|
|
BugTraq
what is this? Jan 13 2008 04:01PM crazy frog crazy frog (i m crazy frog gmail com) (5 replies) Re: what is this? Jan 15 2008 05:16AM Denis (sp23 internode on net) (3 replies) Re: what is this? Jan 15 2008 06:12AM crazy frog crazy frog (i m crazy frog gmail com) (2 replies) Re: [Full-disclosure] what is this? Jan 15 2008 06:45AM Nick FitzGerald (nick virus-l demon co uk) (1 replies) Re: [Full-disclosure] what is this? Jan 15 2008 08:26AM crazy frog crazy frog (i m crazy frog gmail com) (1 replies) Re: [Full-disclosure] what is this? Jan 15 2008 05:22PM Gadi Evron (ge linuxbox org) (1 replies) Re: [Full-disclosure] what is this? Jan 15 2008 05:24PM crazy frog crazy frog (i m crazy frog gmail com) Re: [Full-disclosure] what is this? Jan 14 2008 09:34AM 3APA3A (3APA3A SECURITY NNOV RU) (1 replies) Re: [Full-disclosure] what is this? Jan 14 2008 11:52AM Nick FitzGerald (nick virus-l demon co uk) (1 replies) Re: [Full-disclosure] what is this? Jan 14 2008 01:56PM crazy frog crazy frog (i m crazy frog gmail com) |
|
Privacy Statement |
However it could and be a privilege escalation scenario through the
application layer .. maybe PHP, knowing its history and the fact it's
present on all the infected machines.
Anyway, nobody really knows how the initial root compromise is achieved
but it's definately one (root compromise that is).
Denis
On Tue, 15 Jan 2008 11:33:27 -0500
"Memisyazici, Aras" <arasm (at) vt (dot) edu [email concealed]> wrote:
---> @Dennis:
--->
---> <quote>
---> (...)
---> From all reports so far it does not appear to be a
---> kernel vulnerability (as some of the affected servers were using latest
---> kernels)
---> </quote>
--->
---> And... how can you assume that exactly? What if this is an
---> unpatched/unseen kernel vulnerability?
--->
---> Aras "Russ" Memisyazici
---> IT/R&D/Security Specialist
--->
---> Outreach Information Services
---> Virginia Tech
--->
---> -----Original Message-----
---> From: Denis [mailto:sp23 (at) internode.on (dot) net [email concealed]]
---> Sent: Tuesday, January 15, 2008 12:16 AM
---> To: crazy frog crazy frog
---> Cc: bugtraq (at) securityfocus (dot) com [email concealed]
---> Subject: Re: what is this?
--->
---> This is a very serious new threat affecting Linux servers and thousands
---> of boxes have been compromised since December 2007.
--->
---> Each box serving the nasty javascript has been rooted. One person has
---> found a way to CLEAN the infection (ie. stop your server from serving
---> the bad javascript), however not the root hole ie. the servers in
---> question are still rooted as nobody so far has found what hole is being
---> exploited to gain root access in the first place.
--->
---> See the following urls for a lot more info on this exploit:
--->
---> http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
---> starts on page 3 or so)
--->
---> http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
--->
---> Time for some honey pot action to find out how they're gaining root
---> access to begin with. From all reports so far it does not appear to be a
---> kernel vulnerability (as some of the affected servers were using latest
---> kernels)
--->
---> Cheers,
---> Denis
--->
--->
---> On Sun, 13 Jan 2008 21:31:34 +0530
---> "crazy frog crazy frog" <i.m.crazy.frog (at) gmail (dot) com [email concealed]> wrote:
--->
---> ---> Hi,
---> --->
---> ---> Recently on opening one of my site,my antivirus pops up saying that
---> it
---> ---> has found on malicious script.the url is random and i have managed
---> to
---> ---> get tht script.it is using some flaw in apple quick time.
---> ---> u can get the zip file for java script here:
---> ---> http://secgeeks.com/what.zip
---> ---> password is 12345
---> ---> can somebody guide/help me what is this and how can i remove it?
---> --->
---> ---> --
---> ---> advertise on secgeeks?
---> ---> http://secgeeks.com/Advertising_on_Secgeeks.com
---> ---> http://newskicks.com
--->
---> Denis
[ reply ]