[prev in list] [next in list] [prev in thread] [next in thread]
List: incidents
Subject: Re: New Incident - neet.tar was Re: trends
From: Jens Hektor <hektor () RZ ! RWTH-AACHEN ! DE>
Date: 1999-07-12 10:26:24
[Download RAW message or body]
Hi,
our university was also hit by this attack. Within five
minutes Solaris-machines were broken into campus-wide.
> Does anyone have a copy of the exploit for this? We have
> seen similar things but would like to analyze exactly what
> the shell code is.
We have shell-scripts and binaries ("bd", and the mentioned
"neet.tar"), what exactly do you want ?
> BTW, the trojaned inetd relies upon the source port to be
> some magic number to get in, i.e. something like
> nc -p 12345 hostname 23
Because I'm interested, how did you get this information ?
> AFAIK, the crackers are automating sniffer collection also
> (i've seen the scripts).
We also suspect that this attack was automatically done,
because of the close timing. Two hours before we noticed a
portscan on the entire network from the same site, which did
possibly two things:
a) search for open ports
b) OS detection
Regards, Jens Hektor
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic