Forwarded from: Jason Ware <jwareat_private> This is someone's eggdrop botnet, the first part of the dump is the user file. The -bfoN is the user flags set, and b means another bot. The port it listens to, 9872, is the port the bots will use to connect to each other, using telnet or DCC, so that they can communicate. The first bot listed, goldeneye, is the hub bot, "--BOTFL ghp" means this bot will listen to goldeneye for any changes to user or channel records and will always try and connect to it. You can find more information about eggdrop bots and botnets at http://www.egghelp.org. Incidentally, this botnet is running the netbots set of scripts (the N flag means it's a netbots bot). This scripts maker is the one running egghelp.org, but he would not be involved in this mess, it is a very common and useful set of scripts for eggdrop bots. Eggdrop bots are mostly harmless, they are used to hold and guard chat channels on IRC, but they can be modified very easily and run TCL scripts to do some nasty or wonderful things. -----Original Message----- From: InfoSec News [mailto:isnat_private] Sent: Wednesday, December 19, 2001 10:23 PM To: isnat_private Subject: [ISN] *MAJOR SECURITY BREACH AT CCBILL** Forwarded from: Ryan W. Maple <ryanat_private> ---------- Forwarded message ---------- Date: Wed, 19 Dec 2001 04:14:48 -0500 From: Dayne Jordan <djordanat_private> To: incidentsat_private Subject: *MAJOR SECURITY BREACH AT CCBILL** It appears that perhaps tens of thousands of username/passwords for valid shell logins ALL ACROSS THE NET may have been compromised at CCBILL, a large internet credit card/check processor used for e-commerce and adult sites, read carefully!! Well, after the user complaint below, we began some investigation and found about 6 of these IRC bots running on our network as well. All with a fartone.conf and fartone eggdrop irc daemon listening on port 9872... this is across 6 different machines alone in our server farm, so far that we have found, we are scanning right now to find out if there are more listening on port 9872 in our address spaces. Interestingly enough, the common tie between all these compromised accounts is that they are ALL CCBILL customers. Being CCBILL customers, they have all their userid and password information to ssh to their website(s)/server(s) to update scripts and databases as required. Was CCBILL hacked? OR do they have someone inside who has released the user information abroad? We called a couple other hosts whom we communicate with and voila.. they have boxes with IRC bots running on port 9872 as well... also CCBILL clients. It appears whomever has obtained the CCBILL list of usernames/passwords systematically SSH's into their customers server, installs the irc eggdrop bot and leaves. I have found no instances of root kits, or anything else malicious being performed or installed. In fact, in all 6 instances they left all their .tar and config files, AND their .history files intact. Looking thru normal daily log files would not tip you off to any sort of compromise at all -No multiple password failures, etc etc because they already have the correct password to login :) It is my opinion that Cavecreek/CCBILL has had a breach of security thus releasing user ids and logins on various servers around the internet. CCBILLS