
RE: [suse-security] Re: Backdoor over http(s)??

Hello Mark,

On Tue, 13.01.2004 at 17:27, Retallack, Mark (Siemens) wrote:
> As far as I can tell there are 2 IP addresses that we have:
> 
> 218.234.171.84 - From where the files are downloaded
> 163.17.51.8    - Where the application connects to when it is run on the
> compromised machine.

Ah. I didn't notice there are two machines involved here. Is there a way
to find out who is running those machines and send along a message to
shut down one of them so that this scriptkiddy has to look for another
victim?

> If you assume that the rs.c source file contains the code for the rhs/.do
> application then 163.17.51.8 will be the address that the application
> connects to on the internet and opens a shell for the remote hacker to use.
> From looking at the code, it is not a worm/virus type of application, it
> requires a human to infect the destination computer. 

Which requires another remote exploit. So when I don't run dynamic
content on my webserver and the yast online update installs the latest
fixes automated every night, the risk should be marginal, right?

> I think that 218.234.171.84 is just a storage location for the files. If
> this is correct then both machines are the origin, however the 163.17.51.8
> computer is the more important one because it is the one that the hacker
> would use to communicate to the compromised machine (directly or via a proxy
> of some sort). 

[fun]I'm bored. Let's DOS that machine list! :-)[/fun]

Seriously. When such a "hack" can be traced back by simply looking into
network traffic and source code why are folks not going after those
machines or their owners?

> No real reason. I just like to be paranoid, just in case the file contains
> JavaScript or something. Just because the file ends in .c, does not mean
> that it is a 'real' c file.

That's what I was wondering about... if maybe you already found some
malicious content behind that URL.

> > I've given them a look. Has anybody ever heard of a "pokemon squadron
> > hacking team"?!
> 
> Not me. I did notice the name in the html file. Google does not give any
> information either.

The name suggests some 13 year old script kiddy though ;-)

kind regards,
Tobias


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here