Re: Long Exim break-in analysis
In the year of our Lord 2010, Izak Burger wrote:
Hi!
Nice reports :)
> But there is one bit that gets me. It does this:
> mkdir -p /usr/include/mysql
> echo dropbear >> /usr/include/mysql/mysql.hh1
> It never does anything with that file, and that file does not exist on
> a real system, so it's almost like it's leaving behind its business
> card?
Might that be an "all your passwords belong to us" file? I've had one
cracked ssh(d) once, which wrote all passwords from client and server
connections to /usr/include/ssh.h IIRC. Maybe this one is something
similar?
Ciao
Max
--
Give your best. Then surpass yourself!
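Both posters point at the same hiding place: a plain text file dropped under /usr/include where nobody looks. A defender can audit that tree against the package manager's file lists and flag anything no package owns, anything without a header suffix, and anything with no preprocessor lines in it. The following is an added example, not code from either poster; it assumes dpkg-style `*.list` manifests (one absolute path per line) and builds a constructed scratch tree mirroring the two files named in the thread.

```python
import os
import tempfile
from pathlib import Path

HEADER_SUFFIXES = {".h", ".hh", ".hpp", ".hxx", ".inc", ".def", ".ipp", ".tcc"}

def load_manifests(manifest_dir):
    """Collect every path listed in the *.list files of manifest_dir (dpkg layout assumed)."""
    owned = set()
    for listfile in Path(manifest_dir).glob("*.list"):
        owned.update(l.strip() for l in listfile.read_text().splitlines() if l.strip())
    return owned

def looks_like_header(path, limit=4096):
    """A real header has preprocessor lines; a dumped credential file usually has none."""
    head = Path(path).read_text(errors="replace")[:limit]
    return any(line.lstrip().startswith("#") for line in head.splitlines())

def audit_include_tree(root, owned, prefix="/usr/include"):
    """Walk root and return sorted (logical_path, reason) pairs for suspicious files.
    prefix is the path the manifests use for this tree, so a scratch copy can be scanned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            real = Path(dirpath, name)
            logical = f"{prefix}/{real.relative_to(root).as_posix()}"
            if logical not in owned:
                findings.append((logical, "not owned by any package"))
            if real.suffix.lower() not in HEADER_SUFFIXES:
                findings.append((logical, f"non-header suffix {real.suffix!r}"))
            if not looks_like_header(real):
                findings.append((logical, "no preprocessor directives"))
    return sorted(findings)

def demo():
    """Build a constructed tree with the thread's two artefacts plus one real header, then audit it."""
    base = Path(tempfile.mkdtemp())
    inc, info = base / "include", base / "info"
    for d in (inc / "mysql", info):
        d.mkdir(parents=True)
    (inc / "mysql" / "mysql.h").write_text("#ifndef MYSQL_H\n#define MYSQL_H\n#endif\n")
    (inc / "mysql" / "mysql.hh1").write_text("dropbear\n")            # file named in the thread
    (inc / "ssh.h").write_text("user@host:constructed-password\n")    # sshd-style stash, constructed
    (info / "libmysqlclient-dev.list").write_text(
        "/usr/include/mysql\n/usr/include/mysql/mysql.h\n")           # constructed manifest
    return audit_include_tree(inc, load_manifests(info))

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a live host, point `audit_include_tree` at `/usr/include` and `load_manifests` at `/var/lib/dpkg/info`; the legitimate `mysql.h` produces no finding while both planted files are reported.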