Security Incidents mailing list archives
possible bind worm?
From: roelof () SENSEPOST COM (Roelof Temmingh)
Date: Wed, 26 Apr 2000 00:21:34 +0200
I was getting a port 53 host scan from an IP today.

source: 209.31.226.26 (w026.z209031226.sjc-ca.dsl.cnc.net)
srcport: 53
dstport: 53
dst IP: all the hosts behind my firewall

I did some checking:

~> dig @209.31.226.26 version.bind chaos txt

; <<>> DiG 8.2 <<>> @209.31.226.26 version.bind chaos txt
--cut--
VERSION.BIND.           0S CHAOS TXT    "8.2.2-P3"
--cut---

and:

Trying 209.31.226.26...
Connected to w026.z209031226.sjc-ca.dsl.cnc.net.
Escape character is '^]'.

Red Hat Linux release 5.1 (Manhattan)
Kernel 2.0.35 on an i486

Now - with all the other incidents regarding an 8.2.2-P3 and P5 out there, should we not start to think in terms of a worm? The 8.2 and 8.2.1 exploit was packaged in worm form by ADM:

~/hack/exploittools/bind/w0rm# more README
---cut--
the adm inet w0rm...
the w0rm is a linux/x86 spef he exploit the bind/iquery vuln
--cut---

Maybe we have an 8.2.2-PX worm at work? Could those that receive this message maybe have a quick look at those hosts doing host scans on port 53? Just check if they are running 8.2.2-PX and Linux RH 5/6. It seems that this is the right combination. I could be totally wrong - but I think it's worthwhile checking...

Feedback anyone?

Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com
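The check the post asks readers to run (the `dig @host version.bind chaos txt` query, then a look at whether the answer is an 8.2.2-P* build) can be scripted against a list of scanning hosts. The following is an added example written for this archive page, not code from the original post or from SensePost. It builds the CHAOS-class TXT query for version.bind by hand, parses the reply including compression pointers, and flags versions matching 8.2.2-P<n>. The reply packet used to exercise the parser is constructed inline to mirror the answer shown in the post; it is not a capture. The 0x1234 transaction id, the suspect-version regex and the `query_version_bind` helper name are this example's own choices.

```python
"""Fingerprint BIND via version.bind/CHAOS/TXT and flag 8.2.2-P* builds.

Added example for this archive page (not the post author's code). The
network call is optional; the packet builder and parser run offline against
a constructed reply.
"""
import re
import socket
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3
# Versions the post asks readers to look out for (assumed pattern: 8.2.2-P<n>).
SUSPECT_VERSION = re.compile(r"^8\.2\.2-P\d+$")


def build_version_bind_query(txid=0x1234):
    """Return the wire-format query `dig version.bind chaos txt` would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, qdcount=1
    qname = b"".join(bytes([len(l)]) + l for l in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def _read_name(data, offset):
    """Decode a DNS name at offset; returns (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def parse_version_bind_response(data, txid=0x1234):
    """Return the version string from a version.bind TXT answer, or None."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0xF != 0:  # REFUSED/NXDOMAIN etc.: version hidden or not BIND
        return None
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4  # qtype + qclass
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS and name.lower() == "version.bind":
            strings, i = [], 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            return "".join(strings)
    return None


def is_suspect_bind(version):
    """True for the 8.2.2-P<n> family the post asks readers to check for."""
    return version is not None and SUSPECT_VERSION.match(version) is not None


def query_version_bind(host, port=53, timeout=3.0, txid=0x1234):
    """Live check of one host (assumed helper; sends a single UDP query)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(txid), (host, port))
        data, _ = s.recvfrom(512)
    return parse_version_bind_response(data, txid)


def constructed_response(txid=0x1234, version=b"8.2.2-P3", rcode=0):
    """Hand-built reply mirroring the post's dig output (constructed, not captured)."""
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    question = b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    txt = bytes([len(version)]) + version
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(txt)) + txt
    return header + question + (answer if ancount else b"")


if __name__ == "__main__":
    v = parse_version_bind_response(constructed_response())
    print(v, "suspect" if is_suspect_bind(v) else "ok")
```

Run `query_version_bind("203.0.113.5")` style calls over the source addresses seen scanning port 53; a `None` result means the server refused the CHAOS query or is not BIND, so absence of a version is not evidence of a clean host.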