
wg-multicast - Re: MSDP Storm

Subject: All things related to multicast

Re: MSDP Storm


  • From: Marshall Eubanks
  • Cc: Greg Shepherd, zaid, Matthew Davy, Philip Pishioneri, mbone mail list
  • Subject: Re: MSDP Storm
  • Date: Wed, 17 Jan 2001 17:09:36 -0500


http://news.cnet.com/news/0-1003-201-4508359-0.html?tag=st.ne.1002.thed.sf



Al Adler wrote:

> Bill Owens wrote:
>
> > At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
> > >Greg et al;
> > >
> > > We had a real MSDP storm today from UMASS / 5 College - at one
> > >point AS 1249 was reporting ~15,000 (S,G). Here are
> > >a few
> > >
> > >. . .
> > >As you can see, the G are sequential and the S is assigned to UMass.
> > >Any idea what this
> > >could be ?
> >
> > Looking briefly at the machine, it is a RedHat 6.2 box with lots of
> > services running, including a vulnerable wu-ftpd:
> >
> > Connected to 128.119.240.205.
> > 220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28
> > 10:30:36 EST 2000) ready.
> >
> > My guess is that it was rooted by the so-called ramen worm, which has
> > been seen in the wild for the first time in the last few days. It
> > uses a program called synscan to look for vulnerable wu-ftpd servers
> > to infect. That jives with Mark Fullmer's observation that an earlier
> > storm source was an FTP scanner. That other machine is now off the
> > air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box
> > with a vulnerable wu-ftpd.
> >
> > I posted a note to one of the mailing lists that is discussing the
> > ramen worm, to see if someone who has it in captivity can confirm
> > that it scans the multicast address space.
> >
> > Bill.
> >
> > PS - the scanner noted above is now off the air too. . .
>
> That version of wu-ftp is supposed to be the "fixed" one according to
> redhat. The ramen worm also attempts to exploit rpc.statd - we've seen
> what appeared to be a successful exploit against what redhat called the
> "fixed" version of statd. This could need some additional fixes...
> Al




--
Regards
Marshall Eubanks



T.M. Eubanks
Multicast Technologies, Inc
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624
Fax : 703-293-9609




http://www.on-the-i.com http://www.buzzwaves.com
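
An added example, not part of the original message or thread: a small detector for the pattern described in the quoted report, where one source appears in the SA cache with a large number of sequential groups. The input format (an iterable of `(source, group)` pairs), the thresholds `min_groups` and `min_run`, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MCAST = ipaddress.ip_network("224.0.0.0/4")  # IPv4 multicast range

def longest_sequential_run(groups):
    """Length of the longest run of numerically consecutive group addresses."""
    nums = sorted({int(ipaddress.ip_address(g)) for g in groups})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_storm_sources(sa_entries, min_groups=100, min_run=50):
    """Return {source: (group_count, longest_run)} for sources that look
    like an address sweep. Thresholds are hypothetical; tune per network."""
    by_source = defaultdict(set)
    for source, group in sa_entries:
        if ipaddress.ip_address(group) in MCAST:
            by_source[source].add(group)
    flagged = {}
    for source, groups in by_source.items():
        run = longest_sequential_run(groups)
        if len(groups) >= min_groups and run >= min_run:
            flagged[source] = (len(groups), run)
    return flagged

def constructed_sample():
    """Constructed data: one host touching 300 consecutive groups,
    plus two ordinary senders with a handful of unrelated groups."""
    base = int(ipaddress.ip_address("224.5.0.0"))
    sweep = [("192.0.2.10", str(ipaddress.ip_address(base + i)))
             for i in range(300)]
    normal = [("198.51.100.7", "233.1.2.3"), ("198.51.100.7", "233.1.2.9"),
              ("203.0.113.4", "224.2.127.254")]
    return sweep + normal

if __name__ == "__main__":
    for src, (count, run) in find_storm_sources(constructed_sample()).items():
        print(f"{src}: {count} groups, longest sequential run {run}")
```

Requiring both a high group count and a long consecutive run keeps a busy but legitimate sender from being flagged on volume alone.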




