| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dotslash at snosoft.com (KF) Subject: ABfrag / linux kernel vulns I think the patch is here but I can not read it so somone else will have to tell me if its really here. =] http://www.thefreeworld.net/non-US/ -KF Mike Tone wrote: >errrrr... hmmm > >http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html > >note: >http://www.kernel.org/pub/linux/kernel/v2.4/testing/ >says that latest pre-patch is 2.4.20-pre11 >(15/oct/02) > >Also, how does the DMCA come into play with >reverse engineering malcode? > >----- >New Linux Kernel Exploit? / ABFrag >By Daniel Roberts >Posted By: Dave Wreski >10/16/2002 21:42 > >Daniel Roberts discovered a binary named "ABfrag" >on one of his servers after detecting suspicious >network activity. He sent in a note requesting >anyone with information to contact him in an >effort to deciper its purpose. > >From: daniel.roberts@...hmail.com >To: bugtraq@...urityfocus.com, >vuln-dev@...urityfocus.com, >incidents@...urityfocus.com, cert@...t.org, >submissions@...ketstormsecurity.org, >contribute@...uxsecurity.com >Subject: Linux Kernel Exploits / ABFrag > >Greetings. >Today I had a rather strange experiance. At about >4:30 pm GMT my IDS began reporting strange TCP >behaviour on my network segment. As I was unable >to verify the cause of this behaviour I was forced >to remove the Linux box that I use a border >gateway and traffic monitor - at no small cost to >my organization - the network is yet to be >reconnected. After a reboot and preliminary >analysis I found the binary ABfrag sitting in >/tmp. It had only been created minutes before. >Setting up a small sandbox I ran the program and >was presented with the following output: > >---------------------------------------------------------------------------- > > ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote >Syncing exploit > > Found and coded by Ac1db1tch3z - t3kn10n, n0n3 >and t3kn0h03. > > WARNING: > Unlicensed usage and/or distribution of this >program carries heavy fines > and penalties under American, British, European >and International copyright > law. > Should you find this program on any compromised >system we urge you to delete > this binary rather than attempt distribution or >analysis. Such actions would > be both unlawful and unwise. > > >---------------------------------------------------------------------------- > password: > invalid key > > >I remembered, vaguely - I sift through a lot of >security mail each day, some talk of a rumoured >Linux kernel exploit circulating among members of >the hacker underground. On the advice of some >friends in law-enforcement I joined the EFnet >channels #phrack and #darknet and tried to solicit >some information regarding this alleged exploit. >Most people publicly attacked me for my neivette >but two individuals contacted me via private >messages and informed me that the "ac1db1tch3z" >were bad news, apparently a group of older (mid >20's) security guru's, and that I should delete >the exploit and forget I ever knew it existed. >However, somthing twigged my sense of adventure >and prompted me to try and get this out to the >community. > >Any help or information regarding this will be of >great help. > >I have attached the binary although it appears to >be encrypted and passworded. I wish any skilled >programmers the best of luck in decyphering it. > >Yours, > >Daniel Roberts >Head Network Manager > >--------------------------------------------------------------------- >Never lose a fax again, receive faxes to your personal email account! >Visit http://www.mbox.com.au/fax >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists