
wg-multicast - Re: MSDP Storm

Subject: All things related to multicast

  • From: Bill Owens
  • To: Greg Shepherd
  • Cc: zaid, Matthew Davy, Philip Pishioneri, mbone mail list, Al Adler
  • Subject: Re: MSDP Storm
  • Date: Wed, 17 Jan 2001 16:52:56 -0500

At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
Greg et al;

We had a real MSDP storm today from UMASS / 5 College - at one point AS 1249 was reporting ~15,000 (S,G). Here are a few

. . .
As you can see, the G are sequential and the S is assigned to UMass. Any idea what this could be?

Looking briefly at the machine, it is a RedHat 6.2 box with lots of services running, including a vulnerable wu-ftpd:

Connected to 128.119.240.205.
220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.

My guess is that it was rooted by the so-called ramen worm, which has been seen in the wild for the first time in the last few days. It uses a program called synscan to look for vulnerable wu-ftpd servers to infect. That jibes with Mark Fullmer's observation that an earlier storm source was an FTP scanner. That other machine is now off the air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box with a vulnerable wu-ftpd.

I posted a note to one of the mailing lists that is discussing the ramen worm, to see if someone who has it in captivity can confirm that it scans the multicast address space.

Bill.

PS - the scanner noted above is now off the air too. . .



