Message-ID: <20030917222014.92201.qmail@web11003.mail.yahoo.com>
From: sgmasood at yahoo.com (S G Masood)
Subject: AMDPatchB & InstallStub
I had the "honour" :) of chatting with the IRC Ops on
this server just now. They accepted that it is a
botnet. When told their address was on FD, they
panicked and are now killing all new connections.
This might be useful:
8<------------
Welcome to the Internet Relay Network via The World Wide NEWiSO, aaaa
Your host is Drones2.newiso.org, running version u2.10.11.04
This server was created Thu Aug 21 2003 at 22:05:31 EST
Drones2.newiso.org u2.10.11.04 dioswkgx biklmnopstvr bklov
8<-------------
It would've been fun if the original poster had
attached a sample of amdpatchb.exe.
--
Cheers,
S.G.Masood
Hyderabad,
India.
--
--- Michael Linke <ml@...ract.org> wrote:
> At one of our Computers with Internet Access, I found a strange program
> running.
> amdpatchB.exe (38 KB)
>
> This program is trying to get Internet Access while starting.
> amdpatchB.exe is connecting to 63.246.134.50:9900.
> There is a text based protocol running on 63.246.134.50 at a service on
> port 9900.
> See Telnet output:
>
> ________________________________________________________
> telnet 63.246.134.50 9900
> Trying 63.246.134.50...
> Connected to 63.246.134.50.
> Escape character is '^]'.
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
> help
> :Drones2.newiso.org 451 * :Register first.
>
> _________________________________________________________
>
> I used Google to look for this filename but got no result.
> Any ideas what this is?
>
> Regards,
> Michael
> _____________________
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Richard Johnson
> Sent: Wednesday, 17 September 2003 17:48
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: openssh remote exploit
>
> In article <20030917132443.GA17620@....LONESTAR.ORG>,
> petard <petard@....lonestar.org> wrote:
>
> > An exploit would certainly constitute such evidence. Have you seen
> > anything that indicates this bug is exploitable?
>
>
> I'm beginning to suspect that compromises attributed to this bug on
> Linux hosts were coincidental. They could have happened via exploits
> of other problems. That's because no-one has any forensics data or
> logs that indicate this particular bug as an attack route.
>
> However, the chance is not worth taking in practice, so upgrade time it
> is.
>
>
> Richard
>
> --
> My mailbox. My property. My personal space. My rules. Deal with it.
>
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
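The telnet session quoted in this message shows an IRC server greeting (NOTICE AUTH lines and a 451 numeric) on port 9900. The following is an added example, not part of the original message, that classifies the server side of a captured TCP session as IRC and flags it when the destination port is not one where IRC is expected. The function names, the port list and the sample capture are assumptions constructed for illustration.

```python
import re

# Constructed capture: the server-side lines of the telnet session quoted above.
SAMPLE_STREAM = (
    "NOTICE AUTH :*** Looking up your hostname\r\n"
    "NOTICE AUTH :*** Checking Ident\r\n"
    "NOTICE AUTH :*** Found your hostname\r\n"
    ":Drones2.newiso.org 451 * :Register first.\r\n"
)

# Assumption: ports on which IRC is expected at this site; tune locally.
USUAL_IRC_PORTS = set(range(6660, 6670)) | {6697}

# RFC 1459 message shape: optional ":prefix", then a command or 3-digit numeric.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$"
)
PRE_REGISTRATION_COMMANDS = {"NOTICE", "PING", "ERROR"}

def parse_server_line(line):
    """Return the parsed message, or None if the line is not IRC server traffic."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    prefix, cmd = m.group("prefix"), m.group("cmd").upper()
    # Numeric replies carry the server name as prefix; requiring it keeps
    # SMTP/FTP style "220 ..." greetings from being mistaken for IRC numerics.
    if cmd.isdigit():
        return {"prefix": prefix, "cmd": cmd} if prefix else None
    return {"prefix": prefix, "cmd": cmd} if cmd in PRE_REGISTRATION_COMMANDS else None

def classify_stream(server_text, dst_port):
    """Classify the server-to-client half of one TCP session."""
    lines = [l.strip() for l in server_text.splitlines() if l.strip()]
    msgs = [parse_server_line(l) for l in lines]
    is_irc = len(lines) >= 2 and all(msgs)
    numeric = [m for m in msgs if m and m["cmd"].isdigit()] if is_irc else []
    return {
        "irc": is_irc,
        "servers": sorted({m["prefix"] for m in numeric}),
        "numerics": sorted({m["cmd"] for m in numeric}),
        "alert": is_irc and dst_port not in USUAL_IRC_PORTS,
    }

if __name__ == "__main__":
    print(classify_stream(SAMPLE_STREAM, 9900))
```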