Full Disclosure mailing list archives
Re: Plague Proof of Concept Linux backdoor
From: Andrew Farmer <andfarm () gmail com>
Date: Sun, 22 Oct 2006 20:14:58 -0700
On 22 Oct 06, at 04:29, hijacker () oldum net wrote:
even if they have ssh access, there is still nothing they can do, except to create two files in there $HOME directories containing expressions from paths.h and sysexits.h ? Why would that be considered a backdoor?
The awk commands parse out the strings "/etc/passwd" and "/etc/ shadow" from the headers. It's still rather easily detected - most of the rootkit- checking programs will detect an alternate uid0 account very quickly - but it does demonstrate an interesting way of avoiding target strings in the binary. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Plague Proof of Concept Linux backdoor J. Oquendo (Oct 21)
- Re: Plague Proof of Concept Linux backdoor Dude VanWinkle (Oct 22)
- Re: Plague Proof of Concept Linux backdoor hijacker (Oct 22)
- Re: Plague Proof of Concept Linux backdoor Andrew Farmer (Oct 22)
- Re: Plague Proof of Concept Linux backdoor hijacker (Oct 23)
- Re: Plague Proof of Concept Linux backdoor Rik Bobbaers (Oct 23)
- Re: Plague Proof of Concept Linux backdoor hijacker (Oct 23)
- Re: Plague Proof of Concept Linux backdoor Rik Bobbaers (Oct 23)
- Re: Plague Proof of Concept Linux backdoor hijacker (Oct 22)
- Re: Plague Proof of Concept Linux backdoor Dude VanWinkle (Oct 22)
- <Possible follow-ups>
- Re: Plague Proof of Concept Linux backdoor cdejrhymeswithgay (Oct 22)
- Re: Plague Proof of Concept Linux backdoor Dude VanWinkle (Oct 22)
- Re: Plague Proof of Concept Linux backdoor daylasoul (Oct 22)
- Re: Plague Proof of Concept Linux backdoor virus (Oct 23)