Re: a compromised machine
On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
> On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
> > Can you get any information out of this cron file? I tried creating the
> > same exec that this file creates, but obviously I was doing sth wrong :)
>
> The crontab writes out a binary file and executes it. I straced the
> binary on a virtual machine with no network.
>
> It's attempting to connect to two different hosts:
>
> 210.169.91.66:5454
This is an IRC server. The program seems to be an IRC zombie.
Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216