lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <063b01c48bd6$c515d0e0$5746370a@nsp.co.nz>
From: venom at gen-x.co.nz (VeNoMouS)
Subject: Automated ssh scanning

lol the amount of people still trying to work out what these binarys are is 
amusing, i already broke down what each package was and mailed it to full 
disclosure over 24hrs ago, dont you people read threads?

I'll post it again.....

www.bo2k-rulez.net/a
 kernel do_brk exploit by isec - 
http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php, infected with rst.b 
, which when run tries to connect to 207.66.155.21 on port 80
requesting /~telecom69/gov.php which is offline.


www.corbeanu.as.ro/t.gz
Ptrace/kmod kernel exploit by isec - 
http://www.k-otik.com/exploits/03.30.kernel.c.php

http://roarmy.com/god.tgz
root kit with backdoor'd ssh listens on port 26000 which replaces smbd
binary, loggin of the ssh connections goes to /usr/include/iceconf.h , also
has a crappy tcp sniffer which logs to /usr/lib/libice.log,and a syn flooder

***** backdoor password for this ssh door is ice4budu

www.generatiapro.go.ro/fast.tgz
emech setup for undernet to join #tty.



----- Original Message ----- 
From: "Ron DuFresne" <dufresne@...ternet.com>
To: "Gary E. Miller" <gem@...lim.com>
Cc: "Deigo Dude" <deigodude@....com>; <full-disclosure@...ts.netsys.com>
Sent: Friday, August 27, 2004 11:59 AM
Subject: Re: [Full-Disclosure] Automated ssh scanning


>
> Howdy Gary,
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Yo All!
>>
>> On Thu, 26 Aug 2004, Deigo Dude wrote:
>>
>> > Maybe running this test again, and this time ...
>>
>> No need to run the test again.
>>
>> - From the .history I duplicated this:
>>
>>  wget www.bo2k-rulez.net/a
>>
>> Then did this to see the strings in the binary:
>>
>>  strings a | less
>>
>> This string looked ineresting:
>>
>>  Kernel seems not to be vulnerable
>>
>> A google on that string yields the exloit:
>>
>>  http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php
>>
>> A simple exploit for the well known do_brk bug in the Linux kernel...
>>
>
> Cool, I was incrrect in assuning this was a fully patched system and the
> compromise likely being an application sploit it appears.
>
>
> Thanks,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