On Thu, 13 Oct 2005, Charles Curley wrote:

> On Thu, Oct 13, 2005 at 01:48:45PM -0500, P. Thompson wrote:
> >
> > On Thu, 13 Oct 2005, taharka wrote:
> >
> > I am as big a linux advocate as anyone on a Fedora list, but most of the
> > phish servers out there seem to be improperly maintained linux based
> > machines. If you happen to scan the phish tarball often left behind some
> > of them will detect the server side phish components and most will add
> > detection if you send the tarball to them.
>
> How does one detect a phish tarball? chkrootkit? tripwire or analogs?
> Any other tools?

Tripwire for sure, phishers are not very high tech as far as loading mystery
modules in the kernel, etc, because of the quantity of low hanging fruit of
unpatched boxes to choose from.

What I actually meant was often you can traverse the directory structure of
the phish and see little turds that the phisher left behind. Often the
tarball or zip file of the phish directory structure. Reasonably often you
will see webphp.php which will allow you to execute shell commands as the
apache user on the box, etc.

If you wget the tarball off the server and send it to a virus company you
will get things back like below.

With regards to the file "index.php" submitted by you on 05 Oct 10:36:02
(Australian Eastern Standard Time), we have added detection for
HTML/Phishbank.Ppal!Trojan to the signature files for the InoculateIT engine.

The HTML (active content) file "index.php" has been determined to be
malicious. This file appears to be a malware component. A malware component
is a file that may be used by particular malware, but cannot behave
maliciously by itself. Please restore the file from installation media or
clean backup if possible.

Aliases reported by other AV products are listed here: (Exploit-IEPageSpoof)

Researcher comment: Paypal phish, server side.

With regards to the file "gencmd" submitted by you on 11 Oct 12:32:14
(Australian Eastern Standard Time), we have added detection for
ELF/IRCBot.59967!Trojan to the signature files for the InoculateIT engine.

The Linux 32bit ELF Executable file "gencmd" has been determined to be
malicious. Our researchers have analyzed the file and confirmed the result.

Researcher comment: IRC bot

eTrust Antivirus 6.x/v7 (Vet Engine)
We will inform you by email ASAP when we have a signature update available
providing detection.

eTrust Antivirus 6.x/v7 (InoculateIT Engine)
Engine     Update version   Last Update
23.70.0    23.70.65         12 Oct

Please check for the latest signature updates.

These examples apply to windoze versions of CA Antivirus. But in general
antivirus companies seem to be willing to add detections probably on the
premise that ELF binaries can be stored on Windoze but run on Linux...
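A defender-side check in the spirit of the reply above, added here as an example and not code from the thread or from any AV vendor: it walks a web document root looking for the leftovers the post describes (an archive of the kit left next to the unpacked pages, and PHP files that pass request input to a shell, the webphp.php pattern) and records a SHA-256 per hit so the file can be sent to a vendor or compared against a Tripwire baseline. The sample web root and its files are constructed inline and stand in for real kit contents; the suffix list and regexes are assumptions, and a hit is a lead for manual review, not a verdict.

```python
"""Scan a web document root for the residue a dropped phish kit leaves behind.

Added example, not code from the mailing-list thread. Heuristics (archive
suffixes, shell-call regexes) are assumptions; every hit needs manual review.
"""
import hashlib
import os
import re
import tempfile

# Archive suffixes: kits are often unpacked in place and the original left behind.
ARCHIVE_SUFFIXES = (".tar", ".tgz", ".tar.gz", ".zip", ".rar")
PHP_SUFFIXES = (".php", ".phtml", ".php5")

# PHP functions that hand a string to the system shell (assumed list).
SHELL_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.IGNORECASE)
# Request input in the same file is the classic web-shell shape.
REQUEST_INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def sha256_of(path):
    """Hash the file in chunks so a large archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path):
    """Return a short reason if the file looks like kit residue, else None."""
    name = os.path.basename(path).lower()
    if name.endswith(ARCHIVE_SUFFIXES):
        return "archive in web root"
    if name.endswith(PHP_SUFFIXES):
        try:
            with open(path, "r", errors="replace") as f:
                body = f.read()
        except OSError:
            return None
        if SHELL_CALL_RE.search(body):
            if REQUEST_INPUT_RE.search(body):
                return "shell call fed by request input (web shell?)"
            return "shell call"
    return None


def scan_webroot(root):
    """Walk root; return sorted (relative path, reason, sha256) for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, reason, sha256_of(full)))
    return sorted(hits)


def build_sample_webroot():
    """Create a throwaway web root of constructed files (placeholders, not malware)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.html": "<html><body>hello</body></html>\n",
        "paypal/index.php": "<?php echo 'login form'; ?>\n",
        "paypal/kit.tar.gz": "placeholder bytes standing in for the kit archive\n",
        "paypal/webphp.php": "<?php system($_GET['cmd']); ?>\n",
        "tools/cron.php": "<?php exec('ls -l'); ?>\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, reason, digest in scan_webroot(root):
        print(f"{rel:20} {reason:46} sha256={digest[:16]}...")
```

Run it as-is to see the three constructed hits; point `scan_webroot()` at a real document root to use it. The "shell call" tier without request input will flag legitimate maintenance scripts, which is why the output is a review list rather than a verdict, and why the hashes matter: once a file has been confirmed as kit residue, the same hash identifies copies on other hosts.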