[unisog] New worm?

Peter Van Epp vanepp at sfu.ca
Thu Apr 14 16:00:23 GMT 2005


On Thu, Apr 14, 2005 at 10:16:57AM -0400, Pete Hickey wrote:
> Not sure if this is a worm or just some hacker.
> 
> We've had a couple Unix boxes compromised.  A dictionary (userid/password)
> attack on ssh.  Once he gets a good password, a program is run,
> which does the same thing against other machines.
> 
> There is no attempt at trying to cover tracks:  no rootkit
> installed, logs intact, etc.  The process is not run as root,
> but as the user for which the password was guessed.  This
> type of behavior makes me think it is a worm, rather than
> someone doing a one-off hack.  Oh yeah.  It also attempts
> a (probably) IRC connection to 62.79.27.107 (our default
> firewall blocks port 6667).
> 
> What makes me not think this is a worm is that I only saw
> three addresses scanning our address space on port 22.
> 
> Anyone else seeing this?
> 
> -- 
> Pete Hickey                                       /~\  The ASCII
> The University of Ottawa                          \ /  Ribbon Campaign
> Ottawa, Ontario                                    X   Against HTML
> Canada                                            / \  Email!
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

	My sense is the remote scans for 22 are about normal (a couple per day 
for varying chunks of our address spaces) and more importantly nothing internal
scanning outwards on 22. A check indicated no connections to 62.79.27.107
in the last day or two.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
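The two checks discussed in this thread, a dictionary attack on sshd that ends in a successful login, and the follow-up look for internal hosts scanning outward on port 22 or contacting the IRC address Pete named, as an added example that is not code from either poster. The sshd log lines and connection records below are constructed samples; the internal prefix, thresholds and the window length are assumptions a site would tune to its own logs.

```python
"""Detection helpers for the ssh dictionary-attack pattern discussed in the
thread. Illustrative code added for this post, not from the list posters."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines: a burst of failures from one source followed
# by an accepted password for the last user tried, then an unrelated key login.
SAMPLE_AUTH_LOG = """\
Apr 14 09:58:01 host1 sshd[2211]: Failed password for invalid user test from 10.9.8.7 port 40211 ssh2
Apr 14 09:58:03 host1 sshd[2213]: Failed password for invalid user admin from 10.9.8.7 port 40215 ssh2
Apr 14 09:58:04 host1 sshd[2215]: Failed password for guest from 10.9.8.7 port 40219 ssh2
Apr 14 09:58:06 host1 sshd[2217]: Failed password for jsmith from 10.9.8.7 port 40222 ssh2
Apr 14 09:58:07 host1 sshd[2219]: Accepted password for jsmith from 10.9.8.7 port 40225 ssh2
Apr 14 10:02:10 host1 sshd[2301]: Accepted publickey for alice from 192.0.2.50 port 51000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_auth_log(text, year=2005):
    """Turn sshd log lines into (timestamp, src, result, method, user) tuples.
    Syslog lines carry no year, so one is supplied (assumed 2005 here)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["result"], m["method"], m["user"]))
    return events

def find_guessed_logins(events, min_failures=3, window_seconds=600):
    """Return (src, user, failure_count) for every accepted password login that
    was preceded by at least min_failures failed logins from the same source
    inside the window: the signature of a dictionary attack that succeeded."""
    hits = []
    failures = defaultdict(list)  # src -> timestamps of failed logins
    for ts, src, result, method, user in sorted(events):
        if result == "Failed":
            failures[src].append(ts)
        elif result == "Accepted" and method == "password":
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= min_failures:
                hits.append((src, user, len(recent)))
    return hits

# Constructed outbound connection records as (src, dst, dport); 172.16.5.20
# plays the compromised host that starts scanning out and calls the IRC server.
INTERNAL_PREFIX = "172.16."          # assumed site address space
WATCH_IPS = {"62.79.27.107"}         # address named in the thread
SAMPLE_FLOWS = [
    ("172.16.5.20", "198.51.100.1", 22), ("172.16.5.20", "198.51.100.2", 22),
    ("172.16.5.20", "198.51.100.3", 22), ("172.16.5.20", "198.51.100.4", 22),
    ("172.16.5.20", "198.51.100.5", 22), ("172.16.5.20", "198.51.100.6", 22),
    ("172.16.5.20", "62.79.27.107", 6667),
    ("172.16.5.31", "198.51.100.9", 22),
    ("172.16.5.31", "172.16.7.1", 22),
]

def find_outbound_ssh_scanners(flows, min_targets=5):
    """Map internal source -> number of distinct external hosts it reached on
    port 22, keeping only sources at or above min_targets."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 22 and src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

def find_watchlist_contacts(flows, watch=WATCH_IPS):
    """Sorted list of every (src, dst, dport) whose destination is on the watch list."""
    return sorted({(src, dst, dport) for src, dst, dport in flows if dst in watch})

if __name__ == "__main__":
    print("guessed logins:", find_guessed_logins(parse_auth_log(SAMPLE_AUTH_LOG)))
    print("outbound ssh scanners:", find_outbound_ssh_scanners(SAMPLE_FLOWS))
    print("watchlist contacts:", find_watchlist_contacts(SAMPLE_FLOWS))
```

The login check keys on an accepted password following a burst of failures from the same source, which is what distinguishes a guessed password from an ordinary typo; a site that still allows password logins would feed it the real auth log. The flow checks correspond to the two things Peter looked at: any internal host fanning out on port 22, and any contact with the address from the original report.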

