Subject: rumors about remote *BSD exploits
To: None <>
From: Lubomir Sedlacik <>
List: tech-security
Date: 06/17/2002 17:38:12
Just seen on the vuln-dev mailing list:
Date: 17 Jun 2002 08:37:45 -0000
From: "Van Cloude Jandame" <>
Subject: openbsd rumours
Dear readers,
A few days ago, while I was at #darknet, I saw three ScRiPtKidIeZ
(among the rest of them) talking about the 7350-crocodile.c,
7350-obsdftpd.c and 7350-pf.c exploit code by team teso, made with
support of GOBBLES Security, who gave them the advisories.
The good news:
the exploits aren't that widely spread and they've been kept in the
underground for about a month. This isn't really good news, but it is
better than the ones that follow.
The bad news:
- openbsd ftp/cvs have been compromised and backdoored by the kiddies,
who hang mostly on #!hack.the.turkey at efnet.
- the technique is new and very obscure; the three exploits abuse it and
it is applicable only on *BSD flavors (afaik).
A really short part of the logs shows this:
<m0rgan> ./a.out
<m0rgan> 7350-crocodile - x86/OpenBSD apache/telnetd/sshd
*** pr0ix ( has joined #darknet
<m0rgan> by lorian and scut / TESO
<m0rgan> ./7350-crocodile [options] [host] [port] [misc-option]
<m0rgan> -d <daemon> (1= apache, 2= telnetd, 3= sshd)
<m0rgan> -b bruteforce
<m0rgan> -c check only
<m0rgan> -s <0xaddr> start address
<m0rgan> -S shellcode (? to show the list)
<pr0ix> wtf?
<m0rgan> greetz: synnergy, GOBBLES Security, ElectronicSoulz, shiftee, bnuts, skyper.
<m0rgan> sidenote: was really easy ;>
<m0rgan> muahah fear.
<xxx> could you send me that?
*** pr0ix sets mode: +b xxx!*@200.*
*** xxx was kicked by pr0ix (0day-lurker)
Keep an eye on your logs; as they said, the exploit makes a lot of
noise in the system and "private" logs and thus is easy to spot. Put
your IDS on.
Martin (VanCloudeJandame)
We encountered strange dirs on our ftp a few days ago:
/home/ftp/ 
/home/ftp/ /200kb
/home/ftp/ /TAggEd
/home/ftp/ /TAggEd/ ;;; 
/home/ftp/ /TAggEd/ ;;; /for
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; 
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/w3l
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/w3l/ ;;;;;; 
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/w3l/t1
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/ProSATANos
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/ProSATANos/5c33n3D
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/ProSATANos/5c33n3D/ ;;;; ; ; ; 
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/ProSATANos/5c33n3D/ ;;;; ; ; ; /by-W3lt1
/home/ftp/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/ProSATANos/5c33n3D/ ;;;; ; ; ; /by-W3lt1/ ; 
/home/ftp/ /TAggEd/ ;;; /for/ ;;; 
/home/ftp/ /TAggEd/ ;;; /for/ ;; 
/home/ftp/ /TAggEd/ ;;; 
/home/ftp/ /TAggEd/ ;;; 
As far as we can tell, nothing else was changed in the system, and ftp
was running in chroot().
Does anyone else have a similar experience, or does anyone have more
information on what's going on? Anyone seen something like this on NetBSD or
-- Lubomir Sedlacik <>                   ASCII Ribbon campaign against  /"\
-- <>                                    e-mail in gratuitous HTML and   \ /
--                                       Microsoft proprietary formats    X
-- PGPkey:                                                                / \
-- Key Fingerprint: DBEC 8BEC 9A90 ECEC 0FEF 716E 59CE B70B 7E3B 70E2
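As an added example, not part of the message above and not an OpenBSD or NetBSD tool: a POSIX sh check that walks an FTP root and lists every directory whose name contains whitespace or a semicolon, the pattern of the "tagged" listing in the mail. The root path, the function names and the constructed sample tree (built under a temporary directory to mimic the listing) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message, not a NetBSD/OpenBSD tool):
# list directories under an FTP root whose basename contains whitespace or a
# semicolon, the pattern seen in the "tagged" listing above. The root path and
# the sample tree are assumptions made for this example.

# Print every directory under $1 whose basename contains whitespace or ';'.
find_tagged_dirs() {
    root=$1
    # Run a small shell test for each directory; '{} +' batches the arguments.
    find "$root" -type d -exec sh -c '
        for d in "$@"; do
            name=${d##*/}
            case "$name" in
                *[[:space:]]*|*";"*) printf "%s\n" "$d" ;;
            esac
        done
    ' sh {} +
}

# Count the matches (strip the leading blanks some wc versions print).
count_tagged_dirs() {
    find_tagged_dirs "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree modelled on the listing in the mail, under a
# fresh temporary directory, and print its path. Only " ", " ;;; " and
# " ;;;;; " are "tagged" names; TAggEd, for, TargeT, by, w3l, t1 are not.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/pub/NetBSD" \
             "$base/ /TAggEd/ ;;; /for/ ;;;;; /TargeT/by/w3l/t1"
    printf '%s\n' "$base"
}

# Usage: run the scan over the sample tree and clean up.
if [ "${1:-}" = "--demo" ]; then
    base=$(make_sample_tree)
    find_tagged_dirs "$base"
    rm -rf "$base"
fi
```

On a real server the call is `find_tagged_dirs /home/ftp`; the match is on the basename only, so a legitimate parent such as `pub` is not reported just because a tagged subdirectory sits under it.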