[K12OSN] OT: Break-In report
Rob Owens
rob.owens at biochemfluidics.com
Wed Jan 2 14:52:53 UTC 2008
Les Mikesell wrote:
> Rob Owens wrote:
>>
>> I particularly like the use of " " as a directory name. Nice and
>> invisible. Also note that the invader put his files in two
>> directories which have the "sticky" bit set: /dev/shm and /var/tmp
>>
>> In the end, it seems that all the invader succeeded in doing was a
>> bunch of port-scanning. The OS is going to be re-installed anyway,
>> just to be safe.
>
> It is probably looking for additional systems to compromise, and may
> have reported itself back to some controlling system.
>
Yes, that is exactly what it was doing. We found a list of usernames
(members of some group on the internet) and it looked like it was
notifying these users that the system was "open for business".
-Rob
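
Added example, not part of the original thread: a small Python check for the hiding trick described above, listing entries under /dev/shm and /var/tmp whose names are only whitespace or dots (such as " ") or contain non-printable characters. The function names and the "disguised name" rule are assumptions made for this illustration.

```python
import os
import stat

# The two directories named in the thread; both are normally o+w with the sticky bit.
DEFAULT_ROOTS = ("/dev/shm", "/var/tmp")


def name_is_disguised(name):
    """True for names built to vanish in `ls` output: only whitespace/dots
    (" ", ".. ", "...") or containing non-printable characters."""
    if any(not ch.isprintable() for ch in name):
        return True
    return name.strip(" \t.") == ""


def is_sticky_world_writable(path):
    """True if `path` is a directory with mode bits o+w and +t (like /tmp)."""
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH) and bool(mode & stat.S_ISVTX)


def find_disguised_entries(roots=DEFAULT_ROOTS):
    """Walk each root without following symlinks and return a sorted list of
    (path, kind, owner_uid) for every entry whose name is disguised."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                if not name_is_disguised(name):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # entry vanished or is unreadable
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "non-dir"
                hits.append((full, kind, st.st_uid))
    return sorted(hits)


if __name__ == "__main__":
    for root in DEFAULT_ROOTS:
        print(f"{root}: sticky+world-writable={is_sticky_world_writable(root)}")
    for path, kind, uid in find_disguised_entries():
        # repr() makes the otherwise invisible name visible in the report
        print(f"{kind}\tuid={uid}\t{path!r}")
```

The owner UID in each hit shows which account created the entry, which helps tie the files back to the compromised login.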