From owner-freebsd-security Wed Nov 14 4:19:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-168.zoominternet.net [24.154.28.168]) by hub.freebsd.org (Postfix) with ESMTP id E5D7C37B416 for ; Wed, 14 Nov 2001 04:19:17 -0800 (PST)
Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id fAECJHF56198 for ; Wed, 14 Nov 2001 07:19:17 -0500 (EST) (envelope-from behanna@zbzoom.net)
Date: Wed, 14 Nov 2001 07:19:12 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
To:
Subject: Re: AdoreWorm
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
Message-ID: <20011114071710.B56125-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Wed, 14 Nov 2001, Stefan Probst wrote:

> Hi,
>
> some hours later, lots more grey hair, but feeling safer now....
>
> As it looks now, somebody in Romania most probably used the telnetd hole
> (because there were no other unused services running, and it would be hard
> to believe that somebody on a dial-up line in Romania can sniff telnet
> passwords, which usually go from Vietnam via Hong Kong to the East Coast) and
> somehow got root access. They then installed this AdoreBSD. Luckily, as it
> looks right now (I might be wrong), they didn't do anything else - at least
> nothing major.
>
> They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC,
> which is obviously kind of a "special" IRC relay ???
>
> This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including
> some IP numbers which they used. Not sure what I should do with that.

Turn them in to the appropriate authorities. The box was in the U.S., right?
That brings this under the jurisdiction of the FBI Computer Crimes Squad,
which, if they have any bandwidth to spare these days, can handle the
international jurisdictional issues.

You still are best off reinstalling from trusted media. How you wipe the
disk and do this remotely is not something I know how to do.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.