Vik Bajaj on Sat, 29 Jul 2000 13:45:20 -0400 (EDT)



[PLUG] update on Russian trojan (fwd)


Forwarded message:
> From owner-sug@LISTS.UPENN.EDU Sat Jul 29 08:58:53 2000
> Delivered-To: vikram@CPU1894.ADSL.BELLGLOBAL.COM
> X-Mailer: ELM [version 2.5 PL1]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Message-ID:  <200007290847.EAA13872@cpu1894.adsl.bellglobal.com>
> Date:         Sat, 29 Jul 2000 04:47:28 -0400
> Reply-To: Vik Bajaj <vbajaj@SAS.UPENN.EDU>
> Sender: Super Users Group <SUG@LISTS.UPENN.EDU>
> From: Vik Bajaj <vbajaj@SAS.UPENN.EDU>
> Subject:      update on Russian trojan
> To: SUG@LISTS.UPENN.EDU
> In-Reply-To:  <3.0.6.32.20000728222720.0139e490@localhost> from "Dave Millar"
>               at Jul 28, 2000 10:27:20 PM
> 
> My investigation thus far points to an aggressive SYN scanning effort
> from 194.87.*, coupled with tcp connect() scans to tcp/8080 from
> 194.87.6/24 in particular.  I have had five incidents reported to me,
> and GIAC/CERT have had approximately 30-40 reported to them.  The
> connect() scans are proxy requests to www.commission-junction.com.
> I have also been able to determine that the Russian class B subnet is weak
> and heavily compromised.  Still, I would regard these activities as
> benign and not harmful.
> 
> There was initial suspicion of a trojan due to outbound connections
> observed from putatively compromised hosts to this Russian subnet.
> Unfortunately, there have been only two reports, and a third which was
> reported to me by one of my clients is unreliable and unrelated.  I am
> assembling a test network currently, but there is a good possibility
> that these events are products of non-compliant and/or broken
> implementations such as Conseal Personal Firewall.  If anyone is familiar
> with the internals of this product, I would appreciate some advice.
> 
> Given the timing of these incidents, it would be wise to take light
> precautions.  GIAC should be posting another formal announcement in the
> morning.
> 
> Truly,
> Vik Bajaj
> 
> 
> >
> > We haven't seen any reports of this sort of activity.
> >
> > If anyone does, please report it to virus@isc.upenn.edu.
> >
> 
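The two patterns the forwarded report describes, half-open SYN sweeps from 194.87.* and connect() scans to tcp/8080 that turn out to be HTTP proxy requests for www.commission-junction.com, are the kind of thing a site can pick out of its own connection logs. The script below is an added example for this archive page, not code from Vik Bajaj, GIAC or PLUG; the log format, the sample lines, the 10.0.0.x hosts and the 194.87.120.9 source are all constructed for illustration (194.87.6.0/24 and the commission-junction hostname come from the report itself).

```python
"""Flag two patterns from the report over constructed connection-log lines:
half-open SYN sweeps from one source, and HTTP proxy requests (absolute-URI
request lines) arriving on tcp/8080 from a watched subnet.  The log format
is invented for this example."""
from collections import defaultdict
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample records (not real captures):
# <timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags> [<first payload line>]
SAMPLE_LOG = """\
2000-07-29T04:10:01 194.87.6.21 10.0.0.5 8080 S
2000-07-29T04:10:01 194.87.6.21 10.0.0.5 8080 PA GET http://www.commission-junction.com/ HTTP/1.0
2000-07-29T04:10:02 194.87.6.21 10.0.0.6 8080 S
2000-07-29T04:10:02 194.87.6.21 10.0.0.6 8080 PA GET http://www.commission-junction.com/ HTTP/1.0
2000-07-29T04:11:30 194.87.120.9 10.0.0.5 21 S
2000-07-29T04:11:30 194.87.120.9 10.0.0.5 23 S
2000-07-29T04:11:30 194.87.120.9 10.0.0.5 80 S
2000-07-29T04:11:31 194.87.120.9 10.0.0.5 110 S
2000-07-29T04:11:31 194.87.120.9 10.0.0.5 143 S
2000-07-29T04:11:31 194.87.120.9 10.0.0.7 22 S
2000-07-29T04:20:00 10.0.0.50 10.0.0.5 80 S
2000-07-29T04:20:00 10.0.0.50 10.0.0.5 80 PA GET /index.html HTTP/1.0
2000-07-29T04:21:00 10.0.0.50 10.0.0.5 8080 S
2000-07-29T04:21:00 10.0.0.50 10.0.0.5 8080 PA GET http://intranet.example/ HTTP/1.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) ([A-Z]+)(?: (.*))?$")


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, flags, payload = m.groups()
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                        "flags": flags, "payload": payload or ""})
    return records


def find_syn_scanners(records, min_targets=5):
    """Return {src: half_open_targets} for sources whose SYNs to at least
    min_targets distinct (dst, port) pairs were never followed by a segment
    carrying data.  A host that completes handshakes and sends payload is a
    client, not a sweeper, so its targets are subtracted."""
    syn_targets = defaultdict(set)
    data_targets = defaultdict(set)
    for r in records:
        key = (r["dst"], r["port"])
        if r["flags"] == "S":
            syn_targets[r["src"]].add(key)
        elif "P" in r["flags"]:
            data_targets[r["src"]].add(key)
    result = {}
    for src, targets in syn_targets.items():
        half_open = targets - data_targets[src]
        if len(half_open) >= min_targets:
            result[src] = len(half_open)
    return result


# A request line with an absolute URI means the sender expects dst to relay it.
ABS_URI_RE = re.compile(r"^(?:GET|POST|HEAD) (https?://\S+) HTTP/1\.[01]$")


def find_proxy_probes(records, watch_net="194.87.6.0/24", port=8080):
    """Return (src, dst, requested_host) for requests on `port` whose request
    line carries an absolute URI, i.e. the sender is treating dst as an open
    proxy.  Only sources inside watch_net are reported; pass "0.0.0.0/0" to
    see every such request."""
    net = ipaddress.ip_network(watch_net)
    hits = []
    for r in records:
        if r["port"] != port or ipaddress.ip_address(r["src"]) not in net:
            continue
        m = ABS_URI_RE.match(r["payload"])
        if m:
            hits.append((r["src"], r["dst"], urlsplit(m.group(1)).hostname))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SYN sweepers:", find_syn_scanners(recs))
    for src, dst, host in find_proxy_probes(recs):
        print(f"proxy request from {src} via {dst} for {host}")
```

The SYN check deliberately discounts sources that go on to send data, which is what separates the half-open sweep the report attributes to 194.87.* from the completed connect() probes on 8080; those are caught instead by the absolute-URI test, which is the give-away that the remote side is hunting for open proxies rather than talking to a web server of its own. A site running an HTTP proxy on 8080 should expect local clients to produce the same request shape, which is why the watch_net filter exists.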

______________________________________________________________________
Philadelphia Linux Users Group       -       http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion   -   http://lists.phillylinux.org/mail/listinfo/plug