From: dotslash at snosoft.com (KF)
Subject: ABfrag / linux kernel vulns
I think the patch is here but I cannot read it so someone else will have
to tell me if it's really here. =]
http://www.thefreeworld.net/non-US/
-KF
Mike Tone wrote:
>errrrr... hmmm
>
>http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html
>
>note:
>http://www.kernel.org/pub/linux/kernel/v2.4/testing/
>says that latest pre-patch is 2.4.20-pre11
>(15/oct/02)
>
>Also, how does the DMCA come into play with
>reverse engineering malcode?
>
>-----
>New Linux Kernel Exploit? / ABFrag
>By Daniel Roberts
>Posted By: Dave Wreski
>10/16/2002 21:42
>
>Daniel Roberts discovered a binary named "ABfrag"
>on one of his servers after detecting suspicious
>network activity. He sent in a note requesting
>anyone with information to contact him in an
>effort to decipher its purpose.
>
>From: daniel.roberts@...hmail.com
>To: bugtraq@...urityfocus.com,
>vuln-dev@...urityfocus.com,
>incidents@...urityfocus.com, cert@...t.org,
>submissions@...ketstormsecurity.org,
>contribute@...uxsecurity.com
>Subject: Linux Kernel Exploits / ABFrag
>
>Greetings.
>Today I had a rather strange experience. At about
>4:30 pm GMT my IDS began reporting strange TCP
>behaviour on my network segment. As I was unable
>to verify the cause of this behaviour I was forced
>to remove the Linux box that I use as a border
>gateway and traffic monitor - at no small cost to
>my organization - the network is yet to be
>reconnected. After a reboot and preliminary
>analysis I found the binary ABfrag sitting in
>/tmp. It had only been created minutes before.
>Setting up a small sandbox I ran the program and
>was presented with the following output:
>
>----------------------------------------------------------------------------
>
> ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote
>Syncing exploit
>
> Found and coded by Ac1db1tch3z - t3kn10n, n0n3
>and t3kn0h03.
>
> WARNING:
> Unlicensed usage and/or distribution of this
>program carries heavy fines
> and penalties under American, British, European
>and International copyright
> law.
> Should you find this program on any compromised
>system we urge you to delete
> this binary rather than attempt distribution or
>analysis. Such actions would
> be both unlawful and unwise.
>
>
>----------------------------------------------------------------------------
> password:
> invalid key
>
>
>I remembered, vaguely - I sift through a lot of
>security mail each day, some talk of a rumoured
>Linux kernel exploit circulating among members of
>the hacker underground. On the advice of some
>friends in law-enforcement I joined the EFnet
>channels #phrack and #darknet and tried to solicit
>some information regarding this alleged exploit.
>Most people publicly attacked me for my naivety
>but two individuals contacted me via private
>messages and informed me that the "ac1db1tch3z"
>were bad news, apparently a group of older (mid
>20's) security gurus, and that I should delete
>the exploit and forget I ever knew it existed.
>However, something twigged my sense of adventure
>and prompted me to try and get this out to the
>community.
>
>Any help or information regarding this will be of
>great help.
>
>I have attached the binary although it appears to
>be encrypted and passworded. I wish any skilled
>programmers the best of luck in deciphering it.
>
>Yours,
>
>Daniel Roberts
>Head Network Manager
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>