[ale] Trojan mpg123 alert

Michael H. Warfield mhw at wittsend.com
Sun Jan 19 21:26:38 EST 2003


On Wed, Jan 15, 2003 at 09:57:56PM -0500, Matty wrote:
> On Wed, 2003-01-15 at 19:03, John Wells wrote:
> > Here's a link to the symantec info:
> > 
> > http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.jbellz.html
> > 
> > Bastards.  I say we hunt Gobbles down and string him/them up.  They're
> > invading my comfort zone ;-).


> I met GOBBLES at Defcon last year. He also sat in front of
> me on the flight back to Atlanta. I am still curious if his
> writeup on the RIAA stuff is possible (I really think it is).

	1) Gobbles is not an individual.  It's several.  Several of them
have less than a full grasp on either reality or the English language.

	2) After the ISS Apache advisory, Gobbles as much as confessed on
bugtraq that they had been breaking into systems using an Apache exploit
against OpenBSD systems.  (They went strangely silent after posting their
FreeBSD exploit...  Could have been some concern over some unwanted attention
by some low people in high places, but that's just an uncorroborated rumor /
conjecture...)  They claimed they wrote it and, in the comments, they ragged
on about a number of individuals and how they had broken into several systems
(which they listed).

	3) They (in the aforementioned confession) claimed amongst others to have
broken into Monkey.org and claimed that's how fragroute got trojaned.
I personally talked to Dug Song about this at the last FIRST (Forum of
Incident Response Security Teams) conference in June.  No, they did not
break into Monkey.org using the Apache exploit and no that was not how
fragroute got trojaned.  They (monkey.org) have the breakin very well
documented.  They also have the ATTEMPTED breakin through Apache also
well documented.  Somebody (Gobbles, by their own confession) did try to
break into monkey.org using an exploit known, at that time, only to
Gobbles.  So Gobbles has admitted to criminal activity to which others
have documentation but they have (eh hemm...) "embellished" some of their
activities (i.e. lied through their teeth even after being exposed).

	I wouldn't take them at face value even if you could tell which
end was which.

	BTW...  IAC...  I noticed that if you check the package that the
"mpg123" file belongs to on RedHat, you find out it's the mpg321 package.
In fact, on my RedHat 7.x and 8.x systems, mpg123 is a symlink to mpg321,
which is NOT the beast that is subject to this alert.  Yes, a few versions
of REAL mpg123 were vulnerable to a buffer overrun.  But it's probably
not the ones you might think or worry about.

> - Ryan


	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

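The check Mike describes in his last paragraph (which binary "mpg123" really is on a RedHat box), written out as an added shell example; it is not part of the message above nor of the ALE list. It follows the symlink chain from an mpg123 path one hop at a time, reports whether the final target is mpg321 or a real mpg123 binary, and, where rpm exists, asks `rpm -qf` which package owns it. The fake directory layout at the bottom is constructed for the demo, and the use of `rpm -qf` as the package query is an assumption about the RedHat host.

```sh
#!/bin/sh
# Added example (not from the original message): is a given "mpg123" path
# the real mpg123, or a symlink chain that ends at mpg321?

# Follow a symlink chain one hop at a time (portable: no readlink -f).
# Prints the final, non-symlink path; fails on a loop or a dangling link.
resolve_chain() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        target=$(readlink "$p") || return 1
        case $target in
            /*) p=$target ;;                    # absolute link target
            *)  p=$(dirname "$p")/$target ;;    # relative to the link's dir
        esac
        hops=$((hops + 1))
        [ "$hops" -gt 40 ] && { echo "symlink loop at $p" >&2; return 1; }
    done
    printf '%s\n' "$p"
}

# Ask the package manager who owns the resolved file.
# Assumption: rpm -qf is the RedHat query; on hosts without rpm say so
# rather than guessing.
owner_pkg() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo "not owned by any rpm"
    else
        echo "rpm not available"
    fi
}

# Classify the binary by the name the chain finally lands on.
classify_mpg123() {
    final=$(resolve_chain "$1") || return 1
    case $(basename "$final") in
        mpg321) echo "symlink to mpg321" ;;
        mpg123) echo "real mpg123" ;;
        *)      echo "other: $final" ;;
    esac
}

# Constructed demo mirroring the RedHat 7.x/8.x layout Mike describes:
# mpg123 is a symlink to mpg321.  Nothing here touches the real system.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho fake mpg321\n' > "$demo_dir/mpg321"
ln -s mpg321 "$demo_dir/mpg123"
classify_mpg123 "$demo_dir/mpg123"
owner_pkg "$demo_dir/mpg123"
rm -rf "$demo_dir"
```

On a real box you would point it at the installed binary instead of the demo directory, e.g. `classify_mpg123 "$(command -v mpg123)"` followed by `owner_pkg` on the same path; a result of "symlink to mpg321" plus an mpg321 package owner means the file is not the mpg123 the alert is about.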