Security Incidents mailing list archives

Re: Can anyone explain this compromise?


From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Sat, 12 Aug 2000 13:24:15 -0000

Hello!

Blackhand is an ircnet crew. They probably run bots on 
your server, at least according to the logs. I think that 
some "enemy" ircnet crew mailed these logs, we've seen such 
attempts to "kill" other ircnet crews before. However, if 
you want my help to look thru the binaries, just send me 
an email and I'll be happy to help you out. 

Cheers.

/ Fredrik.

Hi all,

We have been receiving messages like below from sites
around the world warning us that "ourhost.dom.com.au" has
been compromised. Here is one of the messages:

>Your shells have been hacked by a group called
> > BlackHand. They hack shells and then they root and
>do
> > illegal things like run illegal backgrounds in
>servers
> > smurf scan etc. Here is some proof:
> >
>SNK- is snk () ourhost dom com au * Do whois if you
>are a gay
>SNK- using *.au [0:0:0:0:0:ffff:203.37.45.3] TI IRC
>Server
>SNK- End of WHOIS list.
>

Other messages are exactly the same but in addition include
stuff like "you have been r00ted and trojan login, ps, su
binaries inserted"

Any ideas?

Thanks,
Max

Max Steel
Omega-Xpress