Security Incidents mailing list archives
Re: Systems compromised with ShellBOT perl script - part 2
From: Kirby Angell <kangell () alertra com>
Date: Thu, 09 Sep 2004 12:19:02 -0500
Sure enough, I ran it as root in my VMWare install and it infected a bunch of files in /bin. For some reason, tcpdump isn't catching any of the traffic it generates though. I've tried it on the host against the vmnet8 interface and from within the VM (after chmod'ing /dev/vmnet). I'm going to try it again with a clean VM install.

Shashank Rai wrote:
| Hi Kirby,
|
| great work!! is it possible to get the gzipped files? BTW as for doze4
| ... a scan with f-prot (linux cmd line edition) identifies it as
| "Infection: Unix/RST.B". An online scan on
| http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
| Linux.RST.b
| Here is Sophos description of RST.B (from
| http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
| ------
| Linux/Rst-B will attempt to infect all ELF executables in the current
| working directory and the directory /bin
|
| If Linux/Rst-B is executed by a privileged user then it may attempt to
| create a backdoor on the system. This is achieved by opening a socket
| and listening for a particular packet containing details about the
| origin of the attacker and the command the attacker would like to
| execute on the system.
| -----------

--
Thank you,
Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
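
An added example (not part of the original messages): a before/after check for the behaviour quoted from Sophos above, hashing every ELF file in a set of directories so that binaries changed by running a sample in a test VM can be listed. The function names and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat

ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    """True if path is a regular file (not a symlink) starting with the ELF magic."""
    try:
        if not stat.S_ISREG(os.lstat(path).st_mode):
            return False
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def snapshot(directories):
    """Map each ELF file directly inside the given directories to (size, sha256)."""
    snap = {}
    for d in directories:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if is_elf(path):
                with open(path, "rb") as f:
                    data = f.read()
                snap[path] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def diff_snapshots(before, after):
    """Return ELF files whose content changed, appeared, or disappeared."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed sample: two fake ELF files and a script; one ELF gets bytes appended."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("ls", ELF_MAGIC + b"A" * 64), ("cat", ELF_MAGIC + b"B" * 64),
                           ("run.sh", b"#!/bin/sh\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        before = snapshot([d])
        with open(os.path.join(d, "ls"), "ab") as f:  # stand-in for a modified binary
            f.write(b"X" * 32)
        result = diff_snapshots(before, snapshot([d]))
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}

if __name__ == "__main__":
    print(demo())
```

For the test described in the message, the first snapshot would be taken of /bin and the sample's working directory on the clean VM install, and the second after the run.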