Ralph Slooten wrote:
Hiya all again,

My webserver is running portsentry, and has, on a daily basis, been blocking and banning all connection attempts from an Australian IP, running on the connect.com.au network.

-= Reason for the block =-
Port-scanning on port 635

-= What is the relevance of Port 635 =-
Name: ADM worm
Aliases: ADM Inet w0rm, Linux.ADM.Worm
Ports: 21, 23, 37, 53, 70, 79, 109, 110, 111, 113, 143, 513, 514, 635, 31337
Files:
  Admw0rm-v1.tar.gz - 7,427 bytes
  Admw0rm.tgz -
  Admw0rm - 1,725 bytes
  Gimmeip - 545 bytes
  Gimmerand.c - 314 bytes
  Incremental - 765 bytes
  Named_admv2.c - 5,892 bytes
  Remotecmd.c - 4,098 bytes
  Scanconnect.c - 1,483 bytes
  Startup - 670 bytes
  Testvuln.c - 4,299 bytes
Created: May 1998
Requires:
Actions: Worm / Rootkit / Backdoor
Registers:
Notes: Works on Unix (Linux). Affects Linux RedHat 4.0 to 5.2

I'm presuming this is a dial-up system, as there aren't too many Linux systems running those old versions of Redhat, but it may be someone's server or something. My guess is that it's someone on this list trying to access my webserver http://axljab.homelinux.org:8080/ on a daily basis, as it's some coincidence that I get 1 block every day from the same network.

IP: Well, there is no real point in publicising the IP, as every day it's different (hence the dial-up theory), but in total about 75% of all my blocks / bans come from the connect.com.au network.

It doesn't bother me, but it may be bothering you, as I'm sure my server won't be the only one blocking/banning all connections from you, so the better option is to find and get rid of this problem. Please, if any of you are on this network, and suspect you may be infected, or are just worried if it's you, contact me (privately), and we can see if we can find a solution for this.

As to the security breach of this trojan, I'm not sure. But it's not good anyway, considering it's a trojan ;-) Look, I may be wrong, as it may be the ISP itself, but before I alert them, I think you guys concerned should maybe have a browse around and check it ain't you.

Thanks
Ralph

Ralph,
have you done the leg work in tracking these connections and reported to the ISP they're coming from yet? That _should_ be the first place to begin. If your theory is correct then the sooner they know about it the better for all concerned all the way around.
--
Mark
-----------------------------------------------------------
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0
ICQ# 27816299
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
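Ralph's reasoning above (daily blocks on port 635, about 75% of them from one ISP's address space) can be checked against the block log rather than by eye. The script below is an added example, not code from either poster: it parses portsentry-style block lines (the line shape is approximated, not copied from the page), tallies blocks that fall inside a set of suspect network ranges, and flags ports that appear on the ADM worm port list quoted in the message. The sample log lines and the 203.0.113.0/24 range standing in for the ISP are constructed; real ranges would come from whois.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports listed for the ADM worm in the message above.
ADM_WORM_PORTS = {21, 23, 37, 53, 70, 79, 109, 110, 111, 113, 143, 513, 514, 635, 31337}

# Approximation of a portsentry "attackalert" syslog line (assumed shape, not from the page).
LINE_RE = re.compile(
    r"attackalert: Connect from host: \S+/(\d+\.\d+\.\d+\.\d+) to (TCP|UDP) port: (\d+)"
)


def parse_blocks(lines):
    """Return (ip, proto, port) for every line that looks like a portsentry block."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


def summarise(hits, suspect_nets):
    """Count blocks per suspect network and tally TCP ports on the ADM worm list.

    suspect_nets: CIDR strings standing in for the ISP's address space.
    Returns totals, the share of blocks from those ranges, and per-port worm hits.
    """
    nets = [ip_network(n) for n in suspect_nets]
    per_net, worm_ports = Counter(), Counter()
    for ip, proto, port in hits:
        addr = ip_address(ip)
        per_net.update(str(net) for net in nets if addr in net)
        if proto == "TCP" and port in ADM_WORM_PORTS:
            worm_ports[port] += 1
    total = len(hits)
    from_suspect = sum(per_net.values())
    return {
        "total": total,
        "from_suspect": from_suspect,
        "share": from_suspect / total if total else 0.0,
        "per_net": dict(per_net),
        "worm_ports": dict(worm_ports),
    }


# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "Jan 10 03:12:44 web portsentry[811]: attackalert: Connect from host: dialup1.example.net/203.0.113.17 to TCP port: 635",
    "Jan 11 02:58:01 web portsentry[811]: attackalert: Connect from host: 203.0.113.42/203.0.113.42 to TCP port: 635",
    "Jan 12 04:03:19 web portsentry[811]: attackalert: Connect from host: dialup9.example.net/203.0.113.9 to TCP port: 635",
    "Jan 12 09:41:07 web portsentry[811]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 22",
]

if __name__ == "__main__":
    print(summarise(parse_blocks(SAMPLE_LOG), ["203.0.113.0/24"]))
```

Feeding the real log through `parse_blocks` and the ISP's actual ranges through `summarise` turns the "about 75%" estimate into a number that can be quoted in the abuse report Mark suggests.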