LINUCA - Asociación de Usuarios GNU/Linux en Cantabria
Rumours of a remote exploit for the Linux TCP/IP stack (7581 reads)
By César González Bolo (http://www.linuca.org/todos.phtml?id_autor=1)
Created 24/10/2002 10:58, modified 24/10/2002 10:58

There are rumours of a new exploit called ABfrag, which supposedly takes advantage of a vulnerability in the Linux kernel's TCP/IP stack to obtain remote root on the attacked host. The warning came from a system administrator who found a very suspicious binary on a machine that had been hacked...


The binary is encrypted and asks for a password before it will run, which makes studying it, and establishing whether the exploit is real or a fake, much harder.
You can get the binary in question here. And this is the original message sent to Bugtraq by the administrator who discovered it:


From: daniel.roberts@hushmail.com
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, incidents@securityfocus.com, cert@cert.org, submissions@packetstormsecurity.org, contribute@linuxsecurity.com
Subject: Linux Kernel Exploits / ABFrag

Greetings. Today I had a rather strange experience. At about 4:30 pm GMT my IDS began reporting strange TCP behaviour on my network segment. As I was unable to verify the cause of this behaviour I was forced to remove the Linux box that I use as a border gateway and traffic monitor - at no small cost to my organization - the network is yet to be reconnected. After a reboot and preliminary analysis I found the binary ABfrag sitting in /tmp. It had only been created minutes before. Setting up a small sandbox I ran the program and was presented with the following output:

  ----------------------------------------------------------------------------

  ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit

  Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.

  WARNING:
  Unlicensed usage and/or distribution of this program carries heavy fines
  and penalties under American, British, European and International copyright
  law.
  Should you find this program on any compromised system we urge you to delete
  this binary rather than attempt distribution or analysis. Such actions would
  be both unlawful and unwise.

  ----------------------------------------------------------------------------
  password:
  invalid key
  
I remembered, vaguely - I sift through a lot of security mail each day - some talk of a rumoured Linux kernel exploit circulating among members of the hacker underground. On the advice of some friends in law-enforcement I joined the EFnet channels #phrack and #darknet and tried to solicit some information regarding this alleged exploit. Most people publicly attacked me for my naivety but two individuals contacted me via private messages and informed me that the "ac1db1tch3z" were bad news, apparently a group of older (mid 20's) security gurus, and that I should delete the exploit and forget I ever knew it existed. However, something twigged my sense of adventure and prompted me to try and get this out to the community.

Any help or information regarding this will be of great help.

I have attached the binary although it appears to be encrypted and passworded. I wish any skilled programmers the best of luck in deciphering it.

Yours,

Daniel Roberts
Head Network Manager
