----- Log file opened 2004-04-06T21:46 -----
[21:46:38]
***
unixroot102 [User] is now online =)
[21:46:38]
unixroot102:
hello
[21:50:20]
BlueFiredotNET:
who are you?
[21:50:21]
***
Information about unixroot102:
[21:50:21]
***
Class: AIM
[21:50:21]
***
Online time: 1:41m
[21:50:21]
***
Profile:
No User information Provided
[21:50:46]
unixroot102:
nobody
[21:50:50]
unixroot102:
just wanted to talk
[21:51:06]
BlueFiredotNET:
you're certainly not nobody.
[21:51:15]
BlueFiredotNET:
by your screen name you sound like you know something about computers.
[21:51:38]
unixroot102:
possibly
[21:52:04]
unixroot102:
and by your screen name it looks like you have something to do with bluefire.net?
[21:52:05]
unixroot102:
lol
[21:52:11]
BlueFiredotNET:
nah
[21:52:23]
unixroot102:
ic
[21:52:24]
BlueFiredotNET:
my machine's name is BlueFire and I was just mocking microsoft's big thing at the time
[21:52:31]
BlueFiredotNET:
their "dotNET" initiative
[21:52:32]
unixroot102:
hehe
[21:52:39]
unixroot102:
so, you into linux?
[21:53:34]
BlueFiredotNET:
run it fulltime on a server and a desktop
[21:54:01]
unixroot102:
ah
[21:54:04]
unixroot102:
thats nice
[21:54:10]
BlueFiredotNET:
so who are you?
[21:54:18]
BlueFiredotNET:
and where'd you get my screen name?
[21:54:28]
unixroot102:
i pulled it out of my hat
[21:54:32]
unixroot102:
=P
[21:55:06]
unixroot102:
Joshua, is it?
[21:55:11]
BlueFiredotNET:
joshua, it is.
[21:55:14]
***
Information about unixroot102:
[21:55:14]
***
Class: AIM
[21:55:14]
***
Online time: 1:46m
[21:55:14]
***
Profile:
No User information Provided
[21:55:20]
unixroot102:
cool
[21:55:31]
BlueFiredotNET:
camp, school, IRC?
[21:55:45]
unixroot102:
box
[21:55:53]
BlueFiredotNET:
box..?
[21:55:58]
unixroot102:
sh-2.05# uname -a;id
Linux dashnine 2.4.19 #6 Mon Nov 4 00:53:29 EST 2002 i686 unknown
uid=0(root) gid=0(root) groups=62(man)
sh-2.05#
[21:55:59]
unixroot102:
=P
[21:56:04]
BlueFiredotNET:
oh
[21:56:05]
BlueFiredotNET:
look
[21:56:12]
BlueFiredotNET:
you seem to have root on my machine
[21:56:20]
unixroot102:
no way
[21:56:21]
unixroot102:
lol
[21:56:33]
unixroot102:
im not going to mess with anything
[21:56:36]
BlueFiredotNET:
hrrrm
[21:56:38]
unixroot102:
just thought it was kinda funny
[21:56:42]
BlueFiredotNET:
heh
[21:56:42]
unixroot102:
nice box though
[21:56:51]
BlueFiredotNET:
what was the security hole that you exploited?
[21:56:55]
unixroot102:
just needs a bit more security
[21:57:01]
BlueFiredotNET:
I assume I fucked up my mailman inst from earlier?
[21:57:09]
unixroot102:
nah
[21:57:17]
unixroot102:
upload:upload
[21:57:19]
BlueFiredotNET:
ah
[21:57:23]
unixroot102:
and you gave it bash!
[21:57:23]
BlueFiredotNET:
and then local root
[21:57:24]
unixroot102:
why?
