Quote:
I am beginning to suspect my own machine as being the traitor. *:? *
Well, your IP resolves to 217-160-43.adsl.tele2.no, and you've always posted under that one so that's not it. However, what I did find odd is this:
--------------------------------------------------
Zupah_Smurf/s722/plugins/plugins/icqpwsteal.dll b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/plugins/plugins/icqpwsteal.txt b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/plugins/plugins/matrix.dll b _ i r kostak ftp 0 * c
<cut>
Zupah_Smurf/s722/s7config.cfg b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/server.exe b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/sin.exe b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/sub7.exe b _ i r kostak ftp 0 * c
--------------------------------------------------
OK, so what this basically means is that, for some unknown reason, one of the most popular backdoors ever, SubSeven, was in your directory on the server. OK, so this is how I think the story goes:
You had / have sub7 installed on your computer. The intruder connected to your machine and extracted all passwords from your computer (yes, it can do that). Then the guy saw the password for abandonia which I gave you. He then connected to the site using WS_FTP and uploaded sub7 to your directory (that's what the logs show he did). I have absolutely no idea why he did it. After he uploaded sub7 to your directory on the server, he erased everything, and left the sub7 files and directories intact. In fact, that was one of the only things left on the server. However, he wasn't very smart, because he thought that by deleting the access.log he would cover his tracks.
I filed an abuse complaint with British Telecom. Maybe they'll answer, maybe they won't. Time will tell. One thing is sure: Tom, get some anti-virus software, please.
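The excerpt above survived because the FTP daemon keeps its own transfer log separately from the web server's access.log. As an added example (not part of the original post or of any tool the poster used), here is a small parser that reads such records and flags completed uploads of executable-type files per account. It assumes the excerpt is the tail end of the standard wu-ftpd / ProFTPD "xferlog" format (filename, transfer type, special action, direction, access mode, username, service, authentication method, authenticated user id, completion status); the date, duration, host and size fields in the sample lines are constructed, and the account and file names merely echo the post.

```python
"""Flag uploads of executable files in FTP transfer (xferlog) records.

Added example, not code from the original forum post. Assumption: the
records follow the wu-ftpd / ProFTPD xferlog layout, whose trailing nine
fields match the excerpt in the post ("b _ i r kostak ftp 0 * c").
"""
import os
from collections import defaultdict

# Constructed sample log. Leading date/time, transfer-time, remote host and
# size fields are invented; the file and user names echo the post's excerpt.
SAMPLE_XFERLOG = """\
Mon Jan  7 21:14:02 2002 1 192.0.2.10 512000 /Zupah_Smurf/s722/server.exe b _ i r kostak ftp 0 * c
Mon Jan  7 21:14:09 2002 1 192.0.2.10 8192 /Zupah_Smurf/s722/s7config.cfg b _ i r kostak ftp 0 * c
Mon Jan  7 21:14:31 2002 2 192.0.2.10 1146880 /Zupah_Smurf/s722/sub7.exe b _ i r kostak ftp 0 * c
Mon Jan  7 21:15:00 2002 1 192.0.2.10 20480 /Zupah_Smurf/s722/plugins/plugins/icqpwsteal.dll b _ i r kostak ftp 0 * c
Tue Jan  8 09:02:11 2002 1 198.51.100.7 3072 /games/index.html a _ o r tom ftp 0 * c
Tue Jan  8 09:03:45 2002 1 198.51.100.7 40960 /games/screens/shot1.gif b _ i r tom ftp 0 * c
"""

# File types that normally have no business being uploaded to a web/FTP area
# for a static games site. Adjust to the site's actual content.
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".pif", ".bat"}

# Number of fixed fields that follow the filename in an xferlog record.
TRAILING_FIELDS = 9


def parse_xferlog_line(line):
    """Split one xferlog record into a dict; return None for malformed lines.

    Layout: 5 date/time tokens, transfer-time, remote-host, file-size,
    filename (may contain spaces), then the nine trailing fields.
    """
    parts = line.split()
    if len(parts) < 5 + 3 + 1 + TRAILING_FIELDS:
        return None
    tail = parts[-TRAILING_FIELDS:]
    return {
        "timestamp": " ".join(parts[0:5]),
        "transfer_time": int(parts[5]),
        "remote_host": parts[6],
        "size": int(parts[7]),
        "filename": " ".join(parts[8:-TRAILING_FIELDS]),
        "transfer_type": tail[0],   # a = ascii, b = binary
        "special_action": tail[1],  # _ = none, C/U/T = compressed/uncompressed/tar
        "direction": tail[2],       # i = incoming (upload), o = outgoing (download)
        "access_mode": tail[3],     # r = real user, a = anonymous, g = guest
        "username": tail[4],
        "service": tail[5],
        "auth_method": tail[6],
        "auth_user": tail[7],
        "completion": tail[8],      # c = complete, i = incomplete
    }


def find_suspicious_uploads(log_text):
    """Return {username: [(remote_host, filename), ...]} for completed
    incoming transfers whose file extension is in SUSPICIOUS_EXTENSIONS."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        ext = os.path.splitext(rec["filename"])[1].lower()
        if rec["direction"] == "i" and rec["completion"] == "c" and ext in SUSPICIOUS_EXTENSIONS:
            hits[rec["username"]].append((rec["remote_host"], rec["filename"]))
    return dict(hits)


if __name__ == "__main__":
    for user, uploads in find_suspicious_uploads(SAMPLE_XFERLOG).items():
        print(f"account {user!r}: {len(uploads)} executable upload(s)")
        for host, path in uploads:
            print(f"  from {host}: {path}")
```

Grouping by account and recording the remote host is what lets an admin make the comparison the poster made by hand: uploads of binaries from a host that does not match the address the legitimate user normally posts from are the thing to investigate, and the web server's access.log being gone does not remove this evidence.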