Re: [suse-security] Re: Backdoor over http(s)??
Retallack, Mark (Siemens) wrote:
If you assume that the rs.c source file contains the code for the rhs/.do
application then 18.104.22.168 will be the address that the application
connects to on the internet and opens a shell for the remote hacker to use.
From looking at the code, it is not a worm/virus type of application, it
requires a human to infect the destination computer.
I think that 22.214.171.124 is just a storage location for the files. If
this is correct then both machines are the origin, however the 126.96.36.199
computer is the more important one because it is the one that the hacker
would use to communicate to the compromised machine (directly or via a proxy
of some sort).
I agree that rs.c is used to get a shell on the "remote" computer,
probably then to exploit some local root weakness. However, rs.c does
not produce rhs, I tried and it's the wrong size. Can't tell if it
produces ".do", I don't care to try on my machine. :-)
This is definitely an injection type attack (stating the obvious here
aren't I? :-) If you do a wget on the dir, you get an index.html back
that shows other files there, including a couple of text files (i.txt,
ii.txt) and a couple of perl files (r.pl, do.pl) with other IP addresses
in them (other than the ones listed in this thread). Not sure yet what
they're trying to inject this into.
All very interesting... I've never had a chance to see how this sort of
thing is done before.
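As an added defender-side illustration (not code from the thread or from any of its posters): a backdoor of the kind discussed above hands a shell process a TCP socket as its standard input and output, so on the compromised host a shell whose file descriptors 0, 1 or 2 are of type IPv4/IPv6 is a strong indicator. The script below parses `lsof -nP`-style output for exactly that pattern. The sample output, PIDs, user names and addresses are constructed for the example; only the column layout follows real lsof.

```python
"""Flag shell processes whose standard streams are attached to a network socket.

Input is the text of `lsof -nP` (constructed sample below). A shell with FD
0/1/2 of TYPE IPv4 or IPv6 is reported together with the remote peer it is
connected to, which is the address a responder would want to block and trace.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: one ordinary interactive bash on a pty, a listening
# web server, and one /bin/sh owned by the web server user with all three
# standard streams on a single outbound TCP connection.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash     2231   alice  0u   CHR  136,1      0t0    4 /dev/pts/1
bash     2231   alice  1u   CHR  136,1      0t0    4 /dev/pts/1
httpd    3120   www    3u  IPv4  90012      0t0  TCP *:80 (LISTEN)
sh       3455   www    0u  IPv4  90345      0t0  TCP 10.0.0.5:41022->203.0.113.9:8080 (ESTABLISHED)
sh       3455   www    1u  IPv4  90345      0t0  TCP 10.0.0.5:41022->203.0.113.9:8080 (ESTABLISHED)
sh       3455   www    2u  IPv4  90345      0t0  TCP 10.0.0.5:41022->203.0.113.9:8080 (ESTABLISHED)
"""

SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
SOCKET_TYPES = {"IPv4", "IPv6"}
STD_FDS = {0, 1, 2}


def parse_lsof(text):
    """Turn lsof output into a list of dicts, one per open file descriptor."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 8)              # NAME may contain spaces
        if len(parts) < 9:
            continue
        command, pid, user, fd, ftype, device, size, node, name = parts
        fd_match = re.match(r"(\d+)", fd)        # "0u" -> 0; "cwd", "txt" are skipped
        if not fd_match:
            continue
        rows.append({
            "command": command, "pid": int(pid), "user": user,
            "fd": int(fd_match.group(1)), "type": ftype, "name": name,
        })
    return rows


def peer_of(name):
    """Extract the remote endpoint from a 'local->remote (STATE)' NAME field."""
    if "->" not in name:
        return None
    return name.split("->", 1)[1].split()[0]


def find_socket_shells(rows):
    """Return one finding per shell PID that has a std stream on a socket."""
    by_pid = defaultdict(list)
    for row in rows:
        by_pid[row["pid"]].append(row)

    findings = []
    for pid, fds in sorted(by_pid.items()):
        socket_std = [r for r in fds
                      if r["command"] in SHELLS
                      and r["fd"] in STD_FDS
                      and r["type"] in SOCKET_TYPES]
        if not socket_std:
            continue
        findings.append({
            "pid": pid,
            "command": socket_std[0]["command"],
            "user": socket_std[0]["user"],
            "fds": sorted(r["fd"] for r in socket_std),
            "peer": peer_of(socket_std[0]["name"]),
        })
    return findings


def scan_live():
    """Run lsof on this host and return findings (empty list if lsof is absent)."""
    try:
        out = subprocess.run(["lsof", "-nP"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return find_socket_shells(parse_lsof(out))


if __name__ == "__main__":
    for f in find_socket_shells(parse_lsof(SAMPLE_LSOF)):
        print(f"pid {f['pid']} ({f['command']}, user {f['user']}) "
              f"has fds {f['fds']} on a socket to {f['peer']}")
```

On the constructed sample this reports PID 3455 only: the interactive bash is on a pty and httpd's socket is on FD 3, not a standard stream. `scan_live()` runs the same check against the current host; it needs lsof installed and enough privilege to see other users' descriptors.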