:wq - blog » xhide http://writequit.org/blog Tu fui, ego eris Mon, 22 Dec 2014 14:54:59 +0000 en-US hourly 1 http://wordpress.org/?v=4.1.5 Backdoors available for analysis http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/ http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/#comments Wed, 16 Jan 2008 07:15:46 +0000 http://writequit.org/blog/?p=126 Found a couple of backdoors that had been downloaded to a box of mine. They are available here for your convenience (if the links go down, I’ll put them up for download on a mirror):

http://geocities.com/crewnewbie/tools/cbk.tar.gz
http://geocities.com/evikhobare/chanarybot.tar.gz

From my preliminary findings, they both contain the XHide process faker, one of them includes a remote-connect backdoor. I’d welcome any forensic insight into these, as I don’t have a whole lot of experience with doing process/machine forensics. There are still some processes running from the offending user(s), I am wary to kill anything. In the meantime I’ll be doing my own analysis and hopefully reporting on it here.

Advice? Suggestions?

EDIT: The system is a FreeBSD 6.2-RELEASE machine running on a SPARC processor.

]]>
http://writequit.org/blog/2008/01/16/backdoors-available-for-analysis/feed/ 5