Phishing & BotNets
Zombied Box with Localized Phishing? Dec 20 2005 05:47PM
gary huntress gmail com (2 replies)
This is a little convoluted please bear with me.

1) I work for *.navy.mil and I spotted an XSS attack in our web logs. Very, very coincidentally, I knew the owner of the box that was attacking us. He runs a web/mail server.

2) He gave me access and I did what little forensics that I could. I think he's been zombied and is currently being controlled via an IRC user. I see (via "last") root logins from Romania and I see IRC traffic to Finland. I think the main intrusion was an installation of cback (found in /tmp).

3) Via top I see a process called fun, and in its working directory I see other phishing code. I don't know if it's running or not.

Here is my question. The phishing code specifically targets banks local to me (New England Federal Credit Union). Given that my box (in step 1), which is also local, was targeted, would it be jumping to conclusions to think that the 3 events (my box, the zombie box, and the phishing of local banks) are related?

I.e., should I be looking for a local exploiter?

Thanks,

Gary H.

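The two triage checks Gary describes (root logins pulled from `last`, and live processes whose working directory sits under /tmp, where the cback install and the phishing kit were found) can be scripted so they run the same way on every suspect host. This is an added example, not code from the thread; the `last` sample, hostnames and IPs in it are constructed, and it assumes the traditional wtmp column layout of `last` and a Linux /proc filesystem.

```shell
#!/bin/sh
# Triage helpers for a suspected zombied Linux host (added example).
# Assumes `last` prints "user tty host date ..." columns (traditional wtmp layout).

# Print the unique remote sources of root logins from `last` output read on stdin.
# The third column is only a host/IP when a remote login occurred; console
# logins leave it empty, so the date's weekday (no dot or colon) lands there.
root_login_hosts() {
    awk '$1 == "root" && $3 ~ /[.:]/ { print $3 }' | sort -u
}

# Print "pid cwd" for each live process whose working directory is under a
# world-writable temp directory; that is where dropped tools usually run from.
procs_with_tmp_cwd() {
    for p in /proc/[0-9]*; do
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue   # skip unreadable pids
        case "$cwd" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*) echo "${p#/proc/} $cwd" ;;
        esac
    done
}

# Constructed sample of `last` output (addresses are documentation ranges).
SAMPLE_LAST='root     pts/1        192.0.2.10       Mon Dec 19 03:12   still logged in
gary     pts/0        198.51.100.7     Mon Dec 19 01:40 - 02:10  (00:30)
root     tty1                          Sun Dec 18 22:01 - 22:30  (00:29)
root     pts/2        192.0.2.10       Sat Dec 17 04:00 - 04:15  (00:15)
reboot   system boot  2.6.12           Sat Dec 17 00:00
wtmp begins Sat Dec 17 00:00:00 2005'

main() {
    echo "Remote root logins (constructed sample; on a live box pipe 'last' in):"
    printf '%s\n' "$SAMPLE_LAST" | root_login_hosts
    echo "Processes running out of a temp directory on this host:"
    procs_with_tmp_cwd
}

main "$@"
```

On a real host run `last | root_login_hosts` and compare each source against the logins you expect; any pid listed by `procs_with_tmp_cwd` deserves a look at its /proc/PID/exe and open sockets before deciding whether the kit is still active.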
Re: Zombied Box with Localized Phishing? May 31 2006 05:50PM
Lance James (phishing securescience net)
Re: Zombied Box with Localized Phishing? May 31 2006 05:50PM
Lance James (lancej securescience net)
Copyright 2010, SecurityFocus