[svlug] worms -n stuff

Alvin Oga alvin at planet.fef.com
Sun Jun 3 16:43:01 PDT 2001


hi ya

since its sorta quiet... thought i'd rattle the cage ... :-)

- found a hacker in one of my boxes ... sorta harmless ....
	- kinda fun to do some checking and poking around
	- kinda fun to not find any reference to some files in google
	( so hopefully it will show up now ...

- they sniffed user passwds to other machines ..
	but they got into my "sitting duck" .. 
	(donno if via old bind or ftp ... more to do later...
 
	- moral of the issue... 
	  - even if you run ssh ... it dont really matter  ...
	  - even if you run insecure ftp/pop3 .. it dont really matter

	  - they gonna go after something they can get into
	  and then poke around to do more stuff

- i think the damage was minimized by having a small / partition
	- they created a 20Mb killall file... whatever it does...
		- i aint gonna open it or run it...
		- its NOT the same as your default normal killall command

- the worm replaced:
	- ls, netstat, ifconfig, top
	- it comes with its own tar and obviously its hacking tools

- if you're curious ...  see if you find some "famous" worm files

	find / \( -name pt07 -o -name maniac-Rk -o -name mailrc -o -name pine.out \
	-o -name ptyxx -o -name adore.o -o -name 1i0n.sh -o -name scan.sh -o -name hack.sh \) -ls

	- note that looking for the worm-dependent files will only check
	for that particular one worm...
		- you  should run tripwire to find all new/added/changed files

- google didnt find some of the keywords i wanted
	-  maniac-Rk ava bnc.gz grabbb.gz pine.out
	( a new mutated rootkit ???

	( maybe now it will find some more hits from this mailing list

- and there are many huge collections of howto exploits out there...

have fun
alvin
http://Lsec.Linux-Sec.net
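The post's point that a name-based search only catches one worm, while a tripwire-style baseline catches every added, removed or replaced file, as an added example that is not part of the original message. It is a minimal file-integrity check written for this page: the filenames are the ones listed above, the tree it scans is constructed in a temporary directory, and the "trojaned" ls and dropped 1i0n.sh are simulated.

```python
import hashlib
import os
import tempfile

# Filenames the post associates with this rootkit; matching names only
# catches this one worm, so the baseline comparison below is the real check.
KNOWN_ROOTKIT_NAMES = {"pt07", "maniac-Rk", "mailrc", "pine.out", "ptyxx",
                       "adore.o", "1i0n.sh", "scan.sh", "hack.sh"}

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative path) to (sha256, size, mode)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                st = os.stat(p)
                baseline[os.path.relpath(p, root)] = (_sha256(p), st.st_size, st.st_mode)
    return baseline

def compare(baseline, current):
    """Files added, removed or changed (content, size or mode) since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def suspicious_names(current, names=KNOWN_ROOTKIT_NAMES):
    return sorted(p for p in current if os.path.basename(p) in names)

def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: snapshot a tree, then trojan one binary and drop a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "netstat", "top"):
            _write(os.path.join(root, "bin", name), b"original " + name.encode())
        before = build_baseline(root)
        _write(os.path.join(root, "bin", "ls"), b"trojaned ls")  # replaced binary
        _write(os.path.join(root, "1i0n.sh"), b"#!/bin/sh\n")   # dropped worm file
        after = build_baseline(root)
        return compare(before, after), suspicious_names(after)
```

Note that the replaced ls has the same size as the original, so only the hash catches it; a real deployment keeps the baseline on read-only media, since a rootkit that replaced ls and netstat could just as easily edit a baseline stored on the compromised disk.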




