lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Dec 2014 01:50:10 +0000 From: Ed Tredgett <edtredgett@...icallysecure.com> To: Alfred Baroti <marianalfred@...il.com> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] Interesting Backdoor Check the following link out it may provide you with a greater insight as is looks like that rootkit from the information you've provided, which I've found floating around recently https://gitorious.org/dongforce/main/source/e08f161206e31cc12f1a874d8add153764564065:__UMBREON__ Ed > On 9 Dec 2014, at 01:43, Alfred Baroti <marianalfred@...il.com> wrote: > > Hi, > I was wondering if someone found something similar with this. I didn't find anything similar with this before. > > > Here is: > > root@...1-test:~# ssh zimadmin@0 > zimadmin@0's password: > -------;i------------------------------------------ > -----.,if------------------------------------------ > -----,tLE,--------------..:;ji--------------------- > ----;ittL;----------.;;;tjfGj.--------------------- > ---;tfGDK;--------,;;,tLEKKt-----------------:;,--- > ---ijLDKD.------:;,iLfiiGD;---------------.,ifj.--- > --.;tGKKi------:tjLKWWEj;.--------------:;jLEE;---- > ---;iLEL::..:,;tjEW##Wf,--------------.,;tGKWf----- > ---,,;t;,:,,ifi;LKELt:--------------.;;itiiLD:----- > ---:iiLjGLfLGGDEE;-----------------.i:,LKEfji------ > --:;;jGfDGKW####KL.----------------i,,jDKWEt------- > --,.ifGGGLEEE###WEt---------------:tifDEKD;-------- > --:,;LDGELKKK####KEj.-------------iLGKELi---------- > ---ijGDEWKW#######WDfi;;,,;ii,,,::DELt:------------ > ---,fDKKKW###WK#####EGLLLLLLLfft,:ii.-------------- > -----:,,,:;fji;LW#####WKEEEEEEDLji::i;------------- > -----------,;GLjjDKKWWWEEEKEEDfjLLLGGDL:----------- > -----------,;fGL;;tfLfjjfGDDGftLEKKEDEEf----------- > -----------,;;GEt-:tftifGEEEDftLEKKjjLLL----------- > ------------;iGKt-iGLGLttK####EGDEEjiEGG;---------- > ------------.LEEi;ftff;--,E####LjDEEGGDDD;--------- > -------------;EL:jjGLi----,K###t--,ijDKEDDL:------- > --------------jt;DGt:-----.LKKKi------tDEDEt------- > -------------.tjDKf-----.,ifff;--------tEDEj------- > ------------:fDEWKi----;;,,ii.--------,iLLDt------- > ----------:;ifEKG,-------..-----------,jjj;-------- > -----------fttGED---------------------------------- > ------------.-------------------------------------- > root@...1-test:~# w > 23:28:03 up 234 days, 14:54, 0 users, load average: 0.00, 0.00, 0.00 > USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT > root@...1-test:~# id zimadmin > uid=0(root) gid=197 groups=0(root) > root@...1-test:~# cat /etc/passwd |grep zimadmin > root@...1-test:~# cat /etc/shadow |grep zimadmin > > And in normal login it make no sense: > > root@...1-test:~# ls -la /usr/lib/libc.so.0 > ls: cannot access /usr/lib/libc.so.0: No such file or directory > root@...1-test:~# cd /usr/lib/libc.so.0 > root@...1-test:/usr/lib/libc.so.0# ls > ls: cannot open directory .: No such file or directory > root@...1-test:/usr/lib/libc.so.0# pwd > /usr/lib/libc.so.0 > root@...1-test:/usr/lib/libc.so.0# ls > ls: cannot open directory .: No such file or directory > root@...1-test:/usr/lib/libc.so.0# strace ls > -bash: /usr/bin/strace: Input/output error > root@...1-test:/usr/lib/libc.so.0# > > > Anyone have any idea with what i am dealing with ? > > Thanks > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists