7:55 PM
207.35.251.172 connects to the honeypot's FTP server (wu-ftpd 2.6.0) and has a root shell in 7 seconds. I think it is safe to assume he did this with the zxploit script included in the copy.tar.gz archive he uploaded later on. For the gritty details of this session, refer to the actual session transcript. In short, he pokes around the system for 17 minutes. [FTP session]
8:12 PM
207.35.251.172 finishes looking around and deletes the password for the 'nobody' user. He then does *nothing* until 8:22.
8:22 PM
207.35.251.172 starts a script that creates /etc/X11/applnk/Internet/.etc and /etc/X11/applnk/Internet/.etcpasswd. It then touches these two files with /etc/passwd and /etc. It then removes nobody's password (again), creates a root user (dns) and removes dns's password. It then touches /etc/passwd and /etc with the files it made before. I'm pretty sure it's a script because it all happened in 3 seconds.
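The script above leaves two traces a defender can check for: accounts whose password field has been emptied or which carry a second UID 0, and files whose modification time was copied back from a reference file. The following Python is an added example, not part of the original write-up or of any tool on the honeypot. The passwd content is constructed to mirror the state the timeline describes, and the timestamp rule assumes the script used touch with a reference file (touch -r), which copies atime/mtime but cannot change the kernel-maintained ctime.

```python
import os
from typing import List, Optional, Tuple

# Constructed sample /etc/passwd, modelled on the state the timeline describes:
# 'nobody' with its password field emptied and a new UID 0 account 'dns' with no
# password. Not taken from the honeypot itself.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody::99:99:Nobody:/:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
dns::0:0::/:/bin/bash
"""


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for passwd entries a defender should look at."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"malformed entry on line {lineno}"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            # An empty second field means no password is required at all.
            findings.append((user, "empty password field"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


def timestamp_anomaly(path: str, mtime: float, ctime: float,
                      max_gap: float = 60.0) -> Optional[Tuple[str, str]]:
    """Flag a file whose ctime is well after its mtime.

    touch -r (assumed here to be what the script used) copies atime/mtime from a
    reference file, but the kernel sets ctime to the current time on every such
    change, so a reset mtime shows up as a ctime far ahead of it.
    """
    gap = ctime - mtime
    if gap > max_gap:
        return (path, f"ctime is {gap:.0f}s after mtime; timestamps may have been reset")
    return None


def stat_anomaly(path: str, max_gap: float = 60.0) -> Optional[Tuple[str, str]]:
    """Apply timestamp_anomaly to a real file on disk."""
    st = os.stat(path)
    return timestamp_anomaly(path, st.st_mtime, st.st_ctime, max_gap)


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
    for p in ("/etc/passwd", "/etc"):
        if os.path.exists(p):
            result = stat_anomaly(p)
            if result:
                print(result)
```

A ctime gap is evidence, not proof: chmod, chown and rename also update ctime without touching mtime, so the finding needs to be read alongside the syslog and packet captures, as is done in the timeline.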
8:22 PM
207.35.251.172's script finishes running and he pokes around for a little while.
8:26 PM
207.35.251.172 executes his last command (cat /etc/passwd) but doesn't log off. The connection times out exactly 30 minutes later.
8:32 PM
217.156.93.166 telnets into the honeypot as nobody and immediately su's to dns. For the exact commands of this session, check the transcript. [Telnet session]
8:33 PM
217.156.93.166 creates /dev/rd/sdc0 and has the honeypot connect via FTP to teleport.go.ro (login teleport/gunoierel) to download copy.tar.gz, ooty.tar.gz and Zer0.tar.gz, three rootkits.
8:43 PM
217.156.93.166 runs Go, the program that installs the Zer0 rootkit and all the tgz files that came with it. Among other things, it installs adore and a hacked sshd listening on port 24, and cleans some logs.
8:44 PM
207.35.251.172 conducts a two-minute, randomized portscan of the honeypot from port 1 to 4922, skipping a few. I'm not sure which tool he used. [Portscan log]
8:45 PM
207.35.251.172 tries to connect to the hacked sshd on port 24 but is unable to connect. This connection attempt was part of the portscan.
8:51 PM
217.156.93.166 connects to port 24 with PuTTY (a Win32-based SSH client). [SSH packets]
8:54 PM
217.156.93.166 exits his root shell from the telnet session and then disconnects.
8:55 PM
217.156.93.166 starts using his SSH connection. He removes the Zer0 tar and changes the password for nobody (I don't know what it is because SSH encrypted it). [View syslog]
9:00 PM
Syslog notes that a login session was started for user uucp; it ends 26 seconds later. This was probably done from inside the SSH session, because none of the logged packets contain 'uucp' except for the catted passwd file.
9:01 PM
The intruder pings www.yahoo.com, then starts editing /etc/rc.d/rc3.d/inet. This is the file that starts his rootkit from before (it hides the directories he wants hidden and starts the hacked sshd).
9:02 PM
He then extracts his copy.tar.gz rootkit to /usr/X11R6/bin/.,/copy/ and chmods all the files to 7777.
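The rootkit directory described here has two properties that stand out on disk even when logs have been cleaned: an oddly named hidden directory (".,") outside any home directory, and files with setuid/setgid bits plus world-writable permissions (mode 7777). The following Python is an added example, not part of the original write-up or of any tool on the honeypot; the directory entries are constructed to mirror the timeline (the ".," tree under /usr/X11R6/bin and the ".etc" decoy under /etc/X11/applnk/Internet), and the home-directory prefixes and the "unusual character" rule are heuristics chosen for this example.

```python
import os
import re
import stat
from typing import List, Tuple

# Constructed directory entries (path, st_mode, is_dir) modelled on the timeline.
# Not captured from the honeypot.
SAMPLE_ENTRIES = [
    ("/usr/X11R6/bin/xterm", stat.S_IFREG | 0o755, False),
    ("/usr/X11R6/bin/.,", stat.S_IFDIR | 0o755, True),
    ("/usr/X11R6/bin/.,/copy", stat.S_IFDIR | 0o7777, True),
    ("/usr/X11R6/bin/.,/copy/zxploit", stat.S_IFREG | 0o7777, False),
    ("/etc/X11/applnk/Internet/.etc", stat.S_IFREG | 0o644, False),
    ("/home/alice/.bashrc", stat.S_IFREG | 0o644, False),
]

# Heuristic: characters one does not expect in a legitimate dotfile name.
UNUSUAL = re.compile(r"[^A-Za-z0-9._-]")
# Heuristic: dotfiles are normal under these prefixes, suspicious elsewhere.
HOME_PREFIXES = ("/home/", "/root/")


def flag_entries(entries: List[Tuple[str, int, bool]]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries matching the rootkit's on-disk traits."""
    findings = []
    for path, mode, _is_dir in entries:
        name = os.path.basename(path)
        perm = stat.S_IMODE(mode)
        # setuid or setgid combined with world-writable: anyone can replace the
        # contents of a privileged binary.
        if perm & (stat.S_ISUID | stat.S_ISGID) and perm & stat.S_IWOTH:
            findings.append((path, f"setuid/setgid and world-writable (mode {perm:04o})"))
        if name.startswith(".") and not path.startswith(HOME_PREFIXES):
            if UNUSUAL.search(name):
                findings.append((path, "hidden name with unusual characters"))
            else:
                findings.append((path, "hidden entry outside a home directory"))
    return findings


def scan_tree(root: str) -> List[Tuple[str, int, bool]]:
    """Collect (path, st_mode, is_dir) for everything under root, without following symlinks."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            entries.append((full, st.st_mode, stat.S_ISDIR(st.st_mode)))
    return entries


if __name__ == "__main__":
    for path, reason in flag_entries(SAMPLE_ENTRIES):
        print(f"{path}: {reason}")
```

Because the Zer0 install put adore on the box, a scan run on the live honeypot would not see the hidden directories at all; scan_tree is only trustworthy when run against the disk image from a clean system, which is how the timeline's own evidence was gathered.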
9:07 PM
217.156.93.166 stops logging to syslog after running uname -r, then pstree.
9:07 PM
The last SSH packets with any data in them flow to the honeypot (whew!).
9:11 PM
The SSH connection is broken and the cracker is gone for the rest of the log.
THINGS TO NOTE: