Security Incidents mailing list archives
Port 555 scan
From: me () SOMEWHERE NET
Date: Fri, 9 Feb 2001 15:00:39 -0500
Just got swept by a scan for port 555.

Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)

The IP address belongs to Korea Network Information Center, but I can get no whois info on the box. Definitely/possibly/probably rooted Linux box, they are running a bunch of services:

Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
53 open tcp domain
79 open tcp finger
80 open tcp http
98 open tcp linuxconf
111 open tcp sunrpc
137 filtered tcp netbios-ns
138 filtered tcp netbios-dgm
139 filtered tcp netbios-ssn
513 open tcp login
514 open tcp shell
515 open tcp printer
1024 open tcp unknown
1026 open tcp nterm

If the box owner is the one doing the scanning then they sure don't know how to lock down their own machine.

If you go to the http server running, you see this:

RameN Crew Hackers looooooooooooooooove noodles.

Telnet'd and Ftp'd straight into the box with the username I got from their finger and used it as passwd as well. Look at the ps -aux, seems they are synscanning everyone:

USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
bin 348 0.0 0.0 1216 216 ? S Jan 26 0:00 portmap
daemon 468 0.0 0.0 1144 112 ? S Jan 26 0:00 /usr/sbin/atd
named 515 0.0 0.4 2772 1124 ? S Jan 26 0:16 named -u named
nobody 3509 0.0 0.7 7256 1660 ? S Feb 8 0:00 httpd
nobody 3512 0.0 0.7 7320 1808 ? S Feb 8 0:00 httpd
nobody 3513 0.0 0.7 7256 1732 ? S Feb 8 0:00 httpd
nobody 3526 0.0 0.7 7256 1732 ? S Feb 8 0:00 httpd
nobody 3534 0.0 0.8 7368 1876 ? S Feb 8 0:00 httpd
nobody 3535 0.0 0.7 7256 1672 ? S Feb 8 0:00 httpd
nobody 3566 0.0 0.7 7256 1828 ? S Feb 8 0:00 httpd
nobody 3567 0.0 0.7 7256 1712 ? S Feb 8 0:00 httpd
nobody 3568 0.0 0.7 7256 1740 ? S Feb 8 0:00 httpd
nobody 3577 0.0 0.7 7256 1740 ? S Feb 8 0:00 httpd
nobody 5154 0.0 0.8 7272 2056 ? S Feb 3 0:00 httpd
nobody 5155 0.0 0.7 7256 1744 ? S Feb 3 0:00 httpd
nobody 5156 0.0 1.0 7312 2340 ? S Feb 3 0:00 httpd
nobody 5157 0.0 0.5 7256 1244 ? S Feb 3 0:00 httpd
nobody 5159 0.0 0.5 7256 1220 ? S Feb 3 0:00 httpd
nobody 5160 0.0 0.7 7256 1716 ? S Feb 3 0:00 httpd
nobody 5161 0.0 0.7 7256 1708 ? S Feb 3 0:00 httpd
predac 734 0.0 0.0 1744 0 1 SW Jan 26 0:00 (bash)
predac 765 0.0 0.0 1680 0 1 SW Jan 26 0:00 (startx)
predac 772 0.0 0.0 2316 0 1 SW Jan 26 0:00 (xinit)
predac 777 0.0 0.4 7052 1012 1 S Jan 26 0:01 /usr/bin/gnome-session
predac 800 0.0 0.1 5736 260 1 S Jan 26 0:02 gnome-smproxy --sm-client-id default0
predac 810 0.0 0.4 7388 940 1 S Jan 26 9:32 (enlightenment)
predac 835 0.0 1.0 8880 2300 1 S Jan 26 0:30 panel --sm-client-id default8
predac 837 0.0 0.2 3196 632 1 S Jan 26 0:17 xscreensaver -no-splash -timeout 20 -nice 10
predac 845 0.0 0.0 5800 0 1 SW Jan 26 0:00 (ami)
predac 847 0.0 1.0 9896 2424 1 S Jan 26 0:07 gmc --sm-client-id default10
predac 851 0.0 0.0 2632 0 ? SW Jan 26 0:00 (gnome-name-serv)
predac 895 0.0 0.8 7888 2016 ? S Jan 26 0:04 gnomepager_applet --activate-goad-server gnomepager_app
predac 897 0.0 0.8 7848 2052 ? S Jan 26 0:41 gen_util_applet --activate-goad-server gen_util_applet
predac 1076 0.0 0.0 4940 0 ? SW Jan 26 0:02 (hanterm)
predac 1077 0.0 0.0 1756 0 ? SW Jan 26 0:00 (bash)
predac 1515 0.0 0.2 4748 532 ? S Jan 26 0:02 hanterm
predac 1516 0.0 0.1 1748 416 ? S Jan 26 0:00 -bash
predac 24843 9.3 0.6 2732 1444 1 R N 19:38 0:48 wander -root -advance 0 -size 10 -circles True -length
predac 24848 0.0 0.4 1768 1008 ? S 19:40 0:00 -bash
predac 24900 0.0 0.1 952 428 ? R 19:46 0:00 ps aux
predac 28257 0.0 0.1 4756 336 ? S Jan 29 0:01 hanterm
predac 28258 0.0 0.0 1752 0 ? SW Jan 29 0:00 (bash)
root 1 0.0 0.0 1120 68 ? S Jan 26 0:38 init [3]
root 2 0.0 0.0 0 0 ? SW Jan 26 0:00 (kflushd)
root 3 0.0 0.0 0 0 ? SW Jan 26 0:18 (kupdate)
root 4 0.0 0.0 0 0 ? SW Jan 26 0:00 (kpiod)
root 5 0.0 0.0 0 0 ? SW Jan 26 0:07 (kswapd)
root 6 0.0 0.0 0 0 ? SW< Jan 26 0:00 (mdrecoveryd)
root 363 0.0 0.0 0 0 ? SW Jan 26 0:00 (lockd)
root 364 0.0 0.0 0 0 ? SW Jan 26 0:00 (rpciod)
root 426 0.0 0.0 1172 212 ? S Jan 26 0:10 syslogd -m 0
root 435 0.0 0.0 1524 164 ? S Jan 26 0:00 klogd
root 482 0.0 0.0 1328 116 ? S Jan 26 0:05 crond
root 501 0.0 0.0 1156 224 ? S Jan 26 0:02 inetd
root 529 0.0 0.1 1216 340 ? S Jan 26 0:00 lpd
root 577 0.0 0.3 2136 796 ? S Jan 26 0:19 sendmail: accepting connections on port 25
root 611 0.0 0.0 7112 64 ? S Jan 26 1:24 httpd
root 688 0.0 0.2 3300 484 ? S Jan 26 0:00 (smbd)
root 697 0.0 0.1 1860 400 ? S Jan 26 0:49 nmbd -D
root 726 0.0 0.0 2232 0 1 SW Jan 26 0:00 (login)
root 727 0.0 0.0 1088 0 2 SW Jan 26 0:00 (mingetty)
root 728 0.0 0.0 1088 0 3 SW Jan 26 0:00 (mingetty)
root 729 0.0 0.0 1088 0 4 SW Jan 26 0:00 (mingetty)
root 730 0.0 0.0 1088 0 5 SW Jan 26 0:00 (mingetty)
root 731 0.0 0.0 1088 0 6 SW Jan 26 0:00 (mingetty)
root 773 23.3 2.8 22804 6600 ? R Jan 26 4934:21 /etc/X11/X :0 -deferglyphs 16 -auth /home/predac/.Xauth
root 2159 0.0 0.0 1676 0 ? SWN Feb 3 0:00 (scan.sh)
root 2161 0.0 0.0 1676 0 ? SWN Feb 3 0:00 (hackl.sh)
root 2162 0.0 0.0 1676 0 ? SWN Feb 3 0:00 (hackw.sh)
root 2171 0.0 0.0 2472 48 ? S N Feb 3 0:28 tail -f .l
root 2172 0.0 0.0 1684 0 ? SWN Feb 3 0:00 (hackl.sh)
root 2173 0.0 0.0 2472 0 ? SWN Feb 3 0:20 (tail)
root 2174 0.0 0.0 1684 0 ? SWN Feb 3 0:00 (hackw.sh)
root 2178 0.9 0.0 1404 60 ? R N Feb 3 82:11 ./synscan 33.65 .heh eth0 t1 21
root 12260 29.8 0.0 1112 188 ? R Feb 8 560:39 ./luckscan-a 163 555
root 21546 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21547 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21548 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21549 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21550 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21551 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21552 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21553 0.0 0.0 0 0 ? Z N 21:48 0:00 (synscan <zombie>)
root 21554 0.0 0.0 0 0 ? Z N 21:49 0:00 (synscan <zombie>)
root 21555 0.0 0.0 0 0 ? Z N 21:49 0:00 (synscan <zombie>)
root 21559 0.0 0.0 0 0 ? Z N 21:52 0:00 (synscan <zombie>)
root 21560 0.0 0.0 0 0 ? Z N 21:52 0:00 (synscan <zombie>)
root 21561 0.0 0.0 0 0 ? Z N 21:52 0:00 (synscan <zombie>)
root 21562 0.0 0.0 0 0 ? Z N 21:52 0:00 (synscan <zombie>)
root 21563 0.0 0.0 0 0 ? Z N 21:53 0:00 (synscan <zombie>)
root 21564 0.0 0.0 0 0 ? Z N 21:53 0:00 (synscan <zombie>)
root 21565 0.0 0.0 0 0 ? Z N 21:53 0:00 (synscan <zombie>)
root 21566 0.0 0.0 0 0 ? Z N 21:53 0:00 (synscan <zombie>)
root 21567 0.0 0.0 0 0 ? Z N 21:53 0:00 (synscan <zombie>)
root 21568 0.0 0.0 0 0 ? Z N 21:53 0:00 (synscan <zombie>)
root 21569 0.0 0.0 0 0 ? Z N 21:53 0:00 (synscan <zombie>)
root 22516 0.0 0.0 0 0 ? Z N 15:14 0:00 (synscan <zombie>)
root 22517 0.0 0.0 0 0 ? Z N 15:14 0:00 (synscan <zombie>)
root 22524 0.0 0.0 0 0 ? Z N 15:15 0:00 (synscan <zombie>)
root 22525 0.0 0.0 0 0 ? Z N 15:15 0:00 (synscan <zombie>)
root 22526 0.0 0.0 0 0 ? Z N 15:15 0:00 (synscan <zombie>)
root 24639 0.0 0.0 0 0 ? Z N 19:00 0:00 (synscan <zombie>)
root 24846 0.0 0.3 1464 744 ? S 19:40 0:00 in.telnetd: 40bca9c3.dsl.flashcom.net
root 24847 0.0 0.5 2312 1192 ? S 19:40 0:00 login -- predac
root 24896 0.0 0.2 1416 536 ? S N 19:46 0:00 ./synscan 33.65 .heh eth0 t1 21
root 24897 0.0 0.2 1416 536 ? S N 19:46 0:00 ./synscan 33.65 .heh eth0 t1 21
root 24898 0.0 0.2 1416 536 ? S N 19:46 0:00 ./synscan 33.65 .heh eth0 t1 21
root 24899 0.1 0.2 1416 536 ? S N 19:46 0:00 ./synscan 33.65 .heh eth0 t1 21
root 28285 0.0 0.0 3372 0 ? SW Jan 29 0:00 (su)
root 28289 0.0 0.0 1824 0 ? SW Jan 29 0:00 (bash)
root 28325 0.0 0.0 3348 0 ? SW Jan 29 0:00 (vi)
root 31895 29.3 0.0 1112 188 ? R Feb 8 576:29 ./luckscan-a 63 555
root 32165 0.0 0.0 1676 0 ? SWN Feb 8 0:00 (wh.sh)
root 32166 22.8 0.0 1108 36 ? R N Feb 8 434:55 ./w -t 163.23.138.136 -s0
xfs 674 0.0 0.0 3804 56 ? S Jan 26 0:00 xfs -droppriv -daemon -port -1

And lsof -c synscan:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
synscan 2178 root mem REG 3,6 340719 425986 /lib/ld-2.1.3.so
synscan 2178 root mem REG 3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 2178 root mem REG 3,6 246668 426024 /lib/libnss_files-2.1.3.so
synscan 2178 root mem REG 3,6 252250 426030 /lib/libnss_nisplus-2.1.3.so
synscan 2178 root mem REG 3,6 370157 426006 /lib/libnsl-2.1.3.so
synscan 2178 root mem REG 3,6 255979 426028 /lib/libnss_nis-2.1.3.so
synscan 2178 root mem REG 3,6 67596 426022 /lib/libnss_dns-2.1.3.so
synscan 2178 root mem REG 3,6 169736 426034 /lib/libresolv-2.1.3.so
synscan 24896 root mem REG 3,6 340719 425986 /lib/ld-2.1.3.so
synscan 24896 root mem REG 3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24896 root mem REG 3,6 246668 426024 /lib/libnss_files-2.1.3.so
synscan 24896 root mem REG 3,6 252250 426030 /lib/libnss_nisplus-2.1.3.so
synscan 24896 root mem REG 3,6 370157 426006 /lib/libnsl-2.1.3.so
synscan 24896 root mem REG 3,6 255979 426028 /lib/libnss_nis-2.1.3.so
synscan 24896 root mem REG 3,6 67596 426022 /lib/libnss_dns-2.1.3.so
synscan 24896 root mem REG 3,6 169736 426034 /lib/libresolv-2.1.3.so
synscan 24897 root mem REG 3,6 340719 425986 /lib/ld-2.1.3.so
synscan 24897 root mem REG 3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24897 root mem REG 3,6 246668 426024 /lib/libnss_files-2.1.3.so
synscan 24897 root mem REG 3,6 252250 426030 /lib/libnss_nisplus-2.1.3.so
synscan 24897 root mem REG 3,6 370157 426006 /lib/libnsl-2.1.3.so
synscan 24897 root mem REG 3,6 255979 426028 /lib/libnss_nis-2.1.3.so
synscan 24897 root mem REG 3,6 67596 426022 /lib/libnss_dns-2.1.3.so
synscan 24897 root mem REG 3,6 169736 426034 /lib/libresolv-2.1.3.so
synscan 24898 root mem REG 3,6 340719 425986 /lib/ld-2.1.3.so
synscan 24898 root mem REG 3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24898 root mem REG 3,6 246668 426024 /lib/libnss_files-2.1.3.so
synscan 24898 root mem REG 3,6 252250 426030 /lib/libnss_nisplus-2.1.3.so
synscan 24898 root mem REG 3,6 370157 426006 /lib/libnsl-2.1.3.so
synscan 24898 root mem REG 3,6 255979 426028 /lib/libnss_nis-2.1.3.so
synscan 24898 root mem REG 3,6 67596 426022 /lib/libnss_dns-2.1.3.so
synscan 24898 root mem REG 3,6 169736 426034 /lib/libresolv-2.1.3.so
synscan 24899 root mem REG 3,6 340719 425986 /lib/ld-2.1.3.so
synscan 24899 root mem REG 3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24899 root mem REG 3,6 246668 426024 /lib/libnss_files-2.1.3.so
synscan 24899 root mem REG 3,6 252250 426030 /lib/libnss_nisplus-2.1.3.so
synscan 24899 root mem REG 3,6 370157 426006 /lib/libnsl-2.1.3.so
synscan 24899 root mem REG 3,6 255979 426028 /lib/libnss_nis-2.1.3.so
synscan 24899 root mem REG 3,6 67596 426022 /lib/libnss_dns-2.1.3.so
synscan 24899 root mem REG 3,6 169736 426034 /lib/libresolv-2.1.3.so

lsof -c luckscan-a:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
luckscan- 12260 root mem REG 3,6 340719 425986 /lib/ld-2.1.3.so
luckscan- 12260 root mem REG 3,6 4099656 425993 /lib/libc-2.1.3.so
luckscan- 31895 root mem REG 3,6 340719 425986 /lib/ld-2.1.3.so
luckscan- 31895 root mem REG 3,6 4099656 425993 /lib/libc-2.1.3.so

I know Korean ISPs are not too good at responding to such things, so what should be done about this? This box is so full of holes and poses a danger to everyone.
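As an added example that is not part of the original post: a parser for the ipchains "Packet log" line quoted above, plus a detector that groups rejected TCP SYNs per source and flags a sweep (one port, several hosts, like the port 555 scan) or a portscan (one host, several ports). It assumes the log comes from a gateway that logs for several hosts; every sample line except the one from the post is constructed, using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Field layout of the 2.2-kernel ipchains "Packet log:" line quoted in the post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)")

def parse_line(line):
    """Return the fields of an ipchains packet-log line as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = rec["flags"].split()          # e.g. ["SYN"]; empty for UDP
    return rec

def find_scans(lines, min_hits=3):
    """Per source: >= min_hits hosts on one port is a sweep ("horizontal"), >= min_hits ports
    on one host is a portscan ("vertical").  Returns {src: {"horizontal": {...}, "vertical": {...}}}."""
    by_port, by_host = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] != "6" or "SYN" not in rec["flags"]:
            continue                                  # keep only TCP connection attempts
        by_port[(rec["src"], rec["dport"])].add(rec["dst"])
        by_host[(rec["src"], rec["dst"])].add(rec["dport"])
    report = defaultdict(lambda: {"horizontal": {}, "vertical": {}})
    for (src, port), hosts in by_port.items():
        if len(hosts) >= min_hits:
            report[src]["horizontal"][port] = sorted(hosts)
    for (src, host), ports in by_host.items():
        if len(ports) >= min_hits:
            report[src]["vertical"][host] = sorted(ports)
    return dict(report)

# Constructed sample: the line from the post, then invented lines (RFC 5737 addresses).
SAMPLE_LOG = """\
Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)
Feb 9 06:04:25 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4248 192.0.2.11:555 L=60 S=0x00 I=48750 F=0x4000 T=48 SYN (#25)
Feb 9 06:04:25 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4249 192.0.2.12:555 L=60 S=0x00 I=48751 F=0x4000 T=48 SYN (#25)
Feb 9 06:05:01 XXX kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:1025 my.host.net:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#25)
Feb 9 06:05:02 XXX kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:1026 my.host.net:23 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#25)
Feb 9 06:05:03 XXX kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:1027 my.host.net:79 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#25)
Feb 9 06:06:00 XXX kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.5:53 my.host.net:53 L=28 S=0x00 I=4 F=0x4000 T=64 (#30)
"""
```

Running find_scans(SAMPLE_LOG.splitlines()) reports 211.193.34.30 as a horizontal sweep of port 555 across three hosts and 198.51.100.7 as a vertical scan of my.host.net; the UDP line is ignored.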