Security Incidents mailing list archives

Re: Systems compromised with ShellBOT perl script - part 2


From: Kirby Angell <kangell () alertra com>
Date: Wed, 08 Sep 2004 08:10:42 -0500

I think that must be a different doze4; this one just doesn't seem that
complicated.  I'll go back and recheck my VM though to see if it did
anything else.

Archive on its way to you.

Shashank Rai wrote:
| Hi Kirby,
|
| great work!! is it possible to get the gzipped files? BTW as for doze4
| ... a scan with f-prot (linux cmd line edition) identifies it as
| "Infection: Unix/RST.B". An online scan on
| http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
| Linux.RST.b
| Here is Sophos' description of RST.B (from
| http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
| ------
| Linux/Rst-B will attempt to infect all ELF executables in the current
| working directory and the directory /bin
|
| If Linux/Rst-B is executed by a privileged user then it may attempt to
| create a backdoor on the system. This is achieved by opening a socket
| and listening for a particular packet containing details about the
| origin of the attacker and the command the attacker would like to
| execute on the system.
| -----------
|
| There was a discussion on FD recently, where the original poster had
| started a Debian machine with port 22 open and a non-priv user id of
| guest/guest .... in order to be a victim of the recent SSH scans. The
| crackers who got into this system had also downloaded RST.B infected
| binary.
|
| cheers,


--
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0

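A defensive counterpart to the quoted Sophos description (infection of every ELF executable in the working directory and /bin), added here as an example and not code from the thread or from either poster: it baselines the ELF files in a directory and reports any that later appear or change, calling out size growth and entry-point moves, the kind of change an appending file infector leaves behind. It assumes the baseline was taken from a known-clean state; the fake ELF64 header and directory layout in demo() are constructed for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

def parse_elf_entry(data):
    """Return e_entry for an ELF32/ELF64 image, or None for anything that is not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    fmt = ("<" if data[5] == 1 else ">") + ("I" if data[4] == 1 else "Q")  # EI_DATA, EI_CLASS
    return struct.unpack_from(fmt, data, 24)[0]                             # e_entry sits at 0x18

def inventory(directory):
    """Hash, size and entry point of every regular ELF file directly inside `directory`."""
    result = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_symlink() or not p.is_file():
            continue
        data = p.read_bytes()
        entry = parse_elf_entry(data)
        if entry is not None:  # scripts, text and other non-ELF files are ignored
            result[p.name] = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "entry": entry}
    return result

def diff_inventory(baseline, current):
    """Report ELF files that appeared or changed since the baseline was taken."""
    findings = []
    for name, cur in current.items():
        old = baseline.get(name)
        if old is None:
            findings.append((name, "new ELF file"))
        elif old["sha256"] != cur["sha256"]:
            why = ["content changed"]
            if cur["size"] != old["size"]:
                why.append("size %d -> %d" % (old["size"], cur["size"]))
            if cur["entry"] != old["entry"]:
                why.append("entry 0x%x -> 0x%x" % (old["entry"], cur["entry"]))
            findings.append((name, ", ".join(why)))
    return findings

def demo():
    """Constructed scenario: a minimal fake ELF64 header gets bytes appended and its entry moved."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        elf = bytearray(b"\x7fELF\x02\x01\x01" + bytes(17) + struct.pack("<Q", 0x401000) + bytes(32))
        (bin_dir / "ls").write_bytes(elf)
        (bin_dir / "notes.txt").write_bytes(b"not an ELF file")
        before = inventory(bin_dir)
        struct.pack_into("<Q", elf, 24, 0x40F000)                 # entry redirected...
        (bin_dir / "ls").write_bytes(bytes(elf) + b"\x90" * 512)  # ...into an appended blob
        return diff_inventory(before, inventory(bin_dir))
```

Run inventory() once on a clean system, store the result, and re-run diff_inventory() against it on a schedule; a hit on a binary no package update touched is worth a closer look.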