Linux/Cdorked.A and the tool provided by welivesecurity
Florent Peterschmitt
florent at peterschmitt.fr
Fri May 3 13:53:18 UTC 2013
Hi,
I read a news item about a malware called Linux/Cdorked.A:
http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
They give a tool to know if our system is infected or not.
Well, I have two questions:
* Is this malware relevant on FreeBSD/*BSD systems?
* The tool doesn't work out-of-the-box; what do you think of this:
--- dump_cdorked_config.c 2013-05-03 09:48:59.000000000 +0000
+++ dump_cdorked_config-freebsd.c 2013-05-03 12:03:45.851681457 +0000
@@ -6,12 +6,13 @@
// would like to help, please send the httpd_cdorked_config.bin
// and your httpd executable to our lab for analysis. Thanks!
//
-// Build with gcc -o dump_cdorked_config dump_cdorked_config.c
+// Build with gcc -D_KERNEL -o dump_cdorked_config dump_cdorked_config.c
//
// Marc-Etienne M.Léveillé <leveille at eset.com>
//
#include <stdio.h>
+#include <sys/types.h>
#include <sys/shm.h>
#define CDORKED_SHM_SIZE (6118512)
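Review bot: the `+// Build with gcc -D_KERNEL ...` line is the wrong fix; `_KERNEL` switches the system headers into kernel mode and exposes declarations (the `shm_info` struct the poster mentions among them) that are not a userland API on FreeBSD, where the `SHM_INFO`/`SHM_STAT` family exists for the Linux emulation layer and is rejected with EINVAL on the native shmctl(2) path, so the tool can build cleanly and still fail at run time. The added `+#include <sys/types.h>` is correct on its own (FreeBSD's shmctl(2) lists sys/types.h, sys/ipc.h and sys/shm.h) and should be kept, with `#include <sys/ipc.h>` added beside it; instead of `-D_KERNEL`, get the segment ids from `ipcs -m` or the `kern.ipc.shmsegs` sysctl that ipcs(1) reads, and use the standard `IPC_STAT` command for each id, which needs no kernel-only definitions.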
I have never developed any piece of code for FreeBSD, so what I'm not sure
about is the use of -D_KERNEL on the build command line.
Since the shm_info struct is available only with this define, and u_long and
the others used by sys/shm.h are in sys/types.h, I thought it was a good way to do it.
I would also like to know why these structs (shm_info) are
available only when using _KERNEL.
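An added example, not the ESET tool and not the poster's patch, showing the portable way to ask about a segment without -D_KERNEL: shmctl(2) with IPC_STAT is a standard userland command on FreeBSD and Linux, so the size check the tool needs can be done per segment id. The ids themselves still come from a platform tool such as `ipcs -m` (that part is not in this snippet); the helper names, the test-segment helpers and the command-line usage are my own assumptions, while CDORKED_SHM_SIZE is the constant from the tool.

```c
/* Added example, not the ESET tool or the poster's patch.
 * Checks candidate System V shared-memory segment ids for the size the
 * Cdorked config segment is reported to use.  Only IPC_STAT is used, a
 * standard shmctl(2) command, so this builds without -D_KERNEL on
 * FreeBSD and Linux.  Segment ids are enumerated elsewhere (ipcs -m). */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define CDORKED_SHM_SIZE (6118512)   /* constant from the ESET tool */

/* Return 1 if shmid names a segment of exactly `expected` bytes,
 * 0 if the segment has another size, -1 if shmctl() fails (bad id,
 * removed segment, or no permission to stat it). */
int shm_segment_has_size(int shmid, size_t expected)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return ds.shm_segsz == expected ? 1 : 0;
}

/* Walk a list of candidate ids and return how many have the Cdorked
 * segment size; ids that cannot be stat'ed are silently skipped. */
int count_cdorked_sized(const int *ids, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        if (shm_segment_has_size(ids[i], CDORKED_SHM_SIZE) == 1) {
            printf("shmid %d: size %d matches the Cdorked config segment\n",
                   ids[i], CDORKED_SHM_SIZE);
            hits++;
        }
    }
    return hits;
}

/* Helpers for exercising the check on a throw-away private segment
 * (assumed test scaffolding, not part of the detection logic). */
int make_test_segment(size_t size)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
}

void remove_test_segment(int shmid)
{
    shmctl(shmid, IPC_RMID, NULL);
}

int main(int argc, char **argv)
{
    /* Usage: ./check_shm <shmid> [<shmid> ...]  with ids taken from `ipcs -m`.
     * Exit status 1 when at least one segment has the Cdorked size. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s shmid [shmid ...]\n", argv[0]);
        return 2;
    }
    int *ids = malloc(sizeof(int) * (size_t)(argc - 1));
    if (ids == NULL)
        return 2;
    for (int i = 1; i < argc; i++)
        ids[i - 1] = atoi(argv[i]);
    int hits = count_cdorked_sized(ids, argc - 1);
    free(ids);
    return hits > 0 ? 1 : 0;
}
```

A size match alone is only a hint, which is why the ESET tool goes on to dump the segment contents; this snippet stops at the part that is portable across the SysV implementations.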