I had the "honour" :) of chatting with the IRC Ops on this server just now. They accepted that it is a botnet. When told their address was on FD, they panicked and are now killing all new connections.
This might be useful:

8<------------
Welcome to the Internet Relay Network via The World Wide NEWiSO, aaaa
Your host is Drones2.newiso.org, running version u2.10.11.04
This server was created Thu Aug 21 2003 at 22:05:31 EST
Drones2.newiso.org u2.10.11.04 dioswkgx biklmnopstvr bklov
8<-------------

It would've been fun if the original poster had attached a sample of amdpatchb.exe.

--
Cheers,
S.G.Masood

Hyderabad,
India.

--- Michael Linke <[EMAIL PROTECTED]> wrote:
> At one of our Computers with Internet Access, I found a strange program
> running.
> amdpatchB.exe(38 KB)
>
> This program is trying to get Internet Access while starting.
> amdpatchB.exe is connecting to 63.246.134.50:9900.
> There is a text based protocol running on 63.246.134.50 at a service on port
> 9900.
> See Telnet output:
> ________________________________________________________
> telnet 63.246.134.50 9900
> Trying 63.246.134.50...
> Connected to 63.246.134.50.
> Escape character is '^]'.
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
> help
> :Drones2.newiso.org 451 * :Register first.
> _________________________________________________________
>
> I used Google to look for this filename but got no result.
> Any ideas what this is?
>
> Regards,
> Michael
> _____________________
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Richard Johnson
> Sent: Wednesday, 17 September 2003 17:48
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: openssh remote exploit
>
> In article <[EMAIL PROTECTED]>,
> petard <[EMAIL PROTECTED]> wrote:
>
> > An exploit would certainly constitute such evidence. Have you seen
> > anything that indicates this bug is exploitable?
>
>
> I'm beginning to suspect that compromises attributed to this bug on
> Linux hosts were coincidental. They could have happened via exploits
> of other problems. That's because no-one has any forensics data or
> logs that indicate this particular bug as an attack route.
>
> However, the chance is not worth taking in practice, so upgrade time it
> is.
>
>
> Richard
>
> --
> My mailbox. My property. My personal space. My rules. Deal with it.
>
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
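
A defender-side check for the pattern reported in this thread, an IRC handshake answering on an unexpected port, added here as an example and not part of the original posts. The function names and the list of usual IRC ports are assumptions; the first sample is the server output from the telnet transcript quoted above, the second is constructed.

```python
import re

# Ports conventionally used for IRC (assumption for this example; adjust to local policy).
USUAL_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
MSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")

# Server-side lines taken from the telnet transcript quoted in the thread.
PAGE_TRANSCRIPT = [
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    ":Drones2.newiso.org 451 * :Register first.",
]
# Constructed non-IRC sample for contrast.
HTTP_SAMPLE = ["HTTP/1.1 400 Bad Request", "Content-Length: 0", ""]

def parse_irc_line(line):
    """Return (prefix, command, params), or None if the line is not IRC-shaped."""
    m = MSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("prefix"), m.group("command").upper(), m.group("params") or ""

def classify_session(server_lines, port):
    """Check the server-to-client lines of one TCP session for IRC handshake traits."""
    servers, numerics, auth_notices = set(), [], 0
    for line in server_lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        prefix, command, params = parsed
        if command == "NOTICE" and params.startswith("AUTH :"):
            auth_notices += 1            # pre-registration notices, as in the transcript
        elif command.isdigit() and prefix:
            numerics.append(command)     # numeric reply, e.g. 451 ERR_NOTREGISTERED
            servers.add(prefix)          # the prefix names the answering server
    is_irc = auth_notices > 0 or bool(numerics)
    return {
        "is_irc": is_irc,
        "unusual_port": is_irc and port not in USUAL_IRC_PORTS,
        "servers": sorted(servers),
        "numerics": numerics,
    }

if __name__ == "__main__":
    print(classify_session(PAGE_TRANSCRIPT, 9900))
```
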
