Re: Linux Kernel Exploits / ABFrag

[h2g.sec.list () zipmail com br]

Hi,
exist rumors about this exploit since 3 months. The archive aparently explores
an imperfection in the TCP Sync (i dont know details about problem). Due
to rumors, exist more two exploits for the problem (maybe fake).
Some forums like ByteRage's PRIVATE forum was dicussing it in private (it
is bad to kids/defacers, but good to security professionals and admins).
Thanks to you and all list readers...
Nilson Gomes

-- Mensagem original --

> Greetings.
>    Today I had a rather strange experiance. At about 4:30 pm GMT my
> IDS began reporting strange TCP behaviour on my network segment. As I
> was unable to verify the cause of this behaviour I was forced to remove
> the Linux box that I use a border gateway and traffic monitor - at no small
> cost to my organization - the network is yet to be reconnected.
> After a reboot and preliminary analysis I found the binary ABfrag sitting
> in /tmp. It had only been created minutes before.
> Setting up a small sandbox I ran the program and was presented with the
following
> output:
>
>
> ----------------------------------------------------------------------------
>
> ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit
>
> Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.
>
> WARNING:
> Unlicensed usage and/or distribution of this program carries heavy fines
> and penalties under American, British, European and International copyright
> law.
> Should you find this program on any compromised system we urge you to delete
> this binary rather than attempt distribution or analysis. Such actions
would
> be both unlawful and unwise.
>
> ----------------------------------------------------------------------------
> password:
> invalid key
>
> I remembered, vaguely - I sift through a lot of security mail each day,
some
> talk of a rumoured Linux kernel exploit circulating among members of the
> hacker
> underground. On the advice of some friends in law-enforcement I joined
the
> EFnet
> channels #phrack and #darknet and tried to solicit some information regarding
> this
> alleged exploit. Most people publicly attacked me for my neivette but two
> individuals
> contacted me via private messages and informed me that the "ac1db1tch3z"
> were bad news,
> apparently a group of older (mid 20's) security guru's, and that I should
> delete the
> exploit and forget I ever knew it existed.
> However, somthing twigged my sense of adventure and prompted me to try
and
> get this out
> to the community.
>
> Any help or information regarding this will be of great help.
>
> I have attached the binary although it appears to be encrypted and passworded.
> I wish
> any skilled programmers the best of luck in decyphering it.
>
> Yours,
>
> Daniel Roberts
> Head Network Manager
>
>
>
>
>
> Get your free encrypted email at https://www.hushmail.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com



------------------------------------------
Use o melhor sistema de busca da Internet
Radar UOL - http://www.radaruol.com.br