[iwar] [fc:Update.on.MAJOR.SECURITY.BREACH.AT.CCBILL]

From: Fred Cohen (fc@all.net)
Date: 2001-12-19 21:24:34


Message-Id: <200112200524.fBK5OYT30541@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)

**UPDATE**

Since we first broke this story, I have some further info...

It appears that the entire process of ssh'ing/telnet'ing to
the machine that they have userids/passwords for is an
automated process, perhaps scripted from several sources.

The automated script has been preloaded with a vast list
of usernames/passwords and server addresses, and it systematically
goes through the list and FTPs the eggdrop and TCL tar files
to the user's directory. It then attempts to untar and configure
both programs; if it's successful, it starts the eggdrop
program and puts it onto the IRC channel at EFNet. If it's
unsuccessful, then someone (a human) visits the machine via ssh/telnet,
compiles the failed eggdrop or TCL programs manually, and
launches the eggdrop.

We've seen evidence of this on 2 other machines.

D.
========
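The pattern D. describes (a scripted login followed almost immediately by an FTP upload of an eggdrop or TCL tarball, repeated across many accounts from one source) is detectable from ordinary sshd and ftpd syslog lines. The script below is an added illustration, not part of the original message; the log lines, host name, addresses and paths in it are constructed, and the ftpd STOR log format is an assumption about one common wu-ftpd style.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (sshd + ftpd); not taken from the original message.
SAMPLE_LOG = """\
Dec 19 20:01:02 srv sshd[101]: Accepted password for alice from 198.51.100.7 port 4000 ssh2
Dec 19 20:01:09 srv ftpd[102]: alice of 198.51.100.7 [198.51.100.7]: STOR /home/alice/eggdrop1.6.tar.gz
Dec 19 20:01:40 srv sshd[103]: Accepted password for bob from 198.51.100.7 port 4001 ssh2
Dec 19 20:01:47 srv ftpd[104]: bob of 198.51.100.7 [198.51.100.7]: STOR /home/bob/tcl8.3.tar.gz
Dec 19 20:30:00 srv sshd[105]: Accepted password for carol from 203.0.113.5 port 5000 ssh2
Dec 19 20:45:00 srv ftpd[106]: carol of 203.0.113.5 [203.0.113.5]: STOR /home/carol/report.txt
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
LOGIN_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
STOR_RE = re.compile(TS + r"ftpd\[\d+\]: (\S+) of \S+ \[(\S+)\]: STOR (\S+)")
# The bot kit tarballs named in the report: eggdrop and TCL archives.
KIT_RE = re.compile(r"(eggdrop|tcl)[^/]*\.(tar|tgz|tar\.gz)$", re.IGNORECASE)

def _ts(s):
    # Syslog carries no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(s, "%b %d %H:%M:%S")

def find_bot_drops(log_text, window=timedelta(minutes=5)):
    """Return (user, ip, path) for each kit upload following a login by the same user/address within `window`."""
    logins = {}  # (user, ip) -> time of most recent accepted login
    hits = []
    for line in log_text.splitlines():
        if m := LOGIN_RE.match(line):
            logins[(m[2], m[3])] = _ts(m[1])
        elif m := STOR_RE.match(line):
            user, ip, path = m[2], m[3], m[4]
            t0 = logins.get((user, ip))
            if t0 and KIT_RE.search(path) and _ts(m[1]) - t0 <= window:
                hits.append((user, ip, path))
    return hits

def scripted_sources(hits, min_accounts=2):
    """Addresses that dropped kits into >= min_accounts distinct accounts:
    the signature of a preloaded credential list being worked through."""
    by_ip = defaultdict(set)
    for user, ip, _ in hits:
        by_ip[ip].add(user)
    return {ip for ip, users in by_ip.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    found = find_bot_drops(SAMPLE_LOG)
    print("kit drops:", found, "scripted sources:", scripted_sources(found))
```

In the sample, alice and bob are flagged (upload within seconds of the login, from the same address), carol's ordinary upload is not, and the single source behind both drops is reported as scripted.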


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST