13 Dec
2004
13 Dec
'04
11:16 p.m.
"Simon Byrnand"
We've been seeing the same thing for a couple of months now. I think it was discussed on this list about a month ago.... it's either a worm or a script kiddy script (I forget which) which scans for ssh servers, looking for insecure passwords and attempting to install an irc bot...
IIRC someone set up a honeypot with username/password root/root specifically to see what would happen and they did get an IRC bot installed and possibly a rootkit as well. cheers, Jamie -- James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/