From owner-freebsd-hackers@FreeBSD.ORG Fri May 3 13:53:18 2013
Message-ID: <5183C169.4060907@peterschmitt.fr>
Date: Fri, 03 May 2013 15:53:45 +0200
From: Florent Peterschmitt
To: freebsd-hackers@freebsd.org
Subject: Linux/Cdorked.A and the tool provided by welivesecurity
Reply-To: florent+FreeBSD-hackers@peterschmitt.fr
List-Id: Technical Discussions relating to FreeBSD

Hi,

I read a news article about a malware called Linux/Cdorked.A:
http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

They give a tool to know if our system is infected or not. Well, I have two questions:

* Is this malware relevant on FreeBSD/*BSD systems?
* The tool doesn't work out-of-the-box; what do you think of this:

--- dump_cdorked_config.c 2013-05-03 09:48:59.000000000 +0000 +++ dump_cdorked_config-freebsd.c 2013-05-03 12:03:45.851681457 +00= 00
@@ -6,12 +6,13 @@ // would like to help, please send the httpd_cdorked_config.bin // and your httpd executable to our lab for analysis. Thanks! // -// Build with gcc -o dump_cdorked_config dump_cdorked_config.c +// Build with gcc -D_KERNEL -o dump_cdorked_config dump_cdorked_config.c= // // Marc-Etienne M.L=E9veill=E9 // #include +#include #include #define CDORKED_SHM_SIZE (6118512)

I never developed any piece of code for FreeBSD, so what I'm not sure of is the use of -D_KERNEL on the build command line. Since the shm_info struct is available only with this define, and u_long and others used by sys/shm.h are in sys/types.h, I found it's a good way to do it.

I would like to know too: why are these structs (shm_info) available only when using _KERNEL?
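Review bot: the `-D_KERNEL` added to the build comment is the part of this hunk to reconsider. `_KERNEL` marks a compilation of the kernel itself, so defining it for a userland build pulls in every kernel-only definition behind that guard in sys/shm.h and the other headers, not just `struct shm_info`, and nothing here shows that what shmctl(2) hands back to a user process on FreeBSD has the layout of that kernel-side struct, or that the native call honours the query the tool issues at all. Suggested change: keep the stock `// Build with gcc -o dump_cdorked_config dump_cdorked_config.c` line, declare locally the few fields the tool actually reads, and verify the shmctl(2) operation against the FreeBSD manual before trusting the dump. The new `+#include` line also shows no header name in these lines, so which header the port adds cannot be checked from the hunk.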
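As an added example that is not part of this post or of the welivesecurity tool: a shell check that sidesteps the -D_KERNEL question by reading ipcs(1) text output and flagging shared-memory segments whose size is exactly CDORKED_SHM_SIZE (6118512). The column layouts assumed are FreeBSD's `ipcs -m -b` (SEGSZ column) and Linux's `ipcs -m` (bytes column); both sample outputs below are constructed.

```shell
#!/bin/sh
# Added example: flag SysV shared-memory segments whose size equals
# CDORKED_SHM_SIZE (6118512 bytes, the constant from the dump tool).
# Works on ipcs(1) output, so no kernel headers or _KERNEL define are needed.
CDORKED_SHM_SIZE=6118512

# detect_cdorked_shm: read ipcs output on stdin, print the id of every
# segment whose size column equals CDORKED_SHM_SIZE, one id per line.
# Assumption: the id is column 2 and the size is a column of its own, which
# holds for FreeBSD 'ipcs -m -b' (SEGSZ) and Linux 'ipcs -m' (bytes).
# Exit status 0 when at least one segment matched, 1 otherwise.
detect_cdorked_shm() {
    awk -v want="$CDORKED_SHM_SIZE" '
        /^(m|0x)/ {                          # data rows only; headers skipped
            for (i = 3; i <= NF; i++)         # id is $2, sizes sit to its right
                if ($i + 0 == want + 0) { print $2; found = 1; break }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: FreeBSD-style 'ipcs -m -b' output, one suspect segment.
SAMPLE_FREEBSD='Shared Memory:
T           ID          KEY MODE        OWNER    GROUP    SEGSZ
m       65536            0 --rw-------     www      www  6118512
m       65537            0 --rw-------    root    wheel   393216'

# Constructed sample: Linux-style 'ipcs -m' output, no suspect segment.
SAMPLE_LINUX='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 131072     www-data   600        393216     2'

# scan_text runs the check over captured output (offline/testing);
# scan_live runs it against the current host (FreeBSD flags; use 'ipcs -m' on Linux).
scan_text() { printf '%s\n' "$1" | detect_cdorked_shm; }
scan_live() { ipcs -m -b 2>/dev/null | detect_cdorked_shm; }
```

A segment of exactly this size is a lead to inspect the segment contents and the httpd binary, not proof of infection on its own.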