Re: Port 10008

From: jlewisat_private
Date: Tue May 15 2001 - 08:48:11 PDT

    On Tue, 15 May 2001, Joerg Weber wrote:
    
    > my FW-Logs went insane last night with gazillions of connection attempts to
    > port 10008.
    > FW-1 does unfortunately not log dropped packets, so I've no idea about flags
    > et al, but the scan looks like this:
    > SourcePort = Increases with each scan
    > DestPort   = 10008
    
    I got some scans on port 10008 as well.  The really odd thing is this.  If
    you port scan them back, you'll find that on some high TCP port, if you
    connect and send a few newlines, it'll reply with a uuencoded cheese.tgz
    file.  I took a very brief look at the contents of cheese.tgz.  The
    comments say it's a cleaner, written to remove root shells from
    inetd.conf.  There's a lot more than that in the code though.  Looks like a
    trojan that's really a scanner.
    
    
    -- 
    ----------------------------------------------------------------------
     Jon Lewis *jlewisat_private*|  I route
     System Administrator        |  therefore you are
     Atlantic Net                |
    _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
    
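Added example, not part of the original message or of any poster's code: a defender-side check for the scan pattern described in the quoted report (many attempts to destination port 10008, with the source port increasing on each attempt). The log line format, the addresses and the thresholds are assumptions made for this illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed "time src:sport -> dst:dport" format
# (not FW-1's real log format); addresses are documentation ranges.
SAMPLE_LOG = """\
02:14:01 192.0.2.10:3101 -> 198.51.100.1:10008
02:14:01 192.0.2.10:3102 -> 198.51.100.2:10008
02:14:02 192.0.2.10:3103 -> 198.51.100.3:10008
02:14:02 192.0.2.10:3104 -> 198.51.100.4:10008
02:14:03 203.0.113.7:51544 -> 198.51.100.1:25
02:14:05 203.0.113.9:40211 -> 198.51.100.1:10008
02:14:09 203.0.113.9:1034 -> 198.51.100.1:10008
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def find_sweeps(log_text, dport=10008, min_hits=4, min_rising=0.9):
    """Return {source: summary} for sources whose attempts on dport look
    like one sweep: enough attempts, source port rising between them."""
    hits = defaultdict(list)  # source -> [(source port, destination), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        _, src, sport, dst, dp = m.groups()
        if int(dp) == dport:
            hits[src].append((int(sport), dst))

    sweeps = {}
    for src, seen in hits.items():
        if len(seen) < min_hits:
            continue
        sports = [s for s, _ in seen]
        steps = list(zip(sports, sports[1:]))
        # Fraction of consecutive attempts with a higher source port; a
        # ratio (not strict monotonicity) tolerates ephemeral-port wraparound.
        rising = sum(b > a for a, b in steps) / len(steps)
        if rising >= min_rising:
            sweeps[src] = {
                "attempts": len(seen),
                "targets": len({d for _, d in seen}),
                "rising": rising,
            }
    return sweeps
```
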



    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 09:39:27 PDT