The Cyber Knights Whitepaper

roothack.org

by The Cyber Knights

**** Roothack Addition ****

epic@cerberus:~/wargames/grace$ cat hades.txt

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on hades.roothack.org (192.168.200.2):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp 
22/tcp open ssh 
113/tcp filtered auth

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

[epic@thecks epic]$ ps axu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1324 76 ? S Jan02 0:07 init [3]
root 2 0.0 0.0 0 0 ? SW Jan02 0:07 [kflushd]
root 3 0.0 0.0 0 0 ? SW Jan02 0:08 [kupdate]
root 4 0.0 0.0 0 0 ? SW Jan02 0:00 [kpiod]
root 5 0.0 0.0 0 0 ? SW Jan02 0:08 [kswapd]
root 6 0.0 0.0 0 0 ? SW< Jan02 0:00 [mdrecoveryd]
root 332 0.0 0.9 1576 636 ? S Jan02 0:02 syslogd -m 0
root 342 0.0 0.0 1628 0 ? SW Jan02 0:00 [klogd]
root 363 0.0 0.0 1308 0 ? SW Jan02 0:00 [apmd]
daemon 436 0.0 0.0 1356 56 ? S Jan02 0:00 /usr/sbin/atd
root 482 0.0 0.6 2460 436 ? S Jan02 0:04 /usr/sbin/sshd
root 664 0.0 0.1 1552 120 ? S Jan02 0:00 crond
xfs 685 0.0 0.0 3652 52 ? S Jan02 0:00 xfs -droppriv -daemon
root 717 0.0 0.3 1300 220 ? S Jan02 0:00 rhnsd --interval 30
root 729 0.0 0.0 1296 0 tty2 SW Jan02 0:00 [mingetty]
root 730 0.0 0.0 1296 0 tty3 SW Jan02 0:00 [mingetty]
root 731 0.0 0.0 1296 0 tty4 SW Jan02 0:00 [mingetty]
root 732 0.0 0.0 1296 0 tty5 SW Jan02 0:00 [mingetty]
root 733 0.0 0.0 1296 0 tty6 SW Jan02 0:00 [mingetty]
root 1095 0.0 0.0 1296 0 tty1 SW Jan02 0:00 [mingetty]
root 9564 0.0 0.2 1696 132 ? S 05:19 0:00 pure-ftpd (SERVER) 
root 29725 0.0 2.2 3056 1452 ? S 07:10 0:01 /usr/sbin/sshd
talon 29729 0.0 2.0 2264 1284 pts/3 S 07:10 0:00 -bash
root 29761 0.0 1.6 2180 1032 pts/3 S 07:12 0:00 su root
root 29860 0.0 2.1 2396 1388 pts/3 S 07:12 0:00 bash
root 25924 0.0 2.2 3056 1456 ? S 08:45 0:02 /usr/sbin/sshd
skilar 25927 0.0 2.0 2264 1284 pts/2 S 08:45 0:00 -bash
root 25951 0.0 1.6 2180 1032 pts/2 S 08:46 0:00 su - root
root 25952 0.0 2.0 2324 1340 pts/2 S 08:46 0:00 -bash
root 28161 0.1 2.2 3056 1456 ? S 09:18 0:01 /usr/sbin/sshd
root 28162 0.0 2.0 2312 1324 pts/4 S 09:18 0:00 -bash
root 28263 0.0 0.7 1316 496 pts/4 S 09:25 0:00 ./fake
root 28265 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28269 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28270 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28271 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28272 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28273 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28274 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28275 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28276 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28277 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28278 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28279 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28280 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28281 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28282 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28283 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28284 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28285 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28286 0.0 0.0 0 0 pts/4 Z 09:25 0:00 [fake <defunct>]
root 28289 0.0 0.0 0 0 pts/4 Z 09:28 0:00 [fake <defunct>]
root 28296 3.6 2.2 3056 1456 ? S 09:30 0:00 /usr/sbin/sshd
root 28297 2.6 2.2 3056 1456 ? S 09:30 0:00 /usr/sbin/sshd
root 28298 3.7 2.0 2312 1324 pts/0 S 09:30 0:00 -bash
epic 28319 4.6 2.0 2268 1284 pts/5 S 09:30 0:00 -bash
epic 28338 0.0 1.1 2540 740 pts/5 R 09:30 0:00 ps axu
[epic@thecks epic]$


[epic@thecks /tmp]$ lsof |grep LISTEN
sshd 482 root 3u IPv4 553 TCP *:ssh (LISTEN)
pure-ftpd 9564 root 4u IPv4 6233 TCP *:21 (LISTEN)
fake 28263 root 3u IPv4 69218 TCP *:telnet (LISTEN)
[epic@thecks /tmp]$

[epic@thecks /tmp]$ uname -a
Linux localhost.localdomain 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
[epic@thecks /tmp]$


[epic@thecks /tmp]$ df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/hda8 257673 113053 131316 47% /
/dev/hda1 19487 2476 16005 14% /boot
/dev/hda6 1690560 277136 1327544 18% /home
/dev/hda5 1690560 711588 893092 45% /usr
/dev/hda7 257673 9855 234514 5% /var
[epic@thecks /tmp]$

[epic@thecks /tmp]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
apache:x:48:48:Apache:/var/www:/bin/false
named:x:25:25:Named:/var/named:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
mailnull:x:47:47::/var/spool/mqueue:/dev/null
epic:x:500:500::/home/epic:/bin/bash
vile:x:501:505::/home/vile:/bin/bash
serinth:x:502:506::/home/serinth:/bin/bash
skilar:x:503:507::/home/skilar:/bin/bash
atomix:x:504:508::/home/atomix:/bin/bash
talon:x:505:509::/home/talon:/bin/bash
[epic@thecks /tmp]$


[epic@thecks /tmp]$ cat /etc/*version

Slackware 9.1.0
[epic@thecks /tmp]$


-rwsr-xr-x 1 root root 34220 Aug 8 2000 /usr/bin/chage
-rwsr-xr-x 1 root root 36344 Aug 8 2000 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 21248 Aug 24 2000 /usr/bin/crontab
-rwsr-xr-x 1 root root 35964 Aug 23 2000 /usr/bin/at
-rws--x--x 2 root root 793603 Aug 7 2000 /usr/bin/suidperl
-rws--x--x 2 root root 793603 Aug 7 2000 /usr/bin/sperl5.6.0
-rwsr-xr-x 1 root root 155436 Jul 17 2000 /usr/bin/ssh
-r-s--x--x 1 root root 13536 Jul 12 2000 /usr/bin/passwd
-rwsr-sr-x 1 root mail 63772 Aug 11 2000 /usr/bin/procmail
-rwsr-xr-x 1 root root 14492 Jul 21 2000 /usr/bin/rcp
-rwsr-xr-x 1 root root 7828 Jul 21 2000 /usr/bin/rsh
-rws--x--x 1 root root 13184 Aug 30 2000 /usr/bin/chfn
-rws--x--x 1 root root 12640 Aug 30 2000 /usr/bin/chsh
-rws--x--x 1 root root 5464 Aug 30 2000 /usr/bin/newgrp
-rws--x--x 1 root root 1725941 Jan 3 07:07 /usr/local/bin/ssh-signer2
---S--S--- 1 root root 10516 Aug 30 2000 /usr/sbin/rpcinfo
-rwsr-sr-x 1 root root 6780 Aug 30 2000 /usr/sbin/zdump
-rwsr-sr-x 1 root root 34428 Aug 30 2000 /usr/sbin/zic
-rwsr-sr-x 1 root root 20316 Aug 4 2000 /usr/sbin/anacron
-rwsr-sr-x 1 root root 21276 Aug 8 2000 /usr/sbin/chpasswd
-rwsr-sr-x 1 root root 24540 Aug 8 2000 /usr/sbin/groupadd
-rwsr-sr-x 1 root root 19036 Aug 8 2000 /usr/sbin/groupdel
-rwsr-sr-x 1 root root 21116 Aug 8 2000 /usr/sbin/groupmod
-rwsr-sr-x 1 root root 22268 Aug 8 2000 /usr/sbin/grpck
-rwsr-sr-x 1 root root 18140 Aug 8 2000 /usr/sbin/grpconv
-rwsr-sr-x 1 root root 17916 Aug 8 2000 /usr/sbin/grpunconv
-rwsr-sr-x 1 root root 26588 Aug 8 2000 /usr/sbin/newusers
-rwsr-sr-x 1 root root 19580 Aug 8 2000 /usr/sbin/pwck
-rwsr-sr-x 1 root root 19772 Aug 8 2000 /usr/sbin/pwconv
-rwsr-sr-x 1 root root 15676 Aug 8 2000 /usr/sbin/pwunconv
-rwsr-sr-x 1 root root 52924 Aug 8 2000 /usr/sbin/useradd
-rwsr-sr-x 1 root root 35516 Aug 8 2000 /usr/sbin/userdel
-rwsr-sr-x 1 root root 54492 Aug 8 2000 /usr/sbin/usermod
-rwsr-sr-x 1 root root 21116 Aug 23 2000 /usr/sbin/ab
---S--S--- 1 root root 301820 Aug 23 2000 /usr/sbin/httpd
-rwsr-sr-x 1 root root 6940 Aug 23 2000 /usr/sbin/logresolve
-rwsr-sr-x 1 root root 4668 Aug 23 2000 /usr/sbin/rotatelogs
-rws--s--x 1 root root 11000 Aug 23 2000 /usr/sbin/suexec
-rwsr-sr-x 1 root root 16636 Aug 27 2000 /usr/sbin/apmd
-rwsr-sr-x 1 root root 4088 Aug 30 2000 /usr/sbin/mklost+found
-rwsr-sr-x 1 root root 31504 Aug 15 2000 /usr/sbin/logrotate
-rwsr-sr-x 1 root root 22236 Aug 24 2000 /usr/sbin/crond
-rwsr-sr-x 1 root root 37 Aug 23 2000 /usr/sbin/sys-unconfig
-rwsr-sr-x 1 root root 6288 Aug 23 2000 /usr/sbin/usernetctl
-rwsr-sr-x 1 root root 16060 Aug 11 2000 /usr/sbin/arpsnmp
-rwsr-sr-x 1 root root 79100 Aug 11 2000 /usr/sbin/arpwatch
-rwsr-sr-x 1 root root 15028 Aug 23 2000 /usr/sbin/atd
-rwsr-sr-x 1 root root 67 Aug 23 2000 /usr/sbin/atrun
-rwsr-sr-x 1 root root 42400 Aug 24 2000 /usr/sbin/authconfig
-rwsr-sr-x 1 root root 585 Jul 12 2000 /usr/sbin/mkdict
-rwsr-sr-x 1 root root 3756 Jul 12 2000 /usr/sbin/packer
-rwsr-sr-x 1 root root 5920 Jul 12 2000 /usr/sbin/chroot
-rwsr-sr-x 1 root root 142684 Aug 5 2000 /usr/sbin/dnskeygen
-rwsr-sr-x 1 root root 361500 Aug 5 2000 /usr/sbin/irpd
---S--S--- 1 root root 715164 Aug 5 2000 /usr/sbin/named
-rwsr-sr-x 1 root root 8700 Aug 5 2000 /usr/sbin/named-bootconf
-rwsr-sr-x 1 root root 384156 Aug 5 2000 /usr/sbin/named-xfer
-rwsr-sr-x 1 root root 47420 Aug 5 2000 /usr/sbin/ndc
-rwsr-sr-x 1 root root 10180 Jul 12 2000 /usr/sbin/chkfontpath
-rwsr-sr-x 1 root root 4168 Aug 16 2000 /usr/sbin/sasldblistusers
-rwsr-sr-x 1 root root 6116 Aug 16 2000 /usr/sbin/saslpasswd
-rwsr-sr-x 1 root uucp 73660 Jul 12 2000 /usr/sbin/dip
---S--S--- 1 root root 7484 Aug 30 2000 /usr/sbin/in.fingerd
-rwsr-sr-x 1 root root 60828 Jul 28 2000 /usr/sbin/gpm
-rwsr-sr-x 1 root root 12500 Jul 25 2000 /usr/sbin/rtacct
-rwsr-sr-x 1 root root 9704 Aug 8 2000 /usr/sbin/arping
-rwsr-sr-x 1 root root 10012 Aug 8 2000 /usr/sbin/clockdiff
-rwsr-sr-x 1 root root 17180 Aug 8 2000 /usr/sbin/ping6
-rwsr-sr-x 1 root root 13756 Aug 8 2000 /usr/sbin/rdisc
-rwsr-sr-x 1 root root 6556 Aug 8 2000 /usr/sbin/tracepath
-rwsr-sr-x 1 root root 6884 Aug 8 2000 /usr/sbin/tracepath6
-rwsr-sr-x 1 root root 9788 Aug 8 2000 /usr/sbin/traceroute6
-rwsr-s--- 1 root root 7624 Aug 3 2000 /usr/sbin/actctrl
-rwsr-s--- 1 root root 12700 Aug 3 2000 /usr/sbin/avmcapictrl
-rwsr-sr-x 1 root root 16284 Aug 3 2000 /usr/sbin/capiinit
-rwsr-s--- 1 root root 10428 Aug 3 2000 /usr/sbin/divertctrl
-rwsr-s--- 1 root root 46524 Aug 3 2000 /usr/sbin/eiconctrl
-rwsr-s--- 1 root root 4288 Aug 3 2000 /usr/sbin/hisaxctrl
-rwsr-s--- 1 root root 7320 Aug 3 2000 /usr/sbin/icnctrl
-rwsr-s--- 1 root root 10908 Aug 3 2000 /usr/sbin/imon
-rwsr-sr-x 1 root root 5800 Aug 3 2000 /usr/sbin/imontty
-rws--S--- 1 root root 124924 Aug 3 2000 /usr/sbin/ipppd
-rwsr-sr-x 1 root root 8524 Aug 3 2000 /usr/sbin/ipppstats
-rwsr-s--- 1 root root 5064 Aug 3 2000 /usr/sbin/iprofd
-rwsr-s--- 1 root root 59324 Aug 3 2000 /usr/sbin/isdnctrl
-rwsr-sr-x 1 root root 226236 Aug 3 2000 /usr/sbin/isdnlog
-rwsr-s--- 1 root root 5148 Aug 3 2000 /usr/sbin/loopctrl
-rwsr-s--- 1 root root 8988 Aug 3 2000 /usr/sbin/mkzonedb
-rwsr-s--- 1 root root 9844 Aug 3 2000 /usr/sbin/pcbitctl
-rwsr-sr-x 1 root root 13852 Aug 3 2000 /usr/sbin/rcapid
-rwsr-s--- 1 root root 4288 Aug 3 2000 /usr/sbin/telesctrl
-rwsr-s--- 1 root root 20444 Aug 3 2000 /usr/sbin/vboxd
-rwsr-s--- 1 root root 50460 Aug 3 2000 /usr/sbin/vboxgetty
-rwsr-sr-x 1 root root 11144 Aug 24 2000 /usr/sbin/kbdconfig
-rwsr-sr-x 1 root root 92988 Aug 30 2000 /usr/sbin/kudzu
-rwsr-sr-x 1 root root 256540 Aug 14 2000 /usr/sbin/checkpc
-rwsr-sr-x 1 lp lp 431584 Aug 14 2000 /usr/sbin/lpc
---S--S--- 1 root root 487868 Aug 14 2000 /usr/sbin/lpd
-rwsr-sr-x 1 root root 177788 Aug 14 2000 /usr/sbin/lpraccnt
-rwsr-sr-x 1 root root 83868 Jul 12 2000 /usr/sbin/lsof
-rwsr-sr-- 1 root root 10565 Aug 23 2000 /usr/sbin/makewhatis
-rwsr-sr-x 1 root root 88188 Aug 24 2000 /usr/sbin/mouseconfig
-rwsr-sr-x 1 root root 26684 Aug 2 2000 /usr/sbin/exportfs
-rwsr-sr-x 1 root root 6972 Aug 2 2000 /usr/sbin/nfsstat
-rwsr-sr-x 1 root root 19068 Aug 2 2000 /usr/sbin/nhfsstone
---S--S--- 1 root root 38684 Aug 2 2000 /usr/sbin/rpc.mountd
---S--S--- 1 root root 3644 Aug 2 2000 /usr/sbin/rpc.nfsd
---S--S--- 1 root root 10492 Aug 2 2000 /usr/sbin/rpc.rquotad
-rwsr-sr-x 1 root root 9512 Aug 2 2000 /usr/sbin/showmount
-rwsr-sr-x 1 root root 16436 Aug 30 2000 /usr/sbin/ntsysv
-rwsr-sr-x 1 root root 185596 Jul 17 2000 /usr/sbin/sshd
-rwsr-sr-x 1 root root 6224 Jul 20 2000 /usr/sbin/ibench
-rwsr-sr-x 1 root root 28444 Jul 20 2000 /usr/sbin/identd
-rwsr-sr-x 1 root root 3420 Aug 10 2000 /usr/sbin/pmap_dump
-rwsr-sr-x 1 root root 3620 Aug 10 2000 /usr/sbin/pmap_set
-rwsr-sr-x 1 root root 17276 Jul 12 2000 /usr/sbin/chat
-rwsr-sr-x 1 root root 143708 Jul 12 2000 /usr/sbin/pppd
-rwsr-sr-x 1 root root 38332 Jul 12 2000 /usr/sbin/pppdump
-rwsr-sr-x 1 root root 9068 Jul 12 2000 /usr/sbin/pppstats
-rwsr-sr-x 1 root root 39500 Aug 16 2000 /usr/sbin/netconfig
-r-sr-sr-x 1 root root 20188 Aug 21 2000 /usr/sbin/edquota
-r-sr-sr-x 1 root root 3608 Aug 21 2000 /usr/sbin/quotastats
-r-sr-sr-x 1 root root 9820 Aug 21 2000 /usr/sbin/repquota
-r-sr-sr-x 1 root root 23004 Aug 21 2000 /usr/sbin/setquota
-r-sr-sr-x 1 root root 9692 Aug 21 2000 /usr/sbin/warnquota
-rwsr-sr-x 1 root root 44284 Jul 12 2000 /usr/sbin/rdistd
-rwsr-sr-x 1 root root 378 Aug 27 2000 /usr/sbin/rhn_register
-rwsr-sr-x 1 root root 4829 Aug 8 2000 /usr/sbin/adsl-connect
-rwsr-sr-x 1 root root 8546 Aug 8 2000 /usr/sbin/adsl-setup
-rwsr-sr-x 1 root root 3855 Aug 8 2000 /usr/sbin/adsl-start
-rwsr-sr-x 1 root root 1875 Aug 8 2000 /usr/sbin/adsl-status
-rwsr-sr-x 1 root root 1729 Aug 8 2000 /usr/sbin/adsl-stop
-rwsr-sr-x 1 root root 22364 Aug 8 2000 /usr/sbin/pppoe
-rwsr-sr-x 1 root root 19996 Aug 8 2000 /usr/sbin/pppoe-server
-rwsr-sr-x 1 root root 8692 Aug 8 2000 /usr/sbin/pppoe-sniff
---S--S--- 1 root root 7740 Jul 21 2000 /usr/sbin/in.rexecd
---S--S--- 1 root root 14588 Jul 21 2000 /usr/sbin/in.rlogind
---S--S--- 1 root root 12572 Jul 21 2000 /usr/sbin/in.rshd
---S--S--- 1 root root 15804 Aug 5 2000 /usr/sbin/rpc.rstatd
---S--S--- 1 root root 8540 Aug 5 2000 /usr/sbin/rpc.rusersd
---S--S--- 1 root root 6940 Aug 5 2000 /usr/sbin/rpc.rwalld
---S--S--- 1 root root 10172 Aug 10 2000 /usr/sbin/rwhod
-rwsr-sr-x 1 root root 8892 Aug 22 2000 /usr/sbin/mailstats
-r-sr-sr-x 1 root root 23740 Aug 22 2000 /usr/sbin/makemap
-rwsr-sr-x 1 root root 22076 Aug 22 2000 /usr/sbin/praliases
---S--S--- 1 root root 401748 Aug 22 2000 /usr/sbin/sendmail
-r-sr-sr-x 1 root root 6812 Aug 22 2000 /usr/sbin/smrsh
-rwsr-sr-x 1 root root 6484 Aug 24 2000 /usr/sbin/setup
---S--S--- 1 root root 43836 Aug 18 2000 /usr/sbin/stunnel
-rws--s--x 1 root root 14988 Aug 22 2000 /usr/sbin/in.ntalkd
-rwsr-sr-x 1 root root 5592 Aug 14 2000 /usr/sbin/safe_finger
-rws--s--x 1 root root 20956 Aug 14 2000 /usr/sbin/tcpd
-rwsr-sr-x 1 root root 11164 Aug 14 2000 /usr/sbin/try-from
---S--S--- 1 root root 223644 Aug 11 2000 /usr/sbin/tcpdump
---S--S--- 1 root root 37884 Jul 18 2000 /usr/sbin/in.telnetd
-rwsr-sr-x 1 root root 12508 Aug 22 2000 /usr/sbin/in.tftpd
-rwsr-sr-x 1 root root 615 Aug 24 2000 /usr/sbin/setclock
-rwsr-sr-x 1 root root 12528 Aug 24 2000 /usr/sbin/timeconfig
-rwsr-sr-x 1 root root 9260 Jul 12 2000 /usr/sbin/tmpwatch
-rwsr-sr-x 1 root root 16992 Jul 19 2000 /usr/sbin/traceroute
---S--S--- 1 root root 15532 Jul 20 2000 /usr/sbin/snmpd
-rwsr-sr-x 1 root root 20840 Jul 20 2000 /usr/sbin/snmptrapd
-rwsr-sr-x 1 root root 12754 Aug 27 2000 /usr/sbin/rhn_check
-rwsr-sr-x 1 root root 7936 Aug 27 2000 /usr/sbin/rhnsd
-rwsr-sr-x 1 root root 13181 Aug 27 2000 /usr/sbin/up2date
-rwsr-sr-x 1 root utmp 6584 Jul 12 2000 /usr/sbin/utempter
-rwsr-sr-x 1 root root 43772 Aug 30 2000 /usr/sbin/cfdisk
-rwsr-sr-x 1 root root 7292 Aug 30 2000 /usr/sbin/rdev
-rwsr-sr-x 1 root root 7484 Aug 30 2000 /usr/sbin/readprofile
-rwsr-sr-x 1 root root 6788 Aug 30 2000 /usr/sbin/tunelp
-rwsr-sr-x 1 root root 7836 Aug 30 2000 /usr/sbin/vipw
-rwsr-sr-x 1 bin bin 8060 Aug 9 2000 /usr/sbin/ckconfig
---S--S--- 1 bin bin 8572 Aug 9 2000 /usr/sbin/ftprestart
---S--S--- 1 bin bin 11068 Aug 9 2000 /usr/sbin/ftpshut
---S--S--- 1 bin bin 164860 Aug 9 2000 /usr/sbin/in.ftpd
-rwsr-sr-x 1 bin bin 10332 Aug 9 2000 /usr/sbin/privatepw
-rwsr-sr-x 1 bin bin 10443 Aug 9 2000 /usr/sbin/xferstats
-rwsr-sr-x 1 root root 6942 Aug 18 2000 /usr/sbin/inetdconvert
-rwsr-sr-x 1 root root 141628 Aug 18 2000 /usr/sbin/xinetd
-r-sr-sr-x 1 root root 9608 Aug 15 2000 /usr/sbin/yppoll
-r-sr-sr-x 1 root root 7512 Aug 15 2000 /usr/sbin/ypset
-rwsr-sr-x 1 root root 18644 Aug 16 2000 /usr/sbin/rpc.yppasswdd
-rwsr-sr-x 1 root root 25148 Aug 16 2000 /usr/sbin/rpc.ypxfrd
-rwsr-sr-x 1 root root 14204 Aug 16 2000 /usr/sbin/yppush
-rwsr-sr-x 1 root root 42236 Aug 16 2000 /usr/sbin/ypserv
-rwsr-xr-x 1 root root 14184 Jul 12 2000 /bin/su
-rwsr-xr-x 1 root root 20604 Aug 8 2000 /bin/ping
-rwsr-xr-x 1 root root 55356 Aug 5 2000 /bin/mount
-rwsr-xr-x 1 root root 25404 Aug 5 2000 /bin/umount
-r-sr-xr-x 1 root root 14732 Aug 22 2000 /sbin/pwdb_chkpwd
-r-sr-xr-x 1 root root 15340 Aug 22 2000 /sbin/unix_chkpwd


epic@cerberus:~/wargames/grace$

**** End Roothack Addition ****

*** Friday. January 2nd 2004. 7:00 PM MST

(ASCII art banner)
[hades.roothack.org]

-=[ members ]=- [w: win, u: unix, l: linux]

=>1. vile - skill: OS:WUL // defense
=>2. Ta|0n - skill: OS:WUL // defense
=>3. skilar - skill: OS:WUL // penetration
=>4. Serinth - skill: OS:WUL // defense
=>5. atomix - skill: OS:WUL // whitepapers/penetration
=>6. Toll - skill: OS:WL // extra/understudy

-=[ actions / server statistics / etc ]=-

Team The Cyber Knights entered the server at "". Beginning by checking the
statistics of the server, the following procedures were done:

- id;uname -a
- cat /etc/*release
- cat /etc/*version
- cat /etc/shadow
- cat /etc/passwd
- ps -aux

The following information has been gathered, which represents the statistics
and server software our local box (hades.roothack.org) is running:

OS: Linux
DISTRO: Red Hat Linux Release 7.0 (Guinness)
KERNEL: 2.2.16-22
SHADOW ENCRYPTION: FreeBSD MD5

According to the above information, the Linux distribution is outdated; the current
distribution is Red Hat Linux Release 9.0. We also noticed that the kernel is outdated as well.
The current STABLE kernel version is 2.6.0. We will upgrade the kernel to prevent
local root exploits attacking the following Linux kernel vulnerabilities:

- do_brk()
- ptrace()

It is just miscellaneous knowledge to know the encryption algorithm for the shadow
password file. We will need to disable non-root reading of shadow in case it happens to be
readable by a non-root user.

During our GRACE PERIOD of 24 hours for the wargames we will be doing the following
in order to keep any intrusions visible to us, or just slim to none :):

Installing an IDS (Intrusion Detection System)(TripWire)
Installing a PSD (Port Scan Detector)(PSad)
Installing a PS (Packet Sniffer)(TcpTrack)

Installing miscellaneous tools for extra protection:
=> OS-Sim

- Snort, Acid, MRTG, NTOP, OpenNMS, nmap, nessus, and rrdtool

The group and I (atomix) began in an AIM chatroom conversation about what we were planning
to do, then took it to irc.hack3r.com in our own channel, which we are using during the wargame.

We discussed strategies and possible security measures we needed to take in order to
safeguard our server in the 24 hours we had to do it in. We also discussed who is doing what,
as in which member of the group is doing what type of job. We all agreed that during the
GRACE period we would hold the following positions:

- 1 person upgrades daemons & kernel
- 1 person installs IDS and other server protection
- 1 person handles traffic and port blocking/accepting
- 1 person installs Sniffers and Fake Daemons
- I write out the white paper and assist with each

We had to choose wisely who was doing what, but then decided that whoever had the knowledge
at the time of the start of the wargame would do the job. More like spur of the moment picks.

I'm now going to discuss various problems with the server which I'm sure I've already
stated, but I'm also going to list possible and already vulnerable services, programs and
anything else that can be classified as a security risk for a server compromise:

- kernel (vulnerable)
- sshd (vulnerable)
- ftpd (vulnerable)
- /sbin (filled with suid programs and vulnerable programs)
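As an added illustration (not part of the whitepaper or the team's tooling), the following Python script parses a setuid/setgid listing in the `ls -l` form shown in the Roothack addition above and flags the entries a defender should review first: set-id bits without an execute bit, binaries outside the stock system directories, and recently modified files (assumed from `ls` printing HH:MM instead of a year). The sample lines are copied from that listing; the tag names are my own.

```python
"""Triage a setuid/setgid listing (ls -l format) and flag entries to review first."""
import re
from typing import Dict, List

# Constructed sample: a few lines copied from the setuid listing in the
# Roothack addition above, in plain `ls -l` form.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 34220 Aug 8 2000 /usr/bin/chage
-rws--x--x 2 root root 793603 Aug 7 2000 /usr/bin/suidperl
-rws--x--x 1 root root 1725941 Jan 3 07:07 /usr/local/bin/ssh-signer2
---S--S--- 1 root root 10516 Aug 30 2000 /usr/sbin/rpcinfo
-rwsr-sr-x 1 root mail 63772 Aug 11 2000 /usr/bin/procmail
-rwsr-xr-x 1 lp lp 431584 Aug 14 2000 /usr/sbin/lpc
-rwsr-xr-x 1 root root 14184 Jul 12 2000 /bin/su
"""

# Directories where a distribution's own set-id binaries normally live.
STOCK_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

LINE_RE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+(?P<when>\d{4}|\d{1,2}:\d{2})\s+(?P<path>/\S+)$"
)


def classify(mode: str, owner: str, when: str, path: str) -> List[str]:
    """Tags for one entry; index 3/6/9 of the mode string are the u/g/o execute slots."""
    tags = []
    if mode[3] in "sS":
        tags.append("setuid-root" if owner == "root" else f"setuid-{owner}")
    if mode[6] in "sS":
        tags.append("setgid")
    # Capital S: set-id bit present but the execute bit is missing. Stock
    # packages rarely ship this; it usually means hand-edited permissions.
    if "S" in mode[3] + mode[6]:
        tags.append("sbit-without-exec")
    if mode[9] == "x":
        tags.append("world-exec")
    # Assumption: ls prints HH:MM instead of a year for files modified within
    # roughly the last six months, so this marks a recently changed binary.
    if ":" in when:
        tags.append("recent-mtime")
    if not path.startswith(STOCK_DIRS):
        tags.append("non-stock-path")
    return tags


def audit_listing(text: str) -> Dict[str, List[str]]:
    """Parse every listing line that matches and return path -> tags."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings[m["path"]] = classify(m["mode"], m["owner"], m["when"], m["path"])
    return findings


def review_queue(findings: Dict[str, List[str]]) -> List[str]:
    """Paths carrying an anomaly tag, i.e. what a defender should inspect first."""
    anomalies = {"sbit-without-exec", "recent-mtime", "non-stock-path"}
    return sorted(p for p, tags in findings.items() if anomalies & set(tags))


if __name__ == "__main__":
    result = audit_listing(SAMPLE_LISTING)
    for path in review_queue(result):
        print(path, ",".join(result[path]))
```

On the full listing above this puts /usr/local/bin/ssh-signer2 (dated Jan 3, outside the stock directories) and every `---S--S---` entry at the top of the queue.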

-=[ plans and extra comments ]=-

I had the idea of doing something with the server in which it would be almost impossible
for an intruder to breach the security of the box. I had a few plans. I wasn't sure which I wanted
to implement with the team, but there was one plan which I knew could be pulled off perfectly, or at
least we could try to pull it off perfectly.

Attempting to edit the file /etc/securetty or /etc/inetd.conf would allow us all to disable
remote connections from logging into the box, or at least close all ports except SSH and TELNET. By
shutting off everything besides TELNET and SSH, the attacker would have no choice but to either
attempt to log in to one of them or attempt to exploit one of them. But why would we just leave them
out in the open? That's the trick. It would just be a honeypot: a fake daemon to sniff out incoming
connections and log all text sent to the daemon. I wasn't sure at first whether that was legal, but
the rules did say "secure your box", and that is sure securing it.

I had spoken to the team and of course I had gotten several replies that if everyone did
something like that, then the whole thing would be a stalemate, but that's not illegal. And the point
of the game is to get the most points. Basically our chances of getting those points would be good
whitepapers, etc.

-=[ 10:00 PM EST ]=-

Right now I'm transferring the kernel bzip, then going to extract the archive to
/usr/src. Then I'm going to begin the configuration, then do the compile, etc.

[root@thecks atomix]# ls
linux-2.6.0.tar.bz2
[root@thecks atomix]# mv linux-2.6.0.tar.bz2 /usr/src/linux-2.6.0.tar.bz2
[root@thecks atomix]# 
[root@thecks atomix]# cd /usr/src
[root@thecks src]# bzip2 -cd linux-2.6.0.tar.bz2 | tar -xvf -

...


-=[ UPGRADED DAEMONS ]=-

The following daemons were upgraded:

- FTP => pure-ftpd-1.0.17a-2.i686.rpm
- SSH => 

The following programs were installed:

- NMAP => nmap-3.48.tar

-=[ PORTS STATUS ]=-

Just did an nmap scan on localhost @ 3:20 PM SATURDAY JAN.3, which is maybe around
6 hours before the grace period is over. Here is the current port status:

01. [root@thecks atomix]# nmap -sS -sV -O localhost
02.
03. Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-03 07:47 MST
04. Interesting ports on hades (127.0.0.1):
05. (The 1654 ports scanned but not shown below are in state: closed)
06. PORT STATE SERVICE VERSION
07. 21/tcp open ftp PureFTPd
08. 22/tcp open ssh OpenSSH 2.1.1 (protocol 1.99)
09. 13/tcp filtered auth
10. Device type: general purpose
11. Running: Linux 2.1.X|2.2.X
12. OS details: Linux 2.1.19 - 2.2.25
13. Uptime 0.573 days (since Fri Jan 2 18:03:08 2004)
14.
15. Nmap run completed -- 1 IP address (1 host up) scanned in 6.310 seconds
16. [root@thecks atomix]#

Line 01: nmap (starts nmap) -sS (stealth scan) -sV (detect versions) -O (detect OS)
Line 07: port 21 is open so we can do our transfers, and it was upgraded to PureFTPD
Line 08: ssh currently isn't upgraded; version 2.1.1 suffers a remote root vuln. We
plan on upgrading it to 3.7.1p2, since 3.7.1 suffers a root vuln.
Line 11: we need to upgrade the kernel from 2.1.x to 2.4.23 so it's not vulnerable to
the ptrace() and do_brk() vulnerabilities, as I stated before. We had trouble
upgrading to 2.6.0, so we're going to try 2.4.23.

-=[ 3:46 PM STATUS ]=-

I just ran a shell script I wrote which did a few things. To help secure the box
totally, I made it so that if we get intrusions at all, the one thing the attacker always checks
(if they're smart enough) is /etc/*release or /etc/*version, to check what Linux distribution is
running if it happens to be a Linux box. We were given a Red Hat Linux box running the 7.0 release.
I just removed /etc/redhat-release, created /etc/slackware-version and inside of there put:

[root@thecks /etc]# cat /etc/slackware-version
Slackware 9.1.0
[root@thecks /etc]#

This will help by making the attacker think it's a Slackware box rather than Red Hat, causing
them to probably just dig around for local Slackware exploits if they happen to get in, since it's
going to be pointless for them to use the ptrace() & do_brk() exploits after we upgrade the kernel to
a version that isn't affected.

Currently in our IRC channel #thecks on irc.hack3r.com, the team is discussing the install
status of OpenSSH. We are planning on upgrading that in a few minutes since the GRACE
period will be over soon.

I'm going to be transferring the following files for use:

wget http://packetstormsecurity.nl/linux/security/psad-1.3.1.tar.gz
wget http://umn.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz
wget http://packetstormsecurity.nl/sniffers/tcptrack-1.0.2.tar.gz
wget http://packetstormsecurity.nl/UNIX/loggers/os-sim-0.7.1.tgz

It's for the extra security. I believe I had already mentioned them in the whitepaper earlier.

-=[ 3:56 PM ]=-

- installing tcptrack
- installing pango

-=[ 5:13 PM ]=-

- spoofed telnet (fake daemon)

Currently our port status under NMAP is as follows:

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-03 09:46 MST
Interesting ports on hades (127.0.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp PureFTPd
22/tcp open ssh OpenSSH 2.1.1 (protocol 1.99)
23/tcp open telnet?
113/tcp filtered auth
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port23-TCP:V=3.48%D=1/3%Time=3FF6F1D9%r(NULL,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(GenericLines,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(GetRequest,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(HTTPOptions,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(RTSPRequest,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(RPCCheck,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(DNSVersionBindReq,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(DNSStatusRequest,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(Help,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(SSLSessionReq,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(SMBProgNeg,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(X11Probe,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(LPDString,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(LDAPBindReq,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(LANDesk-RC,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20")
SF:%r(TerminalServer,37,"Slackware\x20Linux\x209\.1\.0\nWelcome\x20to\x20Linux\x202\.4\.18\.\n\nlogin:\x20");
Device type: general purpose
Running: Linux 2.1.X|2.2.X
OS details: Linux 2.1.19 - 2.2.25
Uptime 0.655 days (since Fri Jan 2 18:03:08 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 11.739 seconds

Apparently the fake daemon we added seems kinda obvious... so that might
set us back if the attackers are smart :P. But hopefully not. We still really need to upgrade
that kernel version before open season.

We're also deciding to close SSH over port 22. Why? We currently backdoored our own
server on a different port to log in through there. I'm not sure whether that's illegal or not,
but it's still an SSH login through the backdoor :).


*** END OF GRACE PERIOD. ELAPSED TIME: 24:00:00 
*** BEGINNING OF OPEN SEASON. ELAPSED TIME: 00:00:01

'Tis the open season to be jolly, and we, Team Cyber Knights, are jolly as hell. Currently
our status is as follows:

We are going to begin using the penetration portion of our team and begin scanning the
other boxes for open ports and possible vulnerable daemons. A current list of all other boxes
available for scanning is below:

erinys.roothack.org
erebus.roothack.org
orion.roothack.org
thrugdush.roothack.org

Currently it's 9:32 PM EST. The team under the thrugdush box is attempting to get into our box;
we are getting syslogd warnings. We are currently scanning each box and noticing a lot of vulnerable
daemons. The team under thrugdush is vulnerable to RPC and FTPD exploitation.

Our syslogd is now noticing Orion attacking us...

Message from syslogd@thrugdush at Sat Jan 3 19:21:02 2004 ...
thrugdush last message repeated 31 times

Message from syslogd@orion at Sat Jan 3 19:21:02 2004 ...
orion

Message from syslogd@orion at Sat Jan 3 19:21:35 2004 ...
orion

We have a suspicion that orion is fork bombing us, which is considered denial of service and
therefore we believe should be disqualified :(. The shell is going extremely slow and some of the
members are complaining of bash locking up.

Okayyyyyy.....never mind, that was talon's exploit fuckin lockin us up rofl...


Honestly, here's my perspective on the teams and how they're doing:

Media Assasins (thrugdush) - need to upgrade their kernel, too many useless sniffed ports

-=[ 11:18 PM ]=-

It's 11:18 PM EST. Apparently one team has already been fucked, only 12 minutes into open
season. I don't give any props for that though. The team who got owned deserved it. They were running
an old exploitable version of Wu-FTPD which they had 24 hours to upgrade. Their stupidity got them
hacked.

Two teams already have wu-ftpd 2.6.0; I tried to exploit them with 4 wu-ftpd exploits, but sadly
no luck, even though those 2 teams allowed anonymous logins. Apparently MKDIR isn't allowed, which the
exploit needs to use in order to work. I'm not sure if that eliminated team (Masters of Deception)
had the only box with one that allowed MKDIR, unless one of the teams in the game right now has a 0day
which doesn't need to use it. I doubt that though, so I'm 80% on the chance that their wu-ftpd allowed
the mkdir command.

Currently some of the teams are lately upgrading and disabling some things according to their
port status and shit with nmap. Still no one 'cept Third Eye Open on erebus has upgraded their kernel.

Also, talon has currently patched our kernel just to be on the safe side, in case it happens to
get compromised during his kernel compile and install to upgrade our kernel to 2.4.23 PLUS the gsec
patch.


-=[ 8:01 PM EST - Sunday, January 4th 2004 ]=-

Currently I have my fake server running. Apparently 3 boxes have already been compromised, leaving
us and a couple of other boxes standing. The fake daemon is running on port 22, where I have it echoing a fake
banner. Apparently Third Eye Open have tried connecting to it. My daemon reported the connections to me:

Connection received from host 192.168.200.4
received: 
Connection received from host 192.168.200.4
received: SSH-1.0-3.2.9.1 (compat mode)

Connection received from host 192.168.200.1
received: SSH-1.0-3.2.9.1 (compat mode)

Connection received from host 192.168.200.4
received: 
H-1.0-3.2.9.1 (compat mode)

Connection received from host 192.168.200.4
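As an added example (not the team's fake daemon or any code from the whitepaper), here is a small Python decoy listener of the kind described in the honeypot plan earlier and whose log format mirrors the entries just quoted: it sends a banner, records whatever the peer sends, and closes without interpreting the input. The banner, the trial port 2222, the peer address in `simulate_client` and the sample log are constructed; a listener on port 22 itself needs root, with the real sshd moved to another port as the team did.

```python
"""Decoy listener: send a banner, log what each peer sends, hang up."""
import socket
import threading
from collections import Counter
from typing import Dict, List

# Constructed decoy banner (any string will do; it is not a real sshd).
BANNER = b"SSH-1.99-decoy\r\n"

# Constructed sample log in the format the daemon reports, copied from the
# connections quoted in the text above.
SAMPLE_LOG = """\
Connection received from host 192.168.200.4
received: 
Connection received from host 192.168.200.4
received: SSH-1.0-3.2.9.1 (compat mode)

Connection received from host 192.168.200.1
received: SSH-1.0-3.2.9.1 (compat mode)
"""


def format_event(host: str, data: bytes) -> str:
    """One log record per connection, same shape as the daemon output quoted above."""
    text = data.decode("latin-1").rstrip("\r\n")
    return f"Connection received from host {host}\nreceived: {text}\n"


def handle_client(conn: socket.socket, addr, banner: bytes = BANNER,
                  timeout: float = 5.0, limit: int = 512) -> str:
    """Banner out, at most `limit` bytes in, then close; never interpret the input."""
    conn.settimeout(timeout)
    data = b""
    try:
        conn.sendall(banner)
        data = conn.recv(limit)
    except OSError:
        pass  # timeout (peer sent nothing, e.g. a scanner) or peer hung up early
    finally:
        conn.close()
    return format_event(addr[0], data)


def serve(port: int, sink, stop: threading.Event, bind_addr: str = "0.0.0.0") -> None:
    """Accept loop; `sink` receives one formatted record per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(8)
        srv.settimeout(0.5)  # wake up regularly to check the stop flag
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            sink(handle_client(conn, addr))


def count_by_host(log_text: str) -> Dict[str, int]:
    """Connections per source host, for spotting who keeps coming back."""
    prefix = "Connection received from host "
    return Counter(line[len(prefix):].strip()
                   for line in log_text.splitlines() if line.startswith(prefix))


def client_banners(log_text: str) -> List[str]:
    """Non-empty payloads peers sent, e.g. the version string an SSH client announces."""
    return [line[len("received: "):] for line in log_text.splitlines()
            if line.startswith("received:") and line.rstrip() != "received:"]


def simulate_client(data: bytes) -> str:
    """Offline check via socketpair: the record produced when a peer sends `data`."""
    ours, theirs = socket.socketpair()
    theirs.sendall(data)
    # Constructed peer address standing in for the scanning host.
    record = handle_client(ours, ("192.168.200.4", 40000), timeout=1.0)
    theirs.close()
    return record


if __name__ == "__main__":
    stop = threading.Event()
    try:
        serve(2222, print, stop)  # port 22 itself needs root; 2222 for a trial run
    except KeyboardInterrupt:
        stop.set()
```

An empty `received:` line, as in the quoted log, is a peer that connected and sent nothing before the timeout, which is what a port scanner's probe looks like from the decoy's side.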

Apparently they're trying something. I wonder if they've noticed yet that it's a fake daemon. Right now
the kernel still isn't upgraded, but I have confidence that no one's going to be able to come in. Right now
I'm the only one online. My teammates are all sleeping, away, etc. Vile is in and out right now.

I think someone's trying something right now; I'm wondering what's going on because I just got this
very odd error:

warning: SSH1 PROTOCOL ERROR: Unexpected EOF from the server.
Connection to hades closed.

I'm playing Risk right now; it's very risky what I'm doing currently. I'm hoping that no one is sniffing
us. If they do, and they happen to get into the box, then I know the reason why and how. I was attempting
to load Hunt, but for some reason the FTP got fucked totally, so we're screwed. The only safe thing we can do
is just close all ports except the backdoor, which is password protected, and wait for a stalemate.

I'm about to run an nmap scan on 192.168.200.4, which is the Third Eye Open group, the group that is
believed to be the one responsible for the 12-minute ownage against Masters of Deception.

Here are the results of the scan against them:

[root@localhost /root]$ nmap -sS -sV -O -vv 192.168.200.4

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-04 12:39 MST
Host erebus (192.168.200.4) appears to be up ... good.
Initiating SYN Stealth Scan against erebus (192.168.200.4) at 12:39
Adding open port 1013/tcp
Adding open port 1012/tcp
The SYN Stealth Scan took 0 seconds to scan 1657 ports.
Initiating service scan against 2 services on 1 host at 12:39
The service scan took 95 seconds to scan 2 services on 1 host.
For OSScan assuming that port 1012 is open and port 1 is closed and neither are firewalled
Interesting ports on erebus (192.168.200.4):
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
1012/tcp open unknown
1013/tcp open unknown
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=15F8E6%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 1.034 days (since Sat Jan 3 11:52:13 2004)
TCP Sequence Prediction: Class=random positive increments
Difficulty=1439974 (Good luck!)
TCP ISN Seq. Numbers: EFB40A06 EFC6D926 EFF4F1F5 EFADC262 EF9606D3 EF50B10A
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 101.786 seconds


That's just odd... Earlier I did a scan on them and they had ZERO ports open, and
for some odd reason next to Linux 2.4.X|2.5.X it stated ", Novell Netware 4.X". Something's
going up...

According to a search on the Neohapsis Port Listing, 1012 is rstatd on OpenBSD and
the Doly trojan port... I assume right there that it's gotta be a fake.

Also according to a search on the port listing, 1013 doesn't exist as a service port.
Must also be a fake... It DOES say unknown. Wonder what they're up to now. I'm sure they have
a backdoor as well; they have SSH shut off. I'm going to run nmap to scan ports 1-60000.

As that's scanning, the guys at Third Eye are apparently alive right now; they just closed
the connection with my fake daemon.

...
Connection to hades closed.

I know right now they're thinking of how to approach our box. Basically there's nothing to
exploit, or is there? I really should run an nmap scan on localhost to scan ports 1-60000 as well;
I'm sure there are high ports that may be vulnerable to something, possibly?

OMG... I fucking knew they fucking had a damn backdoor... check this scan out:

[root@localhost /root]$ nmap -sS -sV -O 192.168.200.4 -p 1-60000

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-04 12:47 MST
Interesting ports on erebus (192.168.200.4):
(The 59995 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
1012/tcp open unknown
1013/tcp open unknown
1111/tcp open unknown
9009/tcp open unknown
54917/tcp open ssh SSH 3.2.9.1 (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 1.040 days (since Sat Jan 3 11:52:14 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 141.538 seconds
[root@localhost /root]$

...
54917/tcp open ssh SSH 3.2.9.1 (protocol 2.0)
...

As I suspected, a backdoor. They obviously had the same plan as me. Let's explore...

[root@localhost /root]$ ssh root@erebus -p 54917
Secure connection to erebus on port 54917 refused.
[root@localhost /root]$

Hm, smart motherfuckers... or maybe it's fake. I'm assuming it's fake, gotta be fake...
Or not, they DO need something to log in to. Maybe it's just protected well then. Makes me wonder
if they know we had the same plan to disable ssh and place a backdoor on our own box.

Think it's time for me to scan our own box and see what's up...

[root@localhost /root]$ nmap -sS -sV -O localhost -p 1-60000

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-04 12:57 MST
Interesting ports on hades (127.0.0.1):
(The 59998 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
52333/tcp open ssh SSH 1.2.27 (protocol 1.5)
Device type: general purpose
Running: Linux 2.1.X|2.2.X
OS details: Linux 2.1.19 - 2.2.25
Uptime 0.076 days (since Sun Jan 4 11:07:55 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 23.592 seconds
[root@localhost /root]$

Oh lookie :P. That's not the real SSH version ;) the backdoor I'm using is one created privately
by my buddies, !tc, !sh 2k4 bitches. Anyway, I have a feeling it's just gonna be a stalemate :(. It is
possible that they can scan us and ATTEMPT to get into the backdoor, but I really doubt they're gonna
get very far with that unless the backdoor can somehow get exploited; I have high doubts in that though
as well :).

Seems like the action died down between Third Eye Open and my fake daemon on port 22; I'm gonna
open another one and see if anything happens there ;).


-=[9:12 PM EST]=-

I'm in #roothack on irc.hack3r.com; apparently mercy is saying shit about how he made some sort
of new service which is exploitable that he wants to give the two remaining teams, us and Third Eye. He
stated that it's vulnerable to being exploited but there's no current exploit for it. He tried PMing me
to get me to do something. Here's the log:

.....okay, apparently I closed the damn shit, rofl...

Anyway, he said he was gonna give the source and shit and wanted me to chmod my main directory,
which was /home/thrugdush/atomix, to 777. And he's gotta be fucking insane if he wants me to fucking do that,
so of course I declined. He said 700 then; I still declined, said no offense, closed the PM. Then my friend
who was on the Media Assasins team told me this on AIM:

mgrd: howd thecks do
me: us and third eye and left
mgrd: oh
mgrd: we would have done good but some kid for california chmod 700 /
mgrd: :?
me: mercys trying to get me to do chmod 777
me: hes gotta be insane
me: i declined
me: thats fucked up to do
mgrd: ya
mgrd: we couldnt log in anymore
mgrd: so we were out before it started
me: =
mgrd: my states cool for hacking you have to alter something to be convitcted
me: :P
mgrd: Media Assasins had their server compromised early on in the game, however the teams with root privlidges managed to kill the O.S. while trying to fix some mistakes M.A. had made with permissions. Good luck next time Media Assasins.
mgrd: /me crys
mgrd: stupid ref0rm
me: :
me: im pouttin this in my whitepaper
mgrd: i had this awesome script all ready combo of tcl and bash, if someone got root they would only keep it for 5 minutes
me: =
mgrd: just ready to crontab it and ref0rms like DONT LOG OUT
mgrd: i couldnt fix the permissions
mgrd: me and epic tried and couldnt get it
mgrd: we couldnt even log in
me: shit =

Apparently mercy was trying to fuck me up. Like I'd really chmod anything to 777. I'm not stupid :P.
Obviously ref0rm of Media Assasins sadly got tricked by the social engineering of mercy, but I'm not making
jokes at all about it. Just happened.

Looks like there was some sort of fight in the Media Assasins box. Mercy just said in the chan that he
entered through an imap vuln, I guess, or some shit, and the imap was backdoored on port 143. Hm.


-=[9:52 PM EST]=-

Apparently now erebus's box is firewalled or just down... look at this nmap scan:

[root@localhost atomix]$ nmap -sS -sV -O -v erebus

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-04 14:20 MST
Host 192.168.200.4 appears to be down, skipping it.
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 13.546 seconds
[root@localhost atomix]$


-=[9:59 PM EST]=-

Fuck.... at 9:59 PM EST, Third Eye compromised us, the hades box. I have no fucking clue how, but
they got us... goddamnit. They got proof though. This is just gonna end the whitepaper saying that it's a
possibility that they exploited my backdoor because it's running old ssh.

- atomix