customer base is in the tens of thousands. It appears the bots are merely sitting and listening waiting for commands for perhaps a large distributed DoS attack, it does not appear that they are logging any sensitive data transmitted thru the server(s). I tcpdumped the port and logged in and out of the server to make sure it wasnt transmitting any data elsewhere. I also confirmed that the bots were not logging anything locally either. I have attached a sample output of strings on the binary file called 'fartone' for your review, please note there are *several* cavecreek machines who are listed as well as many others. ALL these machines below have been verified to have port 9872 open and listening with perhaps this same type IRC Eggdrop bot running. Also please note, all these servers/domains listed below are current CCBILL subscribers: ares# strings fartone #4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001 goldeneye - bfoN --BOTADDR insecure.nl:4567/4567 --BOTFL ghp --HOSTS *!*laggat_private --LASTON 1008733201 #(_(_)============D --XTRA created 1008544330 --PASS 0dz32ajse1wsg arsch - bfoN --HOSTS *!*jb@*.t-dialin.net --LASTON 1008721551 #testtest --BOTADDR 123.123.123.123:25432/25432 --XTRA created 1008687422 --PASS fnh4psb7x07rnr Nitallica - bfoN --HOSTS *!*maulat_private --LASTON 1008723944 #torisbots --BOTADDR smtp.webpipe.net:6000/6000 --XTRA created 1008687422 --PASS 29tuhow2of FrauAntje - bfoN --HOSTS *!*cfat_private --BOTADDR cc118955-b.groni1.gr.nl.home.com:5555/5555 --XTRA created 1008687422 --LASTON 1008715911 #fattool --PASS 6qgkm19qzmqr41 hispa - bfoN --HOSTS *!*hispaat_private --HOSTS *!*hispaat_private --LASTON 1008727382 #(_(_)============D --BOTADDR thunder2.cwihosting.com:9872/9872 --XTRA created 1008687422 --PASS 4rg6kei8cz livedom - bfoN --HOSTS *!*livedomat_private --HOSTS *!*livedomat_private --BOTADDR s1.ss.klmz.mi.voyager.net:9872/9872 --XTRA created 1008687422 --PASS chahi5e10yz fetishUSA - bfoN --HOSTS *!*etishUSAat_private --HOSTS *!*etishUSA@fetish-usa.com --BOTADDR fetish-usa.com:9872/9872 --XTRA created 1008687422 --LASTON 1008714534 #fattool.-user --PASS el44md4jsx edik - bfoN --HOSTS *!edikat_private --HOSTS *!*eve3at_private --LASTON 1008721551 #testtest --BOTADDR 216.143.123.202:9872/9872 --XTRA created 1008687422 --PASS lpk748otq4 undergrou - bfoN --HOSTS *!undergrouat_private --LASTON 1008721551 #testtest --BOTADDR undergroundmpegs.com:9872/9872 --XTRA created 1008687422 --PASS h9raa3sbzib1isl cartoon-x - bfoN --HOSTS *!cartoon-xat_private --HOSTS *!*rtoon-xat_private --LASTON 1008721551 #testtest --BOTADDR dynamic.cavecreek.net:9872/9872 --XTRA created 1008687422 --PASS jsuf82v4gity plump - bfoN --HOSTS *!plumpat_private --HOSTS *!*lumpat_private --LASTON 1008727382 #(_(_)============D --BOTADDR viper.acceleratedweb.net:9872/9872 --XTRA created 1008687422 --PASS 01rc6sicoh9 dara - bfoN --HOSTS *!daraat_private --HOSTS *!*daraat_private --HOSTS *!