From: InfoSec News (isnat_private)
Date: Mon Dec 24 2001 - 00:16:01 PST


    Forwarded from: Jason Ware <jwareat_private>
    This is someone's eggdrop botnet; the first part of the dump is the
    user file.  The -bfoN is the set of user flags, and b means another bot.
    The port it listens on, 9872, is the port the bots will use to connect
    to each other, using telnet or DCC, so that they can communicate.
    The first bot listed, goldeneye, is the hub bot; "--BOTFL ghp" means
    this bot will listen to goldeneye for any changes to user or channel
    records and will always try to connect to it.  You can find more
    information about eggdrop bots and botnets at
    Incidentally, this botnet is running the netbots set of scripts (the N
    flag means it's a netbots bot).  This script's maker is the one running, but he would not be involved in this mess; it is a very
    common and useful set of scripts for eggdrop bots.  Eggdrop bots are
    mostly harmless; they are used to hold and guard chat channels on IRC,
    but they can be modified very easily and run Tcl scripts to do some
    nasty or wonderful things.
    -----Original Message-----
    From: InfoSec News [mailto:isnat_private]
    Sent: Wednesday, December 19, 2001 10:23 PM
    To: isnat_private
    Forwarded from: Ryan W. Maple <ryanat_private>
    ---------- Forwarded message ----------
    Date: Wed, 19 Dec 2001 04:14:48 -0500
    From: Dayne Jordan <djordanat_private>
    To: incidentsat_private
    It appears that perhaps tens of thousands of usernames/passwords for
    valid shell logins ALL ACROSS THE NET may have been compromised at
    CCBILL, a large internet credit card/check processor used for
    e-commerce and adult sites.  Read carefully!!
    Well, after the user complaint below, we began some investigation and
    found about 6 of these IRC bots running on our network as well, all
    with a fartone.conf and a fartone eggdrop IRC daemon listening on port
    9872... this is across 6 different machines in our server farm alone,
    so far that we have found; we are scanning right now to find out if
    there are more listening on port 9872 in our address spaces.
    Interestingly enough, the common tie between all these compromised
    accounts is that they are ALL CCBILL customers.  Being CCBILL
    customers, they have all their userid and password information to ssh
    to their website(s)/server(s) to update scripts and databases as
    required.  Was CCBILL hacked?  Or do they have someone inside who has
    released the user information abroad?  We called a couple of other hosts
    whom we communicate with and voila... they have boxes with IRC bots
    running on port 9872 as well... also CCBILL clients.
    It appears whoever has obtained the CCBILL list of
    usernames/passwords systematically SSHes into their customers' servers,
    installs the IRC eggdrop bot and leaves.
    I have found no instances of rootkits, or anything else malicious
    being performed or installed.  In fact, in all 6 instances they left
    all their .tar and config files, AND their .history files, intact.
    Looking through normal daily log files would not tip you off to any sort
    of compromise at all; no multiple password failures, etc. etc., because
    they already have the correct password to log in :)
    It is my opinion that Cavecreek/CCBILL has had a breach of security,
    thus releasing user ids and logins on various servers around the
    internet.  CCBILL's customer base is in the tens of thousands.
    It appears the bots are merely sitting and listening, waiting for
    commands for perhaps a large distributed DoS attack; it does not
    appear that they are logging any sensitive data transmitted through the
    server(s).  I tcpdumped the port and logged in and out of the server to
    make sure it wasn't transmitting any data elsewhere.  I also confirmed
    that the bots were not logging anything locally either.
    I have attached a sample output of strings on the binary file called
    'fartone' for your review.  Please note there are *several* Cavecreek
    machines that are listed as well as many others.  ALL these machines
    below have been verified to have port 9872 open and listening, with
    perhaps this same type of IRC eggdrop bot running.  Also please note, all
    these servers/domains listed below are current CCBILL subscribers:
    ares# strings fartone
    #4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
    goldeneye  - bfoN                    
    --BOTFL ghp
    --HOSTS *!*laggat_private
    --LASTON 1008733201 #(_(_)============D
    --XTRA created 1008544330
    --PASS 0dz32ajse1wsg
    arsch      - bfoN                    
    --HOSTS *!*jb@*
    --LASTON 1008721551 #testtest
    --XTRA created 1008687422
    --PASS fnh4psb7x07rnr
    Nitallica  - bfoN                    
    --HOSTS *!*maulat_private
    --LASTON 1008723944 #torisbots
    --XTRA created 1008687422
    --PASS 29tuhow2of
    FrauAntje  - bfoN                    
    --HOSTS *!*cfat_private
    --XTRA created 1008687422
    --LASTON 1008715911 #fattool
    --PASS 6qgkm19qzmqr41
    hispa      - bfoN                    
    --HOSTS *!*hispaat_private
    --HOSTS *!*hispaat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008687422
    --PASS 4rg6kei8cz
    livedom    - bfoN                    
    --HOSTS *!*livedomat_private
    --HOSTS *!*livedomat_private
    --XTRA created 1008687422
    --PASS chahi5e10yz
    fetishUSA  - bfoN                    
    --HOSTS *!*etishUSAat_private
    --HOSTS *!*
    --XTRA created 1008687422
    --LASTON 1008714534 #fattool.-user
    --PASS el44md4jsx
    edik       - bfoN                    
    --HOSTS *!edikat_private
    --HOSTS *!*eve3at_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008687422
    --PASS lpk748otq4
    undergrou  - bfoN                    
    --HOSTS *!undergrouat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008687422
    --PASS h9raa3sbzib1isl
    cartoon-x  - bfoN                    
    --HOSTS *!cartoon-xat_private
    --HOSTS *!*rtoon-xat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008687422
    --PASS jsuf82v4gity
    plump      - bfoN                    
    --HOSTS *!plumpat_private
    --HOSTS *!*lumpat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008687422
    --PASS 01rc6sicoh9
    dara       - bfoN                    
    --HOSTS *!daraat_private
    --HOSTS *!*daraat_private
    --HOSTS *!*araat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008687422
    --PASS 1r52f5hl8ua3
    asian      - bfoN                    
    --HOSTS *!asianat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008687422
    --PASS 8kbbvw1d82r
    flashx     - bfoN                    
    --HOSTS *!flashxat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008687422
    --PASS r1mict2o4p3m2g
    bonker     - bfoN                    
    --HOSTS *!bonkerat_private
    --XTRA created 1008687422
    --LASTON 1008689564 #fattool
    --PASS mstz9bj3w1
    cypo       - bfoN                    
    --HOSTS *!cypoat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008687422
    --PASS b051yatpxv78
    adult      - bfoN                    
    --HOSTS *!adultat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008687422
    --PASS 8vk58u93xm0cp
    steenbok   - bfoN                    
    --HOSTS *!
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008687422
    --PASS ky613fzu65pt9
    betty      - bfoN                    
    --HOSTS *!bettyat_private
    --XTRA created 1008687422
    --PASS svhcr3jpb98bk88
    silky      - bfoN                    
    --HOSTS *!silkyat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008703816
    vixie      - bfoN                    
    --HOSTS *!vixieat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008703839
    c0wboy     - bfoN                    
    --HOSTS *!c0wboyat_private
    --LASTON 1008737794 #(_(_)============D
    --XTRA created 1008703859
    reddawg    - bfoN                    
    --HOSTS *!reddawgat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008703890
    blaq       - bfoN                    
    --HOSTS *!blaqat_private
    --HOSTS *!*ronudesat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008704719
    bigdick    - bfoN                    
    --HOSTS *!bigdickat_private
    --HOSTS *!*yguyat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008705304
    serve      - bfoN                    
    --HOSTS *!serveat_private
    --HOSTS *!*erveat_private
    --LASTON 1008731356 #(_(_)============D
    --XTRA created 1008706464
    pedal      - bfoN                    
    --HOSTS *!pedalat_private
    --XTRA created 1008707679
    sizco      - bfoN                    
    --HOSTS *!cremeat_private
    --HOSTS *!*tcremeat_private
    --LASTON 1008737609 #(_(_)============D
    --XTRA created 1008708744
    melody     - bfoN                    
    --HOSTS *!melodyat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008710553
    cukinsin   - bfoN                    
    --HOSTS *!cukinsinat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008711094
    slettebak  - bfoN                    
    --HOSTS *!slettebakat_private
    --HOSTS *!*ettebakat_private
    --LASTON 1008737670 #(_(_)============D
    --XTRA created 1008712167
    tussy      - bfoN                    
    --HOSTS *!tussyat_private
    --LASTON 1008721551 #testtest
    --XTRA created 1008712187
    hrm        - bfoN                    
    --HOSTS *!hrmat_private
    --XTRA created 1008713730
    --LASTON 1008713966 #jungbusch
    fister     - bfoN                    
    --HOSTS *!fisterat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008713748
    buttfuck   - bfoN                    
    --HOSTS *!buttfuckat_private
    --HOSTS *!*uttfuckat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008715635
    nude       - bfoN                    
    --HOSTS *!*nudeat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008717613
    kippe      - bfoN                    
    --HOSTS *!*kippeat_private
    --LASTON 1008727382 #(_(_)============D
    --XTRA created 1008718483
    lecker     - bfoN                    
    --HOSTS *!*leckerat_private
    --LASTON 1008723944 #torisbots
    --XTRA created 1008718866
    cf         - hjmnoptx                
    --HOSTS -telnet!*@*
    --HOSTS cfat_private
    --PASS +kqP.7.9x36e.
    --XTRA created 1008425222
    cf_        - fhjmnoptxZ              
    --HOSTS *!cfat_private
    --LASTON 1008727068 @bums
    --PASS +SO3pi.h66XB1
    --XTRA created 1008426075
    chumash    - fhpYZ                   
    --HOSTS *!nitaisaat_private
    --HOSTS *!nitaisaat_private
    --PASS +ghTan/8SXJw1
    --COMMENT 1st Offense Badword
    --XTRA created 1008426757
    m00b       - h                       
    --HOSTS *!b00m@*
    --LASTON 1008733043 #0dayxxxpasswords
    --PASS +REjnv1Q0DAf/
    --XTRA created 1008440044
    Cyberwolf  - h                       
    --HOSTS *!Blah@*
    --PASS +HPw7k0X0/X51
    --XTRA created 1008442445
    w33d       - hY                      
    --HOSTS *!dopeat_private*
    --PASS +w/e/c.r8kog/
    --XTRA created 1008455421
    --COMMENT 1st Offense Badword
    _maddog_   - hY                      
    --HOSTS *!*ouchabl@*
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008459615
    undernetx  - hY                      
    --HOSTS *!*dernetx@*
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008460443
    O2B3       - hY                      
    --HOSTS *!*frischr@*
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008460560
    xxxxx      - hY                      
    --HOSTS *!cf@*.and.shine
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008465019
    ^[FTO1]^   - hY                      
    --HOSTS *![FTO1]^@*
    --PASS +w/e/c.r8kog/
    --XTRA created 1008465619
    --COMMENT 1st Offense Badword
    showty     - hE                      
    --HOSTS *!dfioajat_private*
    --PASS +w/e/c.r8kog/
    --COMMENT 2 Bad Word Offenses
    --XTRA created 1008470243
    _mysdick   - hY                      
    --HOSTS *!mysticalat_private
    --LASTON 1008732953 #0dayxxxpasswords
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008473951
    Shareef_A  - hY                      
    --HOSTS *!Ultimaat_private*
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008477957
    aHiMz      - hY                      
    --HOSTS *!toophatat_private*
    --PASS +w/e/c.r8kog/
    --COMMENT 1st Offense Badword
    --XTRA created 1008480641
    sr         - hjmnoptx                
    --HOSTS *!figgeat_private
    --LASTON 1008715929 @goldeneye
    --PASS +9fX2h.WNiV41
    --XTRA created 1008539610
    bigwave    - h                       
    --HOSTS *!*tchbustat_private
    --LASTON 1008704750 #jungbusch
    --PASS +shNEb1VEXSl1
    --XTRA created 1008541504
    qon        - h                       
    --HOSTS *!jbcqon@*
    --LASTON 1008701006 #jungbusch
    --PASS +HUtku0I/W6R.
    --XTRA created 1008678075
    qonbot     - h                       
    --HOSTS *!qon@*
    --HOSTS *!*achgott@*
    --LASTON 1008701417 #jungbusch
    --PASS +HUtku0I/W6R.
    --XTRA created 1008678105
    ice2k      - h                       
    ! #jungbusch           1008706286 fov        
    --HOSTS *!fisch@*
    --LASTON 1008706286 #jungbusch
    --PASS +riut8.jEw3u0
    --XTRA created 1008705970
    stiffy     - bfoN                    
    --HOSTS *!*stiffyat_private
    --XTRA created 1008720570
    moese      - bfoV                    
    --HOSTS *!*moeseat_private
    --XTRA created 1008721358
    moepsy     - bfoN                    
    --HOSTS *!*moepsyat_private
    --LASTON 1008723455 #fattool
    --XTRA created 1008723363
    sicker     - bfoN                    
    --HOSTS *!*
    --LASTON 1008726564 #0dayxxxpasswords
    --XTRA created 1008724705
    pullo      - bfoN                    
    --HOSTS *!*pulloat_private
    --LASTON 1008727313 #0dayxxxpasswords
    --XTRA created 1008725430
    wixer      - bfoN                    
    --HOSTS *!*wixerat_private
    --LASTON 1008727314 #0dayxxxpasswords
    --XTRA created 1008725589
    bums       - bfoN                    
    --HOSTS *!*bumsat_private
    --XTRA created 1008726771
    gretl      - bfoN                    
    --HOSTS *!*gretlat_private
    --LASTON 1008727314 #0dayxxxpasswords
    --XTRA created 1008726906
    Please note the .history file from just this one account;
    this is merely a small sample.  Please note, these are
    all CCBILL accounts:
    ssh -l f215109
    ssh -l amfight
    ssh -l sm-online
    ssh -l gmill
    ssh -l sweetcreme
    ssh -l roach
    ssh -l tfi0080192
    ssh -l jen11sex
    ssh -l webusr 
    ssh -l freakfest
    ssh -l gangbang
    ssh -l gangbang
    ssh -l norfun
    ssh -l doublejay
    ssh -l admin
    ssh -l livedom
    ssh -l dmartin2
    ssh -l fetish
    ssh -l dodger
    ssh -l beavis
    ssh -l www.thebondagechanne
    ssh -l hispa
    ssh -l dodger
    ssh -l livedom 
    ssh -l fetish
    ssh -l jen11sex
    ssh -l stephenp
    ssh -l barbie
    ssh -l eve3
    ssh -l melody
    telnet www.AMAHO.COM
    ssh -l blueflamedesigns
    ssh -l dynamic
    ssh -l u1498
    ssh -l rowan55
    ssh -l barbara
    ssh -l alenko
    ssh -l hispa
    ssh -l livedom
    ssh -l melody
    ssh -l u1498
    ssh -l rowan55
    ssh -l rburdwood
    ssh -l flashdiet
    ssh -l cypo
    ssh -l u44048
    ssh -l u44048
    ssh -l avrcon
    ssh -l sara
    ssh -l extreme-g
    ssh -l lynnol
    ssh -l
    ssh -l websex
    ssh -l playsi
    ssh -l linda
    ssh -l ndevine
    ssh -l belleleigh
    ssh -l gtdfor
    ssh -l voyearexpo
    ssh -l voyeurexpo
    ssh -l markiemark
    ssh -l pplump
    ssh -l taboo
    ssh -l legendaryreddog
    ssh -l miami
    ssh -l envex
    ssh -l voyeurmyth
    ssh -l netpimp
    ssh -l teressam
    ssh -l gospeltr
    ssh -l mcooper
    ssh -l nyguy
    ssh -l wickedgamers
    ssh -l wengle
    ssh -l nudistphotogallery
    stanat_private wrote:
    > Here is a message regarding a hack attempt.  They have stated that the
    > hack was also from our server.  How can we check who/what
    > happened from that server?  The details from their logs are below.
    > Stan
    > ****
    > -------- Original Message --------
    > From: - Tue Dec 18 21:57:22 2001
    > X-UIDL: c531b934e8e90feedce1e9ab85425a46
    > X-Mozilla-Status: 0001
    > X-Mozilla-Status2: 00000000
    > Received: from ( [])
    > by zeus.xxxxxxxxxx (8.8.5/8.8.5) with ESMTP id AAA22149 for
    > <stan@xxxxxxxxxx>; Wed, 19 Dec 2001 00:49:52 -0500 (EST)
    > Received: from (
    > []) by (8.11.2/8.11.1) with ESMTP id
    > fBJ5thY93497; Tue, 18 Dec 2001 22:55:44 -0700 (MST) (envelope-from
    > Message-ID: <>
    > Date: Tue, 18 Dec 2001 22:56:28 -0700
    > From: Jeff Wolkove <>
    > Reply-To:
    > Organization: SVM
    > X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
    > X-Accept-Language: en
    > MIME-Version: 1.0
    > To: abuseat_private, stan@xxxxxxxxx
    > CC: supportat_private
    > Subject: Illegal hacking activity
    > Content-Type: text/plain; charset=us-ascii
    > Content-Transfer-Encoding: 7bit
    > X-UIDL: c531b934e8e90feedce1e9ab85425a46
    > LEGAL NOTICE TO abuseat_private and stan@xxxxxxxxxx
    > Courtesy Copy To: supportat_private
    > One of your users illegally accessed a server I own and illegally
    > installed and ran software on it. The hacker gained access to the
    > system using a hacked or stolen password and installed "eggdrop"
    > an IRC bot with the capability of launching distributed denial
    > of service attacks.
    > This hacker accessed my system from
    > by FTP as per the following entry in my system FTP logs. All times
    > are Mountain Standard Time (Arizona, USA).
    > Dec 18 11:48:04 gelt ftpd[23349]: connection from
    > (
    > The user also accessed the system using interactive SSH from
    > according to the following entries in syslog
    > Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for
    > "".
    > Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password
    > accepted.
    > Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user
    > gtdfor accepted.
    > Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from
    >, authenticated.
    > This is a private server and the gtdfor user ID is used only by myself,
    > the system administrator. This is a unix-level login, not a web site
    > account. This(these) user(s) therefore gained access illegally.
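Jason's notes on the user-file fields at the top of this thread, and Dayne's use of the .history file, as an added example that is not part of the original post and is not eggdrop's or the netbots scripts' own code: a Python parser for the record layout in the strings dump, plus the views a responder would pull from it. The records, hostmasks, passwords and shell history in it are constructed in that layout; the function names are mine; and the reading of the leading '+' as eggdrop's marker for a password stored through its encryption module, and of that stored form as unsalted, is how I understand eggdrop 1.6 rather than something the post says.

```python
"""Added example for this thread (not code from the post, from eggdrop or
from the netbots scripts): a parser for the eggdrop userfile layout in the
'strings fartone' dump.  Records, hosts, passwords and history are made up."""
import re
from collections import Counter, defaultdict

SAMPLE_USERFILE = """\
#4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
goldeneye  - bfoN
--BOTFL ghp
--HOSTS *!*lagg@hub.example.invalid
--LASTON 1008733201 #chan
--XTRA created 1008544330
--PASS 0dz32ajse1wsg
arsch      - bfoN
--HOSTS *!*jb@*
--LASTON 1008721551 #testtest
--PASS fnh4psb7x07rnr
cf         - hjmnoptx
--HOSTS -telnet!*@*
--HOSTS cf@shell.example.invalid
--PASS +kqP.7.9x36e.
w33d       - hY
--HOSTS *!dope@*
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
O2B3       - hY
! #jungbusch           1008706286 fov
--HOSTS *!*frischr@*
--PASS +w/e/c.r8kog/
"""

# Constructed .history excerpt in the form quoted in the post.
SAMPLE_HISTORY = """\
ssh -l alpha
ssh -l bravo
ls -la
ssh -l alpha
ssh -l
telnet www.example.invalid
"""

# A record starts with "<handle> - <flags>"; the lines under it are
# "--KEY value" or, for a per-channel record, "! #channel <time> <flags>".
RECORD_RE = re.compile(r"^(\S+)\s+-\s+(\S*)\s*$")
SSH_RE = re.compile(r"^\s*ssh\s+-l\s+(\S+)")

def parse_userfile(text):
    """One dict per record: handle, global flags, hosts, pass, botfl, laston, channels."""
    users, cur = [], None
    for line in text.splitlines():
        if line.startswith("#"):                 # version header line
            continue
        m = RECORD_RE.match(line)
        if m and not line.startswith(("--", "!")):
            cur = {"handle": m.group(1), "flags": m.group(2), "hosts": [],
                   "pass": None, "botfl": "", "laston": None, "channels": []}
            users.append(cur)
            continue
        parts = line.split(None, 1)
        if cur is None or len(parts) < 2:
            continue
        key, value = parts
        if key == "!":                           # "! #chan <time> <chanflags>"
            cur["channels"].append(value.split()[0])
        elif key == "--HOSTS":
            cur["hosts"].append(value.strip())
        elif key == "--PASS":
            cur["pass"] = value.strip()
        elif key == "--BOTFL":
            cur["botfl"] = value.strip()
        elif key == "--LASTON":                  # "<unix time> <where last seen>"
            when, _, where = value.strip().partition(" ")
            cur["laston"] = (int(when), where)
    return users

def bots(users):
    """Records carrying the global 'b' flag, i.e. the other bots in the net."""
    return [u for u in users if "b" in u["flags"]]

def hub_candidates(users):
    """Bots with a --BOTFL line; the post reads 'ghp' on goldeneye as the hub."""
    return [u["handle"] for u in bots(users) if u["botfl"]]

def plaintext_passwords(users):
    """--PASS values lacking the '+' eggdrop puts on encrypted passwords: usable as-is."""
    return {u["handle"]: u["pass"] for u in users
            if u["pass"] and not u["pass"].startswith("+")}

def shared_password_hashes(users):
    """Handles grouped by identical encrypted --PASS value.  The stored form
    has no per-user salt, so equal values mean equal passwords."""
    groups = defaultdict(list)
    for u in users:
        if u["pass"] and u["pass"].startswith("+"):
            groups[u["pass"]].append(u["handle"])
    return {h: hs for h, hs in groups.items() if len(hs) > 1}

def ssh_targets(history_text):
    """Accounts reached with 'ssh -l <user>' in a shell history, with counts."""
    return Counter(m.group(1) for m in map(SSH_RE.match, history_text.splitlines()) if m)

if __name__ == "__main__":
    users = parse_userfile(SAMPLE_USERFILE)
    print([b["handle"] for b in bots(users)], hub_candidates(users), plaintext_passwords(users))
    print(shared_password_hashes(users), ssh_targets(SAMPLE_HISTORY))
```

Run over the real dump above, this lists every bfoN record as a bot, goldeneye as the only record with a --BOTFL line, the bot link passwords in the clear, the ten user entries that share +w/e/c.r8kog/ (and qon/qonbot sharing +HUtku0I/W6R.), and the per-account tally of the ssh -l lines from the .history.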
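The sshd2 and ftpd lines quoted in Jeff Wolkove's notice, together with Dayne's remark that the daily logs show nothing because the password was valid, as an added example that is not part of the original post: detection over syslog lines keyed on the login source rather than on failed attempts. The log lines are constructed in the quoted format (the archive strips the source hostnames, so the "coming from <host>, authenticated." form is an assumption), the addresses and the allow-list are made up, and the function names are mine.

```python
"""Added example (not from the post): flag password-authenticated SSH logins
from unknown sources in sshd2/ftpd syslog lines and pair each with a
following FTP connection from the same source.  Lines below are constructed."""
import re
from datetime import datetime, timedelta

SAMPLE_SYSLOG = """\
Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for "203.0.113.7".
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password accepted.
Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user gtdfor accepted.
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from 203.0.113.7, authenticated.
Dec 18 11:48:04 gelt ftpd[23349]: connection from bots.example.invalid (203.0.113.7)
Dec 18 14:02:10 gelt sshd2[17002]: User gtdfor, coming from 192.0.2.10, authenticated.
"""

# Hypothetical allow-list: where the admin normally logs in from.
KNOWN_SOURCES = {"192.0.2.10"}
LOG_YEAR = 2001  # syslog stamps carry no year

STAMP = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
AUTH_RE = re.compile(STAMP + r" \S+ sshd2\[\d+\]: User (\S+), coming from (\S+), authenticated\.$")
FTP_RE = re.compile(STAMP + r" \S+ ftpd\[\d+\]: connection from \S+ \((\S+)\)$")

def parse_ts(stamp):
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def suspicious_logins(syslog_text, known_sources, window=timedelta(minutes=15)):
    """Return (user, source, login_time, ftp_time) for every successful login
    whose source is not in known_sources.  ftp_time is the first FTP
    connection from that source within `window` after the login, else None.
    Nothing here depends on failed attempts: with a valid password there are
    none to see, which is Dayne's point about the daily logs."""
    logins, ftp = [], []
    for line in syslog_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            logins.append((parse_ts(m.group(1)), m.group(2), m.group(3)))
            continue
        m = FTP_RE.match(line)
        if m:
            ftp.append((parse_ts(m.group(1)), m.group(2)))
    hits = []
    for when, user, src in logins:
        if src in known_sources:
            continue
        follow = [t for t, s in ftp if s == src and when <= t <= when + window]
        hits.append((user, src, when, min(follow) if follow else None))
    return hits

if __name__ == "__main__":
    for user, src, when, ftp_at in suspicious_logins(SAMPLE_SYSLOG, KNOWN_SOURCES):
        print(f"{when:%b %d %H:%M:%S} {user} from {src}; ftp follow-up: {ftp_at}")
```

The allow-list is the whole trick: once the intruder holds a valid password, the only signal left in a default syslog is the source of the session, so the list of sources an account is expected to come from has to exist before the incident, not after.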
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 06:07:41 PST