Vik Bajaj on Sat, 29 Jul 2000 13:45:20 -0400 (EDT)
Forwarded message:

> From owner-sug@LISTS.UPENN.EDU Sat Jul 29 08:58:53 2000
> Delivered-To: vikram@CPU1894.ADSL.BELLGLOBAL.COM
> X-Mailer: ELM [version 2.5 PL1]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Message-ID: <200007290847.EAA13872@cpu1894.adsl.bellglobal.com>
> Date: Sat, 29 Jul 2000 04:47:28 -0400
> Reply-To: Vik Bajaj <vbajaj@SAS.UPENN.EDU>
> Sender: Super Users Group <SUG@LISTS.UPENN.EDU>
> From: Vik Bajaj <vbajaj@SAS.UPENN.EDU>
> Subject: update on Russian trojan
> To: SUG@LISTS.UPENN.EDU
> In-Reply-To: <3.0.6.32.20000728222720.0139e490@localhost> from "Dave Millar" at Jul 28, 2000 10:27:20 PM
>
> My investigation thus far points to an aggressive SYN scanning effort
> from 194.87.*, coupled with tcp connect() scans to tcp/8080 from
> 194.87.6/24 in particular. I have had five incidents reported to me,
> and GIAC/CERT have had approximately 30-40 reported to them. The
> connect() scans are proxy requests to www.commission-junction.com.
> I have also been able to determine that the Russian class B subnet is weak
> and heavily compromised. Still, I would regard these activities as
> benign and not harmful.
>
> There was initial suspicion of a trojan due to outbound connections
> observed from putatively compromised hosts to this Russian subnet.
> Unfortunately, there have been only two reports, and a third which was
> reported to me by one of my clients is unreliable and unrelated. I am
> assembling a test network currently, but there is a good possibility
> that these events are products of non-compliant and/or broken
> implementations such as Conseal Personal Firewall. If anyone is familiar
> with the internals of this product, I would appreciate some advice.
>
> Given the timing of these incidents, it would be wise to take light
> precautions. GIAC should be posting another formal announcement in the
> morning.
>
> Truly,
> Vik Bajaj
>
> > We haven't seen any reports of this sort of activity.
> >
> > If anyone does, please report it to virus@isc.upenn.edu.

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
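The message above describes two patterns a site could look for in its own firewall or flow logs: bare SYNs from 194.87.* fanning out across many destination ports or hosts (a SYN scan), and connections to tcp/8080 from 194.87.6/24 that complete the handshake (connect()-style proxy probes). The following is an added example, not code from Vik Bajaj's message or from the PLUG or SUG lists. It assumes a constructed one-flow-per-line log format (timestamp, protocol, src:sport -> dst:dport, TCP flags) and uses 192.0.2.x TEST-NET addresses as stand-ins for local hosts; only the 194.87 ranges and port 8080 come from the message. It distinguishes half-open probes from completed connections by whether a bare ACK from the same client follows the SYN.

```python
import ipaddress
import re
from collections import defaultdict

# Watch criteria taken from the message: SYN scanning from 194.87.* and
# connect() scans to tcp/8080 from 194.87.6/24.
SCAN_NET = ipaddress.ip_network("194.87.0.0/16")
PROXY_SCAN_NET = ipaddress.ip_network("194.87.6.0/24")
PROXY_PORT = 8080

# Assumed (constructed) log format, one packet/flow event per line:
#   <date> <time> TCP <src>:<sport> -> <dst>:<dport> flags=<flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

# Constructed sample log: one /16 host sweeping six targets with bare SYNs,
# one /24 host completing a handshake to 8080, one /24 host only sending a
# SYN to 8080, one unrelated local flow, and one malformed line.
SAMPLE_LOG = """\
2000-07-29 04:01:10 TCP 194.87.12.5:40001 -> 192.0.2.10:21 flags=S
2000-07-29 04:01:10 TCP 194.87.12.5:40002 -> 192.0.2.10:22 flags=S
2000-07-29 04:01:10 TCP 194.87.12.5:40003 -> 192.0.2.10:23 flags=S
2000-07-29 04:01:11 TCP 194.87.12.5:40004 -> 192.0.2.10:25 flags=S
2000-07-29 04:01:11 TCP 194.87.12.5:40005 -> 192.0.2.10:80 flags=S
2000-07-29 04:01:11 TCP 194.87.12.5:40006 -> 192.0.2.11:80 flags=S
2000-07-29 04:02:30 TCP 194.87.6.21:3345 -> 192.0.2.10:8080 flags=S
2000-07-29 04:02:30 TCP 192.0.2.10:8080 -> 194.87.6.21:3345 flags=SA
2000-07-29 04:02:30 TCP 194.87.6.21:3345 -> 192.0.2.10:8080 flags=A
2000-07-29 04:02:41 TCP 194.87.6.22:3346 -> 192.0.2.12:8080 flags=S
2000-07-29 04:05:00 TCP 10.0.0.5:51000 -> 192.0.2.10:80 flags=S
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, syn_threshold=5):
    """Return (syn_scanners, proxy_probes, unparsed).

    syn_scanners: {src: distinct (dst, dport) targets} for sources in SCAN_NET
                  that initiated at least syn_threshold distinct flows.
    proxy_probes: [(src, dst, completed)] for flows from PROXY_SCAN_NET to
                  tcp/8080; completed is True when a bare ACK followed the SYN,
                  i.e. a full connect() rather than a half-open probe.
    unparsed:     number of lines that did not match the expected format.
    """
    flows = {}  # (src, sport, dst, dport) -> set of flags seen from that side
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows.setdefault(key, set()).add(rec["flags"])

    targets = defaultdict(set)
    proxy_probes = []
    for (src, sport, dst, dport), flags in flows.items():
        if "S" not in flags:  # only flows this side initiated (SYN, not SYN/ACK)
            continue
        if src in SCAN_NET:
            targets[src].add((dst, dport))
        if src in PROXY_SCAN_NET and dport == PROXY_PORT:
            proxy_probes.append((str(src), str(dst), "A" in flags))
    syn_scanners = {str(s): len(t) for s, t in targets.items() if len(t) >= syn_threshold}
    return syn_scanners, proxy_probes, unparsed


if __name__ == "__main__":
    scanners, probes, bad = analyze(SAMPLE_LOG.splitlines())
    print("SYN scanners (distinct targets):", scanners)
    print("tcp/8080 probes (src, dst, handshake completed):", probes)
    print("unparsed lines:", bad)
```

The threshold of five distinct targets is an arbitrary constructed cut-off; in practice it would be tuned against the site's normal inbound traffic, and the half-open versus completed distinction is what separates the SYN-scan component of the message from the proxy connect() requests it describes.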