Security Incidents mailing list archives

Re: New Linux Trojan


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Sun, 9 Sep 2001 11:56:15 +1200

Qualys Inc <research () qualys com> wrote:

<<snip>>
The backdoor process of Remote Shell Trojan also issues an HTTP GET
request to port 80 on the host 212.15.64.41 (orinoco.portland.co.uk). 
This host does not appear to return any meaningful results upon 
such a request.

Is it just a simple GET requesting that site's homepage?

I note that the page returned from that site includes this:

   <FORM ACTION="http://www.portland.co.uk/cgi-bin/formmail.pl" ...

and wondered if it may be one of the vulnerable formmails that can be 
used for arbitrary Emailing.  This would be a simple way to obfuscate 
(at the Trojan-compromised site's end) an Email-based "phone home" 
scheme...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
