
Watcher

Open NoahGWood opened this issue 7 years ago • 1 comment

It appears 'watcher' is a headless packet sniffer used for spying. The first few lines make calls to /lib64/ld-linux-x86-64.so.2 to find a process ID; next it makes a call to libc.so.6 where it opens up some sort of connection, either to localhost or to a remote server (further disassembly required).

This program was probably written in 2002 or so (judging by the glibc version), definitely before 2011, as libc.so.6 stopped being hard-coded after that afaik.

The strings that give it away as a sniffer are:

monitor_type
set_prismhdr
forceprismheader
forceprism
prismhdr
rfmontx
monitor

NoahGWood, Apr 11 '17 17:04
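A string-based triage check of the kind the report above relies on, as an added example (not part of the EQGRP repository or the reporter's own analysis): it extracts printable runs from a binary the way `strings` does and flags the monitor-mode/Prism-header tokens and loader names quoted in the issue. The sample binary contents below are constructed.

```python
import re
from typing import Dict, List

# Indicator strings quoted in the issue above (monitor-mode / Prism-header
# related) plus the loader and libc names the reporter mentions.
SNIFFER_INDICATORS = {
    "monitor_type", "set_prismhdr", "forceprismheader",
    "forceprism", "prismhdr", "rfmontx", "monitor",
}
LOADER_INDICATORS = {"/lib64/ld-linux-x86-64.so.2", "libc.so.6"}

# Constructed stand-in for an ELF .rodata/.interp region: NUL-separated
# strings with some non-printable bytes mixed in. Not the real binary.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x10\x80\x03\x00"
    + b"libc.so.6\x00"
    + b"\x90\x90\xcc\x00"
    + b"monitor_type\x00set_prismhdr\x00rfmontx\x00"
    + b"usage: %s <iface>\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob: bytes) -> Dict[str, object]:
    """Match whole extracted strings against the indicator sets.

    Whole-string matching is deliberate: NUL-terminated ELF string tables
    yield one run per symbol, so 'monitor' only hits if it appears alone.
    """
    found = set(extract_strings(blob))
    sniffer_hits = sorted(found & SNIFFER_INDICATORS)
    loader_hits = sorted(found & LOADER_INDICATORS)
    return {
        "sniffer_indicators": sniffer_hits,
        "loader_references": loader_hits,
        # Two or more distinct sniffer tokens is the (heuristic) threshold here.
        "likely_sniffer": len(sniffer_hits) >= 2,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

Run it against a real file with `triage(open(path, "rb").read())`; the threshold is a triage heuristic, not proof, so hits still warrant the disassembly the reporter calls for.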

https://github.com/x0rz/EQGRP/issues/34#issue-226790403

Atavic, May 07 '17 18:05