Date: Wed, 18 Aug 2004 11:56:49 +0200
From: "Devon H. O'Dell"
To: Nikolay Pavlov, Justin, freebsd-security@freebsd.org
Subject: Re: sequences in the auth.log
Message-ID: <20040818095649.GA834@sitetronics.com>
In-Reply-To: <20040818095421.GA207@roks.biz>

Nikolay Pavlov scribbled:
> Hi, Justin
>
> On Tuesday, 17 August 2004 at 23:01:28 -0500, Justin wrote:
> > I'm seeing the same thing in my log. It makes me think it is a virus because
> > test, guest, and admin are not normal unix users.
>
> And so am I. But I think that this is some kind of Linux worm.
> The first record in my auth.log is dated Jul 23 01:48:30.
> Nmap identifies all hosts (already more than ten) in my auth.log as
> "Linux 2.4.0 - 2.5.20, Linux 2.4.20 (Itanium), Linux 2.4.20 - 2.4.22 w/grsecurity.org patch"
>
> Best regards,
> Nikolay Pavlov.

This has recently and fully been discussed on the full-disclosure
mailing list.

--
Kind regards,

Devon H. O'Dell | dodell@sitetronics.com
Key: 4D3D8CA7 | IRC: bofh@WhatNET thebofh@efnet