Security Incidents mailing list archives

Port 555 scan


From: me () SOMEWHERE NET
Date: Fri, 9 Feb 2001 15:00:39 -0500

Just got swept by a scan for port 555.

Feb  9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6
211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN
(#25)

The IP address belongs to Korea Network Information Center, but I can
get no whois info on the box.
Definitely/possibly/probably rooted Linux box; they are running a bunch
of services:

Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
53      open        tcp       domain
79      open        tcp       finger
80      open        tcp       http
98      open        tcp       linuxconf
111     open        tcp       sunrpc
137     filtered    tcp       netbios-ns
138     filtered    tcp       netbios-dgm
139     filtered    tcp       netbios-ssn
513     open        tcp       login
514     open        tcp       shell
515     open        tcp       printer
1024    open        tcp       unknown
1026    open        tcp       nterm

If the box owner is the one doing the scanning then they sure don't
know how to lock down their own machine.

If you go to the http server running, you see this:
                                              RameN Crew
                                  Hackers looooooooooooooooove noodles.™

Telnet'd and FTP'd straight into the box with the username I got from
their finger and used it as the passwd as well.
Look at the ps -aux; seems they are synscanning everyone:

USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
bin        348  0.0  0.0  1216   216  ?  S  Jan 26   0:00 portmap
daemon     468  0.0  0.0  1144   112  ?  S  Jan 26   0:00 /usr/sbin/atd
named      515  0.0  0.4  2772  1124  ?  S  Jan 26   0:16 named -u named

nobody    3509  0.0  0.7  7256  1660  ?  S  Feb  8   0:00 httpd
nobody    3512  0.0  0.7  7320  1808  ?  S  Feb  8   0:00 httpd
nobody    3513  0.0  0.7  7256  1732  ?  S  Feb  8   0:00 httpd
nobody    3526  0.0  0.7  7256  1732  ?  S  Feb  8   0:00 httpd
nobody    3534  0.0  0.8  7368  1876  ?  S  Feb  8   0:00 httpd
nobody    3535  0.0  0.7  7256  1672  ?  S  Feb  8   0:00 httpd
nobody    3566  0.0  0.7  7256  1828  ?  S  Feb  8   0:00 httpd
nobody    3567  0.0  0.7  7256  1712  ?  S  Feb  8   0:00 httpd
nobody    3568  0.0  0.7  7256  1740  ?  S  Feb  8   0:00 httpd
nobody    3577  0.0  0.7  7256  1740  ?  S  Feb  8   0:00 httpd
nobody    5154  0.0  0.8  7272  2056  ?  S  Feb  3   0:00 httpd
nobody    5155  0.0  0.7  7256  1744  ?  S  Feb  3   0:00 httpd
nobody    5156  0.0  1.0  7312  2340  ?  S  Feb  3   0:00 httpd
nobody    5157  0.0  0.5  7256  1244  ?  S  Feb  3   0:00 httpd
nobody    5159  0.0  0.5  7256  1220  ?  S  Feb  3   0:00 httpd
nobody    5160  0.0  0.7  7256  1716  ?  S  Feb  3   0:00 httpd
nobody    5161  0.0  0.7  7256  1708  ?  S  Feb  3   0:00 httpd
predac     734  0.0  0.0  1744     0   1 SW Jan 26   0:00 (bash)
predac     765  0.0  0.0  1680     0   1 SW Jan 26   0:00 (startx)
predac     772  0.0  0.0  2316     0   1 SW Jan 26   0:00 (xinit)
predac     777  0.0  0.4  7052  1012   1 S  Jan 26   0:01
/usr/bin/gnome-session
predac     800  0.0  0.1  5736   260   1 S  Jan 26   0:02 gnome-smproxy
--sm-client-id default0
predac     810  0.0  0.4  7388   940   1 S  Jan 26   9:32
(enlightenment)
predac     835  0.0  1.0  8880  2300   1 S  Jan 26   0:30 panel
--sm-client-id default8
predac     837  0.0  0.2  3196   632   1 S  Jan 26   0:17 xscreensaver
-no-splash -timeout 20 -nice 10
predac     845  0.0  0.0  5800     0   1 SW Jan 26   0:00 (ami)
predac     847  0.0  1.0  9896  2424   1 S  Jan 26   0:07 gmc
--sm-client-id default10
predac     851  0.0  0.0  2632     0  ?  SW Jan 26   0:00
(gnome-name-serv)
predac     895  0.0  0.8  7888  2016  ?  S  Jan 26   0:04
gnomepager_applet --activate-goad-server gnomepager_app
predac     897  0.0  0.8  7848  2052  ?  S  Jan 26   0:41
gen_util_applet --activate-goad-server gen_util_applet
predac    1076  0.0  0.0  4940     0  ?  SW Jan 26   0:02 (hanterm)
predac    1077  0.0  0.0  1756     0  ?  SW Jan 26   0:00 (bash)
predac    1515  0.0  0.2  4748   532  ?  S  Jan 26   0:02 hanterm
predac    1516  0.0  0.1  1748   416  ?  S  Jan 26   0:00 -bash
predac   24843  9.3  0.6  2732  1444   1 R N 19:38   0:48 wander -root
-advance 0 -size 10 -circles True -length
predac   24848  0.0  0.4  1768  1008  ?  S   19:40   0:00 -bash
predac   24900  0.0  0.1   952   428  ?  R   19:46   0:00 ps aux
predac   28257  0.0  0.1  4756   336  ?  S  Jan 29   0:01 hanterm
predac   28258  0.0  0.0  1752     0  ?  SW Jan 29   0:00 (bash)
root         1  0.0  0.0  1120    68  ?  S  Jan 26   0:38 init [3]
root         2  0.0  0.0     0     0  ?  SW Jan 26   0:00 (kflushd)
root         3  0.0  0.0     0     0  ?  SW Jan 26   0:18 (kupdate)
root         4  0.0  0.0     0     0  ?  SW Jan 26   0:00 (kpiod)
root         5  0.0  0.0     0     0  ?  SW Jan 26   0:07 (kswapd)
root         6  0.0  0.0     0     0  ?  SW<Jan 26   0:00 (mdrecoveryd)
root       363  0.0  0.0     0     0  ?  SW Jan 26   0:00 (lockd)
root       364  0.0  0.0     0     0  ?  SW Jan 26   0:00 (rpciod)
root       426  0.0  0.0  1172   212  ?  S  Jan 26   0:10 syslogd -m 0
root       435  0.0  0.0  1524   164  ?  S  Jan 26   0:00 klogd
root       482  0.0  0.0  1328   116  ?  S  Jan 26   0:05 crond
root       501  0.0  0.0  1156   224  ?  S  Jan 26   0:02 inetd
root       529  0.0  0.1  1216   340  ?  S  Jan 26   0:00 lpd
root       577  0.0  0.3  2136   796  ?  S  Jan 26   0:19 sendmail:
accepting connections on port 25
root       611  0.0  0.0  7112    64  ?  S  Jan 26   1:24 httpd
root       688  0.0  0.2  3300   484  ?  S  Jan 26   0:00 (smbd)
root       697  0.0  0.1  1860   400  ?  S  Jan 26   0:49 nmbd -D
root       726  0.0  0.0  2232     0   1 SW Jan 26   0:00 (login)
root       727  0.0  0.0  1088     0   2 SW Jan 26   0:00 (mingetty)
root       728  0.0  0.0  1088     0   3 SW Jan 26   0:00 (mingetty)
root       729  0.0  0.0  1088     0   4 SW Jan 26   0:00 (mingetty)
root       730  0.0  0.0  1088     0   5 SW Jan 26   0:00 (mingetty)
root       731  0.0  0.0  1088     0   6 SW Jan 26   0:00 (mingetty)
root       773 23.3  2.8 22804  6600  ?  R  Jan 26 4934:21 /etc/X11/X :0
-deferglyphs 16 -auth /home/predac/.Xauth
root      2159  0.0  0.0  1676     0  ?  SWNFeb  3   0:00 (scan.sh)
root      2161  0.0  0.0  1676     0  ?  SWNFeb  3   0:00 (hackl.sh)
root      2162  0.0  0.0  1676     0  ?  SWNFeb  3   0:00 (hackw.sh)
root      2171  0.0  0.0  2472    48  ?  S NFeb  3   0:28 tail -f .l
root      2172  0.0  0.0  1684     0  ?  SWNFeb  3   0:00 (hackl.sh)
root      2173  0.0  0.0  2472     0  ?  SWNFeb  3   0:20 (tail)
root      2174  0.0  0.0  1684     0  ?  SWNFeb  3   0:00 (hackw.sh)
root      2178  0.9  0.0  1404    60  ?  R NFeb  3  82:11 ./synscan
33.65 .heh eth0 t1 21
root     12260 29.8  0.0  1112   188  ?  R  Feb  8 560:39 ./luckscan-a
163 555
root     21546  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21547  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21548  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21549  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21550  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21551  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21552  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21553  0.0  0.0     0     0  ?  Z N 21:48   0:00 (synscan
<zombie>)
root     21554  0.0  0.0     0     0  ?  Z N 21:49   0:00 (synscan
<zombie>)
root     21555  0.0  0.0     0     0  ?  Z N 21:49   0:00 (synscan
<zombie>)
root     21559  0.0  0.0     0     0  ?  Z N 21:52   0:00 (synscan
<zombie>)
root     21560  0.0  0.0     0     0  ?  Z N 21:52   0:00 (synscan
<zombie>)
root     21561  0.0  0.0     0     0  ?  Z N 21:52   0:00 (synscan
<zombie>)
root     21562  0.0  0.0     0     0  ?  Z N 21:52   0:00 (synscan
<zombie>)
root     21563  0.0  0.0     0     0  ?  Z N 21:53   0:00 (synscan
<zombie>)
root     21564  0.0  0.0     0     0  ?  Z N 21:53   0:00 (synscan
<zombie>)
root     21565  0.0  0.0     0     0  ?  Z N 21:53   0:00 (synscan
<zombie>)
root     21566  0.0  0.0     0     0  ?  Z N 21:53   0:00 (synscan
<zombie>)
root     21567  0.0  0.0     0     0  ?  Z N 21:53   0:00 (synscan
<zombie>)
root     21568  0.0  0.0     0     0  ?  Z N 21:53   0:00 (synscan
<zombie>)
root     21569  0.0  0.0     0     0  ?  Z N 21:53   0:00 (synscan
<zombie>)
root     22516  0.0  0.0     0     0  ?  Z N 15:14   0:00 (synscan
<zombie>)
root     22517  0.0  0.0     0     0  ?  Z N 15:14   0:00 (synscan
<zombie>)
root     22524  0.0  0.0     0     0  ?  Z N 15:15   0:00 (synscan
<zombie>)
root     22525  0.0  0.0     0     0  ?  Z N 15:15   0:00 (synscan
<zombie>)
root     22526  0.0  0.0     0     0  ?  Z N 15:15   0:00 (synscan
<zombie>)
root     24639  0.0  0.0     0     0  ?  Z N 19:00   0:00 (synscan
<zombie>)
root     24846  0.0  0.3  1464   744  ?  S   19:40   0:00 in.telnetd:
40bca9c3.dsl.flashcom.net
root     24847  0.0  0.5  2312  1192  ?  S   19:40   0:00 login --
predac
root     24896  0.0  0.2  1416   536  ?  S N 19:46   0:00 ./synscan
33.65 .heh eth0 t1 21
root     24897  0.0  0.2  1416   536  ?  S N 19:46   0:00 ./synscan
33.65 .heh eth0 t1 21
root     24898  0.0  0.2  1416   536  ?  S N 19:46   0:00 ./synscan
33.65 .heh eth0 t1 21
root     24899  0.1  0.2  1416   536  ?  S N 19:46   0:00 ./synscan
33.65 .heh eth0 t1 21
root     28285  0.0  0.0  3372     0  ?  SW Jan 29   0:00 (su)
root     28289  0.0  0.0  1824     0  ?  SW Jan 29   0:00 (bash)
root     28325  0.0  0.0  3348     0  ?  SW Jan 29   0:00 (vi)
root     31895 29.3  0.0  1112   188  ?  R  Feb  8 576:29 ./luckscan-a
63 555
root     32165  0.0  0.0  1676     0  ?  SWNFeb  8   0:00 (wh.sh)
root     32166 22.8  0.0  1108    36  ?  R NFeb  8 434:55 ./w -t
163.23.138.136 -s0
xfs        674  0.0  0.0  3804    56  ?  S  Jan 26   0:00 xfs -droppriv
-daemon -port -1

AND

lsof -c synscan
COMMAND   PID USER  FD   TYPE DEVICE    SIZE   NODE NAME
synscan  2178 root mem    REG    3,6  340719 425986 /lib/ld-2.1.3.so
synscan  2178 root mem    REG    3,6 4099656 425993 /lib/libc-2.1.3.so
synscan  2178 root mem    REG    3,6  246668 426024
/lib/libnss_files-2.1.3.so
synscan  2178 root mem    REG    3,6  252250 426030
/lib/libnss_nisplus-2.1.3.so
synscan  2178 root mem    REG    3,6  370157 426006 /lib/libnsl-2.1.3.so

synscan  2178 root mem    REG    3,6  255979 426028
/lib/libnss_nis-2.1.3.so
synscan  2178 root mem    REG    3,6   67596 426022
/lib/libnss_dns-2.1.3.so
synscan  2178 root mem    REG    3,6  169736 426034
/lib/libresolv-2.1.3.so
synscan 24896 root mem    REG    3,6  340719 425986 /lib/ld-2.1.3.so
synscan 24896 root mem    REG    3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24896 root mem    REG    3,6  246668 426024
/lib/libnss_files-2.1.3.so
synscan 24896 root mem    REG    3,6  252250 426030
/lib/libnss_nisplus-2.1.3.so
synscan 24896 root mem    REG    3,6  370157 426006 /lib/libnsl-2.1.3.so

synscan 24896 root mem    REG    3,6  255979 426028
/lib/libnss_nis-2.1.3.so
synscan 24896 root mem    REG    3,6   67596 426022
/lib/libnss_dns-2.1.3.so
synscan 24896 root mem    REG    3,6  169736 426034
/lib/libresolv-2.1.3.so
synscan 24897 root mem    REG    3,6  340719 425986 /lib/ld-2.1.3.so
synscan 24897 root mem    REG    3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24897 root mem    REG    3,6  246668 426024
/lib/libnss_files-2.1.3.so
synscan 24897 root mem    REG    3,6  252250 426030
/lib/libnss_nisplus-2.1.3.so
synscan 24897 root mem    REG    3,6  370157 426006 /lib/libnsl-2.1.3.so

synscan 24897 root mem    REG    3,6  255979 426028
/lib/libnss_nis-2.1.3.so
synscan 24897 root mem    REG    3,6   67596 426022
/lib/libnss_dns-2.1.3.so
synscan 24897 root mem    REG    3,6  169736 426034
/lib/libresolv-2.1.3.so
synscan 24898 root mem    REG    3,6  340719 425986 /lib/ld-2.1.3.so
synscan 24898 root mem    REG    3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24898 root mem    REG    3,6  246668 426024
/lib/libnss_files-2.1.3.so
synscan 24898 root mem    REG    3,6  252250 426030
/lib/libnss_nisplus-2.1.3.so
synscan 24898 root mem    REG    3,6  370157 426006 /lib/libnsl-2.1.3.so

synscan 24898 root mem    REG    3,6  255979 426028
/lib/libnss_nis-2.1.3.so
synscan 24898 root mem    REG    3,6   67596 426022
/lib/libnss_dns-2.1.3.so
synscan 24898 root mem    REG    3,6  169736 426034
/lib/libresolv-2.1.3.so
synscan 24899 root mem    REG    3,6  340719 425986 /lib/ld-2.1.3.so
synscan 24899 root mem    REG    3,6 4099656 425993 /lib/libc-2.1.3.so
synscan 24899 root mem    REG    3,6  246668 426024
/lib/libnss_files-2.1.3.so
synscan 24899 root mem    REG    3,6  252250 426030
/lib/libnss_nisplus-2.1.3.so
synscan 24899 root mem    REG    3,6  370157 426006 /lib/libnsl-2.1.3.so

synscan 24899 root mem    REG    3,6  255979 426028
/lib/libnss_nis-2.1.3.so
synscan 24899 root mem    REG    3,6   67596 426022
/lib/libnss_dns-2.1.3.so
synscan 24899 root mem    REG    3,6  169736 426034
/lib/libresolv-2.1.3.so

lsof -c luckscan-a
COMMAND     PID USER  FD   TYPE DEVICE    SIZE   NODE NAME
luckscan- 12260 root mem    REG    3,6  340719 425986 /lib/ld-2.1.3.so
luckscan- 12260 root mem    REG    3,6 4099656 425993 /lib/libc-2.1.3.so

luckscan- 31895 root mem    REG    3,6  340719 425986 /lib/ld-2.1.3.so
luckscan- 31895 root mem    REG    3,6 4099656 425993 /lib/libc-2.1.3.so

I know Korean ISPs are not too good at responding to such things, so
what should be done about this?
This box is so full of holes and poses a danger to everyone.
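A parser and sweep check for the ipchains "Packet log:" line format quoted at the top of the post, as an added example that is not part of the post. The first sample line is the post's own; the remaining lines, the "gw" host and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed (documentation ranges).

```python
import re
from collections import defaultdict

IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9a-f]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-f]+) T=(?P<ttl>\d+)(?P<rest>.*)$",
    re.IGNORECASE,
)
TCP = 6

def parse_line(line):
    """Return a dict for one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest").split()  # trailing TCP flags and the rule "(#25)"
    rec["flags"] = [t for t in rest if not t.startswith("(#")]
    rule = [t for t in rest if t.startswith("(#")]
    rec["rule"] = int(rule[0].strip("(#)")) if rule else None
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[k] = int(rec[k])
    return rec

def find_sweeps(lines, min_hosts=3):
    """Sources whose TCP SYNs hit the same port on >= min_hosts distinct targets."""
    hits = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst hosts}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != TCP or "SYN" not in rec["flags"]:
            continue
        hits[rec["src"]][rec["dport"]].add(rec["dst"])
    return {(src, port): sorted(dsts) for src, ports in hits.items()
            for port, dsts in ports.items() if len(dsts) >= min_hosts}

# First line is from the post; the rest are constructed: the same source
# sweeping port 555 across a subnet, one unrelated TCP reject, one UDP deny.
SAMPLE_LOG = [
    "Feb  9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 "
    "211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)",
    "Feb  9 06:04:24 gw kernel: Packet log: input REJECT eth0 PROTO=6 "
    "211.193.34.30:4248 192.0.2.11:555 L=60 S=0x00 I=48750 F=0x4000 T=48 SYN (#25)",
    "Feb  9 06:04:25 gw kernel: Packet log: input REJECT eth0 PROTO=6 "
    "211.193.34.30:4249 192.0.2.12:555 L=60 S=0x00 I=48751 F=0x4000 T=48 SYN (#25)",
    "Feb  9 06:10:02 gw kernel: Packet log: input REJECT eth0 PROTO=6 "
    "198.51.100.7:1025 192.0.2.11:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#25)",
    "Feb  9 06:10:03 gw kernel: Packet log: input DENY eth0 PROTO=17 "
    "198.51.100.7:1026 192.0.2.11:137 L=78 S=0x00 I=2 F=0x0000 T=64 (#30)",
]
```

Run `find_sweeps(SAMPLE_LOG)` over a gateway's kernel log to see which sources hit one port on several of your hosts; with only a single host's log, as in the post, raise `min_hosts` to 1 and use it as a per-port reject tally instead.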

