On Tue, 15 May 2001, Joerg Weber wrote:

> my FW-Logs went insane last night with gazillions of connection attempts to
> port 10008.
> FW-1 does unfortunately not log dropped packets, so I've no idea about flags
> et al, but the scan looks like this:
> SourcePort = Increases with each scan
> DestPort = 10008

I got some scans on port 10008 as well. The really odd thing is this. If
you port scan them back, you'll find that on some high TCP port, if you
connect and send a few newlines, it'll reply with a uuencoded cheese.tgz
file.

I took a very brief look at the contents of cheese.tgz. The comments say
it's a cleaner, written to remove root shells from inetd.conf. There's a lot
more than that in the code though. Looks like a trojan that's really a
scanner.

--
----------------------------------------------------------------------
 Jon Lewis *jlewisat_private*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

This archive was generated by hypermail 2b30 : Tue May 15 2001 - 09:39:27 PDT