Security Incidents mailing list archives
Re: *MAJOR SECURITY BREACH AT CCBILL**
From: Dayne Jordan <djordan () completeweb net>
Date: Wed, 19 Dec 2001 15:14:40 -0500
**UPDATE**

Since we first broke this story, I have some further info...

It appears that the entire process of ssh'ing/telnet'ing to the machine that they have userids/passwords for is an automated process, perhaps scripted from several sources. The automated script has been preloaded with a vast list of usernames/passwords and server addresses, and it systematically goes through the list and ftp's the eggdrop and TCL tar files to the user's directory. It then attempts to untar and configure both programs. If it's successful, it starts the eggdrop program and puts it onto the IRC channel at EFNet.

If it's unsuccessful, then someone (human) visits the machine via ssh/telnet, compiles the failed eggdrop or TCL programs manually, and launches the eggdrop. We've seen evidence of this on 2 other machines.

D.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
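The drop pattern described in the message above leaves artifacts at the top of each affected user's home directory. The following is an added example, not part of the original post, of a sweep that flags those artifacts; the file-name patterns, the function names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed file-name patterns: the post names the programs, not the file names.
ARCHIVE_RE = re.compile(r"^(eggdrop|tcl)[\w.\-]*\.(tar|tar\.gz|tgz|tar\.Z)$", re.I)
UNPACKED_RE = re.compile(r"^(eggdrop|tcl)[\w.\-]*$", re.I)

def scan_homes(home_root):
    """Map each user to eggdrop/TCL artifacts found at the top of their home directory."""
    report = {}
    for user in sorted(os.listdir(home_root)):
        user_dir = os.path.join(home_root, user)
        if not os.path.isdir(user_dir):
            continue
        findings = []
        for name in os.listdir(user_dir):
            path = os.path.join(user_dir, name)
            if os.path.isfile(path) and ARCHIVE_RE.match(name):
                findings.append("archive:" + name)
            elif os.path.isdir(path) and UNPACKED_RE.match(name):
                findings.append("unpacked:" + name)
        if findings:
            report[user] = sorted(findings)
    return report

def matches_described_drop(findings):
    """True when both programs are present, as in the drop the post describes."""
    names = [f.split(":", 1)[1].lower() for f in findings]
    return any(n.startswith("eggdrop") for n in names) and any(n.startswith("tcl") for n in names)

def build_sample_tree(root):
    """Constructed layout for the demo; not data from the incident."""
    layout = {"alice": ["eggdrop1.6.6.tar.gz", "tcl8.3.4.tar.gz", "eggdrop1.6.6/"],
              "bob": ["notes.txt", "backup.tar.gz"],
              "carol": ["tcl8.3.4.tar.gz"]}
    for user, names in layout.items():
        os.makedirs(os.path.join(root, user), exist_ok=True)
        for name in names:
            path = os.path.join(root, user, name.rstrip("/"))
            if name.endswith("/"):
                os.makedirs(path, exist_ok=True)
            else:
                open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for user, findings in scan_homes(root).items():
            print(user, findings, "full drop" if matches_described_drop(findings) else "partial")
```

On a real host, point `scan_homes` at the directory that holds user home directories and treat any hit as a reason to review that account's recent ssh, telnet and ftp logins.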