All things related to multicast

[Al Adler <>]

Bill Owens wrote:

> At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
> >Greg et al;
> >
> >    We had a real MSDP storm today from UMASS / 5 College - at one
> >point AS 1249 was reporting ~15,000 (S,G). Here are
> >a few
> >
> >. . .
> >As you can see, the G are sequential and the S is assigned to UMass.
> >Any idea what this
> >could be ?
>
> Looking briefly at the machine, it is a RedHat 6.2 box with lots of
> services running, including a vulnerable wu-ftpd:
>
> Connected to 128.119.240.205.
> 220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28
> 10:30:36 EST 2000) ready.
>
> My guess is that it was rooted by the so-called ramen worm, which has
> been seen in the wild for the first time in the last few days. It
> uses a program called synscan to look for vulnerable wu-ftpd servers
> to infect. That jives with Mark Fullmer's observation that an earlier
> storm source was an FTP scanner. That other machine is now off the
> air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box
> with a vulnerable wu-ftpd.
>
> I posted a note to one of the mailing lists that is discussing the
> ramen worm, to see if someone who has it in captivity can confirm
> that it scans the multicast address space.
>
> Bill.
>
> PS - the scanner noted above is now off the air too. . .

>From the stanford hack that just occured - I didn't even know there was
a wu-ftp 2.6.1

Connected to 171.64.48.112.
220 patio.stanford.edu FTP server (Version wu-2.6.1(1) Wed Aug 9
05:54:50 EDT 2000) ready.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (171.64.48.112:root):

Al