On Wed, Apr 27, 2005 at 05:14:51PM +0200, Daniel Kirsten wrote:
Yesterday, I examined the directory ~daikanyama/.undernet and probably I executed mech as root. The file mech is indeed infected by Linux/Rst-B. This explains everything.......
Does anyone know whether .undernet/mech has another purpose than distributing the Linux/Rst-B virus???
It looks like an IRC bot. I imagine the script kiddies who broke into your machine weren't even aware that the files are infected. (Or maybe, they were hoping you'd find them and execute them and make the virus spread to root, giving them a backdoor. But I bet that's giving too much credit.)
mech is an IRC bot, it's available for download from its website. A while ago I had a Debian box cracked and mech was installed in, I think, some place under /var/spool/cron.
Complying with the GPL, the cracker included the source code for mech:-)
This actually happened to the same box twice - my first effort and sanitising was ineffective.
The cracker installed a set of binaries in /bin that caused the system to not work, consquently I discovered the crack within hours.
Someone in .mx infiltrated another box I manage (also Debian) via a user account, installed an IRC bot and other stoff and promptly used our system to attempt to crack others.
The kit includes attempts to crack various RH (and I think FC) releases plus (I think) SuSE and/or Mandrake. There was one for Debian, but not our kernel.
The cracks I've seen send email to someone@hotmail (or yahoo!) with information including the IP address of eth0.
None of the boxes I manage have public IP addresses on eth0 - those are assigned to ADSL routers or ppp0; in some cases I have the IP address also on a dummy interface to simplify routing issues (the Billions don't cope well with traffic aimed at their external IP address appearing from inside the network).
Probably, none of the cracks work if you keep your software up2date. Running Debian seems to help too:-)
--
Cheers John
-- spambait 1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/