Noticed new unicode exploit methods

From: Brad Doctor (bdoctor@ps-ax.com)
Date: Sun May 06 2001 - 09:36:17 PDT

    I've noticed two Sun/Solaris (2.6) machines in the last 24 hours running a 
    Unicode exploit similar in principle to the Lion worms in that they 
    generate random IP addresses, and then try to run the exploit.  The exploit 
    primarily consists of a Perl script; however, it also creates a .rhosts 
    within root's directory, open to the world.  The package is untarred to 
    /dev/cuc, originating from /tmp/uni.tar.  Of course, the processes do not 
    appear in normal 'ps' output; however, they do appear in the root shell 
    listening on port 600.
    
    Both of these machines were wide open with no apparent regard for any 
    security.  If anyone is interested in the package, I have most of it, so 
    let me know if you would like it.
    
    -brad
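
A host triage check for the indicators named in the message above, as an added example that is not part of the original post or the package it describes. The function name `triage_uni`, the saved-netstat input file, the extra `/root/.rhosts` path, and the reading of "open to the world" as a wildcard `+` entry are assumptions made for illustration.

```shell
#!/bin/sh
# triage_uni ROOT NETSTAT_FILE   (hypothetical helper, not from the post)
# ROOT is / on a live host or the mount point of a disk image.
# NETSTAT_FILE is saved `netstat -an` output. Because the post says the
# processes are hidden from ps, take it with a trusted binary.
# Prints one line per indicator found; the caller counts the lines.
triage_uni() {
    root=${1%/}; ns=$2
    # Unpack directory and source archive named in the post.
    if [ -d "$root/dev/cuc" ]; then
        echo "DIR    $root/dev/cuc is a directory under /dev"
    fi
    if [ -f "$root/tmp/uni.tar" ]; then
        echo "FILE   $root/tmp/uni.tar present"
    fi
    # Root's home is / on Solaris; /root is checked too (assumption).
    # Assumption: "open to the world" means a wildcard '+' entry.
    for rh in "$root/.rhosts" "$root/root/.rhosts"; do
        [ -f "$rh" ] || continue
        if grep -q '^[[:space:]]*+' "$rh"; then
            echo "RHOSTS $rh has a wildcard (+) entry"
        fi
    done
    # Listener on port 600: Solaris prints *.600, Linux prints 0.0.0.0:600.
    if [ -f "$ns" ]; then
        awk '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ /[.:]600$/) {
                 print "PORT   listener on " $i; break } }' "$ns"
    fi
    return 0
}

# Constructed sample: a fake root tree and Solaris-style netstat lines.
demo=$(mktemp -d)
mkdir -p "$demo/dev/cuc" "$demo/tmp"
: > "$demo/tmp/uni.tar"
echo '+ +' > "$demo/.rhosts"
printf '%s\n' '      *.600     *.*     0  0  0  0 LISTEN' \
              '      *.6000    *.*     0  0  0  0 LISTEN' > "$demo/netstat.txt"
triage_uni "$demo" "$demo/netstat.txt"   # reports all four indicators
rm -rf "$demo"
```
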
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 08:48:54 PDT