
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 08:54:42 PDT