Full Disclosure mailing list archives
Re: I'm new here, and I already have something to share
From: Alex <fd () daloo de>
Date: Fri, 08 Nov 2013 18:47:36 +0100
I don't care about this worm. Having a password on SSH is not user friendly. Damn you, security guys.
On 7 November 2013 07:02:23, Jack Johnson <jack () mail umbrellix tk> wrote:
It is a user-friendly report about a new worm/rootkit (it only goes into worm mode when UUCP is active) that is able to, but has not yet, wreaked havoc on any system that it infects. This report does drop dox, since it mentions the handle of an EFNet user. However, all it is is a description of a currently active rootkit.

Xplatform.JPreskit rootkit
User-friendly report written by Jack Johnson 'j4jackj' on EFNet

DESCRIPTION
This newest infection is a rootkit spread by weak passwords and duff links. It was made by an EFNetter called JPres. He originally developed it on the BeOS, but it is able to strike every operating system that has actual use in the world.

THREAT LEVEL
This threat is terminal, for once a computer is infected, if you isolate it, the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk on which / resides. It is able to infect Windows ia32 and amd64 architectures, Debian and RHEL 32 and 64, and the BeOS, PowerPC and Intel. Threat activation is manual, by an unsuspecting user or by the master using a weak password via SSH and RSH.

PAYLOAD DELIVERY
Payload delivery once the rootkit is on the computer is by Pastebin.com. Payloads are encrypted and base64 encoded. It is unknown which encryption method from those available in a default (insert form of UNIX here) install is used. The format for payload titles is @tagYYYYMMDDSS, where YYYYMMDDSS is a serial number determining the time of execution and tag is the tag of the rooted machine.

BEHAVIOUR
On UNIX systems, when UUCP is enabled, this rootkit is also a worm. This rootkit/worm is able to morph by the master issuing commands to the worm.

RECOMMENDED ACTION
You must back up and reinstall. This rootkit may still be present after a reinstall if you moved your files to the new installation.

PREVENTION
In the future, do not allow anonymous SSH into your computer, unless for things like UUCP. This will prevent future reinfection.

Thank you for reading this report as a matter of urgency.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
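The quoted report names weak passwords over SSH and RSH as the infection vector and advises not to "allow anonymous SSH", which in practice means key-only SSH and no BSD r-services. As an added example that is not part of this thread, the POSIX shell script below audits an OpenSSH sshd_config and an inetd.conf for the settings that leave password or rhosts login open. The sample configuration files are constructed for the example; the OpenSSH parsing rules (first occurrence of a keyword wins, keywords are case-insensitive, the global section ends at the first Match line) and the defaults written beside each check are assumptions noted in the comments, not something the page states.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit an OpenSSH sshd_config
# and an inetd.conf for the settings that let a "weak password via SSH and RSH"
# infection spread. Assumptions (not stated on the page): OpenSSH keyword
# semantics (first occurrence wins, keywords case-insensitive, the global
# section ends at the first Match line) and the OpenSSH defaults passed as the
# third argument of each effective_value call.

# effective_value FILE KEYWORD DEFAULT -> print the value sshd would apply
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*(#|$)/            { next }            # comments, blank lines
        tolower($1) == "match"          { exit }            # end of global section
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE -> one finding per line on stdout; exit status 1 if any
audit_sshd() {
    f=$1; n=0
    if [ "$(effective_value "$f" PasswordAuthentication yes)" = yes ]; then
        echo "sshd: PasswordAuthentication yes - password guessing over SSH is possible"
        n=$((n + 1))
    fi
    # KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication;
    # with UsePAM it can still deliver a password prompt when PasswordAuthentication is off
    kbd=$(effective_value "$f" KbdInteractiveAuthentication \
          "$(effective_value "$f" ChallengeResponseAuthentication yes)")
    if [ "$kbd" = yes ]; then
        echo "sshd: KbdInteractiveAuthentication yes - PAM can still prompt for a password"
        n=$((n + 1))
    fi
    if [ "$(effective_value "$f" PermitEmptyPasswords no)" = yes ]; then
        echo "sshd: PermitEmptyPasswords yes - accounts with empty passwords can log in"
        n=$((n + 1))
    fi
    if [ "$(effective_value "$f" PermitRootLogin prohibit-password)" = yes ]; then
        echo "sshd: PermitRootLogin yes - root is directly reachable by password"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# audit_inetd FILE -> list the enabled BSD r-services (rsh, rlogin, rexec)
audit_inetd() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "shell" || $1 == "login" || $1 == "exec" {
            print "inetd: " $1 " service enabled (" $NF ") - rhosts trust and plaintext passwords"
        }
    ' "$1"
}

WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); WEAK_INETD=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$HARD_SSHD" "$WEAK_INETD"' EXIT

# constructed sample: an as-shipped sshd_config with password login left on
cat >"$WEAK_SSHD" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF

# constructed sample: key-only login, the setting the report's advice amounts to
cat >"$HARD_SSHD" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
EOF

# constructed sample: inetd.conf with the r-services still switched on
cat >"$WEAK_INETD" <<'EOF'
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
EOF

for cfg in "$WEAK_SSHD" "$HARD_SSHD"; do
    if audit_sshd "$cfg"; then echo "$cfg: no password-login findings"; fi
done
audit_inetd "$WEAK_INETD"
```

Run it against the real files with `audit_sshd /etc/ssh/sshd_config` and `audit_inetd /etc/inetd.conf`; the non-zero exit status from `audit_sshd` makes it usable from a cron job or a configuration check. Settings inside Match blocks are deliberately ignored, so a host that re-enables passwords for a specific user or address range needs a second look by hand.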
Current thread:
- I'm new here, and I already have something to share Jack Johnson (Nov 07)
- Re: I'm new here, and I already have something to share Alex (Nov 08)
- Re: I'm new here, and I already have something to share Jasper Kips (Nov 09)
- Re: I'm new here, and I already have something to share Jack Johnson (Nov 09)