web application security lab

Yet Another Remote Shell

Here’s another one of the failed attacks on ha.ckers.org. I copied the file in case anyone wants to do forensics on it. It’s located here. The odd part is that it is a .gif file. I’m not sure what filter they were attempting to evade by renaming the file, but it didn’t do much.

Is anyone cataloguing this stuff? Should I continue to post it? If not I’ll save myself the trouble, but I wanted to keep it here for any of the AV guys who visit the site. They may get more out of this stuff than other people.

7 Responses to “Yet Another Remote Shell”

  1. DanielG Says:

    I’ve logged into the previous one you posted (the ircbot) and reported it to an irccop after having fun with the ‘hackers’ by pretending I was one of the infected machines.
    So if more pop up I wouldn’t mind toying with them.
    Although this one seems less intriguing.

  2. v wall Says:

    I’m going to take a look at this shell after I’ve got a few other things sorted, set some local tests going, and then if I find anything interesting I will post back here.

  3. Yongge Wang Says:

    Norton Anti-Virus detects it as a virus, so it should be known already.

  4. v wall Says:

    Yongge Wang, do you think it would be the connect back shell “Data Cha0s Connect Back Shell” and the exploit “Linux kernel do_brk vma overflow exploit” that it carries inside it that are setting your AV off, as one of the options of this shell is to write the connect back shell or the exploit to disk depending on the user’s choice (my personal thought is that it will be the exploit that’s setting your AV’s bells ringing, but that’s just my thought). If you’re willing to do me a test (since I’m not on a Windows platform), could you take the connect back shell and the exploit out of the shell and then see if your AV goes off?

  5. Yongge Wang Says:

    Yes, you are right. After I delete the words “Cha0s…” and “Linux kernel…”, Norton Anti-Virus will not give any alert.

  6. Mr. Extreme Says:

    I have 17 malicious files saved into an encrypted 7z file. Whenever somebody or some bot tries to use XSS on my website, I get an alert and try to save the file they use. I usually can, but not every time. Some of them are extremely well formatted and very, very clever… The biggest is 153 kBytes, and really, really complex and clever… And NOD32 recognizes only 2-3 of them as trojans.

    Well, basically I am here because somebody tried to hack my site with the file “http://ha.ckers.org/files/tool25.dat?&cmd=id”….

    Anyway, I found these blogs very useful, especially the one about the JS code which tries to run an exe…

    Keep going! ….. I mean, keep blogging, and not keep cracking my tiny and almost unknown site. Okay? ;)

  7. id Says:

    The attack on your site wasn’t from ha.ckers.org; it did, however, involve trying to use the tools25.dat file that is hosted here (which has been temporarily moved).