Full Disclosure mailing list archives
(no subject)
From: pauls () utdallas edu (Schmehl, Paul L)
Date: Thu, 3 Oct 2002 09:26:20 -0500

The chances are extremely good that the IP you're seeing is JAHB (just another hacked box).

Paul Schmehl (pauls () utdallas edu)
Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Francisco Guerreiro
Sent: Thursday, October 03, 2002 7:59 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] (no subject)

hi folks..

I was meddling in a friend's box when I came across a weird file in /tmp with apache perms. I thought it was an exploit to obtain root since the machine was vuln to the openssl problem, but it turned out to be something else.

Attached I send the stuff I found, it's quite self-explanatory. I've looked at it for a few minutes, it's the Slapper code, with some comments and a shell script that gathers info about the box and sends it to an email account at yahoo.com.

The IP that is written on the worm resolves to an ADSL account on some ISP. I guess it is some kind of target, since it would be quite stupid to put your home IP on a worm.