Wrong address used. alug@stu.uea.ac.uk is the list address.
Message-ID: 01C0877D.F7100D60.earl.brannigan@lindenhouse.co.uk
From: Earl Brannigan earl.brannigan@lindenhouse.co.uk
To: "'alug-admin@stu.uea.ac.uk'" alug-admin@stu.uea.ac.uk
Subject: Something hiding on my system - anyone have any ideas
Date: Fri, 26 Jan 2001 09:54:24 -0000
Hi all,

New around here, been following the posts for a few weeks - hoping to make it to Syleham and do the intros there.

Anyways - anybody come across this before?

Last night I tried to log on to my box and no joy - wouldn't accept any passwords! OK, so I did a quick re-boot and fix with the installation disk (I'm running Red-hat 6.2) - log in and get the message "You have mail". So I open the mail to find a send failure, redirected to root@localhost. Then I scan the message to find the contents of my /etc/shadow file nicely included in the body of the mail! - together with some TCP info (ip address etc).

OK, so it seems I got Trojaned. OK OK, so I should have tripwire or AIDE installed.... I haven't cleaned the box yet - gonna be a major prob to do that.

Is anyone aware of any known trojans with this behaviour? The key - I think - is the sendto address on the mail: mmteam@techemail.criticalpath.net

Ring any bells?? (BTW please feel free to pass this mail on to any buds who may be interested.)

I haven't checked the email address yet. I was thinking of rewriting the encrypted password entries to render them useless then sending the mail, or just sending a blank email to see if it bounces (ie. they've moved on). If not, then the only reason I know about this is the fact that my sendmail is not set up at all.

Just goes to show - I have been a naughty boy recently and downloaded tons of stuff from FTP sites all over the place, but I think I could narrow the suspect packages down to about 5 or 6 if pushed.

Cheers, hope to see you all at Syleham.

Cheers
Earl
"I have not failed. I've just found 10,000 ways that won't work." - Thomas Alva Edison
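The post above only spotted the leak because the bounce landed in root's mailbox. As an added example (not from the original post or the ALUG list), the script below does that triage automatically: it parses a mail message, looks for lines shaped like /etc/shadow records (MD5 crypt as shipped with Red Hat 6.2, traditional DES crypt, or locked-account markers), and reports which accounts appear and every address mentioned, so a bounce or queued message can be checked without reading it by hand. The sample bounce, its hash strings and the 192.0.2.10 address are constructed for the example; the destination address is the one quoted in the post.

```python
import re
from email import message_from_string
from email.message import Message

# One /etc/shadow record: user, crypt(3) hash, then seven ageing fields.
# Hash forms covered: "$id$salt$hash" (MD5 crypt, the Red Hat 6.2 default),
# 13-character traditional DES crypt, and the "*" / "!" / "!!" lock markers.
SHADOW_ENTRY = re.compile(
    r"^(?P<user>[a-z_][a-z0-9_-]*):"
    r"(?P<hash>\$[0-9a-z]+\$[./0-9A-Za-z]*\$[./0-9A-Za-z]{22,}|[./0-9A-Za-z]{13}|\*|!!?):"
    r"\d*:\d*:\d*:\d*:\d*:\d*:\d*$",
    re.MULTILINE,
)

# Loose e-mail address pattern, used to surface where the data was headed.
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def message_body(msg: Message) -> str:
    """Return the text/plain content of a parsed message as one string."""
    if msg.is_multipart():
        chunks = [
            (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        ]
        return "\n".join(chunks)
    payload = msg.get_payload(decode=True) or b""
    return payload.decode("utf-8", "replace")


def find_shadow_leak(raw_message: str) -> dict:
    """Flag a message whose body carries /etc/shadow records.

    Returns the users whose records appear, every address mentioned in the
    From/To/Cc headers or the body (the exfiltration target usually shows up
    there), and the subject line.
    """
    msg = message_from_string(raw_message)
    body = message_body(msg)
    users = [m.group("user") for m in SHADOW_ENTRY.finditer(body)]
    header_text = " ".join(str(msg.get(h, "")) for h in ("From", "To", "Cc"))
    addresses = sorted(set(ADDRESS.findall(header_text + " " + body)))
    return {
        "leaked": bool(users),
        "users": users,
        "addresses": addresses,
        "subject": msg.get("Subject", ""),
    }


# Constructed sample: a sendmail bounce of the kind described in the post.
# The hash strings and the interface address are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@localhost
To: root@localhost
Subject: Returned mail: Host unknown

   ----- The following addresses had permanent fatal errors -----
mmteam@techemail.criticalpath.net

   ----- Original message follows -----
root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:11343:0:99999:7:::
bin:*:11343:0:99999:7:::
earl:$1$zyxwvuts$0123456789abcdefghijkl:11343:0:99999:7:::
eth0 inet addr:192.0.2.10 Mask:255.255.255.0
"""

# Constructed sample: an ordinary list message, which must not be flagged.
SAMPLE_CLEAN = """\
From: earl.brannigan@lindenhouse.co.uk
To: alug@stu.uea.ac.uk
Subject: Syleham

Hope to see you all at Syleham.
"""

if __name__ == "__main__":
    for name, raw in (("bounce", SAMPLE_BOUNCE), ("clean", SAMPLE_CLEAN)):
        print(name, find_shadow_leak(raw))
```

On a box like the one in the post you would feed it each message from root's mailbox or the sendmail queue directory; a hit tells you which accounts need new passwords before anything else, and the address list gives you the remote end to block at the mail relay. It is a triage aid, not a substitute for the tripwire or AIDE baseline the post mentions, which would have caught the modified binaries before they ever sent mail.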