Event Sequencer

Date & Time Source Event & Note
Aug 10, 2003 13:23:17 log HTTP request for /sumthin
Aug 10, 2003 13:33:19 //dev/ttyof [A-Time]/bin/ls config file
Aug 10, 2003 13:33:19 //usr/lib/libsss [A-Time]blank file
Aug 10, 2003 13:33:19 //dev/ttyop [A-Time]config file for /usr/bin/top
Aug 10, 2003 13:33:19 //usr/bin/sl2 [A-Time]Port scanner
Aug 10, 2003 13:33:19 //usr/bin/sense [A-Time]sniffer sorter script
Aug 10, 2003 13:33:19 //bin/ls [A-Time]Trojan file
Aug 10, 2003 13:33:33 //bin/pico [A-Time]A pico editor
Aug 10, 2003 13:33:33 //usr/include/icepid.h [A-Time]PID file for SSH server
Aug 10, 2003 13:33:33 //usr/bin/crontabs [C-Time]Calls smbd -D
Aug 10, 2003 13:33:33 //usr/include/iceconf.h [C-Time]Config file for /usr/include SSH server
Aug 10, 2003 13:33:33 //usr/include/icepid.h [C-Time]PID file for SSH server
Aug 10, 2003 13:33:33 //usr/bin/sl2 [C-Time]Port scanner
Aug 10, 2003 13:33:33 //usr/bin/smbd -D [C-Time]SSH server that was running with password logger
Aug 10, 2003 13:33:33 //etc/rc.d/init.d/functions [C-Time]Startup script that executes crontabs
Aug 10, 2003 13:33:33 //usr/include/icepid.h [M-Time]PID file for SSH server
Aug 10, 2003 13:33:33 //etc/rc.d/init.d/functions [M-Time]Startup script that executes crontabs
Aug 10, 2003 13:33:35 //usr/bin/(swapd) [A-Time]Network Sniffer - writes to libice.log
Aug 10, 2003 13:33:35 //usr/lib/libsss [C-Time]blank file
Aug 10, 2003 13:33:35 //usr/bin/(swapd) [C-Time]Network Sniffer - writes to libice.log
Aug 10, 2003 13:33:35 //usr/bin/(swapd) [M-Time]Network Sniffer - writes to libice.log
Aug 10, 2003 13:33:36 //usr/lib/libice.log [A-Time]network log file
Aug 10, 2003 13:33:52 //dev/ttyoa [A-Time]Config file for /bin/netstat
Aug 10, 2003 13:33:52 //bin/netstat [A-Time]Trojan file
Aug 10, 2003 13:33:57 //dev/ttyof [C-Time]/bin/ls config file
Aug 10, 2003 13:33:57 //bin/pico [C-Time]A pico editor
Aug 10, 2003 13:33:57 //dev/ttyoa [C-Time]Config file for /bin/netstat
Aug 10, 2003 13:33:57 //dev/ttyop [C-Time]config file for /usr/bin/top
Aug 10, 2003 13:33:57 //usr/bin/sense [C-Time]sniffer sorter script
Aug 10, 2003 13:33:57 //bin/netstat [C-Time]Trojan file
Aug 10, 2003 13:33:57 //bin/ls [C-Time]Trojan file
Aug 10, 2003 13:33:57 log syslog starting and stopping (boot.log)
Aug 10, 2003 14:14:01 log mail sent to jijeljijel@yahoo.com (mallog)
Aug 10, 2003 14:14:41 log ssh connections from extreme-service-10.is.pcnet.ro to smbd -D that failed.
Aug 10, 2003 15:30:21 //usr/lib/sp0 [A-Time]SSH server
Aug 10, 2003 15:30:30 log Ehternet device went into promiscuous mode.
Aug 10, 2003 15:30:52 //usr/lib/adore.o [A-Time]Adore Rootkit module
Aug 10, 2003 15:30:52 //usr/lib/adore.o [M-Time]Adore Rootkit module
Aug 10, 2003 15:30:54 //usr/lib/cleaner.o [A-Time]Adore rootkit file
Aug 10, 2003 15:30:54 //usr/lib/cleaner.o [C-Time]Adore rootkit file
Aug 10, 2003 15:30:54 //usr/lib/adore.o [C-Time]Adore Rootkit module
Aug 10, 2003 15:30:54 //usr/lib/sp0 [C-Time]SSH server
Aug 10, 2003 15:30:54 //etc/rc.d/rc.sysinit [C-Time]Startup script where kflushd was added
Aug 10, 2003 15:30:54 //usr/lib/cleaner.o [M-Time]Adore rootkit file
Aug 10, 2003 15:30:54 //etc/rc.d/rc.sysinit [M-Time]Startup script where kflushd was added
Aug 10, 2003 15:31:51 //lib/.x/.boot [A-Time]boot script for rootkit
Aug 10, 2003 15:31:51 //lib/.x/hide [A-Time]script to hide processes with suckit
Aug 10, 2003 15:31:51 //lib/.x/log [A-Time]SucKIT Client
Aug 10, 2003 15:32:15 //lib/.x/inst [C-Time]Installs suckit
Aug 10, 2003 15:32:15 //lib/.x/cl [C-Time]log cleaner
Aug 10, 2003 15:32:15 //lib/.x/hide [C-Time]script to hide processes with suckit
Aug 10, 2003 15:32:15 //lib/.x/s/lsn [C-Time]sniffer process
Aug 10, 2003 15:32:15 //lib/.x/log [C-Time]SucKIT Client
Aug 10, 2003 15:32:16 //lib/.x/inst [A-Time]Installs suckit
Aug 10, 2003 15:32:16 //lib/.x/s/mfs [A-Time]lsn logs
Aug 10, 2003 15:32:16 //lib/.x/s/lsn [A-Time]sniffer process
Aug 10, 2003 15:32:16 //lib/.x/s/xopen [A-Time]SSHD that was running on port 3128.
