Hi folks.. I was meddling in a friend's box when I came across a weird file in /tmp with apache perms. I thought it was an exploit to obtain root since the machine was vuln to the OpenSSL problem, but it turned out to be something else. Attached I send the stuff I found, it's quite self-explanatory. I've looked at it for a few minutes, it's the Slapper code, with some comments and a shell script that gathers info about the box and sends it to an email account at yahoo.com. The IP that is written on the worm resolves to an ADSL account on some ISP, I guess it is some kind of target since it would be quite stupid to put your home IP on a worm.
regards,
cray
--
http://obfuscated.info :: The light weight of mind..
cinik.tgz
Description: application/gzip-compressed
