List:       incidents
Subject:    Re: New Incident - neet.tar was Re: trends
From:       Jens Hektor <hektor () RZ ! RWTH-AACHEN ! DE>
Date:       1999-07-12 10:26:24

Hi,

Our university was also hit by this attack. Within five
minutes Solaris machines were broken into campus-wide.

> Does anyone have a copy of the exploit for this?  We have
> seen similar things but would like to analyze exactly what
> the shell code is.

We have shell scripts and binaries ("bd", and the mentioned
"neet.tar"), what exactly do you want?

> BTW, the trojaned inetd relies upon the source port to be
> some magic number to get in, i.e. something like
> nc -p 12345 hostname 23

Because I'm interested, how did you get this information?

> AFAIK, the crackers are automating sniffer collection also
> (I've seen the scripts).

We also suspect that this attack was automatically done,
because of the close timing. Two hours before we noticed a
portscan on the entire network from the same site, which did
possibly two things:
a) search for open ports
b) OS detection

Regards, Jens Hektor
