[svlug] worms -n stuff

Marc MERLIN marc_news at valinux.com
Sun Jun 3 21:00:01 PDT 2001

On Sun, Jun 03, 2001 at 04:38:08PM -0700, Alvin Oga wrote:
> hi ya
> since its sorta quiet... thought i'd rattle the cage ... :-)
> - found a hacker in one of my boxes ... sorta harmless ....

Was he writing code on your machine?

> 	- moral of the issue... 
> 	  - even if you run ssh ... it dont really matter  ...
> 	  - even if you run insecure ftp/pop3 .. it dont really matter

It does. Unencrypted connections are of course to avoid completely, but
crypted authentication doesn't mean that you're safe (especially if the
other end is compromised and runs a trojanned ssh).

> 	  - they gonna go after something they can get into
> 	  and then poke around to do more stuff

Well, duh!

> - i think the damage was minimized by having a small / partition
> 	- they created a 20Mb killall file... whatever it does...

That's a pretty big binary :-)

> 	- note that looking for the worm-dependent files will only check
> 	for that particular one worm...
> 		- you should run tripwire to find all new/added/changed files

I know a place where they ran touch against the whole filesystem.

Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f at merlins.org for PGP key
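
The tripwire suggestion and the `touch` remark above, as an added example that is not part of the original message: a small content-hash baseline and comparison in Python (not Tripwire itself; the function names and the sample tree are constructed for illustration). It shows that a baseline keyed on SHA-256 still reports new and modified files after every mtime has been rewritten.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file's relative path to (sha256 hex, mtime in ns)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[os.path.relpath(path, root)] = (digest.hexdigest(), os.stat(path).st_mtime_ns)
    return snap


def compare(baseline, current):
    """Classify differences between two snapshots."""
    both = sorted(set(baseline) & set(current))
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": [p for p in both if baseline[p][0] != current[p][0]],  # content differs
        "touched": [p for p in both  # same content, rewritten mtime
                    if baseline[p][0] == current[p][0] and baseline[p][1] != current[p][1]],
    }


def demo():
    """Constructed sample tree: replace one file, add one, then reset every mtime."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("ps", b"original ps"), ("ls", b"original ls")):
            Path(root, name).write_bytes(data)
        baseline = snapshot(root)
        Path(root, "ps").write_bytes(b"replaced ps")
        Path(root, "killall").write_bytes(b"new file")
        for name in os.listdir(root):  # same effect as running touch on everything
            os.utime(os.path.join(root, name), ns=(1, 1))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline, so keep the baseline off the monitored host or on read-only media.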
