[ISN] *MAJOR SECURITY BREACH AT CCBILL**

From: InfoSec News (isnat_private)
Date: Wed Dec 19 2001 - 22:23:21 PST

  • Next message: InfoSec News: "Re: [ISN] Adopt A Soldier, or something like that..."

    Forwarded from: Ryan W. Maple <ryanat_private>
    
    ---------- Forwarded message ----------
    Date: Wed, 19 Dec 2001 04:14:48 -0500
    From: Dayne Jordan <djordanat_private>
    To: incidentsat_private
    Subject: *MAJOR SECURITY BREACH AT CCBILL**
    
    It appears that perhaps tens of thousands of username/passwords for
    valid shell logins ALL ACROSS THE NET may have been compromised at
    CCBILL, a large internet credit card/check processor used for
    e-commerce and adult sites, read carefully!!
    
    Well, after the user complaint below, we began some investigation and
    found about 6 of these IRC bots running on our network as well. All
    with a fartone.conf and fartone eggdrop irc daemon listening on port
    9872... this is across 6 different machines alone in our server farm,
    so far that we have found, we are scanning right now to find out if
    there are more listening on port 9872 in our address spaces.
    
    Interestingly enough, the common tie between all these compromised
    accounts is that they are ALL CCBILL customers. Being CCBILL
    customers, they have all their userid and password information to ssh
    to their website(s)/server(s) to update scripts and databases as
    required. Was CCBILL hacked? OR do they have someone inside who has
    released the user information abroad? We called a couple other hosts
    whom we communicate with and voila.. they have boxes with IRC bots
    running on port 9872 as well... also CCBILL clients.
    
    It appears whomever has obtained the CCBILL list of
    usernames/passwords systematically SSH's into their customers server,
    installs the irc eggdrop bot and leaves.
    
    I have found no instances of root kits, or anything else malicious
    being performed or installed. In fact, in all 6 instances they left
    all their .tar and config files, AND their .history files intact.
    Looking thru normal daily log files would not tip you off to any sort
    of compromise at all -No multiple password failures, etc etc because
    they already have the correct password to login :)
    
    It is my opinion that Cavecreek/CCBILL has had a breach of security
    thus releasing user ids and logins on various servers around the
    internet. CCBILLS customer base is in the tens of thousands.
    
    It appears the bots are merely sitting and listening waiting for
    commands for perhaps a large distributed DoS attack, it does not
    appear that they are logging any sensitive data transmitted thru the
    server(s). I tcpdumped the port and logged in and out of the server to
    make sure it wasnt transmitting any data elsewhere. I also confirmed
    that the bots were not logging anything locally either.
    
    I have attached a sample output of strings on the binary file called
    'fartone' for your review, please note there are *several* cavecreek
    machines who are listed as well as many others. ALL these machines
    below have been verified to have port 9872 open and listening with
    perhaps this same type IRC Eggdrop bot running. Also please note, all
    these servers/domains listed below are current CCBILL subscribers:
    
