Security Incidents mailing list archives

inquiry re: hacker communication methods


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Fri, 13 Oct 2000 19:46:23 -0400

hi all,

a quick inquiry i want to get from you all.

i'm investigating a box that got compromised this morning (some more
details will be forthcoming later this weekend, i hope) and i have found
their kits and tools. some of it looks pretty standard, and some of it may
be a bit more sophisticated than i would have first given them credit for.

basic log wiping utils, no rootkit (ie trojanned basic system stuff like
ls, but some login mechanisms), standard FTPd exploit not even lost. and
this was all preceded by a huge FTPd service sweep (have already
contacted the upstream, but they're outside of the country) of the campus.
the machine was announced on an IRC channel as compromised, again common
and unsophisticated.

all of this looks rather script kiddyish to me.

here's the kicker: the files on the system that match the compromise
(inodes in the same series, owner and group ids the same, etc) all have
usenet/innd type stuff going on. posting messages, grabbing and decoding
messages.

i recently read in the caezar's challenges that usenet is a fantastic
method of communication, as the sender could be whoever and the reader is
never known.

is it likely, in your esteemed estimation, that they're using Usenet to
bound information back and forth?

thanks.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

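The triage step the post describes, matching files to the intrusion by inode series and owner/group id, written out as an added example in Python. This is not code from the post or from its author. The file inventory below is constructed (paths, uids, gids, inode numbers and ctimes are made up), and the 64-inode window, the gap threshold and the ctime cutoff are assumptions to tune per filesystem; `inventory()` is what you would run against a mounted image of the real box.

```python
"""Cluster files that were probably dropped in one intrusion.

Idea (same as the post): tools unpacked by an intruder in one session get
nearly consecutive inode numbers and share a uid/gid.  Start from one file
you already know is theirs (the seed) and pull in everything nearby.
"""
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FileRecord:
    path: str
    inode: int
    uid: int
    gid: int
    ctime: float  # inode change time; harder to backdate than mtime


def inventory(root: str) -> List[FileRecord]:
    """Walk root with lstat (symlinks are not followed) and record
    inode, owner and ctime for every regular entry found."""
    out: List[FileRecord] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; keep going
            out.append(FileRecord(path, st.st_ino, st.st_uid, st.st_gid, st.st_ctime))
    return out


def related_to_seed(records: List[FileRecord], seed: FileRecord,
                    inode_window: int = 64, same_owner: bool = True,
                    ctime_after: Optional[float] = None) -> List[FileRecord]:
    """Files whose inode lies within inode_window of the seed's, optionally
    restricted to the seed's uid/gid and to ctime after a cutoff."""
    hits = []
    for r in records:
        if abs(r.inode - seed.inode) > inode_window:
            continue
        if same_owner and (r.uid, r.gid) != (seed.uid, seed.gid):
            continue
        if ctime_after is not None and r.ctime <= ctime_after:
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r.inode)


def inode_runs(records: List[FileRecord], max_gap: int = 2) -> List[List[FileRecord]]:
    """Split records into runs of nearly consecutive inodes.  One run is what
    a single tarball extraction tends to look like on disk."""
    runs: List[List[FileRecord]] = []
    for r in sorted(records, key=lambda x: x.inode):
        if runs and r.inode - runs[-1][-1].inode <= max_gap:
            runs[-1].append(r)
        else:
            runs.append([r])
    return runs


# Constructed sample inventory (assumption: not data from the real system).
SAMPLE = [
    FileRecord("/bin/ls", 1201, 0, 0, 10.0),
    FileRecord("/etc/passwd", 1330, 0, 0, 10.0),
    FileRecord("/var/tmp/.x/wipe", 48211, 1001, 100, 100.0),
    FileRecord("/var/tmp/.x/login", 48212, 1001, 100, 100.0),
    FileRecord("/var/tmp/.x/post.pl", 48213, 1001, 100, 100.0),
    FileRecord("/var/tmp/.x/decode.sh", 48214, 1001, 100, 100.0),
    FileRecord("/var/tmp/.x/README", 48216, 1001, 100, 5.0),     # old ctime
    FileRecord("/home/alice/notes.txt", 48218, 1002, 100, 100.0),  # other uid
    FileRecord("/var/log/messages", 48240, 0, 0, 100.0),           # root-owned
    FileRecord("/usr/local/bin/nnrp", 52001, 1001, 100, 100.0),    # far inode
]
SEED = SAMPLE[4]  # the one file we already attribute to the intruder


if __name__ == "__main__":
    import sys
    recs = inventory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    seed = SEED if len(sys.argv) < 3 else next(r for r in recs if r.path == sys.argv[2])
    for run in inode_runs(related_to_seed(recs, seed)):
        print(f"--- run of {len(run)} inodes {run[0].inode}..{run[-1].inode}")
        for r in run:
            print(f"{r.inode:>10} {r.uid:>5} {r.gid:>5} {r.path}")
```

Run it as `python3 triage.py /mnt/image /mnt/image/var/tmp/.x/post.pl` against a read-only mount of the disk image, not the live box, so that your own reads do not touch atimes. Inode proximity is a heuristic: allocators spread directories across block groups, so widen the window if a kit was unpacked into several directories, and treat ctime as a hint rather than proof, since an intruder who owns root can reset the clock before extracting files.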
