Security Incidents mailing list archives

Re: Can anyone explain this compromise?


From: Ryan Sweat <h3xm3 () SWBELL NET>
Date: Thu, 10 Aug 2000 20:08:33 -0500

Blackhand is a wargroup on IRCnet. If you are getting email from angry
people on IRC, then they are probably right, and you have been hacked.
Suspect login trojans and DDoS clients (Stacheldraht or similar).

Sir Scriptzalot wrote:

Hi all,

We have been receiving messages like below from sites
around the world warning us that "ourhost.dom.com.au" has
been compromised. Here is one of the messages:

Your shells have been hacked by a group called
BlackHand. They hack shells and then they root and do
illegal things like run illegal backgrounds in servers
smurf scan etc. Here is some proof:

SNK- is snk () ourhost dom com au * Do whois if you are a gay
SNK- using *.au [0:0:0:0:0:ffff:203.37.45.3] TI IRC Server
SNK- End of WHOIS list.


Other messages are exactly the same but in addition include
stuff like "you have been r00ted and trojan login, ps, su
binaries inserted".

Any ideas?

Thanks,
Max

Max Steel
Omega-Xpress