    ares# strings fartone
    #4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
    goldeneye  - bfoN                    
    --BOTADDR insecure.nl:4567/4567
    --BOTFL ghp
    --HOSTS *!*laggat_private
    --LASTON 1008733201 #(_(_)============D
    --XTRA created 1008544330
    --PASS 0dz32ajse1wsg
    arsch      - bfoN                    
    --HOSTS *!*jb@*.t-dialin.net
    --LASTON 1008721551 #testtest
    --BOTADDR 123.123.123.123:25432/25432
    --XTRA created 1008687422
    --PASS fnh4psb7x07rnr
    Nitallica  - bfoN                    
    --HOSTS *!*maulat_private
    --LASTON 1008723944 #torisbots
    --BOTADDR smtp.webpipe.net:6000/6000
    --XTRA created 1008687422
    --PASS 29tuhow2of
    FrauAntje  - bfoN                    
    --HOSTS *!*cfat_private
    --BOTADDR cc118955-b.groni1.gr.nl.home.com:5555/5555
    --XTRA created 1008687422
    --LASTON 1008715911 #fattool
    --PASS 6qgkm19qzmqr41
    hispa      - bfoN                    
    --HOSTS *!*hispaat_private
    --HOSTS *!*hispaat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR thunder2.cwihosting.com:9872/9872
    --XTRA created 1008687422
    --PASS 4rg6kei8cz
    livedom    - bfoN                    
    --HOSTS *!*livedomat_private
    --HOSTS *!*livedomat_private
    --BOTADDR s1.ss.klmz.mi.voyager.net:9872/9872
    --XTRA created 1008687422
    --PASS chahi5e10yz
    fetishUSA  - bfoN                    
    --HOSTS *!*etishUSAat_private
    --HOSTS *!*etishUSA@fetish-usa.com
    --BOTADDR fetish-usa.com:9872/9872
    --XTRA created 1008687422
    --LASTON 1008714534 #fattool.-user
    --PASS el44md4jsx
    edik       - bfoN                    
    --HOSTS *!edikat_private
    --HOSTS *!*eve3at_private
    --LASTON 1008721551 #testtest
    --BOTADDR 216.143.123.202:9872/9872
    --XTRA created 1008687422
    --PASS lpk748otq4
    undergrou  - bfoN                    
    --HOSTS *!undergrouat_private
    --LASTON 1008721551 #testtest
    --BOTADDR undergroundmpegs.com:9872/9872
    --XTRA created 1008687422
    --PASS h9raa3sbzib1isl
    cartoon-x  - bfoN                    
    --HOSTS *!cartoon-xat_private
    --HOSTS *!*rtoon-xat_private
    --LASTON 1008721551 #testtest
    --BOTADDR dynamic.cavecreek.net:9872/9872
    --XTRA created 1008687422
    --PASS jsuf82v4gity
    plump      - bfoN                    
    --HOSTS *!plumpat_private
    --HOSTS *!*lumpat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR viper.acceleratedweb.net:9872/9872
    --XTRA created 1008687422
    --PASS 01rc6sicoh9
    dara       - bfoN                    
    --HOSTS *!daraat_private
    --HOSTS *!*daraat_private
    --HOSTS *!*araat_private
    --LASTON 1008721551 #testtest
    --BOTADDR 209.67.61.60:9872/9872
    --XTRA created 1008687422
    --PASS 1r52f5hl8ua3
    asian      - bfoN                    
    --HOSTS *!asianat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR asianpornoground.com:9872/9872
    --XTRA created 1008687422
    --PASS 8kbbvw1d82r
    flashx     - bfoN                    
    --HOSTS *!flashxat_private
    --LASTON 1008721551 #testtest
    --BOTADDR flashdiet.net:9872/9872
    --XTRA created 1008687422
    --PASS r1mict2o4p3m2g
    bonker     - bfoN                    
    --HOSTS *!bonkerat_private
    --BOTADDR la2.reliablehosting.com:9872/9872
    --XTRA created 1008687422
    --LASTON 1008689564 #fattool
    --PASS mstz9bj3w1
    cypo       - bfoN                    
    --HOSTS *!cypoat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR 66.78.56.62:9872/9872
    --XTRA created 1008687422
    --PASS b051yatpxv78
    adult      - bfoN                    
    --HOSTS *!adultat_private
    --LASTON 1008721551 #testtest
    --BOTADDR 216.66.37.130:9872/9872
    --XTRA created 1008687422
    --PASS 8vk58u93xm0cp
    steenbok   - bfoN                    
    --HOSTS *!steenbokat_private-h-e.com
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR navajo.b-h-e.com:9872/9872
    --XTRA created 1008687422
    --PASS ky613fzu65pt9
    betty      - bfoN                    
    --HOSTS *!bettyat_private
    --BOTADDR 216.226.153.165:9872/9872
    --XTRA created 1008687422
