Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: *MAJOR SECURITY BREACH AT CCBILL**

From: Dayne Jordan <djordan () completeweb net>
Date: Wed, 19 Dec 2001 15:14:40 -0500
**UPDATE**

Since we first broke this story, I have some further info...

It appears that the entire process of ssh'ing/telnet'ing to
the machine that they have userids/passwords for is an
automated process, perhaps scripted from several sources.

The automated script has been preloaded with a vast list
of username/passwords and server addresses and it systematically
goes thru the list and ftp's the eggdrop and TCL tar files
to the users directory. It then attempts to un tar and configure
both programs, if it's successful, then it starts the eggdrop
program and put it onto the IRC channel at EFNet. IF it's
unsuccessful then someone(human) visits the machine via ssh/telnet
and compiles the failed eggdrop or TCL programs manually and
launches the eggdrop.

We've seen evidence of this on 2 other machines.

D.
========

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: