- *OLD* pass_from: 189.123.52.86 user: root pass: se44@vitor1a45 (bd7b3456.virtua.com.br)
- pass_from: 189.114.56.2 user: root pass: Se44@^7Gbh_9%v1tori@ (talkinteractive2.static.gvt.net.br)
- pass_from: 186.220.204.80 user: thiago.borges pass: thbo7093 (badccc50.virtua.com.br)
- pass_from: 187.49.239.10 user: leonardo.koslowski pass: l3on@rdo (host10.iea.org.br)
- pass_from: 186.220.204.80 user: isaias.coelho pass: 1s@1a5 (badccc50.virtua.com.br)
- pass_from: 189.114.56.2 user: marco.malaquias pass: m@l@qu1@s (talkinteractive2.static.gvt.net.br)
- $db_url = 'mysql://serra45_homolog:45camp@dbloc4web@localhost/serra45_homologacao';
- SSH 187.45.234.172 / serra45.com.br / Locaweb
- Skynet, OK.
- Users:
- root:x:0:0:root:/root:/bin/bash
- thiago.virtua:x:0:0:Thiago Borges,,,:/home/thiago.borges:/bin/bash
- isaias.gvt:x:1001:1001:Isaias Coelho,,,:/var/www:/bin/bash
- gustavo.gomes:x:1002:1002:Gustavo Gomes,,,:/var/www:/bin/bash
- marco.malaquias:x:1003:1003:Marco.malaquias,,,:/var/www:/bin/bash
- nayara.perone:x:1004:1004:Nayara Perone,,,:/var/www:/bin/bash
- estevao.lucas:x:1000:1006:estevao,,,:/home/estevao.lucas:/bin/bash
- mmalaquias:x:1005:1007:,,,:/home/mmalaquias:/bin/bash
- leonardo.koslowski:x:1006:1008:leonardo koslowski,,,:/home/leonardo.koslowski:/bin/bash
- adisson.oliveira:x:1008:1011:Adisson,,,:/home/adisson.oliveira:/bin/bash
- Shadow:
- root:$1$GVUP9Bhu$C94ic4EFATm4aXQuPNl8p.:14907:0:99999:7:::
- thiago.borges:$1$3IuSJYc/$Tb.ACdEYgBoPZ7NzJwK15/:14883:0:99999:7:::
- isaias.coelho:$1$Ki8r4Fxu$CyKHUw62PpZTXjXux6xIo1:14875:0:99999:7:::
- gustavo.gomes:$1$2O7x1/0y$p23UAXlmigx9CpdxcJBBe.:14875:0:99999:7:::
- marco.malaquias:$1$2MUEeo77$eJmvIxqLXzxfVOitjXhJn.:14875:0:99999:7:::
- nayara.perone:$1$8ircKySk$0WKV5JaN906QU9VbVPdw21:14875:0:99999:7:::
- estevao.lucas:$1$3FzgSgC3$K/9zLIsgyIJyYDzkFz8Hp1:14884:0:99999:7:::
- mmalaquias:$1$0NMpzPSY$BKDvvklcLvaZ0fG4ZCpYq0:14894:0:99999:7:::
- leonardo.koslowski:$1$pj3IQjzN$ydoNAIpv7.mnAw58xBaYn.:14894:0:99999:7:::
- ftpserra45:$1$KGSpZ3Oy$ER9MKLNCGmEMSeSgPD6c9.:14902:0:99999:7:::
- adisson.oliveira:$1$qqhHWVa4$6t0K1eLufloPmOUZnCLEa/:14908:0:99999:7:::
- ---------------------------------------------------------------------------------------
- SSH2_OUT: 174.122.220.4 user: root pass: OAvmdufnmds (4.dc.7aae.static.theplanet.com) andre.luiz jeferson marco.malaquias
- STRACE OK,
- ---------------------------------------------------------------------------------------
- SSH2_OUT: 187.45.202.150 user: root pass: OAvmdufnmds (vostok.talk2.com.br)
- OK.