    --PASS svhcr3jpb98bk88
    silky      - bfoN                    
    --HOSTS *!silkyat_private
    --LASTON 1008721551 #testtest
    --BOTADDR www36.mediaserve.net:9872/9872
    --XTRA created 1008703816
    vixie      - bfoN                    
    --HOSTS *!vixieat_private
    --LASTON 1008721551 #testtest
    --BOTADDR zeus.envex.net:9872/9872
    --XTRA created 1008703839
    c0wboy     - bfoN                    
    --HOSTS *!c0wboyat_private
    --LASTON 1008737794 #(_(_)============D
    --BOTADDR arizonasex.com:9872/9872
    --XTRA created 1008703859
    reddawg    - bfoN                    
    --HOSTS *!reddawgat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR 216.215.232.6.nw.nuvox.net:9872/9872
    --XTRA created 1008703890
    blaq       - bfoN                    
    --HOSTS *!blaqat_private
    --HOSTS *!*ronudesat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR www.retronudes.com:9872/9872
    --XTRA created 1008704719
    bigdick    - bfoN                    
    --HOSTS *!bigdickat_private
    --HOSTS *!*yguyat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR playawhile.com:9872/9872
    --XTRA created 1008705304
    serve      - bfoN                    
    --HOSTS *!serveat_private
    --HOSTS *!*erveat_private
    --LASTON 1008731356 #(_(_)============D
    --BOTADDR server.iicinternet.com:9872/9872
    --XTRA created 1008706464
    pedal      - bfoN                    
    --HOSTS *!pedalat_private
    --BOTADDR www1.leftcoast.net:9872/9872
    --XTRA created 1008707679
    sizco      - bfoN                    
    --HOSTS *!cremeat_private
    --HOSTS *!*tcremeat_private
    --LASTON 1008737609 #(_(_)============D
    --BOTADDR virtual1.sizco.net:9872/9872
    --XTRA created 1008708744
    melody     - bfoN                    
    --HOSTS *!melodyat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR 64.242.242.9:9872/9872
    --XTRA created 1008710553
    cukinsin   - bfoN                    
    --HOSTS *!cukinsinat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR 209.115.38.113:9872/9872
    --XTRA created 1008711094
    slettebak  - bfoN                    
    --HOSTS *!slettebakat_private
    --HOSTS *!*ettebakat_private
    --LASTON 1008737670 #(_(_)============D
    --BOTADDR stgeorge.janey1.net:9872/9872
    --XTRA created 1008712167
    tussy      - bfoN                    
    --HOSTS *!tussyat_private
    --LASTON 1008721551 #testtest
    --BOTADDR fs2.reliablehosting.com:9872/9872
    --XTRA created 1008712187
    hrm        - bfoN                    
    --HOSTS *!hrmat_private
    --BOTADDR infiniti.isprime.com:9872/9872
    --XTRA created 1008713730
    --LASTON 1008713966 #jungbusch
    fister     - bfoN                    
    --HOSTS *!fisterat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR or9.reliablehosting.com:9872/9872
    --XTRA created 1008713748
    buttfuck   - bfoN                    
    --HOSTS *!buttfuckat_private
    --HOSTS *!*uttfuckat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR www.bridgetfox.com:9872/9872
    --XTRA created 1008715635
    nude       - bfoN                    
    --HOSTS *!*nudeat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR host210.southwestmedia.com:9872/9872
    --XTRA created 1008717613
    kippe      - bfoN                    
    --HOSTS *!*kippeat_private
    --LASTON 1008727382 #(_(_)============D
    --BOTADDR 207.71.95.100@9872:3333/3333
    --XTRA created 1008718483
    lecker     - bfoN                    
    --HOSTS *!*leckerat_private
    --LASTON 1008723944 #torisbots
    --BOTADDR ladynylons.com@9872:3333/3333
    --XTRA created 1008718866
    cf         - hjmnoptx                
    --HOSTS -telnet!*@*
    --HOSTS cfat_private
    --PASS +kqP.7.9x36e.
    --XTRA created 1008425222
    cf_        - fhjmnoptxZ              
    --HOSTS *!cfat_private
    --LASTON 1008727068 @bums
    --PASS +SO3pi.h66XB1
    --XTRA created 1008426075
    chumash    - fhpYZ                   
    --HOSTS *!nitaisaat_private
    --HOSTS *!nitaisaat_private
    --PASS +ghTan/8SXJw1
    --COMMENT 1st Offense Badword
    --XTRA created 1008426757
    m00b       - h                       
