wg-multicast - Re: MSDP Storm

Subject: All things related to multicast


Re: MSDP Storm


  • From: "Lucy E. Lynch" <>
  • To: <>
  • Cc: Bill Owens <>, <>, Greg Shepherd <>, zaid <>, Matthew Davy <>, Philip Pishioneri <>, <>, mbone mail list <>, <>, <>, Al Adler <>
  • Subject: Re: MSDP Storm
  • Date: Wed, 17 Jan 2001 15:45:06 -0800 (PST)

a bit more info on ramen here:

http://members.home.net/dtmartin24/ramen_worm.txt

"And now, the contents of that ramen.tgz file: All the binaries are in the
archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
were not stripped, which makes the job of taking them apart easier."

asp: An xinetd config. file that will start up the fake webserver. Used on RedHat 7.0 victim machines.
asp62: HTTP/0.9-compatible server that always serves out the file /tmp/ramen.tgz to any request - NOT stripped
asp7: RedHat 7-compiled version - NOT stripped
bd62.sh: Does the setup (installing wormserver, removing vulnerable programs, adding ftp users) for RedHat 6.2
bd7.sh: Same for RedHat 7.0
getip.sh: Utility script to get the main external IP address
hackl.sh: Driver to read the .l file and pass addresses to lh.sh
hackw.sh: Driver to read the .w file and pass addresses to wh.sh
index.html: HTML document text
l62: LPRng format string exploit program - NOT stripped
l7: Same but compiled for RedHat 7 - stripped
lh.sh: Driver script to execute the LPRng exploit with several different options
randb62: Picks a random class-B subnet to scan on - NOT stripped
randb7: Same but compiled for RedHat 7 - NOT stripped
s62: statdx exploit - NOT stripped
s7: Same but compiled for RedHat 7 - stripped
scan.sh: get a class-B network from randb and run synscan
start.sh: Replace any index.html with the one from the worm; run getip; determine if we're RedHat 6.2 or 7.0 and run the appropriate bd*.sh and start*.sh
start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
start7.sh: Same as start62.sh
synscan62: Modified synscan tool - records to .w and .l files - stripped
synscan7: Same but compiled for RedHat 7 - stripped
w62: venglin wu-ftpd exploit - stripped
w7: Same but compiled for RedHat 7 - stripped
wh.sh: Driver script to call the "s" and "w" binaries against a given target
wu62: Apparently only included by mistake. "strings" shows it to be very similar to w62; nowhere is this binary ever invoked.

Lucy E. Lynch Academic User Services
Computing Center University of Oregon

(541) 346-1774
Cell: (541) 912-7998

Key fingerprint = 2C 80 2F 8C 5F 68 37 E3 AC 16 09 F1 36 E4 61 15

On Wed, 17 Jan 2001, Al Adler wrote:

> Bill Owens wrote:
>
> > At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
> > >Greg et al;
> > >
> > > We had a real MSDP storm today from UMASS / 5 College - at one
> > >point AS 1249 was reporting ~15,000 (S,G). Here are
> > >a few
> > >
> > >. . .
> > >As you can see, the G are sequential and the S is assigned to UMass.
> > >Any idea what this
> > >could be ?
> >
> > Looking briefly at the machine, it is a RedHat 6.2 box with lots of
> > services running, including a vulnerable wu-ftpd:
> >
> > Connected to 128.119.240.205.
> > 220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28
> > 10:30:36 EST 2000) ready.
> >
> > My guess is that it was rooted by the so-called ramen worm, which has
> > been seen in the wild for the first time in the last few days. It
> > uses a program called synscan to look for vulnerable wu-ftpd servers
> > to infect. That jives with Mark Fullmer's observation that an earlier
> > storm source was an FTP scanner. That other machine is now off the
> > air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box
> > with a vulnerable wu-ftpd.
> >
> > I posted a note to one of the mailing lists that is discussing the
> > ramen worm, to see if someone who has it in captivity can confirm
> > that it scans the multicast address space.
> >
> > Bill.
> >
> > PS - the scanner noted above is now off the air too. . .
>
> From the Stanford hack that just occurred - I didn't even know there was
> a wu-ftp 2.6.1
>
> Connected to 171.64.48.112.
> 220 patio.stanford.edu FTP server (Version wu-2.6.1(1) Wed Aug 9
> 05:54:50 EDT 2000) ready.
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (171.64.48.112:root):
>
> Al
>
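One way to spot the pattern Marshall describes (a single S registered against thousands of sequential G entries) in an MSDP SA cache dump, as an added example that is not part of this thread: the "(S,G)" line format, the thresholds, and the sample entries are constructed assumptions, with the UMass host from the thread used as the scanning source.

```python
"""Flag MSDP (S,G) storm sources: one source paired with a long run of
consecutive multicast groups, which is what a host scanning sequential
addresses that land in 224.0.0.0/4 looks like to the RP.  Added example;
the sample below is constructed, not the output elided from the thread."""
import ipaddress
import re
from collections import defaultdict

# Assumed dump format: one "(S, G)" tuple per entry, as written in the thread.
SA_LINE = re.compile(r"\(\s*([\d.]+)\s*,\s*([\d.]+)\s*\)")


def parse_sa_entries(text):
    """Return (source, group) IPv4Address pairs; skip malformed or non-class-D."""
    entries = []
    for s, g in SA_LINE.findall(text):
        try:
            src, grp = ipaddress.IPv4Address(s), ipaddress.IPv4Address(g)
        except ValueError:
            continue
        if grp.is_multicast:
            entries.append((src, grp))
    return entries


def longest_sequential_run(groups):
    """Length of the longest run of consecutive group addresses (0 if empty)."""
    ints = sorted({int(g) for g in groups})
    best = run = 1 if ints else 0
    for a, b in zip(ints, ints[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_storm_sources(entries, min_groups=50, min_run=20):
    """Map source -> (group_count, longest_run) for sources over both thresholds."""
    by_src = defaultdict(set)
    for src, grp in entries:
        by_src[src].add(grp)
    flagged = {}
    for src, groups in by_src.items():
        run = longest_sequential_run(groups)
        if len(groups) >= min_groups and run >= min_run:
            flagged[str(src)] = (len(groups), run)
    return flagged


# Constructed sample: a benign source with two groups, plus the UMass host
# from the thread paired with 256 consecutive groups (224.10.0.0-224.10.0.255).
SAMPLE = "\n".join(
    ["(198.51.100.7, 233.4.5.6)", "(198.51.100.7, 239.1.2.3)"]
    + [f"(128.119.240.205, 224.10.0.{i})" for i in range(256)]
)

if __name__ == "__main__":
    print(find_storm_sources(parse_sa_entries(SAMPLE)))
```

Tune min_groups and min_run to the normal SA cache size of your RP; a legitimate content source rarely registers into more than a handful of adjacent groups.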




Archive powered by MHonArc 2.6.16.