[svlug] worms -n stuff - who

Alvin Oga alvin at planet.fef.com
Mon Jun 4 20:40:02 PDT 2001


hi ya..

i can see what they were running....
./pine.out and ./mailrc

they haven't been back since i moved the binaries around on them
and closed off one of the 2 holes i know of... maybe they'll find
other ways to get in... maybe they will go away ... don't know...
( spent more time on the follow-up emails than the actual "new rootkit" cleanup )

c ya
alvin

> Dagmar d'Surreal wrote:
> 
> Oh!  One last thing.  bnc is an IRC proxy.  Usually it's the way script
> kiddies will check to see if they still have control of a host, since they
> can run it on a high TCP port and almost no one logs a singular SYN packet
> to a high port.  They'll also IRC through it at the drop of a hat if they
> think they haven't been found out yet.  BNC supports encrypting the
> passwords used to access it, but it doesn't encrypt any traffic going
> through it, and typically won't log any connection or use.  If you'd known
> which port they were running it on, THAT would be the best place to stage
> your own little recon procedure.
> 
> 
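The quoted point above is that a lone SYN to a high port is the kiddie's "do I still own this box" knock, and that almost nobody logs it. The script below is an added example, not code from anyone in this thread: it runs over netfilter LOG output (format assumed to be that of an `iptables ... -j LOG --log-prefix "FW: "` rule on the INPUT chain; the hostname, prefix and all log lines are constructed for the example, with addresses from documentation ranges) and reports bare SYNs to ports at or above 1024 that are not on a known-service list, grouping them by source and destination port. The pairs seen exactly once are the probe pattern Dagmar describes; whichever port they land on is the one to watch next.

```python
"""
Spot single SYNs to unexpected high TCP ports in netfilter LOG output.

Added example for the svlug thread, not code from the original posters.
Assumes lines written by a rule like
    iptables -A INPUT -p tcp -j LOG --log-prefix "FW: "
(any TCP packet logged; the code itself picks out the bare SYNs).
"""
import re
from collections import defaultdict

# Key=value fields the netfilter LOG target emits, e.g. "SRC=192.0.2.77 DPT=31337".
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
# TCP flag words; "URGP=0" is not matched because the P breaks the word boundary.
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

# Constructed sample log (hostname "gw" and all addresses are made up):
#  - 192.0.2.77 sends exactly one SYN to 31337, then a plain ACK (ignored)
#  - 203.0.113.4 hits ssh (port 22, below 1024: ignored)
#  - 198.51.100.200 hits 8080, which the operator lists as a known service
#  - 203.0.113.9 sends two SYNs to 6667 (repeated, so not a single knock)
#  - one UDP line, ignored entirely
SAMPLE_LOG = """\
Jun  4 20:31:07 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31002 DF PROTO=TCP SPT=3049 DPT=31337 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 20:31:09 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=31003 DF PROTO=TCP SPT=3049 DPT=31337 WINDOW=5840 RES=0x00 ACK URGP=0
Jun  4 20:32:15 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=118 DF PROTO=TCP SPT=45021 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 20:33:40 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=9001 DF PROTO=TCP SPT=51000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 20:35:02 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=777 DF PROTO=TCP SPT=1030 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 20:35:05 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=778 DF PROTO=TCP SPT=1031 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 20:36:11 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=55 ID=119 DF PROTO=UDP SPT=53 DPT=53 LEN=58
"""


def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields plus a FLAGS set, or None for non-TCP lines."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    fields["FLAGS"] = set(FLAG_RE.findall(line))
    return fields


def find_high_port_probes(lines, known_ports=frozenset(), min_port=1024):
    """Map (src, dport) -> list of syslog timestamps for bare SYNs to unexpected high ports.

    A bare SYN is SYN set and ACK clear: the first packet of a connection attempt.
    Ports below min_port and ports the operator knows about are skipped.
    """
    hits = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if "SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]:
            continue
        dport = int(f["DPT"])
        if dport < min_port or dport in known_ports:
            continue
        hits[(f["SRC"], dport)].append(line[:15])  # syslog "Mon DD HH:MM:SS"
    return dict(hits)


def single_syn_probes(hits):
    """The (src, dport) pairs seen exactly once: the one-packet 'still mine?' knock."""
    return sorted(pair for pair, stamps in hits.items() if len(stamps) == 1)


if __name__ == "__main__":
    hits = find_high_port_probes(SAMPLE_LOG.splitlines(), known_ports={8080})
    for (src, dport), stamps in sorted(hits.items()):
        print(f"{src:>16} -> port {dport:<6} {len(stamps)} bare SYN(s), first at {stamps[0]}")
    for src, dport in single_syn_probes(hits):
        print(f"single knock: {src} -> {dport}  (candidate port for a listener of your own)")
```

A rule that logs every TCP SYN is noisy on a busy host, so in practice the known-port set would be filled from `netstat -an` output on the box and the script pointed at a day of logs; the singletons that remain are the ones worth a tcpdump filter or a decoy listener on that port.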