[unisog] New worm?

Lois Lehman LOIS.LEHMAN at asu.edu
Thu Apr 14 21:04:11 GMT 2005


I have been monitoring this activity here and we had one unix box
compromised because there was a default password on an account.  We were
alerted to this box by an admin off campus because our box was scanning
their network.  

When I went searching for answers I found this thread:

http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999

You'll notice that on #4 of this thread someone had a box 

I do know that some of the attacks looking for default passwords here
were preceded with an ssh CRC32 overflow filler.  When that wasn't
successful the ssh login script started.  I have been seeing this since
this last summer at about the same time the thread above started.

There are at least two or more sources working this script against our
network daily.  Since I know that the sources are probably themselves
compromised, I send out alerts to the whois entries for them.  I try to
be a good internet neighbor.   

Lois Lehman
Arizona State University
College of Liberal Arts & Sciences IT
Computing Manager
Information Assurance Coordinator
480-965-3139


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Peter Van Epp
Sent: Thursday, April 14, 2005 9:00 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] New worm?

On Thu, Apr 14, 2005 at 10:16:57AM -0400, Pete Hickey wrote:
> Not sure if this is a worm or just some hacker.
> 
> We've had a couple Unix boxes compromised.  A dictionary (userid/password)
> attack on ssh.  Once he gets a good password, a program is run,
> which does the same thing against other machines.
> 
> There is no attempt at trying to cover tracks:  no rootkit
> installed, logs intact, etc.  The process is not run as root,
> but as the user for which the password was guessed.  This
> type of behavior makes me think it is a worm, rather than
> someone doing a one-off hack.  Oh yeah.  It also attempts
> a (probably) IRC connection to 62.79.27.107 (our default
> firewall blocks port 6667)
> 
> What makes me not think this is a worm, is that I only saw 
> three addresses scanning our address space on port 22.
> 
> Anyone else seeing this?
> 
> -- 
> Pete Hickey                                       /~\  The ASCII
> The University of Ottawa                          \ /  Ribbon Campaign
> Ottawa, Ontario                                    X   Against HTML
> Canada                                            / \  Email!
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

	My sense is the remote scans for 22 are about normal (a couple per day
for varying chunks of our address spaces) and more importantly nothing internal
scanning outwards on 22. A check indicated no connections to 62.79.27.107
in the last day or two.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
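The pattern Pete Hickey describes (a burst of failed ssh password attempts from one source, then an accepted login for the guessed account, as with the default-password account Lois mentions) can be picked out of sshd's auth log. The script below is an added illustration, not code from the thread; the log lines are constructed samples in OpenSSH's standard format and the threshold of five failures is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the thread): one source
# tries several accounts, then logs in as "oracle"; another source has
# a single typo followed by a normal login.
SAMPLE_LOG = """\
Apr 14 09:01:02 host sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40111 ssh2
Apr 14 09:01:05 host sshd[2103]: Failed password for invalid user guest from 192.0.2.10 port 40112 ssh2
Apr 14 09:01:09 host sshd[2105]: Failed password for admin from 192.0.2.10 port 40113 ssh2
Apr 14 09:01:12 host sshd[2107]: Failed password for oracle from 192.0.2.10 port 40114 ssh2
Apr 14 09:01:15 host sshd[2109]: Failed password for oracle from 192.0.2.10 port 40115 ssh2
Apr 14 09:01:20 host sshd[2111]: Accepted password for oracle from 192.0.2.10 port 40116 ssh2
Apr 14 09:05:00 host sshd[2200]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Apr 14 09:05:30 host sshd[2202]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_sshd_log(text, threshold=5):
    """Return one alert per source with at least `threshold` failures.

    Each alert lists the accounts tried and any account whose login was
    accepted only after the failure burst (the likely guessed password).
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        else:
            # Remember how many failures preceded this success so a
            # login that follows a guessing run can be told apart.
            s["accepted"].append((m["user"], s["failures"]))
    alerts = []
    for ip, s in stats.items():
        if s["failures"] < threshold:
            continue
        guessed = [u for u, prior in s["accepted"] if prior >= threshold]
        alerts.append({"ip": ip, "failures": s["failures"],
                       "users_tried": sorted(s["users"]), "guessed": guessed})
    return alerts

if __name__ == "__main__":
    for alert in analyze_sshd_log(SAMPLE_LOG):
        print(alert)
```

A flagged source with a non-empty "guessed" list is the case worth checking first: the account named there is the one whose processes (and, in this thread, outbound port 22 and 6667 connections) should be examined.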
