Re: msamba

[Paulo Abrantes <pcma () mega ist utl pt>]

> Anyone else seen this? I'd like to make sure I've got everything tied down
> enough that this won't happen again. Samba wasn't supposed to be on there,
> and it's now been removed. I have a suspicion ssl might have been involved
> too, due to the gzip comment and the way apache was reloaded.

I downloaded the msamba and checked the strings for the sambalx binary, 
for what I've seen it's the exploit for samba 2.2.8 written by eSDee,
with a little modification (adding q3 to the output strings and also
the command to email the info about samba). The exploit I'm talking
can be found in http://packetstormsecurity.nl/0304-exploits/sambal.c

This is not a 0 day, and there are already patches to fix this problem.
Regards,

Paulo Abrantes
 
++++++++++++++++++++++++++++++++++++++++
 
        Computer Science Student @
        Instituto Superior Tecnico
          (http://www.ist.utl.pt) 
 
This email fortune cookie: 
 
The memory management on the PowerPC can be used to 
frighten small children. -- Linus Torvalds
 
++++++++++++++++++++++++++++++++++++++++

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------