Open Source and information security mailing list archives
Message-ID: <43B99E78.1080304@linuxwiz.net>
Date: Mon Jan  2 21:43:46 2006
From: jeremy at linuxwiz.net (Gaddis, Jeremy L.)
Subject: Trojan found on Linux server

Niek wrote:
> This is a much seen thing these days.
> Your customer probably got attacked by an insecure php script 
> (cacti/xmlphp/awstats/etc). Check your apache logs.
> If I grep my logs for wget, I see tons of attempts.

Roger that.  It wasn't important enough to us to pursue.  I just 
recently signed on with this customer and was in the process of moving 
their websites over to new, freshly installed servers from the Red Hat 
Linux 9 boxes they were running on.  Since we're about to rebuild the 
server anyways, it wasn't worth the time to pursue.

> The trojan is an irc drone, listening for ddos commands/etc.

Yep, when running "strings" on it I noticed a few IP addresses 
(219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as 
commands indicative of IRC ("NOTICE", "NICK", "PRIVMSG", etc.)

-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
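
The "strings" triage described in the message above, as an added example that is not part of the original post: it pulls printable runs out of a binary the way strings(1) does and reports IPv4 literals and IRC protocol verbs. The sample bytes, the documentation-range addresses, the extra verbs beyond NOTICE/NICK/PRIVMSG and the `irc_suspect` threshold are all constructed assumptions.

```python
import ipaddress
import re

# The message names NOTICE, NICK and PRIVMSG; the other verbs are assumed additions.
IRC_VERBS = {b"NOTICE", b"NICK", b"PRIVMSG", b"JOIN", b"PING", b"PONG", b"USER"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # strings(1) default: 4+ printable bytes
IPV4 = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
WORD = re.compile(rb"[A-Z]{4,}")

# Constructed sample standing in for a suspicious binary (not the file from the thread).
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"NICK %s\n\x00USER %s localhost localhost :%s\n\x00"
    + b"PRIVMSG %s :%s\n\x00NOTICE %s :%s\n\x00"
    + b"192.0.2.45\x00198.51.100.7\x00\x01\x02libc.so.6\x00version 1.2.3.400\x00"
)


def triage(blob: bytes) -> dict:
    """Return IPv4 literals and IRC verbs found in the printable strings of blob."""
    ips, verbs = set(), set()
    for run in PRINTABLE_RUN.findall(blob):
        for cand in IPV4.findall(run):
            try:
                ips.add(str(ipaddress.IPv4Address(cand.decode())))
            except ValueError:
                pass  # dotted quad with an octet > 255, e.g. a version string
        verbs.update(w.decode() for w in WORD.findall(run) if w in IRC_VERBS)
    return {
        "ips": sorted(ips),
        "irc_verbs": sorted(verbs),
        # Assumed heuristic: hard-coded addresses plus 3+ IRC verbs is worth a closer look.
        "irc_suspect": bool(ips) and len(verbs) >= 3,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Four-part version strings with every part at or below 255 also parse as addresses, so the reported IPs are leads to check against outbound connection logs rather than confirmed controllers.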
