Hi, the recently reported slow dns and backdoor scans are both variants of the lionworm. I examined in the today 318 machines possibly slow scanning us on 53/udp, 78 were open on port 12321 serving via http a w0rmkit slightly different from that of lion. IP data were sent to the German CERT. The same holds true for the backdoor scanners. Same port, but slightly different kit (more adore like). Looks like worms are the new technology for the kids. Bye, Jens -- Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen Computing Center Technical University Aachen, firewalls/network security mailto:hektorat_private-Aachen.DE, Tel.: +49 241 80 4866, Raum: 2.35 Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889
This archive was generated by hypermail 2b30 : Fri May 11 2001 - 06:46:35 PDT