Subject: Linux-box hacked, ls, ps, login modified
From: Frank Derichsweiler (fd-l-iDAIDALOS.INFORMATIK.UNIBW-MUENCHEN.DE)
Date: Wed Mar 22 2000 - 09:47:27 CST


Hi list,

Anybody seen this?
The process for gl0ck is running as root on a Red Hat box.

/bin/bincp/glox.su:

gl0ck 3.2 [icmp/tcp/udp/frag+rand ID] by ip, this copy is registred to s3phz

usage: Cancer <ip#1,ip#2,...> [options]

-F <type> : i=icmp s=syn u=udp f=fragbomb [i=icmp]
-I <addr> : Use <addr> as source [random]
-p <port> : Destinationport in syn/udp flood
-s <size> : Payload size in bytes(always 0 in synflood) [0]
-c <count> : Only send <count> packets [endless]
-m <count> : Multiple packets(<count>) in each packetburst [1]
-d <delay> : Microsec(s) delay between bursts [0]
-t <min> : Floodtimeout in min(s) [30]
-l <port> : CancerServer, listen for cmd's on <port>
-f <hostfile> : Flood using CancerServers in <hostfile>
-q : Quiet mode

Further investigation showed that /bin/ls /bin/ps /bin/login were
replaced by trojaned ones.

Luckily I found a source file with code for an exploit. Unfortunately
I cannot transfer it from "\xeb \x38 ..." to a readable form.

Any ideas?

TIA
Frank

--
Frank Derichsweiler
Please *NO* CC: I read the mailing list !
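As an added example (not part of Frank's post), a small Python helper that turns a "\xeb \x38 ..." style escaped byte string from a C source file back into raw bytes, then prints a hexdump and a SHA-256 so the fragment can be inspected and compared against known samples. The input string below is constructed for illustration; apart from the leading "\xeb \x38" taken from the post, its bytes are filler and not real code.

```python
import hashlib
import re
from typing import List

# Constructed sample modelled on the post's "\xeb \x38 ..." fragment; the
# bytes after the first two are made-up filler chosen to exercise the dump.
SAMPLE = r'''
char code[] = "\xeb \x38 \x41"
              "\x42\x43\x00"   /* constructed filler, not real code */
              "\x7f\x80\xff";
'''

# One C-style \xHH escape; findall() returns just the two hex digits.
_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')


def decode_escapes(text: str) -> bytes:
    """Pull every \\xHH escape out of a C source fragment, ignoring the
    whitespace, quotes, comments and string concatenation around them."""
    return bytes(int(h, 16) for h in _ESCAPE.findall(text))


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Render bytes as offset / hex / printable-ASCII lines, one per row."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join(f'{b:02x}' for b in chunk).ljust(width * 3 - 1)
        # Only 0x20..0x7e is shown literally; everything else becomes '.'.
        asc = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        lines.append(f'{off:08x}  {hexpart}  |{asc}|')
    return lines


def analyse(text: str) -> dict:
    """Decode the escapes and return length, hash and dump for the report."""
    data = decode_escapes(text)
    return {
        'length': len(data),
        'sha256': hashlib.sha256(data).hexdigest(),
        'dump': hexdump(data),
    }


if __name__ == '__main__':
    report = analyse(SAMPLE)
    print(f"{report['length']} bytes, sha256 {report['sha256']}")
    print('\n'.join(report['dump']))
```

The hash lets the decoded fragment be matched against a reference copy of a known exploit without re-typing the bytes; the dump is what you would paste into a disassembler or an incident report.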