From owner-freebsd-security@FreeBSD.ORG Sat May 14 15:29:21 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B890716A4CE for ; Sat, 14 May 2005 15:29:21 +0000 (GMT)
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id 60A8443D7C for ; Sat, 14 May 2005 15:29:21 +0000 (GMT) (envelope-from d4rkstorm@gmail.com)
Received: by rproxy.gmail.com with SMTP id i8so332760rne for ; Sat, 14 May 2005 08:29:21 -0700 (PDT)
Received: by 10.38.104.76 with SMTP id b76mr1387617rnc; Sat, 14 May 2005 08:29:21 -0700 (PDT)
Received: by 10.38.101.18 with HTTP; Sat, 14 May 2005 08:29:21 -0700 (PDT)
Message-ID: <245f0df105051408291dd3b641@mail.gmail.com>
Date: Sun, 15 May 2005 01:29:21 +1000
From: "Drew B. [Security Expertise/Freelance Security research]."
To: freebsd-security@freebsd.org
Subject: RE: Need some help
Reply-To: "Drew B. [Security Expertise/Freelance Security research]."
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 14 May 2005 15:29:21 -0000

Hello,

I would like to ask for some specialist assistance in dissecting a 'rootkit' (seems to be mass-mailing specific, crafted somehow from another kit perhaps). It was found running on 5.x machines belonging (so far, to my knowledge) to 2 companies, one of which was an ISP and another a web hosting service running BSD. I will provide the kit and further details as soon as I am sure the thing will be dealt with by someone official. Being properly examined so all exploits within it can be marked out, whether new and/or old-modified, is important, and I cannot successfully complete dissection with my current equipment.

The attacks are still happening, the familiar 'ebay' login page or paypal; however, the bug itself is Linux-platform specific, extremely stable, and extremely hard to remove. Anyone interested who has the ability, especially an A/V tech/worker with a certificate from the company or at least an email header, or anyone associated that can link this to freebsd security officially. I can confirm that it is stable and running on v5.x FreeBSD now, and have no idea how long it has been around.

Regards, (&&assist)
--------------------------------------------------------------------
Drew B.
Independent Security analysis, for Aussies.
Security researcher/expert, threat-focus, Freelance.