[40840] in North American Network Operators' Group
Re: should i publish a list of cracked machines?
daemon@ATHENA.MIT.EDU (Josha Bronson)
Thu Aug 23 12:20:20 2001
Date: Thu, 23 Aug 2001 09:12:58 -0700
From: Josha Bronson <dmuz@slartibartfast.angrypacket.com>
To: Jim Mercer <jim@reptiles.org>
Cc: nanog@merit.edu
Message-ID: <20010823091258.A19212@slartibartfast.angrypacket.com>
In-Reply-To: <20010823115338.B10630@reptiles.org>; from jim@reptiles.org on Thu, Aug 23, 2001 at 11:53:38AM -0400

On Thu, Aug 23, 2001 at 11:53:38AM -0400, Jim Mercer said:
> i found one of my boxes was cracked (probably due to the BSD telnetd overflow).
>
> in any case, i found a file in the cracker's directory containing what i think
> is a list of other servers which might be hacked.
> i think the list also includes the passwords for using the trojan.
>
> on my server, i found a trojan daemon, allowing ssh on a 14000 series port.
>
> i was gonna just post the list of hosts here, but then, maybe not.
>
> what is the appropriate feeling?

I'd try to contact the owners of the systems in the list personally.
Posting such a list of machines thought to be cracked would accomplish
little except getting those machines further probed/attacked.

I would suggest trying to see what domains the IPs belong to and just
shoot out some mail to root@/admin@/hostmaster@ or any other likely
admin accounts with a heads up.

--
Josha Bronson <dmuz@slartibartfast.angrypacket.com>
Network/Systems/Security Engineer
josha.net || dmuz.angrypacket.com