lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 15 Jan 2008 16:16:03 +1100
From: Denis <sp23@...ernode.on.net>
To: "crazy frog crazy frog" <i.m.crazy.frog@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: what is this?

This is a very serious new threat affecting Linux servers and thousands
of boxes have been compromised since December 2007.

Each box serving the nasty javascript has been rooted. One person has
found a way to CLEAN the infection (ie. stop your server from serving
the bad javascript), however not the root hole ie. the servers in
question are still rooted as nobody so far has found what hole is being
exploited to gain root access in the first place.

See the following urls for a lot more info on this exploit:

http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
starts on page 3 or so)

http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/

Time for some honey pot action to find out how they're gaining root
access to begin with. From all reports so far it does not appear to be a
kernel vulnerability (as some of the affected servers were using latest
kernels)

Cheers,
Denis


On Sun, 13 Jan 2008 21:31:34 +0530
"crazy frog crazy frog" <i.m.crazy.frog@...il.com> wrote:

---> Hi,
---> 
---> Recently on opening one of my site,my antivirus pops up saying that it
---> has found on malicious script.the url is random and i have managed to
---> get tht script.it is using some flaw in apple quick time.
---> u can get the zip file for java script here:
---> http://secgeeks.com/what.zip
---> password is 12345
---> can somebody guide/help me what is this and how can i remove it?
---> 
---> -- 
---> advertise on secgeeks?
---> http://secgeeks.com/Advertising_on_Secgeeks.com
---> http://newskicks.com

Denis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