[svlug] worms -n stuff
Dagmar d'Surreal
dagmar at dsurreal.org
Mon Jun 4 16:04:02 PDT 2001
On Sun, 3 Jun 2001, Alvin Oga wrote:
>
> hi ya
>
> since its sorta quiet... thought i'd rattle the cage ... :-)
>
> - found a hacker in one of my boxes ... sorta harmless ....
> - kinda fun to do some checking and poking around
> -
> - kinda fun to not find any reference to some files in google
> ( so hopefully it will show up now ...
>
> - they sniffed user passwds to other machines ..
> but they got into my "sitting duck" ..
> (donno if via old bind or ftp ... more to do later...
>
> - moral of the issue...
> - even if you run ssh ... it dont really matter ...
> - even if you run insecure ftp/pop3 .. it dont really matter
>
> - they gonna go after something they can get into
> and then poke around to do more stuff
>
> - i think the damage was minimized by having a small / partition
> - they created a 20Mb killall file... whatever it does...
> - i aint gonna open it or run it...
> - its NOT the same as your default normal killall command
>
> - the worm replaced:
> - ls, netstat, ifconfig, top
> - it comes with its own tar and obviously its hacking tools
>
> - if you're curious ... see if you find some "famous" worm files
>
> find / \( -name pt07 -o -name maniac-Rk -o -name mailrc -o -name pine.out \
> -o -name ptyxx -o -name adore.o -o -name 1i0n.sh -o -name scan.sh -o -name hack.sh \) -ls
>
> - note that looking for the worm-dependent files will only check
> for that particular one worm...
> - you should run tripwire to find all new/added/changed files
>
> - google didnt find some of the keywords i wanted
> - maniac-Rk ava bnc.gz grabbb.gz pine.out
> ( a new mutated rootkit ???
>
> ( maybe now it will find some more hits from this mailing list
>
> - and there's many huge collection of howto exploits out there...
You're being fairly vague here, Alan. Was it a worm that got into your
system or a script kiddie?
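The quoted message makes two points a defender can act on: a search for one rootkit's known file names only catches that one rootkit, and the real answer is a file-integrity baseline (tripwire) that reports every added, changed or removed file. The script below is an added example written for this archive page, not code from either poster: a minimal tripwire-style baseline/compare in POSIX sh. It assumes `sha256sum` from GNU coreutils is present (it falls back to the much weaker `cksum` only so the demo still runs); the directory names, the sample "binaries" and the `demo` function are constructed for illustration.

```shell
#!/bin/sh
# Added example: tripwire-style baseline and comparison for a directory tree.
# Not from the original thread. Assumes sha256sum (GNU coreutils); cksum is a
# weak fallback used only so the demo runs on a minimal box.

# hash_file PATH -> prints "<digest> <path>" normalised to single spaces
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1, $2}'
    else
        cksum "$1" | awk '{print $1, $3}'      # "crc size name" -> "crc name"
    fi
}

# hash_tree DIR -> one "<digest> ./relative/path" line per regular file,
# sorted by path so two baselines of the same tree are byte-identical.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done )
}

# make_baseline DIR BASELINE_FILE -> record the trusted state of DIR
make_baseline() {
    hash_tree "$1" > "$2"
}

# compare_baseline DIR BASELINE_FILE
# Prints "added <path>", "changed <path>" or "removed <path>" per difference.
# Returns 0 when DIR still matches the baseline, 1 when anything differs.
compare_baseline() {
    dir=$1; base=$2
    tmp=$(mktemp)
    hash_tree "$dir" > "$tmp"
    diffs=$(awk '
        NR==FNR { old[$2] = $1; next }            # first file: the baseline
        {
            if (!($2 in old))       print "added " $2
            else if (old[$2] != $1) print "changed " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed " p }
    ' "$base" "$tmp" | LC_ALL=C sort)
    rm -f "$tmp"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# demo: constructed scenario mirroring the thread. A fake bin/ tree is
# baselined, then "ls" is replaced, a scan.sh is dropped and "top" is removed.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'real ls\n'      > "$work/bin/ls"
    printf 'real netstat\n' > "$work/bin/netstat"
    printf 'real top\n'     > "$work/bin/top"
    make_baseline "$work/bin" "$work/baseline.txt"

    printf 'trojaned ls\n'  > "$work/bin/ls"        # binary replaced
    printf 'scanner\n'      > "$work/bin/scan.sh"   # tool dropped
    rm -f "$work/bin/top"                           # binary removed
    compare_baseline "$work/bin" "$work/baseline.txt"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: demo          (prints the three differences and exits non-zero)
```

The baseline is only worth anything if the attacker cannot rewrite it, and the thread shows why: the rootkit replaced `ls`, `netstat`, `ifconfig` and `top`, so a box-resident attacker could just as easily replace `sha256sum` or `find`, or edit the baseline file. Store the baseline off the machine or on read-only media, and run the comparison from a trusted toolset (a rescue disk or a known-clean copy of the binaries), as the original tripwire recommended.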