what else you can do with worm networks...fun, profit, etc

From: Anton A. Chuvakin (antonat_private)
Date: Mon Dec 09 2002 - 10:27:24 PST


    Hi all,
    
    Just saw something rather amusing brought by the worm tide :-) A little
    nasty daemon (named "httpd") was deployed by whoever hit our Apache/SSL
    honeypot. Another mod of the good ole slapper, but! here are some funny
    strings from the binary:
    
    ...
    find /|grep -i "order"
    search.log
    rm -rf search.log
    ...
    and some hard-coded addresses on where to send the stuff...
    
    The telltale sign in the /tmp: ".fontunix" (with no dash unlike the real
    thing).
    
    Get paid from collecting order data from lame web servers - heh, an idea?
    
    Best,
    -- 
      Anton A. Chuvakin, Ph.D., GCIA
         http://www.chuvakin.org
       http://www.info-secure.org
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
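
Added example (not part of the original post, and not code from the worm): a Python check for the two indicators the message mentions, a /tmp entry that imitates a legitimate name (.fontunix vs. .font-unix) and the quoted strings inside a suspect binary. The other legitimate names, the function names and the sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Socket directories X11 tooling normally creates under /tmp (assumed list).
LEGIT_TMP_NAMES = {".font-unix", ".X11-unix", ".ICE-unix"}
# Strings quoted in the post from the dropped "httpd" binary.
BINARY_STRINGS = [b'find /|grep -i "order"', b"rm -rf search.log"]


def squash(name):
    """Lowercase and drop punctuation so '.fontunix' equals '.font-unix'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_names(directory):
    """Return (entry, imitated_name) for near-misses of legitimate names."""
    squashed = {squash(n): n for n in LEGIT_TMP_NAMES}
    hits = []
    for entry in sorted(os.listdir(directory)):
        real = squashed.get(squash(entry))
        if real and entry not in LEGIT_TMP_NAMES:
            hits.append((entry, real))
    return hits


def matching_strings(path, chunk=1 << 20):
    """Return which of BINARY_STRINGS occur in the file, read in chunks."""
    found, tail = set(), b""
    overlap = max(len(s) for s in BINARY_STRINGS) - 1
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            data = tail + block  # keep an overlap so split matches are seen
            found.update(s for s in BINARY_STRINGS if s in data)
            tail = data[-overlap:]
    return sorted(found)


def demo():
    """Run both checks on a constructed stand-in for /tmp."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in (".font-unix", ".X11-unix"):
            os.mkdir(os.path.join(tmp, name))
        open(os.path.join(tmp, ".fontunix"), "wb").close()  # entry type assumed
        sample = os.path.join(tmp, "httpd")
        with open(sample, "wb") as fh:  # constructed bytes, not the real binary
            fh.write(b"\x7fELF\0\0" + BINARY_STRINGS[0] + b"\0search.log\0")
        return lookalike_names(tmp), matching_strings(sample)


if __name__ == "__main__":
    print(demo())
```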
    


