Re: Yet another Linux bind worm ?

From: Jon O. (jonoat_private)
Date: Thu Apr 12 2001 - 21:38:45 PDT


    This may be 'hacker speak' from a language other than English.
    
    >  asdr56tg as
    >
    > prompt, and the
    >
    >               dispari i
    >
    > goodbye message if I type the wrong password.
    
    
    Below is a snippet of a rant found with strings inside another trojan. The
    language is Bulgarian and it has been roughly translated by another party:
    
    T0Wa nE E Pr0sT0 hAkErSkA AtAkA SrEsHtU BTC A 0tMyShTeNiE I WyZmEzDiE.
    This isn't just a hacker's attack on BTC, but <two pompous equivalents of
    "revenge">
    
    nIe, SyZdAtE1ItE Na t0zI BaCi1 PrEdPrIeMaMe t0zI NaChIn nA B0RbA
    No, creation of this virus is undertaken <oh, dear!> to start a struggle
    <wow>
    
    S NaCi0nA1NiQ PrEsTyPnIk BTC s cE1 dA Mu
    with national criminal <WTF singular?> BTC with the goal of
    
    nAp0mNiM, cHe aK0 tQ E CaR Na tE1Ef0nItE I
    reminding <shit, he's good> that as thou<they? sounds like an archaic form
    and
    I'm not sure which one it is> are<art?> the tzar in telephony and
    
    K0MuNiKaCiItE W Bu1gArIa, T0 nIe sMe cArEtE
    communications in Bulgaria don't (you) dare to ????
    
    
    As you can see, replacing certain letters with numbers and being in another
    language can cause some confusion.
    
    Let us know what you find.
    
    
    On Thu, 12 Apr 2001, Sean Kelly wrote:
    
    > 	This is *exactly* the characteristic of a rooted RedHat Linux box
    > I have been investigating.  I thought the new port shown using netstat was
    > an SSH-kind back door, but I get both the
    >
    > 		asdr56tg as
    >
    > prompt, and the
    >
    > 		dispari i
    >
    > goodbye message if I type the wrong password.
    >
    > 	I'll go re-investigate this box this weekend and try running
    > strings on a few binaries to see if /bin/sh is the password for my box.
    >
    > 	My box looks like it was rooted from a Romanian host.
    >
    > --
    > Sean
    >
    >
    > On Thu, 12 Apr 2001, warning3at_private wrote:
    >
    > > [..snip...]
    > > > $ nc -v -n xxx.xxx.xxx.xxx 59388
    > > > (UNKNOWN) [xxx.xxx.xxx.xxx] 59388 (?) open
    > > > asdr56tg as
    > > >
    > > > After we enter <ENTER> we got a goodbye message like this:
    > > >
    > > > dispari i
    >
    
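    An added example, not code from any of the posters or from the trojan
    itself: a small Python probe that automates the `nc` check described in
    the thread (connect, read the "asdr56tg as" prompt, answer with a bare
    Enter as a deliberately wrong password, look for the "dispari i"
    goodbye), plus an offline check that looks for the same two strings in a
    suspect binary the way `strings | grep` would. The mock listener at the
    bottom is constructed for the demo and reproduces only what the thread
    reports; the real backdoor's password and any further protocol are not
    known here, so the mock accepts no password at all. Host, port and file
    names are assumptions for the demo.

```python
"""Probe for the backdoor signature reported in the thread.

Constructed example. Only the two strings quoted in the posts are used as
indicators; everything else about the listener is assumed.
"""
import socket
import threading

BANNER = b"asdr56tg as"   # prompt seen on connect, per the thread
GOODBYE = b"dispari i"    # reply to a wrong password, per the thread


def _recv_line(sock, timeout=3.0, limit=4096):
    """Read until a newline, EOF or timeout; return whatever arrived."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < limit:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            if b"\n" in buf:
                break
    except socket.timeout:
        pass
    return buf


def probe_port(host, port, wrong_password=b"\n"):
    """Reproduce the manual `nc -v -n host port` test: grab the banner,
    send a wrong answer (a bare Enter by default), grab the goodbye.
    Returns the raw data plus a verdict on whether both markers matched."""
    result = {"banner": b"", "reply": b"", "match": False}
    with socket.create_connection((host, port), timeout=3.0) as s:
        result["banner"] = _recv_line(s)
        s.sendall(wrong_password)
        result["reply"] = _recv_line(s)
    result["match"] = BANNER in result["banner"] and GOODBYE in result["reply"]
    return result


def scan_bytes(data):
    """Offline indicator check on file contents, equivalent to running
    `strings` on a suspect binary and grepping for the two markers."""
    return {"banner": BANNER in data, "goodbye": GOODBYE in data}


def scan_file(path):
    """Apply scan_bytes to a file on disk (path is the caller's choice)."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


class MockBackdoor(threading.Thread):
    """Constructed stand-in for the listener: sends the banner, answers any
    input with the goodbye, then disconnects. It models nothing beyond what
    the thread reports and never accepts a password."""

    def __init__(self):
        super().__init__(daemon=True)
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))   # assumed: loopback, ephemeral port
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self):
        conn, _ = self.srv.accept()
        with conn:
            conn.sendall(BANNER + b"\n")
            conn.settimeout(3.0)
            try:
                conn.recv(1024)           # whatever the client typed
            except socket.timeout:
                pass
            conn.sendall(GOODBYE + b"\n")
        self.srv.close()


def demo():
    """Run the probe against the mock listener and return its result."""
    mock = MockBackdoor()
    mock.start()
    result = probe_port("127.0.0.1", mock.port)
    mock.join()
    return result


if __name__ == "__main__":
    r = demo()
    print("banner:", r["banner"])
    print("reply: ", r["reply"])
    print("backdoor signature matched:", r["match"])
```

    Against a real host you would call probe_port(host, 59388) or whatever
    port netstat shows; a match on both strings is a strong indicator, a
    banner-only match still deserves a look since the goodbye may differ
    between variants.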



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:05 PDT