
RE: *MAJOR SECURITY BREACH AT CCBILL**
2001-12-24 08:16

Forwarded from: Jason Ware

This is someone's eggdrop botnet; the first part of the dump is the user file. The -bfoN is the user flags set, and b means another bot. The port it listens to, 9872, is the port the bots will use to connect to each other, using telnet or DCC, so that they can communicate. The first bot listed, goldeneye, is the hub bot; "--BOTFL ghp" means this bot will listen to goldeneye for any changes to user or channel records and will always try to connect to it. You can find more information about eggdrop bots and botnets at http://www.egghelp.org. Incidentally, this botnet is running the netbots set of scripts (the N flag means it's a netbots bot). This script's maker is the one running egghelp.org, but he would not be involved in this mess; it is a very common and useful set of scripts for eggdrop bots. Eggdrop bots are mostly harmless; they are used to hold and guard chat channels on IRC, but they can be modified very easily and run TCL scripts to do some nasty or wonderful things.

-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: Wednesday, December 19, 2001 10:23 PM
To: isn () attrition org
Subject: [ISN] *MAJOR SECURITY BREACH AT CCBILL**

Forwarded from: Ryan W. Maple

---------- Forwarded message ----------
Date: Wed, 19 Dec 2001 04:14:48 -0500
From: Dayne Jordan
To: incidents () securityfocus com
Subject: *MAJOR SECURITY BREACH AT CCBILL**

It appears that perhaps tens of thousands of username/passwords for valid shell logins ALL ACROSS THE NET may have been compromised at CCBILL, a large internet credit card/check processor used for e-commerce and adult sites. Read carefully!!

Well, after the user complaint below, we began some investigation and found about 6 of these IRC bots running on our network as well, all with a fartone.conf and a fartone eggdrop IRC daemon listening on port 9872. This is across 6 different machines alone in our server farm, so far that we have found; we are scanning right now to find out if there are more listening on port 9872 in our address spaces.

Interestingly enough, the common tie between all these compromised accounts is that they are ALL CCBILL customers. Being CCBILL customers, they have all their userid and password information to ssh to their website(s)/server(s) to update scripts and databases as required. Was CCBILL hacked? Or do they have someone inside who has released the user information abroad?

We called a couple of other hosts whom we communicate with and voila, they have boxes with IRC bots running on port 9872 as well, also CCBILL clients. It appears whoever has obtained the CCBILL list of usernames/passwords systematically SSHes into their customers' servers, installs the IRC eggdrop bot and leaves. I have found no instances of root kits, or anything else malicious being performed or installed. In fact, in all 6 instances they left all their .tar and config files, AND their .history files intact. Looking through normal daily log files would not tip you off to any sort of compromise at all; no multiple password failures, etc., because they already have the correct password to log in :)

It is my opinion that Cavecreek/CCBILL has had a breach of security, thus releasing user ids and logins on various servers around the internet. CCBILL's customer base is in the tens of thousands. It appears the bots are merely sitting and listening, waiting for commands for perhaps a large distributed DoS attack; it does not appear that they are logging any sensitive data transmitted through the server(s). I tcpdumped the port and logged in and out of the server to make sure it wasn't transmitting any data elsewhere. I also confirmed that the bots were not logging anything locally either.
I have attached a sample output of strings on the binary file called 'fartone' for your review; please note there are *several* cavecreek machines who are listed as well as many others. ALL these machines below have been verified to have port 9872 open and listening with perhaps this same type of IRC Eggdrop bot running. Also please note, all these servers/domains listed below are current CCBILL subscribers:

ares# strings fartone
#4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
goldeneye - bfoN
--BOTADDR insecure.nl:4567/4567
--BOTFL ghp
--HOSTS *!*lagg () blackhole iarga com
--LASTON 1008733201 #(_(_)============D
--XTRA created 1008544330
--PASS 0dz32ajse1wsg
Please note the .history file from just this one account; this is merely a small sample, and these are all CCBILL accounts:

stan () visox com wrote:
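As an added example (not code from the post, from eggdrop or from the netbots scripts), here is a small parser for the user-file layout seen in the strings output above: a "handle - flags" line followed by --BOTADDR/--BOTFL/--HOSTS/--PASS continuation lines. It pulls out the bot records (user flag b), the bot the local one auto-links to (bot flag h in --BOTFL) and the telnet ports worth sweeping for, which is the inventory a hosting provider would want before scanning its own address space. The sample user file, handles, hosts and passwords are constructed placeholders.

```python
import re

# Constructed sample in eggdrop's user-file layout: a "handle - flags" line, then
# "--ATTR value" continuation lines. Placeholders, not entries from the post's dump.
SAMPLE_USERFILE = """\
#4v: eggdrop v1.6.7 -- localbot -- written Wed Dec 19 02:00:00 2001
hubbot - bfoN
--BOTADDR hub.example.invalid:4567/4567
--BOTFL ghp
--PASS placeholder1
leaf1 - bfoN
--HOSTS *!*leaf1@leaf1.example.invalid
--BOTADDR leaf1.example.invalid:9872/9872
leaf2 - bfoN
--BOTADDR 192.0.2.10:9872/9872
opuser - hjmnoptx
--PASS +hashedplaceholder
"""
RECORD_RE = re.compile(r"^(\S+) - (\S+)$")       # handle - flags
ATTR_RE = re.compile(r"^--([A-Z]+)\s+(.*)$")     # --ATTR value
BOTADDR_RE = re.compile(r"^(.+?):(\d+)/(\d+)$")  # host:telnetport/relayport

def parse_userfile(text):
    """Return one {handle, flags, attrs} dict per user record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and the version header
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append({"handle": m.group(1), "flags": m.group(2), "attrs": {}})
            continue
        m = ATTR_RE.match(line)
        if m and records:  # a continuation line belongs to the last record seen
            records[-1]["attrs"].setdefault(m.group(1), []).append(m.group(2))
    return records

def bot_inventory(records):
    """(handle, host, telnet port) for every record carrying the 'b' (bot) flag."""
    out = []
    for r in records:
        if "b" not in r["flags"]:   # ordinary users (opuser) are not peers
            continue
        for m in filter(None, map(BOTADDR_RE.match, r["attrs"].get("BOTADDR", []))):
            out.append((r["handle"], m.group(1), int(m.group(2))))
    return out

def hub_bots(records):
    """Bots the local bot auto-links to: eggdrop bot flag 'h' (hub) in --BOTFL."""
    return [r["handle"] for r in records if "b" in r["flags"]
            and any("h" in f for f in r["attrs"].get("BOTFL", []))]

def listen_ports(records):
    return sorted({p for _, _, p in bot_inventory(records)})  # ports to sweep for
```

Note that the hub check reads --BOTFL, not the user flags: opuser carries an h in its user flags (a channel op), which is unrelated to bot linking.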


News URL

http://www.egghelp.org