[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Long Exim break-in analysis

Anno domini 2010 Izak Burger scripsit:


Nice reports :)

> But there is one bit that gets me. It does this:

> mkdir -p /usr/include/mysql
> echo dropbear >> /usr/include/mysql/mysql.hh1

> It never does anything with that file, and that file does not exist on
> a real system, so its almost like its leaving behind its business
> card?

Might that be a "all your passwords belong to us" file? I've had one
cracked ssh(d) once, which wrote all passwords from clent and server
connections to /usr/include/ssh.h IIRC. Maybe this on is something

Gib Dein Bestes. Dann übertriff Dich selbst!

Reply to: