[SunRescue] Cracked!

Ido Dubrawsky rescue at sunhelp.org
Sat May 12 23:33:49 CDT 2001


On Sat, May 12, 2001 at 12:01:03PM -0500, rescue-request at sunhelp.org wrote:
> Message: 3
> Date: Sat, 12 May 2001 08:30:35 -0500
> From: Eric Hall <jester_123 at yahoo.com>
> To: "suns-at-home at net-kitchen.com" <suns-at-home at net-kitchen.com>,
> 	"rescue at sunhelp.org" <rescue at sunhelp.org>
> Subject: [SunRescue] Cracked!
> Reply-To: rescue at sunhelp.org
>
> Well, it's my own fault, but I've been cracked. I noticed a process running
> on my classic named uniattack.sh - it seems someone was using my lowly
> classic to deface websites.
>
> There was a new directory created on my system - /dev/cuc where the cracker
> installed his utilities. /etc/rc2.d/S71rpc was replaced with a startup
> script for the cracker. Most of the scripts used were written in perl. I
> have them tar'd up safe so I can research it in more depth.
>
> I'm going to have to wipe the disk and reinstall Sol 7, of course. I'm
> guessing this was a totally scripted attack - a worm if you will.
>
> Anyway, if anyone has any info on this crack, please let me know. And be
> careful out there.
>
> Eric H
>

Eric,

  If you've got the source code safe and sound I was wondering if you could
send me a copy of it.  From the sound of it, it looks like your machine is
the victim of a new worm hitting the net...it attacks Solaris boxen using the
sadmind vulnerability, once it's installed it searches for WinNT boxes with
the UNICODE vulnerability and tries to deface the web pages by replacing them
with a black page that says " F*CK USA Government, F*CK <Some Name>" and has
a yahoo.com e-mail address at the end.  If this is that worm I would like to
get my hands on it to study it.  If you are willing, send it to me at:
idubraws at cisco.com.  Even if this is not that worm, I'd like to see it.

Thanks,
Ido

--
===============================================================================
                        |Ido Dubrawsky               E-mail: idubraws at cisco.com
     |          |       |Network Security Engineer
    :|:        :|:      |Cisco Secure Consulting Services
   :|||:      :|||:     |Cisco Systems, Inc.
.:|||||||:..:|||||||:.  |Austin, TX. 78759
===============================================================================


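The three indicators Eric lists in his message (a /dev/cuc directory holding the cracker's tools, a replaced /etc/rc2.d/S71rpc startup script, and a running uniattack.sh process) can be checked on a suspect Solaris host with a short shell function. The function below is an added example, not code from either poster or from the worm itself. The ROOT argument, the exit-status convention, and the heuristic that any reference to /dev/cuc or to perl inside S71rpc marks the script as replaced are assumptions made here so the check can be run against a scratch directory as well as against a live root; the stock S71rpc only starts rpcbind and contains neither.

```shell
#!/bin/sh
# Added example (not from the original posts). Checks a filesystem root for
# the indicators named in Eric's message:
#   1. the /dev/cuc tool directory,
#   2. an /etc/rc2.d/S71rpc that references /dev/cuc or perl (assumed
#      heuristic: the stock script only starts rpcbind),
#   3. a running process whose command line mentions uniattack.sh.
#
# Usage: check_sadmind_iocs ROOT
#   ROOT is "/" on the live machine, or a scratch directory for testing.
#   One line is printed per finding; the return status is the number of
#   findings, so 0 means nothing was found.
check_sadmind_iocs() {
    root=${1%/}          # strip a trailing slash so "/" becomes ""
    findings=0

    # 1. Attacker tool directory reported in the original post.
    if [ -d "$root/dev/cuc" ]; then
        echo "FOUND: $root/dev/cuc exists (cracker's tool directory)"
        findings=$((findings + 1))
    fi

    # 2. The rc script that should only start rpcbind. Assumed heuristic:
    #    a reference to /dev/cuc or to perl means it has been replaced.
    rc="$root/etc/rc2.d/S71rpc"
    if [ -f "$rc" ] && grep -q -e '/dev/cuc' -e 'perl' "$rc"; then
        echo "FOUND: $rc references /dev/cuc or perl (replaced startup script?)"
        findings=$((findings + 1))
    fi

    # 3. Any live process running uniattack.sh. The [u] trick keeps grep
    #    from matching its own command line. Only meaningful for ROOT=/.
    if [ -z "$root" ] && ps -eo args 2>/dev/null | grep -q '[u]niattack\.sh'; then
        echo "FOUND: uniattack.sh is running (see ps -ef)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Run against the root given on the command line, defaulting to "/".
check_sadmind_iocs "${1:-/}"
```

Run it as `sh check.sh /` on the suspect machine, ideally with ps and grep taken from read-only media, since a host in this state cannot be trusted to report on itself. A clean result from this check does not mean the box is clean; it only confirms that the specific artifacts named in the post are absent, and the reinstall Eric plans is still the right call.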