Strange connection
Tomas Larsson
ktl at bornet.net
Wed Jul 20 01:28:34 UTC 2005
Well, I was in the process of reinstalling that box anyway, so it's not a big
deal.
This is the first time I unwillingly and unknowingly was hacked; it's
obviously a new experience.
Just a thought: one of the URLs that planted these things is still
active. I should report it, I think.
With best regards
Tomas Larsson
Sweden
Verus Amicus Est Tamquam Alter Idem
> -----Original Message-----
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of Scot L. Harris
> Sent: Wednesday, July 20, 2005 3:21 AM
> To: For users of Fedora Core releases
> Subject: Re: Strange connection
>
>
> On Tue, 2005-07-19 at 20:57, jdow wrote:
> > From: "Tomas Larsson" <ktl at bornet.net>
> >
> > > gulie.tgz, this one is clearly a virus, Symantec calls it
> > > "Linux.RST.B"
> > >
> > > The others are
> > >
> > > cycomm.tar.gz
> > > roots.tar
> > >
> > > Haven't got a clue what it is, but I don't think they are nice.
> > >
> > > Now, the big question is, will they affect other boxes on the
> > > network as well. I assume that the XP-Boxes should be alright.
> >
> > Assume NOTHING. It could be set up now to spread Windows viruses. Make
> > sure all the other machines on your network are not infected.
> > Basically you're toast, I fear.
>
> While it is not impossible, it is unlikely. They were most
> likely looking to take control to set up a spam bot or jumping-off
> point to attempt takeover of other unix systems.
>
> But it is a good idea to sweep all other systems.
>
> Note: this is not your typical virus. An exploit in an
> application, most likely phpBB, was used to load code on the
> system. This was then executed to either attempt connection
> to a control channel or elevate privileges.
>
> Either way it requires a bare metal install to make sure it
> is cleaned out.
>
>
> --
> Scot L. Harris
> webid at cfl.rr.com
>
> If I can have honesty, it's easier to overlook mistakes.
> -- Kirk, "Space Seed", stardate 3141.9