Security Basics mailing list archives

RE: Unusual Activity


From: "irado () hotpop com" <irado () hotpop com>
Date: Sat, 14 Feb 2004 02:02:11 -0500

I think that someone is trying to get these files from your machine.. maybe
you are now 'owned' ;).

You said the 'come from'.. but where is it going to?

ps auxww --> to see which (bash?) script is running now.. and use the
rootkit tool to examine your system :)




Original Message:
-----------------
From: Graydon McKee graydon.s.mckee.iv () orcmacro com
Date: Fri, 13 Feb 2004 11:45:28 -0500
To: security-basics () securityfocus com
Subject: Unusual Activity


Hello All,

I'm seeing some unusual activity.  One of our web servers is sending emails
via a feedback page that purport to come from
333-333-3333test () test999 com.  These messages have various things in the
From field:
 
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini" <> 
From: "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd" <> 
From: "\\\\'/bin/cat /etc/passwd\\\\'" <>
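
An added example, not part of either message in this thread: a Python check that a feedback-form handler could apply to the From value before building the mail, run over the three values quoted above. The rule names, the classify and is_acceptable_name helpers, the benign sample and the CR/LF rule (which goes beyond the values seen here) are assumptions for illustration.

```python
import re

# Constructed from the three From values quoted in the message above,
# plus one benign value added for contrast.
SAMPLES = [
    r'..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini',
    r'..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd',
    r"\\\\'/bin/cat /etc/passwd\\\\'",
    'Jane Example',
]

RULES = {
    # ".." followed by one or more slashes or backslashes
    "path_traversal": re.compile(r'\.\.[\\/]+'),
    # files requested in the quoted values
    "sensitive_file": re.compile(r'(?i)boot\.ini|etc[\\/]+passwd'),
    # an absolute path into a bin directory, or shell metacharacters
    "command_injection": re.compile(r'/(?:usr/)?s?bin/\w+|[;|`$]'),
    # CR/LF would let a field value add extra mail headers
    "header_injection": re.compile(r'[\r\n]'),
}

def classify(value):
    """Return the sorted names of every rule the field value trips."""
    return sorted(name for name, rx in RULES.items() if rx.search(value))

def is_acceptable_name(value, max_len=64):
    """Allowlist for a display name: word characters, space, . ' and -"""
    return len(value) <= max_len and re.fullmatch(r"[\w .'-]+", value) is not None

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:60} flags={classify(v)} accept={is_acceptable_name(v)}")
```

The allowlist is the control; the rule flags are for logging and alerting on rejected submissions.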
 