[21:57:47]
BlueFiredotNET:
at the time there was not a local root exploit :)
[21:57:54]
unixroot102:
heh
[21:57:58]
unixroot102:
well, now theres about 4
[21:58:04]
BlueFiredotNET:
yeah
[21:58:11]
unixroot102:
so i'd update my kernel if i were you
[21:58:18]
unixroot102:
and dont use common logins! ;)
[21:58:21]
BlueFiredotNET:
I suppose I'd better update my kernel, or at the least, eliminate untrusted users
[21:58:27]
unixroot102:
both
[21:58:34]
BlueFiredotNET:
yeah, next time there's some hardware downtime I'll update the thing's kernel.
[21:58:35]
unixroot102:
i could have just uploaded a phpshell
[21:58:44]
unixroot102:
then ran a backdoor
[21:58:46]
unixroot102:
boom
[21:58:50]
unixroot102:
im in
[21:58:53]
BlueFiredotNET:
yeah
[21:58:57]
unixroot102:
your box was quite easy
[21:59:02]
unixroot102:
it shouldnt be
[21:59:09]
unixroot102:
care bout your security bro
[21:59:17]
unixroot102:
it makes you worth your salt
[21:59:18]
unixroot102:
;)
[21:59:29]
BlueFiredotNET:
yah, but that machine doesn't have any important data anyway.
[21:59:42]
* BlueFiredotNET
goes to passwd -l upload, and decides to only allow ssh auth for it
[21:59:51]
unixroot102:
heh
[21:59:53]
unixroot102:
man pts/14 bluefire.joshuaw 9:35pm 0.00s 1.53s 0.05s w
[21:59:58]
unixroot102:
thats me btw
----- [22:00] -----
[22:00:14]
BlueFiredotNET:
from bluefire?!
[22:00:22]
unixroot102:
i changed the wtmp entry
[22:00:25]
BlueFiredotNET:
aha
[22:00:41]
unixroot102:
/tmp/..../u ;0)
[22:00:44]
BlueFiredotNET:
yeah
[22:01:03]
unixroot102:
your box is amazingly fast
[22:01:10]
BlueFiredotNET:
400mhz p2
[22:01:13]
unixroot102:
what kind of connection you running?
[22:01:19]
BlueFiredotNET:
cable 3mbit/256
[22:01:23]
unixroot102:
awesome
[22:01:45]
unixroot102:
i only have 512kb/56
[22:01:47]
unixroot102:
:(
[22:01:54]
BlueFiredotNET:
satellite?
[22:02:02]
unixroot102:
nah, cheap cable lol
[22:02:09]
BlueFiredotNET:
ah
[22:02:18]
unixroot102:
so, you a hacker, or just coder?
[22:02:31]
unixroot102:
(i read a bit of your code, hope you didnt mind)
[22:02:45]
BlueFiredotNET:
coder
[22:02:50]
unixroot102:
ah
[22:02:51]
BlueFiredotNET:
nah, don't mind
[22:02:52]
BlueFiredotNET:
which code?
[22:03:04]
unixroot102:
youloser.c or something i think
[22:03:04]
BlueFiredotNET:
usb.c?
[22:03:10]
unixroot102:
i like signals :)
[22:03:10]
BlueFiredotNET:
oh, youlose
[22:03:16]
BlueFiredotNET:
classic app
[22:03:25]
unixroot102:
ic
[22:03:29]
unixroot102:
nice job
[22:03:35]
unixroot102:
simple, but good for learning
[22:03:44]
BlueFiredotNET:
yeah
[22:03:49]
unixroot102:
how long you been with C?
[22:04:05]
BlueFiredotNET:
for one of my better works check handhelds.org CVS ... look in the bootloader code at usb.c and dma.c
[22:04:15]
BlueFiredotNET:
7 years or so
[22:04:31]
unixroot102:
woah
[22:04:42]
unixroot102:
ive been with it for bout a year or so
[22:04:45]
BlueFiredotNET:
heh
[22:04:46]
unixroot102:
i love it
[22:05:07]
unixroot102:
well, probably a bit more than a year
[22:05:22]
BlueFiredotNET:
wanna undo whatever you did to my account? :)
[22:05:30]
unixroot102:
your account?
