Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Plague re-visited
From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 23 Oct 2006 07:19:11 -0500

hijacker () oldum net wrote:
Hello Rik,
and how on earth can you make "root" run that piece of code? Do you have
to specify it in the README section that it is mandatory to run that as
root in order the "new" application root will be installing to run as

If you need someone to spell out how this works and how it maintains an account then you should unsubscribe from all 
security lists and search google for pokemon, change your hobby, get out of this field. From the onset nothing 
specified "remote root access" it stated proof of concept "BACKDOOR" if you need the term defined for you, re-read the 
previous sentence in its entirety.

Indeed, it is hard to tell what it actually does... unless you open your
eyes and see sed 's/root/something/g' somewhere.

The purpose of me pondering this was a "notion" that one doesn't always need to re-invent the wheel. Using standard 
commands, its actually easier and safer to maintain a backdoor. If someone already rooted a machine, how does one 
maintain that account without setting off bells and whistles. It's alot easier to whip up little bits and pieces and 
have it precompile into one script, run itself, and delete itself afterwards. There would be no trace of any "all 
inclusive" backdoor programs. A snippet here, a snippet there all precompiling either on a system startup or shutdown.

Either way, installing from hundreds of source files, can make even the
best sys admin to not notice that part of the source code of the
BACKDOOR-contagious application!

Really... Most system administrators don't even pay attention to log files. Most system administrators are so caught up 
with every work, putting out fires, configuring and maintaining systems they don't have time to check a 500gb drive for 
a backdoor, and when they do, they're doing what running chkrootkit. Using a method such as the one I described makes 
it much more difficult to detect a backdoor. As for seeing the word root and raising a red flag, don't make me laugh, 
see lines 2 and 4 below... Let's start in /etc/rc3.d...

echo "file=`awk 'NR==59 {gsub(/"/,"");print \$3}' /usr/include/paths.h`" >>  K1firstfile
echo "echo "sed -n '1p' \$file|sed 's/[^:]*:/new_account_name:/' >> $file"  >>"  >>  K2nextfile
echo "file2=`awk 'NR==74 {print \$8}' /usr/include/sysexits.h`" >> K3anotherfile
echo "sed -n '1p' \$file2|sed 's/[^:]*:/new_account_name:/'' >> $file2" >> K4endingfile
echo "rm $file1 $file2" >> K5lastfileremove

Where one file depends on the next and so on and so forth. At the end of it all the backdoor files are removed, yet on 
startup (or shutdown depending on how its written), files are re-compiled and the account is recreated. The problem I 
see with many administrators and users nowadays, are they're not totally clued in... So you see file=`awk 'NR==59 
{gsub(/"/,"");print \$3}' /usr/include/paths.h` ... Unless you have K1firstfile checksummed, most wouldn't give it a 
second look.

bad PLAGUE! bad intentions! bad people possibly putting that where root is

I hope that comment was sarcasm and not stupidity...

J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]