Message-ID: <527DCF00.9070208@mail.umbrellix.tk>
Date: Fri, 08 Nov 2013 21:58:24 -0800
From: Jack Johnson <jack@...l.umbrellix.tk>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Re: I'm new here, and I already have something to share

Sorry, I don't actually have a sample; I was just once infected with it.
Thank you for your concern.

Źmicier Januszkiewicz wrote:
> Hi Jack,
>
> Care to share a sample of this one?
>
> Cheers,
> Z.
>
> 2013/11/7 Jack Johnson <jack@...l.umbrellix.tk>:
>> It is a user-friendly report about a new worm/rootkit (it only goes into
>> worm mode when UUCP is active) that is able to (but has not yet) wreak
>> havoc on any system that it infects.
>>
>> This report does drop dox, since it mentions the handle of an EFNet user.
>> However, all it is is a description of a currently active rootkit.
>>
>> Xplatform.JPreskit rootkit
>>
>> User-friendly report written by Jack Johnson
>> 'j4jackj' on EFNet
>>
>> DESCRIPTION
>> This newest infection is a rootkit spread by weak passwords and duff
>> links. It was made by an EFNetter called JPres. He originally developed
>> it on the BeOS, but it is able to strike every operating system that has
>> actual use in the world.
>>
>> THREAT LEVEL
>> This threat is terminal, for once a computer is infected, if you isolate
>> it, the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard
>> disk on which / resides.
>>
>> It is able to infect Windows ia32 and amd64 architectures, Debian and
>> RHEL 32 and 64, and the BeOS, PowerPC and Intel.
>>
>> Threat activation is manual, by an unsuspecting user or by the master
>> using a weak password via SSH and RSH.
>>
>> PAYLOAD DELIVERY
>> Payload delivery, once the rootkit is on the computer, is by Pastebin.com.
>> Payloads are encrypted and base64-encoded. It is unknown which
>> encryption method from those available in a default (insert form of UNIX
>> here) install is used.
>>
>> The format for payload titles is @tagYYYYMMDDSS, where YYYYMMDDSS is a
>> serial number determining the time of execution, and tag is the tag of
>> the rooted machine.
>>
>> BEHAVIOUR
>> On UNIX systems, when UUCP is enabled, this rootkit is also a worm.
>> This rootkit/worm is able to morph by the master issuing commands to the
>> worm.
>>
>> RECOMMENDED ACTION
>> You must back up and reinstall. This rootkit may still be present after
>> a reinstall if you moved your files to the new installation.
>>
>> PREVENTION
>> In the future, do not allow anonymous SSH into your computer, unless for
>> things like UUCP. This will prevent future reinfection.
>>
>> Thank you for reading this report as a matter of urgency.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/