[22:05:38]
BlueFiredotNET:
seems I can't log in
[22:05:49]
unixroot102:
i only changed the pass on mailman and man
[22:05:56]
BlueFiredotNET:
hrm
[22:05:57]
unixroot102:
i didnt do anything else that i know of
[22:06:05]
BlueFiredotNET:
I can't get in as joshua
[22:06:18]
unixroot102:
didnt touch i, promise
[22:06:21]
unixroot102:
*it
[22:06:34]
BlueFiredotNET:
doh, maybe bash was just having issues
[22:06:39]
unixroot102:
ah
[22:06:53]
unixroot102:
btw, may i keep shell on your box?
[22:07:01]
unixroot102:
i wont mess or snoop
[22:07:02]
BlueFiredotNET:
dunno if I trust you now, heh
[22:07:05]
unixroot102:
just code and such
[22:07:16]
unixroot102:
i just rooted it for fun lol
[22:07:19]
BlueFiredotNET:
heh
[22:07:24]
BlueFiredotNET:
where'd you get the IP to root?
[22:07:48]
unixroot102:
searching for something on google and came across it
[22:07:56]
BlueFiredotNET:
oh, joshuawise.com?
[22:08:04]
unixroot102:
cant remember
[22:08:20]
unixroot102:
something.com/~joshua maybe ?
[22:08:37]
* BlueFiredotNET
scp /etc/shadow over and run crack to see if there's anything else wide open
[22:08:40]
BlueFiredotNET:
joshuawise.com/~joshua
[22:08:53]
unixroot102:
ya, thats probably it
[22:09:34]
unixroot102:
may i add me an account?
[22:09:42]
BlueFiredotNET:
prefer if you didn't
[22:09:52]
unixroot102:
you're no fun =p
[22:10:02]
unixroot102:
alright, i guess ill leave
[22:10:05]
BlueFiredotNET:
r211066.res.Lehigh.EDU
[22:10:06]
BlueFiredotNET:
that you?
[22:10:09]
unixroot102:
ya
[22:10:26]
unixroot102:
arent going to report me, are you? lol
[22:10:29]
BlueFiredotNET:
nope
[22:10:39]
BlueFiredotNET:
though next time use ssh so that your network admin can't figure out what you're doing
[22:11:02]
unixroot102:
lol
[22:11:33]
unixroot102:
of course, this wasnt a shell i really wanted anyways
[22:11:34]
BlueFiredotNET:
hmmm
[22:11:42]
BlueFiredotNET:
can you un-snarf ps?
[22:11:45]
BlueFiredotNET:
Signal 17 caught by ps (procps version 2.0.7).
[22:12:01]
unixroot102:
i didnt change it
[22:12:04]
BlueFiredotNET:
hrm
[22:12:08]
BlueFiredotNET:
use a rootkit?
[22:12:18]
unixroot102:
nothing on this box
[22:12:24]
unixroot102:
weird, im getting the same
[22:12:27]
BlueFiredotNET:
sch_tbf
[22:12:43]
unixroot102:
hm?
[22:12:48]
BlueFiredotNET:
doh
[22:12:51]
BlueFiredotNET:
that's just my QoS stuff
[22:12:57]
unixroot102:
ah
[22:13:07]
BlueFiredotNET:
how did you gain root? (which exploit?)
[22:13:23]
unixroot102:
overflow in do_brk function in the kernel
[22:13:35]
BlueFiredotNET:
right, but did you write your own exploit?
[22:14:04]
unixroot102:
that exploit is too advanced for me
[22:14:18]
unixroot102:
too many kernel functions, im getting better though
[22:14:42]
BlueFiredotNET:
which exploit?
[22:15:02]
unixroot102:
just told ya
[22:15:14]
BlueFiredotNET:
right, I mean, which rootkit?
[22:15:26]
unixroot102:
i didnt use a rootkit
[22:15:48]
BlueFiredotNET:
(or exploit source. I'm not familiar with exploit/cracking terminology - I don't do much of it)
[22:16:16]
unixroot102:
oh, you want the source?
