Cheese worm found around 14th May. It scans port 10008, which is opened by the 1i0n worm, and removes rootshells from inetd.conf. It says:

    # removes rootshells running from /etc/inetd.conf
    # after a l10n infection... (to stop pesky haqz0rs
    # messing up your box even worse than it is already)
    # This code was not written with malicious intent.
    # Infact, it was written to try and do some good.

Funny?

It was found in the directory "/tmp/.cheese/", and the following files are found in this directory:

    ADL
    cheese
    cheese.uue
    psm

Bryan Andersen wrote:
> Joerg Weber wrote:
> >
> > Hello everyone,
> >
> > my FW-Logs went insane last night with gazillions of connection attempts to
> > port 10008.
> > FW-1 does unfortunately not log dropped packets, so I've no idea about flags
> > et al, but the scan looks like this:
> > SourcePort = Increases with each scan
> > DestPort = 10008
> >
> > This looks like an automated tool to me, as the whole scan took about a
> > second or two.
> > Any ideas?
>
> No ideas other than likely looking for already exploited machines. I've
> seen 10008 scans before.
>
> These three scan sets came in yesterday. Times are -500/US Central.
> Note: different scanning hosts but otherwise the same. Tcpdump info
> follows.
>
> May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50210 F=0x4000 T=48
> May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3895 208.42.22.17:10008 L=60 S=0x00 I=50211 F=0x4000 T=48
> May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3897 208.42.22.19:10008 L=60 S=0x00 I=50213 F=0x4000 T=48
> May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50605 F=0x4000 T=48
> May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3895 208.42.22.17:10008 L=60 S=0x00 I=50606 F=0x4000 T=48
> May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3897 208.42.22.19:10008 L=60 S=0x00 I=50608 F=0x4000 T=48
>
> May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2937 208.42.22.16:10008 L=60 S=0x00 I=60931 F=0x4000 T=50
> May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2938 208.42.22.17:10008 L=60 S=0x00 I=60932 F=0x4000 T=50
> May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2940 208.42.22.19:10008 L=60 S=0x00 I=60934 F=0x4000 T=50
> May 14 16:06:20 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2937 208.42.22.16:10008 L=60 S=0x00 I=61118 F=0x4000 T=50
> May 14 16:06:20 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2938 208.42.22.17:10008 L=60 S=0x00 I=61119 F=0x4000 T=50
> May 14 16:06:20 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2940 208.42.22.19:10008 L=60 S=0x00 I=61121 F=0x4000 T=50
>
> May 14 16:54:25 gateway kernel: Packet log: input DENY eth0 PROTO=6 210.208.240.2:3011 208.42.22.16:10008 L=60 S=0x00 I=60689 F=0x4000 T=48
> May 14 16:54:25 gateway kernel: Packet log: input DENY eth0 PROTO=6 210.208.240.2:3012 208.42.22.17:10008 L=60 S=0x00 I=60690 F=0x4000 T=48
> May 14 16:54:25 gateway kernel: Packet log: input DENY eth0 PROTO=6 210.208.240.2:3014 208.42.22.19:10008 L=60 S=0x00 I=60692 F=0x4000 T=48
> May 14 16:54:28 gateway kernel: Packet log: input DENY eth0 PROTO=6 210.208.240.2:3011 208.42.22.16:10008 L=60 S=0x00 I=60871 F=0x4000 T=48
> May 14 16:54:28 gateway kernel: Packet log: input DENY eth0 PROTO=6 210.208.240.2:3012 208.42.22.17:10008 L=60 S=0x00 I=60872 F=0x4000 T=48
> May 14 16:54:28 gateway kernel: Packet log: input DENY eth0 PROTO=6 210.208.240.2:3014 208.42.22.19:10008 L=60 S=0x00 I=60874 F=0x4000 T=48
>
> File tcp.2001-05-14_11
> 11:03:57.720310 216.36.78.235.3894 > 208.42.22.16.10008: S 2646016419:2646016419(0) win 32120 <mss 1460,sackOK,timestamp 762060710 0,nop,wscale 0> (DF)
> 11:03:57.721665 216.36.78.235.3895 > 208.42.22.17.10008: S 2646139096:2646139096(0) win 32120 <mss 1460,sackOK,timestamp 762060710 0,nop,wscale 0> (DF)
> 11:03:57.725081 216.36.78.235.3897 > 208.42.22.19.10008: S 2655769124:2655769124(0) win 32120 <mss 1460,sackOK,timestamp 762060710 0,nop,wscale 0> (DF)
> 11:04:00.712215 216.36.78.235.3894 > 208.42.22.16.10008: S 2646016419:2646016419(0) win 32120 <mss 1460,sackOK,timestamp 762061010 0,nop,wscale 0> (DF)
> 11:04:00.713570 216.36.78.235.3895 > 208.42.22.17.10008: S 2646139096:2646139096(0) win 32120 <mss 1460,sackOK,timestamp 762061010 0,nop,wscale 0> (DF)
> 11:04:00.716358 216.36.78.235.3897 > 208.42.22.19.10008: S 2655769124:2655769124(0) win 32120 <mss 1460,sackOK,timestamp 762061010 0,nop,wscale 0> (DF)
>
> File tcp.2001-05-14_16
> 16:06:16.938028 217.0.224.200.2937 > 208.42.22.16.10008: S 300290299:300290299(0) win 31900 <mss 1450,sackOK,timestamp 47186197 0,nop,wscale 0> (DF)
> 16:06:16.939376 217.0.224.200.2938 > 208.42.22.17.10008: S 298340939:298340939(0) win 31900 <mss 1450,sackOK,timestamp 47186197 0,nop,wscale 0> (DF)
> 16:06:16.956082 217.0.224.200.2940 > 208.42.22.19.10008: S 296964866:296964866(0) win 31900 <mss 1450,sackOK,timestamp 47186197 0,nop,wscale 0> (DF)
> 16:06:20.263842 217.0.224.200.2937 > 208.42.22.16.10008: S 300290299:300290299(0) win 31900 <mss 1450,sackOK,timestamp 47186497 0,nop,wscale 0> (DF)
> 16:06:20.265192 217.0.224.200.2938 > 208.42.22.17.10008: S 298340939:298340939(0) win 31900 <mss 1450,sackOK,timestamp 47186497 0,nop,wscale 0> (DF)
> 16:06:20.281198 217.0.224.200.2940 > 208.42.22.19.10008: S 296964866:296964866(0) win 31900 <mss 1450,sackOK,timestamp 47186497 0,nop,wscale 0> (DF)
>
> 16:54:25.170824 210.208.240.2.3011 > 208.42.22.16.10008: S 3606915073:3606915073(0) win 32120 <mss 1460,sackOK,timestamp 456887999 0,nop,wscale 0> (DF)
> 16:54:25.174139 210.208.240.2.3012 > 208.42.22.17.10008: S 3609501232:3609501232(0) win 32120 <mss 1460,sackOK,timestamp 456887999 0,nop,wscale 0> (DF)
> 16:54:25.178268 210.208.240.2.3014 > 208.42.22.19.10008: S 3610836087:3610836087(0) win 32120 <mss 1460,sackOK,timestamp 456887999 0,nop,wscale 0> (DF)
> 16:54:28.164009 210.208.240.2.3011 > 208.42.22.16.10008: S 3606915073:3606915073(0) win 32120 <mss 1460,sackOK,timestamp 456888299 0,nop,wscale 0> (DF)
> 16:54:28.167363 210.208.240.2.3012 > 208.42.22.17.10008: S 3609501232:3609501232(0) win 32120 <mss 1460,sackOK,timestamp 456888299 0,nop,wscale 0> (DF)
> 16:54:28.172085 210.208.240.2.3014 > 208.42.22.19.10008: S 3610836087:3610836087(0) win 32120 <mss 1460,sackOK,timestamp 456888299 0,nop,wscale 0> (DF)
>
> --
> | Bryan Andersen | bryanat_private | http://www.nerdvest.com |
> | Buzzwords are like annoying little flies that deserve to be swatted. |
> | -Bryan Andersen |
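Detection logic for the scan pattern quoted above (one source probing several hosts on tcp/10008 within seconds, each SYN retransmitted about three seconds later), as an added example that is not part of the original thread. It assumes ipchains-style "Packet log" lines exactly as shown; the functions `parse_line` and `find_sweeps`, the year supplied for the timestamps, and the extra probe from 192.0.2.10 are my own constructions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the ipchains "Packet log" lines quoted in the thread above.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ \w+ \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
)

def parse_line(line, year=2001):
    """Fields of one ipchains log line, or None if it does not match (the year is not logged)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["proto"], rec["sport"], rec["dport"] = int(rec["proto"]), int(rec["sport"]), int(rec["dport"])
    return rec

def find_sweeps(lines, port=10008, min_targets=3, window_s=60):
    """Report sources whose TCP probes to `port` reached at least `min_targets`
    distinct destinations within `window_s` seconds. A retransmit (same source
    port and destination) counts as the same probe, like the +3s repeats above."""
    seen = defaultdict(dict)  # src -> {(sport, dst): time of first sighting}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["dport"] == port:
            seen[rec["src"]].setdefault((rec["sport"], rec["dst"]), rec["ts"])
    sweeps = {}
    for src, probes in seen.items():
        targets = sorted({dst for _, dst in probes})
        span = (max(probes.values()) - min(probes.values())).total_seconds()
        if len(targets) >= min_targets and span <= window_s:
            sweeps[src] = {"targets": targets, "probes": len(probes), "span_s": span}
    return sweeps

# Constructed sample: three lines of the first scan set quoted in the thread, one of
# its retransmits, and one made-up single-host probe from 192.0.2.10 (documentation
# address) that must not be flagged as a sweep.
SAMPLE_LOG = """\
May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50210 F=0x4000 T=48
May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3895 208.42.22.17:10008 L=60 S=0x00 I=50211 F=0x4000 T=48
May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3897 208.42.22.19:10008 L=60 S=0x00 I=50213 F=0x4000 T=48
May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50605 F=0x4000 T=48
May 14 11:05:12 gateway kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4101 208.42.22.16:10008 L=60 S=0x00 I=7 F=0x4000 T=60
""".splitlines()

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['probes']} probes to {info['targets']} within {info['span_s']:.0f}s")
```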
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 09:18:24 PDT