mailing list archives
Re: xpire.info & splitinfinity.info - exploits in the wild
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 25 Oct 2004 12:24:47 +1300
Elia Florio wrote:
I'm not sure that qmail-inject isn't a red herring? The actual
download looks like 'wget' was used.
Good suggestion, my friend :)
It was used WGET to retrieve the http://xpire.info/cli.gz connectback shell.
More specifically, from the strings in the binary it looks awfully like
sd's bindtty -- try Googling for "bindtty.c"...
The possible bad news is that bindtty is used in the suckit rootkit, so
your remote-only access may cause major (if not insurmountable)
problems to doing a half-useful diagnosis...
The hacker page used to accomplish the injection are based on this
test-page, taken directly on the hacker-site :-)
I notice that this site is full of trojan/backdoor/shell/worm/exploit and
other malware....why is it still open?
You'd be surprised how few folk actually compain about a lot of these
sites. Compound that with the rate of incompetence at many small (and
even many not-so-small) ISPs, where the very thin margins mean they
don't have time (and seldom good enough staff anyway) to analyse such
complaints, and where the emphasis is often more on making sure they
get their $10, $20, $40, etc this month from that customer, and many
such sites stay up way too long. The way to break such sites is for
some "authority" to contact them (a CERT, law enforcement, etc) or
"enough" polite, professional, clearly technically competent but not
overly technical complaints explaining what the site is being used for
and why it should be shut down. Of course, often the "base" sites are
themselves simply just ill-maintained systems that have, themselves,
been hacked and if all the ISP is up to doing is closing the apparently
rogue site/account, or simply removing the "offending content" the site
(and others similarly hosted on the still badly maintained servers)
remains open to further, similar abuse.
Full-Disclosure - We believe in it.