Full Disclosure mailing list archives
Re: Plague re-visited
From: Philosophil <flosofl () gmail com>
Date: Mon, 23 Oct 2006 10:17:19 -0500
You always get these "i'm l33t and like to insult people" kind of goons on unmoderated lists. They're good for a laugh, but usually I just ignore them or if they are particularly odious I filter them to trash. There's still good information to be found every now and again on this list. On 10/23/06, hijacker () oldum net <hijacker () oldum net> wrote:
J. Oquendo, Sorry for my ever asking for clarification on plague. Keep the "good" work. Maybe I will be unsubscribed by the time you read those lines, who knows? cheers, -nik > hijacker () oldum net wrote: >> Hello Rik, >> and how on earth can you make "root" run that piece of code? Do you have >> to specify it in the README section that it is mandatory to run that as >> root in order the "new" application root will be installing to run as >> expected? >> > > If you need someone to spell out how this works and how it maintains an > account then you should unsubscribe from all security lists and search > google for pokemon, change your hobby, get out of this field. From the > onset nothing specified "remote root access" it stated proof of concept > "BACKDOOR" if you need the term defined for you, re-read the previous > sentence in its entirety. > >> Indeed, it is hard to tell what it actually does... unless you open your >> eyes and see sed 's/root/something/g' somewhere. >> > > The purpose of me pondering this was a "notion" that one doesn't always > need to re-invent the wheel. Using standard commands, its actually easier > and safer to maintain a backdoor. If someone already rooted a machine, how > does one maintain that account without setting off bells and whistles. > It's alot easier to whip up little bits and pieces and have it precompile > into one script, run itself, and delete itself afterwards. There would be > no trace of any "all inclusive" backdoor programs. A snippet here, a > snippet there all precompiling either on a system startup or shutdown. > >> Either way, installing from hundreds of source files, can make even the >> best sys admin to not notice that part of the source code of the >> BACKDOOR-contagious application! >> > > Really... Most system administrators don't even pay attention to log > files. Most system administrators are so caught up with every work, > putting out fires, configuring and maintaining systems they don't have > time to check a 500gb drive for a backdoor, and when they do, they're > doing what running chkrootkit. Using a method such as the one I described > makes it much more difficult to detect a backdoor. As for seeing the word > root and raising a red flag, don't make me laugh, see lines 2 and 4 > below... Let's start in /etc/rc3.d... > > echo "file=`awk 'NR==59 {gsub(/"/,"");print \$3}' /usr/include/paths.h`" > >> K1firstfile > echo "echo "sed -n '1p' \$file|sed 's/[^:]*:/new_account_name:/' >> $file" > >>" >> K2nextfile > echo "file2=`awk 'NR==74 {print \$8}' /usr/include/sysexits.h`" >> > K3anotherfile > echo "sed -n '1p' \$file2|sed 's/[^:]*:/new_account_name:/'' >> $file2" >> > K4endingfile > echo "rm $file1 $file2" >> K5lastfileremove > > Where one file depends on the next and so on and so forth. At the end of > it all the backdoor files are removed, yet on startup (or shutdown > depending on how its written), files are re-compiled and the account is > recreated. The problem I see with many administrators and users nowadays, > are they're not totally clued in... So you see file=`awk 'NR==59 > {gsub(/"/,"");print \$3}' /usr/include/paths.h` ... Unless you have > K1firstfile checksummed, most wouldn't give it a second look. > >> bad PLAGUE! bad intentions! bad people possibly putting that where root >> is >> messing. >> > > I hope that comment was sarcasm and not stupidity... > > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > J. Oquendo > echo @infiltrated|sed 's/^/sil/g;s/$/.net/g' > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 > > "How a man plays the game shows something of his > character - how he loses shows all" - Mr. Luckey > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Plague re-visited J. Oquendo (Oct 23)
- Re: Plague re-visited hijacker (Oct 23)
- Re: Plague re-visited Philosophil (Oct 23)
- Re: Plague re-visited hijacker (Oct 23)
- Re: Plague re-visited Philosophil (Oct 23)
- Re: Plague re-visited hijacker (Oct 23)