Security Incidents mailing list archives
Re: Slow scan, the rest of the story
From: hektor () RZ RWTH-AACHEN DE (Jens Hektor)
Date: Wed, 24 May 2000 16:03:54 -0000
Hi,

thanks for the answers to my posting, maybe the rest is also interesting.

Of course I had informed the contact given in WHOIS, and later that day they gave positive feedback and the scanning stopped.

One hour later the whole thing started again, now from two machines located in Japan and Estonia. Admin contacts as well as CERTs have been informed; no feedback from Estonia until now, but the scanning has stopped.

A little investigation revealed the Japanese machine as root-shelled, the process was found, and here is additional info:

The slow scan was caused by an approx. 240 MByte file of all 137.-IPs, sorted by incrementing the 3rd byte, then the 2nd byte and finally the 4th byte.

The login was trojaned, giving access if the DISPLAY variable contained a special string. Other trojans were found also.

It seemed that the attacker came from Slovenia.

Bye, Jens