Hrm, exactly what I'm wondering about: is that packet just 'junk' in effect, or is it hiding more? :s I will investigate it. It is strange though, as nothing of the *normal* has detected anything malign yet for me, but I just started the OS I use for this stuff 20 seconds ago, and it has only read a few sectors of the code so far... Yes, it is a home lab; it is just IBM x3 3U racks put together in a DIY kind of rack, but it works for me :) It is also a 'darknet', so a lot of this kind of network shit seems to dribble in from many places. Atm it seems this is the .c file they're trying to hide; apparently it can send a negotiation which just trashes the SMB client, according to this, which I am going to see what it does exactly in about 5 minutes :P I will keep you informed, as yes, usually most DDoS which uses *trash* code to send as a broadcasting packet would encapsulate exactly this BS, which this is not. There is some code in there, but it is also not straightforward yet for me until I have results; it does spawn some strange sockets though :s I will see where it leads. Thx for that info about the SMB bugs; I do know of them, but I have just seen this done once properly on Linux, which is a really hardass attacking tool and clobbers the SMB server, but this one seemingly does it differently. There is a winssmb-nuke tool already; I know that DOES work 100%. Now I did a little Google b4 ending this post, and this is the apparent descendant, which was sold. I will look now and wait for my OS to read through it a bit... and the darknet to see where it connects. Interesting one though.
I have also found similar code for something else called ipv6killer.c (no, not ipv6fuck.c, which is also actually real), but ipv6killer.c, which is almost exactly this same code but actually seems set up for IPv6, so it makes me think about this one harder :s I am stumped until I have a malware analysis from my box, as I don't run things at first glance, especially DDoS crap that will certainly lead to mem corruption :P OK, cheers so far, I'll keep looking! xd
On 26 October 2011 13:03, Flavio do Carmo Junior <[email protected]> wrote:
> 'system(h3llcode)' ??
>
> Should be fun...
>
> On 10/26/11, xD 0x41 <[email protected]> wrote:
> > Hello List,
> > I'd like people to also, like this thread asks, please give some opinion
> > other than mine, which I am yet to make;
> >
> > http://www.hackerthreads.org/Topic-5973
> >
> > Please look at this .c code on here, if you wish, and tell me why
> > A. It is still in circulation, seemingly, on MANY MANY boxes....
> > B. People still seem to try to keep it private :s
> >
> > This morning, a friend from webhostingtalk.com asked me to take a look.
> > I have, and I can only say so far that once I decrypt the shellcode, I'll know
> > a bit more.
> > Although I remember this thing, and so many people were after it, people were
> > paying for it; this is the first time I have seen it actually disclosed though,
> > admittedly I only looked today.
> > If skiddies are using it to DDoS things, I want to make sure I can expose it,
> > and kill the threats.
> > Thank you.
> > xD .// exposing bullshit as I ride!
> >
>
> --
> Sent from my mobile device
>
> --
> Best regards,
>
> Flávio do Carmo Júnior
> Sydney/NSW
> http://au.linkedin.com/in/carmoflavio/en
> http://0xcd80.wordpress.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
