Message-ID: <3460.192.168.0.6.1161603590.squirrel@mail.oldum.net>
Date: Mon, 23 Oct 2006 14:39:50 +0300 (EEST)
From: hijacker@...um.net
To: "Rik Bobbaers" <Rik.Bobbaers@...kuleuven.be>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Plague Proof of Concept Linux backdoor
Hello Rik,

and how on earth can you make "root" run that piece of code? Do you have
to specify it in the README section that it is mandatory to run that as
root in order for the "new" application root will be installing to run as
expected?

Indeed, it is hard to tell what it actually does... unless you open your
eyes and see sed 's/root/something/g' somewhere.

Either way, installing from hundreds of source files can make even the
best sys admin not notice that part of the source code of the
BACKDOOR-contagious application!

bad PLAGUE! bad intentions! bad people possibly putting that where root is
messing.

cheers,
-nik

> hijacker@...um.net wrote:
>> Are you saying I just injected my system with an account with root
>> access
>> hiding somewhere? Please, clarify.
>
> as you can tell by the subject, this is a BACKDOOR, you run it as root,
> and yes, then it works and creates a "new root" account
>
> you ran it as a normal user, so it won't work (you can't read
> /etc/shadow as normal user (du'uh))
>
> grtz,
>
> --
> harry
> aka Rik Bobbaers
>
> K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
> Rik.Bobbaers@...kuleuven.be -=- http://harry.ulyssis.org
>
> thinking always leads to conclusions... and those can be extremely
> dangerous
> -- me ;)
>
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/