FW: openbsd rumors
I'm not sure if you've seen this yet, but I thought I would pass it along
just in case.
Regards,
--Matt
-----Original Message-----
From: Van Cloude Jandame [mailto:vancloudejandame@lemonheads.com]
Sent: Monday, June 17, 2002 4:38 AM
To: vuln-dev@securityfocus.com
Subject: openbsd rumours
Dear readers,
A few days ago, while I was on #darknet, I saw three ScRiPtKidIeZ (among
the rest of them) talking about the 7350-crocodile.c, 7350-obsdftpd.c and
7350-pf.c exploit code by team TESO, made with support from GOBBLES
Security, who gave them the advisories.
The good news:
the exploits aren't that widely spread, and they've been kept in the
underground for about a month. This isn't really good news, but it is better
than the news that follows.
The bad news:
- OpenBSD ftp/cvs have been compromised and backdoored by the kiddies, who
hang out mostly on #!hack.the.turkey at EFnet.
- the technique is new and very obscure; the three exploits abuse it, and it
is applicable only to *BSD flavors (afaik).
A really short part of the logs shows this:
<m0rgan> ./a.out
<m0rgan> 7350-crocodile - x86/OpenBSD apache/telnetd/sshd
*** pr0ix (pr0ix@def-con.org) has joined #darknet
<m0rgan> by lorian and scut / TESO
<m0rgan>
<m0rgan> ./7350-crocodile [options] [host] [port] [misc-option]
<m0rgan>
<m0rgan> -d <daemon> (1= apache, 2= telnetd, 3= sshd)
<m0rgan> -b bruteforce
<m0rgan> -c check only
<m0rgan> -s <0xaddr> start address
<m0rgan> -S shellcode (? to show the list)
<pr0ix> wtf?
<m0rgan>
<m0rgan> greetz: synnergy, GOBBLES Security, ElectronicSoulz, shiftee,
bnuts, skyper.
<m0rgan> sidenote: nasa.gov was really easy ;>
<m0rgan> muahah fear.
<xxx> could you send me that?
*** pr0ix sets mode: +b xxx!*@200.*
*** xxx was kicked by pr0ix (0day-lurker)
Keep an eye on your logs: as they said, the exploit makes a lot of noise on
the system and in "private" logs, and thus it is easy to spot. Turn your IDS
on.
Cheers,
Martin (VanCloudeJandame)