Aug 10, 2003 15:32:16 //lib/.x/s/xopen [C-Time]SSHD that was running on port 3128.
Aug 10, 2003 15:32:16 //lib/.x/sk [C-Time]SucKIT
Aug 10, 2003 15:32:16 //lib/.x/sk [M-Time]SucKIT
Aug 10, 2003 15:32:17 //lib/.x/sk [A-Time]SucKIT
Aug 10, 2003 15:32:17 //lib/.x/.boot [C-Time]boot script for rootkit
Aug 10, 2003 15:32:17 //lib/.x/hide.log [C-Time]log for 'hide' program
Aug 10, 2003 15:32:17 //lib/.x/install.log [C-Time]SucKIT logs
Aug 10, 2003 15:32:17 //lib/.x/install.log [M-Time]SucKIT logs
Aug 10, 2003 15:32:33 //lib/.x/install.log [A-Time]SucKIT logs
Aug 10, 2003 15:32:34 //lib/.x/cl [A-Time]log cleaner
Aug 10, 2003 15:42:31 log mail sent to newptraceuser@yahoo.com (maillog)
Aug 10, 2003 15:43:43 log mail sent to skiZophrenia_siCk@yahoo.com (maillog)
Aug 10, 2003 15:51:10 //lib/.x/s/r_s [A-Time]Random seed for /lib/.x/s/xopen SSHD
Aug 10, 2003 15:52:00 //root/sslstop/sslport [C-Time]changes SSL port
Aug 10, 2003 15:52:00 //root/sslstop/sslstop [C-Time]stops SSL on apache
Aug 10, 2003 15:52:00 //root/sslstop/sslport [M-Time]changes SSL port
Aug 10, 2003 15:52:00 //root/sslstop/sslstop [M-Time]stops SSL on apache
Aug 10, 2003 15:52:12 log http starting and stopping (boot.log)
Aug 10, 2003 15:52:23 //root/sslstop/sslport [A-Time]changes SSL port
Aug 10, 2003 15:54:18 //usr/bin/crontabs [A-Time]Calls smbd -D
Aug 10, 2003 15:54:18 //usr/include/iceconf.h [A-Time]Config file for /usr/include SSH server
Aug 10, 2003 15:54:18 //usr/bin/smbd -D [A-Time]SSH server that was running with password logger
Aug 10, 2003 15:54:18 //etc/rc.d/init.d/functions [A-Time]Startup script that executes crontabs
Aug 10, 2003 15:54:18 //root/sslstop/sslstop [A-Time]stops SSL on apache
Aug 10, 2003 15:56:11 log Root user 'su'ed
Aug 10, 2003 16:02:46 //etc/opt/psybnc/log/psybnc.log [A-Time]psybnc log
Aug 10, 2003 16:04:14 log telnet from proxyscan.undernet.org (secure log)
Aug 10, 2003 16:32:18 //lib/.x/s/r_s [C-Time]Random seed for /lib/.x/s/xopen SSHD
Aug 10, 2003 16:32:18 //lib/.x/s/r_s [M-Time]Random seed for /lib/.x/s/xopen SSHD
Aug 10, 2003 18:58:33 log ssh from 202.85.165.46 (secure log)
Aug 10, 2003 20:35:59 //usr/lib/libice.log [C-Time]network log file
Aug 10, 2003 20:35:59 //usr/lib/libice.log [M-Time]network log file
Aug 10, 2003 20:36:26 //lib/.x/s/mfs [C-Time]lsn logs
Aug 10, 2003 20:36:26 //lib/.x/s/mfs [M-Time]lsn logs
Aug 10, 2003 20:47:24 //etc/opt/psybnc/log/psybnc.log [C-Time]psybnc log
Aug 10, 2003 20:47:24 //etc/opt/psybnc/log/psybnc.log [M-Time]psybnc log