Full Disclosure mailing list archives

(no subject)


From: pauls () utdallas edu (Schmehl, Paul L)
Date: Thu, 3 Oct 2002 09:26:20 -0500

The chances are extremely good that the IP you're seeing is JAHB (just
another hacked box.)

Paul Schmehl (pauls () utdallas edu)
Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Francisco Guerreiro
Sent: Thursday, October 03, 2002 7:59 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] (no subject)


hi folks..
I was meddling in a friend's box when I came across a weird 
file in /tmp with apache perms. I thought it was an exploit to 
obtain root since the machine was vuln to the openssl 
problem, but it turned out to be something else. attached I 
send the stuff I found, it's quite self explanatory. I've 
looked at it for a few minutes, it's the Slapper code, with 
some comments and a shell script that gathers info about the 
box and sends it to an email account at yahoo.com . The ip 
that is written on the worm resolves to an adsl account on 
some ISP, I guess it is some kind of target since it would be 
quite stupid to put your home ip on a worm.

