RE: DoS worm

From: Thor Larholm (thor_at_pivx.com)
Date: 10/21/04

    Date: Thu, 21 Oct 2004 02:05:36 -0700
    To: <gillettdavid@fhda.edu>, <incidents@securityfocus.com>
    
    

    From your description your six machines are now compromised by a random
    Trojan being controlled by shaman.exodus.ro - I take it you perhaps took
    some capture logs of the SSH connections, the SYN flooding and the SMB
    probing? That would be invaluable in knowing whether this is a new SMB
    vulnerability or whether the worm simply connects using insecure
    administrator passwords.

    Thor

    -----Original Message-----
    From: David Gillett [mailto:gillettdavid@fhda.edu]
    Sent: Wednesday, October 20, 2004 10:48 PM
    To: incidents@securityfocus.com
    Subject: DoS worm

      Yesterday, someone (we believe it was one of our students)
    unplugged a lab Mac from the campus network and plugged in a
    PC (laptop, we assume). Besides whatever the user wanted, it
    apparently did three things:

    1. Attempt to open a lot of connections (port 22, SSH) to
    shaman.exodus.ro (62.80.109.128), then

    2. Send a SYN flood, spoofing the source address as 0.0.0.0,
    to ports 22 and 80 of weed.powered.at (195.149.115.18), and

    3. Probe random addresses in our Class B space (port 445, CIFS);
    if it got a connection, it tried various SMB-type things amongst
    which I was able to pick out the string "IPC". Five other machines
    in our space eventually demonstrated similar symptoms.

      I don't know what this beast is. I infer that #2 is a DoS attack
    which is perhaps the purpose of the worm, and that #3 is its spread
    vector via the IPC$ share.

      Anybody recognize this?

    Dave Gillett
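The three behaviours Dave lists (a burst of SSH connection attempts to one host, SYNs carrying a spoofed 0.0.0.0 source towards ports 22 and 80, and a sweep of port 445 across the local Class B) are each easy to pick out of a connection log, which is the kind of evidence Thor is asking for. The script below is an added example for this thread, not code from either poster; it runs over a few constructed log lines in a simple `ts proto flags src:sport -> dst:dport` format (the addresses are the ones named in the post, the internal 10.20.0.0/16 hosts and the thresholds are assumptions) and reports which local hosts show the worm's traffic pattern.

```python
import re
from collections import defaultdict

# Constructed sample log, not a real capture. Lines follow the shape
# "<date> <time> <proto> <flags> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2004-10-20 22:48:01 TCP S 10.20.30.40:1025 -> 62.80.109.128:22
2004-10-20 22:48:01 TCP S 10.20.30.40:1026 -> 62.80.109.128:22
2004-10-20 22:48:01 TCP S 10.20.30.40:1027 -> 62.80.109.128:22
2004-10-20 22:48:02 TCP S 10.20.30.40:1028 -> 62.80.109.128:22
2004-10-20 22:48:02 TCP S 10.20.30.40:1029 -> 62.80.109.128:22
2004-10-20 22:48:05 TCP S 0.0.0.0:3333 -> 195.149.115.18:22
2004-10-20 22:48:05 TCP S 0.0.0.0:3334 -> 195.149.115.18:80
2004-10-20 22:48:09 TCP S 10.20.30.40:1100 -> 10.20.7.12:445
2004-10-20 22:48:09 TCP S 10.20.30.40:1101 -> 10.20.88.201:445
2004-10-20 22:48:09 TCP S 10.20.30.40:1102 -> 10.20.150.3:445
2004-10-20 22:48:10 TCP S 10.20.30.40:1103 -> 10.20.9.77:445
2004-10-20 22:48:11 TCP S 10.20.30.40:1104 -> 10.20.200.5:445
2004-10-20 22:48:12 TCP S 10.20.5.5:2000 -> 10.20.5.6:445
2004-10-20 22:49:00 TCP S 10.20.6.6:2000 -> 62.80.109.128:22
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, flags, src, sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "flags": flags,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def analyze(log_text, ssh_burst=5, smb_sweep=5):
    """Flag the three behaviours described in the report.

    ssh_burst: SYNs from one source to one host on port 22 before it counts
               as a connection burst (assumed threshold).
    smb_sweep: distinct port-445 targets from one source before it counts
               as a sweep of the local address space (assumed threshold).
    """
    ssh_to_host = defaultdict(int)   # (src, dst) -> SYN count to port 22
    smb_targets = defaultdict(set)   # src -> distinct destinations on port 445
    spoofed = defaultdict(set)       # dst -> ports hit with source 0.0.0.0

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or "S" not in rec["flags"]:
            continue
        if rec["src"] == "0.0.0.0":
            # A 0.0.0.0 source cannot be attributed by address; record the
            # victim so the flood can be traced back via switch port or MAC.
            spoofed[rec["dst"]].add(rec["dport"])
            continue
        if rec["dport"] == 22:
            ssh_to_host[(rec["src"], rec["dst"])] += 1
        elif rec["dport"] == 445:
            smb_targets[rec["src"]].add(rec["dst"])

    findings = []
    for (src, dst), n in sorted(ssh_to_host.items()):
        if n >= ssh_burst:
            findings.append({"kind": "ssh_burst", "src": src, "dst": dst, "count": n})
    for src, dsts in sorted(smb_targets.items()):
        if len(dsts) >= smb_sweep:
            findings.append({"kind": "smb_sweep", "src": src, "targets": len(dsts)})
    for dst, ports in sorted(spoofed.items()):
        findings.append({"kind": "spoofed_syn", "dst": dst, "ports": sorted(ports)})
    return findings


def suspect_hosts(findings):
    """Local addresses that produced at least one attributable finding."""
    return sorted({f["src"] for f in findings if "src" in f})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print("suspect hosts:", suspect_hosts(SAMPLE_LOG and analyze(SAMPLE_LOG)))
```

Two points follow from the output. The spoofed-source flood shows up only by its destination, so the infected machine has to be located through the switch port or MAC table rather than its IP, which is also the argument for egress filtering that drops packets with unroutable sources. And the port-445 sweep lists which internal hosts were contacted; those are the machines whose SMB logs would show whether the worm authenticated with a guessed administrator password, which is the question Thor raises.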

