> -----Original Message-----
> From: Jens Hektor [mailto:hektorat_private-AACHEN.DE]
>
> I had two scans last night from two different machines with some indication that
> they were searching for backdoors. One scan included ingreslock & 1008,
> the other one just 1008. Might be that the Cisco's logging, which is rate-limited,
> did not catch up all tested ports. But the similarities between the two scans are stunning.

The attacker is looking for 1i0n:

Apr 21 08:39:02 MDT denied tcp 209.112.47.7 (4879) -> 10.37.138.100 (1008)
Apr 21 08:54:23 MDT denied tcp 209.112.47.7 (2318) -> 10.37.139.33 (1008)
Apr 21 10:54:34 MDT denied tcp 209.112.47.7 (1593) -> 10.37.137.217 (1008)
Apr 21 11:58:57 MDT denied tcp 209.112.47.7 (4529) -> 10.37.138.217 (1008)
Apr 21 12:04:05 MDT denied tcp 209.112.47.7 (4529) -> 10.37.138.217 (1008)
Apr 21 16:45:57 MDT denied tcp 209.112.47.7 (1725) -> 10.37.135.203 (1008)
Apr 22 00:21:44 MDT denied tcp 209.112.47.7 (2784) -> 10.37.141.213 (1008)
Apr 22 00:49:22 MDT denied tcp 209.112.47.7 (4058) -> 10.168.141.168 (1008)
Apr 23 13:45:30 MDT denied tcp 209.112.47.7 (4034) -> 10.37.142.206 (1008)
Apr 23 21:31:27 MDT denied tcp 209.112.47.7 (3595) -> 10.7.175.157 (1008)
Apr 24 05:13:11 MDT denied tcp 209.112.47.7 (2524) -> 10.174.184.197 (1008)
Apr 24 11:41:16 MDT denied tcp 209.112.47.7 (1855) -> 10.37.143.77 (1008)
Apr 24 12:55:35 MDT denied tcp 209.112.47.7 (4297) -> 10.37.141.12 (1008)
Apr 24 12:59:52 MDT denied tcp 209.112.47.7 (4297) -> 10.37.141.12 (1008)
Apr 24 14:55:50 MDT denied tcp 209.112.47.7 (4083) -> 10.168.143.79 (1008)
Apr 24 15:15:53 MDT denied tcp 209.112.47.7 (4587) -> 10.168.141.221 (1008)
Apr 24 16:59:16 MDT denied tcp 209.112.47.7 (3311) -> 10.174.184.180 (1008)
Apr 24 20:57:56 MDT denied tcp 209.112.47.7 (2941) -> 10.174.134.222 (1008)
Apr 25 12:27:42 MDT denied tcp 209.112.47.7 (4934) -> 10.174.205.171 (1008)
Apr 25 14:56:32 MDT denied tcp 209.112.47.7 (3290) -> 10.174.204.43 (1008)
Apr 25 21:10:40 MDT denied tcp 209.112.47.7 (1940) -> 10.7.175.149 (1008)
Apr 26 03:32:34 MDT denied tcp 209.112.47.7 (2136) -> 10.168.140.188 (1008)
Apr 26 05:18:03 MDT denied tcp 209.112.47.7 (4252) -> 10.174.184.202 (1008)

Source of trace:
This log segment came from ISP border router logs and represents addresses in four different class A network ranges.

Detect was generated by:
Cisco access list logs, slightly reformatted and sanitized.

Probability the source address was spoofed:
Not very likely. This attack would need to get responses in order to be successful.

Description of attack:
This scan is looking for a root shell left behind by the 1i0n worm. The lion worm exploits the recently announced BIND vulnerability (CAN-2001-0010) and leaves a root shell running at port 1008 by adding a line to /etc/inetd.conf.

Attack mechanism:
By looking at the times and source port information, this seems to be either a manual attack or it is coming from an extremely busy machine. Either the source ports are randomized, or there is a huge amount of traffic coming from this attacker. Unfortunately, we only have the packet filter logs and cannot look at the packet traces to get a better understanding of the methodology.

Correlation:
Information about the lion worm can be found at http://www.whitehats.com/library/worms/lion/index.html

Evidence of active targeting:
While it is readily apparent that the attacker is looking for root shells, the target addresses seem to be fairly random.
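Added example (not part of the post or its author's tooling): a small script that parses Cisco access-list deny lines in the format shown above, flags any single source sweeping port 1008 across many hosts, and checks whether that source's ephemeral ports climb in order, which is the "randomized or very busy host" observation under Attack mechanism. It uses six lines copied from the log above plus one constructed unrelated deny from a documentation address.

```python
import re
from collections import defaultdict

# Matches the Cisco access-list "denied tcp" lines quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \w+ denied tcp "
    r"(?P<src>[\d.]+) \((?P<sport>\d+)\) -> (?P<dst>[\d.]+) \((?P<dport>\d+)\)$"
)

# Six lines copied from the log in the post, plus one constructed unrelated
# deny (192.0.2.5 is a documentation address) so the filter has something to skip.
SAMPLE_LOG = """\
Apr 21 08:39:02 MDT denied tcp 209.112.47.7 (4879) -> 10.37.138.100 (1008)
Apr 21 08:54:23 MDT denied tcp 209.112.47.7 (2318) -> 10.37.139.33 (1008)
Apr 21 10:54:34 MDT denied tcp 209.112.47.7 (1593) -> 10.37.137.217 (1008)
Apr 21 11:58:57 MDT denied tcp 209.112.47.7 (4529) -> 10.37.138.217 (1008)
Apr 21 12:04:05 MDT denied tcp 209.112.47.7 (4529) -> 10.37.138.217 (1008)
Apr 22 00:49:22 MDT denied tcp 209.112.47.7 (4058) -> 10.168.141.168 (1008)
Apr 22 01:00:00 MDT denied tcp 192.0.2.5 (40001) -> 10.37.138.100 (80)
""".splitlines()

def parse(line):
    """Return a dict for one deny line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_horizontal_scans(lines, port=1008, min_targets=5):
    """Map each source that probed `port` on at least `min_targets` distinct hosts
    to its sorted target list: one source, one port, many hosts is a backdoor sweep."""
    targets = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["dport"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def source_ports(lines, src):
    """Source ports used by `src`, in log order."""
    return [rec["sport"] for rec in filter(None, map(parse, lines)) if rec["src"] == src]

def ports_look_sequential(ports):
    """True when ephemeral ports climb monotonically, as one quiet host's stack would
    allocate them; False suggests randomized ports or a very busy host."""
    return all(a <= b for a, b in zip(ports, ports[1:]))

if __name__ == "__main__":
    for src, dsts in find_horizontal_scans(SAMPLE_LOG).items():
        print(src, len(dsts), "targets; sequential sports:", ports_look_sequential(source_ports(SAMPLE_LOG, src)))
```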
This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 07:26:37 PDT