*araat_private --LASTON 1008721551 #testtest --BOTADDR 209.67.61.60:9872/9872 --XTRA created 1008687422 --PASS 1r52f5hl8ua3 asian - bfoN --HOSTS *!asianat_private --LASTON 1008727382 #(_(_)============D --BOTADDR asianpornoground.com:9872/9872 --XTRA created 1008687422 --PASS 8kbbvw1d82r flashx - bfoN --HOSTS *!flashxat_private --LASTON 1008721551 #testtest --BOTADDR flashdiet.net:9872/9872 --XTRA created 1008687422 --PASS r1mict2o4p3m2g bonker - bfoN --HOSTS *!bonkerat_private --BOTADDR la2.reliablehosting.com:9872/9872 --XTRA created 1008687422 --LASTON 1008689564 #fattool --PASS mstz9bj3w1 cypo - bfoN --HOSTS *!cypoat_private --LASTON 1008727382 #(_(_)============D --BOTADDR 66.78.56.62:9872/9872 --XTRA created 1008687422 --PASS b051yatpxv78 adult - bfoN --HOSTS *!adultat_private --LASTON 1008721551 #testtest --BOTADDR 216.66.37.130:9872/9872 --XTRA created 1008687422 --PASS 8vk58u93xm0cp steenbok - bfoN --HOSTS *!steenbokat_private-h-e.com --LASTON 1008727382 #(_(_)============D --BOTADDR navajo.b-h-e.com:9872/9872 --XTRA created 1008687422 --PASS ky613fzu65pt9 betty - bfoN --HOSTS *!bettyat_private --BOTADDR 216.226.153.165:9872/9872 --XTRA created 1008687422 --PASS svhcr3jpb98bk88 silky - bfoN --HOSTS *!silkyat_private --LASTON 1008721551 #testtest --BOTADDR www36.mediaserve.net:9872/9872 --XTRA created 1008703816 vixie - bfoN --HOSTS *!vixieat_private --LASTON 1008721551 #testtest --BOTADDR zeus.envex.net:9872/9872 --XTRA created 1008703839 c0wboy - bfoN --HOSTS *!c0wboyat_private --LASTON 1008737794 #(_(_)============D --BOTADDR arizonasex.com:9872/9872 --XTRA created 1008703859 reddawg - bfoN --HOSTS *!reddawgat_private --LASTON 1008727382 #(_(_)============D --BOTADDR 216.215.232.6.nw.nuvox.net:9872/9872 --XTRA created 1008703890 blaq - bfoN --HOSTS *!blaqat_private --HOSTS *!*ronudesat_private --LASTON 1008727382 #(_(_)============D --BOTADDR www.retronudes.com:9872/9872 --XTRA created 1008704719 bigdick - bfoN --HOSTS *!bigdickat_private --HOSTS *!*yguyat_private --LASTON 1008727382 #(_(_)============D --BOTADDR playawhile.com:9872/9872 --XTRA created 1008705304 serve - bfoN --HOSTS *!serveat_private --HOSTS *!*erveat_private --LASTON 1008731356 #(_(_)============D --BOTADDR server.iicinternet.com:9872/9872 --XTRA created 1008706464 pedal - bfoN --HOSTS *!pedalat_private --BOTADDR www1.leftcoast.net:9872/9872 --XTRA created 1008707679 sizco - bfoN --HOSTS *!cremeat_private --HOSTS *!*tcremeat_private --LASTON 1008737609 #(_(_)============D --BOTADDR virtual1.sizco.net:9872/9872 --XTRA created 1008708744 melody - bfoN --HOSTS *!melodyat_private --LASTON 1008727382 #(_(_)============D --BOTADDR 64.242.242.9:9872/9872 --XTRA created 1008710553 cukinsin - bfoN --HOSTS *!cukinsinat_private --LASTON 1008727382 #(_(_)============D --BOTADDR 209.115.38.113:9872/9872 --XTRA created 1008711094 slettebak - bfoN --HOSTS *!slettebakat_private --HOSTS *!*ettebakat_private --LASTON 1008737670 #(_(_)============D --BOTADDR stgeorge.janey1.net:9872/9872 --XTRA created 1008712167 tussy - bfoN --HOSTS *!tussyat_private --LASTON 1008721551 #testtest --BOTADDR fs2.reliablehosting.com:9872/9872 --XTRA created 1008712187 hrm - bfoN --HOSTS *!hrmat_private --BOTADDR infiniti.isprime.com:9872/9872 --XTRA created 1008713730 --LASTON 1008713966 #jungbusch fister - bfoN --HOSTS *!fisterat_private --LASTON 1008727382 #(_(_)============D --BOTADDR or9.reliablehosting.com:9872/9872 --XTRA created 1008713748 buttfuck - bfoN --HOSTS *!buttfuckat_private --HOSTS *!*uttfuckat_private --LASTON 1008727382 #(_(_)============D --BOTADDR www.bridgetfox.com:9872/9872 --XTRA created 1008715635 nude - bfoN --HOSTS *!