    --HOSTS *!b00m@*.planet.arrakis.cz
    --LASTON 1008733043 #0dayxxxpasswords
    --PASS +REjnv1Q0DAf/
    --XTRA created 1008440044
    Cyberwolf  - h                       
    --HOSTS *!Blah@*.rr.com
    --PASS +HPw7k0X0/X51
    --XTRA created 1008442445
    w33d       - hY                      
    --HOSTS *!dopeat_private*
    --PASS +w/e/c.r8kog/
    --XTRA created 1008455421
    --COMMENT 1st Offense Badword
    _maddog_   - hY                      
    --HOSTS *!*ouchabl@*.dial.net4b.pt
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008459615
    undernetx  - hY                      
    --HOSTS *!*dernetx@*.east.verizon.net
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008460443
    O2B3       - hY                      
    --HOSTS *!*frischr@*.xtra.co.nz
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008460560
    xxxxx      - hY                      
    --HOSTS *!cf@*.and.shine
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008465019
    ^[FTO1]^   - hY                      
    --HOSTS *![FTO1]^@*.astound.net
    --PASS +w/e/c.r8kog/
    --XTRA created 1008465619
    --COMMENT 1st Offense Badword
    showty     - hE                      
    --HOSTS *!dfioajat_private*
    --PASS +w/e/c.r8kog/
    --COMMENT 2 Bad Word Offenses
    --XTRA created 1008470243
    _mysdick   - hY                      
    --HOSTS *!mysticalat_private
    --LASTON 1008732953 #0dayxxxpasswords
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008473951
    Shareef_A  - hY                      
    --HOSTS *!Ultimaat_private*
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008477957
    aHiMz      - hY                      
    --HOSTS *!toophatat_private*
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008480641
    sr         - hjmnoptx                
    --HOSTS *!figgeat_private
    --LASTON 1008715929 @goldeneye
    --PASS +9fX2h.WNiV41
    --XTRA created 1008539610
    bigwave    - h                       
    --HOSTS *!*tchbustat_private
    --LASTON 1008704750 #jungbusch
    --PASS +shNEb1VEXSl1
    --XTRA created 1008541504
    qon        - h                       
    --HOSTS *!jbcqon@*.t-dialin.net
    --LASTON 1008701006 #jungbusch
    --PASS +HUtku0I/W6R.
    --XTRA created 1008678075
    qonbot     - h                       
    --HOSTS *!qon@*.t-dialin.net
    --HOSTS *!*achgott@*.t-dialin.net
    --LASTON 1008701417 #jungbusch
    --PASS +HUtku0I/W6R.
    --XTRA created 1008678105
    ice2k      - h                       
    ! #jungbusch           1008706286 fov        
    --HOSTS *!fisch@*.t-dialin.net
    --LASTON 1008706286 #jungbusch
    --PASS +riut8.jEw3u0
    --XTRA created 1008705970
    stiffy     - bfoN                    
    --HOSTS *!*stiffyat_private
    --BOTADDR otis.siteprotect.com@9872:3333/3333
    --XTRA created 1008720570
    moese      - bfoV                    
    --HOSTS *!*moeseat_private
    --BOTADDR ns14.reliablehosting.com@9872:3333/3333
    --XTRA created 1008721358
    moepsy     - bfoN                    
    --HOSTS *!*moepsyat_private
    --LASTON 1008723455 #fattool
    --BOTADDR katarina.super.nu@9872:3333/3333
    --XTRA created 1008723363
    sicker     - bfoN                    
    --HOSTS *!*sicker@1-nude-girls-sex-pictures.com
    --LASTON 1008726564 #0dayxxxpasswords
    --BOTADDR 1-nude-girls-sex-pictures.com@9872:3333/3333
    --XTRA created 1008724705
    pullo      - bfoN                    
    --HOSTS *!*pulloat_private
    --LASTON 1008727313 #0dayxxxpasswords
    --BOTADDR co60.reliablehosting.com@9872:3333/3333
    --XTRA created 1008725430
    wixer      - bfoN                    
    --HOSTS *!*wixerat_private
    --LASTON 1008727314 #0dayxxxpasswords
    --BOTADDR co60.reliablehosting.com@9871:3333/3333
    --XTRA created 1008725589
    bums       - bfoN                    
    --HOSTS *!*bumsat_private
    --BOTADDR 365host.com@9872:3333/3333
    --XTRA created 1008726771
    gretl      - bfoN                    
    --HOSTS *!*gretlat_private
    --LASTON 1008727314 #0dayxxxpasswords
    --BOTADDR saturn.iwebhosting.com@9871:3333/3333
    --XTRA created 1008726906
    
