Date: Fri, 03 May 2013 15:53:45 +0200
From: Florent Peterschmitt <florent@peterschmitt.fr>
To: freebsd-hackers@freebsd.org
Subject: Linux/Cdorked.A and the tool provided by welivesecurity
Message-ID: <5183C169.4060907@peterschmitt.fr>
Hi,

I read a news about a malware called Linux/Cdorked.A:

http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

They give a tool to know if our system is infected or not. Well, I have two questions:

* Is this malware relevant on FreeBSD/*BSD systems?
* The tool doesn't work out-of-the-box; what do you think of:

--- dump_cdorked_config.c 2013-05-03 09:48:59.000000000 +0000 +++ dump_cdorked_config-freebsd.c 2013-05-03 12:03:45.851681457 +0000
@@ -6,12 +6,13 @@ // would like to help, please send the httpd_cdorked_config.bin // and your httpd executable to our lab for analysis. Thanks! // -// Build with gcc -o dump_cdorked_config dump_cdorked_config.c +// Build with gcc -D_KERNEL -o dump_cdorked_config dump_cdorked_config.c // // Marc-Etienne M.Léveillé <leveille@eset.com> // #include <stdio.h> +#include <sys/types.h> #include <sys/shm.h> #define CDORKED_SHM_SIZE (6118512)

I never developed any piece of code for FreeBSD, so what I'm not sure of is the use of -D_KERNEL on the build command line. Since the shm_info struct is available only with this define, and u_long and others used by sys/shm.h are in sys/types.h, I found it's a good way to do.

I would like to know too, why are these structs (shm_info) available only when using _KERNEL?
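Review bot: the `+// Build with gcc -D_KERNEL -o dump_cdorked_config dump_cdorked_config.c` line documents a kernel-only define as the build command for a userland program, and that is the wrong fix. `_KERNEL` opens the section of `<sys/shm.h>` that is reserved for the kernel itself, so the `struct shm_info` the program then compiles against is a kernel-internal declaration, not something the userland shmctl(2) on FreeBSD promises to accept; a binary built this way gets past the compiler but may read wrong or meaningless data instead of reporting an error. Keep the `+#include <sys/types.h>` change on its own (it supplies the `u_long` that `<sys/shm.h>` needs and is the correct fix for that error), and replace the Linux-specific shm_info-based segment enumeration with a FreeBSD userland source of the same information, for example the `kern.ipc.shmsegs` sysctl that ipcs(1) reads, comparing each segment's size against CDORKED_SHM_SIZE; then `-D_KERNEL` can be dropped from the build comment.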