Hello Frank, I think it's not necessary to decode the assembler commands, because they do exactly what the name "shellcode" means: starting a (root) shell. So the buffer consists of two Linux system calls: (1) execve(/bin/bash) to start the shell, (2) exit(0), just in case execve returns with an error.
So with that source code you found, you can only say which program was used to break into your friend's box, e.g. which service had the security hole. To find out what your hacker did after the break-in, you could probably start by reading root's command-line history, /root/.bash_history or /root/.sh-history.
For further information on buffer overflows, read Phrack magazine, issue 49 (www.phrack.com), "Smashing the Stack for Fun and Profit".
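An analyst who wants to confirm the reply's claim (that the captured buffer just execs a shell) does not need to disassemble it by hand: converting the quoted "\x..\x.." text to bytes and pulling out the printable strings and syscall opcodes already tells which shell path the payload references. The following triage script is an added example, not part of the original mail; the SAMPLE string is a constructed, deliberately non-functional byte sequence that only contains the two features being looked for (a "/bin/sh" string and the int 0x80 opcode bytes CD 80), not a real payload.

```python
import re

# Constructed sample in the "\x..\x.." notation quoted in the thread.
# It is NOT a working payload: filler bytes (0x90) surround the two
# features an analyst looks for, an embedded shell path and the
# x86 "int 0x80" opcode (CD 80) used for Linux system calls.
SAMPLE = r"\x90\x90\xcd\x80\x2f\x62\x69\x6e\x2f\x73\x68\x00\x90\xcd\x80"

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_escaped(text: str) -> bytes:
    """Turn a C-style "\\x41\\x42" string (as found in a log) into raw bytes."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    found = []
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def count_int80(data: bytes) -> int:
    """Count occurrences of the int 0x80 opcode; each one is a Linux syscall site."""
    return data.count(b"\xcd\x80")


def triage(text: str) -> dict:
    """Summarise a captured shellcode string for an incident report."""
    data = parse_escaped(text)
    return {
        "length": len(data),
        "strings": printable_strings(data),
        "int80_count": count_int80(data),
        # Real exploit payloads for strcpy-style overflows avoid NUL bytes;
        # a NUL inside the buffer is itself a useful observation.
        "nul_free": b"\x00" not in data,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Two syscall sites and a single shell path string are consistent with the execve-then-exit structure described in the reply; a different path (a setuid binary, a bind address, a port number) would show up the same way and point at a different post-exploitation tool.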
The box of a friend was hacked: /bin/ps, /bin/login and /bin/ls were replaced/trojaned. The original files were placed in /bin/bincp (which is not shown by ls, but cd into that dir works fine).
Luckily I found some source within a log of another machine. Comments show that there is an
unsigned char shellcode =
with some rows of "\x...\x..." numbers. I assume that this is the encoding of a shell command. Unfortunately I do not know how to "read" the command. Translating the hex numbers into decimal and using an ASCII table does not give a useful result. Any idea? Tips on how to detect which root kit was used are welcome, too.
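The replaced /bin/ps, /bin/login and /bin/ls and the hidden /bin/bincp directory are exactly what a file-integrity check against a known-good baseline catches. The script below is an added example, not from the original thread: it hashes the files in a directory, compares them against a baseline, and enumerates the directory through os.scandir (the getdents system call via libc) rather than by running ls, so an entry that a trojaned ls omits still shows up. The demo() function builds a constructed scenario in a temporary directory; on a real box the baseline would have to come from trusted install media, and the check assumes the interpreter and libc themselves have not been replaced.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: str) -> dict:
    """Record the hash of every regular file; run this against known-good media."""
    baseline = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            baseline[entry.name] = sha256_of(entry.path)
    return baseline


def check_against_baseline(directory: str, baseline: dict) -> tuple:
    """Return (modified, missing, unexpected) names relative to the baseline.

    Directory listing goes through os.scandir, not /bin/ls, so a hidden
    directory such as /bin/bincp appears under "unexpected".
    """
    modified, unexpected = [], []
    present = set()
    for entry in os.scandir(directory):
        present.add(entry.name)
        if entry.name in baseline:
            if entry.is_file(follow_symlinks=False) and sha256_of(entry.path) != baseline[entry.name]:
                modified.append(entry.name)
        else:
            unexpected.append(entry.name)
    missing = sorted(set(baseline) - present)
    return sorted(modified), missing, sorted(unexpected)


def demo() -> tuple:
    """Constructed scenario: baseline a fake bin dir, then trojan ps and add a hidden dir."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ps", "login", "ls"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = build_baseline(d)
        # Simulate the intrusion described in the thread.
        with open(os.path.join(d, "ps"), "wb") as f:
            f.write(b"trojaned ps")
        os.mkdir(os.path.join(d, "bincp"))
        return check_against_baseline(d, baseline)


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified:", modified)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

The hashes in the "modified" list are also what to search for in rootkit signature databases: which binaries were swapped, and what the replacements hash to, is usually enough to identify the kit.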