FYI issue closed.
At 08:11 AM 4/16/2004, felix k sheng wrote:
>William,
>
>Thanks so much for getting back to me. After sending that in, I had
>the great idea (ok... I'm slow... :) to turn the hex numbers into
>ascii and lo and behold it was just that perl script. I *thought*
>that that meant it presupposed the hacker's ability to have arbitrary
>code already running (as opposed to the code giving him the ability
>to execute that arbitrary code) but still wasn't sure.
>
>Thanks again for letting me know the scoop on this. I can breathe
>easy again.
>
>felix
>
>On Thu, Apr 15, 2004 at 08:14:21PM -0500, William A. Rowe, Jr. wrote:
>>
>>>Date: Thu, 15 Apr 2004 10:17:26 -0400
>>>From: felix k sheng <[EMAIL PROTECTED]>
>>>To: [EMAIL PROTECTED]
>>>Subject: 1.3.29 remote root exploit?
>>>
>>>Hello,
>>>
>>>I run several sites using 1.3.29 and came across this page on the net:
>>>
>>> http://secu.zzu.edu.cn/modules.php?name=News&file=article&sid=413
>>>
>>>which claims to be a remote root exploit. Is this a real threat or is
>>>it bogus? Please let me know, thank you!
>>
>>Felix this is a very serious threat, to you personally if you use this rootkit.
>>However, it is of no significance at all to your Apache servers. Simply do
>>not run this toolkit yourself and your machines are invulnerable :)
>>
>>quoting one resident guru;
>>
>>At 03:00 PM 4/15/2004, Mark J Cox wrote:
>>>> I looked briefly - and i do wonder if this isn't the root-yourself toolkit.
>>>
>>>It is; it connects you to an IRC server and lets people on the channel run
>>>remote commands as you. If this is getting passed around we should really
>>>warn about trojan horse exploit code on httpd.apache.org.
>>>
>>>> >print $sock "USER lemmings +i lemmings :lemmingsv2 NICK lemmings ";
>>
>>
>>
>
>--
>felix sheng ... [EMAIL PROTECTED]
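
The check felix describes (turning the hex numbers of the supposed shellcode into ASCII) can be scripted before anyone compiles or runs a downloaded "exploit". The following is an added example, not part of the original thread: the hint list, the 0.9 threshold and both sample arrays are assumptions constructed for illustration, with the first sample reusing the one line quoted in the thread.

```python
import re

# Matches \xNN escapes as they appear inside C string literals.
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
# Substrings suggesting the "shellcode" is really a script (assumed list, extend as needed).
SCRIPT_HINTS = (b"#!/", b"perl", b"print $sock", b"NICK ", b"USER ", b"/bin/sh")

def decode_c_hex(source: str) -> bytes:
    """Concatenate every \\xNN escape found in the source text into raw bytes."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(source))

def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(blob)

def triage(source: str, threshold: float = 0.9) -> dict:
    """Decode the hex array and report whether it reads as script text."""
    blob = decode_c_hex(source)
    ratio = printable_ratio(blob)
    hints = [h.decode() for h in SCRIPT_HINTS if h in blob]
    return {
        "length": len(blob),
        "printable_ratio": round(ratio, 2),
        "hints": hints,
        # Machine code is rarely almost all printable; a script always is.
        "looks_like_script": ratio >= threshold and bool(hints),
        "text": blob.decode("latin-1"),
    }

def to_c_literal(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return '"' + "".join(f"\\x{b:02x}" for b in text.encode()) + '"'

# Constructed sample 1: a script hidden as a hex array, as in the thread.
SAMPLE_TEXT = ('#!/usr/bin/perl\n'
               'print $sock "USER lemmings +i lemmings :lemmingsv2 NICK lemmings ";\n')
SAMPLE_C = "char shellcode[] =\n  " + to_c_literal(SAMPLE_TEXT) + ";\n"
# Constructed sample 2: meaningless non-printable bytes, for contrast.
BINARY_C = 'char shellcode[] = "\\x00\\x01\\x02\\xfe\\xff\\x80\\x90\\x7f";'

if __name__ == "__main__":
    for name, src in (("sample 1", SAMPLE_C), ("sample 2", BINARY_C)):
        report = triage(src)
        print(name, {k: v for k, v in report.items() if k != "text"})
        if report["looks_like_script"]:
            print(report["text"])
```

A result of `looks_like_script: True` means the array is text that the wrapper would execute on the machine of whoever runs it, which is the situation Mark J Cox describes above.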