lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <527DCF00.9070208@mail.umbrellix.tk>
Date: Fri, 08 Nov 2013 21:58:24 -0800
From: Jack Johnson <jack@...l.umbrellix.tk>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Re: I'm new here,
 and I already have something to share

Sorry, I don't actually have a sample, I was just once infected with it.
Thank you for your concern.

Źmicier Januszkiewicz wrote:
> Hi Jack,
>
> Care to share a sample of this one?
>
> Cheers,
> Z.
>
> 2013/11/7 Jack Johnson <jack@...l.umbrellix.tk>:
>> It is a user friendly report about a new worm/rootkit (only goes into worm
>> mode when UUCP is active) that is able to, but has not yet, wreaked havoc on
>> any system that it infects.
>>
>> This report does drop dox, since it mentions the handle of an EFNet user.
>> However, all it is
>> is a description of a currently-active rootkit.
>>
>> Xplatform.JPreskit rootkit
>>
>> User friendly report written by Jack Johnson
>> 'j4jackj' on EFNet
>>
>>          DESCRIPTION
>> This newest infection is a rootkit spread by weak passwords and duff links.
>> It was made by an EFNetter called JPres. He originally developed it on the
>> BeOS
>> but it is able to strike every operating system that has actual use in the
>> world.
>>
>>          THREAT LEVEL
>> This threat is terminal, for once a computer is infected, if you isolate it,
>> the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk
>> on which /
>> resides.
>>
>> It is able to infect Windows ia32 and amd64 architectures, Debian and RHEL
>> 32 and 64,
>> and the BeOS, PowerPC and Intel.
>>
>> Threat activation is manually, by an unsuspecting user or by the master
>> using a weak
>> password via SSH and RSH.
>>
>>          PAYLOAD DELIVERY
>> Payload delivery once the rootkit is on the computer is by Pastebin.com.
>> Payloads are encrypted and base64 encoded. It is unknown which encryption
>> method
>> from those available in a default (insert form of UNIX here) install is
>> used.
>>
>> The format for payload titles is @tagYYYYMMDDSS where YYYYMMDDSS is a
>> serial number determining the time of execution, and tag is the
>> tag of the rooted machine.
>>
>>          BEHAVIOUR
>> On UNIX systems, when UUCP is enabled, this rootkit is also a worm.
>> This rootkit/worm is able to morph by the master issuing commands to the
>> worm.
>>
>>          RECOMMENDED ACTION
>> You must back up and reinstall. This rootkit may still be present after a
>> reinstall,
>> if you moved your files to the new installation.
>>
>>          PREVENTION
>> In the future, do not allow anonymous SSH into your computer, unless for
>> things like UUCP.
>> This will prevent future reinfection.
>>
>> Thank you for reading this report as a matter of urgency.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