I had the same problem with a test box that I have on my network. I think the exploit called 73501867 is a trojan. It seems to infect ELF binaries. When I turned on the system (Slackware 8.0 with kernel 2.4.5) I executed 'netstat -an' and nothing showed up. But about 3 minutes later, when I executed 'netstat -an', it showed up:

Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:3049 0.0.0.0:*

Do checksums on your files.

Regards,
Nilton Gomes

-- Original message --
>Actually I was pasted a so-called exploit this afternoon which claims to
>exploit via POST but was only pasted a binary,
>however please watch out for this. I believe it's a working exploit but it
>also seems to open up a UDP port on 3049 and somehow seems to clone the
>last proc; when stracing the 3049 all it seems to do is sit there and
>recv(...) and does nothing when you type anything.
>
>binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.
>
>Has anyone seen this about before?? Is this a trojan? If not, then why does
>it open udp 3049 even after a reboot?
>I trace the proc opening that port, kill it, and it seems to clone somehow my
>last proc and then 2 mins later opens the port again.
>
>Any ideas?
>
>
>----- Original Message -----
>From: "Olaf Kirch" <okirat_private>
>To: "H D Moore" <hdmat_private>
>Cc: <fractalgat_private>; <vuln-devat_private>
>Sent: Wednesday, February 27, 2002 3:07 AM
>Subject: Re: Rumours about Apache 1.3.22 exploits
>
>
>> > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
>> > working exploit floating around which provides a remote bindshell for PHP
>> > versions 4.0.1 to 4.0.6 with a handful of default offsets for different
>> > platforms.
>>
>> Blechch. This code is really icky. There's really an sprintf down there
>> in the code that looks bad (apart from a few other things that look bad).
>> But if I don't misread the patch, the sprintf is still there in 4.1.1.
>>
>> > Since the PHP developers committed another change to the affected
>> > source file (rfc1687.c) about two days ago, speculation is that there is yet
>> > another remote exploit.
>>
>> Not in the public CVS (has been removed?)
>>
>> Olaf
>> --
>> Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
>> okirat_private | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
>> okirat_private +-------------------- Why Not?! -----------------------
>> UNIX, n.: Spanish manufacturer of fire extinguishers.
>>
>
>
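As an added example (not part of this thread and not code posted by anyone in it), the two defensive checks Nilton's message points at, in Python: a SHA-256 baseline of the ELF files under a directory that a later run can be diffed against, and a parser for 'netstat -an' output that flags sockets accepting input on ports you did not expect. The netstat sample and the file tree are constructed for the demo; the stub "ELF" files are only the magic bytes plus padding, and the name 73501867 is used purely as a label for the file dropped in during the simulated infection.

```python
import hashlib
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Constructed sample of 'netstat -an' output for the demo; not a real capture.
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:41822          ESTABLISHED
udp        0      0 0.0.0.0:3049            0.0.0.0:*
"""


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def baseline(root):
    """Map each regular ELF file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink() and is_elf(p):
                digests[p.relative_to(root).as_posix()] = sha256_of(p)
    return digests


def compare(old, root):
    """Diff a stored baseline against the current tree: changed, new, missing."""
    new = baseline(root)
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def listeners(netstat_output):
    """Parse 'netstat -an' text into (proto, address, port) for sockets that
    accept input: every bound UDP socket, and TCP sockets in LISTEN state."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0][:3] not in ("tcp", "udp"):
            continue
        proto = parts[0]
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        if proto.startswith("tcp") and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue
        found.append((proto, addr, int(port)))
    return found


def unexpected_listeners(netstat_output, allowed_ports):
    """Listeners whose port is not in the set of ports you expect to be open."""
    return [l for l in listeners(netstat_output) if l[2] not in allowed_ports]


def demo():
    """Build a constructed tree of stub ELF files, take a baseline, simulate one
    altered binary and one dropped-in file, and return what the diff reports."""
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61  # constructed stub, not a real binary
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(fake_elf)
        (root / "bin" / "ps").write_bytes(fake_elf)
        (root / "README").write_bytes(b"not an ELF file\n")  # ignored by baseline()
        before = baseline(root)
        # Simulated infection: one existing binary altered, one new file dropped in.
        with open(root / "bin" / "ls", "ab") as f:
            f.write(b"\x90" * 16)
        (root / "bin" / "73501867").write_bytes(fake_elf + b"\xff")
        return compare(before, root)


if __name__ == "__main__":
    print("integrity diff:", demo())
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT, {22}))
```

In practice the baseline would be written out (and kept off the box, or on read-only media) right after a clean install, since a baseline taken after the binary has run is worthless; and the port check is only as good as the allow-list you compare against, so build that list from the services you know the host runs.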
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 16:47:59 PST