From: John Hasler
Newsgroups: alt.os.linux
Subject: Re: What do you make of this reported Linux back door?
Date: Fri, 28 Feb 2025 08:09:46 -0600
Organization: Dancing Horse Hill
Message-ID: <87jz9ama8l.fsf@sugarbit.com>

From the link: "the file is intended to run explicitly by the victim on
their Linux machine." It must also be run as root.

Therefore this malware is not by itself a vulnerability: obviously any
program you run as root can do anything. This thing is just a payload
for an attack. The actual vulnerability, if any, is the method by which
the user is induced to run the thing as root.

-- 
John Hasler
john@sugarbit.com
Dancing Horse Hill
Elmwood, WI USA