Posted by: Dan O'Connor
Next it seems like they count all of the lines in 'ip.conf' that contain a period '.' and store the count in '$oopsnr2', but then they do not use it again.
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto "
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[+] Incepem sa vedem cate server putem sparge"
They even make a reference to it in the script's status messages, which translate to: "Only $oopsnr2 servers. There is a beginning for all."
Now ‘atack’ is launched.
rm -rf $1.find.22 ip.conf
I am not entirely sure of the significance of the '100' after the command; it will take some further analysis of 'atack' to figure that part out.
But since we have the file in my sandbox, I can at least poke at it. It also looks like we are going to have to recreate the 'ip.conf' file if we are going to get this to work. I created one with just 127.0.0.1, so we can watch the logs on the local system and see what happens.
Launching './atack 100' will just return the following:
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
Then it continues to operate in the background, trying to log in.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Failed password for root from 127.0.0.1 port 42106 ssh2
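The two log lines above are exactly what a defender has to work with when a tool like this is pointed at a host, so here is an added example (not part of the original post, and not code from the 'atack' author) that turns them into a detection: it parses sshd "Failed password" entries out of auth.log-style text, groups them by source address, and raises an alert when one address produces a threshold number of failures inside a sliding time window. The sample log lines are constructed for the example, with a syslog timestamp and host prefix added in front of the form quoted above; the year, the threshold of five attempts and the sixty-second window are my own assumptions and should be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of auth.log lines in the shape quoted above (timestamp and
# host prefix added). The pam_unix line and the "Failed password" line describe
# the same attempt; only the latter is counted so attempts are not doubled.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 victim sshd[4121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Mar  3 10:15:01 victim sshd[4121]: Failed password for root from 127.0.0.1 port 42106 ssh2
Mar  3 10:15:03 victim sshd[4123]: Failed password for root from 127.0.0.1 port 42108 ssh2
Mar  3 10:15:04 victim sshd[4125]: Failed password for invalid user admin from 127.0.0.1 port 42110 ssh2
Mar  3 10:15:06 victim sshd[4127]: Failed password for root from 127.0.0.1 port 42112 ssh2
Mar  3 10:15:07 victim sshd[4129]: Failed password for root from 127.0.0.1 port 42114 ssh2
Mar  3 10:15:09 victim sshd[4131]: Failed password for root from 127.0.0.1 port 42116 ssh2
Mar  3 10:20:00 victim sshd[4140]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar  3 11:00:00 victim sshd[4150]: Failed password for bob from 192.0.2.20 port 51002 ssh2
"""

# Matches the sshd failure line; "invalid user " appears when the account does
# not exist, so it is optional and the user name is captured either way.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+ ssh2$"
)


def failed_logins(log_text, year=2005):
    """Return a list of (timestamp, source_host, user) for every failed password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["host"], m["user"]))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2005):
    """Flag source hosts that reach `threshold` failed passwords within any `window`.

    Returns {host: {"attempts": total failures seen, "users": sorted user names tried,
    "first": first failure, "last": last failure}} for each flagged host."""
    by_host = defaultdict(list)
    for ts, host, user in sorted(failed_logins(log_text, year)):
        by_host[host].append((ts, user))

    alerts = {}
    for host, attempts in by_host.items():
        recent = deque()  # failures from this host inside the current window
        for ts, user in attempts:
            recent.append((ts, user))
            # Slide the window forward: drop failures older than `window`.
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts[host] = {
                    "attempts": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                    "first": attempts[0][0],
                    "last": attempts[-1][0],
                }
                break  # one alert per host is enough for this example
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"[!] {host}: {info['attempts']} failed logins for {info['users']} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

Run against the sample, the only flagged source is 127.0.0.1, which is the loopback test described above: six failures in eight seconds against root and a non-existent admin account, while the single failure from 192.0.2.20 and the successful key login stay below the threshold. On a real host the same logic is what fail2ban or a SIEM rule applies to /var/log/auth.log, and the list of user names tried per source is usually the quickest way to tell a wordlist-driven tool like 'atack' from a user who mistyped a password.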
There is a lot going on inside 'atack'; part 4 will deal with it.