[svlug] worms -n stuff
alvin at planet.fef.com
Sun Jun 3 16:43:01 PDT 2001
since it's sorta quiet... thought i'd rattle the cage ... :-)
- found a hacker in one of my boxes ... sorta harmless ....
- kinda fun to do some checking and poking around
- kinda fun to not find any reference to some files in google
( so hopefully it will show up now ...
- they sniffed user passwds to other machines ..
but they got into my "sitting duck" ..
(dunno if via old bind or ftp ... more to do later...
- moral of the issue...
- even if you run ssh ... it don't really matter ...
- even if you run insecure ftp/pop3 .. it don't really matter
- they gonna go after something they can get into
and then poke around to do more stuff
- i think the damage was minimized by having a small / partition
- they created a 20Mb killall file... whatever it does...
- i ain't gonna open it or run it...
- its NOT the same as your default normal killall command
- the worm replaced:
- ls, netstat, ifconfig, top
- it comes with its own tar and obviously its hacking tools
- if you're curious ... see if you find some "famous" worm files
find / \( -name pt07 -o -name maniac-Rk -o -name mailrc -o -name pine.out \
-o -name ptyxx -o -name adore.o -o -name 1i0n.sh -o -name scan.sh -o -name hack.sh \) -ls
- note that looking for the worm-dependent files will only check
for that particular one worm...
- you should run tripwire to find all new/added/changed files
- google didn't find some of the keywords i wanted
- maniac-Rk ava bnc.gz grabbb.gz pine.out
( a new mutated rootkit ???
( maybe now it will find some more hits from this mailing list
- and there's many huge collection of howto exploits out there...
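Added example (not part of the original post or of any tripwire release): a small POSIX sh script that does the two things the post suggests, a tripwire-style baseline/compare over a directory of binaries so that replaced ls/netstat/ifconfig/top show up as CHANGED (and dropped files as ADDED), plus the post's find over the rootkit filenames with the missing -name before adore.o fixed. It assumes sha256sum (or shasum as a fallback) is installed; the demo tree it builds under mktemp is constructed for illustration and stands in for /bin.

```sh
#!/bin/sh
# Added example, not from the original post: minimal tripwire-style
# integrity check plus the corrected rootkit-filename search.
# Baseline format is one "sha256  path" line per file (sha256sum's output).

hash_file() {
    # Print "sha256  path" for one file; prefer GNU sha256sum, fall back to shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

make_baseline() {
    # make_baseline DIR BASELINE_FILE: record a hash for every regular file under DIR.
    # Do this right after install, and keep the baseline on read-only media;
    # a baseline the intruder can rewrite proves nothing.
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | sort | while IFS= read -r f; do
        hash_file "$f" >> "$out"
    done
}

baseline_diff() {
    # baseline_diff DIR BASELINE_FILE: print "CHANGED path", "REMOVED path" and
    # "ADDED path" lines for every difference between DIR and the baseline.
    # Always exits 0 so callers can pipe the output; an empty output means clean.
    dir=$1; base=$2
    while IFS= read -r line; do
        old=${line%%  *}          # hash is everything before the two spaces
        f=${line#*  }             # path is everything after them
        if [ ! -f "$f" ]; then
            echo "REMOVED $f"
        else
            new=$(hash_file "$f"); new=${new%%  *}
            [ "$old" = "$new" ] || echo "CHANGED $f"
        fi
    done < "$base"
    # Anything present now but absent from the baseline is new (dropped tools, .o files ...)
    find "$dir" -type f | sort | while IFS= read -r f; do
        cut -d' ' -f3- "$base" | grep -qxF -- "$f" || echo "ADDED $f"
    done
}

find_rootkit_names() {
    # find_rootkit_names DIR: the search from the post, with -name added before
    # adore.o. This only catches this one rootkit's filenames; the baseline
    # compare above is what catches a rootkit you have never heard of.
    find "$1" \( -name pt07 -o -name maniac-Rk -o -name mailrc -o -name pine.out \
        -o -name ptyxx -o -name adore.o -o -name 1i0n.sh -o -name scan.sh \
        -o -name hack.sh \) -print
}

demo() {
    # Constructed scratch tree standing in for /bin: take a baseline, then
    # simulate the intrusion (trojaned ls, netstat removed, rootkit file dropped).
    d=$(mktemp -d)
    printf 'original ls\n'      > "$d/ls"
    printf 'original netstat\n' > "$d/netstat"
    make_baseline "$d" "$d.baseline"
    printf 'trojaned ls\n' > "$d/ls"
    rm "$d/netstat"
    printf 'x\n' > "$d/1i0n.sh"
    echo "--- baseline diff:";  baseline_diff "$d" "$d.baseline"
    echo "--- known names:";    find_rootkit_names "$d"
    rm -rf "$d" "$d.baseline"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh integrity.sh demo` to see the three diff lines and the hit on 1i0n.sh. Two caveats a practitioner would add: hashing with the box's own sha256sum and find is only as trustworthy as those binaries (boot from clean media, or at least use statically linked copies from elsewhere, when checking a suspect host), and a kernel module such as adore can hide files from find entirely, so a clean result from a live system is not proof of a clean system.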