Mailing List Archive


Re: tlug: need help



Hello,

    Thanks, Jonathan, for your response. Well, as far as I know, the script
in a very subtle way killed sendmail, but as you say, it might have done
a lot more, I guess. I am not sure what else it actually did, but I am working
on it. Strange to say, I didn't read it as root, nor with Netscape either.
That bothers me a lot. I read it from my home, simply downloaded. I usually
leave messages in /usr/spool/mail as well, since I want to read the same
messages at uni too. But in this case, I read it at home, then I telnetted to the
server and read it again with Mule (Rmail), because I wanted to check the main
body (script source). That is all I did.
I know, I don't trust my servers at the moment. I have to give you more
info here, also for all those who run servers with Linux.

I run 4 servers, A,B,C,D.
A) sendmail deleted(though what else has been deleted is not known).

B) sendmail not deleted, but there are traces of compilation. And on this
    server sendmail will not run either at the moment. Obviously some
    kind of compiling act failed. When I try to run sendmail on this
    server, error messages such as the ones below are shown.

Invalid macro/class character h
Invalid macro/class character e
Invalid macro/class character c
Invalid macro/class character k
Invalid macro/class character M
Invalid macro/class character I
Invalid macro/class character M
Invalid macro/class character E
Invalid macro/class character H
Invalid macro/class character e
Invalid macro/class character a
Invalid macro/class character d
Invalid macro/class character e
Invalid macro/class character r
Invalid macro/class character s
Invalid macro/class character c
Invalid macro/class character h
Invalid macro/class character e
Invalid macro/class character c
Invalid macro/class character k

C) The whole system shut down, even the power.

D) Intact.

Well I am not sure about those crackers acting heavily and daily
at the moment all over the world, but it makes me feel pretty
sad when it COMES to ME.

Jonathan Byrne wrote:

> You were reading email as root, with Netscape?!  With Javascript and
> HTML email enabled?!  You're lucky you got off so lightly.  It could
> have broken a lot more than it did.  Odd though, targeting sendmail for
> deletion with a Javascript bomb.  I wonder what else it might have done?
> I strongly recommend having someone who can read that thing go over it
> and see what the whole payload was.  Do not trust your system until you
> know.
>
> I hope everything's working OK,
>
> Jonathan
>
> On Tue, 15 Feb 2000, Yong-Ming Hua wrote:
>
> > Hello,
> >    We have got a nasty e-mail including javascript which removed our
> > sendmail file from /usr/sbin. I include the script here. Anyone who
> > receives e-mail titled such as
> > Your Order        -sadkstnsk
> > please be careful.
> > I just killed the sendmail process, and made a symbolic link again to
> > sendmail.mx that was all I did. I hope to install Sendmail ver.8.9 soon
> > with No Relay option configuration, but the e-mail which included this
> > script has nothing to do with the relay system. I wanted to let you know this
> > just in case. I could not see the mail body; it was just blank due to the
> > hidden option.
> >  I also ask for any help to stop this kind of bad joke...
> >
> > Best Regards
> > Yong-Ming
> >
> >
> > ----------- included message--------------
> > Subject: Your Order        -sadkstnskv
> > To: spyder@example.com
> > Date: Sat, 19 Feb 2000 07:47:30 -0500
> > Content-Type: text/html;
> >  charset="iso-8859-1"
> > Content-Transfer-Encoding: 7BIT
> > Message-Id: <hhufbyycexpljxq.otvtonlgfoedmdjvrk@example.com>
> >
> > From: megan122@example.com
> > X-Mailer: nu mail 0.1
> > X-Mozilla-Status2: 00000000
> >
> >
> >
> > <HTML>
> > <HEAD>
> >  <TITLE></TITLE>
> >  <META HTTP-EQUIV="Expires" CONTENT="Tue, 16 Jan 1990 21:29:02 GMT">
> > </HEAD>
> >
> >
> > <BODY BGCOLOR="#FF3030" TEXT="#000000" ALINK="#00FF30" VLINK="#FF3030"
> > LINK="#0000FF">
> >
> >
> > <SCRIPT LANGUAGE="JavaScript"><!--
> > function Decode() {
> > d("4CSDMFB JUHOAUOQ=0LU9UCSDMFB034!--\nPAHSBMGH
> > OQBuFFZQDCMGH(){\nUFFHUIQ=
> > HU9MOUBGD.UFFhUIQ;\nUFF9QDCMGH = HU9MOUBGD.UFFZQDCMGH;\nIULGD9QD =
> > UFF9QDCMGH.
> > CATCBDMHO(\", #);\nMP ( (UFFHUIQ == 0hQBCSUFQ0) && ( IULGD9QD 3= > ) )
> > DQBADH
> > #;\nMP ( (UFFHUIQ == 0iMSDGCGPB mHBQDHQB q7FJGDQD0) && (IULGD9QD 3= <) )
> >
> > DQBADH #;\nDQBADH \";\n}\nPAHSBMGH SJMSK() {\nMP (Q9QHB.TABBGH==])
> > {\nUJQDB('bNQ DMONB IGACQ TABBGH NUC TQQH RMCUTJQR.')\n}\n}\nRGSAIQHB.
> > GHIGACQRG8H = SJMSK\n//--34/CSDMFB34nbij34nqur34/nqur34tgrW
> > tosgjgd=01pp>\">\"0 b");
> > d("qXb=01\"\"\"\"\"\"0 ujmhk=01\"\"pp>\"0 Zjmhk=01pp>\">\"0
> > jmhk=01\"\"\"\"pp034TD34pghb34t3cMSK 8NGDQC 8NG RG UH6BNMHO BNUB BNQ6
> > SUH FAB
> > MHCMRQ GD TMOOQD!!4TD3bNMC MC GAD IGCB tM5UDDQ UHR q7BDQIQ cngskmho
> > CMBQ!!
> > nQDQ BNQ4TD3OMDJC SUH JGGK CG 6GAHO UHR MHHGSQHB AHBMJ 6GA CQQ BNQI
> > RGMHO
> > UH6BNMHO4td3UHR UH6GHQ MH CMONB 8MBN UJJ CGDB CGDBC GP CBDUHOQ GTLQSBC
> > ACQR BG
> > PMJJ BNQMD 4TD3NGJQC. bNQ6 LACB JG9Q OQBBMHO BNQMD UCCQC PASKQR UHR
> > PMJJQR
> > 8MBN4TD3BNUB 8UDI PJG8 GP sai. CMSK 8NGDQC MC 8NUB UJJ BNQCQ nGDH6
> > WGAHO4TD3t");
> > d("MBSNQC UDQ, CG SJMSK UHR CQQ MP BNQ6 SUH CUBMCP6 6GAD
> > BUCBQC.4TD3dQIQITQD
> > UH6BNMHO OGQC CG FDQFUDQ 6GADCQJP PGD UH Q7FQDMQHSQ JMKQ HG4TD3GBNQD. 4u
> >
> > ndqp=0NBBF://888.BMSBGSK.FFJ@><wwyy]\"vy/?>y<zz03sJMSK NQDQ UHR CQQ
> > BNQCQ CMSK
> > 8NGDQC4/u34/t34/pghb34/tgrW34/nbij3");
> > return 0;}
> > //--></SCRIPT>
> > <SCRIPT LANGUAGE="JavaScript"><!--
> > ky = "";
> > function d(msg) { ky = ky + codeIt(key, msg); }
> > var key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";
> > function codeIt(mC, eS) {
> >   var wTG, mcH = mC.length / 2, nS = "", dv;
> >   for (var x = 0; x < eS.length; x++) {
> >     wTG = mC.indexOf(eS.charAt(x));
> >     if (wTG > mcH) {
> >       dv = wTG - mcH;
> >       nS = nS + mC.charAt(33 - dv);
> >     } else {
> >       if (key.indexOf(eS.charAt(x)) < 0) {
> >         nS = nS + eS.charAt(x)
> >       } else {
> >         dv = mcH - wTG;
> >         nS = nS + mC.charAt(33 + dv);
> >       }
> >     }
> >   }
> >   return nS;
> > }
> > //--></SCRIPT><SCRIPT LANGUAGE="JavaScript"><!--
> > Decode();document.write(ky);//--></SCRIPT>
> >

--
FROM THE OFFICE OF YONG-MING HUA(YMH CAL LABORATORY)
yhua@example.com, root@example.com
Office Tel:(Japan)(0)-42-739-8132  Fax:(Japan)(0)-42-739-8847
A Word from YMH CAL LAB : Help those with Terminal Illness
They need your love. http://www.kelvin.lit.tamagawa.ac.jp
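Jonathan's advice in the thread is to have someone read the script rather than let a mail client run it. The following Python is an added example, not code from the thread or from the quoted mail: it re-implements the codeIt() substitution from the quoted script so the hidden HTML can be decoded offline. It assumes only the key string and the d("...") call shape shown above; the sample input is constructed from two fragments of the message's first d() call.

```python
import re

# Alphabet copied from the quoted script's `key` variable (67 characters).
KEY = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#"'


def decode(encoded: str) -> str:
    """Python mirror of the message's codeIt(key, msg).

    The JavaScript splits the alphabet at mcH = 33.5 and picks
    mC.charAt(66.5 - i); charAt() truncates the index, so position i is
    simply swapped with position 66 - i.  Characters outside the alphabet
    (space, '=', '!', '-', newline, braces) pass through unchanged.
    The mapping is an involution: decode(decode(s)) == s.
    """
    last = len(KEY) - 1  # 66
    out = []
    for ch in encoded:
        i = KEY.find(ch)
        out.append(ch if i < 0 else KEY[last - i])
    return ''.join(out)


# Matches the string literal inside each d("...") call, allowing \" and \n.
D_CALL = re.compile(r'd\("((?:[^"\\]|\\.)*)"\)')


def js_unescape(literal: str) -> str:
    """Undo the two escapes the message uses: backslash-n and backslash-quote."""
    return literal.replace('\\n', '\n').replace('\\"', '"')


def decode_d_calls(script_src: str) -> str:
    """Rebuild the HTML that Decode() hands to document.write(ky):
    every d("...") literal, unescaped, decoded and concatenated in order."""
    return ''.join(decode(js_unescape(lit)) for lit in D_CALL.findall(script_src))


# Constructed sample: two fragments of the message's first d() call,
# re-joined here as two separate calls (the mail wrapped the originals).
SAMPLE = r'''d("4CSDMFB JUHOAUOQ=0LU9UCSDMFB034!--\nPAHSBMGH OQBuFFZQDCMGH(){");
d("\nDQBADH \";\n}");'''

if __name__ == '__main__':
    print(decode_d_calls(SAMPLE))
```

Run over the full quoted script, the decoded output is plain HTML with a browser-version check and a right-click handler, which is the kind of finding this sort of review is meant to establish.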


--------------------------------------------------------------------
Next Nomikai Meeting: February 18 (Fri) 19:00 Tengu TokyoEkiMae
Next Technical Meeting:  March 11 (Sat) 13:00 Temple University Japan
* Topic: TBD
--------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan

