Hi Russel & the others,

> Over the last week I have detected an increasing
> number of machines
> probing random addresses in our address space
> on udp port 53.

[...]

this is a (new ?) worm. Some of the probing machines have varying backdoors which were probed some days ago. This was reported here also.

Furthermore some of the machines have port 12321 open, which is a httpd serving the wormkit. Doing a "wget" to that port gives you the worm. This is exactly how the worm replicates. Scanning is done for randomly generated IPs. Probed are the well-known bind bugs.

I have a list of 263 (until now) possible candidates, 168 probing us multiple times. Of the latter ones, 18 have already probed positive for wormkit delivery (process continues).

Quick analysis:

Temporarily open "ingreslock" backdoor.
If "wget" or "lynx" exist:
  "Securing" ftp & rpc.statd by deleting some files.
  Downloading sshd trojan (listening on port 12345) and installing in /tmp/.ssh
  Closing ingreslock backdoor.
  Download of named (trojan or secured ?) and installation of it.
If "wget" or "lynx" do not exist, "ingreslock" remains open.
Start scanning for more vulnerable DNSs.
"chattr" of all files in "/bin" & "/usr/bin".
Installation of trojans for "ls", "ps", "du".

Bye,
Jens Hektor
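Added by the editor, not part of Jens's message or the thread: a small Python triage script that turns the indicators above into two checks, one that picks udp/53 scanners out of firewall logs (a source hitting many distinct random destinations, unlike a real resolver that talks to a few name servers) and one that matches what a responder finds on a suspect host against the artefacts listed in the analysis. The log line format and the sample lines are constructed; the ingreslock port number (1524/tcp) is the /etc/services assignment for that name and is not stated in the post.

```python
"""Triage helpers for the udp/53-probing worm described in the post above.

Editor's added example. Indicator constants come from the report; the log
format and sample lines are constructed, not captured data.
"""
import re
from collections import defaultdict

# Host-side indicators from the report.
WORMKIT_HTTP_PORT = 12321   # httpd serving the wormkit; "wget" to it gives you the worm
TROJAN_SSHD_PORT = 12345    # trojaned sshd, installed in /tmp/.ssh
INGRESLOCK_PORT = 1524      # /etc/services port for "ingreslock" (assumption: the post gives only the name);
                            # the backdoor stays open on hosts lacking wget/lynx
TROJAN_SSHD_DIR = "/tmp/.ssh"

# Constructed sample in the style of an ipchains kernel log (not real data):
# 192.0.2.10 probes four unrelated addresses on udp/53 (worm-like),
# 192.0.2.20 talks repeatedly to a single resolver (normal),
# 192.0.2.30 uses tcp/53 (ignored: the report describes udp probes).
SAMPLE_LOG = """\
May 12 03:14:07 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1043 198.51.100.7:53 L=48
May 12 03:14:07 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1043 198.51.100.193:53 L=48
May 12 03:14:08 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1043 198.51.100.42:53 L=48
May 12 03:14:08 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1043 198.51.100.250:53 L=48
May 12 03:14:09 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.20:53 198.51.100.2:53 L=71
May 12 03:14:10 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.20:53 198.51.100.2:53 L=64
May 12 03:14:11 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.30:2012 198.51.100.9:53 L=60
"""

_PKT = re.compile(r"PROTO=(\d+) (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+)")


def find_dns_scanners(log_text, min_targets=3):
    """Return sources that sent udp/53 packets to at least `min_targets`
    distinct destinations, most-targets first (ties broken by address).

    The worm walks randomly generated IPs, so a single source touching many
    unrelated name-server addresses is the signal; a legitimate resolver
    repeats a few destinations and stays below the threshold.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = _PKT.search(line)
        if not m:
            continue
        proto, src, _sport, dst, dport = m.groups()
        if proto == "17" and dport == "53":      # 17 = UDP
            targets[src].add(dst)
    hits = [(src, len(d)) for src, d in targets.items() if len(d) >= min_targets]
    hits.sort(key=lambda t: (-t[1], t[0]))
    return [src for src, _ in hits]


def host_indicators(listening_tcp_ports, existing_paths, chattr_flagged=()):
    """Map a responder's findings on a suspect host onto the report's indicators.

    listening_tcp_ports: TCP ports found listening (e.g. from netstat -an).
    existing_paths:      paths confirmed to exist on the host.
    chattr_flagged:      files that lsattr shows with attributes set; the kit
                         runs chattr over /bin and /usr/bin, so flags there
                         point at the trojaned ls/ps/du and their neighbours.
    Returns the list of matching indicator strings (empty: nothing seen).
    """
    found = []
    if WORMKIT_HTTP_PORT in listening_tcp_ports:
        found.append("wormkit httpd on tcp/%d" % WORMKIT_HTTP_PORT)
    if TROJAN_SSHD_PORT in listening_tcp_ports:
        found.append("trojan sshd on tcp/%d" % TROJAN_SSHD_PORT)
    if INGRESLOCK_PORT in listening_tcp_ports:
        found.append("ingreslock backdoor on tcp/%d" % INGRESLOCK_PORT)
    if TROJAN_SSHD_DIR in existing_paths:
        found.append("%s present" % TROJAN_SSHD_DIR)
    flagged = sorted(p for p in chattr_flagged if p.startswith(("/bin/", "/usr/bin/")))
    if flagged:
        found.append("chattr attributes set on %d file(s) under /bin or /usr/bin" % len(flagged))
    return found


if __name__ == "__main__":
    print("udp/53 scanners:", find_dns_scanners(SAMPLE_LOG))
    print("host indicators:", host_indicators({22, 12321, 12345}, {"/tmp/.ssh"}, ["/bin/ls", "/bin/ps"]))
```

Run the scanner check over the firewall log of the probed network; feed the host check with netstat, ls and lsattr output from a suspect machine rather than trusting the machine's own ls/ps, which the analysis says are replaced.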
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 08:24:02 PDT