Message-ID: <CAJtJjZs0kZGOj-nxDL6WeTAoDmJ+qzVAPUF1dct18EOg5cBCbg@mail.gmail.com>
Date: Tue, 4 Oct 2011 10:43:25 +0100
From: Darren Martyn <d.martyn.fulldisclosure@...il.com>
To: secn3t@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apache 2.2.17 exploit?

Adam, thanks for the tip on Codepad, I am very grateful.

Is there actually a non-backdoored variant of said code? I have not seen any
CVE mentioning that exploit so I was naturally wondering.

Also, pastebin/pastee based bots (those scanner kits especially) are not too
uncommon, I have found more than a few.

I was working on dissecting "kanbe.tar.gz" from madirish.net when my
hardware "vanished", very interesting kit. I have a special place in my
heart for those things, because one can easily find the botnet's owners and
report to their ISP (or whatever) or simply observe it (see how big it is).
During the time after Kingcope's EXIM remote root exploit was released I saw
a few kits appear, the first an energymech mod with a scanner and "spreading"
exploit, another a self-contained Perl script that spread itself à la worm.
Within the following months more of the kits appeared, including the ones
that have various "x" and "x2" shell scripts that simply pass args and such
to other scripts - fuck ugly things!

I wonder though, when someone will write some kind of "serious" worm for
*nix servers, some kind of self-propagating, multiple spread/infection
method worm, that infects, roots, and iFrames the whole site with malware
spreading nastiness, along with whatever else the evil f*ckers want "roots"
for. Something like Scalper except a bit nastier. Will be a fun day for
malware dissection :)

On Tue, Oct 4, 2011 at 12:22 AM, xD 0x41 <secn3t@...il.com> wrote:

> here are places like codepad.org that let you compile/execute various
>
>
> Indeed, I have seen the codepad.org execute action used on many many bots,
> even pastebin just using download= and renaming the downloaded file :s not
> too hard, don't even need to rename file, and raw= features, is plain code
> just in a txt.
> On codepad tho, you can actually execute the code on the server, and that's
> awesome for debugging I guess but I prefer to use my own stdinout.
> Anyhow, it is a nice world there, that is where half the bots in use sit...
> you should find some of the more popular botz, and strings, and watch
> how many are active... many would be, believe it. Especially on pastebin and
> codepad, those two are best because allow raw download.. but codepad
> even allows you to set up a subdomain, which was removed from the pastebin,
> unf..
> oh well, that's how it is, it is ok by me.
> xd
>
>
>
> On 4 October 2011 07:14, adam <adam@...sy.net> wrote:
>
>> Darren,
>>
>> There are places like codepad.org that let you compile/execute various
>> programming/scripting languages, of course you don't have the control/access
>> that you'd normally have but for some things - it may just be enough.
>>
>> On Mon, Oct 3, 2011 at 11:41 AM, Darren Martyn <
>> d.martyn.fulldisclosure@...il.com> wrote:
>>
>>> I may have to set up such an RSS + REGEX along with a google alerts to
>>> get the best of both :)
>>>
>>> Since my lack of computing facilities has gotten worse in the last month
>>> I have actually begun to forget ASM, so decoding shellcode is not so easy
>>> for me :(
>>> Nor do I have (currently) access to a Linux box to test it on - only a
>>> friend's W7 laptop (which wants to use Cyrillic) and the college computers
>>> (W7 also... Network booting with Novell, buggy and slow for the win!)
>>>
>>> I will keep on posting anything that looks even mildly interesting, may
>>> find something fun in my travels :)
>>>
>>>
>>> On Mon, Oct 3, 2011 at 5:05 PM, PsychoBilly <zpamh0l3@...il.com> wrote:
>>>
>>>> OMG!
>>>> This ...
>>>> actually WORKS!
>>>> GR8 Job, m8+!
>>>> L33+ cC l33+
>>>> W00+ FB Bwana!
>>>> ...
>>>> <! connection reseted by peer >
>>>>
>>>> [[   adam   ]] @ [[   03/10/2011 17:56   ]]--------------------------------------------------
>>>> > Also, make sure you guys don't miss out on this 0day either: http://pastebin.com/R8XdsUgK
>>>> >
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
