Message-ID: <BAY10-DAV301B2B4D8416A341B4AC4ED9780@phx.gbl>
Date: Wed, 26 Jan 2005 19:16:28 -0800
From: "morning_wood" <se_cur_ity@...mail.com>
To: "Delian Krustev" <krustev@...stev.net>, <bugtraq@...urityfocus.com>,
<full-disclosure@...ts.netsys.com>,
<security-alerts@...uxsecurity.com>
Subject: Re: Re: [ GLSA 200501-36 ] AWStats: Remote code execution
> I don't have the time to investigate the "cgi" and "dc" binaries.
> The "cgi" at least tries to daemonize and opens a TCP listening socket.
> They also try to replace the index page on the vulnerable site.
cgi
00001495 00001495 0 /dev/tty
0000149E 0000149E 0 socket
000014AA 000014AA 0 listen
000014C0 000014C0 0 PsychoPhobia Backdoor is starting...
0000254E 0000254E 0 init.c
dc
000009C0 000009C0 0 Welcome to Data Cha0s Connect Back Shell
000009E9 000009E9 0 No More Damn Issue Commands
00000A20 00000A20 0 Data Cha0s Connect Back Backdoor
00000A42 00000A42 0 /bin/sh
00000A4D 00000A4D 0 XTERM=xterm
00000A59 00000A59 0 HISTFILE=
00000A63 00000A63 0 SAVEHIST=
00000A6D 00000A6D 0 Usage: %s [Host] <port>
00000A86 00000A86 0 [*] Dumping Arguments
00000A9C 00000A9C 0 [*] Resolving Host Name
00000AB4 00000AB4 0 [*] Connecting...
00000AC6 00000AC6 0 [*] Spawning Shell
00000AD9 00000AD9 0 [*] Detached
00004321 00004321 0 dc-connectback.c
cheers,
m.w
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
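
Added example, not part of the original message and not code from either binary: a small Python triage script that pulls printable strings with their file offsets out of a binary, as in the listings above, and groups the ones that point to a behaviour (listening socket, shell spawn, history suppression, connect-back). The rule names, the rule set and the two sample blobs are constructed for illustration; a match is a triage hint for an analyst, not a verdict.

```python
import re

# Printable-ASCII runs of at least 4 bytes, the default minimum of strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed rules: a trait is reported only if ALL of its substrings occur
# (case-insensitive). The substrings come from the listings in the message.
RULES = {
    "tcp-listener": ("socket", "listen"),
    "interactive-shell": ("/bin/sh",),
    "history-suppression": ("HISTFILE=", "SAVEHIST="),
    "connect-back": ("connect back", "Resolving Host Name"),
    "self-described-backdoor": ("backdoor",),
}

def extract_strings(blob):
    """Return [(file_offset, text)] for every printable run in blob."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE_RUN.finditer(blob)]

def triage(blob):
    """Map each matched trait to {substring: [offsets of supporting strings]}."""
    found = extract_strings(blob)
    report = {}
    for trait, needles in RULES.items():
        hits = {}
        for needle in needles:
            offs = [off for off, text in found if needle.lower() in text.lower()]
            if offs:
                hits[needle] = offs
        if len(hits) == len(needles):  # every required substring was seen
            report[trait] = hits
    return report

def make_sample(strings):
    """Constructed stand-in for a binary: 16 header bytes, then separated strings."""
    return b"\x7fELF" + b"\x00" * 12 + b"".join(s.encode() + b"\x00\x01\x02" for s in strings)

# Constructed samples that embed a few of the strings quoted in the message.
SAMPLE_LISTENER = make_sample(
    ["/dev/tty", "socket", "listen", "PsychoPhobia Backdoor is starting..."])
SAMPLE_CONNECT_BACK = make_sample(
    ["Data Cha0s Connect Back Backdoor", "/bin/sh", "HISTFILE=", "SAVEHIST=",
     "[*] Resolving Host Name"])

if __name__ == "__main__":
    for name, blob in (("listener", SAMPLE_LISTENER), ("connect-back", SAMPLE_CONNECT_BACK)):
        print(name, sorted(triage(blob)))
```

To use it on a real file, pass its contents as bytes, for example `triage(open(path, "rb").read())`.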