Security Incidents mailing list archives

Re: Systems compromised with ShellBOT perl script - part 2


From: Kirby Angell <kangell () alertra com>
Date: Thu, 09 Sep 2004 12:19:02 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sure enough, I ran it as root in my VMWare install and it infected a
bunch of files in /bin.

For some reason, tcpdump isn't catching any of the traffic it generates
though.  I've tried it on the host against the vmnet8 interface and from
within the VM (after chmod'ing /dev/vmnet).  I'm going to try it again
with a clean VM install.

Shashank Rai wrote:
| Hi Kirby,
|
| great work!! is it possible to get the gzipped files? BTW as for doze4
| ... a scan with f-prot (linux cmd line edition) identifies it as
| "Infection: Unix/RST.B". An online scan on
| http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
| Linux.RST.b
| Here is Sophos' description of RST.B (from
| http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
| ------
| Linux/Rst-B will attempt to infect all ELF executables in the current
| working directory and the directory /bin
|
| If Linux/Rst-B is executed by a privileged user then it may attempt to
| create a backdoor on the system. This is achieved by opening a socket
| and listening for a particular packet containing details about the
| origin of the attacker and the command the attacker would like to
| execute on the system.
| -----------

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBQJCG21unUZAE9MARAjS4AJsGTKXE6NzWIB/LEhCzOcf6FT+lqgCfVR7I
VasdVjiLdYO8SA4aXhVDZnQ=
=rzVd
-----END PGP SIGNATURE-----
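The Sophos description quoted above says the program infects every ELF executable in the current directory and in /bin, which matches what Kirby saw in the VM. A practical way to confirm or rule out that kind of infection is a hash baseline of the ELF files taken from a known-clean install and compared after the suspect binary has run. The script below is an added example written for this archive page, not code from the thread, from Sophos, or from any vendor; the function names (build_manifest, compare, demo) and the three fake ELF files it creates in a temporary directory are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Baseline-and-compare integrity check for ELF executables in one directory.

Added example (not from the mailing-list thread): records a SHA-256 for every
ELF file in a directory such as /bin, then reports files whose content changed
or that appeared since the baseline, which is what a file-infecting program of
the kind described above leaves behind.
"""
import hashlib
import json
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the four ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Map file name -> {sha256, size} for every regular ELF file in directory.

    Symlinks are skipped so the same binary is not hashed twice under two names.
    """
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path) and is_elf(path):
            manifest[name] = {"sha256": sha256_of(path),
                              "size": os.path.getsize(path)}
    return manifest


def save_manifest(manifest, out_path):
    """Write the baseline as JSON; keep this copy off the machine being checked."""
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(in_path):
    with open(in_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return the names that changed, appeared, or vanished since the baseline."""
    modified = sorted(n for n in baseline
                      if n in current and baseline[n]["sha256"] != current[n]["sha256"])
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: three fake ELF files, then one is altered and one is dropped."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ls", "cat", "ps"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(ELF_MAGIC + b"\x01\x01\x01" + name.encode() * 10)
        # A non-ELF file must be ignored by the manifest.
        with open(os.path.join(d, "README"), "wb") as f:
            f.write(b"plain text, not a binary")
        baseline = build_manifest(d)
        # Simulate the infection: append bytes to 'ls' and add a new ELF file.
        with open(os.path.join(d, "ls"), "ab") as f:
            f.write(b"\x00" * 32 + b"APPENDED-BYTES")
        with open(os.path.join(d, "doze4"), "wb") as f:
            f.write(ELF_MAGIC + b"\x01\x01\x01new")
        return compare(baseline, build_manifest(d)), baseline


if __name__ == "__main__":
    result, base = demo()
    print("baseline entries:", sorted(base))
    print("diff:", result)
```

Take the baseline (build_manifest("/bin") and save_manifest) from the clean VM snapshot before the sample is run, store the JSON outside the VM, and run compare after reverting or after the run; a baseline taken on an already-suspect system proves nothing. Because the check keys on content hashes rather than mtime or size, an infector that restores timestamps is still caught, though a kernel-level rootkit that lies to read() would not be, so this is a first pass, not a substitute for comparing against a trusted offline copy.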

