Message-ID: <BAY10-DAV301B2B4D8416A341B4AC4ED9780@phx.gbl>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote code execution

> I don't have the time to investigate the "cgi" and "dc" binaries.
> The "cgi" at least tries to daemonize and opens a TCP listening socket.
> They also try to replace the index page on the vulnerable site.

cgi
00001495   00001495      0   /dev/tty
0000149E   0000149E      0   socket
000014AA   000014AA      0   listen
000014C0   000014C0      0   PsychoPhobia Backdoor is starting...

0000254E   0000254E      0   init.c


dc
000009C0   000009C0      0   Welcome to Data Cha0s Connect Back Shell
000009E9   000009E9      0   No More Damn Issue Commands
00000A20   00000A20      0   Data Cha0s Connect Back Backdoor
00000A42   00000A42      0   /bin/sh
00000A4D   00000A4D      0   XTERM=xterm
00000A59   00000A59      0   HISTFILE=
00000A63   00000A63      0   SAVEHIST=
00000A6D   00000A6D      0   Usage: %s [Host] <port>
00000A86   00000A86      0   [*] Dumping Arguments
00000A9C   00000A9C      0   [*] Resolving Host Name
00000AB4   00000AB4      0   [*] Connecting...
00000AC6   00000AC6      0   [*] Spawning Shell
00000AD9   00000AD9      0   [*] Detached

00004321   00004321      0   dc-connectback.c


cheers,
m.w

