OSEC

From: Alex de Joode (usurazedz.net)
Date: Mon Jun 17 2002 - 10:24:03 CDT


    Any comments?

    http://online.securityfocus.com/archive/82/277224/2002-06-14/2002-06-20/0

    <-- START -->

    Dear readers,

    A few days ago, while I was on #darknet, I saw three ScRiPtKidIeZ
    (among the rest of them) talking about the 7350-crocodile.c,
    7350-obsdftpd.c and 7350-pf.c exploit code by team
    teso, made with support of GOBBLES Security, who gave them
    the advisories.

    The good news:

    The exploits aren't that widely spread and have been kept in the
    underground for about a month. This isn't really good news, but it
    is better than the news that follows.

    The bad news:

    - openbsd ftp/cvs have been compromised and backdoored by the kiddies,
    who hang out mostly on #!hack.the.turkey on EFnet.
    - the technique is new and very obscure; the three exploits abuse it,
    and it is applicable only to *BSD flavors (afaik).

    A really short part of the logs shows this:

    <m0rgan> ./a.out
    <m0rgan> 7350-crocodile - x86/OpenBSD apache/telnetd/sshd
    *** pr0ix (pr0ixdef-con.org) has joined #darknet
    <m0rgan> by lorian and scut / TESO
    <m0rgan>
    <m0rgan> ./7350-crocodile [options] [host] [port] [misc-option]
    <m0rgan>
    <m0rgan> -d <daemon> (1= apache, 2= telnetd, 3= sshd)
    <m0rgan> -b bruteforce
    <m0rgan> -c check only
    <m0rgan> -s <0xaddr> start address
    <m0rgan> -S shellcode (? to show the list)
    <pr0ix> wtf?
    <m0rgan>
    <m0rgan> greetz: synnergy, GOBBLES Security, ElectronicSoulz, shiftee,
    bnuts, skyper.
    <m0rgan> sidenote: nasa.gov was really easy ;>
    <m0rgan> muahah fear.
    <xxx> could you send me that?
    *** pr0ix sets mode: +b xxx!*200.*
    *** xxx was kicked by pr0ix (0day-lurker)

    Keep an eye on your logs; as they said, the exploit makes a
    lot of noise on the system and "private" logs and thus is easy
    to spot. Put your IDS on.

    <-- END -->

    -- 
    Alex de Joode
    ZED-ZED-dot-NET    http://zedz.net