Re: *MAJOR SECURITY BREACH AT CCBILL**

From: Matthew S. Hallacy (poptixat_private)
Date: Mon Dec 24 2001 - 03:50:12 PST


    Hello.
    
    On Wed, Dec 19, 2001 at 04:14:48AM -0500, Dayne Jordan wrote:
    [snip]
    > ares# strings fartone
    > #4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
    > goldeneye  - bfoN                    
    > --BOTADDR insecure.nl:4567/4567
    > --BOTFL ghp
    > --HOSTS *!*laggat_private
    > --LASTON 1008733201 #(_(_)============D
    > --XTRA created 1008544330
    > --PASS 0dz32ajse1wsg
    
    This entry is interesting due to the fact that it's the sharehub for the bots. This means
    it was set up first, and all the bots were instructed to automatically connect to it and download
    userfiles. It's also listening on a different port, and probably was not a hacked account.
    
    > cf         - hjmnoptx                
    > --HOSTS -telnet!*@*
    > --HOSTS cfat_private
    > --PASS +kqP.7.9x36e.
    > --XTRA created 1008425222
    > cf_        - fhjmnoptxZ              
    > --HOSTS *!cfat_private
    > --LASTON 1008727068 @bums
    > --PASS +SO3pi.h66XB1
    > --XTRA created 1008426075
    
    This person is an "owner" (the m and n in hjmnoptx mean 'master' and 'owner') and is actually on IRC:
    
    uiu cf_ cfat_private
    uiu  ircname  : Illich Ramirez Sanchez
    uiu  channels : @#0dayxxxpasswords
    uiu  server   : efnet.vuurwerk.nl [Riders on the Storm]
    uiu End of WHOIS
    
    pain.killer is obviously not a valid hostname, which means the server they're using
    fakes it for them, or they're cache poisoning. The person, when spoken to, was acting
    rather clueless.
    
    [snip]
    > sr         - hjmnoptx                
    > --HOSTS *!figgeat_private
    > --LASTON 1008715929 @goldeneye
    > --PASS +9fX2h.WNiV41
    > --XTRA created 1008539610
    [snip]
    
    I wasn't able to find this person, although the host is probably one of the affected sites.
    
    It's amazing how law enforcement sits around doing nothing while these people
    trade usernames/passwords, leaving such incriminating evidence in userfiles.
    
    
    On another note, I'd like to ask that in any informational releases such as this one
    people make it clear that Eggdrop is not a DoS tool, a hacker tool, or anything
    else malicious. It's being misused, just like 'nc' or perl are misused for a lot of exploits.
    Anyone needing help gathering information from Eggdrops running on compromised accounts
    (including ones using encrypted userfiles/config files/etc) should feel free to contact me;
    I've been very successful in accessing the bots and shutting down quite a few botnets spawned
    from things like this.
    
    
    
    				Thanks,
    				Matthew S. Hallacy
    				(Eggdrop Coder, CVS maintainer)
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
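Added example (not from the post or the Eggdrop project): a small Python triage script for a userfile recovered with `strings`, in the format quoted above. It groups the `--KEY` lines under each `handle - flags` record, expands the flag letters (only m and n are confirmed by the post; the other letters follow Eggdrop's documented user flags and are assumed to match this bot's version), marks the share hub by its `--BOTADDR` line, and converts the `--XTRA created` and `--LASTON` epochs to UTC so the records can be placed on an incident timeline; password hashes are only flagged as present, never reproduced.

```python
import re
from datetime import datetime, timezone
# m/n are confirmed by the post; the rest are Eggdrop's documented user flags (assumed).
USER_FLAGS = {"m": "master", "n": "owner", "t": "botnet-master", "o": "op",
              "p": "party-line", "x": "xfer", "j": "janitor", "f": "friend", "b": "bot"}
RECORD = re.compile(r"^(\S+)\s+-\s+([A-Za-z]*)$")   # "handle  - flags"
ATTR = re.compile(r"^--([A-Z]+)\s*(.*)$")            # "--KEY value" (keys may repeat)
# Excerpt of the `strings fartone` output quoted in the post.
SAMPLE = """#4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
goldeneye  - bfoN
--BOTADDR insecure.nl:4567/4567
--HOSTS *!*laggat_private
--LASTON 1008733201 #(_(_)============D
--XTRA created 1008544330
cf         - hjmnoptx
--HOSTS -telnet!*@*
--HOSTS cfat_private
--PASS +kqP.7.9x36e.
--XTRA created 1008425222
"""

def utc(epoch):
    return datetime.fromtimestamp(int(epoch), timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_userfile(text):
    """Group '--KEY value' lines under the preceding 'handle - flags' record."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()          # tolerate mail-quoted input
        if m := RECORD.match(line):
            records.append({"handle": m[1], "flags": m[2], "attrs": {}})
        elif (a := ATTR.match(line)) and records:
            records[-1]["attrs"].setdefault(a[1], []).append(a[2])
    return records

def triage(records):
    """Roles, hub address, password presence and a UTC timeline for each record."""
    out = []
    for r in records:
        attrs = r["attrs"]
        info = {"handle": r["handle"], "hosts": attrs.get("HOSTS", []),
                "roles": [USER_FLAGS[c] for c in r["flags"] if c in USER_FLAGS],
                "hub": attrs.get("BOTADDR", [None])[0], "has_password": "PASS" in attrs}
        if attrs.get("XTRA", [""])[0].startswith("created "):
            info["created"] = utc(attrs["XTRA"][0].split()[1])
        if "LASTON" in attrs:                     # "<epoch> <channel>"
            ts, _, chan = attrs["LASTON"][0].partition(" ")
            info["last_seen"] = (utc(ts), chan)
        out.append(info)
    return out
```

Running `triage(parse_userfile(SAMPLE))` lists goldeneye as the hub (it carries the only `--BOTADDR`) and cf as master/owner, with creation and last-seen times in UTC.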
    



    This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 09:26:23 PST