Vulnerability Development mailing list archives

Re: mystery SF scan tool = Idlescan correlation


From: Jan Muenther <jan () RADIO HUNDERT6 DE>
Date: Tue, 14 Nov 2000 18:19:44 +0100

Hi there,

For everybody interested in this issue:
I had received two of these scans last week and took a quick look
at the originating hosts. They were both Redhat boxes with
_loads_ of open ports and wuftpd running. I mailed the tech
contacts and told them their boxes were probably compromised.
Both admins had already learnt this much, but currently
post-mortem analysis is being done.

It seems the crackers uploaded a file called hackdatei.tar.gz
several times on one of the hosts. FYI (datei == file in German)
- what an original name.

Hope I'll get to see that tarball soon, I'll keep you in touch
with what I found out.

Bye, Jan

--
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther () radio hundert6 de

