Beware of this lame guy!

If you ever had any orders coming from the these IP addresses, report to your merchant to cancel and refund the order.

http://groups.google.com/groups?q=20...llo.com&rnum=2

http://groups.google.com/groups?q=20...inet.hr&rnum=1

and this one - 206.41.250.18

This early morning I found out that there was a cron job added yesterday. Take a look at it and he executed a php scripts to break into others' directories and place all his psyBNC configuration files there. He did the same for the cron job.

He has had quite a lot of eggie and bouncer running at undernet #VooDooPeople. Several of them from Burst (Cpanel) and most of them from RS Ensim box.

Even he has disconnected the service, his cron job might still run if you don't delete it. If you think you might be one of the victims, go look your cron to see any new added cron job that starts from "perl -e ...." that runs every 5 minutes or so. Then search for the file "max.pl" and "chkit" in your server. Delete them and go for a reboot.

It's not quite obvious to see from ps results as he starts the psyBNC as "[httpd]".

Go to your /tmp directory and delete the directory "za" and filename "za.tar.gz"

This guy is still hanging around at WHT. Heh... Watch out for the request if you don't know what you're doing. Beware of this lame guy!

 

 

 

 

Top