Slow DNS scans, backdoor scans, both worming

From: Jens Hektor (hektorat_private-AACHEN.DE)
Date: Mon May 07 2001 - 07:15:13 PDT

    Hi,
    
    the recently reported slow dns and backdoor scans are both variants of
    the lionworm.
    
    Today I examined 318 machines possibly slow scanning us
    on 53/udp; 78 were open on port 12321, serving via http a w0rmkit slightly
    different from that of lion.
    
    IP data were sent to the German CERT.
    
    The same holds true for the backdoor scanners. Same port, but slightly
    different kit (more adore-like).
    
    Looks like worms are the new technology for the kids.
    
    Bye, Jens
    
    --
    Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
    Computing Center Technical University Aachen, firewalls/network security
    mailto:hektorat_private-Aachen.DE, Tel.: +49 241 80 4866, Raum: 2.35
    Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889
    



    This archive was generated by hypermail 2b30 : Fri May 11 2001 - 06:46:35 PDT