[Snort-users] Linux worm: stuff.tgz, CHAOS/TXT

Ian Jones ian at ...686...
Sat Jun 23 16:57:27 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is this something that has been around for a while? There is a worm
spreading via bind (suprise!) which scans for victims using CHAOS/TXT
queries. After finding and compromising the victim it establishes a
webserver on tcp port 12321 on the victim to serve files to future victims.
I checked my packet dumps and found several infected hosts.

If you want to poke at it, the following hosts is currently up, but I did
notify the whois contact.
http://203.85.223.195:12321/stuff.tgz

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBOzUCtcAVSpfzXItKEQI4KQCg81erarwmgGCXUvr3/pLNqBMjD0oAoPa6
Lx+vbSzHDc95pgOKDR7NiqSC
=F3Qz
-----END PGP SIGNATURE-----






More information about the Snort-users mailing list