*nudeat_private --LASTON 1008727382 #(_(_)============D --BOTADDR host210.southwestmedia.com:9872/9872 --XTRA created 1008717613 kippe - bfoN --HOSTS *!*kippeat_private --LASTON 1008727382 #(_(_)============D --BOTADDR 207.71.95.100@9872:3333/3333 --XTRA created 1008718483 lecker - bfoN --HOSTS *!*leckerat_private --LASTON 1008723944 #torisbots --BOTADDR ladynylons.com@9872:3333/3333 --XTRA created 1008718866 cf - hjmnoptx --HOSTS -telnet!*@* --HOSTS cfat_private --PASS +kqP.7.9x36e. --XTRA created 1008425222 cf_ - fhjmnoptxZ --HOSTS *!cfat_private --LASTON 1008727068 @bums --PASS +SO3pi.h66XB1 --XTRA created 1008426075 chumash - fhpYZ --HOSTS *!nitaisaat_private --HOSTS *!nitaisaat_private --PASS +ghTan/8SXJw1 --COMMENT 1st Offense Badword --XTRA created 1008426757 m00b - h --HOSTS *!b00m@*.planet.arrakis.cz --LASTON 1008733043 #0dayxxxpasswords --PASS +REjnv1Q0DAf/ --XTRA created 1008440044 Cyberwolf - h --HOSTS *!Blah@*.rr.com --PASS +HPw7k0X0/X51 --XTRA created 1008442445 w33d - hY --HOSTS *!dopeat_private* --PASS +w/e/c.r8kog/ --XTRA created 1008455421 --COMMENT 1st Offense Badword _maddog_ - hY --HOSTS *!*ouchabl@*.dial.net4b.pt --PASS +w/e/c.r8kog/ --COMMENT 1st Offense Badword --XTRA created 1008459615 undernetx - hY --HOSTS *!*dernetx@*.east.verizon.net --PASS +w/e/c.r8kog/ --COMMENT 1st Offense Badword --XTRA created 1008460443 O2B3 - hY --HOSTS *!*frischr@*.xtra.co.nz --PASS +w/e/c.r8kog/ --COMMENT 1st Offense Badword --XTRA created 1008460560 xxxxx - hY --HOSTS *!cf@*.and.shine --PASS +w/e/c.r8kog/ --COMMENT 1st Offense Badword --XTRA created 1008465019 ^[FTO1]^ - hY --HOSTS *![FTO1]^@*.astound.net --PASS +w/e/c.r8kog/ --XTRA created 1008465619 --COMMENT 1st Offense Badword showty - hE --HOSTS *!dfioajat_private* --PASS +w/e/c.r8kog/ --COMMENT 2 Bad Word Offenses --XTRA created 1008470243 _mysdick - hY --HOSTS *!mysticalat_private --LASTON 1008732953 #0dayxxxpasswords --PASS +w/e/c.r8kog/ --COMMENT 1st Offense Badword --XTRA created 1008473951 Shareef_A - hY --HOSTS *!Ultimaat_private* --PASS +w/e/c.r8kog/ --COMMENT 1st Offense Badword --XTRA created 1008477957 aHiMz - hY --HOSTS *!toophatat_private* --PASS +w/e/c.r8kog/ --COMMENT 1st Offense Badword --XTRA created 1008480641 sr - hjmnoptx --HOSTS *!figgeat_private --LASTON 1008715929 @goldeneye --PASS +9fX2h.WNiV41 --XTRA created 1008539610 bigwave - h --HOSTS *!*tchbustat_private --LASTON 1008704750 #jungbusch --PASS +shNEb1VEXSl1 --XTRA created 1008541504 qon - h --HOSTS *!jbcqon@*.t-dialin.net --LASTON 1008701006 #jungbusch --PASS +HUtku0I/W6R. --XTRA created 1008678075 qonbot - h --HOSTS *!qon@*.t-dialin.net --HOSTS *!*achgott@*.t-dialin.net --LASTON 1008701417 #jungbusch --PASS +HUtku0I/W6R. --XTRA created 1008678105 ice2k - h ! #jungbusch 1008706286 fov --HOSTS *!fisch@*.t-dialin.net --LASTON 1008706286 #jungbusch --PASS +riut8.jEw3u0 --XTRA created 1008705970 stiffy - bfoN --HOSTS *!*stiffyat_private --BOTADDR otis.siteprotect.com@9872:3333/3333 --XTRA created 1008720570 moese - bfoV --HOSTS *!*moeseat_private --BOTADDR ns14.reliablehosting.com@9872:3333/3333 --XTRA created 1008721358 moepsy - bfoN --HOSTS *!*moepsyat_private --LASTON 1008723455 #fattool --BOTADDR katarina.super.nu@9872:3333/3333 --XTRA created 1008723363 sicker - bfoN --HOSTS *!