[nsp-sec] compromised unix systems

Rolf Gartmann rolf.gartmann at switch.ch
Mon Aug 31 07:18:04 EDT 2009


Tim, Gabriel & nsp-sec,


add-on to this case,
the 'malware' in question is located under:

http://s11[DOT]info/d/m

(attached as well).

looking at it, IRC pwd would be:

--snip--
print $sock 'PASS oligarchy'."\r\n";
--snip--

hth,
cheers

Rolf


from the fingers of Tim Wilde on 26.8.2009 at 15:32:
> On 8/26/2009 1:44 AM, Rolf Gartmann wrote:
>> ----------- nsp-security Confidential --------
> 
>> Hello nsp-sec,
> 
>> based on an incident report from one of our customers,
>> there is a C&C at 69.163.33.101 port 8080 (yes Team Cymru,
>> feel free to add it ;)
> 
> Rolf & NSP-SEC,
> 
> It looks like this may have been a small private network being abused
> without the operators' consent, I'm now seeing this when trying to connect:
> 
> Closing: (This is a private IRC network. Please request access
> <solar at strawberrycupcak.es> before attempting to connect.)
> 
> Not exactly a good way to collect bots, if I do say so myself, unless
> they're using another C&C mechanism to say "hey, I'm going to be
> connecting" and open the ACL first (which I suppose might be possible
> with the attack vectors you mentioned).  Unfortunately, there's no way
> we can tell the difference, so we would have to err on the side of not
> listing this right now.
> 
> If anyone has malware pointing here, we'd love to see it though, it
> might help enlighten us and allow us to list the C&C if appropriate.
> 
> Thanks,
> Tim
> 

-- 
SWITCH
Serving Swiss Universities
--------------------------
Rolf Gartmann,  Security Engineer,  Member of SWITCH-CERT
PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
SWITCH,  Werdstrasse 2, P.O. Box,  CH-8021 Zurich,  Switzerland
http://www.switch.ch/cert/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: m.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090831/badac55e/attachment-0001.txt>
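As an added example from the editor, not code from this thread or from the attached m.txt: a small Python triage helper that pulls the IRC connect parameters (server, port, the PASS password, NICK, JOIN channel) out of a Perl bot script of the kind quoted above by static pattern matching, so the C&C details Tim asks for can be recorded without executing the sample. The SAMPLE_BOT lines are constructed for the demo, and the variable names it looks for ($server, $port) are assumptions about how such scripts are usually written.

```python
import re
from typing import Dict

# Constructed sample in the style of a Perl IRC bot; not the thread's attachment.
SAMPLE_BOT = r'''
my $server = "irc.example.invalid";
my $port = 8080;
my $sock = IO::Socket::INET->new(PeerAddr => $server, PeerPort => $port, Proto => 'tcp');
print $sock 'PASS oligarchy'."\r\n";
print $sock "NICK bot".int(rand(9999))."\r\n";
print $sock "USER x 8 * :x\r\n";
print $sock "JOIN #chan secretkey\r\n";
'''

# A line that writes one of the IRC registration commands to a socket handle.
# The quoted string may contain backslash escapes such as \r\n, so allow them.
IRC_LINE_RE = re.compile(
    r"""print\s+\$\w+\s+(?P<q>['"])(?P<cmd>PASS|NICK|JOIN|USER)\s+"""
    r"""(?P<arg>(?:[^'"\\]|\\.)*)(?P=q)"""
)

# Simple scalar assignments such as $server = "host"; or $port = 8080;
ASSIGN_RE = re.compile(
    r"""\$(?P<name>\w+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<num>\d+))\s*;"""
)

# Trailing literal \r and \n sequences left inside the captured string.
TRAILING_CRLF_RE = re.compile(r"(\\r|\\n)+$")


def extract_irc_indicators(source: str) -> Dict[str, object]:
    """Return server, port, PASS value, nicks, channels and USER strings
    found by regex in a Perl bot script (hypothetical helper)."""
    found: Dict[str, object] = {
        "server": None, "port": None, "pass": None,
        "nicks": [], "channels": [], "users": [],
    }
    for m in ASSIGN_RE.finditer(source):
        name = m.group("name").lower()
        value = m.group("dq") or m.group("sq") or m.group("num") or ""
        # Assumed variable names; adjust to the script being triaged.
        if name in ("server", "host", "ircserver") and found["server"] is None:
            found["server"] = value
        elif name in ("port", "ircport") and found["port"] is None:
            found["port"] = int(value) if value.isdigit() else value
    for m in IRC_LINE_RE.finditer(source):
        cmd = m.group("cmd")
        arg = TRAILING_CRLF_RE.sub("", m.group("arg")).strip()
        if cmd == "PASS":
            found["pass"] = arg
        elif cmd == "NICK":
            found["nicks"].append(arg)
        elif cmd == "JOIN":
            # JOIN may carry a channel key; only the channel name is an IoC.
            found["channels"].append(arg.split()[0])
        elif cmd == "USER":
            found["users"].append(arg)
    return found


if __name__ == "__main__":
    for key, value in extract_irc_indicators(SAMPLE_BOT).items():
        print(f"{key:9s}: {value}")
```

On the constructed sample this reports the server, port 8080, the PASS value, the literal NICK prefix (the random suffix is computed at runtime and is not recoverable statically), and the channel name without its key; the same approach applies to any script that writes its registration lines as quoted literals.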

