Re: Long Exim break-in analysis

To: debian-security@lists.debian.org
Subject: Re: Long Exim break-in analysis
From: Maximilian Wilhelm <max@rfc2324.org>
Date: Wed, 22 Dec 2010 13:45:49 +0100
Message-id: <[🔎] 20101222124549.GA25060@outback.rfc2324.org>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] AANLkTinE=WG_6L4LVzHewJAgMZKjwwB5N595LU=TzYmk@mail.gmail.com>
References: <[🔎] 201012212307.37241.vladislav.kurz@webstep.net> <[🔎] AANLkTi=XOTx6CowzQzjhy-X1M+Mae6RJazeKQWGrvFy7@mail.gmail.com> <[🔎] 20101222120613.GA2794@wavehammer.waldi.eu.org> <[🔎] AANLkTinE=WG_6L4LVzHewJAgMZKjwwB5N595LU=TzYmk@mail.gmail.com>

Anno domini 2010 Izak Burger scripsit:

Hi!

Nice reports :)

> But there is one bit that gets me. It does this:

> mkdir -p /usr/include/mysql
> echo dropbear >> /usr/include/mysql/mysql.hh1

> It never does anything with that file, and that file does not exist on
> a real system, so its almost like its leaving behind its business
> card?

Might that be a "all your passwords belong to us" file? I've had one
cracked ssh(d) once, which wrote all passwords from clent and server
connections to /usr/include/ssh.h IIRC. Maybe this on is something
similar?

Ciao
Max
-- 
Gib Dein Bestes. Dann übertriff Dich selbst!

Reply to:

References:
- Long Exim break-in analysis
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>
- Re: Long Exim break-in analysis
  - From: Izak Burger <isburger@gmail.com>
- Re: Long Exim break-in analysis
  - From: Bastian Blank <waldi@debian.org>
- Re: Long Exim break-in analysis
  - From: Izak Burger <isburger@gmail.com>

Prev by Date: Re: Long Exim break-in analysis
Next by Date: Re: Long Exim break-in analysis
Previous by thread: Re: Long Exim break-in analysis
Next by thread: Re: Long Exim break-in analysis
Index(es):
- Date
- Thread