The chances are extremely good that the IP you're seeing is JAHB (just another hacked box.)
Paul Schmehl ([EMAIL PROTECTED]) Department Coordinator The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of > Francisco Guerreiro > Sent: Thursday, October 03, 2002 7:59 AM > To: [EMAIL PROTECTED] > Subject: [Full-Disclosure] (no subject) > > > hi folks.. > I was meddling in a friend's box when I came across a weird > file in /tmp with apache perms. I thought it was a exploit to > obtain root since the machine was vuln to the openssl > problem, but it turned out to be something else. attached I > send the stuff I found, it's quite self explanatory. I've > looked at it for a few minutes, it's the slaper code, with > some comments and a shell script that ghaters info about the > box and send's it to an email account at yahoo.com . The ip > that is written on the worm resolves to an adsl acount on > some ISP, i guess it is somekind of target since it would be > quite stupid to put your home ip on a worm. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html