Security Incidents mailing list archives

Re: Rooted Boxes


From: dor <dor () VIRTUALMYSTIC COM>
Date: Wed, 17 Jan 2001 00:10:28 -0800

Hi,

The created logins were: wormboy adm test sky web aki dani

This is a known kiddy on ircnet, he uses the nicks wormboy, langsuir,
ski, and possibly others, and he is known to be from Malaysia. I would
guess your host ran Solaris and was compromised via the rpc.ttdbserverd
exploit. The adm account shouldn't have been created.. it should already
have been there. He also often sets passwords on the listen and smtp
accounts, and he seems to use the same passwords on multiple compromised
hosts. I have these passwords noted down somewhere, but won't post them to
a public list.

-- Support your government, give Echelon / Carnivore something to parse --
classfield  top-secret government  restricted data information project CIA
KGB GRU DISA  DoD  defense  systems  military  systems spy steal terrorist
Allah Natasha  Gregori destroy destruct attack  democracy will send Russia
bank system compromise international  own  rule the world ATSC RTEM warmod
ATMD force power enforce  sensitive  directorate  TSP NSTD ORD DD2-N AMTAS
STRAP warrior-T presidental  elections  policital foreign embassy takeover
--------------------------------------------------------------------------

On Tue, 16 Jan 2001, Christian W. Zuckschwerdt wrote:

Hi,

On Mon, 15 Jan 2001, Brian Houk wrote:

Say, you don't by chance have port 911 TCP running from their rootkit to
you?

As far as I've been told the machine is down for forensic analysis. The
data our IDS picked up indicated rootkits in /dev/hdb0 and /dev/ptyas

The rootkits were (automatically) installed on 2001-01-14 and the abuse from
multiple telnet-connected hosts (and users) was on 2001-01-15

The created logins were: wormboy adm test sky web aki dani
Thought I'd share that info although it's not likely to be suitable for
pattern detection?


On Tue, 16 Jan 2001, Robert van der Meulen wrote:

Either you're new on the list, or you haven't read the (huge)
'Finding out who owns particular IP addresses' thread.
I suggest you look it up in the list archives, and contact them (all
domains _should_ have active security and abuse contacts, hope these do).

Well, I managed to locate each responsible ISP. The thread you mentioned
was technically centred. My specific question was about your opinion on
general practice in contacting each ISP.

Is it okay to send a report to abuse@each-isp or perhaps a more suitable
address?


  cu.
    :
    Christian


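The account list and the /dev paths discussed in this thread are the kind of indicator that is easy to check mechanically on the recovered disk image. The script below is an added example, not code from the thread or from anyone posting in it. It diffs a baseline /etc/passwd and /etc/shadow (from a backup or install image) against the copies recovered from the compromised host, flags the logins named in the thread, lists pre-existing system accounts that went from locked to carrying a password hash (the point made above about listen and smtp, and about adm already existing on Solaris), and flags regular files in /dev from an `ls -l` listing. All sample data is constructed for the illustration; the hashes, UIDs, and the `test` account having UID 0 are assumptions, not facts from the incident.

```python
"""Added example: compare recovered passwd/shadow against a baseline and
spot non-device files in /dev. All input below is constructed sample data."""

# Password fields that mean "no usable password" on Solaris/Linux.
LOCKED = {"*LK*", "NP", "*", "!", "!!", "x", ""}

# Logins the thread reports as created by the intruder.
SUSPECT_LOGINS = {"wormboy", "adm", "test", "sky", "web", "aki", "dani"}

# Constructed baseline (pre-compromise) and recovered (post-compromise) files.
BASELINE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
"""
CURRENT_PASSWD = BASELINE_PASSWD.replace(
    "listen:x:37:4:Network Admin:/usr/net/nls:",
    "listen:x:37:4:Network Admin:/usr/net/nls:/bin/sh") + """\
wormboy:x:1001:1:wormboy:/home/wormboy:/bin/sh
test:x:0:1:test:/tmp:/bin/sh
sky:x:1002:1::/home/sky:/bin/sh
web:x:1003:1::/home/web:/bin/sh
aki:x:1004:1::/home/aki:/bin/sh
dani:x:1005:1::/home/dani:/bin/sh
"""
BASELINE_SHADOW = """\
root:CoNsTrUcTeDhAsH0:11300::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
"""
CURRENT_SHADOW = BASELINE_SHADOW.replace(
    "adm:NP:6445", "adm:CoNsTrUcTeDhAsH1:11336").replace(
    "listen:*LK*:", "listen:CoNsTrUcTeDhAsH2:11336") + """\
wormboy:CoNsTrUcTeDhAsH3:11336::::::
test:CoNsTrUcTeDhAsH3:11336::::::
"""
DEV_LISTING = """\
total 12
crw-rw-rw-   1 root     sys        3,  2 Jan 14  2001 null
drwxr-xr-x   2 root     sys            512 Jan 14  2001 pts
-rw-r--r--   1 root     root          4096 Jan 14 03:12 hdb0
-rw-------   1 root     root           512 Jan 14 03:12 ptyas
crw--w----   1 root     tty       24,  0 Jan 14  2001 ptyp0
"""


def parse_colon_file(text):
    """Parse passwd/shadow-style text into {login: [fields...]}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_accounts(base_passwd, cur_passwd, base_shadow, cur_shadow):
    """Return the account-level indicators the thread describes."""
    base, cur = parse_colon_file(base_passwd), parse_colon_file(cur_passwd)
    base_sh, cur_sh = parse_colon_file(base_shadow), parse_colon_file(cur_shadow)
    new = sorted(set(cur) - set(base))
    # Pre-existing accounts whose uid/gid/gecos/home/shell changed (e.g. a shell
    # given to a daemon account that never had one).
    changed = sorted(n for n in cur if n in base and cur[n][2:] != base[n][2:])
    # Pre-existing accounts that were locked but now carry a password hash.
    unlocked = sorted(n for n in cur_sh if n in base_sh
                      and base_sh[n][1] in LOCKED and cur_sh[n][1] not in LOCKED)
    extra_uid0 = sorted(n for n in cur if cur[n][2] == "0" and n != "root")
    return {"new": new, "changed": changed, "unlocked": unlocked,
            "extra_uid0": extra_uid0,
            "known_names": sorted(set(new) & SUSPECT_LOGINS)}


def nondevice_entries(ls_output):
    """From `ls -l /dev` output, return names of regular files: /dev should
    hold device nodes, directories and symlinks, so a plain file there is a
    classic rootkit hiding place (config, sniffer logs, backdoor binaries)."""
    return [line.split()[-1] for line in ls_output.splitlines()
            if line.startswith("-")]


if __name__ == "__main__":
    for key, val in audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD,
                                   BASELINE_SHADOW, CURRENT_SHADOW).items():
        print(f"{key:12s} {val}")
    print("non-device files in /dev:", nondevice_entries(DEV_LISTING))
```

On the constructed data, adm is reported under "unlocked" rather than "new", which is exactly the distinction made above: on a stock Solaris install the account is already there, so an intruder giving it a password shows up as a shadow change, not as a created login. Run against a real image, the baseline should come from media you trust, not from the compromised host's own backups.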
