Security Incidents mailing list archives
Re: Rooted Boxes
From: "Christian W. Zuckschwerdt" <zany () TRIQ NET>
Date: Tue, 16 Jan 2001 15:53:18 +0100
Hi,

On Mon, 15 Jan 2001, Brian Houk wrote:
> Say, you don't by chance have port 911 TCP running from their rootkit to you?

As far as I've been told the machine is down for forensic analysis. The data our IDS picked up indicated rootkits in /dev/hdb0 and /dev/ptyas. The rootkits were (automatically) installed on 2001-01-14 and the abuse from multiple telnet-connected hosts (and users) was on 2001-01-15.

The created logins were: wormboy adm test sky web aki dani

Thought I'd share that info although it's not likely to be suitable for pattern detection?

On Tue, 16 Jan 2001, Robert van der Meulen wrote:
> Either you're new on the list, or you haven't read the (huge) 'Finding out who owns particular IP addresses' thread. I suggest you look it up in the list archives, and contact them ( all domains _should_ have active security and abuse contacts, hope these do

Well, I managed to locate each responsible ISP. The thread you mentioned was technically centred. My specific question was about your opinion on general practice in contacting each ISP. Is it okay to send a report to abuse@each-isp or perhaps a more suitable address?

cu. : Christian