On Thu, Sep 18, 2003 at 07:02:06PM +0200, Michel Messerschmidt wrote:
>
> Might be a side effect of the tools that were used.
> A quick scan with f-prot shows several infected files on the server
> www.slacks.hpg.ig.com.br:
(....)
> www.slacks.hpg.ig.com.br/bin/rh Infection: Unix/Osf.A

This is an exploit for an OpenSSL bug.

> www.slacks.hpg.ig.com.br/bin/mass Infection: Unix/Osf.A

This is a 'massive' scanner.

> www.slacks.hpg.ig.com.br/bin/co1 Infection: Unix/Osf.A

This is another OpenSSL exploit (written in Portuguese).

> www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/makesalt Infection:
> Unix/Osf.A
> www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/psybnc Infection:
> Unix/Osf.A

Both of these are programs to set up IRC daemons and relays, IIRC.
See: http://www.honeynet.org/scans/scan28/

>
> But AFAIK none of these viruses is able to get root rights, so the attacker
> must have got root rights before.

Well, they are not viruses themselves. The fact that f-prot labels them as
such is that they usually are part of some massrooter, worm or trojan, but
they can be (and are) used independently.

Regards

Javi