Linux Kernel Exploits / ABFrag

From: daniel.robertsat_private
Date: Wed Oct 16 2002 - 18:00:35 PDT

Next message: Esler, Joel: "RE: HTTP attack looking for /sumthin ?"

Previous message: GiulioMaria Fontana: "Slapper worm "ink" instead of "cinik" (Re: slapper worm varient "cinik")"
Next in thread: Ali Saifullah Khan: "Re: Linux Kernel Exploits / ABFrag"
Next in thread: Christopher Wagner: "Re: Linux Kernel Exploits / ABFrag"
Reply: Ali Saifullah Khan: "Re: Linux Kernel Exploits / ABFrag"
Reply: Curt Wilson: "Re: Linux Kernel Exploits / ABFrag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greetings.
    Today I had a rather strange experiance. At about 4:30 pm GMT my
IDS began reporting strange TCP behaviour on my network segment. As I
was unable to verify the cause of this behaviour I was forced to remove
the Linux box that I use a border gateway and traffic monitor - at no small
cost to my organization - the network is yet to be reconnected.
After a reboot and preliminary analysis I found the binary ABfrag sitting
in /tmp. It had only been created minutes before.
Setting up a small sandbox I ran the program and was presented with the following
output:

 
----------------------------------------------------------------------------
 
ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit
 
Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.
 
WARNING:
Unlicensed usage and/or distribution of this program carries heavy fines
and penalties under American, British, European and International copyright
law.
Should you find this program on any compromised system we urge you to delete
this binary rather than attempt distribution or analysis. Such actions would
be both unlawful and unwise.
 
----------------------------------------------------------------------------
password:
invalid key  

I remembered, vaguely - I sift through a lot of security mail each day, some 
talk of a rumoured Linux kernel exploit circulating among members of the hacker
underground. On the advice of some friends in law-enforcement I joined the EFnet
channels #phrack and #darknet and tried to solicit some information regarding this
alleged exploit. Most people publicly attacked me for my neivette but two individuals
contacted me via private messages and informed me that the "ac1db1tch3z" were bad news,
apparently a group of older (mid 20's) security guru's, and that I should delete the
exploit and forget I ever knew it existed.
However, somthing twigged my sense of adventure and prompted me to try and get this out
to the community.

Any help or information regarding this will be of great help.

I have attached the binary although it appears to be encrypted and passworded. I wish
any skilled programmers the best of luck in decyphering it.

Yours,

Daniel Roberts
Head Network Manager





Get your free encrypted email at https://www.hushmail.com

Next message: Esler, Joel: "RE: HTTP attack looking for /sumthin ?"
Previous message: GiulioMaria Fontana: "Slapper worm "ink" instead of "cinik" (Re: slapper worm varient "cinik")"
Next in thread: Ali Saifullah Khan: "Re: Linux Kernel Exploits / ABFrag"
Next in thread: Christopher Wagner: "Re: Linux Kernel Exploits / ABFrag"
Reply: Ali Saifullah Khan: "Re: Linux Kernel Exploits / ABFrag"
Reply: Curt Wilson: "Re: Linux Kernel Exploits / ABFrag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 13:57:46 PDT