Now, after SSH getting trojaned, THIS!!
I thought you guys should know.

Details:

* The trojan contains modifications to the configure script and
  gencode.c (in libpcap only).

* The configure script downloads
  http://mars.raketti.net/~mash/services which is then sourced
  with the shell. It contains an embedded shell script that
  creates a C file, and compiles it.

* The program connects to 212.146.0.34 (mars.raketti.net) on port
  1963 and reads one of three one-byte status codes:
  * A - program exits
  * D - forks and spawns a shell and does the needed file
    descriptor manipulation to redirect it to the existing
    connection to 212.146.0.34.
  * M - closes connection, sleeps 3600 seconds, and then
    reconnects

Good sources:

http://www.ibiblio.org/pub/Linux/dis...p-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/dis...p-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/dis...p-3.7.1.tar.gz

MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

Trojaned sources:

http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz

MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
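
An added example, not part of the original post: a Python check that classifies a downloaded tarball against the MD5 sums listed above and scans any configure script inside it for the host and IP the post names. The function names and the in-memory sample builder are assumptions made for the illustration.

```python
import hashlib
import io
import tarfile

# MD5 sums and host/IP indicators copied from the post above.
GOOD_MD5 = {
    "0597c23e3496a5c108097b2a0f1bd0c7",  # libpcap-0.7.1.tar.gz
    "6bc8da35f9eed4e675bfdf04ce312248",  # tcpdump-3.6.2.tar.gz
    "03e5eac68c65b7e6ce8da03b0b0b225e",  # tcpdump-3.7.1.tar.gz
}
TROJANED_MD5 = {
    "73ba7af963aff7c9e23fa1308a793dca",  # libpcap-0.7.1.tar.gz
    "3a1c2dd3471486f9c7df87029bf2f1e9",  # tcpdump-3.6.2.tar.gz
    "3c410d8434e63fb3931fe77328e4dd88",  # tcpdump-3.7.1.tar.gz
}
INDICATORS = (b"mars.raketti.net", b"212.146.0.34")


def scan_configure(data):
    """Return (member name, indicator) pairs found in any configure script."""
    hits = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                if member.isfile() and member.name.split("/")[-1] == "configure":
                    body = tar.extractfile(member).read()
                    hits += [(member.name, i.decode()) for i in INDICATORS if i in body]
    except (tarfile.TarError, OSError, EOFError):
        pass  # not a readable tarball: the hash comparison still applies
    return hits


def classify(data):
    """Return (verdict, md5, hits); verdict is good, trojaned or unknown."""
    digest = hashlib.md5(data).hexdigest()
    hits = scan_configure(data)
    if digest in TROJANED_MD5 or hits:
        return "trojaned", digest, hits
    return ("good" if digest in GOOD_MD5 else "unknown"), digest, hits


def make_sample(configure_body):
    """Build a constructed one-file tarball in memory (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("libpcap-0.7.1/configure")
        info.size = len(configure_body)
        tar.addfile(info, io.BytesIO(configure_body))
    return buf.getvalue()
```

For a real download, pass the file's bytes to `classify()`; an "unknown" verdict means the archive matches neither list and should be compared against a trusted copy before building.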