Full Disclosure mailing list archives
Re: xpire.info & splitinfinity.info - exploits in the wild
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 25 Oct 2004 12:24:47 +1300
Elia Florio wrote:
> > I'm not sure that qmail-inject isn't a red herring? The actual download looks like 'wget' was used.
>
> Good suggestion, my friend :) WGET was used to retrieve the http://xpire.info/cli.gz connectback shell.
>
> > More specifically, from the strings in the binary it looks awfully like sd's bindtty -- try Googling for "bindtty.c"... The possible bad news is that bindtty is used in the suckit rootkit, so your remote-only access may cause major (if not insurmountable) problems to doing a half-useful diagnosis...

<<big snip>>

> The hacker pages used to accomplish the injection are based on this test page, taken directly from the hacker site :-)
>
>    http://xpire.info/s/2
>    http://xpire.info/s/
>
> I notice that this site is full of trojan/backdoor/shell/worm/exploit and other malware.... why is it still open?
You'd be surprised how few folk actually complain about a lot of these sites. Compound that with the rate of incompetence at many small (and even many not-so-small) ISPs, where the very thin margins mean they don't have time (and seldom good enough staff anyway) to analyse such complaints, and where the emphasis is often more on making sure they get their $10, $20, $40, etc. this month from that customer, and many such sites stay up way too long.

The way to break such sites is for some "authority" to contact them (a CERT, law enforcement, etc.) or "enough" polite, professional, clearly technically competent but not overly technical complaints explaining what the site is being used for and why it should be shut down.

Of course, often the "base" sites are themselves simply just ill-maintained systems that have, themselves, been hacked, and if all the ISP is up to doing is closing the apparently rogue site/account, or simply removing the "offending content", the site (and others similarly hosted on the still badly maintained servers) remains open to further, similar abuse.

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
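The identification above rests on a quick static triage: pull the printable strings out of the fetched binary and look for names that give away a known backdoor (here "bindtty"). The script below is an added example, not code from the thread or from either poster, showing that technique in a form that can be run off-host on a copy of a suspect file. The sample bytes are constructed for the example and are not the real cli.gz payload; the indicator list is an assumption (only "bindtty" comes from the thread, the other entries are generic shell/pty/socket markers). As Nick notes, if a suckit-style rootkit is installed, anything run on the compromised host itself can be lied to, so copy the file off first.

```python
import re
from typing import Dict, List

# Constructed sample blob for the example: an ELF-like header, some junk,
# and a few embedded strings. It is NOT the real cli.gz from the thread.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x90\x90/bin/sh\x00\xff\x01"
    + b"bindtty\x00\x02\x03"
    + b"ab\x00"                      # shorter than MIN_LEN, must be ignored
    + b"connect\x00/dev/ptmx\x00"
    + b"\x13\x37"
)

MIN_LEN = 4  # same default as strings(1)

# Hypothetical indicator table (assumed for this example). "bindtty" is the
# name mentioned in the thread; the rest are generic backdoor/pty markers.
INDICATORS: Dict[str, str] = {
    "bindtty": "sd's bindtty backdoor (named in the thread)",
    "/bin/sh": "spawns a shell",
    "/dev/ptmx": "allocates a pseudo-terminal",
    "connect": "outbound (connect-back) socket",
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of printable ASCII (0x20-0x7e) of at least min_len
    bytes, in file order, like strings(1) would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator that occurs in the binary's strings to the
    strings that contained it. An empty dict means nothing matched."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        for indicator in INDICATORS:
            if indicator in s:
                hits.setdefault(indicator, []).append(s)
    return hits


def main() -> None:
    found = triage(SAMPLE_BINARY)
    for indicator, strings_hit in found.items():
        print(f"{indicator!r:12} -> {INDICATORS[indicator]} (in {strings_hit})")


if __name__ == "__main__":
    main()
```

A match on a string such as "bindtty" is a lead, not proof: a packed or stripped binary yields few useful strings, and an attacker can rename them, so treat a hit as a reason to pull the file and compare it against a known bindtty build rather than as a final identification.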
Current thread:
- xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Nick FitzGerald (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Ron DuFresne (Oct 25)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 26)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- <Possible follow-ups>
- Re: xpire.info & splitinfinity.info - exploits in the wild bowwow (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 27)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 27)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)