Scan 28
Submission by Leon Ward (nard)



Diagram of attack: 3

Initial SSH Backdoor connection

No. Time Source Destination Protocol Info

112519 58866.345919 62.101.108.86 192.168.100.28 TCP 52124 > 5001 [SYN] Seq=812392891 Ack=0 Win=5840 Len=0
112520 58866.345919 192.168.100.28 62.101.108.86 TCP 5001 > 52124 [SYN, ACK] Seq=6639242 Ack=812392892 Win=24616 Len=0
112521 58866.535906 62.101.108.86 192.168.100.28 TCP 52124 > 5001 [ACK] Seq=812392892 Ack=6639243 Win=5840 Len=0

Syslog shows the box was rebooted to enable IPv6 (the reboot by root is followed by rpcbind attempting to join an IPv6 multicast group)

Message: Dec 1 17:11:10 reboot: [ID 662345 auth.crit] rebooted by root
Message: Dec 1 17:11:16 genunix: [ID 672855 kern.notice] syncing file systems...
Message: Dec 1 17:11:16 genunix: [ID 904073 kern.notice] done
Message: Dec 1 17:11:55 genunix: [ID 540533 kern.notice] \rSunOS Release 5.8 Version Generic_108528-09 64-bit
Message: Dec 1 17:11:55 genunix: [ID 913631 kern.notice] Copyright 1983-2001 Sun Microsystems, Inc. All rights reserved.
Message: Dec 1 17:11:55 genunix: [ID 678236 kern.info] Ethernet address = 8:0:20:d1:76:19
Message: Dec 1 17:11:55 unix: [ID 389951 kern.info] mem = 131072K (0x8000000)
Message: Dec 1 17:11:55 unix: [ID 930857 kern.info] avail mem = 122232832
Message: Dec 1 17:11:55 rootnex: [ID 466748 kern.info] root nexus = Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 360MHz)
Message: Dec 1 17:11:55 rootnex: [ID 349649 kern.info] pcipsy0 at root: UPA 0x1f 0x0
Message: Dec 1 17:11:55 genunix: [ID 936769 kern.info] pcipsy0 is /pci@1f,0
Message: Dec 1 17:11:55 pcipsy: [ID 370704 kern.info] PCI-device: pci@1,1, simba0
Message: Dec 1 17:11:55 genunix: [ID 936769 kern.info] simba0 is /pci@1f,0/pci@1,1
Message: Dec 1 17:11:55 pcipsy: [ID 370704 kern.info] PCI-device: pci@1, simba1
Message: Dec 1 17:11:55 genunix: [ID 936769 kern.info] simba1 is /pci@1f,0/pci@1
Message: Dec 1 17:12:11 simba: [ID 370704 kern.info] PCI-device: ide@3, uata0
Message: Dec 1 17:12:11 genunix: [ID 936769 kern.info] uata0 is /pci@1f,0/pci@1,1/ide@3
Message: Dec 1 17:12:11 uata: [ID 114370 kern.info] dad0 at pci1095,6460
Message: Dec 1 17:12:11 uata: [ID 347839 kern.info] target 0 lun 0
Message: Dec 1 17:12:11 genunix: [ID 936769 kern.info] dad0 is /pci@1f,0/pci@1,1/ide@3/dad@0,0
Message: Dec 1 17:12:12 dada: [ID 365881 kern.info] \t<ST38410A cyl 16706 alt 2 hd 16 sec 63>
Message: Dec 1 17:12:12 swapgeneric: [ID 308332 kern.info] root on /pci@1f,0/pci@1,1/ide@3/disk@0,0:a fstype ufs
Message: Dec 1 17:12:12 simba: [ID 370704 kern.info] PCI-device: ebus@1, ebus0
Message: Dec 1 17:12:12 ebus: [ID 521012 kern.info] power0 at ebus0: offset 14,724000
Message: Dec 1 17:12:12 genunix: [ID 936769 kern.info] power0 is /pci@1f,0/pci@1,1/ebus@1/power@14,724000
Message: Dec 1 17:12:13 ebus: [ID 521012 kern.info] su0 at ebus0: offset 14,3083f8
Message: Dec 1 17:12:13 genunix: [ID 936769 kern.info] su0 is /pci@1f,0/pci@1,1/ebus@1/su@14,3083f8
Message: Dec 1 17:12:13 ebus: [ID 521012 kern.info] su1 at ebus0: offset 14,3062f8
Message: Dec 1 17:12:13 genunix: [ID 936769 kern.info] su1 is /pci@1f,0/pci@1,1/ebus@1/su@14,3062f8
Message: Dec 1 17:12:13 ebus: [ID 521012 kern.info] se0 at ebus0: offset 14,400000
Message: Dec 1 17:12:13 genunix: [ID 936769 kern.info] se0 is /pci@1f,0/pci@1,1/ebus@1/se@14,400000
Message: Dec 1 17:12:13 unix: [ID 987524 kern.info] cpu0: SUNW,UltraSPARC-IIi (upaid 0 impl 0x12 ver 0x91 clock 360 MHz)
Message: Dec 1 17:12:16 hme: [ID 517527 kern.info] SUNW,hme0 : PCI IO 2.0 (Rev Id = c1) Found
Message: Dec 1 17:12:16 simba: [ID 370704 kern.info] PCI-device: network@1,1, hme0
Message: Dec 1 17:12:16 genunix: [ID 936769 kern.info] hme0 is /pci@1f,0/pci@1,1/network@1,1
Message: Dec 1 17:12:18 genunix: [ID 454863 kern.info] dump on /dev/dsk/c0t0d0s1 size 512 MB
Message: Dec 1 17:12:19 hme: [ID 517527 kern.info] SUNW,hme0 : Internal Transceiver Selected.
Message: Dec 1 17:12:19 hme: [ID 517527 kern.info] SUNW,hme0 : Auto-Negotiated 10 Mbps Half-Duplex Link Up
Message: Dec 1 17:12:28 rpcbind: [ID 489175 daemon.error] Unable to join IPv6 multicast group for rpc broadcast FF02::202
Message: Dec 1 17:12:28 named[169]: [ID 295310 daemon.notice] starting. in.named BIND 8.2.2-P5 Wed May 9 21:08:34 PDT 2001
Message: Dec 1 17:12:28 \tGeneric 109326-04-5.8-February 2000
Message: Dec 1 17:12:29 named[189]: [ID 295310 daemon.notice] Ready to answer queries.
Message: Dec 1 17:12:29 named[189]: [ID 295310 daemon.warning] check_hints: A records for J.ROOT-SERVERS.NET class 1 do not match hint records
Message: Dec 1 17:12:31 pseudo: [ID 129642 kern.info] pseudo-device: tod0
Message: Dec 1 17:12:31 genunix: [ID 936769 kern.info] tod0 is /pseudo/tod@0
Message: Dec 1 17:12:32 pseudo: [ID 129642 kern.info] pseudo-device: pm0
Message: Dec 1 17:12:32 genunix: [ID 936769 kern.info] pm0 is /pseudo/pm@0
Message: Dec 1 17:12:33 sendmail[239]: [ID 702911 mail.crit] My unqualified host name (zoberius) unknown; sleeping for retry
Message: Dec 1 17:12:33 pseudo: [ID 129642 kern.info] pseudo-device: vol0
Message: Dec 1 17:12:33 genunix: [ID 936769 kern.info] vol0 is /pseudo/vol@0
Message: Dec 1 17:12:34 scsi: [ID 365881 kern.info] /pci@1f,0/pci@1/scsi@1 (glm0):
Message: Dec 1 17:12:34 \tRev. 5 Symbios 53c875 found.
Message: Dec 1 17:12:34 simba: [ID 370704 kern.info] PCI-device: scsi@1, glm0
Message: Dec 1 17:12:34 genunix: [ID 936769 kern.info] glm0 is /pci@1f,0/pci@1/scsi@1
Message: Dec 1 17:12:34 scsi: [ID 365881 kern.info] /pci@1f,0/pci@1/scsi@1,1 (glm1):
Message: Dec 1 17:12:34 \tRev. 5 Symbios 53c875 found.
Message: Dec 1 17:12:34 simba: [ID 370704 kern.info] PCI-device: scsi@1,1, glm1
Message: Dec 1 17:12:34 genunix: [ID 936769 kern.info] glm1 is /pci@1f,0/pci@1/scsi@1,1
Message: Dec 1 17:12:34 scsi: [ID 193665 kern.info] sd30 at uata0: target 2 lun 0
Message: Dec 1 17:12:34 genunix: [ID 936769 kern.info] sd30 is /pci@1f,0/pci@1,1/ide@3/sd@2,0
Message: Dec 1 17:12:40 ebus: [ID 521012 kern.info] fd0 at ebus0: offset 14,3023f0
Message: Dec 1 17:12:40 genunix: [ID 936769 kern.info] fd0 is /pci@1f,0/pci@1,1/ebus@1/fdthree@14,3023f0
Message: Dec 1 17:13:33 sendmail[239]: [ID 702911 mail.alert] unable to qualify my own domain name (zoberius) -- using short name
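As an added example that is not part of Leon Ward's submission, the Python below turns the two observations on this slide into detection logic run over constructed copies of the slide's own packet rows and syslog lines: it tracks the SYN, SYN/ACK, ACK exchange into the victim and flags a completed handshake on a port outside an assumed allow-list of expected services (the set {22, 53} is a placeholder), and it reports a root-initiated reboot that is followed within a few minutes by the first IPv6-related message.

```python
import re

# Constructed sample input: handshake rows and syslog lines copied from the slide.
PACKETS = [
    "112519 58866.345919 62.101.108.86 192.168.100.28 TCP 52124 > 5001 [SYN] Seq=812392891 Ack=0 Win=5840 Len=0",
    "112520 58866.345919 192.168.100.28 62.101.108.86 TCP 5001 > 52124 [SYN, ACK] Seq=6639242 Ack=812392892 Win=24616 Len=0",
    "112521 58866.535906 62.101.108.86 192.168.100.28 TCP 52124 > 5001 [ACK] Seq=812392892 Ack=6639243 Win=5840 Len=0",
]
SYSLOG = [
    "Dec 1 17:11:10 reboot: [ID 662345 auth.crit] rebooted by root",
    "Dec 1 17:12:28 rpcbind: [ID 489175 daemon.error] Unable to join IPv6 multicast group for rpc broadcast FF02::202",
    "Dec 1 17:12:29 named[189]: [ID 295310 daemon.notice] Ready to answer queries.",
]
PKT_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)\s+>\s+(\d+)\s+\[([^\]]+)\]")
LOG_RE = re.compile(r"^\w{3}\s+\d+\s+(\d+):(\d+):(\d+)\s+\S+?(?:\[\d+\])?:\s+\[ID \d+ ([\w.]+)\]\s+(.*)$")

def completed_handshakes(rows, victim, expected_ports):
    # Track SYN -> SYN/ACK -> ACK per (client, client_port, server_port) and report
    # each completed handshake into `victim` on a port outside `expected_ports`.
    state, found = {}, []
    for row in rows:
        m = PKT_RE.match(row)
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        flagset = {f.strip() for f in flags.split(",")}
        if dst == victim and flagset == {"SYN"}:
            state[(src, sport, dport)] = "syn"
        elif src == victim and flagset == {"SYN", "ACK"} and state.get((dst, dport, sport)) == "syn":
            state[(dst, dport, sport)] = "synack"
        elif dst == victim and flagset == {"ACK"} and state.get((src, sport, dport)) == "synack":
            state[(src, sport, dport)] = "done"
            if int(dport) not in expected_ports:
                found.append((src, int(sport), int(dport)))
    return found

def reboot_then_ipv6(lines, window=300):
    # Return (who, seconds) when an auth.crit reboot is followed within `window` seconds by an IPv6 message.
    reboot_at = who = None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        h, mi, s, sev, text = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + int(s)
        if sev == "auth.crit" and text.startswith("rebooted by"):
            reboot_at, who = now, text.split()[-1]
        elif reboot_at is not None and "IPv6" in text and 0 <= now - reboot_at <= window:
            return who, now - reboot_at
    return None
```

Run against the slide's lines, `completed_handshakes` returns the 62.101.108.86 -> 5001 session and `reboot_then_ipv6` reports the root reboot followed 78 seconds later by the rpcbind IPv6 message.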