Reply to post: Re: Is that the one I noticed this morning?

Mikrotik routers pwned en masse, send network data to mysterious box

bombastic bob Silver badge
Meh

Re: Is that the one I noticed this morning?

unfortunately it seems nothing's been done about the 'izuku.sh' file, though my logs show different IP addresses hosting it now. Yeah, they ignored me. Well that server _IS_ in Poland... they probably can't read or understand the information properly and/or just ignore it because they regularly host criminal services or similar. [I've had 'confirmed kills' before, with responses, just not that often - usually it is silently fixed or seems so because the activity stops]. Another possibility is that they leave it on the server to see what IP addresses download it to track the thing. Well I won't interfere with law enforcement if that's the case.

( I also posted the actual URL on USENET, and described it even better there, so not like it's invisible any more, and anyone can see it in web server logs )

Back at the turn o' the century, Code Red lingered for several years after the initial infections started. Someone (allegedly me perhaps?) allegedly had an auto-responder that would allegedly shut down the Code Red infected web server remotely (since it was attempting to spread a virus) via the Code Red back door command/control channel and (allegedly) leave a file on the administrator desktop that said something like "you are an idiot" and explained why the web server was shut down remotely. Both of those factoids should frighten any clueless admin into patching the thing (as it was most likely some old unpatched "oh we have a web server running?" Win2k box in a closet that nobody thought about). But I digress...


Biting the hand that feeds IT © 1998–2020