0day linux 2.6 /dev/mem rootkit found


0day linux 2.6 /dev/mem rootkit found

by James E. Jones


I found one interesting tool on my server, with the
name 'Boxer 0.99 BETA3'. It's protected by the ELFuck
Linux executables obfuscator. Google doesn't know
anything about it.
Now it is available at http://surfall.net/rel.tar.gz
(ELFuck password: 'notdead').
Anybody seen it before?


       

-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!" - White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------


Strange Cisco Router Logs

by Radi Tzvetkov


Hello list,

I had a power outage on one of my routers. After power came back the
router logged the messages below. I know there was nobody on the console
and there is no way someone from the team could have made the change. Has anyone
seen something like it?

*Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0  State changed to: Initialized
*Jul 15 14:47:26.591: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0  State changed to: Enabled sslinit fn
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Disabled
*Jul 15 14:47:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jul 15 09:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:47:32 UTC Sun Jul 15 2007 to 09:47:32 EST Sun Jul 15 2007, configured from console by console.
*Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured from console by console.
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100101, changed state to down
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %FW-6-INIT: Firewall inspection startup completed; beginning operation.
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:match address 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:set peer 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Apr-07 16:18 by prod_rel_team
*Jul 15 10:47:38: %SNMP-5-COLDSTART: SNMP agent on host ROUTER is undergoing a cold start

----------------------------------------------------------
Radi Tzvetkoff
Network Engineer II
Provado Technologies
A Logisticare Company
503 Oak Place, Ste. 550
Atlanta, GA 30349
e-mail: radit@...
tel: 800-486-7642 ext 493
cell: 678-429-6880
----------------------------------------------------------

-----Original Message-----
From: James E. Jones [mailto:ceriofag@...]
Sent: Wednesday, July 11, 2007 12:07 PM
To: incidents@...
Subject: 0day linux 2.6 /dev/mem rootkit found



RE: Strange Cisco Router Logs

by Dario Ciccarone (dciccaro)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Radi:

        Hi there. This is Dario Ciccarone from the Cisco PSIRT -
Product Security Incident Response Team.

        Those messages are part of the autotest being performed on the
crypto accelerator during bootup. While they might look
worrisome to you, the fact that they are being printed/logged is
purely cosmetic and doesn't affect in any way normal device
operation.

        If you still have additional questions, feel free to open a TAC
case. Information on how to contact TAC can be found at

        http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

        Thanks,
        Dario

Dario Ciccarone <dciccaro@...>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
 

> -----Original Message-----
> From: Radi Tzvetkov [mailto:radit@...]
> Sent: Friday, July 20, 2007 3:50 PM
> To: incidents@...
> Subject: Strange Cisco Router Logs

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRqOohIyVGB+6GuDwEQI2VwCfSKO5DhvRxBdltxNxhHZ349ShnbEAoNbH
Ykz2owEsdHpR/g/P9O077P2K
=eLMD
-----END PGP SIGNATURE-----

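A triage script for boot logs like the one Radi posted, added here as an illustration and not code from the thread or from Cisco. It parses IOS syslog lines, replays the %PARSER-5-CFGLOG_LOGGEDCMD commands to see what configuration is actually left behind, and reports the burst as a boot-time self-test only when every object created by the console was also removed and a %SYS-5-RESTART follows within seconds; anything that leaves an object behind is reported as a real change. The sample log is constructed from the thread with wrapped lines rejoined and the interface messages left out, the year 2007 is assumed (IOS timestamps carry no year), and the self-test heuristic is inferred from this log and Dario's reply rather than from Cisco documentation.

```python
import re
from datetime import datetime

# Constructed sample: the boot log from this thread with wrapped lines
# rejoined and the interface up/down noise left out.
SAMPLE_LOG = """\
*Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0  State changed to: Initialized
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Disabled
*Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured from console by console.
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:match address 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:set peer 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
"""

LOG_YEAR = 2007  # assumed: IOS timestamps carry no year; taken from the thread's dates

LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# Top-level config objects we track: command prefix -> tokens that form the object key
OBJECT_PREFIXES = {"access-list": 2, "crypto map": 3}


def parse_line(line):
    """Parse one IOS syslog line into a dict; banner lines without a timestamp
    (the text after SYS-5-RESTART) return None and are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    rec["sev"] = int(rec["sev"])
    c = CMD_RE.search(rec["msg"]) if rec["mnemonic"] == "CFGLOG_LOGGEDCMD" else None
    if c:
        rec["user"] = c["user"]
        rec["cmd"] = c["cmd"].strip()
    return rec


def object_key(cmd):
    """Return the config object a top-level command creates or deletes, else None."""
    for prefix, ntok in OBJECT_PREFIXES.items():
        if cmd.startswith(prefix + " "):
            return " ".join(cmd.split()[:ntok])
    return None


def residual_objects(cmds):
    """Replay logged commands and return {object: [sub-mode lines]} for whatever
    is still configured at the end. Sub-mode lines (match ..., set ...) attach to
    the most recently entered object and vanish with it; 'exit' leaves the sub-mode."""
    objects = {}
    current = None
    for cmd in cmds:
        if cmd.startswith("no "):
            key = object_key(cmd[3:]) or "<global> " + cmd[3:]
            objects.pop(key, None)
            current = None
        elif cmd == "exit":
            current = None
        else:
            key = object_key(cmd)
            if key is not None:
                objects[key] = []
                current = key
            elif current is not None:
                objects[current].append(cmd)
            else:
                objects["<global> " + cmd] = []
    return objects


def triage(log_text, restart_window_s=10):
    """Classify the logged config commands in a boot log.

    Heuristic (inferred from this thread's log and Cisco's reply, not from Cisco
    documentation): commands issued by 'console' that leave no residual object and
    are followed within a few seconds by %SYS-5-RESTART look like the crypto-engine
    self-test; anything that leaves an object behind is a real change. Only the last
    command and the RESTART record are compared, because the %SYS-6-CLOCKUPDATE
    jumps make earlier timestamps incomparable."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    cmds = [r for r in records if "cmd" in r]
    if not cmds:
        return {"verdict": "no-config-change", "residual": {}, "users": []}
    residual = residual_objects([c["cmd"] for c in cmds])
    users = sorted({c["user"] for c in cmds})
    last_ts = cmds[-1]["ts"]
    restart_near = any(
        r["mnemonic"] == "RESTART"
        and 0 <= (r["ts"] - last_ts).total_seconds() <= restart_window_s
        for r in records
    )
    if not residual and users == ["console"] and restart_near:
        verdict = "boot-self-test"
    elif not residual:
        verdict = "transient-change"
    else:
        verdict = "persistent-change"
    return {"verdict": verdict, "residual": residual, "users": users}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The point of replaying the commands rather than matching strings is that the same burst without the closing `no crypto map NiStTeSt1` comes back as `persistent-change` with the leftover crypto map and its `match`/`set` lines listed, which is exactly the case worth paging on, while the complete create-then-delete sequence at boot can be suppressed without muting CFGLOG_LOGGEDCMD alerts in general.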


Phishing e-mail with hidden crap?

by Nicolas villatte-2


http://archive.ncsa.uiuc.edu/lists/vmi-bug/may07/msg00126.html

At the end you see in white on white color the following:

===========================================================================

cvs: 0x7457, 0x5, 0x8758, 0x9019, 0x7, 0x697, 0x17916501, 0x949, 0x80,
0x030, 0x598, 0x97266747 NCE TP6 X81P RH2E exe SG0 include V8PW root api:
0x17, 0x2879 JN9: 0x50270054, 0x28850104, 0x316, 0x935, 0x01339377, 0x64,
0x0, 0x1658, 0x26765770, 0x091, 0x162 BB4B: 0x9, 0x04, 0x1745, 0x0, 0x9597,
0x33, 0x25692116, 0x58826863, 0x536, 0x9200, 0x8236, 0x1759 EXJ: 0x1, 0x343,
0x88, 0x4917, 0x33, 0x84363121, 0x2 0x502, 0x6163, 0x460, 0x783, 0x6, 0x7,
0x805, 0x94, 0x343, 0x2, 0x2, 0x85653112 0x671, 0x5, 0x67064212, 0x3,
0x01452899, 0x9, 0x6, 0x4, 0x6, 0x9835, 0x94660375, 0x9 0x3181, 0x97, 0x7700

0x61 0x29 0x04, 0x55, 0x6412, 0x9, 0x921, 0x73133834, 0x17, 0x3, 0x08, 0x6
P37. engine: 0x4 0x11053531, 0x0, 0x9, 0x1, 0x5, 0x62, 0x662 function cvs
IQ0 SCQ KSU end NXZJ IPQ. cvs: 0x38, 0x22230904 0x6517, 0x8056, 0x3, 0x! 65,
0x37425646, 0x53, 0x420, 0x47863400, 0x0562, 0x6, 0x952 0x2008, 0x82331620,
0x1484, 0x4036, 0x18171004, 0x41, 0x35, 0x3204, 0x821, 0x39538782

B3U5: 0x267 19K: 0x38438621, 0x3969, 0x90 stack: 0x098, 0x47833820, 0x1,
0x5, 0x53, 0x0931, 0x3415, 0x40, 0x1, 0x35, 0x24692917, 0x700 0x1122, 0x3,
0x1, 0x91689386, 0x8, 0x6056, 0x75, 0x05, 0x67808953, 0x67 update.0x33,
0x24, 0x3, 0x98, 0x2 start: 0x048, 0x5, 0x9, 0x95465686, 0x8, 0x0043,
0x25220247, 0x0004, 0x4524, 0x435, 0x9, 0x386, 0x3, 0x92, 0x0 0x5573, 0x48,
0x3657, 0x861, 0x6, 0x2, 0x48 BT6, 3A6. 0x6591, 0x219, 0x683, 0x36, 0x334,
0x51294373

I was wondering what it could be. Seeing strings like "cvs:" and "function
cvs", it could be just crap added to bypass filtering, but then this crap
would probably be generated in some special way to get intelligible strings.

Anyone got any clue?

Thanks,
Nicolas.




Re: Phishing e-mail with hidden crap?

by stremovsky


Hi Nicolas,

I have seen similar emails in the past.

Currently I consider these numbers and words to be random text. IMHO, this text is different in each spam email sent. This could be used to outsmart some automatic anti-spam filters.

Best regards

Yuli
http://www.greensql.net/blog/yuli

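A detector for the trick Nicolas asks about and Yuli explains, added here as an example and not code from the thread: it walks the mail's HTML, pulls out text drawn in the same colour as the background, and scores how much of that text consists of hex literals and short random codes, so a white-on-white filler block is flagged by its shape rather than by any particular token (which, as Yuli notes, changes from message to message). The HTML mail is constructed; the hidden block reuses a fragment of the filler quoted above; colour handling covers only `<font color>`, `style="color:..."` and `<body bgcolor>`, with the background assumed white when unspecified.

```python
import re
from html.parser import HTMLParser

# Constructed: a fragment of the filler quoted in this thread, reused as the hidden block.
HIDDEN_FILLER = (
    "cvs: 0x7457, 0x5, 0x8758, 0x9019, 0x7, 0x697, 0x17916501, 0x949, 0x80, "
    "0x030, 0x598, 0x97266747 NCE TP6 X81P RH2E exe SG0 include V8PW root api: "
    "0x17, 0x2879 JN9: 0x50270054, 0x28850104, 0x316, 0x935, 0x01339377, 0x64,"
)

# Constructed HTML mail: a short lure, then the filler in white on a white background.
SAMPLE_EMAIL = f"""<html><body bgcolor="#ffffff">
<p>Dear customer, your account has been limited.</p>
<p>Please visit our <a href="http://example.invalid/verify">secure page</a> to restore access.</p>
<br>
<p><font color="#FFFFFF">{HIDDEN_FILLER}</font></p>
</body></html>"""

VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}
NAMED_COLORS = {"white": "#ffffff", "black": "#000000"}
STYLE_COLOR_RE = re.compile(r"(?<![-\w])color\s*:\s*([^;]+)", re.I)
HEX_TOKEN_RE = re.compile(r"^0x[0-9a-f]+,?$", re.I)
CODE_TOKEN_RE = re.compile(r"^[A-Z0-9]{3,5}[.:,]?$")


def normalize_color(value):
    """Canonical '#rrggbb' for the colour notations commonly seen in mail HTML."""
    v = value.strip().lower()
    v = NAMED_COLORS.get(v, v)
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(ch * 2 for ch in v[1:])
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if m:
        v = "#%02x%02x%02x" % tuple(int(x) for x in m.groups())
    return v


class HiddenTextExtractor(HTMLParser):
    """Split text into what renders visibly and what is drawn in the background
    colour. Handles <body bgcolor>, <font color> and style="color:..."; the
    background is assumed white unless the body says otherwise."""

    def __init__(self, background="#ffffff"):
        super().__init__()
        self.background = normalize_color(background)
        self.color_stack = []   # effective text colour per open element
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return                      # no matching end tag, so nothing to push
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.background = normalize_color(a["bgcolor"])
        color = a.get("color") if tag == "font" else None
        m = STYLE_COLOR_RE.search(a.get("style") or "")
        if m:
            color = m.group(1)
        inherited = self.color_stack[-1] if self.color_stack else None
        self.color_stack.append(normalize_color(color) if color else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.color_stack:
            self.color_stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        current = self.color_stack[-1] if self.color_stack else None
        (self.hidden if current == self.background else self.visible).append(text)


def noise_score(text):
    """Fraction of whitespace-separated tokens that are hex literals or short
    all-caps codes, the shape of the filler in this thread. Prose scores near 0."""
    tokens = text.split()
    if not tokens:
        return 0.0
    noisy = sum(1 for t in tokens if HEX_TOKEN_RE.match(t) or CODE_TOKEN_RE.match(t))
    return noisy / len(tokens)


def analyze_email(html, threshold=0.5):
    """Return the hidden text, its noise score, and whether the mail looks like a
    hash-buster: hidden text present and mostly random tokens."""
    p = HiddenTextExtractor()
    p.feed(html)
    p.close()
    hidden = " ".join(p.hidden)
    score = noise_score(hidden)
    return {"hidden_text": hidden, "noise_score": score,
            "flag": bool(hidden) and score >= threshold}


if __name__ == "__main__":
    print(analyze_email(SAMPLE_EMAIL))
```

The score is a feature to feed a filter, not a verdict on its own: hidden text with a high noise score is a strong signal because legitimate mail has no reason to draw invisible hex dumps, while the lure text itself scores zero and would have to be judged on other grounds.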