0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9

We are still tracing this exploit; here is what we know so far:

HOW TO FIND OUT IF YOU HAVE BEEN ROOTED:
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9

ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9

If the file exists and rpm reports "is not owned by any package", you have been rooted.
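The two checks above, as a script added here (it is not part of the original post): it covers every libkeyutils.so* file in /lib and /lib64 rather than only the 1.9 soname, classifies each by rpm ownership, and for owned files runs rpm -V so that a replaced but still-packaged file is noticed as well. The package name is whatever rpm -qf reports; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the post's two checks.
# Every libkeyutils.so* in /lib and /lib64 is classified by RPM ownership; an
# "unowned" result is the compromise indicator the post describes.

# Paths named in the post; candidate_paths adds any sibling libkeyutils.so* files.
SUSPECT_PATHS="/lib64/libkeyutils.so.1.9 /lib/libkeyutils.so.1.9"

# Classify the result of `rpm -qf <path>`.
# $1 = rpm exit status, $2 = captured output. Prints: unowned | owned | error
classify_rpm_qf() {
  case "$2" in
    *"is not owned by any package"*) echo unowned ;;
    *) if [ "$1" -eq 0 ] && [ -n "$2" ]; then echo owned; else echo error; fi ;;
  esac
}

# Check one path. Prints: absent | unowned | owned | error
check_path() {
  path=$1
  if [ ! -e "$path" ]; then echo absent; return 0; fi
  rc=0
  out=$(rpm -qf "$path" 2>&1) || rc=$?   # "|| rc=$?" keeps set -e from aborting
  classify_rpm_qf "$rc" "$out"
}

# The post's two paths plus any other libkeyutils.so* in the same directories,
# de-duplicated, one path per line. A shell glob is used so that a /lib that is
# a symlink (merged /usr) is still searched.
candidate_paths() {
  {
    for p in $SUSPECT_PATHS; do echo "$p"; done
    for d in /lib /lib64; do
      for f in "$d"/libkeyutils.so*; do
        if [ -e "$f" ]; then echo "$f"; fi
      done
    done
  } | sort -u
}

# Report every candidate. For owned files, `rpm -V` flags size, digest and mtime
# changes to packaged files, which `rpm -qf` alone cannot see.
report() {
  candidate_paths | while read -r p; do
    status=$(check_path "$p")
    echo "$status $p"
    if [ "$status" = owned ]; then
      pkg=$(rpm -qf "$p" 2>/dev/null)
      rpm -V "$pkg" || echo "modified-files-in $pkg"
    fi
  done
}

report
```

Run it as root on a RHEL-family host. The classifier keys on the exact message the post quotes, which rpm -qf prints (with a non-zero exit status) for a file no package owns. Presence alone is not the indicator the post gives; the ownership result is, so "owned" is the normal case and "unowned" is the one to act on.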

Currently known affected OSes:  RHEL-based servers
Currently known affected control panels:  cPanel, DirectAdmin, and Plesk
We do not know whether the control panels are the cause or not.
Servers with ksplice have been exploited.

WHAT WE KNOW:

  • I have scoured the CVEs for the Linux kernel up to the latest 3.x version and I didn't see anything relevant that would cause it in the CentOS kernels.
  • SSHDs running on non-standard ports have been compromised.
  • We think it is some daemon exploit and not a privilege escalation via the kernel. Some boxes running CageFS were exploited; if the exploit were delivered via an end-user account, /lib & /lib64 wouldn't be available to the attacker (it would be a copy of those directories instead). So, unless the hacker explicitly made a workaround to deal with CageFS (which is probably possible with a ptrace kernel exploit, but highly unlikely), that library would never make it to /lib & /lib64.
  • The data sent over that port 53 connection is not a normal DNS packet as far as I can tell.
  • Servers with the latest CentOS/CloudLinux have been compromised, both versions 5 and 6.
  • The earliest server I have seen exploited was in late December.
  • The strings in the libkeyutils.so.1.9 library are different and changing. One was reported to not have the external port 53 call compiled in.
  • The connections are not typically logged in /var/log/secure UNLESS you raise the log level to verbose. I originally found the connections using lsof, which is also how I tracked down the outbound SMTP connections.
  • When you strace sshd and log in to the server normally, there is an outbound port 53 connection to an IP address that is not in /etc/resolv.conf.

Here is something else that is interesting: they will connect to MULTIPLE IPs on the same server.

root@xxxxx [~]# netstat -n |grep 87.230.54.65
tcp        0      0 xxx.xxx.xxx.84:22             87.230.54.65:51101          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.9:22              87.230.54.65:54288          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.147:22            87.230.54.65:35982          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.12:22             87.230.54.65:33467          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.246:22            87.230.54.65:59694          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.24:22             87.230.54.65:42571          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.36:22             87.230.54.65:55064          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.62:22             87.230.54.65:57357          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.46:22             87.230.54.65:50876          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.59:22             87.230.54.65:51425          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.235:22            87.230.54.65:48760          ESTABLISHED
tcp        0    112 xxx.xxx.xxx.155:22            87.230.54.65:52329          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.125:22            87.230.54.65:60776          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.27:22             87.230.54.65:36775          ESTABLISHED
tcp        0    112 xxx.xxx.xxx.185:22            87.230.54.65:44919          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.101:22            87.230.54.65:44025          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.163:22            87.230.54.65:38346          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.158:22            87.230.54.65:59424          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.89:22             87.230.54.65:32780          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.29:22             87.230.54.65:39850          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.70:22             87.230.54.65:36001          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.57:22             87.230.54.65:48533          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.211:22            87.230.54.65:58030          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.227:22            87.230.54.65:38784          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.4:22              87.230.54.65:40025          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.238:22            87.230.54.65:41285          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.171:22            87.230.54.65:57272          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.248:22            87.230.54.65:35473          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.197:22            87.230.54.65:50670          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.113:22            87.230.54.65:44296          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.137:22            87.230.54.65:53060          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.245:22            87.230.54.65:35150          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.54:22             87.230.54.65:37230          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.128:22            87.230.54.65:39850          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.126:22            87.230.54.65:53901          ESTABLISHED
tcp        0     64 xxx.xxx.xxx.188:22            87.230.54.65:39340          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.96:22             87.230.54.65:51755          ESTABLISHED

Example of those 'sleep' processes I mentioned earlier:

root      149848  0.0  0.0 100904   588 ?        Ss   09:09   0:00 sleep 7200
root      149942  0.0  0.0 100904   592 ?        Ss   09:09   0:00 sleep 7200
root      150005  0.0  0.0 100904   592 ?        Ss   09:09   0:00 sleep 7200
root      150406  0.0  0.0  66952  3520 ?        Ss   09:10   0:00 sshd: root@notty
root      150413  0.0  0.0 100904   592 ?        Ss   09:10   0:00 sleep 7200
root      150702  0.0  0.0 100904   592 ?        Ss   09:12   0:00 sleep 7200
root      151066  0.0  0.0  66772  3444 ?        Ss   09:14   0:00 sshd: root@notty
root      151070  0.0  0.0 100904   596 ?        Ss   09:14   0:00 sleep 7200
root      151576  0.0  0.0  66928  3472 ?        Ss   09:16   0:00 sshd: root@notty
root      151585  0.0  0.0 100904   592 ?        Ss   09:16   0:00 sleep 7200
root      151699  0.0  0.0 100904   596 ?        Ss   09:16   0:00 sleep 7200
root      151736  0.0  0.0  66748  3416 ?        Ss   09:16   0:00 sshd: root@notty
root      151739  0.0  0.0 100904   596 ?        Ss   09:17   0:00 sleep 7200
root      151855  0.0  0.0  66824  3452 ?        Ss   09:17   0:00 sshd: root@notty
root      151859  0.0  0.0 100904   596 ?        Ss   09:17   0:00 sleep 7200
root      152382  0.0  0.0  66964  3528 ?        Ss   09:20   0:00 sshd: root@notty
root      152388  0.0  0.0 100904   592 ?        Ss   09:20   0:00 sleep 7200
root      152615  0.0  0.0  66824  3464 ?        Ss   09:21   0:00 sshd: root@notty
root      152619  0.0  0.0 100904   596 ?        Ss   09:21   0:00 sleep 7200
root      152706  0.0  0.0  66792  3448 ?        Ss   09:21   0:00 sshd: root@notty
root      152720  0.0  0.0 100904   592 ?        Ss   09:21   0:00 sleep 7200
root      152735  0.0  0.0  66792  3448 ?        Ss   09:21   0:00 sshd: root@notty
root      152745  0.0  0.0 100904   592 ?        Ss   09:21   0:00 sleep 7200
root      152902  0.0  0.0  66748  3416 ?        Ss   09:22   0:00 sshd: root@notty
root      152906  0.0  0.0 100904   592 ?        Ss   09:22   0:00 sleep 7200
root      153288  0.0  0.0  66852  3432 ?        Ss   09:24   0:00 sshd: root@notty
root      153295  0.0  0.0 100904   592 ?        Ss   09:24   0:00 sleep 7200
root      153406  0.0  0.0 100904   592 ?        Ss   09:24   0:00 sleep 7200
root      153439  0.0  0.0  66824  3416 ?        Ss   09:24   0:00 sshd: root@notty
root      153443  0.0  0.0 100904   596 ?        Ss   09:24   0:00 sleep 7200
root      153968  0.0  0.0  66792  3404 ?        Ss   09:26   0:00 sshd: root@notty
root      153977  0.0  0.0 100904   592 ?        Ss   09:26   0:00 sleep 7200
root      154014  0.0  0.0 100904   596 ?        Ss   09:26   0:00 sleep 7200
root      154055  0.0  0.0  66824  3476 ?        Ss   09:27   0:00 sshd: root@notty
root      154061  0.0  0.0 100904   596 ?        Ss   09:27   0:00 sleep 7200
root      154086  0.0  0.0  66952  3520 ?        Ss   09:27   0:00 sshd: root@notty
root      154092  0.0  0.0 100904   596 ?        Ss   09:27   0:00 sleep 7200
root      154372  0.0  0.0  66748  3380 ?        Ss   09:28   0:00 sshd: root@notty
root      154376  0.0  0.0 100904   596 ?        Ss   09:28   0:00 sleep 7200
root      154813  0.0  0.0  66760  3432 ?        Ss   09:30   0:00 sshd: root@notty
root      154817  0.0  0.0 100904   596 ?        Ss   09:30   0:00 sleep 7200
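The netstat and ps listings above, together with the port-53 and lsof observations in the WHAT WE KNOW list, as awk filters added here (they are not part of the original post): they flag a single remote peer holding SSH sessions to several local addresses at once, port-53 peers that are not configured resolvers, and root@notty sshd sessions beside root-owned sleep 7200 processes. The sample netstat, resolv.conf and ps lines are constructed from the post's listings, with local addresses replaced by documentation ranges; the remote 87.230.54.65 is the one the post shows.

```shell
#!/bin/sh
# Added example, not part of the original post: three host-side indicators from
# the post, as awk filters over `netstat -n` and `ps aux` output.
#   1. one remote peer with SSH sessions to many local addresses at once
#   2. outbound port-53 peers that are not in /etc/resolv.conf
#   3. "sshd: root@notty" sessions alongside root-owned "sleep 7200"
# Sample data is constructed: local addresses use 192.0.2.0/24 and
# 203.0.113.0/24 / 198.51.100.0/24 (documentation ranges).

# 1. Remote peers with ESTABLISHED sessions to port 22 on >= $1 distinct local
#    addresses (default 3). Prints "<remote_ip> <count>" per flagged peer.
fanned_out_ssh_peers() {
  awk -v min="${1:-3}" '
    $1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ /:22$/ {
      local = $4; remote = $5; sub(/:[0-9]+$/, "", remote)
      if (!((remote, local) in seen)) { seen[remote, local] = 1; n[remote]++ }
    }
    END { for (r in n) if (n[r] >= min) print r, n[r] }'
}

# 2. Port-53 peers that are not a configured resolver. $1 = space-separated
#    nameserver list (see resolvers_from_conf). Prints each unexpected peer once.
non_resolver_dns_peers() {
  awk -v ns="$1" '
    BEGIN { split(ns, a, " "); for (i in a) ok[a[i]] = 1 }
    ($1 == "tcp" || $1 == "udp") && $5 ~ /:53$/ {
      remote = $5; sub(/:53$/, "", remote)
      if (!(remote in ok) && !(remote in seen)) { seen[remote] = 1; print remote }
    }'
}

# Nameserver addresses from resolv.conf text on stdin, space-separated, one line.
resolvers_from_conf() {
  awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# 3. Count "sshd: root@notty" sessions and root-owned "sleep 7200" processes.
#    Prints "notty=<n> sleep7200=<n>".
notty_root_sessions() {
  awk '
    $1 == "root" && $11 == "sshd:" && $12 == "root@notty" { notty++ }
    $1 == "root" && $11 == "sleep" && $12 == "7200" { sl++ }
    END { printf "notty=%d sleep7200=%d\n", notty + 0, sl + 0 }'
}

# --- constructed samples (shaped like the post's listings) ---------------------
sample_netstat() {
  cat <<'EOF'
tcp        0      0 192.0.2.84:22             87.230.54.65:51101          ESTABLISHED
tcp        0      0 192.0.2.9:22              87.230.54.65:54288          ESTABLISHED
tcp        0      0 192.0.2.147:22            87.230.54.65:35982          ESTABLISHED
tcp        0    112 192.0.2.155:22            87.230.54.65:52329          ESTABLISHED
tcp        0      0 192.0.2.84:22             198.51.100.7:40010          ESTABLISHED
tcp        0      0 192.0.2.84:22             198.51.100.7:40011          ESTABLISHED
tcp        0      0 192.0.2.84:40112          203.0.113.200:53            ESTABLISHED
udp        0      0 192.0.2.84:50123          192.0.2.53:53               ESTABLISHED
EOF
}

sample_resolv_conf() {
  cat <<'EOF'
search example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
EOF
}

sample_ps() {
  cat <<'EOF'
root          1  0.0  0.0  19356  1540 ?        Ss   09:00   0:01 /sbin/init
root      149848  0.0  0.0 100904   588 ?        Ss   09:09   0:00 sleep 7200
root      150406  0.0  0.0  66952  3520 ?        Ss   09:10   0:00 sshd: root@notty
root      150413  0.0  0.0 100904   592 ?        Ss   09:10   0:00 sleep 7200
root      151066  0.0  0.0  66772  3444 ?        Ss   09:14   0:00 sshd: root@notty
root      151070  0.0  0.0 100904   596 ?        Ss   09:14   0:00 sleep 7200
admin     151200  0.0  0.0  98560  2100 pts/0    S    09:15   0:00 sshd: admin@pts/0
EOF
}

# With --live, inspect this host; otherwise run the filters over the samples.
if [ "${1:-}" = --live ]; then
  ns=$(resolvers_from_conf < /etc/resolv.conf)
  netstat -n | fanned_out_ssh_peers 3
  netstat -n | non_resolver_dns_peers "$ns"
  ps aux | notty_root_sessions
else
  ns=$(sample_resolv_conf | resolvers_from_conf)
  sample_netstat | fanned_out_ssh_peers 3        # prints: 87.230.54.65 4
  sample_netstat | non_resolver_dns_peers "$ns"  # prints: 203.0.113.200
  sample_ps | notty_root_sessions                # prints: notty=2 sleep7200=3
fi
```

The fan-out threshold is a tuning choice: a jump host or monitoring system that legitimately opens SSH sessions to many addresses will also trip it, and a connected-UDP resolver socket only shows up in netstat while it is open, so treat a hit as a lead to confirm with lsof, as the post did, rather than as proof.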

Here are 10 packets from tcpdump:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes

09:43:58.821991 IP (tos 0x0, ttl 49, id 57719, offset 0, flags [DF], proto TCP (6), length 52)
    87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xa254 (correct), seq 3312262149, ack 1665226106, win 501, options [nop,nop,TS val 885093176 ecr 4154428085], length 0
        0x0000:  4500 0034 e177 4000 3106 f6c5 57e6 3641  E..4.w@.1...W.6A
        0x0010:  8e5b 5504 9c59 0016 c56d 1c05 6341 557a  .[U..Y...m..cAUz
        0x0020:  8010 01f5 a254 0000 0101 080a 34c1 7338  .....T......4.s8
        0x0030:  f79f 8ab5                                ....

09:43:58.831253 IP (tos 0x0, ttl 49, id 57720, offset 0, flags [DF], proto TCP (6), length 100)
    87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [P.], cksum 0x5e95 (correct), seq 3312262149:3312262197, ack 1665226106, win 501, options [nop,nop,TS val 885093186 ecr 4154428085], length 48
        0x0000:  4500 0064 e178 4000 3106 f694 57e6 3641  E..d.x@.1...W.6A
        0x0010:  8e5b 5504 9c59 0016 c56d 1c05 6341 557a  .[U..Y...m..cAUz
        0x0020:  8018 01f5 5e95 0000 0101 080a 34c1 7342  ....^.......4.sB
        0x0030:  f79f 8ab5 4bbb 6494 6583 64ae 90d1 8c5c  ....K.d.e.d....\
        0x0040:  27d5 62ee 477e 2180 9610 f8de a5f0 5363  '.b.G~!.......Sc
        0x0050:  f18d c4bb 457a 0109 a4f0 f458 f991 4b70  ....Ez.....X..Kp
        0x0060:  733c e172                                s<.r

09:43:58.958927 IP (tos 0x8, ttl 50, id 59178, offset 0, flags [DF], proto TCP (6), length 52)
    87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [.], cksum 0x2bf6 (correct), seq 3258834673, ack 460063979, win 501, options [nop,nop,TS val 885093313 ecr 4154428222], length 0
        0x0000:  4508 0034 e72a 4000 3206 ef29 57e6 3641  E..4.*@.2..)W.6A
        0x0010:  8e5b 55e5 e96c 0016 c23d def1 1b6c 04eb  .[U..l...=...l..
        0x0020:  8010 01f5 2bf6 0000 0101 080a 34c1 73c1  ....+.......4.s.
        0x0030:  f79f 8b3e                                ...>

09:43:58.965112 IP (tos 0x8, ttl 50, id 59179, offset 0, flags [DF], proto TCP (6), length 100)
    87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [P.], cksum 0x5491 (correct), seq 3258834673:3258834721, ack 460063979, win 501, options [nop,nop,TS val 885093319 ecr 4154428222], length 48
        0x0000:  4508 0064 e72b 4000 3206 eef8 57e6 3641  E..d.+@.2...W.6A
        0x0010:  8e5b 55e5 e96c 0016 c23d def1 1b6c 04eb  .[U..l...=...l..
        0x0020:  8018 01f5 5491 0000 0101 080a 34c1 73c7  ....T.......4.s.
        0x0030:  f79f 8b3e bfa8 c9f5 1b1c d52e ea8e 9bc4  ...>............
        0x0040:  b211 1265 b6ca 6cab 3c93 1219 0c35 c4b1  ...e..l.<....5..
        0x0050:  03f3 45f9 794e 21aa c2b4 ae20 dff9 b235  ..E.yN!........5
        0x0060:  9087 56f8                                ..V.

09:43:59.121882 IP (tos 0x0, ttl 49, id 57721, offset 0, flags [DF], proto TCP (6), length 148)
    87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [P.], cksum 0x86c3 (correct), seq 3312262197:3312262293, ack 1665226186, win 501, options [nop,nop,TS val 885093476 ecr 4154428378], length 96
        0x0000:  4500 0094 e179 4000 3106 f663 57e6 3641  E....y@.1..cW.6A
        0x0010:  8e5b 5504 9c59 0016 c56d 1c35 6341 55ca  .[U..Y...m.5cAU.
        0x0020:  8018 01f5 86c3 0000 0101 080a 34c1 7464  ............4.td
        0x0030:  f79f 8bda 55a8 84fb d551 1050 1726 0c8e  ....U....Q.P.&..
        0x0040:  6bba 2419 2088 8c10 6072 d0b4 6440 27a1  k.$.....`r..d@'.
        0x0050:  0401 089d 46d7 5236 0c62 a9bc ef81 af68  ....F.R6.b.....h
        0x0060:  420a 4a44 9ae0 6150 3ad0 1bad 49e8 6518  B.JD..aP:...I.e.
        0x0070:  be38 c374 5ddc a9f9 3c91 bbb7 413a ba0b  .8.t]...<...A:..
        0x0080:  acea 139c 3073 7a27 4c01 ab93 d2a0 c793  ....0sz'L.......
        0x0090:  625e d5da                                b^..

09:43:59.122374 IP (tos 0x0, ttl 49, id 57722, offset 0, flags [DF], proto TCP (6), length 1480)
    87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0x1da4 (correct), seq 3312262293:3312263721, ack 1665226186, win 501, options [nop,nop,TS val 885093476 ecr 4154428378], length 1428
        0x0000:  4500 05c8 e17a 4000 3106 f12e 57e6 3641  E....z@.1...W.6A
        0x0010:  8e5b 5504 9c59 0016 c56d 1c95 6341 55ca  .[U..Y...m..cAU.
        0x0020:  8010 01f5 1da4 0000 0101 080a 34c1 7464  ............4.td
        0x0030:  f79f 8bda 691c e689 f8e6 2d0e 5a67 73ca  ....i.....-.Zgs.
        0x0040:  c1cf 7080 8a0c 5660 5848 6a39 8b94 cb37  ..p...V`XHj9...7
        0x0050:  c40b c0b1 e2d0 4e45 6b9b fc89 f6dc fbf3  ......NEk.......
        0x0060:  47a5 a6cf d728 c64d 9e80 87f0 176f 03d8  G....(.M.....o..
        0x0070:  ea56 50b6 8673 ebc3 fa0b 365d 8f12 0da0  .VP..s....6]....
        0x0080:  1f80 a87e 2be0 c920 9393 a298 2058 10c2  ...~+........X..
        0x0090:  c85c b0b5 ade9 5a98 47e4 ef92 f64a 2ffb  .\....Z.G....J/.
        0x00a0:  cf52 30c4 0e9e 1fed 0108 ec5c a46a 8b9e  .R0........\.j..
        0x00b0:  985a 9a10 e39f 090e d924 2658 9029 b250  .Z.......$&X.).P
        0x00c0:  3bb9 2100 a7bd 88a5 510c a4a9 729e c1c2  ;.!.....Q...r...
        0x00d0:  151c af51 65b6 3003 59ff 5dd0 d17d 6b94  ...Qe.0.Y.]..}k.
        0x00e0:  84a2 c44c fd80 3129 a002 5ad2 0e81 1eb7  ...L..1)..Z.....
        0x00f0:  e330 42bd fdf2 9f78 c019 1594 78af b4c4  .0B....x....x...
        0x0100:  610e 2dee 6dc8 f2da 44d1 9499 e10d 3d82  a.-.m...D.....=.
        0x0110:  101e dda9 0372 aa8e 3a9b 8567 62d7 e415  .....r..:..gb...
        0x0120:  218d 2618 1a37 fd6a 08ef 9577 06d5 0e41  !.&..7.j...w...A
        0x0130:  d015 17c8 f9af 7d60 462b 4f7b 6739 592a  ......}`F+O{g9Y*
        0x0140:  40f3 d8f4 19df 83dd 8b49 b5b6 74ef 6860  @........I..t.h`
        0x0150:  1f1a 62fd 8889 0ba9 c537 deed b173 fe50  ..b......7...s.P
        0x0160:  6382 4ab6 16ef 3423 4203 9d8e 9519 e847  c.J...4#B......G
        0x0170:  dfb8 ca85 6a46 a2da a80c 0b85 af23 8048  ....jF.......#.H
        0x0180:  8f2b ce49 c311 b8d6 afdb 1739 47ff 3fb4  .+.I.......9G.?.
        0x0190:  f04e 07de c1d2 407e 420a b160 9096 bbbc  .N....@~B..`....
        0x01a0:  7540 426d 574d 2334 038c 3c64 6b77 d89d  u@BmWM#4..<dkw..
        0x01b0:  7bf2 8d97 72ed 098f 64a5 a4fc b854 a419  {...r...d....T..
        0x01c0:  65fd 967d 57cb 7e26 d556 5ddb 82c1 19cc  e..}W.~&.V].....
        0x01d0:  0854 930f 26c1 340a 36e3 6fdd 4c4a de5d  .T..&.4.6.o.LJ.]
        0x01e0:  f60a ff46 ad22 35ee 8d39 afcd eb2c 607d  ...F."5..9...,`}
        0x01f0:  825e d975 b22c 38bd 12b1 4071 f720 ff14  .^.u.,8...@q....
        0x0200:  056a 9624 4762 325f 1559 4cd9 7e74 8b4c  .j.$Gb2_.YL.~t.L
        0x0210:  2ed6 ed20 85eb fd52 2fe8 fc76 fa2b 0403  .......R/..v.+..
        0x0220:  d9a2 b4f3 edfc a6d5 7c82 dd72 fcfa 9644  ........|..r...D
        0x0230:  3314 7fe2 32db 6d59 bfc6 dd1e 8d8f 5fc7  3...2.mY......_.
        0x0240:  6e86 212b 9651 2299 abf8 cd72 9b68 3f2f  n.!+.Q"....r.h?/
        0x0250:  baba dab3 ad0f ce2c a830 fe5c fb17 3313  .......,.0.\..3.
        0x0260:  5a16 bb43 5e4c 6c24 1fae 88cc 983a 924f  Z..C^Ll$.....:.O
        0x0270:  3f85 fe8c 7198 e308 1124 37cc b35d c8c4  ?...q....$7..]..
        0x0280:  6111 2301 e355 2ada 51f4 ec37 578c 9cca  a.#..U*.Q..7W...
        0x0290:  0fc4 03a3 286f 2c1f 925f b124 999c b624  ....(o,.._.$...$
        0x02a0:  866d 34e2 5913 f3a1 2479 284a 6a90 6fb9  .m4.Y...$y(Jj.o.
        0x02b0:  8b90 4203 a4dc 26b4 5a38 f66d b5b4 1171  ..B...&.Z8.m...q
        0x02c0:  0aaa da0c 7c24 3fd1 e6d7 b820 c448 e39b  ....|$?......H..
        0x02d0:  0df2 0e30 b2f1 17f5 7e1a 14b5 6dc1 3e74  ...0....~...m.>t
        0x02e0:  2e2d a482 1103 f1e5 26f1 60d5 a70b 593e  .-......&.`...Y>
        0x02f0:  0e06 32fd 16cc 3689 c6bc 50a7 081c da32  ..2...6...P....2
        0x0300:  bdb7 8165 752d 2a37 52d0 79ab 1646 b784  ...eu-*7R.y..F..
        0x0310:  bc67 1e55 3fd8 9ebc 44b5 1000 97e3 b1d5  .g.U?...D.......
        0x0320:  00c9 2404 d956 861d 0c29 63c7 ef7a 9754  ..$..V...)c..z.T
        0x0330:  d1f4 4127 dbc3 cdb0 1459 3836 e638 6738  ..A'.....Y86.8g8
        0x0340:  f40c 533e 31f4 e702 9823 60a3 e784 5d54  ..S>1....#`...]T
        0x0350:  612d 95cc d2c7 b3c7 70f9 c7da cb2f 0a4b  a-......p..../.K
        0x0360:  11bb 48fc 3ac1 41fd 8417 7d1a b23a ab09  ..H.:.A...}..:..
        0x0370:  1f90 e7d6 b83f bace 009d a987 21d8 395e  .....?......!.9^
        0x0380:  201c 3d83 1f48 cffb 345a 5082 b424 b219  ..=..H..4ZP..$..
        0x0390:  3c6a ef25 3861 6647 df68 558a 5b73 1684  <j.%8afG.hU.[s..
        0x03a0:  2564 6615 ff62 1a5b a1c7 adb0 d415 8486  %df..b.[........
        0x03b0:  c67d 690e 7e10 1695 b068 ec53 159d 77a8  .}i.~....h.S..w.
        0x03c0:  f58a e91d 53b1 2caf 167c 67ba c6a1 f3b4  ....S.,..|g.....
        0x03d0:  e70c 4fd8 e97a b3ee 7c66 83b3 8cd6 f28f  ..O..z..|f......
        0x03e0:  1cd4 58ab 1e3e 38b1 1454 77b9 425e 389c  ..X..>8..Tw.B^8.
        0x03f0:  e617 4cc8 a63c 1502 3d78 e6e1 1b29 bcdd  ..L..<..=x...)..
        0x0400:  20fe 5e82 89b5 649c 2729 abc1 f83f 3677  ..^...d.')...?6w
        0x0410:  c540 f3b5 599b d58d 5cc6 e023 c8ac 77d9  .@..Y...\..#..w.
        0x0420:  3411 ec70 0ff9 f569 6e01 063f 1197 3c2b  4..p...in..?..<+
        0x0430:  52bd e3e6 2b8a 25a2 8b03 dda8 6797 0921  R...+.%.....g..!
        0x0440:  aa9d dc93 d62f fb74 6bd1 f975 1160 e4ef  ...../.tk..u.`..
        0x0450:  dbb5 1c21 e578 9020 6cfb 5a20 17ec b480  ...!.x..l.Z.....
        0x0460:  a376 6e48 552e 9353 2b52 3e72 957b 34f6  .vnHU..S+R>r.{4.
        0x0470:  5667 6cba 8a4f 1142 8214 d025 618d f775  Vgl..O.B...%a..u
        0x0480:  dca2 16d6 c427 3c52 845e ff36 b5e2 406b  .....'<R.^.6..@k
        0x0490:  bb39 f171 3aa5 7bed f626 ca85 b9c6 a93b  .9.q:.{..&.....;
        0x04a0:  fb04 2f2a 91d4 9dcc dfff 3cb2 839e 7559  ../*......<...uY
        0x04b0:  67da cf68 9381 7810 04ce fe00 6a59 e0ef  g..h..x.....jY..
        0x04c0:  8425 d707 7e6b e32c 2e38 c06c 5fdb 2fc3  .%..~k.,.8.l_./.
        0x04d0:  d8a3 2050 ecd7 5a28 cfd9 b1c2 b0c2 24cd  ...P..Z(......$.
        0x04e0:  7a73 6dd7 6b24 6880 2986 e7a5 314f 15a5  zsm.k$h.)...1O..
        0x04f0:  86e7 2d46 774b 82a1 46b3 b288 4700 4e61  ..-FwK..F...G.Na
        0x0500:  f2a0 c625 1c77 c3bb e660 bc36 be9a f700  ...%.w...`.6....
        0x0510:  8b63 493c 8a01 b67e c8e5 8a7d b998 7caa  .cI<...~...}..|.
        0x0520:  5c6b 7e8e e39f bff9 49e5 c165 1592 be7d  \k~.....I..e...}
        0x0530:  d8f7 8853 b31c b1dd 9007 4e82 0a88 99db  ...S......N.....
        0x0540:  d9e9 6f80 3717 a01b f2c6 d932 5398 9a8c  ..o.7......2S...
        0x0550:  7cda 03ec 7907 2142 f381 bb66 07b3 4ffc  |...y.!B...f..O.
        0x0560:  e5f2 4483 becb d5e1 c7df 7308 06ae ba9a  ..D.......s.....
        0x0570:  6cd8 f3d5 d484 b257 71ea 45a8 cd45 cf92  l......Wq.E..E..
        0x0580:  5d01 acd3 e0ad 42b9 8c46 3021 8c6b cd23  ].....B..F0!.k.#
        0x0590:  a8e2 8920 5d50 34bb 04f7 eff9 bbc9 2887  ....]P4.......(.
        0x05a0:  1a46 5783 a94a c61f 01e0 7fb5 8a18 52c4  .FW..J........R.
        0x05b0:  e00d 2b60 b588 c14c c7f2 74bd 1ef0 c0a4  ..+`...L..t.....
        0x05c0:  5b20 1cae a63d 1f9e                      [....=..

09:43:59.122787 IP (tos 0x0, ttl 49, id 57723, offset 0, flags [DF], proto TCP (6), length 1480)
    87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xb3b1 (correct), seq 3312263721:3312265149, ack 1665226186, win 501, options [nop,nop,TS val 885093477 ecr 4154428378], length 1428
        0x0000:  4500 05c8 e17b 4000 3106 f12d 57e6 3641  E....{@.1..-W.6A
        0x0010:  8e5b 5504 9c59 0016 c56d 2229 6341 55ca  .[U..Y...m")cAU.
        0x0020:  8010 01f5 b3b1 0000 0101 080a 34c1 7465  ............4.te
        0x0030:  f79f 8bda acc8 9a9a 9882 6d73 5e0e c4d8  ..........ms^...
        0x0040:  6a2e 17f7 30f1 5c6e 48ff a65f 2158 f8bf  j...0.\nH.._!X..
        0x0050:  4271 b6ab a50a 8569 3f0b 97c1 88f6 cdf5  Bq.....i?.......
        0x0060:  a793 8c8c 91b9 b6d3 fa8e fca5 46a6 e170  ............F..p
        0x0070:  77e9 4257 fa7e 30f7 8aa2 b164 125a e4bb  w.BW.~0....d.Z..
        0x0080:  982e 2c17 e8d8 0b36 e0e8 a8b9 1ffe 80c5  ..,....6........
        0x0090:  8ca0 1a50 ec3e b967 bd2f 8034 c15c 65d8  ...P.>.g./.4.\e.
        0x00a0:  75be b06a 5a33 3a37 1f23 cb3a 156d d5bf  u..jZ3:7.#.:.m..
        0x00b0:  d6e5 2fc8 febc 988f 8a0d 754c 2489 c435  ../.......uL$..5
        0x00c0:  8feb 5ee3 79fb 2015 ad0c 461c c76b c099  ..^.y.....F..k..
        0x00d0:  8ff9 3afb f5ac cf8b 7d53 d6fc 5a35 643a  ..:.....}S..Z5d:
        0x00e0:  9870 6fee ce3a 4ebc 9e2f 9abd c24a fa61  .po..:N../...J.a
        0x00f0:  c762 4099 f315 45cd 23f7 47df 5b91 9fc1  .b@...E.#.G.[...
        0x0100:  ba80 53db cdc5 9f3e 2e00 af91 8653 0177  ..S....>.....S.w
        0x0110:  d6b0 cd12 e738 b1a5 ffad d590 5137 36d7  .....8......Q76.
        0x0120:  9d6d 1a27 75ca 1e95 cc64 4256 f213 5928  .m.'u....dBV..Y(
        0x0130:  671e f527 ec2e 0eb2 cfb9 a00d f9ae cf0d  g..'............
        0x0140:  8f41 de45 fb79 dd4e f414 ae42 c4d9 9dab  .A.E.y.N...B....
        0x0150:  7705 58d0 c057 235d 0c3c fa6f b3a5 cdc9  w.X..W#].<.o....
        0x0160:  d676 2e05 3697 46cd bf43 974c f493 4ac1  .v..6.F..C.L..J.
        0x0170:  5151 24fd 1f6c 7829 c67e 144f c263 5841  QQ$..lx).~.O.cXA
        0x0180:  6099 193b 3826 7630 3b58 5aea b066 be39  `..;8&v0;XZ..f.9
        0x0190:  8fff d009 772a 78c8 cf31 f821 af4d f5e4  ....w*x..1.!.M..
        0x01a0:  9c47 672e 3b03 3e11 f28a e608 70e6 e1ee  .Gg.;.>.....p...
        0x01b0:  f678 0058 4cef 3923 25af cac3 56a8 5af1  .x.XL.9#%...V.Z.
        0x01c0:  00ac a306 ecf5 50e5 b46b dbec cf27 6aca  ......P..k...'j.
        0x01d0:  2ad9 a16a e8a7 03ea 9d7a 1b0c 26b1 e358  *..j.....z..&..X
        0x01e0:  ca50 db6f 4c6f d8d4 b731 0d30 2dd8 10b8  .P.oLo...1.0-...
        0x01f0:  38e0 2540 9203 296a 9353 50a9 08e5 3d51  8.%@..)j.SP...=Q
        0x0200:  c04b 8cb7 ac95 9e1f 2f16 549c 465b cfdd  .K....../.T.F[..
        0x0210:  d469 42ee 4c15 e497 270f 7e50 ef3c 92a0  .iB.L...'.~P.<..
        0x0220:  5b54 58a3 6f0e befc 0df5 6b67 e256 5332  [TX.o.....kg.VS2
        0x0230:  a6f8 e661 0556 5400 a82c 38d0 523a 0f27  ...a.VT..,8.R:.'
        0x0240:  3955 374e 6149 d4ff a9d4 b590 17fc ebb7  9U7NaI..........
        0x0250:  1542 6a99 5492 d6be 5a35 7595 adb8 401b  .Bj.T...Z5u...@.
        0x0260:  73be ac69 8e12 0c6f 64cd 46b2 8eef 7eca  s..i...od.F...~.
        0x0270:  867b dec8 c5f6 e595 bcc5 59a2 0ecf ec6c  .{........Y....l
        0x0280:  faa9 e307 7b04 326e 70c8 d71e 68ef cfff  ....{.2np...h...
        0x0290:  7689 9070 ff50 df7e 5e71 8de2 da46 af02  v..p.P.~^q...F..
        0x02a0:  f639 8f6c 7c45 3279 b66d 000d d92d 7805  .9.l|E2y.m...-x.
        0x02b0:  e9b0 9f71 bf10 8b29 e82a 66ea 240f 974f  ...q...).*f.$..O
        0x02c0:  15f2 e36e d55c dcc9 c28f 1aab 354c 7552  ...n.\......5LuR
        0x02d0:  1259 dd84 fff8 4449 2604 f7d0 49ad cfac  .Y....DI&...I...
        0x02e0:  8e64 5798 da43 685c 7fad bd93 dc82 d132  .dW..Ch\.......2
        0x02f0:  d7eb bdb7 b2eb 6fa8 d9d3 8f4b 85ea 7a44  ......o....K..zD
        0x0300:  3f75 699f 7030 1e03 7b76 7875 5fd5 0606  ?ui.p0..{vxu_...
        0x0310:  5a8c a78a 3c69 8f2a 25d5 f8d6 6c84 a220  Z...<i.*%...l...
        0x0320:  35d1 7b1e a9f1 8b0d 5a13 3d76 8128 b4ae  5.{.....Z.=v.(..
        0x0330:  00e6 f01d 65f6 3066 8482 7256 63c4 85f7  ....e.0f..rVc...
        0x0340:  9e78 89e6 e577 fb8c b74d 634e d772 4241  .x...w...McN.rBA
        0x0350:  0fdc 3e05 48e7 d8bf 6ba0 a850 fa53 46f0  ..>.H...k..P.SF.
        0x0360:  8362 4763 419c 197d a9e1 3f88 a823 7320  .bGcA..}..?..#s.
        0x0370:  d413 f0c0 4e35 987e b057 87c1 4c63 cf60  ....N5.~.W..Lc.`
        0x0380:  e9b8 dd8a 797e 746d dae3 6ffa e688 b2ec  ....y~tm..o.....
        0x0390:  8374 9f9e 7850 993a 7931 3cd3 51fd ae80  .t..xP.:y1<.Q...
        0x03a0:  9da6 a547 e937 2cdd 06c3 cbce 8e95 21aa  ...G.7,.......!.
        0x03b0:  a041 39e0 5bd1 0a67 3ad7 a39b 4537 e675  .A9.[..g:...E7.u
        0x03c0:  e24d 83d6 5c2d ffe2 782e c43b b38c ff9f  .M..\-..x..;....
        0x03d0:  99c9 67d5 1382 26ad 2424 35ab 5094 944c  ..g...&.$$5.P..L
        0x03e0:  278d 9056 63e7 0159 072e 08ff ca75 bf20  '..Vc..Y.....u..
        0x03f0:  d1f8 3d26 43ed a440 dfa1 4811 e30b 4333  ..=&C..@..H...C3
        0x0400:  f86e 9f58 5e41 c34e c63f 8c7e a168 c054  .n.X^A.N.?.~.h.T
        0x0410:  0672 3e85 d487 744d 4505 7df6 c53d 9e1b  .r>...tME.}..=..
        0x0420:  df00 45fa 823c 704f 10b7 3cd4 f80f b70e  ..E..<pO..<.....
        0x0430:  52b0 f253 7e4b f07f 6aaf 40dd 85b0 c119  R..S~K..j.@.....
        0x0440:  c8e2 94b8 4662 367a bea0 d351 9669 2e80  ....Fb6z...Q.i..
        0x0450:  3e75 c1a1 4f07 c5af ec61 7b6d ab42 9c0f  >u..O....a{m.B..
        0x0460:  5c34 ae0a cf0c fab8 ab7d f49a 0870 a464  \4.......}...p.d
        0x0470:  c504 a3f7 86fb 85f1 9ee4 cfd6 b6b6 4fdf  ..............O.
        0x0480:  e460 3486 1798 e279 b442 35fd eab1 6107  .`4....y.B5...a.
        0x0490:  4ea2 595c 6cd8 847e 60f1 7bc6 cc5c e7d5  N.Y\l..~`.{..\..
        0x04a0:  f8af 70c2 d95d 7de5 9c3c 7cfb 5ffe 0352  ..p..]}..<|._..R
        0x04b0:  d725 1d9a f256 b878 ca00 7582 195b 2e86  .%...V.x..u..[..
        0x04c0:  d5fe 04ff 3bb1 3185 9a6f ab4f 06cb 39ca  ....;.1..o.O..9.
        0x04d0:  2c1d c593 5f6a c50f 28a7 2c70 e264 477c  ,..._j..(.,p.dG|
        0x04e0:  c5b4 6706 c6d3 eb0d 48fc 511e b640 aeb8  ..g.....H.Q..@..
        0x04f0:  d4e4 fac3 4a2f c05d 3d21 9172 b84f 61c7  ....J/.]=!.r.Oa.
        0x0500:  d002 e69f c8f7 75f3 a086 6c13 b141 abad  ......u...l..A..
        0x0510:  f751 7077 7266 53a1 0962 5e11 f8e0 6613  .QpwrfS..b^...f.
        0x0520:  04a3 48c3 c665 91b0 2361 4634 db4a 23fb  ..H..e..#aF4.J#.
        0x0530:  7ad0 f54d 707f d2c4 d70c dd72 a23d 8911  z..Mp......r.=..
        0x0540:  18a7 67db bf14 1b46 cedc 475e 2a22 cd89  ..g....F..G^*"..
        0x0550:  58bf a73c b875 8265 5c66 65ca bdcd 40b8  X..<.u.e\fe...@.
        0x0560:  1747 d9c0 5bca 0441 3412 6622 c491 facf  .G..[..A4.f"....
        0x0570:  28b9 edf4 25e3 461a d7aa 29dc 15b7 3aed  (...%.F...)...:.
        0x0580:  ab26 a25f 6041 94b1 db26 beac bb00 0631  .&._`A...&.....1
        0x0590:  336c 5304 290d 775f 43a6 ad3f 9b64 e456  3lS.).w_C..?.d.V
        0x05a0:  3b53 d8a1 0aba 0d2f 4bd9 10e3 65e0 08dc  ;S...../K...e...
        0x05b0:  211f c8d0 a29a 35a4 1c14 351c 449d a88c  !.....5...5.D...
        0x05c0:  ce57 4d18 ee60 d851                      .WM..`.Q

09:43:59.248193 IP (tos 0x8, ttl 50, id 59180, offset 0, flags [DF], proto TCP (6), length 100)
    87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [P.], cksum 0x4a13 (correct), seq 3258834721:3258834769, ack 460064107, win 501, options [nop,nop,TS val 885093603 ecr 4154428505], length 48
        0x0000:  4508 0064 e72c 4000 3206 eef7 57e6 3641  E..d.,@.2...W.6A
        0x0010:  8e5b 55e5 e96c 0016 c23d df21 1b6c 056b  .[U..l...=.!.l.k
        0x0020:  8018 01f5 4a13 0000 0101 080a 34c1 74e3  ....J.......4.t.
        0x0030:  f79f 8c59 ba10 2723 22f2 5e3d 1ceb 4642  ...Y..'#".^=..FB
        0x0040:  1fac c260 dba5 c165 8fb8 269e c0c4 048f  ...`...e..&.....
        0x0050:  d38e 6375 fe62 f167 d26f 5b9c 3619 da49  ..cu.b.g.o[.6..I
        0x0060:  3ed9 7a52                                >.zR

09:43:59.252714 IP (tos 0x0, ttl 49, id 57724, offset 0, flags [DF], proto TCP (6), length 1480)
    87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0x5342 (correct), seq 3312265149:3312266577, ack 1665226186, win 501, options [nop,nop,TS val 885093607 ecr 4154428516], length 1428
        0x0000:  4500 05c8 e17c 4000 3106 f12c 57e6 3641  E....|@.1..,W.6A
        0x0010:  8e5b 5504 9c59 0016 c56d 27bd 6341 55ca  .[U..Y...m'.cAU.
        0x0020:  8010 01f5 5342 0000 0101 080a 34c1 74e7  ....SB......4.t.
        0x0030:  f79f 8c64 4d90 a29e 1535 547e bcc1 8a99  ...dM....5T~....
        0x0040:  8c41 353e 3466 765b a6ed d6ab d53d 79ac  .A5>4fv[.....=y.
        0x0050:  aace aa97 ff88 478c d379 6cdc 4be7 c5cf  ......G..yl.K...
        0x0060:  4b02 1162 ea21 877c 91e6 0ed6 badc 6681  K..b.!.|......f.
        0x0070:  f220 a348 57be b887 769b d928 4433 6338  ...HW...v..(D3c8
        0x0080:  c09a 9dd6 d714 1c67 8c79 2f64 3e4f 0242  .......g.y/d>O.B
        0x0090:  3f2a d379 cb7b a239 54e2 8970 1086 855a  ?*.y.{.9T..p...Z
        0x00a0:  dc4c 3290 be2d 865d 882a 49f4 3d61 e37a  .L2..-.].*I.=a.z
        0x00b0:  2346 d76e fec5 0897 7431 fb3f 43d6 7092  #F.n....t1.?C.p.
        0x00c0:  b7d2 11ac df5c 0edd ceff d9d3 ed48 d78b  .....\.......H..
        0x00d0:  e52c 8774 4abc 0b3a 1862 b2f5 4b16 a8eb  .,.tJ..:.b..K...
        0x00e0:  1fd4 ad7d e8e3 c102 7122 c9f2 82be d1ea  ...}....q"......
        0x00f0:  4f85 1439 2807 76d2 4d60 cb20 dbe0 a4ec  O..9(.v.M`......
        0x0100:  43fe 73e2 5216 2be5 0a18 2860 b6a7 eaab  C.s.R.+...(`....
        0x0110:  2be5 1caa 3179 fd3c b930 e256 02dd 98d9  +...1y.<.0.V....
        0x0120:  df06 ffe0 4c6c e11b f6fe 83fd a20c 07c8  ....Ll..........
        0x0130:  9dde 9030 1512 d1b3 4e1d 6b97 3293 36b7  ...0....N.k.2.6.
        0x0140:  e2fb 8734 6723 0040 74ae 646b 596d 72de  ...4g#.@t.dkYmr.
        0x0150:  d406 c707 82f6 88db 596a 125c d3c9 e86b  ........Yj.\...k
        0x0160:  b752 4342 2aa2 f656 ed58 24d8 b601 fc2f  .RCB*..V.X$..../
        0x0170:  8a8b ea2a c69c 19af 72c9 e633 cd9b dd8f  ...*....r..3....
        0x0180:  ed99 5349 5bf8 8818 5a03 eb08 1765 f1a9  ..SI[...Z....e..
        0x0190:  b516 8a3f 2f4c 90d0 2198 2586 b050 ef53  ...?/L..!.%..P.S
        0x01a0:  d0fd 7bc1 4892 32ab c66e fadb 2356 6516  ..{.H.2..n..#Ve.
        0x01b0:  7e38 5553 45e8 78ff f739 adf2 16da 6247  ~8USE.x..9....bG
        0x01c0:  2841 e018 0757 992d 38ec fd77 f5c4 7a11  (A...W.-8..w..z.
        0x01d0:  2634 bece 41cf f90d 02a1 a297 4575 6ff3  &4..A.......Euo.
        0x01e0:  c380 0761 79c4 4d75 128c be51 455f 7656  ...ay.Mu...QE_vV
        0x01f0:  0b2c 74b0 b4b0 ba66 5c86 cbe5 b2e4 909e  .,t....f\.......
        0x0200:  4b21 eb9f c7b2 4123 6f85 6627 2322 50bf  K!....A#o.f'#"P.
        0x0210:  3310 9ac0 c1a1 31ba c5bf b425 f93c 6131  3.....1....%.<a1
        0x0220:  d5d1 23ac 2bc1 2138 c011 5d6d 6212 8caa  ..#.+.!8..]mb...
        0x0230:  d8c4 8436 8951 5efe c114 e9c1 37ee 4fc2  ...6.Q^.....7.O.
        0x0240:  5d47 b65f da3a 634e a34d 7034 c845 b35e  ]G._.:cN.Mp4.E.^
        0x0250:  4e6e 776e 5ebb 46f8 f5af fe0d 402e 3afe  Nnwn^.F.....@.:.
        0x0260:  717f 64ee 0a23 5657 98da 3705 5532 c536  q.d..#VW..7.U2.6
        0x0270:  5ab1 2630 5126 3ab9 3448 cb7b 13a2 c584  Z.&0Q&:.4H.{....
        0x0280:  810e ab8e 43b4 8796 ef7e 1e15 8dc0 1321  ....C....~.....!
        0x0290:  a87d c79f 783e 903a f781 551d 9b32 f180  .}..x>.:..U..2..
        0x02a0:  ee3f 4fe7 6930 720a 24cd da8e 6f57 c54d  .?O.i0r.$...oW.M
        0x02b0:  084c cee2 c718 1345 c394 6b2e 14b2 385b  .L.....E..k...8[
        0x02c0:  8a7e adb0 1c07 c1ed b93d 816c e4b0 fae1  .~.......=.l....
        0x02d0:  909b 68ac bcb7 f7c5 431b 2359 d7ca 8826  ..h.....C.#Y...&
        0x02e0:  fb59 dbea 1095 cb85 b528 1cdb 07b3 2628  .Y.......(....&(
        0x02f0:  9c7f eca1 2a8f ffc6 6a7f 3297 2ea2 5c89  ....*...j.2...\.
        0x0300:  567d 67ab 757f 62b7 6967 ae67 7d5d c511  V}g.u.b.ig.g}]..
        0x0310:  2257 0ccc 79e9 40eb f33a aa8b dd1c a63a  "W..y.@..:.....:
        0x0320:  51f1 947e cdc4 d74e 621e 3bec 7385 6cba  Q..~...Nb.;.s.l.
        0x0330:  4d79 eb5b 4985 8998 e277 37e7 6711 89d6  My.[I....w7.g...
        0x0340:  a6b3 c506 acbb 88f2 24ae 9679 293a 7c0e  ........$..y):|.
        0x0350:  8a31 cadd f185 ef7c 3d3d ea2a 8b59 6262  .1.....|==.*.Ybb
        0x0360:  52a0 2ac4 71ec 62d4 0eb6 3778 abc2 5b5d  R.*.q.b...7x..[]
        0x0370:  b4c3 5d57 c4ab 05c3 7efc 97e4 211a ccc6  ..]W....~...!...
        0x0380:  021d 91c7 0d3f 03d2 4117 5a57 1fb5 0a29  .....?..A.ZW...)
        0x0390:  bc09 da50 dbca 7089 add4 e3e3 f055 42fc  ...P..p......UB.
        0x03a0:  0214 57fa 2a51 b66f 8fd3 512e fee6 767d  ..W.*Q.o..Q...v}
        0x03b0:  4889 1257 5ee8 dc16 a48a 8bd9 aee6 bb0b  H..W^...........
        0x03c0:  42e5 592b 5d9a da6e 9a58 5808 0196 e207  B.Y+]..n.XX.....
        0x03d0:  64a1 0f2f 7be2 c65f eb96 9b1e 65aa ba44  d../{.._....e..D
        0x03e0:  0f29 5627 03d3 5673 a7ac a02f 73ee c55c  .)V'..Vs.../s..\
        0x03f0:  c213 b5ee 0500 db19 2485 a276 0d9e 8049  ........$..v...I
        0x0400:  c35c dee1 daaf f338 37b2 9b6b 2f2d 23fa  .\.....87..k/-#.
        0x0410:  9bd2 5af9 a303 8b9f fe7d b2f5 7dc8 1a1d  ..Z......}..}...
        0x0420:  19f8 faf7 7a83 78b6 4b99 0497 1c78 2aa1  ....z.x.K....x*.
        0x0430:  43cc 32a7 6de3 21ba 9a14 9dac f947 9d8f  C.2.m.!......G..
        0x0440:  b583 8c6a 0fb5 8f7c 5fa5 acb3 2cbf 0174  ...j...|_...,..t
        0x0450:  1624 c588 1ddd eb51 8b39 fc6c 7428 49e8  .$.....Q.9.lt(I.
        0x0460:  fd0d 8064 b1dc 7e07 5cec 1362 897c beb6  ...d..~.\..b.|..
        0x0470:  e23e 507c 127c 59db 2a5c 115d ac0a 1e1c  .>P|.|Y.*\.]....
        0x0480:  d223 23e7 64eb d4b7 7cce 3ed0 f678 c7a0  .##.d...|.>..x..
        0x0490:  8a8b a51a eaf5 dbc8 3f90 0919 9eaa aaaa  ........?.......
        0x04a0:  347c ce1c b212 1487 2fef d0b8 8c75 ce8e  4|....../....u..
        0x04b0:  1a27 3569 88ad 8df0 c857 05f8 32b7 ff02  .'5i.....W..2...
        0x04c0:  f109 1511 ebc7 3b14 d02e 6534 1eb3 27b2  ......;...e4..'.
        0x04d0:  3601 cc77 f583 edd0 5278 c972 2734 321b  6..w....Rx.r'42.
        0x04e0:  84cb d62d 5365 7961 f070 e452 84da 6f0d  ...-Seya.p.R..o.
        0x04f0:  322c fe84 1f15 7bb4 5e4c 7db3 035c 3940  2,....{.^L}..\9@
        0x0500:  a1d8 72e7 6a95 c8ca 12d8 c697 4b3c 9f90  ..r.j.......K<..
        0x0510:  2fe2 36e0 dea7 29ec 18d6 4440 3039 ca12  /.6...)...D@09..
        0x0520:  89f0 f0fb 1782 baa8 f95c 9364 7592 2ac3  .........\.du.*.
        0x0530:  bebf 4e84 8f6e cd41 1b35 11b7 3c7f 485d  ..N..n.A.5..<.H]
        0x0540:  2735 69f2 4f18 8b99 a165 e521 7e54 a0cc  '5i.O....e.!~T..
        0x0550:  a73b d869 f79d c27d 48ae 3b96 a678 44a4  .;.i...}H.;..xD.
        0x0560:  6f05 f0bf c435 f145 84f0 ef4e a562 fd79  o....5.E...N.b.y
        0x0570:  6189 5d3c 80eb 54b1 2534 0e90 398c f7c7  a.]<..T.%4..9...
        0x0580:  1d88 2cbb 08d7 3931 fca1 5c06 9236 a32f  ..,...91..\..6./
        0x0590:  912f 92c4 9593 c19c ae2b 69d5 f489 a9e1  ./.......+i.....
        0x05a0:  0879 00fd 4bba efd5 9325 30c6 82f9 874e  .y..K....%0....N
        0x05b0:  b15f fcbb dc26 068b 6688 72ff c594 4adf  ._...&..f.r...J.
        0x05c0:  6124 9757 9885 342a                      a$.W..4*

09:43:59.253591 IP (tos 0x0, ttl 49, id 57725, offset 0, flags [DF], proto TCP (6), length 1480)
    87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xcdaf (correct), seq 3312266577:3312268005, ack 1665226186, win 501, options [nop,nop,TS val 885093607 ecr 4154428516], length 1428
        0x0000:  4500 05c8 e17d 4000 3106 f12b 57e6 3641  E....}@.1..+W.6A
        0x0010:  8e5b 5504 9c59 0016 c56d 2d51 6341 55ca  .[U..Y...m-QcAU.
        0x0020:  8010 01f5 cdaf 0000 0101 080a 34c1 74e7  ............4.t.
        0x0030:  f79f 8c64 3ee4 d50d d2b1 bfe9 7ec4 a3c1  ...d>.......~...
        0x0040:  5014 6d71 cf48 0f5a 3f40 6d7b 04a6 3ba2  P.mq.H.Z?@m{..;.
        0x0050:  82cb 8ffc cbbf 5093 482a 5016 cbcd 0c3a  ......P.H*P....:
        0x0060:  f3ac 1b88 19cb 3a45 1bbe 91c0 eedd eaad  ......:E........
        0x0070:  fa5b 1dcd 9e99 a70e dd6e cce5 9a8e d92a  .[.......n.....*
        0x0080:  6768 3a07 0002 593c 9f4a 4cef 781c 4593  gh:...Y<.JL.x.E.
        0x0090:  d489 d68f 1dc1 0e57 ae20 39b7 437b f511  .......W..9.C{..
        0x00a0:  2793 3148 044c 8256 d7bf e0ba bbaf f4ac  '.1H.L.V........
        0x00b0:  05b8 3cdb af38 6e7f 5e4f 635e a8a1 6581  ..<..8n.^Oc^..e.
        0x00c0:  a466 74be d400 f606 d5bf 2d17 fb6b 141e  .ft.......-..k..
        0x00d0:  984a 732b 3c96 9d69 2a34 2f51 d6c9 7a13  .Js+<..i*4/Q..z.
        0x00e0:  8661 be9c 1cd1 3fc6 8383 90b0 04b3 4b18  .a....?.......K.
        0x00f0:  7734 d87c 3f98 4a1b 25f4 a810 791b adf8  w4.|?.J.%...y...
        0x0100:  27c4 4c40 c338 fe81 480d 0d64 a926 af2d  '.L@.8..H..d.&.-
        0x0110:  4565 98c1 4873 dceb eddd 3c3a cae6 47c3  Ee..Hs....<:..G.
        0x0120:  625c c617 1023 17a8 f32a 0951 7f2d 8f5e  b\...#...*.Q.-.^
        0x0130:  1bb5 8f28 a2f0 11f6 8b84 c712 6108 e0ef  ...(........a...
        0x0140:  254e 0373 14d0 d608 72d0 bf32 1b28 7a97  %N.s....r..2.(z.
        0x0150:  8e89 6d04 2933 6798 8a12 c958 fc78 dbc3  ..m.)3g....X.x..
        0x0160:  a881 4da0 97fa f43d 5ef1 b9c1 f740 c9be  ..M....=^....@..
        0x0170:  0cda 5c3a e744 1135 3781 b2f4 1cdb 13ef  ..\:.D.57.......
        0x0180:  6774 7b44 8fe1 b151 09ac e5f1 7f14 ba6b  gt{D...Q.......k
        0x0190:  2764 cd88 78fe c0a0 a459 11c4 8744 ba12  'd..x....Y...D..

0x01a0:  6d5a ada5 6fb6 8aee c630 afe2 36a5 4be9  mZ..o….0..6.K.

0x01b0:  58b2 590b cc82 c41c aa50 130e 8b9e 01c7  X.Y……P……

0x01c0:  73ed ac8a 676a dccc 586e f8e3 e4fb 5625  s…gj..Xn….V%

0x01d0:  8452 f995 6f53 4332 2873 cf62 334a 8fd1  .R..oSC2(s.b3J..

0x01e0:  7e0e 5e9b 8f10 4198 1487 caa5 2b60 99ae  ~.^…A…..+`..

0x01f0:  6d56 5716 e1b3 1e8d 74c1 4fe7 9043 7913  mVW…..t.O..Cy.

0x0200:  3b98 94de bb42 5b4a efba 4b6a 67b7 69e4  ;….B[J..Kjg.i.

0x0210:  2581 4e60 f886 23d5 d80e c117 c56c d59b  %.N`..#……l..

0x0220:  db03 dc5e b36f 2a66 c730 e340 33d3 f0d5  …^.o*f.0.@3…

0x0230:  8fe9 eff8 2682 3553 ea9e eb25 1aab 7fbd  ….&.5S…%….

0x0240:  c075 4a01 8b39 e760 0411 0cb5 d7c3 1a87  .uJ..9.`……..

0x0250:  9949 05d5 acc8 8f4f b0e3 60ef c194 368c  .I…..O..`…6.

0x0260:  6697 210a 5f61 e820 ba1c 4d1e 4de8 c5d1  f.!._a….M.M…

0x0270:  ef15 9f3b eebc ee2a 9351 80b5 3ab8 a4f0  …;…*.Q..:…

0x0280:  9302 404a cd61 6437 b9ca 3c50 0201 0418  ..@J.ad7..<P….

0x0290:  b0e6 8618 b834 966e f8f7 42cb b163 9184  …..4.n..B..c..

0x02a0:  98bb ac2a 9a4b 2ecd 1cdf 1ed9 6047 04c6  …*.K……`G..

0x02b0:  7ffb 9c9e a9e2 a2eb d993 5e71 d7ea 1b91  ……….^q….

0x02c0:  4a96 50fd 706e 50ec b0a2 815f 58a9 0961  J.P.pnP…._X..a

0x02d0:  8e0a a87b 5788 94c7 af28 9285 2fb9 ace0  …{W….(../…

0x02e0:  cbbd 6339 0c03 3a27 a660 d010 ffdd 9860  ..c9..:’.`…..`

0x02f0:  5652 ca42 6c71 c972 ad45 6d31 8d0c 753b  VR.Blq.r.Em1..u;

0x0300:  3cc7 f953 f2a1 7f94 60ed ff4d ef27 5ade  <..S….`..M.’Z.

0x0310:  9592 0d3a d0e7 609a 20cd d651 b512 4650  …:..`….Q..FP

0x0320:  b2ac 70b2 20a9 e85a 7d9e c975 b100 a33e  ..p….Z}..u…>

0x0330:  efe4 1513 b85f 4325 a71b afd6 1be2 9d72  ….._C%…….r

0x0340:  0933 9fcf e10d 15c9 f2c3 7317 6654 703c  .3……..s.fTp<

0x0350:  e15a 518d 6060 6066 c563 00a5 8f26 7384  .ZQ.“`f.c…&s.

0x0360:  3927 1129 82d4 0357 30c5 3fc2 b281 8e35  9′.)…W0.?….5

0x0370:  33a6 ca36 c852 d273 336e efdb b378 33c2  3..6.R.s3n…x3.

0x0380:  9ebe 309b 3b60 7abf a488 deb4 aa2c 59ae  ..0.;`z……,Y.

0x0390:  65ff 6be4 a180 323b 1df7 5979 1f19 9e91  e.k…2;..Yy….

0x03a0:  dc62 dadf 7fba bd8f a796 13ed b470 9aa3  .b………..p..

0x03b0:  c783 1681 89ff 6089 2a81 a9f9 c7a6 b7d0  ……`.*…….

0x03c0:  ef20 6c94 5684 b5ae aa0e 8a03 334f 002e  ..l.V…….3O..

0x03d0:  eebd 90ef abef a6a4 6c67 4ed9 15e2 5781  ……..lgN…W.

0x03e0:  d9ad 935c 0149 3f71 8df2 6ef7 1354 3b20  …\.I?q..n..T;.

0x03f0:  1e55 be1c 8d1b 0ba9 b51f 736e 888c d5d2  .U……..sn….

0x0400:  5b6e 07d1 bb80 8366 7f3c 640f baf9 7b12  [n…..f.<d…{.

0x0410:  a453 b3b4 5003 6007 3527 ae64 83a3 a50e  .S..P.`.5′.d….

0x0420:  f519 804f 9565 3a6a 2549 53e9 04ac 26cc  …O.e:j%IS…&.

0x0430:  efe5 864b c2d8 a1c0 84c5 1662 678c 89be  …K…….bg…

0x0440:  1d96 f1b6 e499 6c28 c257 c739 76fd c626  ……l(.W.9v..&

0x0450:  960b e62c ea5e 9cc6 45a4 9c05 c05f e4ca  …,.^..E…._..

0x0460:  9b05 ee14 eff0 9f0f f4ad 7f09 2a44 bb59  …………*D.Y

0x0470:  e539 6857 620e 5b39 5ccb 45df 27a2 5890  .9hWb.[9\.E.’.X.

0x0480:  6667 7d6f bc6c bb64 36db 6dc4 17ee 2d36  fg}o.l.d6.m…-6

0x0490:  ca15 3630 c8d2 e568 db54 4919 52ef c85e  ..60…h.TI.R..^

0x04a0:  66f4 6cd7 5b9f 192c 6996 2449 e18f 57cd  f.l.[..,i.$I..W.

0x04b0:  26c8 c83e 6d53 51df 1b0b 6135 d2e8 10e5  &..>mSQ…a5….

0x04c0:  1af2 0448 ec5e 3454 8455 b61e 4299 25ab  …H.^4T.U..B.%.

0x04d0:  1ab9 0277 135a 795a 208f 041e 00f0 643f  …w.ZyZ……d?

0x04e0:  7cf0 3c1b 0efc eeaf 3318 4cd2 7a02 9892  |.<…..3.L.z…

0x04f0:  ad5f f88b 8636 d2a5 d93c 6cc9 7b4d bd4b  ._…6…<l.{M.K

0x0500:  8927 12c4 6552 7acd 9575 c3fb bd7c 5efb  .’..eRz..u…|^.

0x0510:  06d1 6321 bae7 47ce 4afe a668 def2 d905  ..c!..G.J..h….

0x0520:  24c0 5084 7d61 d5b7 9cd8 35e6 1717 0dc5  $.P.}a….5…..

0x0530:  75ad 8bcf c931 96ca 813e f2b5 a3eb 54ed  u….1…>….T.

0x0540:  4ffc e698 d1c1 b5d6 614f 42ac a19e c564  O…….aOB….d

0x0550:  36a0 01b4 92e3 587f 5aed 4342 027b 30ef  6…..X.Z.CB.{0.

0x0560:  3fcc 7270 ce3c 5169 b639 7170 7f03 dd88  ?.rp.<Qi.9qp….

0x0570:  5af4 d287 f3ba 74cd c5f2 f7bd ab0c f1de  Z…..t………

0x0580:  ff35 5806 221f 2204 4a34 77d9 dea7 0113  .5X.”.”.J4w…..

0x0590:  7599 78e1 3803 606f 4d21 c34e 423f 7e54  u.x.8.`oM!.NB?~T

0x05a0:  1645 5cda 699c 6371 50ba 96df 8d1e 9b14  .E\.i.cqP…….

0x05b0:  d9bf 8f0a d8e6 5b23 6b0b 1740 4933 232e  ……[#k..@I3#.

0x05c0:  c998 93b8 edef 5338                      ……S8

10 packets captured

17 packets received by filter

0 packets dropped by kernel

As I stated before, you typically will not see these connections unless you set LogLevel to VERBOSE in /etc/ssh/sshd_config.

Once you do, you will see entries like these. Unless you set it to verbose, you will probably never know from the log file that you had these connections at all:

Feb 16 09:52:33 server sshd[160083]: Server listening on :: port 22.
Feb 16 09:53:06 server sshd[160196]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:06 server sshd[160196]: Connection from 87.230.54.65 port 52157
Feb 16 09:53:08 server sshd[160228]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:08 server sshd[160228]: Connection from 87.230.54.65 port 52160
Feb 16 09:53:09 server sshd[160250]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:09 server sshd[160250]: Connection from 87.230.54.65 port 48750
Feb 16 09:53:11 server sshd[160271]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:11 server sshd[160271]: Connection from 87.230.54.65 port 48753

 

One of the servers has snoopy logger installed (http://sourceforge.net/projects/snoopylogger/). This is what happens when the malicious user connects:

Feb 16 10:37:31 server sshd[170828]: Connection from 178.162.248.74 port 35754
Feb 16 10:37:32 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/bash]: bash -c sleep 7200
Feb 16 10:37:32 server snoopy[170833]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: whoami
Feb 16 10:37:33 server snoopy[170834]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/mesg]: mesg y
Feb 16 10:37:33 server snoopy[170836]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/dircolors]: dircolors -b
Feb 16 10:37:33 server snoopy[170838]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: /usr/bin/whoami
Feb 16 10:37:33 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/sleep]: sleep 7200
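The two excerpts above are the raw material for a detection: with LogLevel VERBOSE, sshd logs every "Connection from" line, and snoopy logs every exec with its uid and session id. The script below is an added example of mine, not code from the post; it reads a merged syslog stream and flags root commands that follow a connection within a few seconds with no "Accepted ..." or "Failed ..." line in between. That the backdoor login writes no such line is my assumption (the snoopy excerpt shows none), so treat hits as leads to investigate, not proof. The sample lines are constructed from the post's entries plus one invented legitimate admin login from 10.0.0.5, and the year is assumed to be 2013 because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Syslog-style lines as written by sshd (LogLevel VERBOSE) and by snoopy.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
SSHD_CONN = re.compile(TS + r" \S+ sshd\[\d+\]: Connection from (?P<ip>[\d.]+) port \d+")
SSHD_AUTH = re.compile(TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for ")
SNOOPY = re.compile(
    TS + r" \S+ snoopy\[\d+\]: \[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:\S* "
    r"cwd:\S+ filename:\S+\]: (?P<cmd>.*)$")


def parse_ts(stamp, year=2013):
    """Syslog timestamps have no year; the post's logs are from February 2013."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def analyze(lines, window_s=10):
    """Return (connections per source IP, suspicious root executions).

    A snoopy line with uid 0 is suspicious when a 'Connection from' line
    precedes it by at most window_s seconds and no Accepted/Failed line lies
    between the two (assumption: the backdoored sshd skips the normal
    authentication logging).
    """
    window = timedelta(seconds=window_s)
    conns, auths, hits, per_ip = [], [], [], {}
    for line in lines:
        m = SSHD_CONN.match(line)
        if m:
            conns.append((parse_ts(m["ts"]), m["ip"]))
            per_ip[m["ip"]] = per_ip.get(m["ip"], 0) + 1
            continue
        m = SSHD_AUTH.match(line)
        if m:
            auths.append(parse_ts(m["ts"]))
            continue
        m = SNOOPY.match(line)
        if not m or m["uid"] != "0":
            continue
        t = parse_ts(m["ts"])
        recent = [c for c in conns if timedelta(0) <= t - c[0] <= window]
        if not recent:
            continue
        conn_t, ip = recent[-1]          # latest connection inside the window
        if any(conn_t <= a <= t for a in auths):
            continue                     # a logged login explains this command
        hits.append({"ip": ip, "sid": m["sid"], "cmd": m["cmd"],
                     "delay_s": int((t - conn_t).total_seconds())})
    return per_ip, hits


# Constructed sample: lines from the post plus one normal admin login (10.0.0.5).
SAMPLE = """\
Feb 16 09:53:06 server sshd[160196]: Connection from 87.230.54.65 port 52157
Feb 16 09:53:08 server sshd[160228]: Connection from 87.230.54.65 port 52160
Feb 16 09:53:09 server sshd[160250]: Connection from 87.230.54.65 port 48750
Feb 16 09:53:11 server sshd[160271]: Connection from 87.230.54.65 port 48753
Feb 16 10:37:31 server sshd[170828]: Connection from 178.162.248.74 port 35754
Feb 16 10:37:32 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/bash]: bash -c sleep 7200
Feb 16 10:37:32 server snoopy[170833]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: whoami
Feb 16 10:37:33 server snoopy[170834]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/mesg]: mesg y
Feb 16 11:00:00 server sshd[171000]: Connection from 10.0.0.5 port 50122
Feb 16 11:00:02 server sshd[171000]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2
Feb 16 11:00:05 server snoopy[171010]: [uid:0 sid:171010 tty:pts/0 cwd:/root filename:/bin/ls]: ls -la /lib64
""".splitlines()

if __name__ == "__main__":
    counts, findings = analyze(SAMPLE)
    for ip, n in counts.items():
        print(f"{ip}: {n} connection(s)")
    for h in findings:
        print(f"ROOT EXEC {h['delay_s']}s after connect from {h['ip']} "
              f"(sid {h['sid']}): {h['cmd']}")
```

Run it against `grep -h -e sshd -e snoopy /var/log/secure /var/log/messages` piped through `analyze(sys.stdin)`; the per-IP counts alone already surface the four connections in five seconds from 87.230.54.65 that the post's log shows.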

 

INITIAL FINDINGS:

root@server [~]# rpm -qf `lsof -p 785953 | grep lib | awk '{print $9}'`
glibc-2.12-1.80.el6_3.7.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nss-util-3.13.6-1.el6_3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
krb5-libs-1.9-33.el6_3.3.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
nss-3.13.5-1.el6_3.x86_64
libcom_err-1.41.12-12.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
zlib-1.2.3-27.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
openssl-1.0.0-25.el6_3.1.x86_64
libselinux-2.0.94-5.3.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
pam-1.1.1-10.el6_2.1.x86_64
audit-libs-2.2-2.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64

 

CLEAN FILE:
root@xxxxx [~]# rpm -qf /lib64/libkeyutils.so.1.3
keyutils-libs-1.4-4.el6.x86_64
root@xxxxx [~]# rpm -V keyutils-libs-1.4-4.el6.x86_64
root@xxxxx [~]#

root@xxxx [~]# strings /lib64/libkeyutils.so.1.3
I       P
{?Nq
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
keyctl
syscall
keyctl_session_to_parent
keyctl_get_security
keyctl_get_security_alloc
malloc
realloc
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_instantiate
keyctl_read
keyctl_read_alloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
request_key
add_key
libdl.so.2
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
KEYUTILS_1.3
GLIBC_2.2.5
ATSubH
D$`H
D$ H
L$8L
D$@H
T$(H
fff.
t$ H
fffff.
fff.
t$ H
fff.
t$ H
fffff.
fff.
ffffff.
root@xxxx [~]#

 

EXPLOITED FILE:
root@xxxxx [~]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
root@xxxxx [~]#

root@xxxx [~]# strings /lib64/libkeyutils.so.1.9
0+9_
I       P
(yRU
{?N-
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
sscanf
strcmp
realloc
free
keyctl
syscall
keyctl_session_to_parent
keyctl_get_security
keyctl_get_security_alloc
malloc
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_reject
__errno_location
keyctl_instantiate
keyctl_instantiate_iov
memcpy
keyctl_read
keyctl_read_alloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
recursive_key_scan
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
recursive_session_key_scan
request_key
add_key
mprotect
dlopen
dlinfo
dlsym
sysconf
getnameinfo
strncpy
strlen
sprintf
strncmp
shmget
shmat
semget
semtimedop
shmdt
stdout
fprintf
fflush
sleep
exit
memset
time
geteuid
getpeername
getsockname
write
connect
gethostbyname
bind
__strdup
fork
waitpid
tmpfile
fseek
fread
fclose
strchr
getenv
snprintf
srand
socket
__res_state
inet_ntoa
send
keyutils_version_string
keyutils_build_string
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
KEYUTILS_1.3
KEYUTILS_1.4
GLIBC_2.3.3
GLIBC_2.2.5
%zU
%rU
%jU
%bU
%ZU
%RU
%JU
%BU
%:U
%2U
%*U
%"U
%zT
%rT
%jT
%bT
%ZT
%RT
%JT
%BT
%:T
%2T
%*T
%"T
ATSubH
=hQ
%dO
=qV
\$(t
\$(L
\$ L
AWAVAUI
ATUSH
-,T
H;\$
[]A\A]A^A_
[]A\A]A^A_
D$`H
D$ H
L$8L
D$@H
T$(H
fff.
t$ H
fffff.
l$ H
l$ H
l$ L
d$(L
l$0L
t$8L
|$@H
l$ L
d$(1
l$0L
t$81
|$@H
fff.
t$ H
ffffff.
fff.
t$ H
D$ H
fffff.
ffffff.
fffff.
fff.
ffffff.
ffffff.
fff.
5iJ
5IJ
5)J
4BH9
=^z
=Az
=)z
4BH9
=:y
=!y
=JF
=JF
=(F
=&F
ATUSH
D$8H
=lB
=:B
=!B
5QA
5TA
@[]A\
d$ H
%cr
-Er
D$(1
%mq
D$ H
%'q
=x>
=s>
=B>
=3>
\$ H
%wo
-.o
D$(1
%En
D$(1
AWHc
AUATI
l$ L
8[]A\A]A^A_
=[9
=O9
l$ H
ffff.
AUHc
[]A\A]
AVAU
l$`H
l$ H
5p7
=;7
=N6
D4`L
576
[]A\A]A^A_
l$ H
AUATU
=pg
=Lg
5E4
Lc(L
5M/
[]A\A]A^
[]A\A]A^
=E4
=84
ffffff.
ATUS~-1
5[0
[]A\D
A]A^
=u3
5s3
=b3
fffff.
l$ L
d$(L
l$0H
v!H
\$ H
l$(L
d$0H
=Y\
=f[
=n+
={,
l$ L
d$(L
l$0H
T$(I
=)^
5l,
Hc8H
=p]
=~S
=a'
=+*
t$ 1
5S)
5       )
AWAVAUATUH
=^'
t4<.t0A
= "
%}V
%UV
I+D$
T$pH
T$ I
T$0H
|$ H
|$(H
t$(H
A;D$
[]A\A]A^A_
I+D$
|$ L
D|$(A
=ZM
=]Q
=LQ
=wL
5rP
ffff.
d$ H
%[^;];%d;%d;%x;
keyring
%02x
root@xxxxx [~]#
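The CLEAN and EXPLOITED listings above are the strongest indicator in this post: a keyring helper library importing socket, System V IPC and dynamic-loader calls. The script below is an added example of mine, not code from the post or the keyutils project; it turns the side-by-side comparison into a check by keeping the symbol-looking lines of `strings` output, subtracting a known-clean baseline, and grouping what remains by the capability it implies. One caveat: the keyutils 1.4 symbols (keyctl_reject, keyctl_instantiate_iov, recursive_key_scan, keyutils_version_string, KEYUTILS_1.4) also show up when a genuine newer package is installed, so only the network, IPC, loader and process groups count as findings. The two symbol lists are transcribed from the post's output with the code-fragment strings left out, the grouping is my own, and `scan_file` assumes GNU `strings` is on PATH.

```python
import re
import subprocess

# Imports a keyring helper has no business having; the grouping is my own
# reading of what the post's unowned libkeyutils.so.1.9 pulls in.
SUSPECT = {
    "network": {"socket", "connect", "bind", "send", "gethostbyname",
                "getnameinfo", "getpeername", "getsockname", "inet_ntoa",
                "__res_state"},
    "sysv_ipc": {"shmget", "shmat", "shmdt", "semget", "semtimedop"},
    "loader": {"dlopen", "dlsym", "dlinfo", "mprotect"},
    "process": {"fork", "waitpid", "geteuid", "getenv", "tmpfile"},
}
# A libc-style symbol: optional leading underscores, then a lowercase start.
# This drops the code fragments (fff., t$ H, ATSubH ...) that strings emits.
SYMBOL = re.compile(r"^_{0,2}[a-z][A-Za-z0-9_]*$")


def symbols(strings_output):
    """The symbol-looking lines of `strings` output, as a set."""
    return {s.strip() for s in strings_output if SYMBOL.match(s.strip())}


def classify(suspect_strings, baseline_strings):
    """Return (symbols absent from the baseline, findings grouped by capability).

    Only the SUSPECT groups count as findings: a newer keyutils release adds
    symbols too (keyctl_reject, recursive_key_scan, ...), and those land in
    the first set but never in the second.
    """
    new = symbols(suspect_strings) - symbols(baseline_strings)
    grouped = {cat: sorted(new & names) for cat, names in SUSPECT.items()}
    return new, {cat: syms for cat, syms in grouped.items() if syms}


def scanf_formats(strings_output):
    """sscanf scansets such as the post's '%[^;];%d;%d;%x;'; a keyring
    library has no delimited records to parse."""
    return [s.strip() for s in strings_output if "%[" in s]


def scan_file(path, baseline_strings):
    """Run `strings` (assumed on PATH) on a library and classify it."""
    out = subprocess.run(["strings", path], capture_output=True, text=True,
                         check=True).stdout.splitlines()
    return classify(out, baseline_strings), scanf_formats(out)


# Transcribed from the post: strings of the packaged libkeyutils.so.1.3 ...
CLEAN = """__gmon_start__ _init _fini __cxa_finalize _Jv_RegisterClasses keyctl syscall
keyctl_session_to_parent keyctl_get_security keyctl_get_security_alloc malloc realloc
keyctl_assume_authority keyctl_set_timeout keyctl_set_reqkey_keyring keyctl_negate
keyctl_instantiate keyctl_read keyctl_read_alloc keyctl_search keyctl_unlink keyctl_link
keyctl_clear keyctl_describe keyctl_describe_alloc keyctl_setperm keyctl_chown
keyctl_revoke keyctl_update keyctl_join_session_keyring keyctl_get_keyring_ID request_key
add_key libdl.so.2 libc.so.6 _edata __bss_start _end libkeyutils.so.1 KEYUTILS_0.3
KEYUTILS_1.0 KEYUTILS_1.3 GLIBC_2.2.5""".split()

# ... and of the unowned libkeyutils.so.1.9 (code-fragment lines left out).
EXPLOITED = [s for s in CLEAN if s != "libdl.so.2"] + """sscanf strcmp free
keyctl_reject __errno_location keyctl_instantiate_iov memcpy recursive_key_scan
recursive_session_key_scan mprotect dlopen dlinfo dlsym sysconf getnameinfo strncpy
strlen sprintf strncmp shmget shmat semget semtimedop shmdt stdout fprintf fflush sleep
exit memset time geteuid getpeername getsockname write connect gethostbyname bind
__strdup fork waitpid tmpfile fseek fread fclose strchr getenv snprintf srand socket
__res_state inet_ntoa send keyutils_version_string keyutils_build_string KEYUTILS_1.4
GLIBC_2.3.3 keyring""".split() + ["%[^;];%d;%d;%x;", "%02x"]

if __name__ == "__main__":
    new, findings = classify(EXPLOITED, CLEAN)
    print("symbols not in baseline:", len(new))
    for cat, syms in findings.items():
        print(f"  {cat}: {', '.join(syms)}")
    print("scanf formats:", scanf_formats(EXPLOITED))
```

In practice the baseline is `strings` of the library from a freshly downloaded keyutils-libs RPM of the same version, not a file copied from another host you have not verified; `rpm -V keyutils-libs` stays the authoritative check for the packaged file, and this comparison is for the unowned one rpm knows nothing about.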

 

SEEN LOGGED:

Feb 18 07:28:03 server1 snoopy[20446]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:03 server1 snoopy[20448]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:03 server1 snoopy[20449]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -i Feb 18 07
Feb 18 07:28:04 server1 snoopy[20452]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:04 server1 snoopy[20453]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi Feb 18 07
Feb 18 07:28:04 server1 snoopy[20454]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:04 server1 snoopy[20455]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep Feb 18 07
Feb 18 07:28:05 server1 snoopy[20469]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20471]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/notify.log
Feb 18 07:28:05 server1 snoopy[20472]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi 46.105.20.166|46.105.20.166
Feb 18 07:28:05 server1 snoopy[20473]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20474]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20477]: [uid:0 sid:20392 tty: cwd:/root filename:/usr/bin/ssh]: ssh -G1 -V
Feb 18 07:28:05 server1 snoopy[20478]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep illegal
Feb 18 07:28:05 server1 snoopy[21505]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /etc/redhat-release
Feb 18 07:28:05 server1 snoopy[21509]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -i UseLogin /etc/ssh/sshd_config
Feb 18 07:28:05 server1 snoopy[21510]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -v ^#
Feb 18 07:28:06 server1 snoopy[21517]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chown]: chown root:root libzz8d70
Feb 18 07:28:06 server1 snoopy[21518]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chmod]: chmod 755 libzz8d70
Feb 18 07:28:06 server1 snoopy[21519]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libzz8d70 libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21520]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/ln]: ln -s libkeyutils.so.1.9 libkeyutils.so.n
Feb 18 07:28:06 server1 snoopy[21521]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libkeyutils.so.n libkeyutils.so.1
Feb 18 07:28:06 server1 snoopy[21522]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/touch]: touch -c -r libkeyutils-1.2.so libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21524]: [uid:0 sid:20392 tty: cwd:/lib filename:/usr/bin/ldd]: ldd /usr/sbin/sshd
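The snoopy trail above is the whole installation sequence: a file with a throw-away name (libzz8d70) is dropped into /lib, given root:root and mode 755, renamed to libkeyutils.so.1.9, the libkeyutils.so.1 symlink is swapped to point at it, and `touch -c -r libkeyutils-1.2.so` copies the genuine library's modification time onto it so that `ls -la` shows nothing unusual. Two things those commands cannot fix: the inode change time (ctime), which the kernel stamps with the time of the touch call itself, and RPM ownership. The script below is an added example of mine, not code from the post; it flags libkeyutils* files whose ctime is far newer than their siblings' (rpm installs a package's files together, so their ctimes cluster) and reports a sibling with an identical mtime as the likely source of the copied timestamp, lists where the symlinks point, and parses `rpm -qf` output of the kind shown under INITIAL FINDINGS. The (mtime, ctime) pairs and the rpm output in the demo are constructed, because a ctime cannot be backdated from user space for a test; `rpm` is only invoked when it is present.

```python
import os
import shutil
import stat
import subprocess
import tempfile

LIB_DIRS = ("/lib", "/lib64")
PREFIX = "libkeyutils"
NOT_OWNED = "is not owned by any package"


def parse_rpm_qf(output):
    """Files that `rpm -qf` reports as unowned, from lines such as the post's
    'file /lib64/libkeyutils.so.1.9 is not owned by any package'."""
    return [line.split()[1] for line in output.splitlines() if NOT_OWNED in line]


def unowned_files(paths):
    """Ask rpm which of `paths` belong to no package (empty when rpm is absent)."""
    if not paths or shutil.which("rpm") is None:
        return []
    out = subprocess.run(["rpm", "-qf", *paths], capture_output=True, text=True).stdout
    return parse_rpm_qf(out)


def collect_stats(directory, prefix=PREFIX):
    """(mtime, ctime) of every regular libkeyutils* file in a directory."""
    stats = {}
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if name.startswith(prefix) and stat.S_ISREG(st.st_mode):
            stats[name] = (st.st_mtime, st.st_ctime)
    return stats


def timestomp_suspects(stats, slack_s=86400):
    """Files whose ctime is far newer than the earliest sibling's.  `touch -c -r`
    copies mtime from the genuine library, but the kernel sets ctime to the
    time of that call, so the planted file stands out; a sibling with the
    same mtime is reported as the probable source of the copied timestamp."""
    if len(stats) < 2:
        return []
    earliest = min(ctime for _, ctime in stats.values())
    suspects = []
    for name, (mtime, ctime) in stats.items():
        if ctime - earliest <= slack_s:
            continue
        twins = [n for n, (m, _) in stats.items() if n != name and int(m) == int(mtime)]
        suspects.append({"file": name, "ctime_lag_s": int(ctime - earliest),
                         "mtime_copied_from": twins})
    return suspects


def symlink_targets(directory, prefix=PREFIX):
    """Where each libkeyutils* symlink points; on the post's host
    libkeyutils.so.1 -> libkeyutils.so.1.9 instead of the packaged file."""
    out = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.startswith(prefix) and os.path.islink(path):
            out[name] = os.readlink(path)
    return out


def audit(dirs=LIB_DIRS, prefix=PREFIX):
    """Run the three checks over the real library directories."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        stats = collect_stats(d, prefix)
        report[d] = {"timestomp": timestomp_suspects(stats),
                     "links": symlink_targets(d, prefix),
                     "unowned": unowned_files([os.path.join(d, n) for n in stats])}
    return report


# Constructed (mtime, ctime) pairs modelling the trail: the packaged file keeps
# its build mtime and an install-time ctime; the planted file got the same
# mtime via `touch -c -r` but a ctime from the time of the intrusion.
DEMO_STATS = {
    "libkeyutils-1.2.so": (1300000000.0, 1320000000.0),
    "libkeyutils.so.1.9": (1300000000.0, 1361000000.0),
}

# Constructed rpm -qf output, copied from the post's INITIAL FINDINGS.
DEMO_RPM = """glibc-2.12-1.80.el6_3.7.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
krb5-libs-1.9-33.el6_3.3.x86_64
"""


def build_demo_dir():
    """Temporary directory reproducing the post's symlink swap."""
    d = tempfile.mkdtemp(prefix="libkeyutils-demo-")
    for name in ("libkeyutils-1.2.so", "libkeyutils.so.1.9"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\x7fELF")            # placeholder bytes, not a real library
    os.symlink("libkeyutils.so.1.9", os.path.join(d, "libkeyutils.so.1"))
    return d


if __name__ == "__main__":
    print("timestomp:", timestomp_suspects(DEMO_STATS))
    print("unowned:", parse_rpm_qf(DEMO_RPM))
    print("links:", symlink_targets(build_demo_dir()))
    print("this host:", audit())
```

The ctime heuristic is a lead, not a verdict: a legitimate `yum update keyutils-libs` also writes new files with fresh ctimes, but then every file of the package moves together and `rpm -qf` owns all of them, which is exactly what the unowned check distinguishes.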

 

REF: http://www.webhostingtalk.com/showthread.php?t=1235797
