Re: Port 555 scan

[Alex Luketa <A.S.Luketa () BRADFORD AC UK>]

I have heard that the trojans - Ini Killer/Phase Zero and Stealth Spy 
listen on port 555, if thats any help.

Alex

----- Original Message ----- 
From: "Ryan Russell" <ryan () SECURITYFOCUS COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, February 10, 2001 3:01 AM
Subject: Re: Port 555 scan


> On Fri, 9 Feb 2001 me () SOMEWHERE NET wrote:
>
> > Just got swept by a scan for port 555.
> >
> > Feb  9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6
> > 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 
T=48 SYN
> > (#25)
>
> Everything else is consistent with the Raman worm.  I don't know why 
port
> 555.  I would expect 515 looking for the lprng daemon, among other
> ports...
>
> > If you go tto the http server running, you see this
> >                                               RameN Crew
> >                                   Hackers looooooooooooooooove 
noodles.T
> Pretty clearly been nailed by Ramen.
>
> > root      2178  0.9  0.0  1404    60  ?  R NFeb  3  82:11 ./synscan
> > 33.65 .heh eth0 t1 21
>
> Part of Ramen, I believe.  Are you in the 33.65 address space?
>
> > root     12260 29.8  0.0  1112   188  ?  R  Feb  8 
560:39 ./luckscan-a
> > 163 555
>
> That looks like your port 555 scanner.  I don't remember that being
> mentioned before.  Perhaps you've found a Ramen variant, or perhaps 
that's
> evidence of the box having been rooted on a separate occasion.
>
> I'm finding zero matches on any sort of web search for luckscan.
>
> > This box is so full of holes and poses a danger to everyone.
>
> Indeed.
>
> Ryan