Open Source and information security mailing list archives
Message-ID: <417CF08F.4792.19DC5B30@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: xpire.info & splitinfinity.info - exploits in the wild

Elia Florio wrote:

> > I'm not sure that qmail-inject isn't a red herring?  The actual
> > download looks like 'wget' was used.
> Good suggestion, my friend :)
> 
> WGET was used to retrieve the http://xpire.info/cli.gz connectback shell.

More specifically, from the strings in the binary it looks awfully like 
sd's bindtty -- try Googling for "bindtty.c"...

The possible bad news is that bindtty is used in the suckit rootkit, so 
your remote-only access may cause major (if not insurmountable) 
problems to doing a half-useful diagnosis...

<<big snip>>
> The hacker page used to accomplish the injection is based on this
> test-page, taken directly from the hacker-site :-)
> 
> http://xpire.info/s/2
> http://xpire.info/s/
> 
> I notice that this site is full of trojan/backdoor/shell/worm/exploit and
> other malware....why is it still open?

You'd be surprised how few folk actually complain about a lot of these 
sites.  Compound that with the rate of incompetence at many small (and 
even many not-so-small) ISPs, where the very thin margins mean they 
don't have time (and seldom good enough staff anyway) to analyse such 
complaints, and where the emphasis is often more on making sure they 
get their $10, $20, $40, etc this month from that customer, and many 
such sites stay up way too long.  The way to break such sites is for 
some "authority" to contact them (a CERT, law enforcement, etc) or 
"enough" polite, professional, clearly technically competent but not 
overly technical complaints explaining what the site is being used for 
and why it should be shut down.  Of course, often the "base" sites are 
themselves simply just ill-maintained systems that have, themselves, 
been hacked and if all the ISP is up to doing is closing the apparently 
rogue site/account, or simply removing the "offending content" the site 
(and others similarly hosted on the still badly maintained servers) 
remains open to further, similar abuse.


Regards,

Nick FitzGerald
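The first reply above identifies the downloaded binary by the printable strings it carries. The following is an added example, not code from the original thread or from any of the people quoted in it: a minimal strings(1)-style extractor with an indicator match, run over a constructed byte buffer that stands in for a suspect binary. The sample bytes and the indicator list ("bindtty", "/bin/sh", "connect", "suckit") are assumptions made for illustration and are not strings taken from any real sample.

```python
"""Minimal strings-style triage of a suspected backdoor binary.

Added example, not from the original post. The sample bytes and the
indicator list below are constructed for illustration; "bindtty",
"/bin/sh", "connect" and "suckit" are assumed indicators, not strings
recovered from any real file.
"""
import re

MIN_LEN = 4  # same default minimum run length as strings(1)

# Constructed stand-in for a binary: an ELF-like header, some non-printable
# junk, then a few embedded printable strings of the kind a backdoor
# might carry.  "ab" is shorter than MIN_LEN and must be dropped.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32)) +
    b"/bin/sh\x00" + b"\x90" * 7 +
    b"bindtty\x00" + b"\xff\xfe" +
    b"connect\x00" + b"ab\x00"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def match_indicators(strings, indicators) -> dict:
    """Case-insensitive substring match of each indicator against the
    extracted strings; returns {indicator: [matching strings]} for hits only."""
    hits = {}
    for ind in indicators:
        found = [s for s in strings if ind.lower() in s.lower()]
        if found:
            hits[ind] = found
    return hits


def triage(data: bytes, indicators) -> dict:
    """Extract strings from data and report which indicators they contain."""
    return match_indicators(extract_strings(data), indicators)


if __name__ == "__main__":
    # Assumed indicator list; extend it with strings from a known bindtty.c
    # build once you have one to compare against.
    for ind, found in triage(SAMPLE, ["bindtty", "/bin/sh", "connect", "suckit"]).items():
        print(f"{ind}: {found}")
```

Run against a real file with `triage(open(path, "rb").read(), indicators)`. A hit on a name like "bindtty" is a lead, not an identification; the next step is to diff the full string set against a build of the suspected source, which is the comparison the reply above suggests.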

