Security Incidents mailing list archives
inquiry re: hacker communication methods
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Fri, 13 Oct 2000 19:46:23 -0400
hi all, a quick inquiry i want to get from you all.

i'm investigating a box that got compromised this morning (some more details will be forthcoming later this weekend, i hope) and i have found their kits and tools. some of it looks pretty standard, and some of it may be a bit more sophisticated than i would have first given them credit for. basic log wiping utils, no rootkit (i.e. trojanned basic system stuff like ls, but some login mechanisms), standard FTPd exploit not even lost. and this was all preceded by a huge FTPd service sweep (have already contacted the upstream, but they're outside of the country) of the campus. the machine was announced on an IRC channel as compromised, again common and unsophisticated. all of this looks rather script kiddyish to me.

here's the kicker: the files on the system that match the compromise (inodes in the same series, owner and group IDs the same, etc.) all have usenet/innd type stuff going on. posting messages, grabbing and decoding messages. i recently read in the caezar's challenges that usenet is a fantastic method of communication, as the sender could be whoever and the reader is never known.

is it likely, in your esteemed estimation, that they're using Usenet to bound information back and forth?

thanks.

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
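The post pins the intruder's toolkit down by correlating files whose inode numbers fall in the same series and that share a uid/gid. The script below, an added example and not something from the original thread or from the poster, turns that triage step into code: it collects (path, inode, uid, gid, mtime) records, buckets them by owner, clusters inodes that are within a small gap of each other, and returns the cluster that contains one file you already know is bad. The `SAMPLE_RECORDS` snapshot, its paths, inode numbers and uids are constructed for illustration and are not taken from the compromised host described in the message; `scan_tree` is the helper you would run against a real mounted image instead.

```python
"""Triage helper: cluster files by inode proximity and ownership.

Files created in one intruder session on the same filesystem tend to
receive inode numbers from the same allocation run and carry the same
uid/gid, so grouping on those fields surfaces the rest of a toolkit
from a single known-bad file.
"""
import os
import stat
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    inode: int
    uid: int
    gid: int
    mtime: int  # seconds since the epoch


def scan_tree(root):
    """Collect a FileRecord for every regular file under root (symlinks not followed).

    Run this against a mounted image or a suspect directory; the clustering
    functions below work on whatever list of records it returns.
    """
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            records.append(FileRecord(full, st.st_ino, st.st_uid, st.st_gid, int(st.st_mtime)))
    return records


def cluster_by_inode(records, gap=16):
    """Group records with the same uid/gid whose inode numbers form a run.

    Within each (uid, gid) bucket the records are sorted by inode, and a new
    cluster starts whenever the next inode is more than `gap` away from the
    previous one. Returns a list of clusters, each sorted by inode.
    """
    buckets = defaultdict(list)
    for r in records:
        buckets[(r.uid, r.gid)].append(r)
    clusters = []
    for members in buckets.values():
        members.sort(key=lambda r: r.inode)
        current = [members[0]]
        for r in members[1:]:
            if r.inode - current[-1].inode <= gap:
                current.append(r)
            else:
                clusters.append(current)
                current = [r]
        clusters.append(current)
    return clusters


def related_to(records, known_bad_path, gap=16):
    """Return the cluster containing known_bad_path, or [] if it is not present."""
    for cluster in cluster_by_inode(records, gap):
        if any(r.path == known_bad_path for r in cluster):
            return cluster
    return []


def mtime_window(cluster):
    """Seconds between the oldest and newest mtime in a cluster (0 for a single file)."""
    if not cluster:
        return 0
    return max(r.mtime for r in cluster) - min(r.mtime for r in cluster)


# Constructed sample snapshot of a hypothetical compromised host. Paths,
# inode numbers, uids and timestamps are invented for illustration only.
SAMPLE_RECORDS = [
    FileRecord("/bin/ls", 1021, 0, 0, 900_000_000),
    FileRecord("/usr/bin/innd", 1300, 0, 0, 900_000_000),
    FileRecord("/tmp/.x/wipe", 48201, 1001, 1001, 971_400_000),
    FileRecord("/tmp/.x/ftpx", 48203, 1001, 1001, 971_400_030),
    FileRecord("/tmp/.x/post.pl", 48210, 1001, 1001, 971_400_100),
    FileRecord("/tmp/.x/uudec", 48211, 1001, 1001, 971_400_120),
    FileRecord("/home/alice/notes.txt", 48250, 1001, 1001, 950_000_000),  # same uid, inode too far
    FileRecord("/home/bob/a.out", 48205, 1002, 1002, 971_400_050),        # inode near, other uid
]

if __name__ == "__main__":
    hits = related_to(SAMPLE_RECORDS, "/tmp/.x/ftpx")
    print(f"{len(hits)} files in the same inode run and ownership, written within {mtime_window(hits)} s:")
    for r in hits:
        print(f"{r.inode:8d} {r.uid}:{r.gid} {r.path}")
```

The gap threshold is a judgement call: on a quiet filesystem a single session's files are often consecutive, but other writes interleave, so start small and widen it until the cluster stops growing; the mtime window is the sanity check that the run really is one burst of activity rather than a coincidence of allocation order.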
Current thread:
- inquiry re: hacker communication methods Jose Nazario (Oct 15)
- Re: inquiry re: hacker communication methods Missouri FreeNet Administration (Oct 16)
- incident log software The Picard (Oct 16)
- Re: incident log software Steve (Oct 17)
- incident log software The Picard (Oct 16)
- Re: inquiry re: hacker communication methods Jose Nazario (Oct 16)
- Re: inquiry re: hacker communication methods Missouri FreeNet Administration (Oct 16)