We are currently still tracing this exploit and here is what we do know so far:
HOW TO FIND OUT IF YOU HAVE BEEN ROOTED:
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9
If you find the file and RPM shows “is not owned by any package” you have been rooted.
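The same check in scripted form, for running across many servers (an added example, not part of the original post). The RPM_BIN override and the optional root-prefix argument are assumptions of this sketch; they let the check be pointed at a mounted disk image or exercised with a stand-in for rpm.

```shell
#!/bin/sh
# Added example: scripted form of the ls + rpm -qf check from the post.
# Assumptions (not from the post): the RPM_BIN override and the ROOT prefix.
RPM_BIN="${RPM_BIN:-rpm}"

# check_libkeyutils [ROOT]
#   ROOT is an optional prefix such as /mnt/image (empty = the live system).
#   Returns 0 = nothing suspicious
#           1 = library present and not owned by any package
#           2 = library present but ownership could not be determined
check_libkeyutils() {
    ck_root="${1:-}"
    ck_rc=0
    for ck_path in /lib64/libkeyutils.so.1.9 /lib/libkeyutils.so.1.9; do
        # -L also catches a dangling symlink planted under that name.
        if [ ! -e "${ck_root}${ck_path}" ] && [ ! -L "${ck_root}${ck_path}" ]; then
            echo "absent   ${ck_path}"
            continue
        fi
        # With a ROOT prefix, rpm's own --root option selects that tree's database.
        if ck_out=$("$RPM_BIN" ${ck_root:+--root "$ck_root"} -qf "$ck_path" 2>&1); then
            echo "owned    ${ck_path} (${ck_out})"
        else
            case "$ck_out" in
                *"is not owned by any package"*)
                    echo "UNOWNED  ${ck_path}"
                    ck_rc=1
                    ;;
                *)
                    # rpm missing, database unreadable, and so on.
                    echo "unknown  ${ck_path}: ${ck_out}"
                    if [ "$ck_rc" -eq 0 ]; then ck_rc=2; fi
                    ;;
            esac
        fi
    done
    return "$ck_rc"
}

# Run as: sh check.sh scan [ROOT]
if [ "${1:-}" = "scan" ]; then
    check_libkeyutils "${2:-}"
fi
```

A non-zero exit status makes the result easy to collect from a loop over hosts.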
Currently known affected OSes: RHEL-based servers
Currently known affected control panels: cPanel, DirectAdmin, and Plesk
We do not know whether control panels are the reason or not.
Servers with ksplice have been exploited.
WHAT WE KNOW:
- I have scoured over CVEs for the Linux kernel up to the latest 3.x version and I didn’t see anything relevant that would cause it in the CentOS kernels.
- SSHDs running on non-normal ports have been compromised.
- We think it is some daemon exploit and not a privilege escalation via the kernel. Some boxes running CageFS were exploited, and if the exploit had been delivered via an end-user account, /lib & /lib64 wouldn’t be available to the attacker (it would be a copy of those directories instead). So, unless the hacker explicitly made a workaround to deal with CageFS (which is probably possible with a ptrace kernel exploit, but highly unlikely), that library would never make it to /lib & /lib64.
- The data sent to that port 53 connection is not a normal DNS packet as far as I can tell.
- Servers with the latest CentOS/CloudLinux have been compromised. Both versions 5 and 6.
- The earliest server I have seen exploited was in late December.
- The strings in the lib libkeyutils.so.1.9 are different and changing. One was reported to not have the external port 53 call compiled in it.
- The connections are not typically logged in /var/log/secure UNLESS you raise the log level to verbose. I originally found the connections using lsof, which is also how I tracked down the outbound SMTP connections.
- When you strace sshd and log in to the server normally, there is an outbound port 53 connection to an IP address that is not in /etc/resolv.conf.
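One way to automate the strace observation in the last item, as an added example that is not part of the original post: it extracts every port-53 destination from an strace log of sshd and reports those that are not nameservers in resolv.conf. The function names, file arguments and sample addresses are constructed for illustration, and only IPv4 socket addresses are matched.

```shell
#!/bin/sh
# Added example: flag port-53 peers seen in an strace of sshd that are not
# configured resolvers. Capture the log with something like
#   strace -f -e trace=network -o sshd.trace -p <pid of the listening sshd>
# and then log in normally, as the post describes.

# rogue_dns_peers STRACE_LOG [RESOLV_CONF]
#   Prints one IPv4 address per line; prints nothing when every port-53
#   destination is a nameserver listed in RESOLV_CONF.
rogue_dns_peers() {
    rd_log="$1"
    rd_resolv="${2:-/etc/resolv.conf}"
    # Configured resolvers, one per line.
    rd_ns=$(awk '$1 == "nameserver" { print $2 }' "$rd_resolv")
    # strace prints a socket address as
    #   {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}
    # whichever syscall carries it, so match the address rather than the call.
    sed -n 's/.*sin_port=htons(53), sin_addr=inet_addr("\([0-9.]*\)").*/\1/p' "$rd_log" |
        sort -u |
        while read -r rd_ip; do
            printf '%s\n' "$rd_ns" | grep -qxF -- "$rd_ip" || printf '%s\n' "$rd_ip"
        done
}

# Constructed sample input (documentation addresses, not from the incident).
rogue_dns_demo() {
    rd_tmp=$(mktemp -d) || return 1
    printf 'search example.test\nnameserver 192.0.2.53\n' > "$rd_tmp/resolv.conf"
    cat > "$rd_tmp/sshd.trace" <<'EOF'
4021  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
4021  sendto(5, "\0\1", 2, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.51.100.77")}, 16) = 2
4021  connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
4022  sendto(5, "\0\1", 2, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.51.100.77")}, 16) = 2
EOF
    rogue_dns_peers "$rd_tmp/sshd.trace" "$rd_tmp/resolv.conf"
    rm -rf "$rd_tmp"
}

# Run as: sh rogue_dns.sh demo
if [ "${1:-}" = "demo" ]; then
    rogue_dns_demo
fi
```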
Here is something also that is interesting…
– They will connect to MULTIPLE IPs on the same server.
root@xxxxx [~]# netstat -n |grep 87.230.54.65
tcp 0 0 xxx.xxx.xxx.84:22 87.230.54.65:51101 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.9:22 87.230.54.65:54288 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.147:22 87.230.54.65:35982 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.12:22 87.230.54.65:33467 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.246:22 87.230.54.65:59694 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.24:22 87.230.54.65:42571 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.36:22 87.230.54.65:55064 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.62:22 87.230.54.65:57357 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.46:22 87.230.54.65:50876 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.59:22 87.230.54.65:51425 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.235:22 87.230.54.65:48760 ESTABLISHED
tcp 0 112 xxx.xxx.xxx.155:22 87.230.54.65:52329 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.125:22 87.230.54.65:60776 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.27:22 87.230.54.65:36775 ESTABLISHED
tcp 0 112 xxx.xxx.xxx.185:22 87.230.54.65:44919 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.101:22 87.230.54.65:44025 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.163:22 87.230.54.65:38346 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.158:22 87.230.54.65:59424 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.89:22 87.230.54.65:32780 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.29:22 87.230.54.65:39850 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.70:22 87.230.54.65:36001 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.57:22 87.230.54.65:48533 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.211:22 87.230.54.65:58030 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.227:22 87.230.54.65:38784 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.4:22 87.230.54.65:40025 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.238:22 87.230.54.65:41285 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.171:22 87.230.54.65:57272 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.248:22 87.230.54.65:35473 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.197:22 87.230.54.65:50670 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.113:22 87.230.54.65:44296 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.137:22 87.230.54.65:53060 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.245:22 87.230.54.65:35150 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.54:22 87.230.54.65:37230 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.128:22 87.230.54.65:39850 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.126:22 87.230.54.65:53901 ESTABLISHED
tcp 0 64 xxx.xxx.xxx.188:22 87.230.54.65:39340 ESTABLISHED
tcp 0 0 xxx.xxx.xxx.96:22 87.230.54.65:51755 ESTABLISHED
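To pick this pattern out of `netstat -n` output without knowing the remote address in advance, the following added example (not part of the original post) counts, per remote host, how many distinct local addresses it holds ESTABLISHED connections to on the sshd port. The function names, the threshold argument and the sample lines are constructed; the port is a parameter because sshd on non-normal ports was also hit.

```shell
#!/bin/sh
# Added example: find remote hosts holding ESTABLISHED connections to sshd on
# several different local addresses of one server, from `netstat -n` output.

# ssh_fanin [PORT] [MIN]      (reads netstat -n output on stdin)
#   Prints "<remote address> <distinct local addresses>" for every remote
#   connected to local PORT on at least MIN different local addresses,
#   highest count first.
ssh_fanin() {
    awk -v port="${1:-22}" -v min="${2:-2}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # Split on the last colon so address:port parses for any address form.
            lport = $4; sub(/^.*:/, "", lport)
            laddr = substr($4, 1, length($4) - length(lport) - 1)
            raddr = $5; sub(/:[^:]*$/, "", raddr)
            if (lport != port) next
            # Count each (remote, local address) pair once, however many
            # connections it carries.
            if (!((raddr, laddr) in seen)) { seen[raddr, laddr] = 1; n[raddr]++ }
        }
        END { for (r in n) if (n[r] >= min) print r, n[r] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample input (documentation addresses, not from the incident).
ssh_fanin_demo() {
    ssh_fanin "${1:-22}" "${2:-2}" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.0.2.10:22 203.0.113.7:51101 ESTABLISHED
tcp 0 0 192.0.2.11:22 203.0.113.7:54288 ESTABLISHED
tcp 0 112 192.0.2.12:22 203.0.113.7:35982 ESTABLISHED
tcp 0 0 192.0.2.10:22 203.0.113.7:40000 ESTABLISHED
tcp 0 0 192.0.2.10:22 198.51.100.9:40025 ESTABLISHED
tcp 0 0 192.0.2.10:443 203.0.113.8:40025 ESTABLISHED
tcp 0 0 192.0.2.11:443 203.0.113.8:40026 ESTABLISHED
tcp 0 0 192.0.2.13:22 203.0.113.7:40001 TIME_WAIT
EOF
}

# Run as: netstat -n | sh ssh_fanin.sh scan [PORT] [MIN]
if [ "${1:-}" = "scan" ]; then
    ssh_fanin "${2:-22}" "${3:-2}"
fi
```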
Example of those ‘sleep’ processes I mentioned earlier:
root 149848 0.0 0.0 100904 588 ? Ss 09:09 0:00 sleep 7200
root 149942 0.0 0.0 100904 592 ? Ss 09:09 0:00 sleep 7200
root 150005 0.0 0.0 100904 592 ? Ss 09:09 0:00 sleep 7200
root 150406 0.0 0.0 66952 3520 ? Ss 09:10 0:00 sshd: root@notty
root 150413 0.0 0.0 100904 592 ? Ss 09:10 0:00 sleep 7200
root 150702 0.0 0.0 100904 592 ? Ss 09:12 0:00 sleep 7200
root 151066 0.0 0.0 66772 3444 ? Ss 09:14 0:00 sshd: root@notty
root 151070 0.0 0.0 100904 596 ? Ss 09:14 0:00 sleep 7200
root 151576 0.0 0.0 66928 3472 ? Ss 09:16 0:00 sshd: root@notty
root 151585 0.0 0.0 100904 592 ? Ss 09:16 0:00 sleep 7200
root 151699 0.0 0.0 100904 596 ? Ss 09:16 0:00 sleep 7200
root 151736 0.0 0.0 66748 3416 ? Ss 09:16 0:00 sshd: root@notty
root 151739 0.0 0.0 100904 596 ? Ss 09:17 0:00 sleep 7200
root 151855 0.0 0.0 66824 3452 ? Ss 09:17 0:00 sshd: root@notty
root 151859 0.0 0.0 100904 596 ? Ss 09:17 0:00 sleep 7200
root 152382 0.0 0.0 66964 3528 ? Ss 09:20 0:00 sshd: root@notty
root 152388 0.0 0.0 100904 592 ? Ss 09:20 0:00 sleep 7200
root 152615 0.0 0.0 66824 3464 ? Ss 09:21 0:00 sshd: root@notty
root 152619 0.0 0.0 100904 596 ? Ss 09:21 0:00 sleep 7200
root 152706 0.0 0.0 66792 3448 ? Ss 09:21 0:00 sshd: root@notty
root 152720 0.0 0.0 100904 592 ? Ss 09:21 0:00 sleep 7200
root 152735 0.0 0.0 66792 3448 ? Ss 09:21 0:00 sshd: root@notty
root 152745 0.0 0.0 100904 592 ? Ss 09:21 0:00 sleep 7200
root 152902 0.0 0.0 66748 3416 ? Ss 09:22 0:00 sshd: root@notty
root 152906 0.0 0.0 100904 592 ? Ss 09:22 0:00 sleep 7200
root 153288 0.0 0.0 66852 3432 ? Ss 09:24 0:00 sshd: root@notty
root 153295 0.0 0.0 100904 592 ? Ss 09:24 0:00 sleep 7200
root 153406 0.0 0.0 100904 592 ? Ss 09:24 0:00 sleep 7200
root 153439 0.0 0.0 66824 3416 ? Ss 09:24 0:00 sshd: root@notty
root 153443 0.0 0.0 100904 596 ? Ss 09:24 0:00 sleep 7200
root 153968 0.0 0.0 66792 3404 ? Ss 09:26 0:00 sshd: root@notty
root 153977 0.0 0.0 100904 592 ? Ss 09:26 0:00 sleep 7200
root 154014 0.0 0.0 100904 596 ? Ss 09:26 0:00 sleep 7200
root 154055 0.0 0.0 66824 3476 ? Ss 09:27 0:00 sshd: root@notty
root 154061 0.0 0.0 100904 596 ? Ss 09:27 0:00 sleep 7200
root 154086 0.0 0.0 66952 3520 ? Ss 09:27 0:00 sshd: root@notty
root 154092 0.0 0.0 100904 596 ? Ss 09:27 0:00 sleep 7200
root 154372 0.0 0.0 66748 3380 ? Ss 09:28 0:00 sshd: root@notty
root 154376 0.0 0.0 100904 596 ? Ss 09:28 0:00 sleep 7200
root 154813 0.0 0.0 66760 3432 ? Ss 09:30 0:00 sshd: root@notty
root 154817 0.0 0.0 100904 596 ? Ss 09:30 0:00 sleep 7200
Here are 10 packets from tcpdump:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
09:43:58.821991 IP (tos 0x0, ttl 49, id 57719, offset 0, flags [DF], proto TCP (6), length 52)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xa254 (correct), seq 3312262149, ack 1665226106, win 501, options [nop,nop,TS val 885093176 ecr 4154428085], length 0
09:43:58.831253 IP (tos 0x0, ttl 49, id 57720, offset 0, flags [DF], proto TCP (6), length 100)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [P.], cksum 0x5e95 (correct), seq 3312262149:3312262197, ack 1665226106, win 501, options [nop,nop,TS val 885093186 ecr 4154428085], length 48
09:43:58.958927 IP (tos 0x8, ttl 50, id 59178, offset 0, flags [DF], proto TCP (6), length 52)
87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [.], cksum 0x2bf6 (correct), seq 3258834673, ack 460063979, win 501, options [nop,nop,TS val 885093313 ecr 4154428222], length 0
09:43:58.965112 IP (tos 0x8, ttl 50, id 59179, offset 0, flags [DF], proto TCP (6), length 100)
87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [P.], cksum 0x5491 (correct), seq 3258834673:3258834721, ack 460063979, win 501, options [nop,nop,TS val 885093319 ecr 4154428222], length 48
09:43:59.121882 IP (tos 0x0, ttl 49, id 57721, offset 0, flags [DF], proto TCP (6), length 148)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [P.], cksum 0x86c3 (correct), seq 3312262197:3312262293, ack 1665226186, win 501, options [nop,nop,TS val 885093476 ecr 4154428378], length 96
09:43:59.122374 IP (tos 0x0, ttl 49, id 57722, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0x1da4 (correct), seq 3312262293:3312263721, ack 1665226186, win 501, options [nop,nop,TS val 885093476 ecr 4154428378], length 1428
09:43:59.122787 IP (tos 0x0, ttl 49, id 57723, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xb3b1 (correct), seq 3312263721:3312265149, ack 1665226186, win 501, options [nop,nop,TS val 885093477 ecr 4154428378], length 1428
09:43:59.248193 IP (tos 0x8, ttl 50, id 59180, offset 0, flags [DF], proto TCP (6), length 100)
87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [P.], cksum 0x4a13 (correct), seq 3258834721:3258834769, ack 460064107, win 501, options [nop,nop,TS val 885093603 ecr 4154428505], length 48
09:43:59.252714 IP (tos 0x0, ttl 49, id 57724, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0x5342 (correct), seq 3312265149:3312266577, ack 1665226186, win 501, options [nop,nop,TS val 885093607 ecr 4154428516], length 1428
09:43:59.253591 IP (tos 0x0, ttl 49, id 57725, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xcdaf (correct), seq 3312266577:3312268005, ack 1665226186, win 501, options [nop,nop,TS val 885093607 ecr 4154428516], length 1428
0x0450: 960b e62c ea5e 9cc6 45a4 9c05 c05f e4ca ...,.^..E...._..
0x0460: 9b05 ee14 eff0 9f0f f4ad 7f09 2a44 bb59 ............*D.Y
0x0470: e539 6857 620e 5b39 5ccb 45df 27a2 5890 .9hWb.[9\.E.'.X.
0x0480: 6667 7d6f bc6c bb64 36db 6dc4 17ee 2d36 fg}o.l.d6.m...-6
0x0490: ca15 3630 c8d2 e568 db54 4919 52ef c85e ..60...h.TI.R..^
0x04a0: 66f4 6cd7 5b9f 192c 6996 2449 e18f 57cd f.l.[..,i.$I..W.
0x04b0: 26c8 c83e 6d53 51df 1b0b 6135 d2e8 10e5 &..>mSQ...a5....
0x04c0: 1af2 0448 ec5e 3454 8455 b61e 4299 25ab ...H.^4T.U..B.%.
0x04d0: 1ab9 0277 135a 795a 208f 041e 00f0 643f ...w.ZyZ......d?
0x04e0: 7cf0 3c1b 0efc eeaf 3318 4cd2 7a02 9892 |.<.....3.L.z...
0x04f0: ad5f f88b 8636 d2a5 d93c 6cc9 7b4d bd4b ._...6...<l.{M.K
0x0500: 8927 12c4 6552 7acd 9575 c3fb bd7c 5efb .'..eRz..u...|^.
0x0510: 06d1 6321 bae7 47ce 4afe a668 def2 d905 ..c!..G.J..h....
0x0520: 24c0 5084 7d61 d5b7 9cd8 35e6 1717 0dc5 $.P.}a....5.....
0x0530: 75ad 8bcf c931 96ca 813e f2b5 a3eb 54ed u....1...>....T.
0x0540: 4ffc e698 d1c1 b5d6 614f 42ac a19e c564 O.......aOB....d
0x0550: 36a0 01b4 92e3 587f 5aed 4342 027b 30ef 6.....X.Z.CB.{0.
0x0560: 3fcc 7270 ce3c 5169 b639 7170 7f03 dd88 ?.rp.<Qi.9qp....
0x0570: 5af4 d287 f3ba 74cd c5f2 f7bd ab0c f1de Z.....t.........
0x0580: ff35 5806 221f 2204 4a34 77d9 dea7 0113 .5X.".".J4w.....
0x0590: 7599 78e1 3803 606f 4d21 c34e 423f 7e54 u.x.8.`oM!.NB?~T
0x05a0: 1645 5cda 699c 6371 50ba 96df 8d1e 9b14 .E\.i.cqP.......
0x05b0: d9bf 8f0a d8e6 5b23 6b0b 1740 4933 232e ......[#k..@I3#.
0x05c0: c998 93b8 edef 5338 ......S8
10 packets captured
17 packets received by filter
0 packets dropped by kernel
As I stated before, you typically will not see connections unless you set the loglevel to verbose in /etc/ssh/sshd_config.
Unless you set it to verbose, you probably will never even know you had connections based on the log file. After you do, you will see these:
Feb 16 09:52:33 server sshd[160083]: Server listening on :: port 22.
Feb 16 09:53:06 server sshd[160196]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:06 server sshd[160196]: Connection from 87.230.54.65 port 52157
Feb 16 09:53:08 server sshd[160228]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:08 server sshd[160228]: Connection from 87.230.54.65 port 52160
Feb 16 09:53:09 server sshd[160250]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:09 server sshd[160250]: Connection from 87.230.54.65 port 48750
Feb 16 09:53:11 server sshd[160271]: Set /proc/self/oom_score_adj to 0
Feb 16 09:53:11 server sshd[160271]: Connection from 87.230.54.65 port 48753
On one of the servers I have snoopy logger on it:
http://sourceforge.net/projects/snoopylogger/
This is what happens on a connection from a malicious user:
Feb 16 10:37:31 server sshd[170828]: Connection from 178.162.248.74 port 35754
Feb 16 10:37:32 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/bash]: bash -c sleep 7200
Feb 16 10:37:32 server snoopy[170833]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: whoami
Feb 16 10:37:33 server snoopy[170834]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/mesg]: mesg y
Feb 16 10:37:33 server snoopy[170836]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/dircolors]: dircolors -b
Feb 16 10:37:33 server snoopy[170838]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: /usr/bin/whoami
Feb 16 10:37:33 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/sleep]: sleep 7200
INITIAL FINDINGS:
root@server [~]# rpm -qf `lsof -p 785953 | grep lib | awk '{print $9}'`
glibc-2.12-1.80.el6_3.7.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nss-util-3.13.6-1.el6_3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
krb5-libs-1.9-33.el6_3.3.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
nss-3.13.5-1.el6_3.x86_64
libcom_err-1.41.12-12.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
zlib-1.2.3-27.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
openssl-1.0.0-25.el6_3.1.x86_64
libselinux-2.0.94-5.3.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
pam-1.1.1-10.el6_2.1.x86_64
audit-libs-2.2-2.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
CLEAN FILE:
root@xxxxx [~]# rpm -qf /lib64/libkeyutils.so.1.3
keyutils-libs-1.4-4.el6.x86_64
root@xxxxx [~]# rpm -V keyutils-libs-1.4-4.el6.x86_64
root@xxxxx [~]#
root@xxxx [~]# strings /lib64/libkeyutils.so.1.3
I P
{?Nq
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
keyctl
syscall
keyctl_session_to_parent
keyctl_get_security
keyctl_get_security_alloc
malloc
realloc
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_instantiate
keyctl_read
keyctl_read_alloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
request_key
add_key
libdl.so.2
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
KEYUTILS_1.3
GLIBC_2.2.5
root@xxxx [~]#
EXPLOITED FILE:
root@xxxxx [~]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
root@xxxxx [~]#
root@xxxx [~]# strings /lib64/libkeyutils.so.1.9
0+9_
I P
(yRU
{?N-
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
sscanf
strcmp
realloc
free
keyctl
syscall
keyctl_session_to_parent
keyctl_get_security
keyctl_get_security_alloc
malloc
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_reject
__errno_location
keyctl_instantiate
keyctl_instantiate_iov
memcpy
keyctl_read
keyctl_read_alloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
recursive_key_scan
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
recursive_session_key_scan
request_key
add_key
mprotect
dlopen
dlinfo
dlsym
sysconf
getnameinfo
strncpy
strlen
sprintf
strncmp
shmget
shmat
semget
semtimedop
shmdt
stdout
fprintf
fflush
sleep
exit
memset
time
geteuid
getpeername
getsockname
write
connect
gethostbyname
bind
__strdup
fork
waitpid
tmpfile
fseek
fread
fclose
strchr
getenv
snprintf
srand
socket
__res_state
inet_ntoa
send
keyutils_version_string
keyutils_build_string
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
KEYUTILS_1.3
KEYUTILS_1.4
GLIBC_2.3.3
GLIBC_2.2.5
%[^;];%d;%d;%x;
keyring
%02x
root@xxxxx [~]#
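The exploited listing above differs from the clean one mainly in what it imports: socket, process and loader calls that a key-management library does not need. The check below is an added example, not part of the original post; the function names and the suspect list (built from the two listings) are this example's own, and the sample inputs are constructed from a few lines of each listing.

```shell
#!/bin/sh
# Added example (not from the original post): flag imported symbol names
# that a key-management library has no reason to reference.

# Calls that appear in the EXPLOITED listing but not in the CLEAN one.
SUSPECT_SYMBOLS='socket connect bind send gethostbyname getnameinfo
getpeername getsockname inet_ntoa fork waitpid dlopen dlsym mprotect
shmget shmat semget tmpfile'

# flag_unexpected_imports: read one string per line on stdin (for example
# the output of: strings /lib64/libkeyutils.so.1.9) and print every line
# that is exactly one of the suspect names, sorted and de-duplicated.
flag_unexpected_imports() {
    # Unquoted on purpose: word-split the list into one pattern per line.
    patterns=$(printf '%s\n' $SUSPECT_SYMBOLS)
    grep -x -F -e "$patterns" | sort -u
}

# Constructed samples: a few lines taken from each listing on this page.
sample_clean() {
    printf '%s\n' keyctl syscall malloc realloc request_key add_key \
        libdl.so.2 libc.so.6 KEYUTILS_1.3
}
sample_exploited() {
    printf '%s\n' keyctl syscall malloc request_key add_key mprotect \
        dlopen fork connect gethostbyname socket send
}

# count_hits <sample-function>: number of suspect names in that sample.
count_hits() {
    "$1" | flag_unexpected_imports | wc -l | tr -d ' '
}

echo "clean:     $(count_hits sample_clean) suspect imports"
echo "exploited: $(count_hits sample_exploited) suspect imports"
sample_exploited | flag_unexpected_imports
```

An empty result does not clear a file: the strings differ between copies of the library, so the rpm -qf ownership check stays the primary test.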
SEEN LOGGED:
Feb 18 07:28:03 server1 snoopy[20446]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:03 server1 snoopy[20448]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:03 server1 snoopy[20449]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -i Feb 18 07
Feb 18 07:28:04 server1 snoopy[20452]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:04 server1 snoopy[20453]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi Feb 18 07
Feb 18 07:28:04 server1 snoopy[20454]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:04 server1 snoopy[20455]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep Feb 18 07
Feb 18 07:28:05 server1 snoopy[20469]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20471]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/notify.log
Feb 18 07:28:05 server1 snoopy[20472]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi 46.105.20.166|46.105.20.166
Feb 18 07:28:05 server1 snoopy[20473]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20474]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20477]: [uid:0 sid:20392 tty: cwd:/root filename:/usr/bin/ssh]: ssh -G1 -V
Feb 18 07:28:05 server1 snoopy[20478]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep illegal
Feb 18 07:28:05 server1 snoopy[21505]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /etc/redhat-release
Feb 18 07:28:05 server1 snoopy[21509]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -i UseLogin /etc/ssh/sshd_config
Feb 18 07:28:05 server1 snoopy[21510]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -v ^#
Feb 18 07:28:06 server1 snoopy[21517]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chown]: chown root:root libzz8d70
Feb 18 07:28:06 server1 snoopy[21518]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chmod]: chmod 755 libzz8d70
Feb 18 07:28:06 server1 snoopy[21519]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libzz8d70 libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21520]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/ln]: ln -s libkeyutils.so.1.9 libkeyutils.so.n
Feb 18 07:28:06 server1 snoopy[21521]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libkeyutils.so.n libkeyutils.so.1
Feb 18 07:28:06 server1 snoopy[21522]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/touch]: touch -c -r libkeyutils-1.2.so libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21524]: [uid:0 sid:20392 tty: cwd:/lib filename:/usr/bin/ldd]: ldd /usr/sbin/sshd
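The sequence logged above (a staged file moved over libkeyutils.so.1.9, the libkeyutils.so.1 symlink repointed, then touch -c -r copying the timestamp of libkeyutils-1.2.so onto the new file) can be searched for in snoopy logs. This is an added example, not part of the original post; the function and rule names are this example's own, and the sample input is the /lib lines from the excerpt plus one other line from it.

```shell
#!/bin/sh
# Added example, not from the original post: scan snoopy exec logs for
# shared-library tampering like the sequence in the SEEN LOGGED excerpt.

# flag_lib_tampering: read snoopy lines on stdin and print one
# "sid=<n> rule=<name> cmd=<command>" line per suspicious command.
flag_lib_tampering() {
    awk '
    {
        if (!match($0, /sid:[0-9]+/)) next
        sid = substr($0, RSTART + 4, RLENGTH - 4)
        if (!match($0, /cwd:[^ ]+/)) next
        cwd = substr($0, RSTART + 4, RLENGTH - 4)
        # The logged command line follows "filename:<path>]: ".
        if (!match($0, /filename:[^ ]+ /)) next
        cmd = substr($0, RSTART + RLENGTH)

        # Only commands run from a system library directory are of interest.
        if (cwd !~ /^\/lib(64)?$/) next

        rule = ""
        if (cmd ~ /^touch .*-r /)                    rule = "timestamp-copy"
        else if (cmd ~ /^(mv|ln) .*libkeyutils\.so/) rule = "libkeyutils-swap"
        else if (cmd ~ /^(chown|chmod) /)            rule = "perm-change"
        if (rule != "") printf "sid=%s rule=%s cmd=%s\n", sid, rule, cmd
    }'
}

# Sample input: lines copied from the SEEN LOGGED excerpt on this page.
sample_log() {
    cat <<'EOF'
Feb 18 07:28:05 server1 snoopy[21505]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /etc/redhat-release
Feb 18 07:28:06 server1 snoopy[21517]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chown]: chown root:root libzz8d70
Feb 18 07:28:06 server1 snoopy[21518]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chmod]: chmod 755 libzz8d70
Feb 18 07:28:06 server1 snoopy[21519]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libzz8d70 libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21520]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/ln]: ln -s libkeyutils.so.1.9 libkeyutils.so.n
Feb 18 07:28:06 server1 snoopy[21521]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libkeyutils.so.n libkeyutils.so.1
Feb 18 07:28:06 server1 snoopy[21522]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/touch]: touch -c -r libkeyutils-1.2.so libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21524]: [uid:0 sid:20392 tty: cwd:/lib filename:/usr/bin/ldd]: ldd /usr/sbin/sshd
EOF
}

# count_rule <rule-name>: how many sample lines were flagged under that rule.
count_rule() { sample_log | flag_lib_tampering | grep -c "rule=$1"; }

sample_log | flag_lib_tampering
```

Every hit carries the snoopy session id, so the rest of that session's commands can be pulled from the same log for review.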
