Message-ID: <14238cf1220.2795.8638d110b878e192e265aab66f50a68b@daloo.de>
Date: Fri, 08 Nov 2013 18:47:36 +0100
From: Alex <fd@...oo.de>
To: Jack Johnson <jack@...l.umbrellix.tk>, <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: I'm new here, and I already have something to share

I don't care about this worm. Having a password on ssh is not user friendly. Damn you security guys.

On 7 November 2013 at 07:02:23, Jack Johnson <jack@...l.umbrellix.tk> wrote:
> It is a user friendly report about a new worm/rootkit (only goes into worm
> mode when UUCP is active) that is able to, but has not yet, wreaked havoc
> on any system that it infects.
>
> This report does drop dox, since it mentions the handle of an EFNet user.
> However, all it is is a description of a currently-active rootkit.
>
> Xplatform.JPreskit rootkit
>
> User friendly report written by Jack Johnson
> 'j4jackj' on EFNet
>
> DESCRIPTION
> This newest infection is a rootkit spread by weak passwords and duff links.
> It was made by an EFNetter called JPres. He originally developed it on the BeOS
> but it is able to strike every operating system that has actual use in the
> world.
>
> THREAT LEVEL
> This threat is terminal, for once a computer is infected, if you isolate it,
> the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk
> on which / resides.
>
> It is able to infect Windows ia32 and amd64 architectures, Debian and RHEL
> 32 and 64, and the BeOS, PowerPC and Intel.
>
> Threat activation is manual, by an unsuspecting user or by the master
> using a weak password via SSH and RSH.
>
> PAYLOAD DELIVERY
> Payload delivery once the rootkit is on the computer is by Pastebin.com.
> Payloads are encrypted and base64 encoded. It is unknown which encryption
> method from those available in a default (insert form of UNIX here) install is used.
>
> The format for payload titles is @tagYYYYMMDDSS where YYYYMMDDSS is a
> serial number determining the time of execution, and tag is the
> tag of the rooted machine.
>
> BEHAVIOUR
> On UNIX systems, when UUCP is enabled, this rootkit is also a worm.
> This rootkit/worm is able to morph by the master issuing commands to the
> worm.
>
> RECOMMENDED ACTION
> You must back up and reinstall. This rootkit may still be present after a
> reinstall, if you moved your files to the new installation.
>
> PREVENTION
> In the future, do not allow anonymous SSH into your computer, unless for
> things like UUCP.
> This will prevent future reinfection.
>
> Thank you for reading this report as a matter of urgency.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
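The PREVENTION advice in the quoted report comes down to not letting SSH accept empty or weak passwords. As an added example, not part of either message, here is a small audit of sshd_config text for the directives that govern that; the sample configuration is constructed, and the stated OpenSSH defaults (PasswordAuthentication yes, PermitEmptyPasswords no) are the ones documented in sshd_config(5).

```python
# Added example (not from the mailing-list thread): audit an sshd_config
# for the password-login settings the quoted PREVENTION advice is about.
# sshd keeps the FIRST value given for a directive; directives inside a
# Match block are conditional and are skipped here. Sample is constructed.

# OpenSSH defaults used when a directive is absent (per sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

def parse_sshd_config(text):
    """Return {lowercased directive: first value} from the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after the first Match is conditional
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit_password_login(text):
    """Return findings for effective settings that allow password logins."""
    settings = parse_sshd_config(text)
    effective = {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if effective["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: empty-password logins allowed")
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: weak passwords can be guessed")
    return findings

# Constructed sample: a weak setting, then an attempt to disable it
# that sshd ignores because the first value wins.
SAMPLE_CONFIG = """\
Port 22
PermitEmptyPasswords yes
PermitEmptyPasswords no
Match User uucp
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit_password_login(SAMPLE_CONFIG):
        print(finding)
```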