
Re: [suse-security] Re: Backdoor over http(s)??



Retallack, Mark (Siemens) wrote:

...

If you assume that the rs.c source file contains the code for the rhs/.do
application then 163.17.51.8 will be the address that the application
connects to on the internet and opens a shell for the remote hacker to use.
From looking at the code, it is not a worm/virus type of application, it
requires a human to infect the destination computer.
I think that 218.234.171.84 is just a storage location for the files. If
this is correct then both machines are the origin, however the 163.17.51.8
computer is the more important one because it is the one that the hacker
would use to communicate to the compromised machine (directly or via a proxy
of some sort).
...


I agree that rs.c is used to get a shell on the "remote" computer, probably then to exploit some local root weakness. However, rs.c does not produce rhs, I tried and it's the wrong size. Can't tell if it produces ".do", I don't care to try on my machine. :-)

This is definitely an injection type attack (stating the obvious here, aren't I? :-) If you do a wget on the dir, you get an index.html back that shows other files there, including a couple of text files (i.txt, ii.txt) and a couple of perl files (r.pl, do.pl) with other IP addresses in them (other than the ones listed in this thread). Not sure yet what they're trying to inject this into.

All very interesting... I've never had a chance to see how this sort of thing is done before.

Kevin

