Message-ID: <017901c36389$4c56eb60$09010a0a@wh0reh0use.local>
From: sf at diffusion.net (sf)
Subject: DCOM WORM - preface

jihpt@ nigga2 exploitlabs.com #0sec nigger exploitlabs.com 
#whore nigger 

Proc32.exe 
Critical Process Monitor 
mIRC v6.03 Khaled Mardam-Bey 


wtf is that supposed to be?





----- Original Message ----- 
From: "morning_wood" <se_cur_ity@...mail.com>
To: <full-disclosure@...ts.netsys.com>; "0day" <0day@...hackers.org>
Sent: Friday, August 15, 2003 6:31 PM
Subject: [Full-Disclosure] DCOM WORM - preface


> Remnants of the msblaster "beta test"
> 
> 
>  note: I just opened up my router and got the following...
> 
> --------- snip -------
> [01:39:14.744 - 15.08.2003]
> Proto: TCP len: 48 24.241.218.230:1619 -> 192.168.0.2:6667
> 
> [01:39:14.774 - 15.08.2003]
> Proto: TCP len: 48 68.154.196.148:3296 -> 192.168.0.2:6667
> 
> [01:39:14.794 - 15.08.2003]
> Proto: TCP len: 48 24.241.176.121:1263 -> 192.168.0.2:6667
> 
> [01:39:14.794 - 15.08.2003]
> Proto: TCP len: 48 68.154.27.21:1960 -> 192.168.0.2:6667
> 
> [01:39:14.904 - 15.08.2003]
> Proto: TCP len: 48 68.154.77.36:2347 -> 192.168.0.2:6667
> 
> [01:39:14.994 - 15.08.2003]
> Proto: TCP len: 48 67.33.166.173:3774 -> 192.168.0.2:6667
> 
> [01:39:15.015 - 15.08.2003]
> Proto: TCP len: 48 24.73.55.232:3748 -> 192.168.0.2:6667
> 
> [01:39:15.045 - 15.08.2003]
> Proto: TCP len: 48 68.154.79.127:3240 -> 192.168.0.2:6667
> 
> [01:39:15.055 - 15.08.2003]
> Proto: TCP len: 48 24.73.87.245:4222 -> 192.168.0.2:6667
> 
> [01:39:15.055 - 15.08.2003]
> Proto: TCP len: 48 68.154.79.109:4726 -> 192.168.0.2:6667
> 
> [01:39:15.125 - 15.08.2003]
> Proto: TCP len: 48 24.73.39.226:2108 -> 192.168.0.2:6667
> 
> ------------ snip ---------
> 
> 
> Note the pattern in the subnets, and that I have not run a server on port
> 6667 in weeks; this suggests this agent ( proc32.exe = sdbot05b ) is still
> quite active and virulent. Samples of the log can be found at:
> http://exploitlabs.com/attacking.zip  <--- log
> http://exploitlabs.com/proc32.zip    <--- captured sdbot
> http://exploitlabs.com/attack/sdbot.txt   <--- decompiled sdbot
> 
> this infection of the attacking systems was complete and in place
> as of July 29, 2003 as recorded in this log preceding that first attack
> http://exploitlabs.com/attack/morning_wood-fun.txt
> ( this was logged by one of the attackers themselves )
> 
> my original paper can be found here
> http://exploitlabs.com/attack/RPC-DCOM-DDoS-attack.txt ( July 31, 2003 )
> 
> and is originally referenced in response to obvious downplay of the DCOM -
> RPC
> issue, here
> http://nothackers.org/pipermail/0day/2003-July/000149.html
> 
> 
> Donnie Werner
> http://e2-labs.com 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
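The router log quoted above shows dozens of distinct sources hitting one inbound port within a fraction of a second, which is the pattern of an IRC bot population trying to reach its channel. The script below is an added example written for this archive page, not code from either poster or from exploitlabs.com: it parses the two-line record layout shown in the quoted log, flags any destination address/port that receives connection attempts from many distinct sources inside a one-second window, and groups the flagged sources by /16 so the subnet clustering the poster points out becomes visible. The sample records are constructed in the same layout using documentation-range addresses, not the addresses in the original log; the window size and the five-source threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same two-line layout as the quoted router log.
# Source addresses are documentation ranges (RFC 5737), not the originals.
# The last record is a single unrelated hit on port 80 and must not alert.
SAMPLE_LOG = """\
[01:39:14.744 - 15.08.2003]
Proto: TCP len: 48 198.51.100.230:1619 -> 192.168.0.2:6667

[01:39:14.774 - 15.08.2003]
Proto: TCP len: 48 203.0.113.148:3296 -> 192.168.0.2:6667

[01:39:14.794 - 15.08.2003]
Proto: TCP len: 48 198.51.100.121:1263 -> 192.168.0.2:6667

[01:39:14.794 - 15.08.2003]
Proto: TCP len: 48 203.0.113.21:1960 -> 192.168.0.2:6667

[01:39:14.904 - 15.08.2003]
Proto: TCP len: 48 203.0.113.36:2347 -> 192.168.0.2:6667

[01:39:14.994 - 15.08.2003]
Proto: TCP len: 48 192.0.2.173:3774 -> 192.168.0.2:6667

[01:45:02.100 - 15.08.2003]
Proto: TCP len: 48 192.0.2.7:40000 -> 192.168.0.2:80
"""

# "[HH:MM:SS.mmm - DD.MM.YYYY]" timestamp line
TS_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2}\.\d{3}) - (\d{2}\.\d{2}\.\d{4})\]$")
# "Proto: TCP len: 48 src:port -> dst:port" packet line
PKT_RE = re.compile(
    r"^Proto: (\w+) len: (\d+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_log(text):
    """Return (timestamp, proto, src_ip, src_port, dst_ip, dst_port) tuples.

    Each record is a timestamp line followed by a packet line; blank lines
    and anything that does not match either pattern are skipped."""
    events = []
    ts = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d.%m.%Y %H:%M:%S.%f")
            continue
        m = PKT_RE.match(line)
        if m and ts is not None:
            proto, _length, sip, sport, dip, dport = m.groups()
            events.append((ts, proto, sip, int(sport), dip, int(dport)))
            ts = None  # a packet line consumes its timestamp
    return events


def find_bursts(events, window=timedelta(seconds=1), min_sources=5):
    """Alert on any (dst_ip, dst_port) that sees >= min_sources distinct
    source IPs inside a sliding window of `window`; one alert per target,
    reporting the window with the most distinct sources."""
    by_target = defaultdict(list)
    for ts, _proto, sip, _sport, dip, dport in events:
        by_target[(dip, dport)].append((ts, sip))

    alerts = []
    for target, hits in by_target.items():
        hits.sort()
        best, lo = None, 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            sources = {sip for _t, sip in hits[lo:hi + 1]}
            if len(sources) >= min_sources and (best is None or len(sources) > len(best["sources"])):
                best = {"target": target, "start": hits[lo][0], "end": hits[hi][0],
                        "sources": sorted(sources)}
        if best is not None:
            alerts.append(best)
    return alerts


def sources_by_slash16(alert):
    """Group an alert's source IPs by /16 to expose subnet clustering."""
    groups = defaultdict(list)
    for ip in alert["sources"]:
        a, b, _c, _d = ip.split(".")
        groups[f"{a}.{b}.0.0/16"].append(ip)
    return dict(groups)


if __name__ == "__main__":
    for alert in find_bursts(parse_log(SAMPLE_LOG)):
        dip, dport = alert["target"]
        span = (alert["end"] - alert["start"]).total_seconds()
        print(f"{dip}:{dport}: {len(alert['sources'])} sources in {span:.3f}s")
        for net, ips in sources_by_slash16(alert).items():
            print(f"  {net}: {len(ips)}")
```

On the constructed sample the port 6667 target alerts with six sources inside a quarter of a second, grouped into three /16 blocks, while the lone port 80 hit stays silent. Against a real firewall export the same two regular expressions apply as long as the device keeps this record layout; thresholds should be tuned to what the monitored host normally serves.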

