> -----Original Message-----
> From: Michael Stauber [mailto:bq (at mark) solarspeed.net]
> Sent: Wednesday, July 29, 2009 10:03 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:15846] Re: [LIKELY_SPAM]Root exploit on Blue Quartz
>
> Hmm. So someone from 87.68.83.90 (Smile Communications Ltd., Hasivim 25
> Petach-Tikva,Israel) logged in by SSH as "adm1n". An account that he had
> created minutes earlier by logging in as "admin" into the GUI:
>
> > Jul 27 12:56:17 www cced(smd)[31615]: client 0:[48:12626]: AUTH to "admin" (5) succeeded
> > Jul 27 12:59:50 www cced(smd)[32605]: client 5:[48:12627]: CREATE "User" "fullName" "=" "adm1n" "capLevels" "=" "&adminUser&controlPower&ipPooling&" "sortName" "=" "" "name" "=" "adm1n" "password" "=" xxx
>
> Now the real question is: How did he obtain the "admin" password in the
> first place, which allowed him to make the initial privileged connection
> to the GUI?
Dunno.
I changed the password just to be safe until I figured out what's going on.