Re: Linux Kernel Exploits / ABFrag

[eax () 3xT org]

I don't see the attachment.  Could you re-send it?

Keep in mind you could have gotten owned via a known method.  There have been lots of rumors
about a remote kernel attack and it could just be a hoax/decoy to further propagate that rumor
and/or direct your attention away from the real method of entry.

Could you also elaborate on what exactly the IDS reported?



On Wed, 16 Oct 2002 daniel.roberts () hushmail com wrote:

> Greetings.
>     Today I had a rather strange experiance. At about 4:30 pm GMT my
> IDS began reporting strange TCP behaviour on my network segment. As I
> was unable to verify the cause of this behaviour I was forced to remove
> the Linux box that I use a border gateway and traffic monitor - at no small
> cost to my organization - the network is yet to be reconnected.
> After a reboot and preliminary analysis I found the binary ABfrag sitting
> in /tmp. It had only been created minutes before.
> Setting up a small sandbox I ran the program and was presented with the following
> output:
>
>  
> ----------------------------------------------------------------------------
>  
> ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit
>  
> Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.
>  
> WARNING:
> Unlicensed usage and/or distribution of this program carries heavy fines
> and penalties under American, British, European and International copyright
> law.
> Should you find this program on any compromised system we urge you to delete
> this binary rather than attempt distribution or analysis. Such actions would
> be both unlawful and unwise.
>  
> ----------------------------------------------------------------------------
> password:
> invalid key  
>
> I remembered, vaguely - I sift through a lot of security mail each day, some 
> talk of a rumoured Linux kernel exploit circulating among members of the hacker
> underground. On the advice of some friends in law-enforcement I joined the EFnet
> channels #phrack and #darknet and tried to solicit some information regarding this
> alleged exploit. Most people publicly attacked me for my neivette but two individuals
> contacted me via private messages and informed me that the "ac1db1tch3z" were bad news,
> apparently a group of older (mid 20's) security guru's, and that I should delete the
> exploit and forget I ever knew it existed.
> However, somthing twigged my sense of adventure and prompted me to try and get this out
> to the community.
>
> Any help or information regarding this will be of great help.
>
> I have attached the binary although it appears to be encrypted and passworded. I wish
> any skilled programmers the best of luck in decyphering it.
>
> Yours,
>
> Daniel Roberts
> Head Network Manager
>
>
>
>
>
> Get your free encrypted email at https://www.hushmail.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com