Re: Systems compromised with ShellBOT perl script - part 2

From: Kirby Angell (kangell_at_alertra.com)
Date: 09/08/04

    Date: Wed, 08 Sep 2004 08:10:42 -0500
    To: incidents@securityfocus.com
    
    


    I think that must be a different doze4; this one just doesn't seem that
    complicated. I'll go back and recheck my VM though to see if it did
    anything else.

    Archive on its way to you.

    Shashank Rai wrote:
    | Hi Kirby,
    |
    | Great work!! Is it possible to get the gzipped files? BTW as for doze4
    | ... a scan with f-prot (linux cmd line edition) identifies it as
    | "Infection: Unix/RST.B". An online scan on
    | http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
    | Linux.RST.b
    | Here is Sophos' description of RST.B (from
    | http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
    | ------
    | Linux/Rst-B will attempt to infect all ELF executables in the current
    | working directory and the directory /bin
    |
    | If Linux/Rst-B is executed by a privileged user then it may attempt to
    | create a backdoor on the system. This is achieved by opening a socket
    | and listening for a particular packet containing details about the
    | origin of the attacker and the command the attacker would like to
    | execute on the system.
    | -----------
    |
    | There was a discussion on FD recently, where the original poster had
    | started a Debian machine with port 22 open and a non-priv user id of
    | guest/guest .... in order to be a victim of the recent SSH scans. The
    | crackers who got into this system had also downloaded RST.B infected
    | binary.
    |
    | cheers,

    --
    Thank you,

    Kirby Angell
    Get notified anytime your website goes down!
    http://www.alertra.com
    key: 9004F4C0
    fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0

