Dear System Owner,

We have identified that your machine was compromised by intruders at 7:56:01 from source IP address 207.35.251.172 through the wu-ftp 2.6 SITE EXEC vulnerability. We collected the evidence by reviewing the snort log files you provided to us, processing them with the following commands:

    snort -dCvr newdat3.log -c snort.conf > scan19out.txt
    snort -dCvr slog2.log > slog2_out.txt

The evidence of the compromise was collected and can be found in the ftp exploit file. Right after this captured packet, the intruder started executing commands on the machine via port 21.

The intruder used several IP addresses (207.35.251.172, 217.156.93.166) to connect to your server. 217.156.93.166 was used to send commands over telnet to the victim machines. That session runs from 9/17 8:33:13 to 9:11:25.

The intruder downloaded three files, Zer0.tar.gz, copy.tar.gz and ooty.tar.gz, to your machine from the ftp server at 193.231.236.42. The intruder used the account teleport with password gunoierul, both of which were recovered from the captured ftp session. These can be seen clearly in the snort log file from 09/17-08:41:44 to 8:43:00. However, all these downloaded files have already been removed from your server; they can only be recovered from the snort capture. The attached files are the files recovered from the snort output.

After the rootkit script Go executed at 8:47:17, all further commands were encrypted via ssh over port 24. These can be found in ex_217_156_93_166.txt.

He/She also sent the password file from your machine to 64.4.49.71 via the mail service on port 25 on 9/17, 8:47:47 - 8:47:48 (evidence can be found in ex_64_4_49_71_1.txt).

HP e-Security Center, Ricci Ieong and Vincent Ip
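The recovery described above (pulling the SITE EXEC request, the ftp account and the file retrievals out of the snort -dC dump) can be scripted rather than read by eye. The following is an added example, not part of the original report or of snort; it parses a constructed dump in the layout snort -dCvr prints, with the victim address 172.16.1.108 and the ftp client port assumed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of `snort -dCvr` output: header line, TCP/IP
# detail line, ASCII payload, then a `=+=+...` separator (shortened here). Times,
# hosts and file names echo the report; 172.16.1.108 is an assumed victim address.
SAMPLE_LOG = """\
09/17-08:33:13.000001 207.35.251.172:2100 -> 172.16.1.108:21
TCP TTL:48 TOS:0x0 ID:2 IpLen:20 DgmLen:80 DF
SITE EXEC [payload omitted]
=+=+=+=+=
09/17-08:41:44.000001 172.16.1.108:1035 -> 193.231.236.42:21
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
USER teleport
=+=+=+=+=
09/17-08:42:10.000001 172.16.1.108:1035 -> 193.231.236.42:21
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:65 DF
RETR Zer0.tar.gz
=+=+=+=+=
"""

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ (\S+):(\d+) -> (\S+):(\d+)$")
Packet = namedtuple("Packet", "time src dst dport payload")

def parse_snort_ascii(text):
    """Split a `snort -dC` dump into packets; keeps only those carrying a payload."""
    packets = []
    for chunk in re.split(r"^=\+=.*$", text, flags=re.M):
        lines = chunk.strip().splitlines()
        if not lines or not (m := HEADER.match(lines[0])):
            continue
        payload = "\n".join(lines[2:]).strip()  # line 2 is the TCP/IP detail line
        if payload:
            packets.append(Packet(m[1], m[2], m[4], int(m[5]), payload))
    return packets

def ftp_timeline(packets):
    """Collect the FTP control-channel events the report relies on: SITE EXEC
    requests to port 21, account logins (USER) and file retrievals (RETR)."""
    events = {"site_exec": [], "logins": [], "retrievals": []}
    for p in (q for q in packets if q.dport == 21):
        verb, _, arg = p.payload.partition(" ")
        if verb.upper() == "SITE" and arg.upper().startswith("EXEC"):
            events["site_exec"].append((p.time, p.src, p.dst))
        elif verb.upper() == "USER":
            events["logins"].append((p.time, p.dst, arg))
        elif verb.upper() == "RETR":
            events["retrievals"].append((p.time, p.dst, arg))
    return events
```

Running `ftp_timeline(parse_snort_ascii(open("scan19out.txt").read()))` on the real dump would yield the same three event lists for the whole capture; PASS lines are deliberately not recorded so credentials do not end up in the analyst's notes.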