Full Disclosure mailing list archives
Re: Trojan found on Linux server
From: Bulgaria Online - Assen Totin <assen () online bg>
Date: Wed, 04 Jan 2006 14:26:29 +0200
Hi all,
http://www.jeremygaddis.com/files/ummtodkhk.
A quick test shows that the process forks, then opens an IRC session to 64.239.9.236 port 3434 (there are also two others hard-coded IP addresses inside the binary, 219.133.46.212 and 61.211.239.84) - probably a password protected server, the agent issues these commands: PASS f9dsa USER mbopaidgb NICK cmktvjopr Probably stays logged there, expecting remote commands. Seems capable of spawning a shell on the infected machine. The "crontab" solution is quite interesting, however. But even more interesting is how the infection spreads... if it came through Apache, can you suggest version and configuration (is there PHP, for example; is any file upload permitted etc.) Happy hunting, Assen Totin Development Manager -- =============================== BULGARIA ONLINE Your quality... Your price! =============================== ++ 359 2 9733000 ext. 511 http://home.online.bg _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Trojan found on Linux server Gaddis, Jeremy L. (Jan 02)
- Re: Trojan found on Linux server Niek (Jan 02)
- Re: Trojan found on Linux server Gaddis, Jeremy L. (Jan 02)
- Re: Trojan found on Linux server Morning Wood (Jan 02)
- Re: Trojan found on Linux server GroundZero Security (Jan 02)
- Re: Trojan found on Linux server Niek (Jan 02)
- Re: Trojan found on Linux server Gaddis, Jeremy L. (Jan 02)
- Re: Trojan found on Linux server Bulgaria Online - Assen Totin (Jan 04)
- Re: Trojan found on Linux server Niek (Jan 02)