Hi all,

Just saw something rather amusing brought by the worm tide :-)

A little nasty daemon (named "httpd") was deployed by whoever hit our Apache/SSL honeypot. Another mod of the good ole slapper, but! here are some funny strings from the binary:

    ... find /|grep -i "order" search.log rm -rf search.log ...

and some hard coded addresses on where to send the stuff...

The telltale sign in the /tmp: ".fontunix" (with no dash unlike the real thing).

Get paid from collecting order data from lame web servers - heh, an idea?

Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
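A triage script for the two artifacts the post describes, added here as an example and not part of the original message: it checks for the /tmp/.fontunix marker and for files named httpd that contain both command strings quoted from the binary. The function names, the ROOT argument and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added triage example. Marker values are the ones quoted in the post;
# function names and the ROOT argument are assumptions of this example.

# Succeeds if ROOT/tmp/.fontunix exists (the genuine X font socket
# directory is .font-unix, with a dash, and is not matched).
check_tmp_marker() {
    [ -e "${1%/}/tmp/.fontunix" ]
}

# Succeeds if FILE contains both command strings quoted from the binary.
binary_has_markers() {
    [ -f "$1" ] || return 1
    LC_ALL=C grep -q -F -e 'grep -i "order"' "$1" &&
        LC_ALL=C grep -q -F -e 'rm -rf search.log' "$1"
}

# Print one line per finding under ROOT (a live system or a mounted image).
# A file that is merely named httpd is not reported; the strings decide.
triage() {
    root=${1:-/}
    if check_tmp_marker "$root"; then
        echo "MARKER ${root%/}/tmp/.fontunix"
    fi
    find "$root" -xdev -type f -name httpd 2>/dev/null |
    while IFS= read -r f; do
        if binary_has_markers "$f"; then echo "BINARY $f"; fi
    done
}

# Constructed sample tree: a planted httpd, a clean httpd, and both the
# genuine-style .font-unix directory and the look-alike .fontunix.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp/.font-unix" "$d/tmp/.fontunix" "$d/usr/sbin" "$d/var/x"
    printf 'ELF\0find /|grep -i "order"\0rm -rf search.log\0' > "$d/var/x/httpd"
    printf 'ELF\0Apache placeholder\0' > "$d/usr/sbin/httpd"
    triage "$d" | sed "s|$d||"
    rm -rf "$d"
}

# With an argument, scan that root; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then triage "$1"; else demo; fi
```

Pointing it at a read-only mount of a disk image avoids relying on tools from a host that may already be compromised.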
This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 21:28:49 PST