Subject: Re: ingreslock message
From: Ex Machina [xm] (xmGEEKMAFIA.DYNIP.COM)
Date: Mon Mar 13 2000 - 09:02:53 CST


I've seen this recently as the default command in the adm-bind_exp.c
(ADM named 8.2/8.2.1 NXT remote overflow). It simply started another
inetd using a config in /tmp/bob which was immediately deleted afterwards.

Ex Machina (xmgeekmafia.dynip.com) http://geekmafia.dynip.com/~xm/
phone: 1-877-LPT-WHIP icq: 3387005 aim: ExMachina public.key: finger.me
Hire me: 18 yrs old RI Linux BSD UNIX C++ Perl HTML TCP/IP Security

On Fri, 10 Mar 2000, Jens Hektor wrote:

> Date: Fri, 10 Mar 2000 05:53:17 -0000
> From: Jens Hektor <hektorRZ.RWTH-AACHEN.DE>
> To: INCIDENTSSECURITYFOCUS.COM
> Subject: Re: ingreslock message
>
> Hi,
>
> > I logged this:
> > Mar 5 15:58:23 monitor tcplogd: ingreslock connection
> > attempt from sleipnir1.cs.ucl.ac.uk what does the
> > ingreslock mean and what was this person trying to do?
>
> Reading this in the morning and staring later on at the
> logs of a cracked box, I see the same address in the wtmp
> logs.
>
> The machine had, besides other trojans, an inetd with a
> compiled-in backdoor at ingreslock.
>
> Will inform the people at ucl.ac.uk about that.
>
> Bye, Jens
>
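A triage check for the pattern described in this thread, as an added example that is not part of the original messages: it flags inetd entries that hand a connection straight to a shell, and inetd processes started with a config other than the default, including one already deleted from disk. The function names, the `ps -eo pid,args` input layout and all sample data are assumptions constructed for illustration.

```python
import os

SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "ash", "dash"}
DEFAULT_CONF = "/etc/inetd.conf"  # assumed default; adjust per platform


def shell_services(conf_text):
    """Return (service, user, program) for inetd entries that run a shell directly."""
    hits = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 6:
            continue  # blank line or not a full service entry
        service, _sock, _proto, _wait, user, program = fields[:6]
        if os.path.basename(program) in SHELLS:
            hits.append((service, user, program))
    return hits


def odd_inetd_processes(ps_lines, exists=os.path.exists):
    """Return (pid, config, reason) for inetd processes given a non-default config.

    ps_lines is assumed to be `ps -eo pid,args` output without the header row.
    """
    hits = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 2 or os.path.basename(fields[1]) != "inetd":
            continue
        # Treat the last argument that is neither a flag nor a number as the config.
        args = [a for a in fields[2:] if not a.startswith("-") and not a.isdigit()]
        config = args[-1] if args else DEFAULT_CONF
        if config != DEFAULT_CONF:
            reason = "non-default config" if exists(config) else "config missing from disk"
            hits.append((fields[0], config, reason))
    return hits


# Constructed sample data, not taken from any real host or from the exploit itself.
SAMPLE_CONF = """\
ftp        stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
ingreslock stream tcp nowait root /bin/sh sh -i
"""
SAMPLE_PS = ["  312 /usr/sbin/inetd", " 4821 /usr/sbin/inetd /tmp/bob", "  498 /usr/sbin/sshd"]

if __name__ == "__main__":
    print(shell_services(SAMPLE_CONF))
    print(odd_inetd_processes(SAMPLE_PS, exists=lambda p: False))
```

Because the config in the case above was removed right after inetd started, the process-list check is the one that still fires once the file is gone; neither check covers a trojaned inetd binary with a compiled-in backdoor, which needs file integrity comparison instead.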