- Users:
- adisson:x:1057:1058:Adisson Olvieira,,,:/home/adisson:/bin/bash = n055055h0wna
- Shadow:
- root:$1$A4nz3CWG$FUtCkk94gZiwYteSxf6Hl.:14856:0:99999:7:::
- ntp:*:14830:0:99999:7:::
- ---------------------------------------------------------------------------------------
- vostok:/usr/include/libnet# ssh root@192.168.201.3
- /etc/ssh/ssh_config line 50: Unsupported option "GSSAPIAuthentication"
- /etc/ssh/ssh_config line 51: Unsupported option "GSSAPIDelegateCredentials"
- root@192.168.201.3's password:
- **** Connected to ****
- ### # ### ## ### ## ### ### ###### ######
- ## # ## # ## ## ## # ## # # ## #
- #### ### #### ### # #### ##
- ### #### ## ##### ## ##
- # ## ## ## ## ## ## ## ## ##
- #### #### ## #### ### ## ###### #### 1.0
- **** Linux columbia.iea.org.br 2.6.26-2-xen-686 i686 ****
- root@columbia:~#
- s -la /etc/cron.hourly/
- tail -f /var/log/syslog
- df -h
- tail -f /var/log/syslog
- tail -f apache2/serra45.com.br-error_log
- tail -n 100 apache2/serra45.com.br-error_log
- ls -la /tmp/ex*
- ls -la /tmp/ex*
- ls -la /tmp/ex*
- ls -la /tmp/ex*
- ls -la /tmp/ex*
- ls -la /tmp/ex*
- ls -la /tmp/ex*
- grep exploit syslog
- grep exploit syslog | more
- grep exploit syslog | more
- ls -la syslog
- ls -la syslog*
- find / -name 'exploit'
- find /var/www -type f name 'expoit' -exec grep -qi '/j' '{}' \; -print
- find / -name 'exploit'
- tail -f apache2/serra45.com.br-error_log
- tail -f apache2/serra45.com.br-access_log
- tail -f syslog
- find /var/www -type f -iname '*.php' -exec grep -qi 'C99Shell' '{}' \; -print
- find /var/www -type f -iname '*.php' -exec grep -qi 'SA_ROOT' '{}' \; -print
- cat /proc/meminfo
- find /var/www -type f -iname '*.php' -exec grep -qi 'passthru' '{}' \; -prin
- find /var/www -type f -iname '*.php' -exec grep -qi 'passthru' '{}' \; -print
- find /var/www -type f -iname '*.php' -exec grep -qi 'Saldiri.Org' '{}' \; -print
- find /var/www -type f -iname '*.php' -exec grep -qi 'exec(' '{}' \; -print
- find /var/www -type f -iname '*.php' -exec grep -qi 'Daemonise' '{}' \; -print
- exit
- cd /var/www/serra45/
- ls -lah
- chmod -R 775 imagens.serra45.com.br/
- ls -lah
- id leonardo.koslowski
- chown -r root:desenvolvedores imagens.serra45.com.br/
- chown -R root:desenvolvedores imagens.serra45.com.br/
- ls -lah
- vim /etc/apache2/sites-available/serra45.org.br
- /etc/init.d/apache2 reload
- exit
- ls -la /home/mmalaquias/backup/mysql/
- htop
- crontab -l
- htop
- exit
- ls
- vim /boot/grub/menu.lst
- shutdown -r now
- ls -lh
- iptables -L
- mysql -pse44@vitor1a45
- htop
- ps ax
- ping host10.iea.org.br
- netstat -n
- free -m
- free -m
- htop
- cd ../..
- ./backup.sh
- tar -czvf ../logs_serra45.tgz .
- ps aux |grep apache
- htop
- cd /
- find -name exploit
- htop
- netstat -n
- netstat -n | wc -l
- exit
- htop
- htop
- exit
- free -m
- htop
- exit
- htop
- cd /var/www/serra45/serra45.com.br/sites/default
- cd files
- ls
- ls -la VERDEeAMARELOmixFULL*
- htop
- htop
- exit
- ps aux | grep apache | wc -l
- pico /etc/apache2/sites-enabled/serra45.org.br
- exit
- pico /etc/apache2/sites-enabled/serra45.org.br
- /etc/init.d/apache2 reload
- pico /etc/apache2/sites-enabled/serra45.org.br
- /etc/init.d/apache2 reload
- pico /etc/apache2/sites-enabled/serra45.org.br
- /etc/init.d/apache2 reload
- pico /etc/apache2/sites-enabled/000-default
- /etc/init.d/apache2 reload
- pico /etc/apache2/sites-enabled/000-default
- ls -la /var/www
- ls -la /var/www/serra45/
- exit
- vim /etc/apache2/apache2.conf
- htop
- htop
- exit
- pico /var/www/serra45/serra45.com.br/index.php
- htop
- htop
- cd /var/www/serra45/serra45.com.br/
