From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 09:54:45 2004
Date: Wed, 18 Aug 2004 12:54:21 +0300
From: Nikolay Pavlov
To: Justin
cc: freebsd-security@freebsd.org
Subject: Re: sequences in the auth.log
Message-ID: <20040818095421.GA207@roks.biz>
In-Reply-To: <200408172301.28844.freebsd@alt-network.com>
References: <411CCAAE.7020505@beco.hu> <200408172301.28844.freebsd@alt-network.com>
User-Agent: Mutt/1.4.2.1i

Hi, Justin

On Tuesday, 17 August 2004 at 23:01:28 -0500, Justin wrote:
> I'm seeing the same thing in my log. It makes me think it is a virus because
> test, guest, and admin are not normal unix users.

And I am too. But I think that this is some kind of Linux worm. The first record in my auth.log is dated Jul 23 01:48:30.

Nmap identifies all hosts (already more than ten) in my auth.log as "Linux 2.4.0 - 2.5.20, Linux 2.4.20 (Itanium), Linux 2.4.20 - 2.4.22 w/grsecurity.org patch".

Best regards,
Nikolay Pavlov.
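The pattern the thread describes (one source trying the non-existent accounts test, guest and admin in sequence) can be pulled out of auth.log automatically. The script below is an added example, not from the thread; the log lines are constructed samples with RFC 5737 documentation addresses, and the "Illegal user" / "Invalid user" wordings are the older and newer OpenSSH sshd messages.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the original post).
SAMPLE_LOG = """\
Jul 23 01:48:30 gw sshd[1203]: Illegal user test from 198.51.100.7
Jul 23 01:48:31 gw sshd[1205]: Illegal user guest from 198.51.100.7
Jul 23 01:48:33 gw sshd[1207]: Illegal user admin from 198.51.100.7
Jul 23 01:48:34 gw sshd[1209]: Failed password for illegal user admin from 198.51.100.7 port 4412 ssh2
Jul 23 02:10:02 gw sshd[1300]: Invalid user test from 203.0.113.9
Jul 23 02:10:03 gw sshd[1302]: Invalid user admin from 203.0.113.9
Jul 23 09:15:44 gw sshd[1410]: Failed password for alice from 192.0.2.5 port 51022 ssh2
Jul 23 09:15:50 gw sshd[1412]: Accepted publickey for alice from 192.0.2.5 port 51022 ssh2
"""

# Account names the thread reports being probed.
PROBE_ACCOUNTS = {"test", "guest", "admin"}

# Matches both the older ("Illegal user") and newer ("Invalid user") sshd wording.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<host>\S+)"
)


def find_probe_sources(log_text, probe_accounts=PROBE_ACCOUNTS, min_accounts=2):
    """Return {host: sorted probed accounts} for every source host that tried
    at least `min_accounts` distinct names from the probe set."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("user") in probe_accounts:
            attempts[m.group("host")].add(m.group("user"))
    return {h: sorted(u) for h, u in attempts.items() if len(u) >= min_accounts}


if __name__ == "__main__":
    for host, users in sorted(find_probe_sources(SAMPLE_LOG).items()):
        print(f"{host}: tried {', '.join(users)}")
```

Hosts flagged this way are candidates for a firewall block list; legitimate failed logins for real accounts (alice above) are left alone.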