Home page logo
/

basics logo Security Basics mailing list archives

Does anyone know which Malware owns this?
From: Paul Halliday <paul.halliday () gmail com>
Date: Mon, 7 Dec 2009 13:00:24 -0400

There was a lot of ssh activity prior to this:

NICK Mafiotul
USER putini . . :Dar buni

NOTICE AUTH :*** Checking Ident
:Tampa.FL.US.Undernet.org 433 * Mafiotul :Nickname is already in use.
NICK Mafiotul_
NICK _afiotul_
....
WHOIS Mafio5945
MODE Mafio5945 +i-ws
JOIN #MafiaBOT #
NICK Mafiotul

The box also fetched this:

http://www.laguna.evolink.ro/server/6969.pl

I also see ICMP 6666 "skillz"; stacheldraht? on a new install of centOS?

Domains appear to be US, Japan and Macedonia (for the IRC part).

I don't have access to the box I am trying to reconstruct from pcaps
only. Tips/pointers welcome.

Thanks.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]