- ls
- mv index.php index_drupal.php
- mv index_tampao.html index.php
- htop
- exit
- root@XXXCNN8740:~#
- oot@XXXCNN8740:/var/www# ls
- index.html serra45 webalizer
- root@XXXCNN8740:/var/www# cd serra45
- root@XXXCNN8740:/var/www/serra45# ls
- backup_base_site.sql imagens.serra45.com.br serra45.com.br tampao tampao.old
- conteudo.serra45.com.br material.serra45.com.br serra45.org.br tampao_drupal votodemocratico
- root@XXXCNN8740:/var/www/serra45# cd serra45.com.br
- root@XXXCNN8740:/var/www/serra45/serra45.com.br# ls
- AdSHome_.jpg combataamentira comparacao-mobiliza favicon.ico index.html INSTALL.pgsql.txt lista-boletins.html offline2.html sitefora teste.txt
- arquivos comparacao2510 comparacao-onevideo frame.html index__.php install.php MAINTAINERS.txt offline.html sites themes
- avatar_app.tgz comparacao2710 COPYRIGHT.txt includes index_.php INSTALL.txt manifesto profiles splash_files transmissao
- border-radius.htc comparacao2810 cron.php index_blank.php index.php js misc proposta splashmob update.php
- CHANGELOG.txt comparacao3010 css index_drupal.php Indicadores languages modules robots.txt splash.php UPGRADE.txt
- clearcache.php comparacao-fora favicon45.ico _index.html INSTALL.mysql.txt LICENSE.txt offline scripts tampao.html xmlrpc.php
- root@XXXCNN8740:/var/www/serra45/serra45.com.br# whereis chattr
- chattr: /usr/bin/chattr /usr/share/man/man1/chattr.1.gz
- root@XXXCNN8740:/var/www/serra45/serra45.com.br# w
- 19:10:49 up 3 days, 19:06, 1 user, load average: 0.01, 0.02, 0.00
- USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
- root@XXXCNN8740:/var/www/serra45/serra45.com.br# cd /var/log
- root@XXXCNN8740:/var/log# ls
- acpid aptitude.2.gz btmp debug.1.gz dpkg.log kern.log.3.gz mail.info.5.gz mail.warn messages.6.gz mysql.log.7.gz syslog.4.gz
- acpid.1.gz auth.log btmp.1 debug.2.gz dpkg.log.1 lastlog mail.info.6.gz mail.warn.0 mysql news syslog.5.gz
- acpid.2.gz auth.log.0 daemon.log debug.3.gz dpkg.log.2.gz lpr.log mail.log mail.warn.1.gz mysql.err proftpd syslog.6.gz
- acpid.3.gz auth.log.1.gz daemon.log.0 dist-upgrade faillog mail.err mail.log.0 messages mysql.log pycentral.log udev
- acpid.4.gz auth.log.2.gz daemon.log.1.gz dmesg fsck mail.info mail.log.1.gz messages.0 mysql.log.1.gz samba user.log
- apache2 auth.log.3.gz daemon.log.2.gz dmesg.0 iptraf mail.info.0 mail.log.2.gz messages.1.gz mysql.log.2.gz syslog vmware-tools-guestd
- apparmor auth.log.4.gz daemon.log.3.gz dmesg.1.gz kern.log mail.info.1.gz mail.log.3.gz messages.2.gz mysql.log.3.gz syslog.0 wtmp
- apt auth.log.5.gz daemon.log.4.gz dmesg.2.gz kern.log.0 mail.info.2.gz mail.log.4.gz messages.3.gz mysql.log.4.gz syslog.1.gz wtmp.1
- aptitude auth.log.6.gz debug dmesg.3.gz kern.log.1.gz mail.info.3.gz mail.log.5.gz messages.4.gz mysql.log.5.gz syslog.2.gz xferlog
- aptitude.1.gz boot debug.0 dmesg.4.gz kern.log.2.gz mail.info.4.gz mail.log.6.gz messages.5.gz mysql.log.6.gz syslog.3.gz
- root@XXXCNN8740:/var/log# uname -a;w;/sbin/ifconfig -a | grep inet
- Linux XXXCNN8740 2.6.24-28-server #1 SMP Thu Sep 16 15:43:17 UTC 2010 i686 GNU/Linux
- 19:18:41 up 3 days, 19:13, 1 user, load average: 0.05, 0.04, 0.01
- USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
- inet addr:187.45.234.172 Bcast:187.45.234.255 Mask:255.255.255.0
- inet6 addr: fe80::250:56ff:fe97:7d8b/64 Scope:Link
- inet addr:127.0.0.1 Mask:255.0.0.0
- inet6 addr: ::1/128 Scope:Host
- root@XXXCNN8740:/var/log#
- 187.45.234.172
- s86-@hackware:~$ ssh krishna.pennacchioni@187.45.234.172
- The authenticity of host '187.45.234.172 (187.45.234.172)' can't be established.
