[Snort-users] Port 10008/tcp ?

Bunter, Matthew Matthew.Bunter at ...2008...
Tue May 22 05:05:36 EDT 2001


FYI :

A recent pattern of activity surrounding probes to TCP port 10008 has been
observed in public and private reports. An artifact called the 'cheese
worm' has been obtained, which may contribute to the pattern.

Description:

The 'cheese worm' is a worm designed to remove all inetd services
referencing '/bin/sh' from systems with root shells listening on TCP port
10008. In reality, the 'cheese worm' will attempt to execute a series of
shell commands on any host which accepts TCP connections on TCP port 10008.

The 'cheese worm' perpetuates its attack cycle across multiple hosts by
copying itself from attacking host to victim host and self-initiating
another attack cycle. Thus, no human intervention is required to perpetuate
the cycle once the worm has begun to propagate.

Solution:

Sites are encouraged to review hosts infected with the 'cheese worm' for
other signs of intrusion and take appropriate steps to ensure the
security of impacted systems.

In particular, certain versions of the BIND TSIG exploit discussed in
IN-2001-03, Exploitation of BIND Vulnerabilities
(http://www.cert.org/incident_notes/IN-2001-03.html), create a backdoor
root shell on TCP port 10008. Such an exploit was bundled into at least one
version of the '1i0n' worm. A detailed analysis of the '1i0n' worm was
published by Max Vision and is available at

http://www.whitehats.com/library/worms/lion/index.html

The Korea Computer Emergency Response Team Coordination Center (CERTCC-KR)
has published CERTCC-KR-IN-01-007 discussing the 'cheese' worm in Korean.

If you believe a host under your control has been compromised, you may wish
to refer to

    Steps for Recovering From a Root Compromise

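An added example, not part of the original message or the CERT note, of the host check a defender would run after reading the description above: a small Python audit of inetd.conf that flags entries spawning /bin/sh or bound to TCP 10008. The service name 'cheese' and both file excerpts are constructed for illustration.

```python
# Added example (not from the thread or from CERT): audit inetd.conf for the
# root-shell backdoor the 'cheese worm' targets, i.e. entries that spawn
# /bin/sh or whose service name resolves to TCP 10008.
BACKDOOR_PORT = 10008

# Constructed /etc/services excerpt; the 'cheese' mapping is invented here.
SERVICES_TEXT = """\
ftp      21/tcp
telnet   23/tcp
tftp     69/udp
cheese   10008/tcp   # constructed backdoor mapping
"""

# Constructed inetd.conf excerpt; only the last line is a backdoor.
INETD_TEXT = """\
ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait root   /usr/sbin/tcpd in.telnetd
tftp   dgram  udp wait   nobody /usr/sbin/tcpd in.tftpd
cheese stream tcp nowait root   /bin/sh sh -i
"""

def parse_services(text):
    """Map (service name, protocol) -> port from /etc/services-style text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(fields[0], proto)] = int(port)
    return table

def find_backdoor_entries(inetd_text, services):
    """Return (service, user, port, reason) for each suspicious inetd line."""
    hits = []
    for raw in inetd_text.splitlines():
        # inetd.conf fields: service socktype proto wait user server [args...]
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue
        name, proto, user = fields[0], fields[2], fields[4]
        port = services.get((name, proto))  # None if the name is unknown
        reasons = []
        if "/bin/sh" in fields[5:]:          # server path or any argument
            reasons.append("spawns /bin/sh")
        if port == BACKDOOR_PORT:
            reasons.append("listens on tcp/%d" % BACKDOOR_PORT)
        if reasons:
            hits.append((name, user, port, "; ".join(reasons)))
    return hits
```

Run it as `find_backdoor_entries(INETD_TEXT, parse_services(SERVICES_TEXT))` against the real files on a suspect host by reading /etc/inetd.conf and /etc/services instead of the constructed strings; a hit for a root-owned entry is the backdoor the advisory describes.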

> -----Original Message-----
> From:	Jason Lewis [SMTP:jlewis at ...1831...]
> Sent:	16 May 2001 02:54
> To:	'Bunter, Matthew'; snort-users at lists.sourceforge.net
> Subject:	RE: [Snort-users] Port 10008/tcp ?
> 
> This is from the Incidents list at Securityfocus.com
> 
> On Tue, 15 May 2001, Joerg Weber wrote:
> 
> > my FW-Logs went insane last night with gazillions of connection attempts
> > to port 10008.
> > FW-1 does unfortunately not log dropped packets, so I've no idea about
> > flags et al, but the scan looks like this:
> > SourcePort = Increases with each scan
> > DestPort   = 10008
> 
> I got some scans on port 10008 as well.  The really odd thing is this.  If
> you port scan them back, you'll find that on some high TCP port, if you
> connect and send a few newlines, it'll reply with a uuencoded cheese.tgz
> file.  I took a very brief look at the contents of cheese.tgz.  The
> comments say it's a cleaner, written to remove root shells from
> inetd.conf.  There's a lot more than that in the code though.  Looks like a
> trojan that's really a scanner.
> 
> Jason Lewis
> http://www.packetnexus.com
> "All you can do is manage the risks. There is no security."
> 
> 
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bunter,
> Matthew
> Sent: Tuesday, May 15, 2001 12:26 PM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Port 10008/tcp ?
> 
> 
> Just in case you did a typo (not accusing you or anything)
> 10007 is for mvs capacity and 10080 is for something called amanda
> Nothing for 10007
> 
> Matt
> 
> > -----Original Message-----
> > From:	Tudor Panaitescu [SMTP:tpanaitescu at ...2032...]
> > Sent:	15 May 2001 16:46
> > To:	snort-users at lists.sourceforge.net
> > Subject:	[Snort-users] Port 10008/tcp ?
> >
> > Hello everyone !
> >
> > Does anybody know what is this port, 10008/tcp for ?
> >
> > I've got some attempts, always 2 at a time from the same source address.
> >
> > TIA,
> > Tudor
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
