On Sun, 2003-01-19 at 03:34, Ralph Slooten wrote:
> Hiya all again,
>
> My webserver is running portsentry, and has, on a daily basis been
> blocking and banning all connection attempts from an Australian IP,
> running on the connect.com.au network.

Ha! It ain't me! (g)

> -= Reason for the block =-
> Port-scanning on port 635
>
> -= What is the relevance of Port 635 =-
> Name: ADM worm
> Aliases: ADM Inet w0rm, Linux.ADM.Worm,
> Ports: 21, 23, 37, 53, 70, 79, 109, 110, 111, 113, 143, 513, 514, 635, 31337
> Files: Admw0rm-v1.tar.gz - 7,427 bytes
>        Admw0rm.tgz -
>        Admw0rm - 1,725 bytes
>        Gimmeip - 545 bytes
>        Gimmerand.c - 314 bytes
>        Incremental - 765 bytes
>        Named_admv2.c - 5,892 bytes
>        Remotecmd.c - 4,098 bytes
>        Scanconnect.c - 1,483 bytes
>        Startup - 670 bytes
>        Testvuln.c - 4,299 bytes
> Created: May 1998
> Requires:
> Actions: Worm / Rootkit / Backdoor
> Registers:
> Notes: Works on Unix (Linux). Affects Linux RedHat 4.0 to 5.2

Whoever is running RH 4 - 5.2 surely ain't done any of the security
updates/upgrades...

> I'm presuming this is a dial-up system, as there aren't too many Linux
> systems running those old versions of Redhat, but it maybe someone's
> server or something. My guess is that it's someone on this list trying
> to access my webserver http://axljab.homelinux.org:8080/ on a daily
> basis, as it's some coincidence that I get 1 block every day from the
> same network.

After looking at http://www.connect.com.au, I'd reckon this person is on
a dial up as well - because if they were using ADSL, they'd have a
helluva time getting RH 4 - 5.2 to work on it...

> IP: Well, there is no real point in publicising the IP, as every day
> it's different (hence the dial-up theory), but in total about 75% of all
> my blocks / bans come from the connect.com.au network.
>
> It doesn't bother me, but it may be bothering you as I'm sure my server
> won't be the only one blocking/banning all connections from you, so the
> better option is to find and get rid of this problem.

Mate, have you considered reporting the IP to administration at
Connect.com.au? Because being that this is against their "Acceptable
User Policy", whoever the culprit is would be sent a nasty email from
them stating that there's a problem on their machine...ya reckon?

> Please, if any of you are on this network, and suspect you may be
> infected, or are just worried if it's you, contact me (privately), and
> we can see if we can find a solution for this.
>
> As to the security breach of this trojan, I'm not sure. But it's not
> good anyway, considering it's a trojan ;-)

All trojans are bad - and this is how "ancient" bugs are kept alive to
this day. This affects the entire online community and community members
should do their best to alert the "culprit" in a nice manner...

> Look, I may be wrong, as it may be the ISP itself, but before I alert
> them, I think you guys concerned should maybe have a browse around and
> check it ain't you.

Mate, if YOU don't want to alert them, I'll be more than happy to both
write them and call them (they're in my state - even though they're a
sad ISP - but gives me someone to yell at)...ha!

-- 
Sun Jan 19 07:15:01 EST 2003
 7:15am up 2 days, 16:58, 4 users, load average: 0.10, 0.21, 0.18
------------------------------------------------------------------
kuhn media australia | http://kma.0catch.com
stephen kuhn | email: [EMAIL PROTECTED] | email: [EMAIL PROTECTED]
icq: 5483808 | mobile: 0410-728-389
Berkeley, New South Wales, AU
------------------------------------------------------------------
linux user:267497 * RH 8.0 * PC/Mac/Linux/Networking/Consulting
------------------------------------------------------------------
I have no doubt that it is a part of the destiny of the human race,
in its gradual improvement, to leave off eating animals. -- Thoreau
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
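The thread above is about portsentry banning a different dial-up address from the same ISP pool every day, with the worm profile for port 635 listing the ports the ADM worm probes. The script below is an added example, not from the original post or from portsentry itself: it summarises a block history by source network and measures how much of each source's probed ports overlap the quoted ADM worm port list, which is the kind of check that turns "75% of my blocks come from that network" into something you can hand to the ISP's abuse desk. The history line shape is an assumption modelled on portsentry's history file, the addresses come from documentation ranges, and the network mapping is a constructed stand-in for a whois lookup.

```python
"""Summarise portsentry-style block records by source network and compare
each source's probed ports with the ADM worm port list quoted in the thread.
Added example; log format, addresses and network mapping are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Port list quoted in the thread for the ADM worm.
ADM_WORM_PORTS = {21, 23, 37, 53, 70, 79, 109, 110, 111, 113, 143,
                  513, 514, 635, 31337}

# Assumed line shape (modelled on portsentry.history):
# "<epoch> - <mm/dd/yyyy hh:mm:ss> Host: <name>/<ip> Port: <n> <proto> Blocked"
LINE_RE = re.compile(
    r"Host:\s*(?P<name>\S+)/(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"Port:\s*(?P<port>\d+)\s+(?P<proto>TCP|UDP)"
)

# Constructed sample: one block per night from a changing dial-up address,
# plus one unrelated block from elsewhere.
SAMPLE_HISTORY = """\
1042950000 - 01/19/2003 03:34:10 Host: 203.0.113.17/203.0.113.17 Port: 635 TCP Blocked
1043036400 - 01/20/2003 03:36:02 Host: 203.0.113.44/203.0.113.44 Port: 635 TCP Blocked
1043036460 - 01/20/2003 03:37:02 Host: 203.0.113.44/203.0.113.44 Port: 111 TCP Blocked
1043122800 - 01/21/2003 04:01:55 Host: 203.0.113.90/203.0.113.90 Port: 635 TCP Blocked
1043122900 - 01/21/2003 04:03:35 Host: 203.0.113.90/203.0.113.90 Port: 53 TCP Blocked
1043209200 - 01/22/2003 09:12:00 Host: 198.51.100.8/198.51.100.8 Port: 8080 TCP Blocked
"""

# Constructed mapping of an ISP's dial-up pool; in practice taken from whois.
NETWORKS = {"example-isp-pool": ip_network("203.0.113.0/24")}


def parse_history(text):
    """Yield (ip, port) from each line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port"))


def classify_network(ip):
    """Label an address by the first configured network containing it."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "other"


def summarise(text):
    """Return (share_by_network, ports_by_network).

    share_by_network: fraction of all block events attributed to each label.
    ports_by_network: set of destination ports probed from each label.
    """
    counts = defaultdict(int)
    ports = defaultdict(set)
    total = 0
    for ip, port in parse_history(text):
        label = classify_network(ip)
        counts[label] += 1
        ports[label].add(port)
        total += 1
    share = {n: c / total for n, c in counts.items()} if total else {}
    return share, dict(ports)


def worm_port_overlap(ports):
    """Fraction of a source's probed ports that are in the quoted worm list."""
    if not ports:
        return 0.0
    return len(ports & ADM_WORM_PORTS) / len(ports)


if __name__ == "__main__":
    share, ports = summarise(SAMPLE_HISTORY)
    for label in share:
        print(f"{label}: {share[label]:.0%} of blocks, "
              f"ports {sorted(ports[label])}, "
              f"worm-profile overlap {worm_port_overlap(ports[label]):.0%}")
```

Run it against a real history file by replacing `SAMPLE_HISTORY` with the file's contents and `NETWORKS` with the ISP's allocated ranges; a high share from one pool together with a high overlap against the worm's port list is the evidence worth attaching to an abuse report, whereas a single 8080 probe from elsewhere is just someone looking for the web server.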