- RSA key fingerprint is 7d:fa:58:f7:fa:72:58:e3:6e:b5:d1:88:c0:82:33:78.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '187.45.234.172' (RSA) to the list of known hosts.
- krishna.pennacchioni@187.45.234.172's password:
- Connection closed by 187.45.234.172 conection not permited!
- ssh -dsa 1|eB4BXj1y+jNuUTsdti5bBfmAsAk=|ReEGfhV6u0S0AaXq8lpE0dLynXU= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv3Hf+3nHJVfZ08tJ3TQ9dCkAllmpqkw8Ishgdrjk3dLs2AEcVWotMfEPKISfDhy7FupdyQLfIfF/t5dc7ck8pXzt5TbpEHAd6NfVcP0D/+OxgbgIZmuC+Q1cyzKZc+ObAti7+ODAKN51meIH6nYw+4iiuLB29EJtuUmLiQbWbHDY7Igp4zPdgolvKV5Rpwvi2IrBrJF7QPihkTBD/fHgTmyC+ZcGnBVYwsuETTgFXrcn6AbW26vlDgD+HifubATrYD9BQIQN42nHMwRxPfEt9hxe4nSirfhGv1L+NPwDtGd47PMoMc9pjx5rQbVLp+32EAek4rxZ6KqkdP67mcxzjw==
- |1|icLj3MlE8bZvEOPxzsiIrQSKPZo=|OPVSsPGJbe1CeF2VAhzy34O68eY= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2Od7AwdUJJ1HEGKXrqNV1pvab/fH96iL2ADCnWQrzRg2UCuAPMXBOsKu/DvXR+ktAeacVRTNy6hBrAtsX5Cq5IkgfzI5F2K47wyvz/b3x8QMY8qGMXNU99pjC7TYoYLUTPICf+DgMUT9DsFg8GBV1mXv9huTCCRFXdtk8mKgIUjPWT42LiGp6PehJbC9HbFtISd4fAdKpL+KvMFGI9MKcGWkB/YcCol9zlyQWdeesY9x9SgHA/FBjTOWXT3QFNjNkXofBc6OoJ6PGaKNtEv0KzVSzuECmWrlwo3TlFBtL4pPLX4x78YocTqF3ZrcCSCmz2a/6EXK8cJF9LjA7Fuvsw==" >xs86-@hackware".pub"
- (01:10:28) xs86- Abit.: xs86-@hackware:~$ ssh krishna.pennacchioni@187.45.234.172
- krishna.pennacchioni@187.45.234.172's password:
- root@XXXCNN8740:/var/log# uname -a;w;/sbin/ifconfig -a | grep inet
- Linux XXXCNN8740 2.6.24-28-server #1 SMP Thu Sep 16 15:43:17 UTC 2010 i686 GNU/Linux
- 19:18:41 up 3 days, 19:13, 1 user, load average: 0.05, 0.04, 0.01
- USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
- inet addr:187.45.234.172 Bcast:187.45.234.255 Mask:255.255.255.0
- inet6 addr: fe80::250:56ff:fe97:7d8b/64 Scope:Link
- inet addr:127.0.0.1 Mask:255.0.0.0
- inet6 addr: ::1/128 Scope:Host
- root@XXXCNN8740:/var/log#
- usando strace na rede local dos caras wh1t3h4ck3r oĆ <<<<<
- ps aux | grep sshd | grep -v grep
- root@XXXCNN8740:/etc/ssh# ps aux | grep sshd | grep -v grep
- root 3814 0.0 0.0 3096 656 ? Ss Oct21 0:00 /usr/sbin/sshd
- root 23725 0.0 0.0 6036 2092 ? Ss 18:58 0:00 sshd: root@pts/0
- ssh localhost
- Password: *************
- Last login: Tue Oct 25 10:36:35 2011 from from 10.10.4.3
- colombia@Zion:~$
- colombia:~# cat local.txt | grep read | more
- 6036 write(4, \0\0\0\1\0\0\0\******* , 19 <unfinished >
- 6035 < read resumed> 8\0\0\0\1\0\0\0\********** , 19) = 19
- 6012 write(7, \0\0\0\********** , 15 <unfinished >
- 6037 < read resumed> \6\0\0\0\********** , 15) = 15
- A MULEKEEEE! sry