Message-ID: <C513A3BB-10F4-4737-A014-0771F1EB3537@logicallysecure.com>
Date: Tue, 9 Dec 2014 01:50:10 +0000
From: Ed Tredgett <edtredgett@...icallysecure.com>
To: Alfred Baroti <marianalfred@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Interesting Backdoor

Check the following link out, it may provide you with a greater insight, as it looks like that rootkit from the information you've provided, which I've found floating around recently

https://gitorious.org/dongforce/main/source/e08f161206e31cc12f1a874d8add153764564065:__UMBREON__

Ed 

> On 9 Dec 2014, at 01:43, Alfred Baroti <marianalfred@...il.com> wrote:
> 
> Hi,
> I was wondering if someone has found something similar to this. I didn't find anything similar to this before.
> 
> 
> Here is:
> 
> root@...1-test:~# ssh zimadmin@0
> zimadmin@0's password:
> -------;i------------------------------------------
> -----.,if------------------------------------------
> -----,tLE,--------------..:;ji---------------------
> ----;ittL;----------.;;;tjfGj.---------------------
> ---;tfGDK;--------,;;,tLEKKt-----------------:;,---
> ---ijLDKD.------:;,iLfiiGD;---------------.,ifj.---
> --.;tGKKi------:tjLKWWEj;.--------------:;jLEE;----
> ---;iLEL::..:,;tjEW##Wf,--------------.,;tGKWf-----
> ---,,;t;,:,,ifi;LKELt:--------------.;;itiiLD:-----
> ---:iiLjGLfLGGDEE;-----------------.i:,LKEfji------
> --:;;jGfDGKW####KL.----------------i,,jDKWEt-------
> --,.ifGGGLEEE###WEt---------------:tifDEKD;--------
> --:,;LDGELKKK####KEj.-------------iLGKELi----------
> ---ijGDEWKW#######WDfi;;,,;ii,,,::DELt:------------
> ---,fDKKKW###WK#####EGLLLLLLLfft,:ii.--------------
> -----:,,,:;fji;LW#####WKEEEEEEDLji::i;-------------
> -----------,;GLjjDKKWWWEEEKEEDfjLLLGGDL:-----------
> -----------,;fGL;;tfLfjjfGDDGftLEKKEDEEf-----------
> -----------,;;GEt-:tftifGEEEDftLEKKjjLLL-----------
> ------------;iGKt-iGLGLttK####EGDEEjiEGG;----------
> ------------.LEEi;ftff;--,E####LjDEEGGDDD;---------
> -------------;EL:jjGLi----,K###t--,ijDKEDDL:-------
> --------------jt;DGt:-----.LKKKi------tDEDEt-------
> -------------.tjDKf-----.,ifff;--------tEDEj-------
> ------------:fDEWKi----;;,,ii.--------,iLLDt-------
> ----------:;ifEKG,-------..-----------,jjj;--------
> -----------fttGED----------------------------------
> ------------.--------------------------------------
> root@...1-test:~# w
>  23:28:03 up 234 days, 14:54,  0 users,  load average: 0.00, 0.00, 0.00
> USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
> root@...1-test:~# id zimadmin
> uid=0(root) gid=197 groups=0(root)
> root@...1-test:~# cat /etc/passwd |grep zimadmin
> root@...1-test:~# cat /etc/shadow |grep zimadmin
> 
> And in a normal login it makes no sense:
> 
> root@...1-test:~# ls -la /usr/lib/libc.so.0
> ls: cannot access /usr/lib/libc.so.0: No such file or directory
> root@...1-test:~# cd /usr/lib/libc.so.0
> root@...1-test:/usr/lib/libc.so.0# ls
> ls: cannot open directory .: No such file or directory
> root@...1-test:/usr/lib/libc.so.0# pwd
> /usr/lib/libc.so.0
> root@...1-test:/usr/lib/libc.so.0# ls
> ls: cannot open directory .: No such file or directory
> root@...1-test:/usr/lib/libc.so.0# strace ls
> -bash: /usr/bin/strace: Input/output error
> root@...1-test:/usr/lib/libc.so.0#
> 
> 
> Anyone have any idea what I am dealing with?
> 
> Thanks
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

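The symptoms in the quoted session (an account NSS resolves to uid 0 that /etc/passwd does not list, a path that `ls`/`stat` deny but `cd` accepts, and a tracing tool that fails with an I/O error) are each an inconsistency between two libc calls, which is what a preload-style userland hook leaves behind. The script below is an added example, not code from either poster nor from the linked project: it cross-checks those three conditions plus /etc/ld.so.preload. The account name, path and tool are the ones from the post; `SAMPLE_PASSWD` is constructed for the offline test, and the live `run_checks()` is only run when the file is executed directly. Caveat: the interpreter is itself dynamically linked, so a preload hook sees its `os.stat`, `os.chdir` and `pwd.getpwnam` calls too; the checks rely on the hook being inconsistent across calls. A statically linked binary or an offline examination of the disk is the authoritative answer.

```python
import errno
import os
import pwd

# Constructed sample of /etc/passwd content for the offline test; the live
# file is read by run_checks() below.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)


def parse_passwd(text):
    """Map account name -> uid from passwd-format text.

    Pure function fed file contents read directly, so the result does not
    pass through NSS and any hook on getpwnam()."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return users


def nss_file_mismatch(name, nss_uid, passwd_text):
    """True when NSS resolves `name` (nss_uid is an int) but the passwd file
    disagrees: the name is absent or maps to a different uid.
    In the post `id zimadmin` says uid=0 while grep on /etc/passwd is empty."""
    if nss_uid is None:
        return False
    return parse_passwd(passwd_text).get(name) != nss_uid


def nss_lookup(name):
    """uid from NSS (getpwnam via libc), or None if the name is unknown."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def stat_chdir_disagree(path):
    """True when stat() reports ENOENT but chdir() succeeds: an entry hidden
    from stat()/readdir() but not from chdir(), the ls/cd/pwd sequence above."""
    try:
        os.stat(path)
        return False          # visible to stat(): nothing hidden here
    except FileNotFoundError:
        pass
    except OSError:
        return False          # EACCES etc. is a different question
    saved = os.getcwd()
    try:
        os.chdir(path)
    except OSError:
        return False          # consistently absent: not an indicator
    os.chdir(saved)
    return True


def read_gives_eio(path):
    """True when opening/reading `path` fails with EIO, as /usr/bin/strace did.
    A failing disk also yields EIO, so treat this as a hint, not proof."""
    try:
        with open(path, "rb") as f:
            f.read(16)
        return False
    except OSError as e:
        return e.errno == errno.EIO


def preload_entries(path="/etc/ld.so.preload"):
    """Libraries forced into every dynamically linked process; the file is
    normally absent, so any entry deserves an explanation."""
    try:
        with open(path) as f:
            return [l.strip() for l in f if l.strip() and not l.startswith("#")]
    except OSError:
        return []


def run_checks(account="zimadmin", hidden_path="/usr/lib/libc.so.0",
               tool="/usr/bin/strace"):
    """Live checks on this host using the identifiers from the post."""
    with open("/etc/passwd") as f:
        passwd_text = f.read()
    return {
        "nss_file_mismatch": nss_file_mismatch(account, nss_lookup(account),
                                               passwd_text),
        "stat_chdir_disagree": stat_chdir_disagree(hidden_path),
        "tool_read_eio": read_gives_eio(tool),
        "ld_so_preload": preload_entries(),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Any `True` or non-empty result is a reason to stop trusting the host's own tools and continue from a statically linked toolkit or with the disk mounted elsewhere, since a hook that lies about one path or one account can lie about this script's output as well.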
