Strange connection

Tomas Larsson ktl at bornet.net
Wed Jul 20 01:28:34 UTC 2005


Well, I was in the process of reinstalling that box anyway, so it's not a big
deal.
This is the first time I unwillingly and unknowingly was hacked, it's
obviously a new experience.

Just a thought, one of the URLs that planted these things is still
active, I should report it I think.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

> -----Original Message-----
> From: fedora-list-bounces at redhat.com 
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of Scot L. Harris
> Sent: Wednesday, July 20, 2005 3:21 AM
> To: For users of Fedora Core releases
> Subject: Re: Strange connection
> 
> 
> On Tue, 2005-07-19 at 20:57, jdow wrote:
> > From: "Tomas Larsson" <ktl at bornet.net>
> > 
> > > gulie.tgz, this one is clearly a virus, Symantec calls it 
> > > "Linux.RST.B"
> > > 
> > > The others are
> > > 
> > > cycomm.tar.gz
> > > roots.tar
> > > 
> > > Haven't got a clue what it is, but I don't think they are nice.
> > > 
> > > Now, the big question is, will they affect other boxes on the 
> > > network as well. I assume that the XP-Boxes should be alright.
> > 
> > Assume NOTHING. It could be set up now to spread Windows viruses.
> > Make sure all the other machines on your network are not infected.
> > Basically you're toast, I fear.
> 
> While it is not impossible, it is unlikely.  They were most 
> likely looking to take control to set up a spam bot or jumping 
> off point to attempt takeover of other Unix systems.  
> 
> But it is a good idea to sweep all other systems.  
> 
> Note: this is not your typical virus.  An exploit in an 
> application, most likely phpBB, was used to load code on the 
> system.  This was then executed to either attempt connection 
> to a control channel or elevate privileges.  
> 
> Either way it requires a bare metal install to make sure it 
> is cleaned out.
> 
> 
> -- 
> Scot L. Harris
> webid at cfl.rr.com
> 
> If I can have honesty, it's easier to overlook mistakes.
> 		-- Kirk, "Space Seed", stardate 3141.9 
> 