From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: Thu Oct 03 2002 - 09:26:20 CDT

    The chances are extremely good that the IP you're seeing is JAHB (just
    another hacked box.)

    Paul Schmehl (paulsutdallas.edu)
    Department Coordinator
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/

    > -----Original Message-----
    > From: full-disclosure-adminlists.netsys.com
    > [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
    > Francisco Guerreiro
    > Sent: Thursday, October 03, 2002 7:59 AM
    > To: full-disclosurelists.netsys.com
    > Subject: [Full-Disclosure] (no subject)
    >
    >
    > hi folks..
    > I was meddling in a friend's box when I came across a weird
    > file in /tmp with apache perms. I thought it was an exploit to
    > obtain root since the machine was vuln to the openssl
    > problem, but it turned out to be something else. Attached I
    > send the stuff I found, it's quite self explanatory. I've
    > looked at it for a few minutes, it's the slapper code, with
    > some comments and a shell script that gathers info about the
    > box and sends it to an email account at yahoo.com. The ip
    > that is written on the worm resolves to an adsl account on
    > some ISP, I guess it is some kind of target since it would be
    > quite stupid to put your home ip on a worm.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html