[22:16:31]
unixroot102:
http://www.k-otik.com/exploits/12.05.hatorihanzo.c.php
[22:16:34]
unixroot102:
theres a link
[22:16:46]
BlueFiredotNET:
yep
[22:16:57]
BlueFiredotNET:
lemme just see what the thing did to my kernel
[22:17:09]
unixroot102:
the compiled version?
[22:17:17]
unixroot102:
i think i deleted it
[22:17:21]
BlueFiredotNET:
nah
[22:17:31]
BlueFiredotNET:
reading through the source to see what side effects were caused
[22:17:46]
unixroot102:
there shouldnt be any
[22:17:53]
unixroot102:
as far as i know
[22:17:58]
BlueFiredotNET:
seems that there were though
[22:18:08]
unixroot102:
may want to use objdump on /bin/ps too
[22:18:35]
unixroot102:
and/or gdb
[22:18:38]
unixroot102:
btw, you shouldnt use suse
[22:18:40]
BlueFiredotNET:
orr just look at the goddamned modification date
[22:18:44]
unixroot102:
its full of app holes
[22:19:04]
unixroot102:
-r-xr-xr-x 1 root root 85860 Apr 6 22:18 /bin/ps
[22:19:13]
unixroot102:
wasnt modified by the exploit..
[22:19:51]
BlueFiredotNET:
care to tell me what /bin/tyme is?
[22:20:05]
unixroot102:
lol
[22:20:08]
unixroot102:
a rootshell
[22:20:15]
unixroot102:
you can delelted it if you want
[22:20:19]
unixroot102:
*deleted
[22:20:50]
unixroot102:
i just use it as a backup
[22:21:09]
BlueFiredotNET:
hang on
[22:21:17]
unixroot102:
ok
[22:21:21]
BlueFiredotNET:
gotta go shut off soldering iron
[22:21:33]
unixroot102:
ok
[22:25:28]
BlueFiredotNET:
you know this would be easier if it hadn't trojaned rpm :)
[22:25:45]
unixroot102:
i didnt trojan rpm
[22:25:49]
BlueFiredotNET:
something did
[22:25:52]
unixroot102:
i didnt trojan anything
[22:26:25]
BlueFiredotNET:
well, every minute something is modifying those binaries
[22:26:37]
unixroot102:
didnt get the last msg
[22:26:41]
BlueFiredotNET:
[22:26:25] BlueFiredotNET: well, every minute something is modifying those binaries
[22:26:54]
unixroot102:
and you know this how?
[22:26:59]
BlueFiredotNET:
ls tells me
[22:27:16]
unixroot102:
maybe someone else is in the box
[22:27:23]
unixroot102:
cause im not
[22:27:30]
unixroot102:
and i didnt trojan anything
[22:27:37]
BlueFiredotNET:
yeah, but I think one of your processes is left over
[22:28:12]
unixroot102:
ps -aux | grep brk
[22:28:17]
unixroot102:
shouldnt, but look
[22:28:20]
BlueFiredotNET:
no ps
[22:28:45]
unixroot102:
forgot
[22:29:02]
unixroot102:
use df to see if dics space is changing
[22:29:06]
unixroot102:
*disc
[22:29:14]
BlueFiredotNET:
nope
[22:29:22]
BlueFiredotNET:
hrm, well, this certainly made my day more ... "exciting" :)
[22:29:28]
unixroot102:
hmm
[22:29:32]
unixroot102:
well, im sorry
[22:29:38]
BlueFiredotNET:
s'ok
[22:29:38]
unixroot102:
if i did anything, i didnt mean to
[22:29:42]
BlueFiredotNET:
always good to keep me on my toes
[22:29:47]
unixroot102:
hehe
----- [22:30] -----
[22:52:42]
BlueFiredotNET:
whee, happy birthday me.
[22:52:50]
unixroot102:
happy birthday
[22:52:50]
unixroot102:
lol
[22:53:09]
BlueFiredotNET:
I get to stay up all night reinstalling my router box for my birthday
[22:53:31]
* unixroot102
feels bad