Date: Wed, 14 Nov 2001 07:19:12 -0500 (EST)
From: Chris BeHanna <behanna@zbzoom.net>
To: <security@freebsd.org>
Subject: Re: AdoreWorm
Message-ID: <20011114071710.B56125-100000@topperwein.dyndns.org>
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
On Wed, 14 Nov 2001, Stefan Probst wrote:

> Hi,
>
> some hours later, lots of grey hair more, but feeling more safe now....
>
> As it looks now, somebody in Romania most probably used the telnetd hole
> (because there were no other unused services running, and it would be hard
> to believe that somebody on a dial-up line in Romania can sniff telnet
> passwords, which usually go from Vietnam via Hong Kong to the East Coast) and
> somehow got root access. They then installed this AdoreBSD. Luckily, as it
> looks right now (I might be wrong), they didn't do anything else - at least
> nothing major.
>
> They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC,
> which is obviously kind of a "special" IRC relay ???
>
> This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including
> some IP numbers which they used. Not sure what I should do with that.

Turn them in to the appropriate authorities. The box was in the U.S., right? That brings this under the jurisdiction of the FBI Computer Crimes Squad, which, if they have any bandwidth to spare these days, can handle the international jurisdictional issues.

You are still best off reinstalling from trusted media. How you wipe the disk and do this remotely is not something I know how to do.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message