[unisog] New worm?
Peter Van Epp
vanepp at sfu.ca
Thu Apr 14 16:00:23 GMT 2005
On Thu, Apr 14, 2005 at 10:16:57AM -0400, Pete Hickey wrote:
> Not sure if this is a worm or just some hacker.
> We've had a couple Unix boxes compromised. A dictionary (userid/password)
> attack on ssh. Once he gets a good password, a program is run,
> which does the same thing against other machines.
> There is no attempt at trying to cover tracks: no rootkit
> installed, logs intact, etc. The process is not run as root,
> but as the user for which the password was guessed. This
> type of behavior makes me think it is a worm, rather than
> someone doing a one-off hack. Oh yeah. It also attempts
> a (probably) IRC connection to 126.96.36.199 (our default
> firewall blocks port 6667).
> What makes me not think this is a worm, is that I only saw
> three addresses scanning our address space on port 22.
> Anyone else seeing this?
> Pete Hickey                  /~\  The ASCII
> The University of Ottawa     \ /  Ribbon Campaign
> Ottawa, Ontario               X   Against HTML
> Canada                       / \  Email!
My sense is the remote scans for 22 are about normal (a couple per day
for varying chunks of our address spaces) and more importantly nothing internal
scanning outwards on 22. A check indicated no connections to 188.8.131.52
in the last day or two.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
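The checks discussed in this thread (a dictionary attack on sshd that eventually succeeds, an internal host then trying to reach IRC on port 6667, and internal hosts scanning outwards on port 22) can be run over ordinary sshd and firewall logs. The following is an added example written for this page, not code from either poster; the log lines are constructed samples in syslog and iptables LOG style, the thresholds (5 failures within 300 seconds, 3 distinct port-22 targets) are assumptions, and the addresses are documentation ranges rather than the ones mentioned in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd auth log (syslog format); not taken from the post.
SAMPLE_AUTH_LOG = """\
Apr 14 09:58:01 host1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Apr 14 09:58:02 host1 sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 40212 ssh2
Apr 14 09:58:03 host1 sshd[2103]: Failed password for root from 192.0.2.10 port 40213 ssh2
Apr 14 09:58:04 host1 sshd[2104]: Failed password for guest from 192.0.2.10 port 40214 ssh2
Apr 14 09:58:05 host1 sshd[2105]: Failed password for jsmith from 192.0.2.10 port 40215 ssh2
Apr 14 09:58:06 host1 sshd[2106]: Accepted password for jsmith from 192.0.2.10 port 40216 ssh2
Apr 14 10:02:11 host1 sshd[2150]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr 14 10:02:40 host1 sshd[2151]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

# Constructed sample firewall log in iptables LOG style; not taken from the post.
SAMPLE_FW_LOG = """\
Apr 14 09:59:10 fw1 kernel: DROP IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=43210 DPT=6667
Apr 14 09:59:20 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.20 PROTO=TCP SPT=43211 DPT=22
Apr 14 09:59:21 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.21 PROTO=TCP SPT=43212 DPT=22
Apr 14 09:59:22 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.22 PROTO=TCP SPT=43213 DPT=22
Apr 14 09:59:30 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.8 DST=203.0.113.50 PROTO=TCP SPT=50000 DPT=443
Apr 14 09:59:31 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.8 DST=203.0.113.51 PROTO=TCP SPT=50001 DPT=22
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)")


def _parse_ts(text):
    # syslog timestamps carry no year; only differences within one log matter here
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_guessed_logins(auth_log, threshold=5, window_seconds=300):
    """Return accepted logins preceded by at least `threshold` failures from the
    same source within `window_seconds`: the 'dictionary attack found a
    password' pattern. Each hit is a dict with user, src and failures_before."""
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    hits = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m["ts"])
        window = recent_failures[m["src"]]
        # drop failures that fell out of the sliding window
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if m["result"] == "Failed":
            window.append(ts)
        elif len(window) >= threshold:
            hits.append({"user": m["user"], "src": m["src"], "failures_before": len(window)})
    return hits


def find_irc_attempts(fw_log, ports=(6667,)):
    """Return (src, dst, dport) for outbound TCP attempts to the given ports,
    whether or not the firewall dropped them; a blocked attempt still shows
    which internal host tried to reach IRC."""
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and int(m["dport"]) in ports:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


def find_outbound_ssh_scanners(fw_log, min_targets=3):
    """Return {src: distinct_target_count} for hosts that contacted at least
    `min_targets` distinct destinations on port 22 (outward scanning)."""
    targets = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m["dport"] == "22":
            targets[m["src"]].add(m["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for hit in find_guessed_logins(SAMPLE_AUTH_LOG):
        print("guessed password:", hit)
    for src, dst, port in find_irc_attempts(SAMPLE_FW_LOG):
        print(f"IRC attempt: {src} -> {dst}:{port}")
    for src, n in find_outbound_ssh_scanners(SAMPLE_FW_LOG).items():
        print(f"outbound ssh scan: {src} contacted {n} hosts on 22")
```

On the sample data the first check flags the jsmith login from 192.0.2.10 (five failures in the preceding seconds, then a success), the second shows 10.0.0.5 trying port 6667 even though the firewall dropped it, and the third shows the same host touching three distinct addresses on port 22. The success-after-failures pattern matters more than the raw failure count: background port-22 scanning is, as the reply notes, routine, while a success from the same source that just produced a burst of failures is what marks the compromised account.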