From: dotslash at (KF)
Subject: ABfrag / linux kernel vulns

I think the patch is here but I can not read it so someone else will have 
to tell me if it's really here. =]


Mike Tone wrote:

>errrrr... hmmm  
>says that latest pre-patch is 2.4.20-pre11  
>Also, how does the DMCA come into play with  
>reverse engineering malcode?   
>New Linux Kernel Exploit? / ABFrag  
>By Daniel Roberts  
>Posted By: Dave Wreski  
>10/16/2002 21:42  
>Daniel Roberts discovered a binary named "ABfrag"  
>on one of his servers after detecting suspicious  
>network activity. He sent in a note requesting  
>anyone with information to contact him in an  
>effort to decipher its purpose.  
>Subject: Linux Kernel Exploits / ABFrag  
>Today I had a rather strange experience. At about  
>4:30 pm GMT my IDS began reporting strange TCP  
>behaviour on my network segment. As I was unable  
>to verify the cause of this behaviour I was forced  
>to remove the Linux box that I use as a border  
>gateway and traffic monitor - at no small cost to  
>my organization - the network is yet to be  
>reconnected. After a reboot and preliminary  
>analysis I found the binary ABfrag sitting in  
>/tmp. It had only been created minutes before.  
>Setting up a small sandbox I ran the program and  
>was presented with the following output:  
> ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote  
>Syncing exploit  
> Found and coded by Ac1db1tch3z - t3kn10n, n0n3  
>and t3kn0h03.  
> Unlicensed usage and/or distribution of this  
>program carries heavy fines  
> and penalties under American, British, European  
>and International copyright  
> law.  
> Should you find this program on any compromised  
>system we urge you to delete  
> this binary rather than attempt distribution or  
>analysis. Such actions would  
> be both unlawful and unwise.  
> password:  
> invalid key    
>I remembered, vaguely - I sift through a lot of  
>security mail each day, some talk of a rumoured  
>Linux kernel exploit circulating among members of  
>the hacker underground. On the advice of some  
>friends in law-enforcement I joined the EFnet  
>channels #phrack and #darknet and tried to solicit  
>some information regarding this alleged exploit.  
>Most people publicly attacked me for my naivety  
>but two individuals contacted me via private  
>messages and informed me that the "ac1db1tch3z"  
>were bad news, apparently a group of older (mid  
>20's) security gurus, and that I should delete  
>the exploit and forget I ever knew it existed.  
>However, something twigged my sense of adventure  
>and prompted me to try and get this out to the  
>Any help or information regarding this will be of  
>great help.  
>I have attached the binary although it appears to  
>be encrypted and passworded. I wish any skilled  
>programmers the best of luck in deciphering it.  
>Daniel Roberts  
>Head Network Manager   
>Full-Disclosure - We believe in it.
