Re: Yet another Linux bind worm ?

From: root (rootat_private)
Date: Thu Apr 12 2001 - 04:34:14 PDT


    On Thu, 12 Apr 2001, Jon O. wrote:
    
    Heya, I'm Dani...
    "dispari" means "get lost" in Romanian. The other I think is Polish...
    Take care, all.. and fight against the lame script-kiddies.
    
    
    
    > This may be 'hacker speak' from a language other than English.
    >
    > >  asdr56tg as
    > >
    > > prompt, and the
    > >
    > >               dispari i
    > >
    > > goodbye message if I type the wrong password.
    >
    >
    > Below is a snippet of a rant found with strings inside another trojan. The
    > language is Bulgarian and it has been roughly translated by another party:
    >
    > T0Wa nE E Pr0sT0 hAkErSkA AtAkA SrEsHtU BTC A 0tMyShTeNiE I WyZmEzDiE.
    > This isn't just a hacker's attack on BTC, but <two pompous equivalents of
    > "revenge">
    >
    > nIe, SyZdAtE1ItE Na t0zI BaCi1 PrEdPrIeMaMe t0zI NaChIn nA B0RbA
    > No, creation of this virus is undertaken <oh, dear!> to start a struggle
    > <wow>
    >
    > S NaCi0nA1NiQ PrEsTyPnIk BTC s cE1 dA Mu
    > with national criminal <WTF singular?> BTC with the goal of
    >
    > nAp0mNiM, cHe aK0 tQ E CaR Na tE1Ef0nItE I
    > reminding <shit, he's good> that as thou<they? sounds like an archaic form
    > and I'm not sure which one it is> are<art?> the tzar in telephony and
    >
    > K0MuNiKaCiItE W Bu1gArIa, T0 nIe sMe cArEtE
    > communications in Bulgaria don't (you) dare to ????
    >
    >
    > As you can see, replacing certain letters with numbers and being in another
    > language can cause some confusion.
    >
    > Let us know what you find.
    >
    >
    > On Thu, 12 Apr 2001, Sean Kelly wrote:
    >
    > > 	This is *exactly* the characteristic of a rooted RedHat Linux box
    > > I have been investigating.  I thought the new port shown using netstat was
    > > an SSH-kind back door, but I get both the
    > >
    > > 		asdr56tg as
    > >
    > > prompt, and the
    > >
    > > 		dispari i
    > >
    > > goodbye message if I type the wrong password.
    > >
    > > 	I'll go re-investigate this box this weekend and try running
    > > strings on a few binaries to see if /bin/sh is the password for my box.
    > >
    > > 	My box looks like it was rooted from a Romanian host.
    > >
    > > --
    > > Sean
    > >
    > >
    > > On Thu, 12 Apr 2001, warning3at_private wrote:
    > >
    > > > [..snip...]
    > > > > $ nc -v -n xxx.xxx.xxx.xxx 59388
    > > > > (UNKNOWN) [xxx.xxx.xxx.xxx] 59388 (?) open
    > > > > asdr56tg as
    > > > >
    > > > > After we enter <ENTER> we got a goodbye message like this:
    > > > >
    > > > > dispari i
    > >
    >
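An added example, not part of the original thread: a minimal Python equivalent of running strings over binaries, as Sean describes, that reports where the two banner strings quoted in this thread occur. The function names and the sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Banner strings quoted in this thread (login prompt and goodbye message).
MARKERS = ("asdr56tg as", "dispari i")
# Runs of 4+ printable ASCII bytes, the same default length strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(data: bytes):
    """Yield (offset, text) for each printable run, like `strings -t d`."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_markers(data: bytes, markers=MARKERS):
    """Return sorted [(offset, marker, containing_string)] for every hit."""
    hits = []
    for offset, text in printable_strings(data):
        for marker in markers:
            pos = text.find(marker)
            while pos != -1:
                hits.append((offset + pos, marker, text))
                pos = text.find(marker, pos + 1)
    return sorted(hits)


def scan_tree(root, max_bytes=16 * 1024 * 1024):
    """Scan the first max_bytes of each regular file under root.

    Returns {path: hits} for files with at least one marker."""
    results = {}
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            with path.open("rb") as fh:
                hits = find_markers(fh.read(max_bytes))
        except OSError:
            continue  # unreadable file: skip it, do not abort the sweep
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample: fake binary bytes with both banners embedded.
SAMPLE = (b"\x7fELF\x01\x01\x00" + b"\x00" * 9 + b"/bin/sh\x00"
          + b"asdr56tg as\n\x00" + b"\x90\x90" + b"dispari i\n\x00")

if __name__ == "__main__":
    for off, marker, ctx in find_markers(SAMPLE):
        print(f"offset {off}: {marker!r} in {ctx!r}")
```

Because the boxes in this thread are described as rooted, point `scan_tree` at a copy of the filesystem mounted from trusted media rather than at the live system.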
    


