Re: Printer exploit?

From: HyunWoo Lee (lotusat_private)
Date: Thu Jun 28 2001 - 21:49:20 PDT


    We've also noticed a sudden increase of tcp 515 port scans since 19th Jun.
    You can see a graph at the link below:
    
        http://www.certcc.or.kr/statistics/rtsd/rtsd_scandetect.html
    
    One of the factors in this increase we've recently found is the red worm.
    
    It scans port 515 intensively, including bind and rpc.statd vulnerabilities as well.
    
    The distribution site of this worm code (red.tar) is "go.163.com"; it should be shut down immediately.
    
    As time goes by, we are seeing some hosts compromised by this worm.
    
    We will issue an incident note for this case, but sorry, in a Korean version only. Anyway, check out our site a little later.
    
        http://www.certcc.or.kr/paper/paper-2.htm
    
    
    Some short evidence to find this worm:
    
       Directory : /usr/lib/lib,
       Files : /usr/bin/kfm, /sbin/kfm, /usr/bin/td, /usr/bin/adore, etc.
       Related open ports : tcp 1522, tcp 39168
    
    Hope it will help.
    
    
    --
    ----------------------------------------------------
    Hyunwoo Lee / CCNA      E-mail : lotusat_private
    CERTCC-KR                   Web : http://www.certcc.or.kr
    
               Get Ready Against New Attack?
    ----------------------------------------------------
    
    
    Vangelis Haniotakis wrote:
    
    > On 28 Jun 2001, John Leach wrote:
    >
    > > We've noticed a sudden influx of tcp 515 printer port scans over the
    > > last month on nearly all of our boxes (different sites, different isps)
    > >
    > > We *do* have a *really* good HP colour laserjet, I guess the word got
    > > out.
    >
    >  Hmm, guess our printers must look tasty as well.
    >
    >  We got hit by 3 different attackers today, all looking for port 515 on
    > random IP's. A total of about 60,000 probes launched towards all of our
    > class B network.
    >
    >  Is this beginning to look a bit worrying?
    >
    > --
    > Vangelis Haniotakis - Network & Communications Centre, University of Crete
    >
    > ----------------------------------------------------------------------------
    >
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    >
    > http://aris.securityfocus.com
    
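As an added defender-side example (not code from the post or from CERTCC-KR), a small Python triage helper: it checks a host for the directory, files and listening ports listed in the message above, and flags sources that probe tcp/515 across many hosts in firewall log lines. The iptables-style log format and the sample addresses are constructed assumptions; the indicators themselves come from the post.

```python
"""Triage helpers for the lpd (tcp/515) scanning worm described in the post.
Added example; the log format and sample lines are constructed."""
import os
import re
import socket
from collections import defaultdict

# Host indicators quoted in the post.
WORM_DIRS = ["/usr/lib/lib"]
WORM_FILES = ["/usr/bin/kfm", "/sbin/kfm", "/usr/bin/td", "/usr/bin/adore"]
WORM_PORTS = [1522, 39168]


def host_indicators(exists=os.path.exists, listening=None):
    """Return the indicators present on this host. `exists` and `listening`
    are injectable so the check can also run against a recorded host state."""
    found = [p for p in WORM_DIRS + WORM_FILES if exists(p)]
    if listening is None:
        listening = set()
        for port in WORM_PORTS:
            # A successful local connect means something is bound to the port.
            with socket.socket() as s:
                s.settimeout(0.2)
                if s.connect_ex(("127.0.0.1", port)) == 0:
                    listening.add(port)
    found += [f"tcp/{p}" for p in WORM_PORTS if p in listening]
    return found


# Constructed iptables-style log lines, not real traffic.
SAMPLE_LOG = """\
Jun 28 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=4321 DPT=515
Jun 28 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=4322 DPT=515
Jun 28 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=4323 DPT=515
Jun 28 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP SPT=4324 DPT=515
Jun 28 10:01:05 fw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.11 PROTO=TCP SPT=5000 DPT=515
Jun 28 10:01:06 fw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.11 PROTO=TCP SPT=5001 DPT=22
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*DPT=(\d+)")


def lpd_scanners(log_text, min_targets=3):
    """Sources that hit tcp/515 on at least `min_targets` distinct hosts,
    i.e. horizontal scanning rather than a single stray print job."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "515":
            targets[m.group(1)].add(m.group(2))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
```

Run `host_indicators()` with no arguments on a suspect box; any returned path or port matches one of the post's indicators and warrants a closer look.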
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 08:40:37 PDT