[svlug] worms -n stuff - who
alvin at planet.fef.com
Mon Jun 4 20:40:02 PDT 2001
I can see what they were running....
./pine.out and ./mailrc
They haven't been back since I moved the binaries around on them
and closed off one of the 2 holes I know of... maybe they'll find
other ways to get in... maybe they will go away... don't know...
(spent more time on the followup emails than the actual "new rootkit" cleanup)
> Dagmar d'Surreal wrote:
> Oh! One last thing. bnc is an IRC proxy. Usually it's the way script
> kiddies will check to see if they still have control of a host, since they
> can run it on a high TCP port and almost no one logs a singular SYN packet
> to a high port. They'll also IRC through it at the drop of a hat if they
> think they haven't been found out yet. BNC supports encrypting the
> passwords used to access it, but it doesn't encrypt any traffic going
> through it, and typically won't log any connection or use. If you'd known
> which port they were running it on, THAT would be the best place to stage
> your own little recon procedure.
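The quoted point about a proxy sitting on a high TCP port suggests a quick check a responder can run before anything else: list what is listening and compare it against what the host is supposed to expose. The script below is an added example, not part of this thread or of bnc. It parses `netstat -tlnp` style output (the sample text is constructed here, not captured from the host discussed), and flags listeners whose owning program is not in a hypothetical allowlist of expected services, is on an unexpected port for an allowlisted service, or has no visible owner. Program names like `pine.out` and `mailrc` fall out naturally because they are not on the allowlist.

```python
import re

# Constructed sample of `netstat -tlnp` output for illustration only;
# not a capture from the compromised host in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      501/sendmail
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      612/mysqld
tcp        0      0 0.0.0.0:61000           0.0.0.0:*               LISTEN      2231/pine.out
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      2240/mailrc
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
"""

# Hypothetical allowlist: program name -> ports it is expected to listen on.
# Build this from the host's real configuration, not from the running box.
EXPECTED_LISTENERS = {
    "sshd": {22},
    "sendmail": {25},
    "mysqld": {3306},
}

# One LISTEN line of netstat -tlnp: proto, queues, local addr:port, foreign, state, PID/name.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<owner>\S+)"
)


def parse_listeners(netstat_output):
    """Return a list of dicts, one per listening TCP socket in the netstat text."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and non-LISTEN rows
        owner = m.group("owner")
        if owner == "-":
            # netstat prints '-' when it cannot see the owner (not root, or hidden process)
            pid, program = None, None
        else:
            pid_s, program = owner.split("/", 1)
            pid = int(pid_s)
        listeners.append({
            "proto": m.group("proto"),
            "addr": m.group("addr"),
            "port": int(m.group("port")),
            "pid": pid,
            "program": program,
        })
    return listeners


def flag_suspicious(listeners, expected=EXPECTED_LISTENERS):
    """Return the listeners that do not match the allowlist, each with its reasons."""
    findings = []
    for entry in listeners:
        program, port = entry["program"], entry["port"]
        reasons = []
        if program is None:
            reasons.append("owning process not visible")
        elif program not in expected:
            reasons.append("program not in allowlist")
        elif port not in expected[program]:
            reasons.append("allowlisted program on unexpected port")
        # An unprivileged high port with no allowlisted owner is the classic
        # place for a proxy that an attacker probes with a single SYN.
        if port > 1023 and (program is None or program not in expected):
            reasons.append("unprivileged high port")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def report(netstat_output):
    """Print one line per suspicious listener; returns the findings for reuse."""
    findings = flag_suspicious(parse_listeners(netstat_output))
    for f in findings:
        who = f"{f['pid']}/{f['program']}" if f["program"] else "(unknown owner)"
        print(f"{f['addr']}:{f['port']}  {who}  <- {'; '.join(f['reasons'])}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_NETSTAT)
```

To use it on a live host, feed it the output of `netstat -tlnp` run as root. One caveat the thread itself illustrates: after a rootkit has been installed, `netstat`, `ps` and `ls` on that box may have been replaced and will hide exactly the sockets you are looking for, so run the enumeration with known-good binaries (or from boot media) and, if you do learn the port, watch it from the network side rather than trusting the host.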