Security Basics mailing list archives
Re: Monitored.By.hAcxFtpScan
From: khayes () eastbay com
Date: Fri, 6 Dec 2002 12:24:31 -0600
I did a little digging and found that "hAcxFtpScan" is NOT a Warez Group but rather a utility a given group (or groups) use to make sure nobody screws with a site that they have already hacked. The utility also monitors the traffic to/from the site and other fun items. You can actually download the application AND join the IRC channel supporting the utility at (http://scakirca.tripod.com/arama.htm). The link is on the top row center.

Primarily these types of "pubstros" (hacked systems hosting an FTPD in stealth mode) are being shared openly via IRC channels. In particular they are sharing them with anyone who wants to get a copy of the list of sites having been compromised. I don't know Joris' IP address so I can't confirm if their site made it on these lists or if luck was on their side and caught the folks before it was used to serve/distribute files.

Finding these lists is extremely easy once you have an idea where to look. I don't want to include URLs for compromised sites here but if you do a simple search for "hAcxFtpScan" on Yahoo or Google and ignore the hits that result from our running thread here, you should be able to get a good idea of what's going on. In particular, there is one site being hosted out of Belgium that's freely giving this information out. Running a WHOIS on the domain revealed all sorts of information on the site should someone be interested in following up on it. Guess they're not too worried about security themselves. (smirk)

Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com

Thomas Sjögren <thomas@northernsecurity.net>
12/04/2002 11:13 AM
Please respond to thomas

To: security-basics () securityfocus com
cc:
Subject: Re: Monitored.By.hAcxFtpScan

On Tuesday 03 December 2002 20.52, Joris De Donder wrote:
I found an un-managed ftp server floating around our network. I am quite sure the machine itself had not been compromised completely, but I found a directory in there with the above name.
If you're really interested in knowing what's going on, isolate the server from your network and turn it into a honeypot.

/Thomas
--
thomas () northernsecurity net
thomas () se linux org