*sicker@1-nude-girls-sex-pictures.com --LASTON 1008726564 #0dayxxxpasswords --BOTADDR 1-nude-girls-sex-pictures.com@9872:3333/3333 --XTRA created 1008724705 pullo - bfoN --HOSTS *!*pulloat_private --LASTON 1008727313 #0dayxxxpasswords --BOTADDR co60.reliablehosting.com@9872:3333/3333 --XTRA created 1008725430 wixer - bfoN --HOSTS *!*wixerat_private --LASTON 1008727314 #0dayxxxpasswords --BOTADDR co60.reliablehosting.com@9871:3333/3333 --XTRA created 1008725589 bums - bfoN --HOSTS *!*bumsat_private --BOTADDR 365host.com@9872:3333/3333 --XTRA created 1008726771 gretl - bfoN --HOSTS *!*gretlat_private --LASTON 1008727314 #0dayxxxpasswords --BOTADDR saturn.iwebhosting.com@9871:3333/3333 --XTRA created 1008726906 Please note the .history file just from this one account, and this is merely a small sample, please note, these are all CCBILL accounts: ssh -l f215109 www.extremeteens.net telnet www.extremeteens.net ssh -l amfight www.amfight.com ssh -l sm-online www.sm-online.net telnet www.musicchief.com telnet www.studspa.com ssh -l gmill www.G2mil.com ssh -l sweetcreme www.sweetcreme.com ssh -l roach www.exposedfantasy.com ssh -l tfi0080192 www.whores.telinco.co.uk ftp www.whores.telinco.co.uk ssh -l jen11sex www.jensex.com ssh -l webusr www.asianvixens.net ssh -l freakfest www.chicagofreakfest.com telnet www.gangbang-wife.com ftp gangbang-wife.com ssh -l gangbang ganbang-wife.com ssh -l gangbang gangbang-wife.com ssh -l norfun www.norfun.com ssh -l doublejay doublejay.ultraadult.com ftp ultraadult.com ftp www.internetpleasure.net telnet www.internetpleasure.net ssh -l admin www.internetpleasure.net ftp www.internetpleasure.net mail w ftp www.teenpussy2001.com w ssh -l livedom www.livedom.com ssh -l dmartin2 www.sweetcuties.com w ssh -l fetish www.fetish-usa.com ssh -l dodger www.dodger.co.uk ssh -l beavis www.eroticamazon.com w ls ssh -l www.thebondagechanne www.thebondagechannel.com ftp www.thebondagechannel.com ssh -l hispa hispamagic.com ssh -l dodger www.dodger.co.uk ssh -l livedom www.livedom.com ssh -l fetish www.fetish-usa.com ssh -l jen11sex www.jensex.com ssh -l stephenp www.thefun-times.com ssh -l barbie www.VoyeurCamCondo.com ssh -l eve3 www.strumpfhosen-girls.com ssh -l melody www.undergroundmpegs.com mail telnet www.AMAHO.COM ssh -l blueflamedesigns www.blueflamedesigns.com ssh -l dynamic www.cartoon-x.net ssh -l u1498 www.plumptious.com ssh -l rowan55 www.dirtydara.com ssh -l barbara www.asianpornoground.com ssh -l alenko www.alenko.com ssh -l hispa hispamagic.com ssh -l livedom www.livedom.com ssh -l melody www.undergroundmpegs.com ssh -l u1498 www.plumptious.com ssh -l rowan55 www.dirtydara.com ssh -l rburdwood www.southcouple.com ssh -l flashdiet flashdiet.net ssh -l cypo www.cypo.com ssh -l u44048 adultfrontier.com ssh -l u44048 www.adultfrontier.com ssh -l avrcon avrcon.com ssh -l sara www.boobtique.com ssh -l extreme-g www.xtreme-girls.com ssh -l lynnol www.lynncarroll.net exit ssh -l www.extremeteens.net /bin/bash ssh -l websex www.websex.org ssh -l playsi www.silkyplay.com ssh -l linda www.nastylinda.com ssh -l ndevine www.nikkidevine.com ssh -l belleleigh www.belleleigh.com ssh -l gtdfor www.arizonasex.com ssh -l voyearexpo www.voyeurexpo.com /bin/bash ssh -l voyeurexpo www.voyeurexpo.com ssh -l markiemark www.profitbusiness.com telnet www.analaddiction.com ssh -l pplump www.proudly-plump.com ssh -l