Hello and welcome to the Monday, March 23rd, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in penetration testing and ethical hacking.

In diaries today, we have an interesting malar analysis by Xavier.

Xavier looked at a bash script, actually, that took advantage of the G socket backdoor.

G socket, short for global socket, is software and infrastructure that can be used to connect

two systems behind NAD to each other.

So it's a little bit like S-ton and such where both systems establish an outbound connection,

and then the toolkit comes with like Netcat and... both systems establish an outbound connection,

and then the toolkit comes with like Netcat, ZH, and other ways how these systems can then communicate.

So an interesting little tool, of course,

well, no good deed goes unpunished,

so this free tool is also being abused in this particular case to allow access

to the infected machine. There's also some interesting sort of time stomping going on here.

So time stomping refers to that the attacker is changing the last access, last changed dates of a particular file.

So, for example, as so often, the authorized keys file is updated.

And, well, this is then just overwritten, basically, in the sense that the timestamp doesn't change.

So a cursory investigation of the system will not really register any different

timestamp than before, which may lead an analyst to then ignore this particular file

and figure out that the attacker didn't touch it.

Now, an interesting correction here by one of our readers, Middle Verde here,

did add a comment stating that, yes, there was a little mistake here in Xavier's diary.

...