discuss: Trojan files on TLDP server? (fwd)


Previous by date: 4 Apr 2005 14:56:15 -0000 Re: general, Machtelt Garrels
Next by date: 4 Apr 2005 14:56:15 -0000 Re: Trojan files on TLDP server? (fwd), Jaqui Greenlees
Previous in thread:
Next in thread: 4 Apr 2005 14:56:15 -0000 Re: Trojan files on TLDP server? (fwd), Jaqui Greenlees

Subject: Trojan files on TLDP server? (fwd)
From: Machtelt Garrels ####@####.####
Date: 4 Apr 2005 14:56:15 -0000
Message-Id: <Pine.LNX.4.44.0504041501280.9931-100000@cobra.xalasys.com>


Can somebody look into this?  It never happened to me...
Please confirm if this is fake or not.

Tille.

--
My Penguin, my freedom.		http://tille.xalasys.com
Books:				http://writers.fultus.com/garrels

---------- Forwarded message ----------
Date: Mon, 28 Mar 2005 16:57:59 -0800
From: Brian Wildasinn ####@####.####
To: ####@####.####
Subject: Trojan files on TLDP server?

Hello TLDP,

URGENT NOTICE: Trojan LG TLDP archives alert!

On March 25, 2005, I downloaded some files from TLDP. My download script, which downloaded the entire ftpfiles directory at linuxgazette from my home LAN at 66.218.50.80, shows a time stamp of 9:10PM.

I have a WinXP notebook attached to a wireless access point.  After downloading some Linux Gazette tarballs from http://linuxgazette.net/ftpfiles/, my security scanners show an active suspicious port open. I could telnet into port 5400 on WinXP from my FreeBSD box over my LAN.

Using an NMAP security scan on FreeBSD, `nmap -sS -P0 <wireless access point w/WEP encryption/router MN-700>` showed port 5400 open, which is described as "5400/tcp     excerpt             Excerpt Search" or the Bladerunner Trojan.

Here are the results of ClamWin from my infected notebook:

--------------------------

Scan started: Mon Mar 28 14:50:05 2005

C:\GnuWin32\1.0\home\b21an\Workspace\HOWTO\LG\lg-108.tar.gz: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\\lg-108.tar.gz'
C:\GnuWin32\1.0\home\b21an\Workspace\HOWTO\LG\lg-issue86.tar.gz: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\\lg-issue86.tar.gz'
ERROR: Can't open file C:\WINDOWS\SoftwareDistribution\EventCache\86719410-2583-4BF4-8202-94A1CBB34B36.bin
ERROR: Can't open file C:\WINDOWS\SoftwareDistribution\EventCache\EDE1AC3A-2996-4C2C-AB05-F9E3AF5FFE81.bin
ERROR: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb
ERROR: Can't open file C:\WINDOWS\system32\config\default
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY
ERROR: Can't open file C:\WINDOWS\system32\config\software
ERROR: Can't open file C:\WINDOWS\system32\config\system

C:\GnuWin32\1.0\home\b21an\Workspace\HOWTO\LG\lg-108.tar.gz: HTML.Phishing.Bank-1 FOUND
C:\GnuWin32\1.0\home\b21an\Workspace\HOWTO\LG\lg-issue86.tar.gz: Exploit.IFrame.Gen FOUND

-- summary --
Known viruses: 31931
Scanned directories: 4779
Scanned files: 59220
Infected files: 2
Data scanned: 10810.64 MB
I/O buffer size: 131072 bytes
Time: 5137.895 sec (85 m 37 s)

-------------------
Completed
-------------------


#!/bin/sh

#http://linuxgazette.net/ftpfiles/
#http://linuxgazette.net/ftpfiles/lg-100.tar.gz
#http://linuxgazette.net/ftpfiles/lg-base.tar.gz
#http://linuxgazette.net/ftpfiles/lg-issue-1to-6.tar.gz
#http://linuxgazette.net/ftpfiles/lg-issue09.tar.gz
#http://linuxgazette.net/ftpfiles/lg-issue99.tar.gz

#wget http://linuxgazette.net/ftpfiles/lg-issue$i.tar.gz
#http://linuxgazette.net/ftpfiles/lg-issue-1to-6.tar.gz

# Fetch issues 100..113 with the Windows wget build.
# Fixes to the posted loop: "[$i < 7 ]" needed a space after "[" and used
# "<" (a redirection in sh) instead of -lt; "let" is bash, not POSIX sh.
i=100
until [ "$i" -eq 114 ]; do
  # never true for the 100..113 range; kept from the original script
  if [ "$i" -lt 7 ]; then
    echo "no-op: $i"
  fi
  if [ "$i" -lt 10 ]; then
    # single-digit issues are named lg-issue0N.tar.gz on the server
    "C:\windows\system32\UNIX\bin\wget.exe" --random-wait "http://linuxgazette.net/ftpfiles/lg-issue0$i.tar.gz"
  else
    "C:\windows\system32\UNIX\bin\wget.exe" --random-wait "http://linuxgazette.net/ftpfiles/lg-$i.tar.gz"
  fi

  i=$((i + 1))
done

#"C:\windows\system32\UNIX\bin\wget.exe"
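A defender's check for the question raised in the forwarded message, written here as an added example rather than anything from the original post or from TLDP: verify each downloaded tarball against a digest list obtained out of band, and list the HTML members of an archive without extracting it. It assumes the digest list is in `sha256sum -c` format and comes from a trusted source (the page does not say the server publishes one) and that GNU sha256sum or Perl shasum is installed.

```shell
#!/bin/sh
# Added example, not code from the original message. Verifies
# downloaded archives against a trusted digest list and lists their
# HTML members without extracting anything.

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archives DIGESTFILE DIR
# DIGESTFILE holds "hash  name" lines (sha256sum -c format; assumed to
# come from a trusted source, not from the mirror being checked).
# Returns 0 if every listed archive in DIR matches, 1 otherwise.
verify_archives() {
    digests=$1; dir=$2; bad=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(sha256_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=1
        fi
    done < "$digests"
    return "$bad"
}

# list_html_members ARCHIVE
# Show the HTML files inside a tarball without extracting it; an AV hit
# on an archive of articles is normally attributable to one of these.
list_html_members() {
    tar tzf "$1" | grep -iE '\.html?$'
}
```

If a copy fetched fresh from the server hashes identically to the quarantined local file and trips the same signature, the alert concerns the archive's own content rather than a download altered in transit or on the notebook.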




  ©The Linux Documentation Project, 2014. Listserver maintained by dr Serge Victor on ibiblio.org servers. See current spam statz.