RE: DoS worm
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/21/04
- Previous message: Thor Larholm: "RE: DoS worm"
- In reply to: Thor Larholm: "RE: DoS worm"
- Next in thread: Jeffrey Denton: "Re: Systems compromised with ShellBOT perl script - part 2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Thor Larholm'" <thor@pivx.com>, <incidents@securityfocus.com>
Date: Thu, 21 Oct 2004 09:05:45 -0700
I have the SMB probing; although I strongly suspect weak admin
passwords, I don't see anything that looks like brute-forcing through
a list. (Maybe it's trying to avoid triggering account lockout?) I
could provide these in .pkt (EtherPeek) format if that would be useful.
The only SSH connections I saw were unanswered SYNs, but I don't know
that there weren't others that did get answers.
David Gillett
> -----Original Message-----
> From: Thor Larholm [mailto:thor@pivx.com]
> Sent: Thursday, October 21, 2004 2:06 AM
> To: gillettdavid@fhda.edu; incidents@securityfocus.com
> Subject: RE: DoS worm
>
>
> From your description your six machines are now compromised by a random
> Trojan being controlled by shaman.exodus.ro - I take it you perhaps took
> some capture logs of the SSH connections, the SYN flooding and the SMB
> probing? That would be invaluable to knowing whether this is a new SMB
> vulnerability or whether the worm simply connects using insecure
> administrator passwords.
>
>
> Thor
>
> -----Original Message-----
> From: David Gillett [mailto:gillettdavid@fhda.edu]
> Sent: Wednesday, October 20, 2004 10:48 PM
> To: incidents@securityfocus.com
> Subject: DoS worm
>
> Yesterday, someone (we believe it was one of our students)
> unplugged a lab Mac from the campus network and plugged in a
> PC (laptop, we assume). Besides whatever the user wanted, it
> apparently did three things:
>
> 1. Attempt to open a lot of connections (port 22, SSH) to
> shaman.exodus.ro (62.80.109.128), then
>
> 2. Send a SYN flood, spoofing the source address as 0.0.0.0,
> to ports 22 and 80 of weed.powered.at (195.149.115.18), and
>
> 3. Probe random addresses in our Class B space (port 445, CIFS);
> if it got a connection, it tried various SMB-type things amongst
> which I was able to pick out the string "IPC". Five other machines
> in our space eventually demonstrated similar symptoms.
>
> I don't know what this beast is. I infer that #2 is a DoS attack
> which is perhaps the purpose of the worm, and that #3 is its spread
> vector via the IPC$ share.
>
> Anybody recognize this?
>
> Dave Gillett
>
>
- application/ms-tnef attachment: winmail.dat
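The three behaviours Dave describes (repeated SSH connection attempts to one external host, a SYN flood with the source spoofed to 0.0.0.0, and port-445 probing of random addresses in the campus Class B) are each visible in a flow or packet summary without knowing what the worm is. The script below is an added example, not code from either poster; it triages constructed flow records of the shape (src, dst, dport, tcp_flags). The campus range 10.20.0.0/16, the RFC 5737 documentation addresses standing in for the external hosts, and the two thresholds are assumptions chosen for illustration, not values from the thread.

```python
"""Flow-based triage for the three behaviours described in the thread.

Added example, not part of the original mailing-list post. It works on
constructed flow records (src, dst, dport, tcp_flags) such as a capture
tool or NetFlow exporter would produce. The campus range, the external
addresses and the thresholds are assumptions for illustration only.
"""
from collections import defaultdict
import ipaddress

CAMPUS = ipaddress.ip_network("10.20.0.0/16")   # assumed Class B campus space

# Thresholds are assumptions; tune them to the site's normal traffic.
FANOUT_MIN_TARGETS = 20   # distinct campus hosts hit on one port -> scanning
REPEAT_MIN_SYNS = 50      # SYNs to a single external host:port -> flood or beacon


def classify_flows(flows):
    """Inspect SYN-only flows and return a dict of findings.

    flows: iterable of (src, dst, dport, flags) tuples where flags is the
    TCP flag string, e.g. "S" for a bare SYN.
    Returns {"spoofed_syn": [...], "internal_scan": [...], "external_repeat": [...]}
    """
    spoofed = defaultdict(int)    # (dst, dport) -> count of SYNs from 0.0.0.0
    fanout = defaultdict(set)     # (src, dport) -> distinct campus destinations
    repeat = defaultdict(int)     # (src, dst, dport) -> SYN count to one external host

    for src, dst, dport, flags in flows:
        if flags != "S":
            continue                       # only connection attempts matter here
        if src == "0.0.0.0":
            spoofed[(dst, dport)] += 1     # spoofed-source SYN flood (behaviour 2)
            continue
        if ipaddress.ip_address(dst) in CAMPUS:
            fanout[(src, dport)].add(dst)  # candidate internal scan (behaviour 3)
        else:
            repeat[(src, dst, dport)] += 1 # candidate external repeat (behaviour 1)

    findings = {"spoofed_syn": [], "internal_scan": [], "external_repeat": []}
    for (dst, dport), n in spoofed.items():
        findings["spoofed_syn"].append({"dst": dst, "dport": dport, "syns": n})
    for (src, dport), targets in fanout.items():
        if len(targets) >= FANOUT_MIN_TARGETS:
            findings["internal_scan"].append(
                {"src": src, "dport": dport, "targets": len(targets)})
    for (src, dst, dport), n in repeat.items():
        if n >= REPEAT_MIN_SYNS:
            findings["external_repeat"].append(
                {"src": src, "dst": dst, "dport": dport, "syns": n})
    return findings


def constructed_flows():
    """Constructed sample: one infected lab host doing all three things, plus benign noise."""
    infected = "10.20.7.44"                 # constructed campus address
    flows = []
    # 1. repeated SSH SYNs to one external host (192.0.2.10 is a documentation placeholder)
    flows += [(infected, "192.0.2.10", 22, "S")] * 60
    # 2. SYN flood with spoofed 0.0.0.0 source against ports 80 and 22 of an external host
    flows += [("0.0.0.0", "198.51.100.5", 80, "S")] * 200
    flows += [("0.0.0.0", "198.51.100.5", 22, "S")] * 150
    # 3. port-445 probes of 39 distinct campus addresses
    flows += [(infected, f"10.20.{i}.{(i * 7) % 256}", 445, "S") for i in range(1, 40)]
    # benign: a workstation opening a few SMB sessions to its file server
    flows += [("10.20.1.5", "10.20.1.10", 445, "S")] * 5
    return flows


if __name__ == "__main__":
    for kind, hits in classify_flows(constructed_flows()).items():
        print(kind, hits)
```

The benign workstation is not reported because it reaches a single campus host; the scan finding only fires on fan-out to many distinct addresses, which is also the signal that separates a worm looking for IPC$ from a few users hitting one file server. The spoofed-source rule has no threshold at all, since a SYN from 0.0.0.0 should never appear on an inside interface.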