Security Incidents mailing list archives
Re: spanish rootkit
From: "Martins, Fernando (Lisbon)" <FMartins () PT IMSHEALTH COM>
Date: Thu, 21 Sep 2000 11:01:36 +0200
Actually it is Brazilian, not Portuguese. We don't say: "Agora irei rodar o sniffer ebaaaaaa! ;)" ... this and all other comments are typical Brazilian =) And if it was rooted from Greece, some Brazilians like to have shell accounts there. So, all points to Brazil, IMHO.

'Esse script vai ver se está tudo no local correto e fazer de vc o mais l33t possivel ;)'
This script will check if everything is in the proper place and make you as slow as possible

"/usr/bin/make encontrado"
/usr/bin/make was found

"Nãaaao! /usr/bin/make nao encontrado vc tera q compilar o adore em outra makina e em seguida enviar para o diretorio :("
Noooo! /usr/bin/make was not found, you will have to compile the adore in another box and then send it to the directory

"sniffer encontrado continuando..."
sniffer found, continuing

"Não encontrei sniffer (linsniffer) tenha certeza q ele está no diretorio /usr/share/.../"
Did not find the sniffer, be sure it is in directory /usr/share

"Agora irei rodar o sniffer ebaaaaaa! ;)"
Now I'll run the sniffer yeahhhhh

"Agora irei esconder o processo do sniffer 31337"
Now I'll hide the process of the sniffer 31337

"Não encontrei pidof usarei o metodo do ps mesmo ;)"
Didn't find pidof, I'll use the ps method

"Rodando agora as backdoors..."
Running now the backdoors

"Não encontrei charbd tenha certeza q ele está no diretorio /usr/share/.../"
Didn't find charbd, be sure it is in the directory /usr/share

"Agora irei esconder as backdoors uhuh ;)"
Now I'll hide the backdoors

"Agora irei checar se a box roda pop3 para backdoriza-la ;) r0x"
Now I'll check if the box runs pop3, to be trojaned

"Veja aki se ele está rodando se tiver um # na frente significa q ele está desabilitado"
See here if it is running; if it has a # in front, it means that it is turned off

"No diretorio:"
In the directory

"Agora o vou testar o netstat hehehe vamos trojana-lo ;)"
Now I'll test netstat hehehe let's trojan it

"netstat encontrado aguarde fazendo as falcatruas ;)"
netstat found, wait while the tricks are being done

"Escondendo as conexoes no netstat trojanado"
Hiding connections of trojaned netstat

"Eh meio impossivel, mas parece q o netstat nao esta no dir /bin/"
It's half impossible, but it seems like netstat is not in the directory /bin

"bd de pop3 colocada"
bd of pop3 placed (bd usually is an abbreviation of database)

"Colocando bd de tcpd"
Placing bd of tcpd

"Backdoor Colocada"
Backdoor placed

"Colocando bd de ifconfig"
Placing bd of ifconfig

"Agora irei colocar a bd de icmp"
Now I'll place the bd of icmp

"Digite a porta q deseja:"
Type the port you wish

"Colocando login backdoor"
Placing login backdoor

chmod +x joao; cp -f joao /bin/login; rm -rf joao;
'joao' is the same as John (like John Smith, can be anybody)

"h0h0h0h0h0 agora vo compilar o rescue.c o mais l33t0 possivel"
now I'll compile the rescue.c the slowest way possible

"/etc/rc.d/rc.local encontrado ... h0h0h0"
found

"Caso vc decida botar pra inicializar mais l1t0 q isso existem 1 backup de tudo no /usr/share/.../ ;)"
In case you wish to run slower than that (in this case l1t0 and l33t0 mean slow, so he can't even talk the right h4x0r ... a mess, like the whole script)

"Não encontrei /etc/rc.d/rc.local :(("
Didn't find ...

I hope this helps.

Kind Regards,
Fernando Martins