From: Matthew S. Hallacy (poptixat_private)
Date: Mon Dec 24 2001 - 03:50:12 PST

  • Next message: Loki: "NT Compromise -- UPDATE (UDP Flood SRC=53)"

    On Wed, Dec 19, 2001 at 04:14:48AM -0500, Dayne Jordan wrote:
    > ares# strings fartone
    > #4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
    > goldeneye  - bfoN                    
    > --BOTADDR
    > --BOTFL ghp
    > --HOSTS *!*laggat_private
    > --LASTON 1008733201 #(_(_)============D
    > --XTRA created 1008544330
    > --PASS 0dz32ajse1wsg
    This entry is interesting due to the fact that it's the sharehub for the bots, this means
    it was setup first, and all the bots were instructed to automatically connect to it and download
    userfiles, it's also listening on a different port, and probably was not a hacked account.
    > cf         - hjmnoptx                
    > --HOSTS -telnet!*@*
    > --HOSTS cfat_private
    > --PASS +kqP.7.9x36e.
    > --XTRA created 1008425222
    > cf_        - fhjmnoptxZ              
    > --HOSTS *!cfat_private
    > --LASTON 1008727068 @bums
    > --PASS +SO3pi.h66XB1
    > --XTRA created 1008426075
    This person is an "owner" (the mn in hjmnoptx mean 'master' and 'owner') and is actually on IRC:
    uiu cf_ cfat_private
    uiu  ircname  : Illich Ramirez Sanchez
    uiu  channels : @#0dayxxxpasswords
    uiu  server   : [Riders on the Storm]
    uiu End of WHOIS
    pain.killer is obviously not a valid hostname, which means the server they're using
    fakes it for them, or they're cache poisoning. The person when spoken to was acting
    rather clueless.
    > sr         - hjmnoptx                
    > --HOSTS *!figgeat_private
    > --LASTON 1008715929 @goldeneye
    > --PASS +9fX2h.WNiV41
    > --XTRA created 1008539610
    I wasn't able to find this person, although the host is probably one of the affected sites.
    It's amazing how law enforcement sits around doing nothing while these people
    trade usernames/passwords, leaving such incriminating evidence in userfiles.
    On another note, I'd like to ask that in any informational releases such as this one
    that people make it clear than Eggdrop is not a DoS tool, a hacker tool, or anything
    else malicious, it's being misused just like 'nc' or perl are misused for a lot of exploits,
    anyone needing help gathering information from Eggdrop's running on compromised accounts
    (including ones using encrypted userfiles/config files/etc) should feel free to contact me,
    i've been very successful in accessing the bots and shutting down quite a few botnets spawned
    from things like this.
    				Matthew S. Hallacy
    				(Eggdrop Coder, CVS maintainer)
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 09:26:23 PST