openbse rumours

From: Van Cloude Jandame (vancloudejandameat_private)
Date: Mon Jun 17 2002 - 01:37:45 PDT


    Dear readers, 
    
    A few days ago, while I was at #darknet, I saw three ScRiPtKidIeZ (among the rest of them) talking about the 7350-crocodile.c, 7350-obsdftpd.c and 7350-pf.c exploit code by team TESO, made with support from GOBBLES Security, who gave them the advisories. 
    
    The good news: 
    
    The exploits ain't that widely spread and they've been kept in the underground for about 1 month. This ain't really good news, but it is better than the news that follows. 
    
    The bad news: 
    
    - OpenBSD ftp/cvs have been compromised and backdoored by the kiddies, who hang out mostly on #!hack.the.turkey at EFnet. 
    - The technique is new and very obscure; the three exploits abuse it, and it is applicable only on *BSD flavors (AFAIK). 
    
    
    A really short part of the logs shows this: 
    
    <m0rgan> ./a.out 
    <m0rgan> 7350-crocodile - x86/OpenBSD apache/telnetd/sshd 
    *** pr0ix (pr0ix@def-con.org) has joined #darknet 
    <m0rgan> by lorian and scut / TESO 
    <m0rgan> 
    <m0rgan> ./7350-crocodile [options] [host] [port] [misc-option] 
    <m0rgan> 
    <m0rgan> -d <daemon> (1= apache, 2= telnetd, 3= sshd) 
    <m0rgan> -b bruteforce 
    <m0rgan> -c check only 
    <m0rgan> -s <0xaddr> start address 
    <m0rgan> -S shellcode (? to show the list) 
    <pr0ix> wtf? 
    <m0rgan> 
    <m0rgan> greetz: synnergy, GOBBLES Security, ElectronicSoulz, shiftee, bnuts, skyper. 
    <m0rgan> sidenote: nasa.gov was really easy ;> 
    <m0rgan> muahah fear. 
    <xxx> could you send me that? 
    *** pr0ix sets mode: +b xxx!*@200.* 
    *** xxx was kicked by pr0ix (0day-lurker) 
    
    Keep an eye on your logs: as they said, the exploit makes a lot of noise in the system and "private" logs and thus is easy to spot; turn your IDS on. 
    
    Cheers, 
    Martin (VanCloudeJandame)
    



    This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 07:33:56 PDT