| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <80d7e4090602201217j38135c8j6dc848d058283a51@mail.gmail.com> Date: Mon, 20 Feb 2006 13:17:29 -0700 From: "Stephen J. Smoogen" <smooge@...il.com> To: "Gadi Evron" <ge@...uxbox.org> Cc: "full-disclosure@...ts.grok.org.uk u" <full-disclosure@...ts.grok.org.uk>, bugtraq@...urityfocus.com Subject: Re: update on the linux worm On 2/18/06, Gadi Evron <ge@...uxbox.org> wrote: > A quick digest of some updates from the last few hours on this issue: > > 1. The worm is based on 'kaiten', which has been going around in > different variants for a long time now. > > 2. This worm is new. > > 3. The first part exploits PHP applications, like these variants > normally do. > > 4. The second part spreads to other systems. > > 5. The worm connects to a botnet C&C based on two Fast-flux DNS RR's > which are not there anymore, and as they change, are taken down. > > As always, more updates if necessary on: http://blog.securiteam.com > > Looking at items on blog.securiteam.com, the ip address the worm was being downloaded from in the beginning showed up around Feb 14, 2005 in all the logs I have. I am not sure if this was a precursor to the newer worm though. -- Stephen J Smoogen. CSIRT/Linux System Administrator _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists