Hosting Provided By

what else you can do with worm networks...fun, profit, etc

From: Anton A. Chuvakin <anton(at)chuvakin.org>
Date: Mon Dec 09 2002 - 13:27:24 EST

Hi all,

Just saw something rather amusing brought by the worm tide :-) A little nasty daemon (named "httpd") was deployed by whoever hit our Apache/SSL honeypot. Another mod of the good ole slapper, but! here are some funny strings from the binary:

...

find /|grep -i "order"
search.log
rm -rf search.log
...

and some hard coded addresses on where to send the stuff...

The telltale sign in the /tmp: ".fontunix" (with no dash unlike the real thing).

Get paid from collecting order data from lame web servers - heh, an idea?

Best,

-- 
  Anton A. Chuvakin, Ph.D., GCIA
     
http://www.chuvakin.org
   
http://www.info-secure.org


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Received on Tue Dec 10 00:48:09 2002

This message: [ Message body ]
Next message: Volker Tanger: "Re: Spam via proxy"
Previous message: Valdis.Kletnieks(at)vt.edu: "Re: netbios vuln"
In reply to: Chip Mefford: "Re: Incident tracking database"
Next in thread: Paul Gillingwater: "Re: Incident tracking database"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT