
Delivered-To: greg@hbgary.com
Received: by 10.147.41.13 with SMTP id t13cs17637yaj; Sun, 6 Feb 2011 12:16:00 -0800 (PST)
Received: by 10.204.84.77 with SMTP id i13mr14184801bkl.200.1297023359169; Sun, 06 Feb 2011 12:15:59 -0800 (PST)
Return-Path: <jussij@gmail.com>
Received: from mail-fx0-f54.google.com (mail-fx0-f54.google.com [209.85.161.54]) by mx.google.com with ESMTPS id l3si8894212bkb.76.2011.02.06.12.15.57 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 06 Feb 2011 12:15:58 -0800 (PST)
Received-SPF: pass (google.com: domain of jussij@gmail.com designates 209.85.161.54 as permitted sender) client-ip=209.85.161.54;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of jussij@gmail.com designates 209.85.161.54 as permitted sender) smtp.mail=jussij@gmail.com; dkim=pass (test mode) header.i=@gmail.com
Received: by fxm16 with SMTP id 16so4363251fxm.13 for <greg@hbgary.com>; Sun, 06 Feb 2011 12:15:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:content-type:mime-version:subject:from :in-reply-to:date:content-transfer-encoding:message-id:references:to :x-mailer; bh=7DCpkN004sRFi97wBLnDVVJ6B0ZlvP/ZUX/4+3mhhuo=; b=lNlUn+Ly7CqwTsTvZyK3RTB/mC9O+alQHyGpdxBodQ5yZobKd/4lLa0Hr9UJsEHX0B ICMDMpdn07mpDtv0G7l6eVOGvuRtxZRbWZHy8cyNE046RGwj5w6J2DPVR1mG/qSiXd0g d9xrC1g/OTyARvxuf6rwCxcTl3Xi7CM3/rqB4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to:x-mailer; b=BIr/jM2o+grFVjXJoTvQIk0Mn+EnoGvoDXRJxqLf3VM1nWlqcJt/6jkWxcRfCU5Zgn tnnW9DmoAd3gzMmdeokdogTQX/i5I6nPkcpug9ophXT6fEQFel4ji+/+x7XYm1Alp+U9 aNuH+WGilfReb7WIP6QlvuxGC+bQzfRRfPzDg=
Received: by 10.223.78.138 with SMTP id l10mr8732581fak.17.1297023357318; Sun, 06 Feb 2011 12:15:57 -0800 (PST)
Return-Path: <jussij@gmail.com>
Received: from [192.168.1.101] (cs145060.pp.htv.fi [213.243.145.60]) by mx.google.com with ESMTPS id n3sm926588fax.7.2011.02.06.12.15.56 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 06 Feb 2011 12:15:56 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1082)
Subject: Re: need to ssh into rootkit
From: jussi jaakonaho <jussij@gmail.com>
In-Reply-To: <AANLkTinHx0QOrdYpY+wZh5uzpOG140Co2aGi+=9SSk-e@mail.gmail.com>
Date: Sun, 6 Feb 2011 22:15:54 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <FC6C3D49-F246-4184-8AC4-C5FAECCE94C7@gmail.com>
References: <AANLkTinZPDvw497CgP37TLB8eiZ-JfOWgD3WQxDkvNco@mail.gmail.com> <98D47680-0995-4F5E-8F29-63FCEA569EC5@gmail.com> <AANLkTimTQmHwm1NS3RMpXzk5Z7mH=NS_sCbNrB-sWox2@mail.gmail.com> <F30FC869-1DBC-4489-B691-29E4BCD6EBEF@gmail.com> <AANLkTi=0tGi=BapY1gvdgJFiyFofsB8vGf7ccYVt1C43@mail.gmail.com> <547F0DBC-1995-406B-92B5-95687AF03892@gmail.com> <AANLkTi=+nU3t0O=Vv_4uZQGntiFijBVU2Pi3p35zTfYe@mail.gmail.com> <16680452-5247-438E-998A-00C078AA1969@gmail.com> <AANLkTi=DbPN+ksvZDv0cuyOnt5a10TZRSRmANUtP0edP@mail.gmail.com> <20B42332-8457-4339-93BD-EB0666B78770@gmail.com> <AANLkTinswz8QHgMvQU4K53A_bsUxgV_z-N_PjAuCg3UV@mail.gmail.com> <FB191CFE-D604-4139-814F-4017FB60B288@gmail.com> <AANLkTinHx0QOrdYpY+wZh5uzpOG140Co2aGi+=9SSk-e@mail.gmail.com>
To: Greg Hoglund <greg@hbgary.com>
X-Mailer: Apple Mail (2.1082)

did you open something running on high port?

