Full Disclosure mailing list archives

Re: ABfrag / linux kernel vulns


From: KF <dotslash () snosoft com>
Date: Thu, 17 Oct 2002 10:23:53 -0400

I think the patch is here but I cannot read it, so someone else will have to tell me if it's really here. =]

http://www.thefreeworld.net/non-US/

-KF



Mike Tone wrote:

errrrr... hmmm http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html

note: http://www.kernel.org/pub/linux/kernel/v2.4/testing/ says that latest pre-patch is 2.4.20-pre11 (15/oct/02)

Also, how does the DMCA come into play with reverse engineering malcode?

-----

New Linux Kernel Exploit? / ABFrag
By Daniel Roberts
Posted By: Dave Wreski 10/16/2002 21:42

Daniel Roberts discovered a binary named "ABfrag" on one of his servers after detecting suspicious network activity. He sent in a note requesting anyone with information to contact him in an effort to decipher its purpose.

From: daniel.roberts () hushmail com
To: bugtraq () securityfocus com, vuln-dev () securityfocus com, incidents () securityfocus com, cert () cert org, submissions () packetstormsecurity org, contribute () linuxsecurity com
Subject: Linux Kernel Exploits / ABFrag

Greetings.

Today I had a rather strange experience. At about 4:30 pm GMT my IDS began reporting strange TCP behaviour on my network segment. As I was unable to verify the cause of this behaviour I was forced to remove the Linux box that I use as a border gateway and traffic monitor - at no small cost to my organization - the network is yet to be reconnected.

After a reboot and preliminary analysis I found the binary ABfrag sitting in /tmp. It had only been created minutes before. Setting up a small sandbox I ran the program and was presented with the following output:

----------------------------------------------------------------------------
ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit
Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.

WARNING: Unlicensed usage and/or distribution of this program carries heavy fines and penalties under American, British, European and International copyright law. Should you find this program on any compromised system we urge you to delete this binary rather than attempt distribution or analysis. Such actions would be both unlawful and unwise.
----------------------------------------------------------------------------
password: invalid key

I remembered, vaguely - I sift through a lot of security mail each day - some talk of a rumoured Linux kernel exploit circulating among members of the hacker underground. On the advice of some friends in law-enforcement I joined the EFnet channels #phrack and #darknet and tried to solicit some information regarding this alleged exploit. Most people publicly attacked me for my naivety but two individuals contacted me via private messages and informed me that the "ac1db1tch3z" were bad news, apparently a group of older (mid 20's) security gurus, and that I should delete the exploit and forget I ever knew it existed.

However, something twigged my sense of adventure and prompted me to try and get this out to the community. Any help or information regarding this will be of great help. I have attached the binary although it appears to be encrypted and passworded. I wish any skilled programmers the best of luck in deciphering it.

Yours,
Daniel Roberts
Head Network Manager
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
