Information Security News mailing list archives

RE: *MAJOR SECURITY BREACH AT CCBILL**


From: InfoSec News <isn () c4i org>
Date: Mon, 24 Dec 2001 02:16:01 -0600 (CST)

Forwarded from: Jason Ware <jware () centerbeam com>

This is someone's eggdrop botnet; the first part of the dump is the
user file.  The "-bfoN" is the user flags set, and b means another bot.
The port it listens on, 9872, is the port the bots will use to connect
to each other, using telnet or DCC, so that they can communicate.
The first bot listed, goldeneye, is the hub bot; "--BOTFL ghp" means
this bot will listen to goldeneye for any changes to user or channel
records and will always try to connect to it.  You can find more
information about eggdrop bots and botnets at http://www.egghelp.org.
Incidentally, this botnet is running the netbots set of scripts (the N
flag means it's a netbots bot).  The maker of these scripts is the one
running egghelp.org, but he would not be involved in this mess; it is a
very common and useful set of scripts for eggdrop bots.  Eggdrop bots are
mostly harmless; they are used to hold and guard chat channels on IRC,
but they can be modified very easily and run TCL scripts to do some
nasty or wonderful things.
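As an added example (not code from the original message, from eggdrop or from the netbots scripts), the following Python parses user-file records in the shape shown in the dump quoted below, using the field meanings explained above: the flags column after the name, --BOTADDR as host:port/port, --BOTFL for bot flags and --HOSTS for hostmasks. It groups the bot entries by the port they listen on so that the owners of those hosts can be contacted, and picks out the hub by the 'h' bot flag in --BOTFL. The "host@port:port/port" spelling of --BOTADDR that also appears in the dump is accepted; reading the number after '@' as the listen port is an assumption. The sample records are constructed.

```python
"""Parse eggdrop user-file records (as seen in a `strings` dump) and pull out
the bot entries a responder would want to follow up on.

Added example, not code from eggdrop or the netbots scripts. Field meanings
follow the explanation above: 'name - flags', --BOTADDR host:port/port,
--BOTFL bot flags, --HOSTS hostmasks. The 'host@port:port/port' spelling of
--BOTADDR is also accepted; reading the number after '@' as the listen port
is an assumption. The sample records are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: a hub bot, two leaf bots (one with the '@' address
# spelling), and a human user whose record carries a '!' channel line.
SAMPLE_DUMP = """\
#4v: eggdrop v1.6.7 -- example -- written Wed Dec 19 02:00:00 2001
hubbot     - bfoN
--BOTADDR hub.example.net:4567/4567
--BOTFL ghp
--HOSTS *!*hub@hub.example.net
--XTRA created 1008544330
--PASS notarealpass1
leafone    - bfoN
--HOSTS *!*leaf@leaf1.example.org
--BOTADDR leaf1.example.org:9872/9872
--XTRA created 1008687422
--PASS notarealpass2
leaftwo    - bfoN
--HOSTS *!*leaf2@198.51.100.7
--BOTADDR 198.51.100.7@9872:3333/3333
--XTRA created 1008718483
opuser     - hjmnoptx
! #chan                1008706286 fov
--HOSTS *!op@*.example.com
--PASS +hashedpassxxx
--XTRA created 1008425222
"""

RECORD_RE = re.compile(r'^(\S+)\s+-\s+(\S+)\s*$')        # "name - flags"
ATTR_RE = re.compile(r'^--([A-Z]+)\s*(.*)$')               # "--KEY value"
# "host:telnetport/relayport" or "host@port:telnetport/relayport"
BOTADDR_RE = re.compile(r'^([^:@\s]+)(?:@(\d+))?:(\d+)/(\d+)$')


def parse_userfile(text):
    """Return one dict per record, in file order; unknown lines are skipped."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith('--'):
            m = ATTR_RE.match(line)
            if m and current is not None:
                current['attrs'][m.group(1)].append(m.group(2).strip())
            continue
        m = RECORD_RE.match(line)
        if m and not line.startswith(('#', '!')):
            current = {'name': m.group(1), 'flags': m.group(2),
                       'attrs': defaultdict(list)}
            records.append(current)
        # header ('#'), channel records ('!') and blank lines are ignored
    return records


def bot_address(rec):
    """(host, listen_port) from the record's first --BOTADDR, or None."""
    addrs = rec['attrs'].get('BOTADDR')
    m = BOTADDR_RE.match(addrs[0]) if addrs else None
    if not m:
        return None
    host, at_port, telnet_port, _relay = m.groups()
    return host.lower(), int(at_port or telnet_port)


def triage(text):
    """Summarise a dump: bot hosts grouped by listen port, hubs, human users."""
    records = parse_userfile(text)
    bots = [r for r in records if 'b' in r['flags']]
    hosts_by_port = defaultdict(list)
    for rec in bots:
        addr = bot_address(rec)
        if addr:
            hosts_by_port[addr[1]].append(addr[0])
    # 'h' in --BOTFL marks a hub the other bots link to (see the note above)
    hubs = [r['name'] for r in bots
            if any('h' in fl for fl in r['attrs'].get('BOTFL', []))]
    humans = [r['name'] for r in records if 'b' not in r['flags']]
    return {'bots': len(bots), 'hosts_by_port': dict(hosts_by_port),
            'hubs': hubs, 'humans': humans}


if __name__ == '__main__':
    summary = triage(SAMPLE_DUMP)
    for port, hosts in sorted(summary['hosts_by_port'].items()):
        print(f'port {port}: {len(hosts)} bot(s): {", ".join(sorted(hosts))}')
    print('hubs:', summary['hubs'], 'human users:', summary['humans'])
```

Run against a real dump, the per-port host list is the notification list, and the human records (flags without 'b') are the accounts whose hostmasks show who could drive the bots.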


-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: Wednesday, December 19, 2001 10:23 PM
To: isn () attrition org
Subject: [ISN] *MAJOR SECURITY BREACH AT CCBILL** 


Forwarded from: Ryan W. Maple <ryan () guardiandigital com>

---------- Forwarded message ----------
Date: Wed, 19 Dec 2001 04:14:48 -0500
From: Dayne Jordan <djordan () completeweb net>
To: incidents () securityfocus com
Subject: *MAJOR SECURITY BREACH AT CCBILL**

It appears that perhaps tens of thousands of username/password pairs for
valid shell logins ALL ACROSS THE NET may have been compromised at
CCBILL, a large internet credit card/check processor used for
e-commerce and adult sites. Read carefully!!

Well, after the user complaint below, we began some investigation and
found about 6 of these IRC bots running on our network as well, all
with a fartone.conf and a fartone eggdrop IRC daemon listening on port
9872. This is across 6 different machines in our server farm, so far
as we have found; we are scanning right now to find out if there are
more listening on port 9872 in our address space.

Interestingly enough, the common tie between all these compromised
accounts is that they are ALL CCBILL customers. Being CCBILL
customers, they have all their userid and password information to ssh
to their website(s)/server(s) to update scripts and databases as
required. Was CCBILL hacked? OR do they have someone inside who has
released the user information abroad? We called a couple of other hosts
with whom we communicate and voila... they have boxes with IRC bots
running on port 9872 as well... also CCBILL clients.

It appears whoever has obtained the CCBILL list of
usernames/passwords systematically SSHs into their customers' servers,
installs the IRC eggdrop bot and leaves.

I have found no instances of root kits, or anything else malicious
being performed or installed. In fact, in all 6 instances they left
all their .tar and config files, AND their .history files, intact.
Looking through normal daily log files would not tip you off to any sort
of compromise at all: no multiple password failures, etc., because
they already have the correct password to log in :)

It is my opinion that Cavecreek/CCBILL has had a breach of security,
thus releasing user ids and logins on various servers around the
internet. CCBILL's customer base is in the tens of thousands.

It appears the bots are merely sitting and listening, waiting for
commands for perhaps a large distributed DoS attack; it does not
appear that they are logging any sensitive data transmitted through the
server(s). I tcpdumped the port and logged in and out of the server to
make sure it wasn't transmitting any data elsewhere. I also confirmed
that the bots were not logging anything locally either.

I have attached a sample output of strings on the binary file called
'fartone' for your review; please note there are *several* cavecreek
machines listed as well as many others. ALL these machines
below have been verified to have port 9872 open and listening, with
perhaps this same type of IRC eggdrop bot running. Also please note, all
these servers/domains listed below are current CCBILL subscribers:

ares# strings fartone
#4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
goldeneye  - bfoN                    
--BOTADDR insecure.nl:4567/4567
--BOTFL ghp
--HOSTS *!*lagg () blackhole iarga com
--LASTON 1008733201 #(_(_)============D
--XTRA created 1008544330
--PASS 0dz32ajse1wsg
arsch      - bfoN                    
--HOSTS *!*jb@*.t-dialin.net
--LASTON 1008721551 #testtest
--BOTADDR 123.123.123.123:25432/25432
--XTRA created 1008687422
--PASS fnh4psb7x07rnr
Nitallica  - bfoN                    
--HOSTS *!*maul@205.244.47.249
--LASTON 1008723944 #torisbots
--BOTADDR smtp.webpipe.net:6000/6000
--XTRA created 1008687422
--PASS 29tuhow2of
FrauAntje  - bfoN                    
--HOSTS *!*cf () rise and.shine
--BOTADDR cc118955-b.groni1.gr.nl.home.com:5555/5555
--XTRA created 1008687422
--LASTON 1008715911 #fattool
--PASS 6qgkm19qzmqr41
hispa      - bfoN                    
--HOSTS *!*hispa@209.61.189.230
--HOSTS *!*hispa () thunder2 cwihosting com
--LASTON 1008727382 #(_(_)============D
--BOTADDR thunder2.cwihosting.com:9872/9872
--XTRA created 1008687422
--PASS 4rg6kei8cz
livedom    - bfoN                    
--HOSTS *!*livedom () s1 ss klmz mi voyager net
--HOSTS *!*livedom@207.89.177.218
--BOTADDR s1.ss.klmz.mi.voyager.net:9872/9872
--XTRA created 1008687422
--PASS chahi5e10yz
fetishUSA  - bfoN                    
--HOSTS *!*etishUSA@207.246.139.76
--HOSTS *!*etishUSA () fetish-usa com
--BOTADDR fetish-usa.com:9872/9872
--XTRA created 1008687422
--LASTON 1008714534 #fattool.-user
--PASS el44md4jsx
edik       - bfoN                    
--HOSTS *!edik@216.143.123.202
--HOSTS *!*eve3@216.143.123.202
--LASTON 1008721551 #testtest
--BOTADDR 216.143.123.202:9872/9872
--XTRA created 1008687422
--PASS lpk748otq4
undergrou  - bfoN                    
--HOSTS *!undergrou () undergroundmpegs com
--LASTON 1008721551 #testtest
--BOTADDR undergroundmpegs.com:9872/9872
--XTRA created 1008687422
--PASS h9raa3sbzib1isl
cartoon-x  - bfoN                    
--HOSTS *!cartoon-x () dynamic cavecreek net
--HOSTS *!*rtoon-x@64.38.235.20
--LASTON 1008721551 #testtest
--BOTADDR dynamic.cavecreek.net:9872/9872
--XTRA created 1008687422
--PASS jsuf82v4gity
plump      - bfoN                    
--HOSTS *!plump () viper acceleratedweb net
--HOSTS *!*lump@216.118.101.2
--LASTON 1008727382 #(_(_)============D
--BOTADDR viper.acceleratedweb.net:9872/9872
--XTRA created 1008687422
--PASS 01rc6sicoh9
dara       - bfoN                    
--HOSTS *!dara@209.67.61.60
--HOSTS *!*dara () flash41 flashhost com
--HOSTS *!*ara () www genxxx net
--LASTON 1008721551 #testtest
--BOTADDR 209.67.61.60:9872/9872
--XTRA created 1008687422
--PASS 1r52f5hl8ua3
asian      - bfoN                    
--HOSTS *!asian () asianpornoground com
--LASTON 1008727382 #(_(_)============D
--BOTADDR asianpornoground.com:9872/9872
--XTRA created 1008687422
--PASS 8kbbvw1d82r
flashx     - bfoN                    
--HOSTS *!flashx () flashdiet net
--LASTON 1008721551 #testtest
--BOTADDR flashdiet.net:9872/9872
--XTRA created 1008687422
--PASS r1mict2o4p3m2g
bonker     - bfoN                    
--HOSTS *!bonker () la2 reliablehosting com
--BOTADDR la2.reliablehosting.com:9872/9872
--XTRA created 1008687422
--LASTON 1008689564 #fattool
--PASS mstz9bj3w1
cypo       - bfoN                    
--HOSTS *!cypo@66.78.56.62
--LASTON 1008727382 #(_(_)============D
--BOTADDR 66.78.56.62:9872/9872
--XTRA created 1008687422
--PASS b051yatpxv78
adult      - bfoN                    
--HOSTS *!adult@216.66.37.130
--LASTON 1008721551 #testtest
--BOTADDR 216.66.37.130:9872/9872
--XTRA created 1008687422
--PASS 8vk58u93xm0cp
steenbok   - bfoN                    
--HOSTS *!steenbok () navajo b-h-e com
--LASTON 1008727382 #(_(_)============D
--BOTADDR navajo.b-h-e.com:9872/9872
--XTRA created 1008687422
--PASS ky613fzu65pt9
betty      - bfoN                    
--HOSTS *!betty@216.226.153.165
--BOTADDR 216.226.153.165:9872/9872
--XTRA created 1008687422
--PASS svhcr3jpb98bk88
silky      - bfoN                    
--HOSTS *!silky () www36 mediaserve net
--LASTON 1008721551 #testtest
--BOTADDR www36.mediaserve.net:9872/9872
--XTRA created 1008703816
vixie      - bfoN                    
--HOSTS *!vixie () zeus envex net
--LASTON 1008721551 #testtest
--BOTADDR zeus.envex.net:9872/9872
--XTRA created 1008703839
c0wboy     - bfoN                    
--HOSTS *!c0wboy () arizonasex com
--LASTON 1008737794 #(_(_)============D
--BOTADDR arizonasex.com:9872/9872
--XTRA created 1008703859
reddawg    - bfoN                    
--HOSTS *!reddawg () 216 215 232 6 nw nuvox net
--LASTON 1008727382 #(_(_)============D
--BOTADDR 216.215.232.6.nw.nuvox.net:9872/9872
--XTRA created 1008703890
blaq       - bfoN                    
--HOSTS *!blaq () www retronudes com
--HOSTS *!*ronudes () www retronudes com
--LASTON 1008727382 #(_(_)============D
--BOTADDR www.retronudes.com:9872/9872
--XTRA created 1008704719
bigdick    - bfoN                    
--HOSTS *!bigdick () playawhile com
--HOSTS *!*yguy () playawhile com
--LASTON 1008727382 #(_(_)============D
--BOTADDR playawhile.com:9872/9872
--XTRA created 1008705304
serve      - bfoN                    
--HOSTS *!serve () server iicinternet com
--HOSTS *!*erve@64.156.139.240
--LASTON 1008731356 #(_(_)============D
--BOTADDR server.iicinternet.com:9872/9872
--XTRA created 1008706464
pedal      - bfoN                    
--HOSTS *!pedal () www1 leftcoast net
--BOTADDR www1.leftcoast.net:9872/9872
--XTRA created 1008707679
sizco      - bfoN                    
--HOSTS *!creme () virtual1 sizco net
--HOSTS *!*tcreme () virtual1 sizco net
--LASTON 1008737609 #(_(_)============D
--BOTADDR virtual1.sizco.net:9872/9872
--XTRA created 1008708744
melody     - bfoN                    
--HOSTS *!melody@64.242.242.9
--LASTON 1008727382 #(_(_)============D
--BOTADDR 64.242.242.9:9872/9872
--XTRA created 1008710553
cukinsin   - bfoN                    
--HOSTS *!cukinsin@209.115.38.113
--LASTON 1008727382 #(_(_)============D
--BOTADDR 209.115.38.113:9872/9872
--XTRA created 1008711094
slettebak  - bfoN                    
--HOSTS *!slettebak () stgeorge janey1 net
--HOSTS *!*ettebak@216.226.157.2
--LASTON 1008737670 #(_(_)============D
--BOTADDR stgeorge.janey1.net:9872/9872
--XTRA created 1008712167
tussy      - bfoN                    
--HOSTS *!tussy () fs2 reliablehosting com
--LASTON 1008721551 #testtest
--BOTADDR fs2.reliablehosting.com:9872/9872
--XTRA created 1008712187
hrm        - bfoN                    
--HOSTS *!hrm () infiniti isprime com
--BOTADDR infiniti.isprime.com:9872/9872
--XTRA created 1008713730
--LASTON 1008713966 #jungbusch
fister     - bfoN                    
--HOSTS *!fister () or9 reliablehosting com
--LASTON 1008727382 #(_(_)============D
--BOTADDR or9.reliablehosting.com:9872/9872
--XTRA created 1008713748
buttfuck   - bfoN                    
--HOSTS *!buttfuck () www bridgetfox com
--HOSTS *!*uttfuck () la4 reliablehosting com
--LASTON 1008727382 #(_(_)============D
--BOTADDR www.bridgetfox.com:9872/9872
--XTRA created 1008715635
nude       - bfoN                    
--HOSTS *!*nude () host210 southwestmedia com
--LASTON 1008727382 #(_(_)============D
--BOTADDR host210.southwestmedia.com:9872/9872
--XTRA created 1008717613
kippe      - bfoN                    
--HOSTS *!*kippe@207.71.95.100
--LASTON 1008727382 #(_(_)============D
--BOTADDR 207.71.95.100@9872:3333/3333
--XTRA created 1008718483
lecker     - bfoN                    
--HOSTS *!*lecker () ladynylons com
--LASTON 1008723944 #torisbots
--BOTADDR ladynylons.com@9872:3333/3333
--XTRA created 1008718866
cf         - hjmnoptx                
--HOSTS -telnet!*@*
--HOSTS cf@pain.killer
--PASS +kqP.7.9x36e.
--XTRA created 1008425222
cf_        - fhjmnoptxZ              
--HOSTS *!cf@pain.killer
--LASTON 1008727068 @bums
--PASS +SO3pi.h66XB1
--XTRA created 1008426075
chumash    - fhpYZ                   
--HOSTS *!nitaisa () shemalepornstar com
--HOSTS *!nitaisa () tightkitten com
--PASS +ghTan/8SXJw1
--COMMENT 1st Offense Badword
--XTRA created 1008426757
m00b       - h                       
--HOSTS *!b00m@*.planet.arrakis.cz
--LASTON 1008733043 #0dayxxxpasswords
--PASS +REjnv1Q0DAf/
--XTRA created 1008440044
Cyberwolf  - h                       
--HOSTS *!Blah@*.rr.com
--PASS +HPw7k0X0/X51
--XTRA created 1008442445
w33d       - hY                      
--HOSTS *!dope@209.53.205.*
--PASS +w/e/c.r8kog/
--XTRA created 1008455421
--COMMENT 1st Offense Badword
_maddog_   - hY                      
--HOSTS *!*ouchabl@*.dial.net4b.pt
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008459615
undernetx  - hY                      
--HOSTS *!*dernetx@*.east.verizon.net
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008460443
O2B3       - hY                      
--HOSTS *!*frischr@*.xtra.co.nz
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008460560
xxxxx      - hY                      
--HOSTS *!cf@*.and.shine
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008465019
^[FTO1]^   - hY                      
--HOSTS *![FTO1]^@*.astound.net
--PASS +w/e/c.r8kog/
--XTRA created 1008465619
--COMMENT 1st Offense Badword
showty     - hE                      
--HOSTS *!dfioaj@24.129.181.*
--PASS +w/e/c.r8kog/
--COMMENT 2 Bad Word Offenses
--XTRA created 1008470243
_mysdick   - hY                      
--HOSTS *!mystical () ownz com
--LASTON 1008732953 #0dayxxxpasswords
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008473951
Shareef_A  - hY                      
--HOSTS *!Ultima@200.56.148.*
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008477957
aHiMz      - hY                      
--HOSTS *!toophat@210.195.204.*
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008480641
sr         - hjmnoptx                
--HOSTS *!figge () shemalepornstar com
--LASTON 1008715929 @goldeneye
--PASS +9fX2h.WNiV41
--XTRA created 1008539610
bigwave    - h                       
--HOSTS *!*tchbust () hereistheporn com
--LASTON 1008704750 #jungbusch
--PASS +shNEb1VEXSl1
--XTRA created 1008541504
qon        - h                       
--HOSTS *!jbcqon@*.t-dialin.net
--LASTON 1008701006 #jungbusch
--PASS +HUtku0I/W6R.
--XTRA created 1008678075
qonbot     - h                       
--HOSTS *!qon@*.t-dialin.net
--HOSTS *!*achgott@*.t-dialin.net
--LASTON 1008701417 #jungbusch
--PASS +HUtku0I/W6R.
--XTRA created 1008678105
ice2k      - h                       
! #jungbusch           1008706286 fov        
--HOSTS *!fisch@*.t-dialin.net
--LASTON 1008706286 #jungbusch
--PASS +riut8.jEw3u0
--XTRA created 1008705970
stiffy     - bfoN                    
--HOSTS *!*stiffy () otis siteprotect com
--BOTADDR otis.siteprotect.com@9872:3333/3333
--XTRA created 1008720570
moese      - bfoV                    
--HOSTS *!*moese () ns14 reliablehosting com
--BOTADDR ns14.reliablehosting.com@9872:3333/3333
--XTRA created 1008721358
moepsy     - bfoN                    
--HOSTS *!*moepsy () katarina super nu
--LASTON 1008723455 #fattool
--BOTADDR katarina.super.nu@9872:3333/3333
--XTRA created 1008723363
sicker     - bfoN                    
--HOSTS *!*sicker () 1-nude-girls-sex-pictures com
--LASTON 1008726564 #0dayxxxpasswords
--BOTADDR 1-nude-girls-sex-pictures.com@9872:3333/3333
--XTRA created 1008724705
pullo      - bfoN                    
--HOSTS *!*pullo () co60 reliablehosting com
--LASTON 1008727313 #0dayxxxpasswords
--BOTADDR co60.reliablehosting.com@9872:3333/3333
--XTRA created 1008725430
wixer      - bfoN                    
--HOSTS *!*wixer () co60 reliablehosting com
--LASTON 1008727314 #0dayxxxpasswords
--BOTADDR co60.reliablehosting.com@9871:3333/3333
--XTRA created 1008725589
bums       - bfoN                    
--HOSTS *!*bums () 365host com
--BOTADDR 365host.com@9872:3333/3333
--XTRA created 1008726771
gretl      - bfoN                    
--HOSTS *!*gretl () saturn iwebhosting com
--LASTON 1008727314 #0dayxxxpasswords
--BOTADDR saturn.iwebhosting.com@9871:3333/3333
--XTRA created 1008726906

Please note the .history file from just this one account. This is
merely a small sample; please note that these are all CCBILL
accounts:

ssh -l f215109 www.extremeteens.net
telnet www.extremeteens.net
ssh -l amfight www.amfight.com
ssh -l sm-online www.sm-online.net
telnet www.musicchief.com
telnet www.studspa.com
ssh -l gmill www.G2mil.com
ssh -l sweetcreme www.sweetcreme.com
ssh -l roach www.exposedfantasy.com
ssh -l tfi0080192 www.whores.telinco.co.uk
ftp www.whores.telinco.co.uk
ssh -l jen11sex www.jensex.com
ssh -l webusr www.asianvixens.net 
ssh -l freakfest www.chicagofreakfest.com
telnet www.gangbang-wife.com
ftp gangbang-wife.com
ssh -l gangbang ganbang-wife.com
ssh -l gangbang gangbang-wife.com
ssh -l norfun www.norfun.com
ssh -l doublejay doublejay.ultraadult.com
ftp ultraadult.com
ftp www.internetpleasure.net
telnet www.internetpleasure.net
ssh -l admin www.internetpleasure.net
ftp www.internetpleasure.net
mail
w
ftp www.teenpussy2001.com
w
ssh -l livedom www.livedom.com
ssh -l dmartin2 www.sweetcuties.com
w
ssh -l fetish www.fetish-usa.com
ssh -l dodger www.dodger.co.uk
ssh -l beavis www.eroticamazon.com
w
ls
ssh -l www.thebondagechanne www.thebondagechannel.com
ftp www.thebondagechannel.com
ssh -l hispa hispamagic.com
ssh -l dodger www.dodger.co.uk
ssh -l livedom www.livedom.com 
ssh -l fetish www.fetish-usa.com
ssh -l jen11sex www.jensex.com
ssh -l stephenp www.thefun-times.com
ssh -l barbie www.VoyeurCamCondo.com
ssh -l eve3 www.strumpfhosen-girls.com
ssh -l melody www.undergroundmpegs.com
mail
telnet www.AMAHO.COM
ssh -l blueflamedesigns www.blueflamedesigns.com
ssh -l dynamic www.cartoon-x.net
ssh -l u1498 www.plumptious.com
ssh -l rowan55 www.dirtydara.com
ssh -l barbara www.asianpornoground.com
ssh -l alenko www.alenko.com
ssh -l hispa hispamagic.com
ssh -l livedom www.livedom.com
ssh -l melody www.undergroundmpegs.com
ssh -l u1498 www.plumptious.com
ssh -l rowan55 www.dirtydara.com
ssh -l rburdwood www.southcouple.com
ssh -l flashdiet flashdiet.net
ssh -l cypo www.cypo.com
ssh -l u44048 adultfrontier.com
ssh -l u44048 www.adultfrontier.com
ssh -l avrcon avrcon.com
ssh -l sara www.boobtique.com
ssh -l extreme-g www.xtreme-girls.com
ssh -l lynnol www.lynncarroll.net
exit
ssh -l www.extremeteens.net
/bin/bash
ssh -l websex www.websex.org
ssh -l playsi www.silkyplay.com
ssh -l linda www.nastylinda.com
ssh -l ndevine www.nikkidevine.com
ssh -l belleleigh www.belleleigh.com
ssh -l gtdfor www.arizonasex.com
ssh -l voyearexpo www.voyeurexpo.com
/bin/bash
ssh -l voyeurexpo www.voyeurexpo.com
ssh -l markiemark www.profitbusiness.com
telnet www.analaddiction.com
ssh -l pplump www.proudly-plump.com
ssh -l taboo www.incesttaboo.com
ssh -l legendaryreddog www.legendaryreddog.com
telnet www.adultamateursexpictures.com
ssh -l miami miamistudios.com
ssh -l envex www.envex.net
ssh -l voyeurmyth www.voyeurmyth.com
ssh -l netpimp www.exhibitionfetish.com
ssh -l teressam www.teressamoss.com
ssh -l gospeltr www.gospeltribune.com
ssh -l mcooper www.findfreefiles.com
telnet www.retronudes.com
ssh -l nyguy www.playawhile.com
ssh -l wickedgamers www.wickedgamers.net
ssh -l wengle www.hentaidimension.com
ssh -l nudistphotogallery www.nudistphotogallery.net
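As an added example (not from the original post), this Python extracts the remote accounts touched from a .history file in the shape above, so that a responder can hand the other sites a list of hosts and logins to notify and rotate. It recognises `ssh -l user host`, `ssh user@host`, `telnet host` and `ftp host`, lower-cases hostnames so one machine typed two ways counts once, separates the cleartext protocols, and reports lines such as `ssh -l host` where the host was typed as the -l argument and no user can be recovered. The sample history is constructed.

```python
"""Extract the remote accounts touched from a shell .history file.

Added example, not from the original post. It recognises the command shapes
seen above ('ssh -l user host', 'telnet host', 'ftp host') plus 'ssh user@host',
lower-cases hostnames so one machine typed two ways counts once, separates
the cleartext protocols, and reports 'ssh -l host' lines where the host was
typed as the -l argument and no user can be recovered. The sample history is
constructed.
"""
import re

SAMPLE_HISTORY = """\
ssh -l alice www.example-one.test
telnet www.example-two.test
ftp example-two.test
ssh -l alice www.example-one.test
w
ssh -l www.example-three.test
ssh bob@example-four.test
ssh -l carol EXAMPLE-FIVE.test
ls
exit
"""

SSH_L_RE = re.compile(r'^ssh\s+-l\s+(\S+)\s+(\S+)$')       # ssh -l user host
SSH_AT_RE = re.compile(r'^ssh\s+([^@\s]+)@(\S+)$')        # ssh user@host
PLAIN_RE = re.compile(r'^(telnet|ftp)\s+(\S+)$')           # telnet host / ftp host
INCOMPLETE_RE = re.compile(r'^ssh\s+-l\s+(\S+)$')          # host given as -l arg


def extract_remote_access(history):
    """Return (set of (proto, user, host), list of ssh lines with no user)."""
    seen, incomplete = set(), []
    for raw in history.splitlines():
        line = raw.strip()
        m = SSH_L_RE.match(line) or SSH_AT_RE.match(line)
        if m:
            seen.add(('ssh', m.group(1), m.group(2).lower()))
            continue
        m = PLAIN_RE.match(line)
        if m:
            seen.add((m.group(1), None, m.group(2).lower()))
            continue
        if INCOMPLETE_RE.match(line):
            # 'ssh -l host': the operator typed the host where the user
            # goes, so the account name is unknown but the host still matters
            incomplete.append(line)
        # 'w', 'ls', 'exit', 'mail' and other local commands are ignored
    return seen, incomplete


def hosts_to_notify(history):
    """Sorted unique hostnames: the list handed to the other hosts' admins."""
    seen, _ = extract_remote_access(history)
    return sorted({host for _, _, host in seen})


def cleartext_logins(history):
    """Hosts reached over telnet/ftp: any password typed there crossed the wire in clear."""
    seen, _ = extract_remote_access(history)
    return sorted({host for proto, _, host in seen if proto in ('telnet', 'ftp')})


if __name__ == '__main__':
    accounts, unknown = extract_remote_access(SAMPLE_HISTORY)
    for proto, user, host in sorted(accounts, key=lambda t: (t[2], t[0])):
        print(f'{proto:6} {user or "-":10} {host}')
    print('hosts to notify:', hosts_to_notify(SAMPLE_HISTORY))
    print('cleartext protocol hosts:', cleartext_logins(SAMPLE_HISTORY))
    print('lines with no recoverable user:', unknown)
```

The cleartext list matters beyond the bots: any credential typed over telnet or ftp from a box the intruder controlled should be treated as exposed whether or not a bot was found on the far end.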


stan () visox com wrote:


Here is a message regarding a hack attempt. They have stated that the
hack was also from our server 216.226.xxx.xxx. How can we check who/what
happened from that server? The details from their logs are below.

Stan
****

-------- Original Message --------
From: - Tue Dec 18 21:57:22 2001
X-UIDL: c531b934e8e90feedce1e9ab85425a46
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from gelt.cavecreek.net (gelt.cavecreek.net [64.38.195.170])
by zeus.xxxxxxxxxx (8.8.5/8.8.5) with ESMTP id AAA22149 for
<stan@xxxxxxxxxx>; Wed, 19 Dec 2001 00:49:52 -0500 (EST)
Received: from biz-link.com (cx832301-d.chnd1.az.home.com
[24.14.253.216]) by gelt.cavecreek.net (8.11.2/8.11.1) with ESMTP id
fBJ5thY93497; Tue, 18 Dec 2001 22:55:44 -0700 (MST) (envelope-from
wolkove () biz-link com)
Message-ID: <3C202C0C.CDD0D35D () biz-link com>
Date: Tue, 18 Dec 2001 22:56:28 -0700
From: Jeff Wolkove <wolkove () biz-link com>
Reply-To: wolkove () biz-link com
Organization: SVM
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: abuse () home com, stan@xxxxxxxxx
CC: support () cavecreek com
Subject: Illegal hacking activity
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: c531b934e8e90feedce1e9ab85425a46

LEGAL NOTICE TO abuse () home com and stan@xxxxxxxxxx
Courtesy Copy To: support () cavecreek com

One of your users illegally accessed a server I own and illegally
installed and ran software on it. The hacker gained access to the
system using a hacked or stolen password and installed "eggdrop",
an IRC bot with the capability of launching distributed denial
of service attacks.

This hacker accessed my system from cc118955-a.groni1.gr.nl.home.com
by FTP as per the following entry in my system FTP logs. All times
are Mountain Standard Time (Arizona, USA).

Dec 18 11:48:04 gelt ftpd[23349]: connection from
cc118955-a.groni1.gr.nl.home.com (213.51.147.235)

The user also accessed the system using interactive SSH from
216.226.xxx.xxx, according to the following entries in syslog:

Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for
"216.226.xxx.xxx".
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password
accepted.
Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user
gtdfor accepted.
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from
216.226.xxx.xxx, authenticated.

This is a private server and the gtdfor user ID is used only by myself,
the system administrator. This is a unix-level login, not a web site
account. This(these) user(s) therefore gained access illegally.
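As an added example (not part of the message above), the following Python parses sshd2 syslog lines of the shapes quoted above ("DNS lookup failed for ...", "Password authentication for user X accepted.", "User X, coming from Y, authenticated."), joins them by process id, and reports successful logins whose source is outside a per-account allowlist. Since the intruder logged in with the correct password, there are no failures to count; the observable is a successful authentication from a source the account never uses. The log lines, host name, account names, addresses and allowlist are all constructed.

```python
"""Flag successful sshd logins from sources an account is not expected to use.

Added example, not part of the original message. It matches the sshd2 message
shapes quoted above ("User X, coming from Y, authenticated.",
"Password authentication for user X accepted.", "DNS lookup failed for ...")
and joins them by process id. The log lines, host name, accounts, addresses
and allowlist are all constructed for this example.
"""
import ipaddress
import re

SAMPLE_SYSLOG = """\
Dec 18 11:37:51 srv1 sshd2[16845]: DNS lookup failed for "203.0.113.77".
Dec 18 11:38:02 srv1 sshd2[16845]: User admin's local password accepted.
Dec 18 11:38:02 srv1 sshd2[16845]: Password authentication for user admin accepted.
Dec 18 11:38:02 srv1 sshd2[16845]: User admin, coming from 203.0.113.77, authenticated.
Dec 18 12:02:10 srv1 sshd2[17002]: Password authentication for user admin accepted.
Dec 18 12:02:10 srv1 sshd2[17002]: User admin, coming from 192.0.2.10, authenticated.
Dec 18 13:15:44 srv1 sshd2[17311]: User webusr, coming from 198.51.100.5, authenticated.
"""

# Constructed policy: the networks each account is expected to come from.
# 'webusr' has no entry, so every login for it is reported for review.
ALLOWED_SOURCES = {'admin': ['192.0.2.0/24']}

AUTH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd2?\[(?P<pid>\d+)\]: '
    r'User (?P<user>\S+), coming from (?P<src>\S+), authenticated\.$')
METHOD_RE = re.compile(
    r'sshd2?\[(?P<pid>\d+)\]: (?P<method>\w+) authentication for user '
    r'(?P<user>\S+) accepted\.$')
DNS_RE = re.compile(r'sshd2?\[(?P<pid>\d+)\]: DNS lookup failed for "[^"]+"\.$')


def parse_logins(text):
    """One dict per successful login, with auth method and rDNS status joined by pid."""
    methods, no_rdns, logins = {}, set(), []
    for line in text.splitlines():
        m = METHOD_RE.search(line)
        if m:
            methods[m.group('pid')] = m.group('method').lower()
            continue
        m = DNS_RE.search(line)
        if m:
            no_rdns.add(m.group('pid'))
            continue
        m = AUTH_RE.match(line)
        if m:
            pid = m.group('pid')
            logins.append({'ts': m.group('ts'), 'host': m.group('host'),
                           'user': m.group('user'), 'src': m.group('src'),
                           'method': methods.get(pid, 'unknown'),
                           'rdns_failed': pid in no_rdns})
    return logins


def source_allowed(user, src):
    """True/False against the allowlist; None when the account has no policy."""
    nets = ALLOWED_SOURCES.get(user)
    if nets is None:
        return None
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False            # a hostname or masked address cannot be matched
    return any(addr in ipaddress.ip_network(net) for net in nets)


def suspicious_logins(text):
    """Logins from outside the account's allowlist, or for accounts with no policy.

    A correct stolen password produces no failures to count, so a successful
    authentication from an unexpected source is the signal to alert on.
    """
    flagged = []
    for login in parse_logins(text):
        verdict = source_allowed(login['user'], login['src'])
        if verdict is True:
            continue
        login['reason'] = ('no policy for account' if verdict is None
                           else 'source not allowed')
        flagged.append(login)
    return flagged


if __name__ == '__main__':
    for hit in suspicious_logins(SAMPLE_SYSLOG):
        print(f"{hit['ts']} {hit['user']} from {hit['src']} "
              f"({hit['method']}, rDNS failed={hit['rdns_failed']}): {hit['reason']}")
```

The allowlist is the part that needs maintaining: an admin account such as the one described above has a short, stable list of places it is used from, which is what makes a password-only login from anywhere else stand out.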


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

