RE: [suse-security] Re: Backdoor over http(s)??
On Tue, 13.01.2004 at 17:27, Retallack, Mark (Siemens) wrote:
> As far has I can tell there are 2 IP address that we have:
> 184.108.40.206 - From where the files are downloaded
> 220.127.116.11 - Where the application connects to when it is run on the
> compromised machine.
Ah. I didn't notice there are two machines involved here. Is there a way
to find out who is running those machines and send along a message to
shut down one of them so that this script kiddy has to look for another
> If you assume that the rs.c source file contains the code for the rhs/.do
> application then 18.104.22.168 will be the address that the application
> connects to on the internet and opens a shell for the remote hacker to use.
> From looking at the code, it is not a worm/virus type of application, it
> requires a human to infect the destination computer.
Which requires another remote exploit. So when I don't run dynamic
content on my webserver and the yast online update installs the latest
fixes automated every night, the risk should be marginal, right?
> I think that 22.214.171.124 is just a storage location for the files. If
> this is correct then both machines are the origin, however the 126.96.36.199
> computer is the more important one because it is the one that the hacker
> would use to communicate to the compromised machine (directly or via a proxy
> of some sort).
[fun]I'm bored. Let's DOS that machine list! :-)[/fun]
Seriously. When such a "hack" can be traced back by simply looking into
network traffic and source code why are folks not going after those
machines or their owners?
> No real reason. I just like to be paranoid, just in case the file contains
> that it is a 'real' c file.
That's what I was wondering about... if maybe you already found some
malicious content behind that URL.
> > I've given them a look. Has anybody ever heard of a "pokemon squadron
> > hacking team"?!
> Not me. I did notice the name in the html file. Google does not give any
> information either.
The name suggests some 13 year old script kiddy though ;-)
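The thread's point that a connect-back tool of this kind can be traced "by simply looking into network traffic and source code" can be shown end to end. The following is an added example, not code from the thread or from the rs.c tool it discusses: it extracts the hard-coded controller address and port from a source file or binary in the way strings(1) would, then matches them against outbound connections in firewall log lines. All names, the source fragment, the TEST-NET addresses and the netfilter-style log lines are constructed for the example, and the log format only approximates the fields a real iptables LOG rule emits.

```python
from __future__ import annotations
import re
from ipaddress import IPv4Address, AddressValueError

# --- Constructed sample inputs (not from the thread, not real hosts) ---------
# A source fragment in the style of a connect-back tool: the controller address
# and port are hard-coded, which is exactly why they are recoverable.
SAMPLE_SOURCE = b"""
/* build 10.20.30.400 -- decoy: looks like an address but is not one */
#include <netinet/in.h>
#define HOST "198.51.100.23"   /* controller; constructed TEST-NET-2 address */
#define PORT 6667
int main(void) {
    struct sockaddr_in sa;
    sa.sin_family = AF_INET;
    sa.sin_port = htons(PORT);
    sa.sin_addr.s_addr = inet_addr(HOST);
    /* ... connect(), then dup2() the socket onto a /bin/sh ... */
    return 0;
}
"""

# Constructed netfilter-style LOG lines from the web server 192.0.2.10; only
# the fields this example reads are included. The third line is the controller
# connecting *to* us, which is not a connect-back and must not be flagged.
SAMPLE_LOG = """\
Jan 13 17:41:02 www kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 PROTO=TCP SPT=40122 DPT=6667 SYN
Jan 13 17:41:05 www kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40123 DPT=80 SYN
Jan 13 17:42:11 www kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
"""

DOTTED_QUAD = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PORT_HINT = re.compile(r"(?:htons\(|#define\s+PORT\s+)(\d{1,5})")
LOG_FIELD = re.compile(r"(\w+)=(\S*)")


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Like strings(1): runs of printable ASCII of at least min_len bytes.
    Works the same on a .c file and on a compiled binary."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def extract_indicators(data: bytes) -> dict:
    """Hard-coded IPv4 addresses and port hints found in source or a binary.
    Every dotted-quad candidate is validated octet by octet, so the decoy
    10.20.30.400 is rejected rather than reported."""
    addresses, ports = set(), set()
    for s in printable_strings(data):
        for cand in DOTTED_QUAD.findall(s):
            try:
                addresses.add(str(IPv4Address(cand)))
            except AddressValueError:
                continue
        for p in PORT_HINT.findall(s):
            if 0 < int(p) < 65536:
                ports.add(int(p))
    return {"addresses": addresses, "ports": ports}


def parse_netfilter_log(text: str) -> list[dict]:
    """Parse KEY=VALUE fields from kernel LOG lines. A packet with OUT set and
    IN empty was generated by this host, i.e. it is outbound."""
    entries = []
    for line in text.splitlines():
        if "kernel:" not in line:
            continue
        f = dict(LOG_FIELD.findall(line))
        entries.append({
            "outbound": bool(f.get("OUT")) and not f.get("IN"),
            "src": f.get("SRC"),
            "dst": f.get("DST"),
            "proto": f.get("PROTO"),
            "dpt": int(f["DPT"]) if f.get("DPT", "").isdigit() else None,
        })
    return entries


def find_connect_backs(entries: list[dict], indicators: dict) -> list[dict]:
    """Outbound connections from our hosts to an address recovered from the
    tool. A destination port that also matches the tool is stronger evidence;
    the source host of such a connection is the compromised machine."""
    hits = []
    for e in entries:
        if e["outbound"] and e["dst"] in indicators["addresses"]:
            hits.append({
                "victim": e["src"],
                "controller": e["dst"],
                "dpt": e["dpt"],
                "port_matches": e["dpt"] in indicators["ports"],
            })
    return hits


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_SOURCE)
    print("indicators:", ind)
    for h in find_connect_backs(parse_netfilter_log(SAMPLE_LOG), ind):
        print("connect-back:", h)
```

Direction is what makes the match meaningful: an inbound packet from the controller address (the third sample line) is not evidence that the local host runs the tool, whereas an outbound SYN from the web server to the hard-coded address and port is. Real binaries carry more string noise than this sample, so the address set should be cross-checked against the log rather than treated as proof on its own.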