[nsp-sec] rooted UNIX boxes
Gabriel Iovino
giovino at ren-isac.net
Tue Jun 28 09:10:47 EDT 2011
On 6/28/2011 5:27 AM, Dirk Stander wrote:
> Hi,
>
> please find attached a list of compromised servers found
> in an email drop box. The servers do have a userland root
> kit installed and are running a trojanized ssh/sshd.
>
> I'm not sure about the initial attack vector.
ACK:
Thank you!
Gabe
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630