Full Disclosure mailing list archives

Re: what is this?

From: "crazy frog crazy frog" <i.m.crazy.frog () gmail com>
Date: Tue, 15 Jan 2008 11:42:33 +0530

well,
i received many response but no one is perfact.i checked the files and
didn't find anything embeded in my scripts or pages.still i have to
figure out why my antivirus randomly popsup?i mean most of the times
it doesnt detect any infection but then suddenly this thing happnes
and then everything seems ok.
i dont think its a problem with my script otherwise i could have find
the code or it should be repeating consistly.has any one still facing
this issue in the techicorner.com or on tubeley.com or on
secgeeks.com?

let me know i m trying hard to digg this issue.

On Jan 15, 2008 10:46 AM, Denis <sp23 () internode on net> wrote:

This is a very serious new threat affecting Linux servers and thousands
of boxes have been compromised since December 2007.

Each box serving the nasty javascript has been rooted. One person has
found a way to CLEAN the infection (ie. stop your server from serving
the bad javascript), however not the root hole ie. the servers in
question are still rooted as nobody so far has found what hole is being
exploited to gain root access in the first place.

See the following urls for a lot more info on this exploit:

http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
starts on page 3 or so)

http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/

Time for some honey pot action to find out how they're gaining root
access to begin with. From all reports so far it does not appear to be a
kernel vulnerability (as some of the affected servers were using latest
kernels)

Cheers,
Denis


On Sun, 13 Jan 2008 21:31:34 +0530
"crazy frog crazy frog" <i.m.crazy.frog () gmail com> wrote:

---> Hi,

--->
---> Recently on opening one of my site,my antivirus pops up saying that it
---> has found on malicious script.the url is random and i have managed to
---> get tht script.it is using some flaw in apple quick time.
---> u can get the zip file for java script here:
---> http://secgeeks.com/what.zip
---> password is 12345
---> can somebody guide/help me what is this and how can i remove it?
--->
---> --
---> advertise on secgeeks?
---> http://secgeeks.com/Advertising_on_Secgeeks.com
---> http://newskicks.com

Denis




-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: what is this?, (continued)
- - - Re: what is this? Fredrick Diggle (Jan 17)
    - Re: what is this? Valdis . Kletnieks (Jan 17)
    - Re: what is this? Paul Schmehl (Jan 17)
    - Re: what is this? Fredrick Diggle (Jan 18)
    - Re: what is this? worried security (Jan 18)
    - Re: what is this? Tremaine Lea (Jan 16)
    - Re: what is this? scott (Jan 16)
    - Re: what is this? reepex (Jan 17)
  - Re: what is this? damncon (Jan 16)
    - Re: what is this? Valdis . Kletnieks (Jan 17)
  - Message not available
    - Re: what is this? crazy frog crazy frog (Jan 14)
    - Re: what is this? Nick FitzGerald (Jan 14)
    - Re: what is this? crazy frog crazy frog (Jan 15)
    - Re: what is this? Gadi Evron (Jan 15)
    - Re: what is this? crazy frog crazy frog (Jan 15)
    - Re: what is this? worried security (Jan 15)
    - Re: what is this? Thomas Pollet (Jan 15)
- Re: what is this? auto71278 (Jan 15)
  - Re: what is this? Paul Schmehl (Jan 15)
    - Re: what is this? Valdis . Kletnieks (Jan 15)
    - Re: what is this? worried security (Jan 15)

(Thread continues...)