Full Disclosure mailing list archives
Re: mydoom.c information
From: m.mohr () laposte net
Date: Sun, 7 Mar 2004 14:01:01 -0800 (PST)
See comments inserted in reply:

On Sun, 7 Mar 2004, morning_wood wrote:

basically looking for sync-src-1.00.tbz. That message was posted to this

avail on infected hosts
The whole point is that I don't *want* to be infected. I don't have an infected host because I am a good admin. I want to obtain a copy of the source code, not the binary virus.
This is how I came to be in possession of it:

    nc -l -p 3127 > doomjuice.dump

You will probably want to write a loop to restart netcat because it exits after a successful transfer.

    nc -L -p 3127 > out.txt

note: " -L " will not exit your listener, as it is for a persistent listener.
Okay. Strangely enough, my version of netcat doesn't have an option "L":

    nc [v1.10]
    bash-2.05b$ nc -L
    nc: invalid option -- L
    nc -h for help
    bash-2.05b$

Additionally, the whole point of writing a script is that I actually *want* my listener to exit so that it can be called again and write to a new file, thus separating infection attempts cleanly. This removes the need for me to comb through a huge dump and guess where each virus begins and ends. E.g.:

    x=0; while true; do x=$((x+1)); nc -l -p 3127 > 3127.$x; done
please see http://lists.netsys.com/pipermail/full-disclosure/2004-February/017126.html
Thanks for the link ... I wish I had been able to find this earlier, it would have helped me quite a bit. Although the bit about intentionally infecting oneself doesn't exactly make me want to jump for joy.
as i do not wish to type-iterate.

Donnie Werner
http://exploitlabs.com
In any case, thank you for your reply!

Regards,
Michael Mohr

P.S. I visited your website and it has some good information on it. One thing really needs to change though IMHO: Flash isn't cool. If I can't see it in lynx, I generally don't want to see it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
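
The one-file-per-connection capture described in the message above, as an added example that is not part of the original post: a Python listener that writes each connection on port 3127 to its own read-only file, caps its size, and records a SHA-256 for each capture. The function names, the size cap, the idle timeout and the `captures` directory are assumptions made for this example.

```python
import hashlib
import os
import socket
import time

MAX_BYTES = 8 * 1024 * 1024  # assumed cap so one sender cannot fill the disk
IDLE_TIMEOUT = 30.0          # assumed: seconds of silence before giving up

def save_stream(conn, peer, outdir, index, max_bytes=MAX_BYTES):
    """Write one connection's bytes to its own file and return its metadata."""
    conn.settimeout(IDLE_TIMEOUT)
    path = os.path.join(outdir, "3127.%d.%d" % (time.time_ns(), index))
    digest, size, truncated = hashlib.sha256(), 0, False
    # O_EXCL never overwrites an earlier capture; 0o400 keeps it read-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as out:
        while True:
            try:
                chunk = conn.recv(65536)
            except (socket.timeout, ConnectionError):
                break  # sender went quiet or reset the connection
            if not chunk:
                break  # sender closed the connection
            if size + len(chunk) > max_bytes:
                chunk, truncated = chunk[: max_bytes - size], True
            out.write(chunk)
            digest.update(chunk)
            size += len(chunk)
            if truncated:
                break
    return {"path": path, "peer": peer, "bytes": size,
            "sha256": digest.hexdigest(), "truncated": truncated}

def serve(outdir, port=3127):
    """Accept forever; each connection lands in a separate capture file."""
    os.makedirs(outdir, exist_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        index = 0
        while True:
            conn, addr = srv.accept()
            index += 1
            with conn:
                print(save_stream(conn, "%s:%d" % addr, outdir, index))

if __name__ == "__main__":
    serve("captures")
```

The returned digest lets repeated deliveries of the same file be grouped without opening the captures.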