Security Incidents mailing list archives
Re: Rooted Boxes
From: dor <dor () VIRTUALMYSTIC COM>
Date: Wed, 17 Jan 2001 00:10:28 -0800
Hi,
The created login's were: wormboy adm test sky web aki dani
This is a known kiddy on ircnet, he uses the nicks wormboy, langsuir, ski, and possibly others, and he is known to be from Malaysia. I would guess your host ran Solaris and was compromised via the rpc.ttdbserverd exploit; the adm account shouldn't have been created, it should already have been there. He also often sets passwords on the listen and smtp accounts, and he seems to use the same passwords on multiple compromised hosts. I have these passwords noted down somewhere, but won't post them to a public list.

--
Support your government, give Echelon / Carnivore something to parse
--
classfield top-secret government restricted data information project CIA KGB GRU DISA DoD defense systems military systems spy steal terrorist Allah Natasha Gregori destroy destruct attack democracy will send Russia bank system compromise international own rule the world ATSC RTEM warmod ATMD force power enforce sensitive directorate TSP NSTD ORD DD2-N AMTAS STRAP warrior-T presidential elections political foreign embassy takeover

--------------------------------------------------------------------------

On Tue, 16 Jan 2001, Christian W. Zuckschwerdt wrote:
> Hi,
>
> On Mon, 15 Jan 2001, Brian Houk wrote:
> > Say, you don't by chance have port 911 TCP running from their rootkit to you?
>
> As far as I've been told the machine is down for forensic analysis. The data
> our IDS picked up indicated rootkits in /dev/hdb0 and /dev/ptyas. The rootkits
> were (automatically) installed on 2001-01-14 and the abuse from multiple
> telnet-connected hosts (and users) was on 2001-01-15.
>
> The created logins were: wormboy adm test sky web aki dani
>
> Thought I'd share that info although it's not likely to be suitable for
> pattern detection?
>
> On Tue, 16 Jan 2001, Robert van der Meulen wrote:
> > Either you're new on the list, or you haven't read the (huge) 'Finding out
> > who owns particular IP addresses' thread. I suggest you look it up in the
> > list archives, and contact them (all domains _should_ have active security
> > and abuse contacts, hope these do
>
> Well, I managed to locate each responsible ISP. The thread you mentioned was
> technically centred. My specific question was about your opinion on general
> practice in contacting each ISP. Is it okay to send a report to abuse@each-isp
> or perhaps a more suitable address?
>
> cu.
>   : Christian
Current thread:
- Rooted Boxes Christian W. Zuckschwerdt (Jan 15)
- <Possible follow-ups>
- Re: Rooted Boxes Christian W. Zuckschwerdt (Jan 16)
- Re: Rooted Boxes gabriel rosenkoetter (Jan 16)
- Re: Rooted Boxes dor (Jan 17)