Security Incidents: Re: New Linux Trojan

Re: New Linux Trojan

From: Nick FitzGerald <nick_at_virus-l.demon.co.uk>
Date: Sun, 9 Sep 2001 11:56:15 +1200

Qualys Inc <research_at_qualys.com> wrote:

<<snip>>
> The backdoor process of Remote Shell Trojan also issues an HTTP GET
> request to port 80 on the host 212.15.64.41 (orinoco.portland.co.uk).
> This host does not appear to return any meaningful results upon
> such a request.

Is it just a simple GET requesting that site's homepage?

I note that the page returned from that site includes this:

   <FORM ACTION="http://www.portland.co.uk/cgi-bin/formmail.pl"...

and wondered if it may be one of the vulnerable formmails that can be
used for arbitrary Emailing. This would be a simple way to obfuscate
(at the Trojan-compromised site's end) an Email-based "phone home"
scheme...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
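As an added defensive illustration, not part of the original post: a small log-triage script that applies the two observations from this thread to outbound web-proxy records. It flags internal clients that fetch anything from the host Qualys reported (212.15.64.41 / orinoco.portland.co.uk, both taken from the message) and, separately, clients that submit to a formmail.pl path, which is the "phone home via open formmail" channel Nick speculates about. The log layout (timestamp, client, method, URL, status) and every log line are constructed for the example; adapt the regex to your proxy's real format.

```python
import re
from collections import Counter

# Indicators quoted in the thread above: the host the backdoor contacts
# (reported by Qualys) and the formmail.pl path Nick FitzGerald noticed.
BEACON_HOSTS = {"212.15.64.41", "orinoco.portland.co.uk"}
FORMMAIL_PATH = "/cgi-bin/formmail.pl"

# Constructed sample proxy log. Assumed layout (not a real product's format):
#   <epoch> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
999999001 10.0.0.5 GET http://www.example.com/index.html 200
999999002 10.0.0.7 GET http://212.15.64.41/ 200
999999003 10.0.0.9 POST http://www.portland.co.uk/cgi-bin/formmail.pl 200
999999004 10.0.0.5 GET http://orinoco.portland.co.uk/ 200
this line is deliberately malformed and must be skipped
999999005 10.0.0.7 GET http://212.15.64.41/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Pull host (without port) and path out of an absolute http(s) URL.
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#\s]*)?")


def parse_line(line):
    """Return (client, method, host, path) for one log line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    host = u.group("host").lower()
    path = u.group("path") or "/"
    return m.group("client"), m.group("method"), host, path


def scan(log_text):
    """Triage a proxy log.

    Returns {"beacons": {client: hit_count}, "formmail": [clients]}.
    Beacon hits are counted per client so repeat contacts (the periodic
    check-in a backdoor would make) rank above a one-off fetch.
    """
    beacons = Counter()
    formmail = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        client, method, host, path = rec
        if host in BEACON_HOSTS:
            beacons[client] += 1
        # A submission to a formmail.pl from inside the network is the
        # "email phone home" pattern; match on path suffix, any host.
        if method == "POST" and path.endswith(FORMMAIL_PATH) and client not in formmail:
            formmail.append(client)
    # Most frequent beaconing client first.
    ordered = dict(sorted(beacons.items(), key=lambda kv: (-kv[1], kv[0])))
    return {"beacons": ordered, "formmail": formmail}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for client, n in result["beacons"].items():
        print(f"beacon candidate {client}: {n} contact(s) to reported host")
    for client in result["formmail"]:
        print(f"formmail submission from {client}: check for relay abuse")
```

The host match is exact rather than a substring test so that unrelated names sharing a suffix are not flagged; if you are looking for the formmail relay pattern more broadly, the path rule is the one to widen, since the quoted form action names a specific host but any open formmail script would serve the same purpose.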
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Sep 09 2001