    Please note the .history file just from this one account,
    and this is merely a small sample, please note, these are
    all CCBILL accounts:
    
    ssh -l f215109 www.extremeteens.net
    telnet www.extremeteens.net
    ssh -l amfight www.amfight.com
    ssh -l sm-online www.sm-online.net
    telnet www.musicchief.com
    telnet www.studspa.com
    ssh -l gmill www.G2mil.com
    ssh -l sweetcreme www.sweetcreme.com
    ssh -l roach www.exposedfantasy.com
    ssh -l tfi0080192 www.whores.telinco.co.uk
    ftp www.whores.telinco.co.uk
    ssh -l jen11sex www.jensex.com
    ssh -l webusr www.asianvixens.net 
    ssh -l freakfest www.chicagofreakfest.com
    telnet www.gangbang-wife.com
    ftp gangbang-wife.com
    ssh -l gangbang ganbang-wife.com
    ssh -l gangbang gangbang-wife.com
    ssh -l norfun www.norfun.com
    ssh -l doublejay doublejay.ultraadult.com
    ftp ultraadult.com
    ftp www.internetpleasure.net
    telnet www.internetpleasure.net
    ssh -l admin www.internetpleasure.net
    ftp www.internetpleasure.net
    mail
    w
    ftp www.teenpussy2001.com
    w
    ssh -l livedom www.livedom.com
    ssh -l dmartin2 www.sweetcuties.com
    w
    ssh -l fetish www.fetish-usa.com
    ssh -l dodger www.dodger.co.uk
    ssh -l beavis www.eroticamazon.com
    w
    ls
    ssh -l www.thebondagechanne www.thebondagechannel.com
    ftp www.thebondagechannel.com
    ssh -l hispa hispamagic.com
    ssh -l dodger www.dodger.co.uk
    ssh -l livedom www.livedom.com 
    ssh -l fetish www.fetish-usa.com
    ssh -l jen11sex www.jensex.com
    ssh -l stephenp www.thefun-times.com
    ssh -l barbie www.VoyeurCamCondo.com
    ssh -l eve3 www.strumpfhosen-girls.com
    ssh -l melody www.undergroundmpegs.com
    mail
    telnet www.AMAHO.COM
    ssh -l blueflamedesigns www.blueflamedesigns.com
    ssh -l dynamic www.cartoon-x.net
    ssh -l u1498 www.plumptious.com
    ssh -l rowan55 www.dirtydara.com
    ssh -l barbara www.asianpornoground.com
    ssh -l alenko www.alenko.com
    ssh -l hispa hispamagic.com
    ssh -l livedom www.livedom.com
    ssh -l melody www.undergroundmpegs.com
    ssh -l u1498 www.plumptious.com
    ssh -l rowan55 www.dirtydara.com
    ssh -l rburdwood www.southcouple.com
    ssh -l flashdiet flashdiet.net
    ssh -l cypo www.cypo.com
    ssh -l u44048 adultfrontier.com
    ssh -l u44048 www.adultfrontier.com
    ssh -l avrcon avrcon.com
    ssh -l sara www.boobtique.com
    ssh -l extreme-g www.xtreme-girls.com
    ssh -l lynnol www.lynncarroll.net
    exit
    ssh -l www.extremeteens.net
    /bin/bash
    ssh -l websex www.websex.org
    ssh -l playsi www.silkyplay.com
    ssh -l linda www.nastylinda.com
    ssh -l ndevine www.nikkidevine.com
    ssh -l belleleigh www.belleleigh.com
    ssh -l gtdfor www.arizonasex.com
    ssh -l voyearexpo www.voyeurexpo.com
    /bin/bash
    ssh -l voyeurexpo www.voyeurexpo.com
    ssh -l markiemark www.profitbusiness.com
    telnet www.analaddiction.com
    ssh -l pplump www.proudly-plump.com
    ssh -l taboo www.incesttaboo.com
    ssh -l legendaryreddog www.legendaryreddog.com
    telnet www.adultamateursexpictures.com
    ssh -l miami miamistudios.com
    ssh -l envex www.envex.net
    ssh -l voyeurmyth www.voyeurmyth.com
    ssh -l netpimp www.exhibitionfetish.com
    ssh -l teressam www.teressamoss.com
    ssh -l gospeltr www.gospeltribune.com
    ssh -l mcooper www.findfreefiles.com
    telnet www.retronudes.com
    ssh -l nyguy www.playawhile.com
    ssh -l wickedgamers www.wickedgamers.net
    ssh -l wengle www.hentaidimension.com
    ssh -l nudistphotogallery www.nudistphotogallery.net
    
