search for: gimmieip

Displaying 2 results from an estimated 2 matches for "gimmieip".

1999 Mar 29
0
Re: ADM Worm. Worm for Linux x86 found in wild. (fwd)
...bug, although it is fairly easy to make it exploit ANY remote vulnerability. (Put in BSD/Sun exploits and it wouldn't be too linux specific anymore. :&) Ben Cantrick (Macky Stingray) wrote: > How it picks the IP addresses to scan is not > presently known to me. Presumably, the "gimmieip" binary takes care > of that. Someone with more time can dissect it and post the results. True, it will start with a random IP number, then scan sequentially onwards, e.g. 1.1.1.1 1.1.1.2 etc. and re-start at 255.255.255.255. The infection routine works like this (shell script): ./gimmeip...
1999 Mar 26
3
*ALERT*: ADM Worm. Worm for Linux x86 found in wild.
...AP ports. It also seems to be scanning POP, rsh/rlogin, telnet and FTP ports, finger, gopher, etc... Once it's into your system, the worm presumably begins to scan and look for vulnerable machines again. How it picks the IP addresses to scan is not presently known to me. Presumably, the "gimmieip" binary takes care of that. Someone with more time can dissect it and post the results. Here is a file I found on the infected machine called "/tmp/outro" - it appears to be a log that the worm kept as it probed some system. ----- Load the config file... Mail Test CGI Test Telne...