taboo www.incesttaboo.com ssh -l legendaryreddog www.legendaryreddog.com telnet www.adultamateursexpictures.com ssh -l miami miamistudios.com ssh -l envex www.envex.net ssh -l voyeurmyth www.voyeurmyth.com ssh -l netpimp www.exhibitionfetish.com ssh -l teressam www.teressamoss.com ssh -l gospeltr www.gospeltribune.com ssh -l mcooper www.findfreefiles.com telnet www.retronudes.com ssh -l nyguy www.playawhile.com ssh -l wickedgamers www.wickedgamers.net ssh -l wengle www.hentaidimension.com ssh -l nudistphotogallery www.nudistphotogallery.net stanat_private wrote: > > > Here is a message regarding a hack attempt. They have stated that the > hack was also from our server 216.226.xxx.xxx. How can we check who/what > happened from that server. The details from there logs are below. > > Stan > **** > > -------- Original Message -------- > From: - Tue Dec 18 21:57:22 2001 > X-UIDL: c531b934e8e90feedce1e9ab85425a46 > X-Mozilla-Status: 0001 > X-Mozilla-Status2: 00000000 > Received: from gelt.cavecreek.net (gelt.cavecreek.net [64.38.195.170]) > by zeus.xxxxxxxxxx (8.8.5/8.8.5) with ESMTP id AAA22149 for > <stan@xxxxxxxxxx>; Wed, 19 Dec 2001 00:49:52 -0500 (EST) > Received: from biz-link.com (cx832301-d.chnd1.az.home.com > [24.14.253.216]) by gelt.cavecreek.net (8.11.2/8.11.1) with ESMTP id > fBJ5thY93497; Tue, 18 Dec 2001 22:55:44 -0700 (MST) (envelope-from > wolkove@biz-link.com) > Message-ID: <3C202C0C.CDD0D35D@biz-link.com> > Date: Tue, 18 Dec 2001 22:56:28 -0700 > From: Jeff Wolkove <wolkove@biz-link.com> > Reply-To: wolkove@biz-link.com > Organization: SVM > X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) > X-Accept-Language: en > MIME-Version: 1.0 > To: abuseat_private, stan@xxxxxxxxx > CC: supportat_private > Subject: Illegal hacking activity > Content-Type: text/plain; charset=us-ascii > Content-Transfer-Encoding: 7bit > X-UIDL: c531b934e8e90feedce1e9ab85425a46 > > LEGAL NOTICE TO abuseat_private and stan@xxxxxxxxxx > Courtesy Copy To: supportat_private > > One of your users illegally accessed a server I own and illegally > installed and ran software on it. The hacker gained access to the > system using a hacked or stolen password and installed "eggdrop" > an IRC bot with the capability of launching distributed denial > of service attacks. > > This hacker accessed my system from cc118955-a.groni1.gr.nl.home.com > by FTP as per the following entry in my system FTP logs. All times > are Mountain Standard Time (Arizona, USA). > > Dec 18 11:48:04 gelt ftpd[23349]: connection from > cc118955-a.groni1.gr.nl.home.com (213.51.147.235) > > The user also accessed the system using interactive SSH from > 216.226.xxx.xxx > according to the following entries in syslog > > Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for > "216.226.xxx.xxx". > Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password > accepted. > Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user > gtdfor accepted. > Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from > 216.226.xxx.xxx, authenticated. > > This is a private server and the gtdfor user ID is used only by myself, > the system administrator. This is a unix-level login, not a web site > account. This(these) user(s) therefore gained access illegally. > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 06:07:41 PST