Security Incidents mailing list archives

Re: Machine compromised, rootkit and DDoS tools installed.


From: Chris Keladis <Chris.Keladis () CMC CWO NET AU>
Date: Mon, 25 Sep 2000 01:24:52 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 04:56 PM 9/21/00 -0500, Jeremy L. Gaddis wrote:

> Oh, one last bit, a file named "shitc.tgz" was found on the
> filesystem.  I also noticed a message in sendmail's logs
> from root to "shitc () altavista com."


Interesting.

I had the displeasure of dealing with the "shitc" (??) rootkit.

I'm still poking around the various bins, and I don't have a Linux box
handy to test it all on, but at first glance I did not see any TFN daemons
in my copy.

I noticed a lot of "script-kids" are getting hotmail & yahoo accounts for
"reconnaissance".

I wonder what their AUP says about that?




Regards,

Chris



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOc+0lCEx0akmf5vwEQITWgCgvdiHASOgNnvcgazoGqXluRREw4MAoIe/
yIZC6SpkaYlE7d4FIjfM6vgf
=xcwW
-----END PGP SIGNATURE-----

