Security Incidents mailing list archives

Re: Rooted Boxes


From: "Christian W. Zuckschwerdt" <zany () TRIQ NET>
Date: Tue, 16 Jan 2001 15:53:18 +0100

Hi,

On Mon, 15 Jan 2001, Brian Houk wrote:

Say, you don't by chance have port 911 TCP running from their rootkit to
you?

As far as I've been told, the machine is down for forensic analysis. The
data our IDS picked up indicated rootkits in /dev/hdb0 and /dev/ptyas.

The rootkits were (automatically) installed on 2001-01-14 and the abuse from
multiple telnet-connected hosts (and users) was on 2001-01-15.

The created logins were: wormboy adm test sky web aki dani
Thought I'd share that info, although it's not likely to be suitable for
pattern detection?


On Tue, 16 Jan 2001, Robert van der Meulen wrote:

Either you're new on the list, or you haven't read the (huge)
'Finding out who owns particular IP addresses' thread.
I suggest you look it up in the list archives, and contact them (all
domains _should_ have active security and abuse contacts, hope these do).

Well, I managed to locate each responsible ISP. The thread you mentioned
was technically centred. My specific question was about your opinion on
general practice in contacting each ISP.

Is it okay to send a report to abuse@each-isp or perhaps a more suitable
address?


  cu.
    :
    Christian

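A triage check for the two indicators named in the report above (intruder-created logins and rootkit files dropped under /dev), as an added example that is not part of the original post. The /etc/passwd snapshot and /dev listing are constructed; /dev/ptyas is modelled as a regular file and /dev/hdb0 as a directory, since the post does not say which they were.

```python
"""Added triage example (not from the original post): checks for the two
indicators the report names, intruder-created logins and rootkit files
hidden under /dev. All input below is constructed sample data."""
import stat

# Login names the report lists as created by the intruders
SUSPECT_LOGINS = {"wormboy", "adm", "test", "sky", "web", "aki", "dani"}

# Constructed /etc/passwd snapshot from a hypothetical compromised host
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
wormboy:x:0:0::/tmp:/bin/sh
dani:x:1004:100::/home/dani:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
"""

# Constructed /dev listing as (path, st_mode); the two paths from the report
# are modelled as a regular file and a directory (assumption, not from the post)
SAMPLE_DEV = [
    ("/dev/null", stat.S_IFCHR | 0o666),
    ("/dev/hda", stat.S_IFBLK | 0o660),
    ("/dev/pts", stat.S_IFDIR | 0o755),
    ("/dev/ptyas", stat.S_IFREG | 0o644),
    ("/dev/hdb0", stat.S_IFDIR | 0o755),
]

def suspicious_accounts(passwd_text, suspect_logins=SUSPECT_LOGINS):
    """Return (login, reason) pairs: a name on the intruder list, or any
    account besides root with UID 0 (a classic rootkit backdoor)."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # skip malformed lines rather than crash mid-triage
        login, uid = fields[0], fields[2]
        if login in suspect_logins:
            findings.append((login, "matches reported intruder login"))
        if uid == "0" and login != "root":
            findings.append((login, "UID 0 account other than root"))
    return findings

def non_device_entries(dev_entries, known_dirs=("/dev/pts",)):
    """Flag regular files and unexpected directories under /dev: legitimate
    entries there are device nodes, symlinks, FIFOs and a few known dirs."""
    return [p for p, mode in dev_entries
            if stat.S_ISREG(mode) or (stat.S_ISDIR(mode) and p not in known_dirs)]
```

On a live host, build the entries list with os.lstat over an os.walk of /dev (lstat so symlinks are not followed) and feed the real /etc/passwd text in place of the sample.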