    
    stanat_private wrote:
    > 
    > 
    > Here is a message regarding a hack attempt. They have stated that the
    > hack was also from our server 216.226.xxx.xxx. How can we check who/what
    > happened from that server. The details from there logs are below.
    > 
    > Stan
    > ****
    > 
    > -------- Original Message --------
    > From: - Tue Dec 18 21:57:22 2001
    > X-UIDL: c531b934e8e90feedce1e9ab85425a46
    > X-Mozilla-Status: 0001
    > X-Mozilla-Status2: 00000000
    > Received: from gelt.cavecreek.net (gelt.cavecreek.net [64.38.195.170])
    > by zeus.xxxxxxxxxx (8.8.5/8.8.5) with ESMTP id AAA22149 for
    > <stan@xxxxxxxxxx>; Wed, 19 Dec 2001 00:49:52 -0500 (EST)
    > Received: from biz-link.com (cx832301-d.chnd1.az.home.com
    > [24.14.253.216]) by gelt.cavecreek.net (8.11.2/8.11.1) with ESMTP id
    > fBJ5thY93497; Tue, 18 Dec 2001 22:55:44 -0700 (MST) (envelope-from
    > wolkove@biz-link.com)
    > Message-ID: <3C202C0C.CDD0D35D@biz-link.com>
    > Date: Tue, 18 Dec 2001 22:56:28 -0700
    > From: Jeff Wolkove <wolkove@biz-link.com>
    > Reply-To: wolkove@biz-link.com
    > Organization: SVM
    > X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
    > X-Accept-Language: en
    > MIME-Version: 1.0
    > To: abuseat_private, stan@xxxxxxxxx
    > CC: supportat_private
    > Subject: Illegal hacking activity
    > Content-Type: text/plain; charset=us-ascii
    > Content-Transfer-Encoding: 7bit
    > X-UIDL: c531b934e8e90feedce1e9ab85425a46
    > 
    > LEGAL NOTICE TO abuseat_private and stan@xxxxxxxxxx
    > Courtesy Copy To: supportat_private
    > 
    > One of your users illegally accessed a server I own and illegally
    > installed and ran software on it. The hacker gained access to the
    > system using a hacked or stolen password and installed "eggdrop"
    > an IRC bot with the capability of launching distributed denial
    > of service attacks.
    > 
    > This hacker accessed my system from cc118955-a.groni1.gr.nl.home.com
    > by FTP as per the following entry in my system FTP logs. All times
    > are Mountain Standard Time (Arizona, USA).
    > 
    > Dec 18 11:48:04 gelt ftpd[23349]: connection from
    > cc118955-a.groni1.gr.nl.home.com (213.51.147.235)
    > 
    > The user also accessed the system using interactive SSH from
    > 216.226.xxx.xxx
    > according to the following entries in syslog
    > 
    > Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for
    > "216.226.xxx.xxx".
    > Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password
    > accepted.
    > Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user
    > gtdfor accepted.
    > Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from
    > 216.226.xxx.xxx, authenticated.
    > 
    > This is a private server and the gtdfor user ID is used only by myself,
    > the system administrator. This is a unix-level login, not a web site
    > account. This(these) user(s) therefore gained access illegally.
    >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 15:27:09 PST