Re: Systems compromised with ShellBOT perl script - part 2
From: Kirby Angell (kangell_at_alertra.com)
Date: Thu, 09 Sep 2004 12:19:02 -0500 To: Incidents List <email@example.com>
-----BEGIN PGP SIGNED MESSAGE-----
Sure enough, I ran it as root in my VMWare install and it infected a
bunch of files in /bin.
For some reason, tcpdump isn't catching any of the traffic it generates
though. I've tried it on the host against the vmnet8 interface and from
within the VM (after chmod'ing /dev/vmnet). I'm going to try it again
with a clean VM install.
Shashank Rai wrote:
| Hi Kirby,
| great work!! is it possible to get the gzipped files? BTW as for doze4
| ... a scan with f-prot (linux cmd line edition) identifies it as
| "Infection: Unix/RST.B". An online scan on
| http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
| Here is Spohos description of RST.B (from
| Linux/Rst-B will attempt to infect all ELF executables in the current
| working directory and the directory /bin
| If Linux/Rst-B is executed by a privileged user then it may attempt to
| create a backdoor on the system. This is achieved by opening a socket
| and listening for a particular packet containing details about the
| origin of the attacker and the command the attacker would like to
| execute on the system.
Get notified anytime your website goes down!
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----