Message-ID: <20030917215055.40402.qmail@web11008.mail.yahoo.com>
From: sgmasood at yahoo.com (S G Masood)
Subject: AMDPatchB & InstallStub
The "text based protocol" at 63.246.134.50:9900 that
you are talking about is IRC. This is an IRC server.
Try connecting to it using an IRC client.
Your computer has been compromised and is part
of a large botnet (/join #A to see what I mean)
which is probably being used to attack other networks.
Take it offline immediately and do a thorough check.
There seem to be about 4000-5000 machines in this
botnet and the Ops use commands like "login yoink -s",
"threads -n", "scan *.*.*.*" to control them.
--
Cheers,
S.G.Masood
Hyderabad,
India.
--
--- Michael Linke <ml@...ract.org> wrote:
> At one of our Computers with Internet Access, I
> found a strange program
> running.
> amdpatchB.exe(38 KB)
>
> This program is trying to get Internet Access while
> starting.
> amdpatchB.exe is connecting to 63.246.134.50:9900.
> There is a text based protocol running on
> 63.246.134.50 at a service on port
> 9900.
> See Telnet output:
>
> ________________________________________________________
> telnet 63.246.134.50 9900
> Trying 63.246.134.50...
> Connected to 63.246.134.50.
> Escape character is '^]'.
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
> help
> :Drones2.newiso.org 451 * :Register first.
>
> _________________________________________________________
>
> I used Google to look for this filename but got no
> result.
> Any ideas what this is?
>
> Regards,
> Michael
> _____________________
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Richard Johnson
> Sent: Wednesday, 17 September 2003 17:48
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: openssh remote exploit
>
> In article
> <20030917132443.GA17620@....LONESTAR.ORG>,
> petard <petard@....lonestar.org> wrote:
>
> > An exploit would certainly constitute such
> evidence. Have you seen
> > anything that indicates this bug is exploitable?
>
>
> I'm beginning to suspect that compromises attributed
> to this bug on
> Linux hosts were coincidental. They could have
> happened via exploits
> of other problems. That's because no-one has any
> forensics data or
> logs that indicate this particular bug as an attack
> route.
>
> However, the chance is not worth taking in practice,
> so upgrade time it
> is.
>
>
> Richard
>
> --
> My mailbox. My property. My personal space. My
> rules. Deal with it.
>
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
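An added example, not part of the original message or the list archive: a check that recognizes the server side of an IRC handshake in a captured banner, such as the telnet output quoted above, and notes when it appears on a port outside the usual IRC range. The function names, the hit threshold and the port list are assumptions made for this illustration.

```python
import re

# RFC 1459 message shape: [":" prefix SPACE] command [params] [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trailing>.*))?$"
)
# Assumption: ports where IRC is conventionally expected; adjust per site.
USUAL_IRC_PORTS = set(range(6660, 6670)) | {194, 6697}

def parse_irc_line(line):
    """Return (prefix, command, params, trailing), or None if not IRC-shaped."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return (m["prefix"], m["command"].upper(), m["params"].split(), m["trailing"])

def irc_evidence(lines):
    """Collect server-side indicators typical of the IRC pre-registration handshake."""
    found = []
    for line in lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        prefix, command, params, trailing = parsed
        if command == "NOTICE" and params[:1] == ["AUTH"]:
            found.append(("NOTICE AUTH", trailing))
        elif command.isdigit() and prefix:
            # Three-digit numeric reply that carries the server's own name
            found.append((f"numeric {command} from {prefix}", trailing))
    return found

def classify(lines, port, min_hits=2):
    """Flag a banner as IRC and note whether the port is an unusual one."""
    is_irc = len(irc_evidence(lines)) >= min_hits
    return {"irc": is_irc, "nonstandard_port": is_irc and port not in USUAL_IRC_PORTS}

# Server lines from the telnet session quoted in the message above
PAGE_CAPTURE = [
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    ":Drones2.newiso.org 451 * :Register first.",
]
# Constructed negative sample: an SMTP greeting, also text with numerics
SMTP_BANNER = ["220 mail.example.com ESMTP ready", "250 mail.example.com Hello"]

if __name__ == "__main__":
    print(classify(PAGE_CAPTURE, 9900))
    print(classify(SMTP_BANNER, 25))
```

Requiring a server prefix on numeric replies is what keeps SMTP and similar numeric-status protocols from matching.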