Mailinglist Archive: opensuse-security (195 mails)
How to decrypt shell code of an exploit?
- From: Frank Derichsweiler <fd-l-s-s@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 22 Mar 2000 14:02:01 +0100
- Message-id: <20000322140201.G1270@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Hi list,
the box of a friend was hacked: /bin/ps /bin/login /bin/ls were
replaced / trojaned. The original files were placed in /bin/bincp
(which is not shown by ls, but cd into that dir works fine)
Luckily I found some source within a log of
another machine. Comments show that there is an
unsigned char shellcode[] =
with some rows of "\x ...\x" numbers. I assume that there is the
coding of a shell command. Unfortunately I do not know how to "read"
the command. Translating the hex numbers into decimal and using an
ASCII table does not give a useful result. Any idea?
Tips on how to detect which root kit was used are welcome, too.
TIA
Frank
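
An added example, not part of the original post and not the recovered exploit source: a `shellcode[]` array holds machine instructions rather than an encoded shell command, so an ASCII table only recovers strings embedded in it (typically a path). The sketch below decodes the C escapes to raw bytes, lists the printable runs, and writes the bytes to a file for a disassembler. The sample array is constructed, the function names are hypothetical, and 32-bit x86 is an assumption.

```python
import re

# Constructed sample, NOT the code from this incident: four NOPs, two harmless
# x86 instructions, then an embedded NUL-terminated path, in the "\x.." layout.
SAMPLE = r'''
unsigned char shellcode[] =
  "\x90\x90\x90\x90\x31\xc0\xc3"
  "\x2f\x62\x69\x6e\x2f\x73\x68\x00";
'''

_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# Assumes two-digit \x escapes, the usual style in such arrays.
_TOKEN = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})|\\(.)|([^\\])', re.S)
_SIMPLE = {"n": 10, "r": 13, "t": 9, "a": 7, "b": 8, "f": 12, "v": 11}


def decode_c_array(source: str) -> bytes:
    """Concatenate every "..." literal in source into the raw bytes it encodes."""
    out = bytearray()
    for literal in _LITERAL.findall(source):
        for hx, octal, simple, plain in _TOKEN.findall(literal):
            if hx:
                out.append(int(hx, 16))
            elif octal:
                out.append(int(octal, 8) & 0xFF)
            elif simple:
                out.append(_SIMPLE.get(simple, ord(simple) & 0xFF))
            else:
                out.append(ord(plain) & 0xFF)
    return bytes(out)


def ascii_runs(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, as strings(1) finds them: the only 'readable' part."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def dump_for_disassembler(data: bytes, path: str) -> int:
    """Write the raw bytes to a file; they are never executed here."""
    with open(path, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    raw = decode_c_array(SAMPLE)
    print(raw.hex(" "))            # opcodes and data, not text
    print(ascii_runs(raw))         # embedded strings such as paths
    dump_for_disassembler(raw, "shellcode.bin")
    # Then, assuming 32-bit x86: objdump -D -b binary -m i386 shellcode.bin
```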