All things related to multicast

[Al Adler <>]

Bill Owens wrote:

> At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
> >Greg et al;
> >
> >    We had a real MSDP storm today from UMASS / 5 College - at one
> >point AS 1249 was reporting ~15,000 (S,G). Here are
> >a few
> >
> >. . .
> >As you can see, the G are sequential and the S is assigned to UMass.
> >Any idea what this
> >could be ?
>
> Looking briefly at the machine, it is a RedHat 6.2 box with lots of
> services running, including a vulnerable wu-ftpd:
>
> Connected to 128.119.240.205.
> 220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28
> 10:30:36 EST 2000) ready.
>
> My guess is that it was rooted by the so-called ramen worm, which has
> been seen in the wild for the first time in the last few days. It
> uses a program called synscan to look for vulnerable wu-ftpd servers
> to infect. That jives with Mark Fullmer's observation that an earlier
> storm source was an FTP scanner. That other machine is now off the
> air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box
> with a vulnerable wu-ftpd.
>
> I posted a note to one of the mailing lists that is discussing the
> ramen worm, to see if someone who has it in captivity can confirm
> that it scans the multicast address space.
>
> Bill.
>
> PS - the scanner noted above is now off the air too. . .

That version of wu-ftp is supposed to be the "fixed" one according to
redhat. The ramen worm also attempts to exploit rpc.statd -we've seen
what appeared to be a successful exploit against what redhat called the
"fixed" version of statd. This could need some additional fixes...
Al