Security Incidents mailing list archives
Re: *MAJOR SECURITY BREACH AT CCBILL**
From: "Matthew S. Hallacy" <poptix () techmonkeys org>
Date: Mon, 24 Dec 2001 05:50:12 -0600
Hello.

On Wed, Dec 19, 2001 at 04:14:48AM -0500, Dayne Jordan wrote:

[snip]

> ares# strings fartone
> #4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
> goldeneye - bfoN
> --BOTADDR insecure.nl:4567/4567
> --BOTFL ghp
> --HOSTS *!*lagg () blackhole iarga com
> --LASTON 1008733201 #(_(_)============D
> --XTRA created 1008544330
> --PASS 0dz32ajse1wsg

This entry is interesting due to the fact that it's the sharehub for the bots. This means it was set up first, and all the bots were instructed to automatically connect to it and download userfiles. It's also listening on a different port, and probably was not a hacked account.

> cf - hjmnoptx
> --HOSTS -telnet!*@*
> --HOSTS cf@pain.killer
> --PASS +kqP.7.9x36e.
> --XTRA created 1008425222
> cf_ - fhjmnoptxZ
> --HOSTS *!cf@pain.killer
> --LASTON 1008727068 @bums
> --PASS +SO3pi.h66XB1
> --XTRA created 1008426075

This person is an "owner" (the m and n in hjmnoptx mean 'master' and 'owner') and is actually on IRC:

uiu cf_ cf@pain.killer
uiu ircname : Illich Ramirez Sanchez
uiu channels : @#0dayxxxpasswords
uiu server : efnet.vuurwerk.nl [Riders on the Storm]
uiu End of WHOIS

pain.killer is obviously not a valid hostname, which means the server they're using fakes it for them, or they're cache poisoning. The person, when spoken to, was acting rather clueless.

[snip]

> sr - hjmnoptx
> --HOSTS *!figge () shemalepornstar com
> --LASTON 1008715929 @goldeneye
> --PASS +9fX2h.WNiV41
> --XTRA created 1008539610
[snip]

I wasn't able to find this person, although the host is probably one of the affected sites.

It's amazing how law enforcement sits around doing nothing while these people trade usernames/passwords, leaving such incriminating evidence in userfiles.

On another note, I'd like to ask that in any informational releases such as this one, people make it clear that Eggdrop is not a DoS tool, a hacker tool, or anything else malicious. It's being misused, just like 'nc' or perl are misused for a lot of exploits. Anyone needing help gathering information from Eggdrops running on compromised accounts (including ones using encrypted userfiles/config files/etc.) should feel free to contact me; I've been very successful in accessing the bots and shutting down quite a few botnets spawned from things like this.

Thanks,
Matthew S. Hallacy (Eggdrop Coder, CVS maintainer)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
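The message above reads a recovered Eggdrop userfile by hand: the global flag string identifies owners and masters (n and m), and the bot record carrying a --BOTADDR is the share hub the other bots were told to link to. The following Python triage helper is an added example, not code from the thread or from the Eggdrop project. It assumes the one-attribute-per-line record layout shown in the quoted entries (handle - FLAGS, then --HOSTS, --LASTON, --PASS, --XTRA, --BOTADDR, --BOTFL lines) and that the b flag marks a bot record; the sample userfile, its handles, hostnames, ports and password hashes are constructed placeholders. It turns a userfile into a list of controllers, hub addresses, host masks and last-seen times that an incident responder can hand to the affected sites.

```python
"""Triage helper for a recovered Eggdrop userfile (added example, not Eggdrop code).

Assumed record layout, one attribute per line, as in the entries quoted above:
    handle - FLAGS
    --HOSTS mask               (may repeat)
    --LASTON epoch @chan
    --PASS hash
    --XTRA created epoch
    --BOTADDR host:port/port   (bot records only)
    --BOTFL flags              (bot records only)
"""
import re
from datetime import datetime, timezone

# Constructed sample; every handle, hostname, port and hash here is invented.
SAMPLE_USERFILE = """\
#4v: eggdrop v1.6.7 -- hubbot -- written Wed Dec 19 02:00:00 2001
hubbot     - bfo
--BOTADDR hub.example.invalid:4567/4567
--BOTFL ghp
--HOSTS *!*botuser@host-a.example.invalid
--LASTON 1008733201 #chan-a
--XTRA created 1008544330
--PASS +hash-placeholder-1
alice      - hjmnoptx
--HOSTS -telnet!*@*
--HOSTS alice@not.a.real.host
--PASS +hash-placeholder-2
--XTRA created 1008425222
bob        - fhjoptx
--HOSTS *!bob@host-b.example.invalid
--LASTON 1008727068 @chan-b
--PASS +hash-placeholder-3
--XTRA created 1008426075
"""

RECORD_RE = re.compile(r"^(\S+)\s+-\s+(\S+)\s*$")   # "handle - FLAGS"
ATTR_RE = re.compile(r"^--(\w+)\s*(.*)$")           # "--KEY value"


def parse_userfile(text):
    """Return a list of {handle, flags, hosts, attrs} dicts, one per record."""
    records, cur = [], None
    for line in text.splitlines():
        if not line or line.startswith("#"):        # header / comment lines
            continue
        m = RECORD_RE.match(line)
        if m:
            cur = {"handle": m.group(1), "flags": m.group(2), "hosts": [], "attrs": {}}
            records.append(cur)
            continue
        m = ATTR_RE.match(line)
        if not m or cur is None:
            continue                                 # channel lines etc. are ignored here
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "hosts":
            cur["hosts"].append(val)                 # host masks may repeat
        elif key == "laston":
            stamp, _, where = val.partition(" ")     # "epoch @chan" or "epoch #chan"
            cur["attrs"]["laston"] = int(stamp)
            cur["attrs"]["laston_where"] = where
        elif key == "xtra" and val.startswith("created "):
            cur["attrs"]["created"] = int(val.split()[1])
        else:
            cur["attrs"][key] = val
    return records


def is_owner_or_master(rec):
    """'n' = owner and 'm' = master in the global flag string, as the message notes."""
    return "n" in rec["flags"] or "m" in rec["flags"]


def is_bot(rec):
    """Assumption: 'b' in the global flags marks a bot record."""
    return "b" in rec["flags"]


def share_hubs(records):
    """Bot records carrying a --BOTADDR: the hub the other bots link to and
    fetch the userfile from (the reasoning the message applies to its first entry)."""
    return [r for r in records if is_bot(r) and "botaddr" in r["attrs"]]


def last_seen_utc(rec):
    """--LASTON epoch rendered as a UTC timestamp, or None if the record has none."""
    ts = rec["attrs"].get("laston")
    if ts is None:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage(text):
    """Summarise who controls the botnet, where its hub is, and when each handle was last seen."""
    recs = parse_userfile(text)
    return {
        "owners_masters": sorted(r["handle"] for r in recs if is_owner_or_master(r)),
        "hubs": [(r["handle"], r["attrs"]["botaddr"]) for r in share_hubs(recs)],
        "hosts": {r["handle"]: r["hosts"] for r in recs},
        "last_seen": {r["handle"]: last_seen_utc(r) for r in recs},
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_USERFILE).items():
        print(f"{key}: {val}")
```

Run it against a real userfile by reading the file into `triage()`; the host masks it returns are the leads worth passing to the sites whose accounts appear in them, and the hub address is the one record that was set up deliberately rather than on a compromised account.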
Current thread:
- *MAJOR SECURITY BREACH AT CCBILL** Dayne Jordan (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** H C (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** Dayne Jordan (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** l0rtamus Prime (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** Robert van der Meulen (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** Dayne Jordan (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** H C (Dec 19)
- RE: *MAJOR SECURITY BREACH AT CCBILL** Rick Darsey (Dec 19)
- Contacting t-dialin {MAJOR SECURITY BREACH AT CCBILL} Christian Vogel (Dec 20)
- Re: Contacting t-dialin {MAJOR SECURITY BREACH AT CCBILL} Damir Rajnovic (Dec 21)
- Contacting t-dialin {MAJOR SECURITY BREACH AT CCBILL} Christian Vogel (Dec 20)
- Re: *MAJOR SECURITY BREACH AT CCBILL** Matthew S. Hallacy (Dec 24)
- <Possible follow-ups>
- RE: *MAJOR SECURITY BREACH AT CCBILL** NESTING, DAVID M (SBCSI) (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** Dayne Jordan (Dec 19)
- Re: *MAJOR SECURITY BREACH AT CCBILL** Dayne Jordan (Dec 19)
- RE: *MAJOR SECURITY BREACH AT CCBILL** robh (Dec 20)
- RE: *MAJOR SECURITY BREACH AT CCBILL** jlewis (Dec 20)