[svlug] worms -n stuff
dagmar at dsurreal.org
Mon Jun 4 16:04:02 PDT 2001
On Sun, 3 Jun 2001, Alvin Oga wrote:
> hi ya
> since its sorta quiet... thought i'd rattle the cage ... :-)
> - found a hacker in one of my boxes ... sorta harmless ....
> - kinda fun to do some checking and poking around
> - kinda funt o not find any reference to some files in google
> ( so hopefully it will show up now ...
> - they sniffed user passwds to other machines ..
> but they got into my "sitting duck" ..
> (donno if via old bind or ftp ... more to do later...
> - moral of the issue...
> - even if you run ssh ... it dont really matter ...
> - even if you run insecure ftp/pop3 .. it dont really matter
> - they gonna go after something they can get into
> and than poke around to do more stuff
> - i think the damage was minimized by having a small / partition
> - they created a 20Mb killall file... whatever it does...
> - i aint gonna open it or run it...
> - its NOT the same as your default normal killall command
> - the worm replaced:
> - ls, netstat, ifconfig, top
> - it comes with its own tar and obviously its hacking tools
> - if you're curious ... see if you find some "famous" worm files
> find / \( -name pt07 -o -name maniac-Rk -o -name mailrc -o -name pine.out \
> -o -name ptyxx -o adore.o -o -name 1i0n.sh -o -name scan.sh -o -name hack.sh \) -ls
> - note that looking for they worm-dependent files will only check
> for that particular one worm...
> - you should run tripwire to find all new/added/changed files
> - google didnt find some of the keywords i wanted
> - maniac-Rk ava bnc.gz grabbb.gz pine.out
> ( a new mutated rootkit ???
> ( maybe now it will find some more hits from this mailing list
> - and there's many huge collection of howto exploits out there...
You're being fairly vague here, Alan. Was it a worm that got into your
system or a script kiddie?
More information about the svlug