Security Incidents mailing list archives
what else you can do with worm networks...fun, profit, etc
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Mon, 9 Dec 2002 13:27:24 -0500 (EST)
Hi all,
Just saw something rather amusing brought by the worm tide :-) A little
nasty daemon (named "httpd") was deployed by whoever hit our Apache/SSL
honeypot. Another mod of the good ole slapper, but! here are some funny
strings from the binary:
...
find /|grep -i "order"
search.log
rm -rf search.log
...
and some hard coded addresses on where to send the stuff...
The telltale sign in the /tmp: ".fontunix" (with no dash unlike the real
thing).
Get paid from collecting order data from lame web servers - heh, an idea?
Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
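
An added example, not part of the original post or of the binary it describes: a Python triage helper that walks a temp directory for the look-alike ".fontunix" name and for regular files containing both command strings quoted above. The function names, the rule that both strings must be present, and the sample tree built in demo() are assumptions made for this example.

```python
import os
import tempfile

# Indicators quoted in the post; nothing else about the binary is assumed.
LOOKALIKE = ".fontunix"        # entry reported in /tmp
REAL_NAME = ".font-unix"       # the legitimate name it imitates
STRINGS = (b'find /|grep -i "order"', b"rm -rf search.log")

def has_harvest_strings(path, chunk=1 << 20):
    """True if the file contains every string in STRINGS."""
    missing, tail = set(STRINGS), b""
    try:
        with open(path, "rb") as fh:
            while missing:
                block = fh.read(chunk)
                if not block:
                    break
                window = tail + block
                missing = {s for s in missing if s not in window}
                tail = window[-64:]  # overlap so a string split across reads still matches
    except OSError:
        return False
    return not missing

def triage(tmp_dir):
    """Return sorted (reason, path) findings for one temp directory."""
    findings = []
    for root, dirs, files in os.walk(tmp_dir):
        for name in dirs + files:
            if name == LOOKALIKE:
                findings.append(("lookalike-name", os.path.join(root, name)))
        for name in files:
            path = os.path.join(root, name)
            # Regular files only: skip symlinks, sockets and FIFOs.
            if os.path.isfile(path) and not os.path.islink(path) and has_harvest_strings(path):
                findings.append(("harvest-strings", path))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not the real sample) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, REAL_NAME))  # legitimate name: not flagged
        bad = os.path.join(tmp, LOOKALIKE)
        os.mkdir(bad)
        with open(os.path.join(bad, "httpd"), "wb") as fh:
            fh.write(b"\x7fELF" + STRINGS[0] + b"\x00search.log\x00" + STRINGS[1])
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"rm -rf search.log\n")  # one string only: not flagged
        return [(r, os.path.relpath(p, tmp).replace(os.sep, "/")) for r, p in triage(tmp)]
```

Calling triage("/tmp") on a suspect host returns the same (reason, path) tuples for review.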
