I don't see the attachment. Could you re-send it?

Keep in mind you could have gotten owned via a known method. There have been
lots of rumors about a remote kernel attack, and it could just be a hoax/decoy
to further propagate that rumor and/or direct your attention away from the
real method of entry. Could you also elaborate on what exactly the IDS
reported?

On Wed, 16 Oct 2002 daniel.robertsat_private wrote:

> Greetings.
>
> Today I had a rather strange experience. At about 4:30 pm GMT my IDS began
> reporting strange TCP behaviour on my network segment. As I was unable to
> verify the cause of this behaviour I was forced to remove the Linux box that
> I use as a border gateway and traffic monitor - at no small cost to my
> organization - the network is yet to be reconnected.
>
> After a reboot and preliminary analysis I found the binary ABfrag sitting in
> /tmp. It had only been created minutes before.
>
> Setting up a small sandbox I ran the program and was presented with the
> following output:
>
> ----------------------------------------------------------------------------
>
> ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit
>
> Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.
>
> WARNING:
> Unlicensed usage and/or distribution of this program carries heavy fines
> and penalties under American, British, European and International copyright
> law.
> Should you find this program on any compromised system we urge you to delete
> this binary rather than attempt distribution or analysis. Such actions would
> be both unlawful and unwise.
>
> ----------------------------------------------------------------------------
> password:
> invalid key
>
> I remembered, vaguely - I sift through a lot of security mail each day -
> some talk of a rumoured Linux kernel exploit circulating among members of
> the hacker underground. On the advice of some friends in law enforcement I
> joined the EFnet channels #phrack and #darknet and tried to solicit some
> information regarding this alleged exploit. Most people publicly attacked me
> for my naivety, but two individuals contacted me via private messages and
> informed me that the "ac1db1tch3z" were bad news, apparently a group of
> older (mid 20's) security gurus, and that I should delete the exploit and
> forget I ever knew it existed.
>
> However, something twigged my sense of adventure and prompted me to try and
> get this out to the community.
>
> Any help or information regarding this will be of great help.
>
> I have attached the binary, although it appears to be encrypted and
> passworded. I wish any skilled programmers the best of luck in deciphering
> it.
>
> Yours,
>
> Daniel Roberts
> Head Network Manager

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 22:52:39 PDT