Message-ID: <a8f20ca90117.a90117a8f20c@mbox.com.au>
From: simpletone at mbox.com.au (Mike Tone)
Subject: ABfrag / linux kernel vulns
errrrr... hmmm
http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html
note:
http://www.kernel.org/pub/linux/kernel/v2.4/testing/
says that latest pre-patch is 2.4.20-pre11 (15/oct/02)
Also, how does the DMCA come into play with reverse engineering malcode?
-----
New Linux Kernel Exploit? / ABFrag
By Daniel Roberts
Posted By: Dave Wreski
10/16/2002 21:42
Daniel Roberts discovered a binary named "ABfrag" on one of his servers after detecting suspicious network activity. He sent in a note requesting anyone with information to contact him in an effort to decipher its purpose.
From: daniel.roberts@...hmail.com
To: bugtraq@...urityfocus.com,
vuln-dev@...urityfocus.com,
incidents@...urityfocus.com, cert@...t.org,
submissions@...ketstormsecurity.org,
contribute@...uxsecurity.com
Subject: Linux Kernel Exploits / ABFrag
Greetings.
Today I had a rather strange experience. At about 4:30 pm GMT my IDS began reporting strange TCP behaviour on my network segment. As I was unable to verify the cause of this behaviour I was forced to remove the Linux box that I use as a border gateway and traffic monitor - at no small cost to my organization - the network is yet to be reconnected. After a reboot and preliminary analysis I found the binary ABfrag sitting in /tmp. It had only been created minutes before. Setting up a small sandbox I ran the program and was presented with the following output:
----------------------------------------------------------------------------
ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote
Syncing exploit
Found and coded by Ac1db1tch3z - t3kn10n, n0n3
and t3kn0h03.
WARNING:
Unlicensed usage and/or distribution of this
program carries heavy fines
and penalties under American, British, European
and International copyright
law.
Should you find this program on any compromised
system we urge you to delete
this binary rather than attempt distribution or
analysis. Such actions would
be both unlawful and unwise.
----------------------------------------------------------------------------
password:
invalid key
I remembered, vaguely - I sift through a lot of security mail each day - some talk of a rumoured Linux kernel exploit circulating among members of the hacker underground. On the advice of some friends in law-enforcement I joined the EFnet channels #phrack and #darknet and tried to solicit some information regarding this alleged exploit. Most people publicly attacked me for my naivety, but two individuals contacted me via private messages and informed me that the "ac1db1tch3z" were bad news, apparently a group of older (mid 20's) security gurus, and that I should delete the exploit and forget I ever knew it existed. However, something twigged my sense of adventure and prompted me to try and get this out to the community.
Any help or information regarding this will be of great help.
I have attached the binary although it appears to be encrypted and passworded. I wish any skilled programmers the best of luck in deciphering it.
Yours,
Daniel Roberts
Head Network Manager