[unisog] New worm?

Pete Hickey pete at shadows.uottawa.ca
Thu Apr 14 14:16:57 GMT 2005


Not sure if this is a worm or just some hacker.

We've had a couple Unix boxes compromised.  A dictionary (userid/password)
attack on ssh.  Once he gets a good password, a program is run,
which does the same thing against other machines.

There is no attempt at trying to cover tracks:  no rootkit
installed, logs intact, etc.  The process is not run as root,
but as the user for which the password was guessed.  This
type of behavior makes me think it is a worm, rather than
someone doing a one-off hack.  Oh yeah.  It also attempts
a (probably) IRC connection to 62.79.27.107 (our default
firewall blocks port 6667)

What makes me not think this is a worm, is that I only saw 
three addresses scanning our address space on port 22.

Anyone else seeing this?

-- 
Pete Hickey                                       /~\  The ASCII
The University of Ottawa                          \ /  Ribbon Campaign
Ottawa, Ontario                                    X   Against HTML
Canada                                            / \  Email!


More information about the unisog mailing list