HUC

Helixx · 04-25-2001, 01:29 PM

We got hit by a group calling themselves the HUC (Hackers Union of China.) I verified that all unused ports were shutdown and got hit again today! Grrr. They change all of the home pages to a vanity line that reads "Powered by H.U.C(c00l li0n).-----li0n Crew"

Any info on how to block these guys would be appreciated. Also, are we the only ones? Anyone else getting hit? Thanks.

H

raz · 04-27-2001, 03:59 AM

You say all unused ports are shut down.
Then I can tell you they are using your open ports.

Make sure you have patched your web server and any other public services. i.e DNS server...

/Raz

roxymuzick · 07-11-2001, 03:37 PM

We got hit by the H.U.C

Does anybody know where to go and what to do to fix it and protect against it happening again?

If so please let us know:

Thanks

Greg
RoxyMuzick@aol.com

Brandon
brandon@avccorp.com

mcleodnine · 07-11-2001, 03:52 PM

Judging by the hackers .sig, it appears that this is then 'lion' worm/trojan that exploits some bind implementations. there's a util called 'lionfind' that I got a while back to search for suspicious files. Think it was from cert.

unSpawn · 07-11-2001, 04:07 PM

Your systems security was severely breached.
I suggest u first read CERT's "discover from root compromise" http://www.cert.org/tech_tips/root_compromise.html

Using Lion/Ramen stylee attack against vulnerable BIND8 to get in, read http://whitehats.com/library/worms/lion/ for the whole detailed story.

raz · 07-12-2001, 03:33 AM

To check if you do have this worm, run the lion find script written by Bill Stearns.

http://www.ists.dartmouth.edu/IRIA/k...s/lionfind.htm

/Raz

Colonel Panic · 07-19-2001, 05:17 PM

They are no hackers. Just a bunch of crackers, I say. Can't stand them. Crackers have no morals, nor do they have skill. They just know how to break security...

*****Colonel Panic*****