Indeed: http://blackhats.com/infosuck/0x007c.png
I doubt the attackers even went through the hassle to gain root (no need, anyone can start stuff on (unfiltered) 8080). Finding a vulnerable .php/cgi for executing commands on the server under the uid of the webserver sounds much easier to me.
1. Scan for vulnerable Servers
2. upload trojansite.tgz
3. unpack to some world-writable/executable directory like for e.g. /tmp/.../
4. fire up nginx serving the trojans
5. Profit (5 ?! omg, people really have to work for their monies these days)
[german] http://de.wikipedia.org/wiki/K%C3%B6rpergeruchsprobe
You can check some facts in RL too: http://www.boingboing.net/2007/07/03/stasi-smell-museum.html
With the speed they lose the data they do have to collect much more just to have some left in their own hands.
As we all learned from this Documentary called "The Terminator" (released lately in 1080p):
"Its framework is a hyper alloy titanium combat chassis" (wh00!)
So, whenever the time is right and i need to know if the object of my interest is titanium or not: i'll just shoot it!
If it's still alive: it is (as seen in above mentioned docu) titanium most likely... if it's dead: No way it's sweet titanium!
These science thingies are so ez sometimes once u only start to use your brain, i just realize!
Have some eggnog too,
trib
Agreed: whois looks pretty odd. Amazon slashdotted? Jep, another odd point.
But in case this is some kind of phishing, they at least manipulated some reverse records too :)
traceroute to www.mturk.com (207.171.166.182), 30 hops max, 40 byte packets
[...]
11 amazon-above.mpr1.iad5.us.mfnx.net.175.185.208.in-addr.arpa (208.185.175.66) 96.801 ms 97.656 ms 97.633 ms
12 72.21.201.27 97.109 ms 97.347 ms 98.164 ms
13 166-182.amazon.com (207.171.166.182) 98.107 ms 97.069 ms 97.510 ms
First he gave the kids trinoo, and now cares about our sekj00r1ty. I won't even have a look at this one.
Dunno how you come up with SSL when IPv6 is the topic ;-)
But anyway: the Apache FAQ should answer your question.