Re: [Full-Disclosure] AMDPatchB & InstallStub
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub
- From: S G Masood <sgmasood@xxxxxxxxx>
- Date: Wed, 17 Sep 2003 14:50:55 -0700 (PDT)
The "text based protocol" at 63.246.134.50:9900 that
you are talking about is IRC. This is an IRC server.
Try connecting to it using an IRC client.
Your computer has been compromised and is part
of a large botnet (/join #A to see what I mean)
which is probably being used to attack other networks.
Take it offline immediately and do a thorough check.
There seem to be about 4000-5000 machines in this
botnet and the Ops use commands like "login yoink -s",
"threads -n", "scan *.*.*.*" to control them.
--
Cheers,
S.G.Masood
Hyderabad,
India.
--
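The reply above identifies the "text based protocol" from its banner: the pre-registration "NOTICE AUTH :***" lines and the numeric 451 ("Register first.") are what an IRC server sends to a client that has not yet registered. The following added example (written for this page, not code from either poster) shows how a defender can automate that identification: it parses captured server lines with the RFC 1459 message grammar (optional ":prefix", command, parameters, optional ":trailing"), scores them for IRC evidence, and then flags processes whose destination speaks IRC on a port other than the usual 6667/6697, which is exactly the amdpatchB.exe-to-port-9900 pattern described here. The sample banner is constructed from the telnet output quoted in the thread; the other connection records, the process names and the 198.51.100.7 / 192.0.2.25 addresses are constructed sample data.

```python
"""Recognise an IRC server from its pre-registration banner and flag
clients talking IRC on non-standard ports.

Added example for this thread, not code from the original posters.
Sample data below is constructed; the banner lines copy the quoted
telnet session.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Server lines as captured in the quoted telnet session (constructed sample).
SAMPLE_BANNER = [
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    ":Drones2.newiso.org 451 * :Register first.",
]

# RFC 1459 section 6: numeric reply sent to a client that has not registered.
ERR_NOTREGISTERED = "451"
# Ports where IRC traffic is expected; anything else is worth a second look.
IRC_STANDARD_PORTS = {6667, 6697}


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Parse one line per RFC 1459 section 2.3.1; None if it is not IRC-shaped."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, sep, line = line[1:].partition(" ")
        if not sep:
            return None
    # The first " :" introduces the trailing parameter, which may contain spaces.
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    if not parts:
        return None
    command, params = parts[0], parts[1:]
    # Commands are alphabetic words or three-digit numeric replies.
    if not re.fullmatch(r"[A-Za-z]+|\d{3}", command):
        return None
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, command.upper(), params)


def looks_like_irc(lines) -> dict:
    """Score captured banner lines and return the evidence plus a verdict."""
    ev = {"parsed": 0, "notice_auth": 0, "not_registered": 0, "server_name": None}
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        ev["parsed"] += 1
        if msg.command == "NOTICE" and msg.params and msg.params[0].upper() == "AUTH":
            ev["notice_auth"] += 1
        if msg.command == ERR_NOTREGISTERED:
            ev["not_registered"] += 1
            ev["server_name"] = msg.prefix  # the server names itself in the prefix
    ev["is_irc"] = ev["notice_auth"] > 0 or ev["not_registered"] > 0
    return ev


# Constructed records: (process, destination ip, destination port, banner lines).
SAMPLE_CONNECTIONS = [
    ("amdpatchB.exe", "63.246.134.50", 9900, SAMPLE_BANNER),
    ("mirc.exe", "198.51.100.7", 6667, ["NOTICE AUTH :*** Looking up your hostname"]),
    ("outlook.exe", "192.0.2.25", 110, ["+OK POP3 server ready"]),
]


def find_suspect_irc_clients(records):
    """Return (process, ip, port, server) for IRC sessions on unusual ports."""
    suspects = []
    for process, dst_ip, dst_port, banner in records:
        verdict = looks_like_irc(banner)
        if verdict["is_irc"] and dst_port not in IRC_STANDARD_PORTS:
            suspects.append((process, dst_ip, dst_port, verdict["server_name"]))
    return suspects


if __name__ == "__main__":
    print(looks_like_irc(SAMPLE_BANNER))
    for hit in find_suspect_irc_clients(SAMPLE_CONNECTIONS):
        print("suspect IRC client:", hit)
```

The banner check is deliberately narrow: it only fires on the "NOTICE AUTH" notices and the 451 numeric that any unregistered client sees, so it works on the first few lines of a capture without sending anything beyond the connection itself. Treating a legitimate IRC client on 6667 as normal while flagging an unknown binary on port 9900 is the triage rule the thread's advice ("take it offline immediately") rests on.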
--- Michael Linke <ml@xxxxxxxxxxx> wrote:
> At one of our computers with Internet access, I
> found a strange program
> running.
> amdpatchB.exe (38 KB)
>
> This program is trying to get Internet access while
> starting.
> amdpatchB.exe is connecting to 63.246.134.50:9900.
> There is a text-based protocol running on
> 63.246.134.50 at a service on port
> 9900.
> See Telnet output:
>
> ________________________________________________________
> telnet 63.246.134.50 9900
> Trying 63.246.134.50...
> Connected to 63.246.134.50.
> Escape character is '^]'.
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
> help
> :Drones2.newiso.org 451 * :Register first.
>
> _________________________________________________________
>
> I used Google to look for this filename but got no
> result.
> Any ideas what this is?
>
> Regards,
> Michael
> _____________________
>
> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On
> Behalf Of Richard
> Johnson
> Sent: Wednesday, 17 September 2003 17:48
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] Re: openssh remote
> exploit
>
> In article
> <20030917132443.GA17620@xxxxxxxxxxxxxxxx>,
> petard <petard@xxxxxxxxxxxxxxxx> wrote:
>
> > An exploit would certainly constitute such
> evidence. Have you seen
> > anything that indicates this bug is exploitable?
>
>
> I'm beginning to suspect that compromises attributed
> to this bug on
> Linux hosts were coincidental. They could have
> happened via exploits
> of other problems. That's because no-one has any
> forensics data or
> logs that indicate this particular bug as an attack
> route.
>
> However, the chance is not worth taking in practice,
> so upgrade time it
> is.
>
>
> Richard
>
> --
> My mailbox. My property. My personal space. My
> rules. Deal with it.
>
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>
>