Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Plague Proof of Concept Linux backdoor
From: Andrew Farmer <andfarm () gmail com>
Date: Sun, 22 Oct 2006 20:14:58 -0700

On 22 Oct 06, at 04:29, hijacker () oldum net wrote:
even if they have ssh access, there is still nothing they can do,  
except
to create two files in there $HOME directories containing  
expressions from
paths.h and sysexits.h ?

Why would that be considered a backdoor?

The awk commands parse out the strings "/etc/passwd" and "/etc/ 
shadow" from
the headers. It's still rather easily detected - most of the rootkit- 
checking
programs will detect an alternate uid0 account very quickly - but it  
does
demonstrate an interesting way of avoiding target strings in the binary.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]