OSEC
From: KF (dotslashsnosoft.com)
Date: Tue Mar 05 2002 - 11:44:26 CST

    Remember about 6 months back ... there was an "ELF binary infection"
    thing that "Escaped from our lab" (as said by some company, forget who).
    The symptoms were similar...
    http://online.securityfocus.com/archive/75/249346 and
    http://www.vnunet.com/News/1125305. Maybe a valid exploit has been
    infected with something similar... this thing (the exploit) is definitely
    doing something to my apache daemon.
    -KF

    VeNoMouS wrote:

    >I've looked into this a little bit more and it adds 8.7KB of data to any ELF
    >file it finds on your system.
    >
    >It seems to contain the text string OSF.
    >
    >It does appear to be some type of virus back door. Please find attached a clean
    >and an infected version of grep 2.4.2 (GNU) from a RH 6.2 box. It appends its
    >data to the end of the ELF, but I have been unsuccessful reverse engineering it
    >so far.
    >
    >On first run it stays in memory and then goes after /bin/
    >and infects all ELFs in there, then moves on to /usr/bin,
    >then /usr/lib/gcc*, then /sbin.
    >
    >Well, that's the way I saw it happening over a period of 4 days,
    >and every ELF contains the listen() code to open port 3049.
    >
    >Still uncertain as to what the 3049 actually does.
    >----- Original Message -----
    >From: "VeNoMouS" <venomphreaker.net>
    >To: "Olaf Kirch" <okircaldera.de>; "H D Moore" <hdmdigitaloffense.net>
    >Cc: <fractalghighspeedweb.net>; <vuln-devsecurityfocus.com>
    >Sent: Friday, March 01, 2002 6:03 AM
    >Subject: Re: Rumours about Apache 1.3.22 exploits
    >
    >
    >>Actually I was pasted on a so-called exploit this afternoon which claims to
    >>exploit via POST but was only pasted on a binary.
    >>However, please watch out for this. I believe it's a working exploit, but it
    >>also seems to open up a UDP port on 3049 and somehow seems to be cloning the
    >>last proc; when stracing the 3049 all it seems to do is sit there and
    >>recv(...) and does nothing when you type anything.
    >>
    >>binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.
    >>
    >>Has anyone seen this about before? Is this a trojan? If not, then why does
    >>it open UDP 3049 even after a reboot?
    >>I trace the proc opening that port, kill it, and it seems to clone somehow my
    >>last proc and then 2 mins later opens the port again.
    >>
    >>Any ideas?
    >>
    >>
    >>----- Original Message -----
    >>From: "Olaf Kirch" <okircaldera.de>
    >>To: "H D Moore" <hdmdigitaloffense.net>
    >>Cc: <fractalghighspeedweb.net>; <vuln-devsecurityfocus.com>
    >>Sent: Wednesday, February 27, 2002 3:07 AM
    >>Subject: Re: Rumours about Apache 1.3.22 exploits
    >>
    >>
    >>>>There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
    >>>>working exploit floating around which provides a remote bindshell for PHP
    >>>>versions 4.0.1 to 4.0.6 with a handful of default offsets for different
    >>>>platforms.
    >>>>
    >>>Blechch. This code is really icky. There's really an sprintf down there
    >>>in the code that looks bad (apart from a few other things that look bad).
    >>>But if I don't misread the patch, the sprintf is still there in 4.1.1.
    >>>
    >>>>Since the PHP developers committed another change to the affected
    >>>>source file (rfc1687.c) about two days ago, speculation is that there is yet
    >>>>another remote exploit.
    >>>>
    >>>Not in the public CVS (has been removed?)
    >>>
    >>>Olaf
    >>>--
    >>>Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
    >>>okirmonad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
    >>>okircaldera.de +-------------------- Why Not?! -----------------------
    >>> UNIX, n.: Spanish manufacturer of fire extinguishers.
    >>>
    >>
    >> [Attachment: infected_grep.tar.gz (application/x-gzip, base64)]
    >> [Attachment: clean_grep.tar.gz (application/x-gzip, base64)]
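As a defender's triage check for the behaviour VeNoMouS describes (extra data glued onto the end of every ELF on the box), here is an added example that is not code from the thread or from any of its authors. It parses the ELF header, program header table and section header table, works out the last file offset any of them accounts for, and reports how many bytes lie beyond it; the sample binary is constructed inline, and the 8700-byte figure only mirrors the "8.7KB" mentioned above.

```python
import struct

def trailing_bytes(data: bytes) -> int:
    """Bytes in `data` past every structure the ELF headers describe.
    Returns -1 if `data` is not ELF. A positive count means the file holds
    data its own headers do not account for (appended-infection heuristic)."""
    if data[:4] != b"\x7fELF" or len(data) < 52:
        return -1
    is64 = data[4] == 2                          # EI_CLASS: 2 = ELFCLASS64
    en = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    w = "Q" if is64 else "I"                     # word size of offset/size fields
    if is64:
        phoff, shoff, _, _, phentsize, phnum, shentsize, shnum, _ = \
            struct.unpack_from(en + "QQIHHHHHH", data, 32)
        p_off, p_sz, s_off, s_sz, end = 8, 32, 24, 32, 64   # Elf64_Phdr/Shdr field offsets
    else:
        phoff, shoff, _, _, phentsize, phnum, shentsize, shnum, _ = \
            struct.unpack_from(en + "IIIHHHHHH", data, 28)
        p_off, p_sz, s_off, s_sz, end = 4, 16, 16, 20, 52   # Elf32_Phdr/Shdr field offsets
    word = lambda at: struct.unpack_from(en + w, data, at)[0]
    if phnum:
        end = max(end, phoff + phnum * phentsize)           # program header table
    if shnum:
        end = max(end, shoff + shnum * shentsize)           # section header table
    for i in range(phnum):                                  # file bytes of each segment
        base = phoff + i * phentsize
        end = max(end, word(base + p_off) + word(base + p_sz))
    for i in range(shnum):                                  # file bytes of each section
        base = shoff + i * shentsize
        if struct.unpack_from(en + "I", data, base + 4)[0] != 8:   # skip SHT_NOBITS (.bss)
            end = max(end, word(base + s_off) + word(base + s_sz))
    return len(data) - end

def build_sample_elf(appended: int = 0) -> bytes:
    """Constructed minimal ELF64 (one PT_LOAD covering the whole file) with
    `appended` junk bytes glued on the end to simulate an infected binary."""
    code = b"\x90" * 16
    filesz = 64 + 56 + len(code)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + 120, 64, 0, 0,
                        64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, filesz, filesz, 0x1000)
    return ehdr + phdr + code + b"\xcc" * appended

if __name__ == "__main__":
    for name, blob in [("clean", build_sample_elf()), ("infected", build_sample_elf(8700))]:
        print(f"{name}: {trailing_bytes(blob)} trailing bytes")
```

A positive count is a triage signal rather than proof of infection, since some legitimate binaries carry appended data; comparing against a known-clean copy, as the poster did with grep, settles it.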