On Thu, Apr 12, 2001 at 02:34:14PM +0300, root wrote:
> On Thu, 12 Apr 2001, Jon O. wrote:
>
> Heya, I'm Dani...
> "dispari" means "get lost" in Romanian. The other I think is Polish...
> Take care, all.. and fight against the lame script-kiddies.

Hi,

I gathered as much. Fortunately they did not hack into our machine, however
some people responded saying that you could use /bin/sh as a password. I'm
still wondering if this backdoor is related to the other stuff we saw.

Grtz,

Arthur

> > This may be 'hacker speak' from a language other than English.
> >
> > > asdr56tg as
> > >
> > > prompt, and the
> > >
> > > dispari i
> > >
> > > goodbye message if I type the wrong password.
> >
> > Below is a snippet of a rant found with strings inside another trojan. The
> > language is Bulgarian and it has been roughly translated by another party:
> >
> > T0Wa nE E Pr0sT0 hAkErSkA AtAkA SrEsHtU BTC A 0tMyShTeNiE I WyZmEzDiE.
> > This isn't just a hacker's attack on BTC, but <two pompous equivalents of
> > "revenge">
> >
> > nIe, SyZdAtE1ItE Na t0zI BaCi1 PrEdPrIeMaMe t0zI NaChIn nA B0RbA
> > No, creation of this virus is undertaken <oh, dear!> to start a struggle
> > <wow>
> >
> > S NaCi0nA1NiQ PrEsTyPnIk BTC s cE1 dA Mu
> > with national criminal <WTF singular?> BTC with the goal of
> >
> > nAp0mNiM, cHe aK0 tQ E CaR Na tE1Ef0nItE I
> > reminding <shit, he's good> that as thou<they? sounds like an archaic form
> > and I'm not sure which one it is> are<art?> the tzar in telephony and
> >
> > K0MuNiKaCiItE W Bu1gArIa, T0 nIe sMe cArEtE
> > communications in Bulgaria don't (you) dare to ????
> >
> >
> > As you can see, replacing certain letters with numbers and being in another
> > language can cause some confusion.
> >
> > Let us know what you find.
> >
> >
> > On Thu, 12 Apr 2001, Sean Kelly wrote:
> >
> > > This is *exactly* the characteristic of a rooted RedHat Linux box
> > > I have been investigating. I thought the new port shown using netstat was
> > > an SSH-kind back door, but I get both the
> > >
> > > asdr56tg as
> > >
> > > prompt, and the
> > >
> > > dispari i
> > >
> > > goodbye message if I type the wrong password.
> > >
> > > I'll go re-investigate this box this weekend and try running
> > > strings on a few binaries to see if /bin/sh is the password for my box.
> > >
> > > My box looks like it was rooted from a Romanian host.
> > >
> > > --
> > > Sean
> > >
> > >
> > > On Thu, 12 Apr 2001, warning3at_private wrote:
> > >
> > > > [..snip...]
> > > > > $ nc -v -n xxx.xxx.xxx.xxx 59388
> > > > > (UNKNOWN) [xxx.xxx.xxx.xxx] 59388 (?) open
> > > > > asdr56tg as
> > > > >
> > > > > After we enter <ENTER> we got a goodbye message like this:
> > > > >
> > > > > dispari i
> > > > >

--
/* Disclaimer : you hire my skills, not my opinions, those are mine !    */
/* email : arthurat_private     Security     'Me ? I'm not me ! I'm just a */
/* phone : (+31) 50 549 2701    is not a     computer simulation of me'    */
/* URL http://www.reseau.nl     dirty word   Red Dwarf, First Episode      */
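
Added example (not part of the original thread and not written by any of its participants): a small triage script for the "run strings on a few binaries" step discussed above. It pulls printable runs out of a file image, flags the two banner strings quoted in the thread, and folds case and digit-for-letter swaps so that text like the quoted rant can be matched against analyst-chosen keywords. The function names, the keyword and the SAMPLE bytes are assumptions constructed for this illustration.

```python
import re

# Banner strings quoted in the thread: the backdoor's prompt and its goodbye.
BANNERS = (b"asdr56tg", b"dispari")
# Digit-for-letter swaps seen in the quoted rant (0 for o, 1 for l).
UNLEET = bytes.maketrans(b"01", b"ol")


def printable_strings(data, min_len=4):
    """Yield (offset, run) for printable-ASCII runs, as strings(1) does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group()


def normalize(run):
    """Fold case and undo the digit swaps so 'Pr0sT0' compares as 'prosto'."""
    return run.lower().translate(UNLEET)


def scan(data, keywords=()):
    """Return (offset, kind, text) hits in file order.

    'banner' hits match the strings from the thread verbatim; 'keyword'
    hits match analyst-supplied lower-case keywords after normalization.
    """
    hits = []
    for offset, run in printable_strings(data):
        text = run.decode("ascii")
        if any(b in run for b in BANNERS):
            hits.append((offset, "banner", text))
        folded = normalize(run)
        if any(k in folded for k in keywords):
            hits.append((offset, "keyword", text))
    return hits


# Constructed sample: a fake binary image with the thread's strings embedded.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/lib/ld-linux.so.2\x00"
    + b"asdr56tg as\x00\x03\x00"
    + b"dispari i\x00"
    + b"T0Wa nE E Pr0sT0 hAkErSkA AtAkA\x00"
)

if __name__ == "__main__":
    # The keyword is a hypothetical analyst choice taken from the quoted rant.
    for offset, kind, text in scan(SAMPLE, keywords=(b"hakerska ataka",)):
        print(f"{offset:#06x}  {kind:<8} {text}")
```

To check a real file, pass its bytes to scan(), for example open(path, "rb").read(). /bin/sh is left out of the banner list on purpose, since that string appears in many ordinary binaries.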