[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: Trojan found on Linux server

To: "Gaddis, Jeremy L." <jeremy@xxxxxxxxxxxx>
Subject: [Full-disclosure] Re: Trojan found on Linux server
From: Bulgaria Online - Assen Totin <assen@xxxxxxxxx>
Date: Wed, 04 Jan 2006 14:26:29 +0200

Hi all,

> http://www.jeremygaddis.com/files/ummtodkhk.

A quick test shows that the process forks, then opens an IRC session to
64.239.9.236 port 3434 (there are also two others hard-coded IP
addresses inside the binary, 219.133.46.212 and 61.211.239.84) -
probably a password protected server, the agent issues these commands:

PASS f9dsa
USER mbopaidgb
NICK cmktvjopr

Probably stays logged there, expecting remote commands. Seems capable of
spawning a shell on the infected machine. The "crontab" solution is
quite interesting, however. But even more interesting is how the
infection spreads... if it came through Apache, can you suggest version
and configuration (is there PHP, for example; is any file upload
permitted etc.)

Happy hunting,

Assen Totin
Development Manager

-- 
===============================
       BULGARIA ONLINE
  Your quality... Your price!
===============================
   ++ 359 2 9733000 ext. 511
     http://home.online.bg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Trojan found on Linux server
  - From: Gaddis, Jeremy L.

Prev by Date: Re: [Full-disclosure] Outlook Express 6.0 : link destination obfuscation
Next by Date: Re: [Full-disclosure] Undeletable user account.
Previous by thread: Re: [Full-disclosure] Trojan found on Linux server
Next by thread: [Full-disclosure] WMF round-up, updates and de-mystification
Index(es):
- Date
- Thread