Maybe I am the only one who is correlating things, but is it possible that the CERT® Incident Note IN-99-04 is related? I know I had the opportunity to clean up several machines that were compromised using the methods described in the note. Oddly enough, there was an executable left in the root dir, but nothing else seemed to have happened. The logs didn't show very much activity, just this one executable (called FD or something).
Could it be this rogue executable was placed on hundreds of machines all over the world, and left to be until this week? The result is a really hard problem to track. I know even finding the break-in was just by accident. Maybe there are hundreds of machines all over the internet that have yet to find this break-in, and are ignorantly helping the folks.
If this were true, then the situation would tend to point to Linux and Solaris OS machines causing the trouble. However, it could also be a PR boon to M$, the week before they release the Win2K bug on the world. :-)
I didn't put much effort into finding out what this rogue process did. I know the startup script was in cron, and there would only be one copy running at a time. We had to clean up a bit before we felt comfortable running the machines on the internet again.
I love how the media has latched onto a new "evil" term; they started calling this process a "demon". I guess that is our fault for pronouncing daemon that way. So now every bad thing that happened will be demons left by hackers :-P
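The post describes a cron-started executable sitting directly in the filesystem root, which is exactly the kind of entry a quick crontab audit can surface. The following is an added example (not code from the post or from CERT): a POSIX shell check that reads crontab text and flags any job whose command is a file directly under `/` or under a dot-directory. The sample crontab is constructed for the example; the `/fd` name is only a placeholder echoing the "FD or something" the poster mentions.

```shell
#!/bin/sh
# Constructed sample crontab content (not from the post): two ordinary entries
# and two that launch executables from unusual locations.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/backup.sh
*/10 * * * * /fd >/dev/null 2>&1
@reboot /root/.hidden/FD
'

# flag_root_cron_entries: reads crontab text on stdin and prints each
# non-comment entry whose command path is a file directly under / (e.g. "/fd")
# or lives under a dot-directory; both are unusual for legitimate cron jobs.
flag_root_cron_entries() {
  grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
    # The command is the 6th field for time-spec entries, the 2nd for @reboot etc.
    case "$line" in
      @*) cmd=$(printf '%s\n' "$line" | awk '{print $2}') ;;
      *)  cmd=$(printf '%s\n' "$line" | awk '{print $6}') ;;
    esac
    case "$cmd" in
      /*/*) # at least one directory component below /; check for dot-dirs
        case "$cmd" in
          */.*) printf 'SUSPICIOUS (dot-dir): %s\n' "$line" ;;
        esac ;;
      /*)   printf 'SUSPICIOUS (root-dir binary): %s\n' "$line" ;;
    esac
  done
}

# count_flagged: number of suspicious entries found in the sample.
count_flagged() {
  printf '%s' "$SAMPLE_CRONTAB" | flag_root_cron_entries | wc -l | tr -d ' '
}

# Run against the constructed sample. On a real host you would feed it
# /etc/crontab, the files in /etc/cron.d, and each user's "crontab -l" output.
printf '%s' "$SAMPLE_CRONTAB" | flag_root_cron_entries
```

The check only looks at where the command lives, not at what it does, so it is a triage filter rather than proof of compromise; an entry it flags still needs the binary itself examined, and the matching process list compared against what cron is expected to start.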