Security Incidents mailing list archives
Re: Port 555 scan
From: Alex Luketa <A.S.Luketa () BRADFORD AC UK>
Date: Sat, 10 Feb 2001 21:01:30 +0000
I have heard that the trojans - Ini Killer/Phase Zero and Stealth Spy listen on port 555, if that's any help.

Alex

----- Original Message -----
From: "Ryan Russell" <ryan () SECURITYFOCUS COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, February 10, 2001 3:01 AM
Subject: Re: Port 555 scan

On Fri, 9 Feb 2001 me () SOMEWHERE NET wrote:

> Just got swept by a scan for port 555.
>
> Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)
>
> Everything else is consistent with the Ramen worm. I don't know why port 555. I would expect 515 looking for the lprng daemon, among other ports...
>
> If you go to the http server running, you see this
>
> RameN Crew Hackers looooooooooooooooove noodles.T

Pretty clearly been nailed by Ramen.

> root 2178 0.9 0.0 1404 60 ? R NFeb 3 82:11 ./synscan 33.65 .heh eth0 t1 21

Part of Ramen, I believe. Are you in the 33.65 address space?

> root 12260 29.8 0.0 1112 188 ? R Feb 8 560:39 ./luckscan-a 163 555

That looks like your port 555 scanner. I don't remember that being mentioned before. Perhaps you've found a Ramen variant, or perhaps that's evidence of the box having been rooted on a separate occasion. I'm finding zero matches on any sort of web search for luckscan.

> This box is so full of holes and poses a danger to everyone.

Indeed.

Ryan
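
The following is an added example, not part of the original thread: a parser for the ipchains "Packet log" line quoted above that groups TCP SYN probes by source, to tell a sweep of one port from a stray packet. The sample lines use constructed documentation addresses, and the `min_targets` threshold is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# ipchains "Packet log" format: chain, action, interface, IP protocol number,
# src:port, dst:port, then L=length S=TOS I=IP-ID F=frag flags/offset T=TTL,
# an optional SYN marker and the number of the rule that matched.
LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# Constructed sample input (addresses from documentation ranges).
TAIL = "L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)"
HEAD = "Feb  9 06:04:24 fw kernel: Packet log: input REJECT eth0 "
SAMPLE = [
    HEAD + "PROTO=6 192.0.2.30:4247 198.51.100.1:555 " + TAIL,
    HEAD + "PROTO=6 192.0.2.30:4248 198.51.100.2:555 " + TAIL,
    HEAD + "PROTO=6 192.0.2.30:4249 198.51.100.3:555 " + TAIL,
    HEAD + "PROTO=6 192.0.2.77:1044 198.51.100.1:515 " + TAIL,
    HEAD + "PROTO=17 192.0.2.30:53 198.51.100.1:555 "
           "L=34 S=0x00 I=18 F=0x0000 T=254 (#25)",
]

def parse(line):
    """Return the fields of one Packet log line as a dict, or None."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    rec["df"] = bool(int(rec["frag"], 16) & 0x4000)  # Don't Fragment bit
    return rec

def sweeps(lines, port, min_targets=3):
    """Sources that sent TCP SYNs to `port` on >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] == 6 and rec["syn"] and rec["dport"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    print(sweeps(SAMPLE, 555))
```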