On 0, Allen Wayne Best <[EMAIL PROTECTED]> wrote:
>On Wednesday 08 August 2001 01:53, P Kirk pronounced:
>> >
>> >No offense intended, but this is some of the WORST advice I've heard on
>> >this list to date.
>> >
>> >If you fear you may have been compromised, by all means, and for the
>> >love of
On Wednesday 08 August 2001 01:53, P Kirk pronounced:
> >
> >No offense intended, but this is some of the WORST advice I've heard on
> >this list to date.
> >
> >If you fear you may have been compromised, by all means, and for the
> >love of us all, unplug your network cable at once. If for no othe
>
>No offense intended, but this is some of the WORST advice I've heard on
>this list to date.
>
>If you fear you may have been compromised, by all means, and for the
>love of us all, unplug your network cable at once. If for no other
>reason than this: Your system could possibly be launching attac
* William Leese ([EMAIL PROTECTED]) [010807 10:35]:
> urgh, and now with the attachment
>
The attached log just shows a bunch of broadcast ARP requests. It could
be that this is part of some kind of network scanner in action, but it's
pretty inconclusive, afaics.
--
Vineet
* P Kirk ([EMAIL PROTECTED]) [010807 12:32]:
> Saw something similar in a FreeBSD box once. It was a trojan ftp
> daemon that started off some obscure user like sysgetty or some other
> "official" looking name. The RAID had 36 gigs of mp3s and porn.
>
> You might want to backup your data and re
On 07-Aug 08:29, P Kirk wrote:
[snip]
> killa.bat says killall ftpd and call killb.bat and killb does the same
> in reverse.
>
> I know someone must have a neat shell script that does this?
> --
>
[a bash script]
$ while true; do killall ftpd; sleep 1; done
Thomas
On Tue, 7 Aug 2001, William Leese wrote:
>On Tuesday 07 August 2001 18:59, Dave Sherohman wrote:
>> On Tue, Aug 07, 2001 at 06:53:38PM +0200, William Leese wrote:
>> > there's more though. but again i'm not sure.. for the first time i've
>> > seen a few odd requests being logged in boa, just a sma
>Uh... Why? Wouldn't it be simpler to just shut down the ftp service
>(either /etc/init.d/ftpd stop or comment it out in inetd.conf and then
>/etc/init.d/inetd restart), work on it, and restart the service?
Because being a trojan it respawns every time you stop it. Otherwise it
would be a rathe
On Tue, Aug 07, 2001 at 08:29:39PM +0100, P Kirk wrote:
> In the meantime there's no need to disconnect from the net. Just have a
> rolling kill command that kills ftpd every second.
Uh... Why? Wouldn't it be simpler to just shut down the ftp service
(either /etc/init.d/ftpd stop or comment it
...and only one script needed :-)
--
Patrick "No sig in my .sig" Kirk
GSM: +44 7876 560 646
ICQ: 42219699
On Tue, Aug 07, 2001 at 08:29:39PM +0100, P Kirk wrote:
> Saw something similar in a FreeBSD box once. It was a trojan ftp
> daemon that started off some obscure user like sysgetty or some other
> "official" looking name. The RAID had 36 gigs of mp3s and porn.
>
> You might want to backup your
Saw something similar in a FreeBSD box once. It was a trojan ftp
daemon that started off some obscure user like sysgetty or some other
"official" looking name. The RAID had 36 gigs of mp3s and porn.
You might want to backup your data and reinstall if no-one has a more
knowledgeable answer.
In t
On Tuesday 07 August 2001 18:59, Dave Sherohman wrote:
> On Tue, Aug 07, 2001 at 06:53:38PM +0200, William Leese wrote:
> > there's more though. but again i'm not sure.. for the first time i've
> > seen a few odd requests being logged in boa, just a small snippet:
> >
> >
> > [07/Aug/2001:06:26:03
> [07/Aug/2001:06:26:03 +] request from
> 195.38.105.70 "GET /default.ida?
That's from the "Code Red", or some variant of it, worm...
Hall
On Tue, Aug 07, 2001 at 06:53:38PM +0200, William Leese wrote:
> there's more though. but again i'm not sure.. for the first time i've seen a
> few odd requests being logged in boa, just a small snippet:
>
>
> [07/Aug/2001:06:26:03 +] request from 195.38.105.70 "GET
> /default.ida?XXX
-- Forwarded Message --
there's more though. but again i'm not sure.. for the first time i've seen a
few odd requests being logged in boa, just a small snippet:
[07/Aug/2001:06:26:03 +] request from 195.38.105.70 "GET
/default.ida?X
urgh, and now with the attachment
-- Forwarded Message --
Subject: please read: very odd network traffic
Date: Tue, 7 Aug 2001 18:40:11 +0200
From: William Leese <[EMAIL PROTECTED]>
To: debian-user@lists.debian.org
I think my machine has been compromised though i
-- Forwarded Message --
Subject: please read: very odd network traffic
Date: Tue, 7 Aug 2001 18:40:11 +0200
From: William Leese <[EMAIL PROTECTED]>
To: debian-user@lists.debian.org
I think my machine has been compromised though i'm not entirely sure.
I sud
I think my machine has been compromised though i'm not entirely sure.
I suddenly saw a reasonable amount of traffic when I wasn't doing anything
that could generate it so I turned off all the net connection using
applications and still there was traffic.
Opened top to see if there was a proces