Phishing & BotNets
Zombied Box with Localized Phishing? Dec 20 2005 05:47PM
gary huntress gmail com
This is a little convoluted please bear with me.

1) I work for * and I spotted an XSS attack in our web logs. Very, very coincidentally, I knew the owner of the box that was attacking us. He runs a web/mail server.

2) He gave me access and I did what little forensics that I could. I think he's been zombied and is currently being controlled via an IRC user. I see (via "last") root logins from Romania and I see IRC traffic to Finland. I think the main intrusion was an installation of cback (found in /tmp).

3) Via top I see a process called fun, and in its working directory I see other phishing code. I don't know if it's running or not.

Here is my question. The phishing code specifically targets banks local to me (New England Federal Credit Union). Given that my box (in step 1), which is also local, was targeted, would it be jumping to conclusions to think that the 3 events (my box, the zombie box, and the phishing of local banks) are related?

I.e., should I be looking for a local exploiter?


Gary H.
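The triage steps Gary describes (reading `last` for root logins from unexpected places, looking for IRC connections, and finding processes that live or work out of /tmp) can be scripted so they run the same way on every box you are handed. The script below is an added example and is not Gary's code or anything from his box. The `last` and `netstat -tn` samples are constructed to resemble real output; the IRC port list and the choice to treat only RFC 1918 addresses as "local" are assumptions you would adjust for your own network.

```shell
#!/bin/sh
# Triage helpers for a suspected zombied Linux host (added example, not from the post).
# The two SAMPLE_* strings are constructed to look like `last` and `netstat -tn`
# output so the log-parsing functions can be exercised offline.

SAMPLE_LAST='root     pts/0        81.196.0.10      Tue Dec 20 02:11   still logged in
root     pts/1        10.0.0.5         Mon Dec 19 09:30 - 09:45  (00:15)
gary     pts/2        10.0.0.7         Mon Dec 19 08:00 - 08:20  (00:20)
reboot   system boot  2.4.20-8         Sun Dec 18 22:00          (1+04:11)
root     tty1                          Sun Dec 18 22:05 - 22:10  (00:05)

wtmp begins Thu Dec  1 00:00:00 2005'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.20:22         10.0.0.7:40012          ESTABLISHED
tcp        0      0 192.168.1.20:36521      193.166.3.4:6667        ESTABLISHED
tcp        0      0 192.168.1.20:80         85.10.20.30:51234       TIME_WAIT'

# Read `last` output on stdin; print the source address of every root login that
# came over the network from outside RFC 1918 space (assumption: that is "remote").
# Console logins have no host field and fall through the IPv4 match.
remote_root_logins() {
    awk '$1 == "root" &&
         $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $3 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print $3 }'
}

# Read `netstat -tn` output on stdin; print foreign endpoints on the usual IRC
# ports (6660-6669, 6697, 7000; assumed list, a bot can use any port).
irc_connections() {
    awk '$1 == "tcp" {
             n = split($5, a, ":"); port = a[n] + 0
             if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000) print $5
         }'
}

# Live check: walk /proc and report any process whose executable or working
# directory is under a world-writable scratch location. This is the scripted
# form of "top, then look at the working directory". Needs a Linux /proc.
tmp_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        for path in "$exe" "$cwd"; do
            case "$path" in
                /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                    echo "${p#/proc/} exe=$exe cwd=$cwd"
                    break ;;
            esac
        done
    done
    return 0
}

# Stand-alone run: parse the constructed samples, then sweep the live /proc if present.
echo "== root logins from outside RFC 1918 (sample) =="
printf '%s\n' "$SAMPLE_LAST" | remote_root_logins
echo "== connections to IRC ports (sample) =="
printf '%s\n' "$SAMPLE_NETSTAT" | irc_connections
if [ -d /proc/self ]; then
    echo "== live processes running out of /tmp, /var/tmp or /dev/shm =="
    tmp_processes
fi
```

On a real box you would pipe `last -i` and `netstat -tn` into the two parsers instead of the samples, and run `tmp_processes` as root so `/proc/<pid>/exe` is readable for every process. Note that all three checks trust the compromised host's own binaries and wtmp; a rootkit can hide logins and processes from them, so treat a clean result as "nothing found", not "nothing there".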