On Feb 6, 2011, at 9:43 PM, Greg Hoglund wrote:

> ok let me know if you need me
>
> On 2/6/11, jussi jaakonaho <jussij@gmail.com> wrote:
>> tnx.
>> i am also connected to the box, seems some people have download problems -
>> have figured earlier that some chinese used chinese chars on names of files,
>> which then our filtering stripped off when putting db etc. so some db
>> editing
>>
>>
>> _jussi
>>
>> On Feb 6, 2011, at 9:36 PM, Greg Hoglund wrote:
>>
>>> ok ill make sure to get you a new license asap.
>>>
>>> On 2/6/11, jussi jaakonaho <jussij@gmail.com> wrote:
>>>> np.
>>>> btw i did not shut down the firewall so it still protects with too many
>>>> connections from same source address.
>>>>
>>>> i have also downloaded latest backups from /home/varmi to my homebox,
>>>> just
>>>> in case.
>>>>
>>>> oh, also seem my license is expiring for responder again. o:-) was
>>>> thinking
>>>> to put it into box with more memory.
>>>>
>>>> _jussi
>>>>
>>>> On Feb 6, 2011, at 9:26 PM, Greg Hoglund wrote:
>>>>
>>>>> yup im logged in thanks ill email you in a few, im backed up
>>>>>
>>>>> thanks
>>>>>
>>>>> On 2/6/11, jussi jaakonaho <jussij@gmail.com> wrote:
>>>>>> nope. your account is named as hoglund
>>>>>>
>>>>>>
>>>>>> On Feb 6, 2011, at 9:23 PM, Greg Hoglund wrote:
>>>>>>
>>>>>>> yes jussi thanks
>>>>>>>
>>>>>>> did you reset the user greg or?
>>>>>>>
>>>>>>> On 2/6/11, jussi jaakonaho <jussij@gmail.com> wrote:
>>>>>>>> does it work now?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Feb 6, 2011, at 9:17 PM, Greg Hoglund wrote:
>>>>>>>>
>>>>>>>>> if i can squeeze out time maybe we can catch up.. ill be in germany
>>>>>>>>> for a little bit.
>>>>>>>>>
>>>>>>>>> anyway I can't ssh into rootkit. you sure the ips still
>>>>>>>>> 65.74.181.141?
>>>>>>>>>
>>>>>>>>> thanks
>>>>>>>>>
>>>>>>>>> On 2/6/11, jussi jaakonaho <jussij@gmail.com> wrote:
>>>>>>>>>> ok,
>>>>>>>>>> it should now accept from anywhere to 47152 as ssh. i am doing
>>>>>>>>>> testing
>>>>>>>>>> so
>>>>>>>>>> that it works for sure.
>>>>>>>>>> your password is changeme123
>>>>>>>>>>
>>>>>>>>>> i am online so just shoot me if you need something.
>>>>>>>>>>
>>>>>>>>>> in europe, but not in finland? :-)
>>>>>>>>>>
>>>>>>>>>> _jussi
>>>>>>>>>>
>>>>>>>>>> On Feb 6, 2011, at 9:08 PM, Greg Hoglund wrote:
>>>>>>>>>>
>>>>>>>>>>> no i dont have the public ip with me at the moment because im
>>>>>>>>>>> ready
>>>>>>>>>>> for a small meeting and im in a rush.
>>>>>>>>>>>
>>>>>>>>>>> if anything just reset my password to changeme123 and give me
>>>>>>>>>>> public
>>>>>>>>>>> ip and ill ssh in and reset my pw.
>>>>>>>>>>>
>>>>>>>>>>> thanks
>>>>>>>>>>>
>>>>>>>>>>> On 2/6/11, jussi jaakonaho <jussij@gmail.com> wrote:
>>>>>>>>>>>> hi,
>>>>>>>>>>>>
>>>>>>>>>>>> do you have public ip? or should i just drop fw?
>>>>>>>>>>>> and it is w0cky - tho no remote root access allowed
>>>>>>>>>>>>
>>>>>>>>>>>> On Feb 6, 2011, at 8:59 PM, Greg Hoglund wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> _jussi
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> jussi
>>>>
>>>>
>>
>>