Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: xpire.info & splitinfinity.info - exploits in the wild
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 25 Oct 2004 12:24:47 +1300

Elia Florio wrote:

I'm not sure that qmail-inject isn't a red herring?  The actual
download looks like 'wget' was used.
Good suggestion, my friend :)

It was used WGET to retrieve the http://xpire.info/cli.gz connectback shell.

More specifically, from the strings in the binary it looks awfully like 
sd's bindtty -- try Googling for "bindtty.c"...

The possible bad news is that bindtty is used in the suckit rootkit, so 
your remote-only access may cause major (if not insurmountable) 
problems to doing a half-useful diagnosis...

<<big snip>>
The hacker page used to accomplish the injection are based on this
test-page, taken directly on the hacker-site :-)


I notice that this site is full of trojan/backdoor/shell/worm/exploit and
other malware....why is it still open?

You'd be surprised how few folk actually compain about a lot of these 
sites.  Compound that with the rate of incompetence at many small (and 
even many not-so-small) ISPs, where the very thin margins mean they 
don't have time (and seldom good enough staff anyway) to analyse such 
complaints, and where the emphasis is often more on making sure they 
get their $10, $20, $40, etc this month from that customer, and many 
such sites stay up way too long.  The way to break such sites is for 
some "authority" to contact them (a CERT, law enforcement, etc) or 
"enough" polite, professional, clearly technically competent but not 
overly technical complaints explaining what the site is being used for 
and why it should be shut down.  Of course, often the "base" sites are 
themselves simply just ill-maintained systems that have, themselves, 
been hacked and if all the ISP is up to doing is closing the apparently 
rogue site/account, or simply removing the "offending content" the site 
(and others similarly hosted on the still badly maintained servers) 
remains open to further, similar abuse.


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]