- Eriberto Blog - http://eriberto.pro.br/blog -

Network intrusion from the front row, again…


Folks, once again we have a machine online, since 18:40, performing the same task described in the post “Watching a network intrusion from the front row…”. The difference is that this time I intend to make the memory dump available, and I am already writing a wiki that teaches how to prepare the same environment I built. Now it's a matter of waiting for things to happen…

03 Aug. 2010

18:40 h

04 Aug. 2010

06:26 h

06:35 h

Aug  4 00:01:29 server sshd[1141]: Invalid user Benutzer from 98.173.22.178
Aug  4 02:29:12 server sshd[1511]: Failed password for root from 61.129.86.186 port 65487 ssh2

09:10 h

09:40 h

2010-08-03 19:11:45.040983 IP 220.76.200.59
2010-08-03 19:11:45.365377 IP 220.76.200.59
2010-08-03 19:14:49.230188 IP 192.168.100.20
2010-08-03 19:22:17.485984 IP 200.252.13.18
2010-08-03 19:27:26.205297 IP 60.195.124.238
2010-08-03 19:27:26.601530 IP 60.195.124.238
2010-08-03 20:22:20.046507 IP 189.107.24.115
2010-08-03 21:31:46.417342 IP 200.252.61.5
2010-08-03 23:06:29.001721 IP 200.252.67.194
2010-08-03 23:39:52.022671 IP 200.252.59.194
2010-08-04 01:01:48.582544 IP 200.252.55.9
2010-08-04 01:06:26.379342 IP 200.252.16.180
2010-08-04 03:39:29.641986 IP 61.251.176.29
2010-08-04 03:39:30.015736 IP 61.251.176.29
2010-08-04 06:09:36.519864 IP 68.169.176.89
2010-08-04 06:09:36.683012 IP 68.169.176.89
2010-08-04 06:41:36.830823 IP 80.183.103.193
2010-08-04 06:41:37.136954 IP 80.183.103.193
2010-08-04 07:33:28.368651 IP 200.252.76.101
2010-08-04 08:31:13.581548 IP 119.175.16.243
2010-08-04 08:31:13.947929 IP 119.175.16.243
2010-08-04 09:21:37.754272 IP 63.81.251.30
2010-08-04 09:21:39.806937 IP 63.81.251.30
2010-08-04 09:31:37.037950 IP 200.252.130.65

10:20 h

2010-08-03 19:04:33.674752 IP 201.240.72.50.3126 > x.x.x.x.23: [S]
2010-08-03 19:04:33.674884 IP x.x.x.x.23 > 201.240.72.50.3126: [R.]
2010-08-03 19:04:48.592490 IP 41.145.25.77.4688 > x.x.x.x.23: [S]
2010-08-03 19:04:48.592607 IP x.x.x.x.23 > 41.145.25.77.4688: [R.]
2010-08-03 19:22:17.514418 IP 200.252.13.18.1070 > x.x.x.x.445: [S]
2010-08-03 19:22:17.514532 IP x.x.x.x.445 > 200.252.13.18.1070: [R.]
2010-08-03 19:22:17.514664 IP 200.252.13.18.63371 > x.x.x.x.139: [S]
2010-08-03 19:22:17.514775 IP x.x.x.x.139 > 200.252.13.18.1071: [R.]
2010-08-03 19:22:17.514800 IP x.x.x.x.139 > 200.252.13.18.63371: [R.]
2010-08-03 19:22:17.859811 IP 200.252.13.18.63371 > x.x.x.x.139: [S]
2010-08-03 19:22:17.859922 IP x.x.x.x.139 > 200.252.13.18.1071: [R.]
2010-08-03 19:22:17.859949 IP x.x.x.x.139 > 200.252.13.18.63371: [R.]
2010-08-03 19:22:17.875350 IP 200.252.13.18.1070 > x.x.x.x.445: [S]
2010-08-03 19:22:17.875465 IP x.x.x.x.445 > 200.252.13.18.1070: [R.]
2010-08-03 19:22:18.406396 IP 200.252.13.18.1071 > x.x.x.x.139: [S]
2010-08-03 19:22:18.406510 IP x.x.x.x.139 > 200.252.13.18.1071: [R.]
2010-08-03 19:22:18.422025 IP 200.252.13.18.63371 > x.x.x.x.139: [S]
2010-08-03 19:22:18.422162 IP x.x.x.x.139 > 200.252.13.18.63371: [R.]
2010-08-03 19:22:18.531637 IP 200.252.13.18.1070 > x.x.x.x.445: [S]
2010-08-03 19:22:18.531859 IP x.x.x.x.445 > 200.252.13.18.1070: [R.]
2010-08-03 19:27:26.990938 IP 60.195.124.238.53364 > x.x.x.x.139: [S]
2010-08-03 19:27:26.991057 IP x.x.x.x.139 > 60.195.124.238.53364: [R.]
2010-08-03 19:27:27.806026 IP 60.195.124.238.53364 > x.x.x.x.139: [S]
2010-08-03 19:27:27.806141 IP x.x.x.x.139 > 60.195.124.238.53364: [R.]
2010-08-03 19:27:28.607119 IP 60.195.124.238.53364 > x.x.x.x.139: [S]
2010-08-03 19:27:28.607214 IP x.x.x.x.139 > 60.195.124.238.53364: [R.]
2010-08-03 19:27:32.993421 IP 60.195.124.238.53995 > x.x.x.x.445: [S]
2010-08-03 19:27:32.993537 IP x.x.x.x.445 > 60.195.124.238.53995: [R.]
2010-08-03 19:27:35.917854 IP 60.195.124.238.53995 > x.x.x.x.445: [S]
2010-08-03 19:27:35.917967 IP x.x.x.x.445 > 60.195.124.238.53995: [R.]
2010-08-03 20:22:20.266544 IP 189.107.24.115.12602 > x.x.x.x.445: [S]
2010-08-03 20:22:20.266697 IP x.x.x.x.445 > 189.107.24.115.12602: [R.]
2010-08-03 20:22:20.731732 IP 189.107.24.115.12602 > x.x.x.x.445: [S]
2010-08-03 20:22:20.731973 IP x.x.x.x.445 > 189.107.24.115.12602: [R.]
2010-08-03 20:22:21.273379 IP 189.107.24.115.12602 > x.x.x.x.445: [S]
2010-08-03 20:22:21.273526 IP x.x.x.x.445 > 189.107.24.115.12602: [R.]
2010-08-03 23:18:00.219049 IP 58.215.79.84.6000 > x.x.x.x.9415: [S]
2010-08-03 23:18:00.219959 IP x.x.x.x.9415 > 58.215.79.84.6000: [R.]
2010-08-03 23:31:53.948650 IP 218.175.146.176.2089 > x.x.x.x.445: [S]
2010-08-03 23:31:53.952306 IP x.x.x.x.445 > 218.175.146.176.2089: [R.]
2010-08-03 23:31:55.869555 IP 218.175.146.176.2089 > x.x.x.x.445: [S]
2010-08-03 23:31:55.869645 IP x.x.x.x.445 > 218.175.146.176.2089: [R.]
2010-08-03 23:36:48.848734 IP 200.32.172.184.3883 > x.x.x.x.445: [S]
2010-08-03 23:36:48.848844 IP x.x.x.x.445 > 200.32.172.184.3883: [R.]
2010-08-03 23:36:51.707795 IP 200.32.172.184.3883 > x.x.x.x.445: [S]
2010-08-03 23:36:51.707886 IP x.x.x.x.445 > 200.32.172.184.3883: [R.]
2010-08-03 23:39:52.264355 IP 200.252.59.194.1609 > x.x.x.x.445: [S]
2010-08-03 23:39:52.264458 IP x.x.x.x.445 > 200.252.59.194.1609: [R.]
2010-08-03 23:39:52.267255 IP 200.252.59.194.1610 > x.x.x.x.139: [S]
2010-08-03 23:39:52.267345 IP x.x.x.x.139 > 200.252.59.194.1610: [R.]
2010-08-03 23:39:52.821223 IP 200.252.59.194.1610 > x.x.x.x.139: [S]
2010-08-03 23:39:52.821315 IP x.x.x.x.139 > 200.252.59.194.1610: [R.]
2010-08-03 23:39:52.825174 IP 200.252.59.194.1609 > x.x.x.x.445: [S]
2010-08-03 23:39:52.825264 IP x.x.x.x.445 > 200.252.59.194.1609: [R.]
2010-08-03 23:39:53.604568 IP 200.252.59.194.1610 > x.x.x.x.139: [S]
2010-08-03 23:39:53.604734 IP x.x.x.x.445 > 200.252.59.194.1609: [R.]
2010-08-03 23:39:53.604761 IP x.x.x.x.139 > 200.252.59.194.1610: [R.]
2010-08-03 23:53:27.337014 IP 41.250.160.206.4127 > x.x.x.x.23: [S]
2010-08-03 23:53:27.340306 IP x.x.x.x.23 > 41.250.160.206.4127: [R.]
2010-08-03 23:58:38.434406 IP 222.186.25.143.6000 > x.x.x.x.9415: [S]
2010-08-03 23:58:38.434513 IP x.x.x.x.9415 > 222.186.25.143.6000: [R.]
2010-08-04 00:06:00.316734 IP 58.215.79.202.6000 > x.x.x.x.9415: [S]
2010-08-04 00:06:00.316832 IP x.x.x.x.9415 > 58.215.79.202.6000: [R.]
2010-08-04 00:08:21.859852 IP 196.204.141.8.3970 > x.x.x.x.1433: [S]
2010-08-04 00:08:21.859959 IP x.x.x.x.1433 > 196.204.141.8.3970: [R.]
2010-08-04 00:08:22.510285 IP 196.204.141.8.3970 > x.x.x.x.1433: [S]
2010-08-04 00:08:22.510378 IP x.x.x.x.1433 > 196.204.141.8.3970: [R.]
2010-08-04 00:08:23.275186 IP 196.204.141.8.3970 > x.x.x.x.1433: [S]
2010-08-04 00:08:23.275353 IP x.x.x.x.1433 > 196.204.141.8.3970: [R.]
2010-08-04 00:11:35.799521 IP 217.219.23.166.3094 > x.x.x.x.445: [S]
2010-08-04 00:11:35.799617 IP x.x.x.x.445 > 217.219.23.166.3094: [R.]
2010-08-04 00:47:12.982595 IP 218.56.160.61.2477 > x.x.x.x.4899: [S]
2010-08-04 00:47:12.984326 IP x.x.x.x.4899 > 218.56.160.61.2477: [R.]
2010-08-04 00:47:13.836599 IP 218.56.160.61.2477 > x.x.x.x.4899: [S]
2010-08-04 00:47:13.836691 IP x.x.x.x.4899 > 218.56.160.61.2477: [R.]
2010-08-04 00:47:14.643027 IP 218.56.160.61.2477 > x.x.x.x.4899: [S]
2010-08-04 00:47:14.643184 IP x.x.x.x.4899 > 218.56.160.61.2477: [R.]
2010-08-04 01:01:48.713103 IP 200.252.55.9.62558 > x.x.x.x.445: [S]
2010-08-04 01:01:48.713197 IP x.x.x.x.445 > 200.252.55.9.62558: [R.]
2010-08-04 01:01:48.714286 IP 200.252.55.9.62559 > x.x.x.x.139: [S]
2010-08-04 01:01:48.714401 IP x.x.x.x.139 > 200.252.55.9.62559: [R.]
2010-08-04 01:01:48.715810 IP 200.252.55.9.62560 > x.x.x.x.139: [S]
2010-08-04 01:01:48.715897 IP x.x.x.x.139 > 200.252.55.9.62560: [R.]
2010-08-04 01:01:49.190492 IP 200.252.55.9.62560 > x.x.x.x.139: [S]
2010-08-04 01:01:49.190583 IP x.x.x.x.139 > 200.252.55.9.62560: [R.]
2010-08-04 01:01:49.192387 IP 200.252.55.9.62558 > x.x.x.x.445: [S]
2010-08-04 01:01:49.192476 IP x.x.x.x.445 > 200.252.55.9.62558: [R.]
2010-08-04 01:01:49.737738 IP 200.252.55.9.62560 > x.x.x.x.139: [S]
2010-08-04 01:01:49.737840 IP x.x.x.x.139 > 200.252.55.9.62560: [R.]
2010-08-04 01:01:49.738908 IP 200.252.55.9.62558 > x.x.x.x.445: [S]
2010-08-04 01:01:49.739025 IP x.x.x.x.445 > 200.252.55.9.62558: [R.]
2010-08-04 01:01:51.597553 IP 200.252.55.9.62559 > x.x.x.x.139: [S]
2010-08-04 01:01:51.597643 IP x.x.x.x.139 > 200.252.55.9.62559: [R.]
2010-08-04 01:01:57.617015 IP 200.252.55.9.62559 > x.x.x.x.139: [S]
2010-08-04 01:01:57.617148 IP x.x.x.x.139 > 200.252.55.9.62559: [R.]
2010-08-04 01:06:32.120233 IP 200.252.16.180.20029 > x.x.x.x.445: [S]
2010-08-04 01:06:32.120327 IP x.x.x.x.445 > 200.252.16.180.20029: [R.]
2010-08-04 01:06:32.120595 IP 200.252.16.180.20030 > x.x.x.x.139: [S]
2010-08-04 01:06:32.120683 IP x.x.x.x.139 > 200.252.16.180.20030: [R.]
2010-08-04 01:06:32.671419 IP 200.252.16.180.20030 > x.x.x.x.139: [S]
2010-08-04 01:06:32.671509 IP x.x.x.x.139 > 200.252.16.180.20030: [R.]
2010-08-04 01:06:32.671920 IP 200.252.16.180.20029 > x.x.x.x.445: [S]
2010-08-04 01:06:32.672008 IP x.x.x.x.445 > 200.252.16.180.20029: [R.]
2010-08-04 01:06:33.108411 IP 200.252.16.180.20030 > x.x.x.x.139: [S]
2010-08-04 01:06:33.108526 IP x.x.x.x.139 > 200.252.16.180.20030: [R.]
2010-08-04 01:06:33.109059 IP 200.252.16.180.20029 > x.x.x.x.445: [S]
2010-08-04 01:06:33.109168 IP x.x.x.x.445 > 200.252.16.180.20029: [R.]
2010-08-04 02:13:04.460384 IP 58.57.9.44.6000 > x.x.x.x.3389: [S]
2010-08-04 02:13:04.460596 IP x.x.x.x.3389 > 58.57.9.44.6000: [R.]
2010-08-04 02:36:32.697229 IP 220.226.18.10.6000 > x.x.x.x.1433: [S]
2010-08-04 02:36:32.704499 IP x.x.x.x.1433 > 220.226.18.10.6000: [R.]
2010-08-04 03:16:03.154845 IP 59.94.130.220.9989 > x.x.x.x.139: [S]
2010-08-04 03:16:03.156371 IP x.x.x.x.139 > 59.94.130.220.9989: [R.]
2010-08-04 03:16:10.370418 IP 59.94.130.220.9989 > x.x.x.x.139: [S]
2010-08-04 03:16:10.370508 IP x.x.x.x.139 > 59.94.130.220.9989: [R.]
2010-08-04 03:39:30.377836 IP 61.251.176.29.3040 > x.x.x.x.139: [S]
2010-08-04 03:39:30.377930 IP x.x.x.x.139 > 61.251.176.29.3040: [R.]
2010-08-04 03:39:31.129670 IP 61.251.176.29.3040 > x.x.x.x.139: [S]
2010-08-04 03:39:31.129762 IP x.x.x.x.139 > 61.251.176.29.3040: [R.]
2010-08-04 03:39:32.016606 IP 61.251.176.29.3040 > x.x.x.x.139: [S]
2010-08-04 03:39:32.016710 IP x.x.x.x.139 > 61.251.176.29.3040: [R.]
2010-08-04 03:51:01.001740 IP 124.172.159.228.6000 > x.x.x.x.9415: [S]
2010-08-04 03:51:01.003497 IP x.x.x.x.9415 > 124.172.159.228.6000: [R.]
2010-08-04 03:56:48.153734 IP 74.208.197.77.4763 > x.x.x.x.5900: [S]
2010-08-04 03:56:48.156272 IP x.x.x.x.5900 > 74.208.197.77.4763: [R.]
2010-08-04 03:56:48.843364 IP 74.208.197.77.4763 > x.x.x.x.5900: [S]
2010-08-04 03:56:48.843457 IP x.x.x.x.5900 > 74.208.197.77.4763: [R.]
2010-08-04 03:56:49.389654 IP 74.208.197.77.4763 > x.x.x.x.5900: [S]
2010-08-04 03:56:49.389789 IP x.x.x.x.5900 > 74.208.197.77.4763: [R.]
2010-08-04 04:45:46.099151 IP 78.183.144.144.2131 > x.x.x.x.23: [S]
2010-08-04 04:45:46.100313 IP x.x.x.x.23 > 78.183.144.144.2131: [R.]
2010-08-04 05:10:18.061284 IP 118.168.134.220.1082 > x.x.x.x.3128: [S]
2010-08-04 05:10:18.063497 IP x.x.x.x.3128 > 118.168.134.220.1082: [R.]
2010-08-04 05:10:18.860405 IP 118.168.134.220.1082 > x.x.x.x.3128: [S]
2010-08-04 05:10:18.860497 IP x.x.x.x.3128 > 118.168.134.220.1082: [R.]
2010-08-04 05:10:19.727480 IP 118.168.134.220.1082 > x.x.x.x.3128: [S]
2010-08-04 05:10:19.727568 IP x.x.x.x.3128 > 118.168.134.220.1082: [R.]
2010-08-04 06:09:36.842784 IP 68.169.176.89.29467 > x.x.x.x.139: [S]
2010-08-04 06:09:36.842943 IP x.x.x.x.139 > 68.169.176.89.29467: [R.]
2010-08-04 06:09:37.489436 IP 68.169.176.89.29467 > x.x.x.x.139: [S]
2010-08-04 06:09:37.489527 IP x.x.x.x.139 > 68.169.176.89.29467: [R.]
2010-08-04 06:09:38.091033 IP 68.169.176.89.29467 > x.x.x.x.139: [S]
2010-08-04 06:09:38.091125 IP x.x.x.x.139 > 68.169.176.89.29467: [R.]
2010-08-04 06:09:42.849257 IP 68.169.176.89.30144 > x.x.x.x.445: [S]
2010-08-04 06:09:42.849350 IP x.x.x.x.445 > 68.169.176.89.30144: [R.]
2010-08-04 06:09:43.498862 IP 68.169.176.89.30144 > x.x.x.x.445: [S]
2010-08-04 06:09:43.498952 IP x.x.x.x.445 > 68.169.176.89.30144: [R.]
2010-08-04 06:09:44.097595 IP 68.169.176.89.30144 > x.x.x.x.445: [S]
2010-08-04 06:09:44.097685 IP x.x.x.x.445 > 68.169.176.89.30144: [R.]
2010-08-04 06:41:37.440980 IP 80.183.103.193.41973 > x.x.x.x.139: [S]
2010-08-04 06:41:37.441075 IP x.x.x.x.139 > 80.183.103.193.41973: [R.]
2010-08-04 06:41:38.250208 IP 80.183.103.193.41973 > x.x.x.x.139: [S]
2010-08-04 06:41:38.250299 IP x.x.x.x.139 > 80.183.103.193.41973: [R.]
2010-08-04 06:41:38.947670 IP 80.183.103.193.41973 > x.x.x.x.139: [S]
2010-08-04 06:41:38.947761 IP x.x.x.x.139 > 80.183.103.193.41973: [R.]
2010-08-04 06:41:43.441575 IP 80.183.103.193.42716 > x.x.x.x.445: [S]
2010-08-04 06:41:43.441665 IP x.x.x.x.445 > 80.183.103.193.42716: [R.]
2010-08-04 06:41:44.169465 IP 80.183.103.193.42716 > x.x.x.x.445: [S]
2010-08-04 06:41:44.169552 IP x.x.x.x.445 > 80.183.103.193.42716: [R.]
2010-08-04 06:41:44.962688 IP 80.183.103.193.42716 > x.x.x.x.445: [S]
2010-08-04 06:41:44.962779 IP x.x.x.x.445 > 80.183.103.193.42716: [R.]
2010-08-04 07:33:49.605152 IP 200.252.76.101.62341 > x.x.x.x.445: [S]
2010-08-04 07:33:49.605250 IP x.x.x.x.445 > 200.252.76.101.62341: [R.]
2010-08-04 07:33:49.605824 IP 200.252.76.101.62342 > x.x.x.x.139: [S]
2010-08-04 07:33:49.605911 IP x.x.x.x.139 > 200.252.76.101.62342: [R.]
2010-08-04 07:33:49.606176 IP 200.252.76.101.62343 > x.x.x.x.139: [S]
2010-08-04 07:33:49.606261 IP x.x.x.x.139 > 200.252.76.101.62343: [R.]
2010-08-04 07:33:50.086681 IP 200.252.76.101.62342 > x.x.x.x.139: [S]
2010-08-04 07:33:50.086772 IP x.x.x.x.139 > 200.252.76.101.62342: [R.]
2010-08-04 07:33:50.087365 IP 200.252.76.101.62341 > x.x.x.x.445: [S]
2010-08-04 07:33:50.087452 IP x.x.x.x.445 > 200.252.76.101.62341: [R.]
2010-08-04 07:33:50.524591 IP 200.252.76.101.62342 > x.x.x.x.139: [S]
2010-08-04 07:33:50.524759 IP x.x.x.x.139 > 200.252.76.101.62342: [R.]
2010-08-04 07:33:50.524975 IP 200.252.76.101.62341 > x.x.x.x.445: [S]
2010-08-04 07:33:50.525062 IP x.x.x.x.445 > 200.252.76.101.62341: [R.]
2010-08-04 07:33:52.604693 IP 200.252.76.101.62343 > x.x.x.x.139: [S]
2010-08-04 07:33:52.604849 IP x.x.x.x.139 > 200.252.76.101.62343: [R.]
2010-08-04 07:33:58.727620 IP 200.252.76.101.62343 > x.x.x.x.139: [S]
2010-08-04 07:33:58.727711 IP x.x.x.x.139 > 200.252.76.101.62343: [R.]
2010-08-04 08:27:13.087499 IP 122.226.223.134.6000 > x.x.x.x.9415: [S]
2010-08-04 08:27:13.088122 IP x.x.x.x.9415 > 122.226.223.134.6000: [R.]
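As an added example (not part of the original post), a small parser that summarises SYN/RST pairs in the shape of the tcpdump lines above, per source host and destination port, so a defender can see at a glance which closed ports each scanner probed and how many times it retried. The sample input is a handful of lines copied from the capture; the honeypot address is assumed to be the anonymised x.x.x.x and the port-to-service names are an assumed mapping for readability only.

```python
import re
from collections import defaultdict

# One tcpdump line in the shape shown in the post: "<date> <time> IP <src>.<sport> > <dst>.<dport>: [<flags>]"
LINE_RE = re.compile(r"^(\S+ \S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): \[(S|R\.)\]$")

# Service names for the ports probed in the capture (assumed mapping, for readability only).
PORT_NAMES = {23: "telnet", 139: "netbios-ssn", 445: "microsoft-ds", 1433: "ms-sql",
              3128: "http-proxy", 3389: "rdp", 4899: "radmin", 5900: "vnc"}

# Sample taken from the capture quoted above; x.x.x.x is the anonymised honeypot.
SAMPLE = """\
2010-08-03 19:22:17.514418 IP 200.252.13.18.1070 > x.x.x.x.445: [S]
2010-08-03 19:22:17.514532 IP x.x.x.x.445 > 200.252.13.18.1070: [R.]
2010-08-03 19:22:17.514664 IP 200.252.13.18.63371 > x.x.x.x.139: [S]
2010-08-03 19:22:17.514775 IP x.x.x.x.139 > 200.252.13.18.63371: [R.]
2010-08-03 19:22:17.875350 IP 200.252.13.18.1070 > x.x.x.x.445: [S]
2010-08-03 19:22:17.875465 IP x.x.x.x.445 > 200.252.13.18.1070: [R.]
2010-08-04 00:08:21.859852 IP 196.204.141.8.3970 > x.x.x.x.1433: [S]
2010-08-04 00:08:21.859959 IP x.x.x.x.1433 > 196.204.141.8.3970: [R.]
"""


def summarize_scans(text, honeypot="x.x.x.x"):
    """Return {source_ip: {dport: {"syn": n, "rst": n}}} for traffic aimed at the honeypot.

    A SYN is counted against the port it targets; an RST sent back by the honeypot is
    counted against the port the scanner had asked for (our source port in the reply).
    """
    per_source = defaultdict(lambda: defaultdict(lambda: {"syn": 0, "rst": 0}))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a line we understand (e.g. a truncated dump line)
        _ts, src, sport, dst, dport, flags = m.groups()
        if flags == "S" and dst == honeypot:
            per_source[src][int(dport)]["syn"] += 1
        elif flags == "R." and src == honeypot:
            per_source[dst][int(sport)]["rst"] += 1
    # Plain dicts so callers cannot create entries just by looking them up.
    return {src: dict(ports) for src, ports in per_source.items()}


def report(text, honeypot="x.x.x.x"):
    """One line per scanning host: which ports it hit, how many SYNs it sent and whether each was answered by RST."""
    lines = []
    for src, ports in sorted(summarize_scans(text, honeypot).items()):
        parts = []
        for dport, c in sorted(ports.items()):
            name = PORT_NAMES.get(dport, "unknown")
            closed = "closed" if c["rst"] >= c["syn"] else "no RST seen"
            parts.append(f"{dport}/{name}: {c['syn']} SYN, {c['rst']} RST ({closed})")
        lines.append(f"{src} -> " + "; ".join(parts))
    return lines
```

A port that receives SYNs but no RST back would be one the honeypot actually listens on, which is the case worth looking at first in a capture like this.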

10:40 h

10:53 h

Aug  4 10:30:02 server sshd[2359]: Failed password for root from 187.50.126.38 port 43061 ssh2

Aug  4 10:48:11 server sshd[3095]: Failed password for root from 187.50.126.38 port 60030 ssh2

11:07 h

Aug  4 10:30:10 server sshd[2366]: Accepted password for root from 187.50.126.38 port 43338 ssh2

11:37 h

12:35 h

14:06 h

Aug  4 14:03:01 server sshd[3383]: Did not receive identification string from 200.161.99.38

14:30 h

17:55 h

22:10 h

05 Aug. 2010

06:25 h

Aug  5 05:36:29 server sshd[4743]: Failed password for root from 219.143.125.205 port 54497 ssh2
Aug  5 05:36:35 server sshd[4746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.143.125.205  user=root
Aug  5 05:36:37 server sshd[4746]: Failed password for root from 219.143.125.205 port 54843 ssh2
Aug  5 05:36:42 server sshd[4748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.143.125.205  user=root
Aug  5 05:36:45 server sshd[4748]: Failed password for root from 219.143.125.205 port 55161 ssh2
Aug  5 05:36:50 server sshd[4750]: Accepted password for root from 219.143.125.205 port 55493 ssh2
INFO   :  [2010-08-05T04:46:15-0300] msg=<Checking>, path=</etc/samhain>
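As an added example (not the post's own tooling), detection logic that reads sshd lines like the ones quoted above (the 10:53/11:07 entries on the 4th and the 06:25 entries here) and flags each accepted root login together with the number of failed attempts the same host made just before it, separating a brute force that succeeded from a login that needed no guessing. Syslog lines carry no year, so 2010 is assumed; the 10-minute window and two-failure threshold are assumed values.

```python
import re
from datetime import datetime, timedelta

# "Accepted"/"Failed password" lines as sshd writes them to auth.log (pam_unix lines are ignored).
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<host>\S+) port \d+"
)

# Lines quoted in the post (5 August); syslog has no year, so 2010 is assumed in parse_events().
SAMPLE = """\
Aug  5 05:36:29 server sshd[4743]: Failed password for root from 219.143.125.205 port 54497 ssh2
Aug  5 05:36:35 server sshd[4746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.143.125.205  user=root
Aug  5 05:36:37 server sshd[4746]: Failed password for root from 219.143.125.205 port 54843 ssh2
Aug  5 05:36:45 server sshd[4748]: Failed password for root from 219.143.125.205 port 55161 ssh2
Aug  5 05:36:50 server sshd[4750]: Accepted password for root from 219.143.125.205 port 55493 ssh2
Aug  5 13:44:00 server sshd[5578]: Accepted password for root from 61.164.108.149 port 51914 ssh2
"""


def parse_events(text, year=2010):
    """Return a list of (time, result, user, host) for every password-auth line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["result"], m["user"], m["host"]))
    return events


def find_root_logins(text, window=timedelta(minutes=10), min_failures=2):
    """Flag each accepted root login with the number of failures the same host had just before it.

    A login preceded by at least min_failures failures inside the window is a brute force that
    succeeded; one with no failures at all means the password was already known to that host.
    """
    events = parse_events(text)
    findings = []
    for when, result, user, host in events:
        if result != "Accepted" or user != "root":
            continue
        prior = [t for t, r, u, h in events
                 if r == "Failed" and h == host and u == user and when - window <= t < when]
        kind = "brute-force success" if len(prior) >= min_failures else "login without prior failures"
        findings.append({"when": when.isoformat(), "host": host,
                         "failures_before": len(prior), "kind": kind})
    return findings
```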

11:05 h

61.129.86.186: CN, China
91.188.59.62: LV, Latvia
94.138.164.155: IT, Italy
95.0.85.118: TR, Turkey
98.173.22.178: US, United States
115.165.163.55: VN, Vietnam
123.150.196.38: CN, China
124.31.204.185: CN, China
187.50.126.38: BR, Brazil
200.161.99.38: BR, Brazil
202.201.14.252: CN, China
219.143.125.205: CN, China

20:45 h

Aug  5 13:44:00 server sshd[5578]: Accepted password for root from 61.164.108.149 port 51914 ssh2

06 Aug. 2010

09:30 h

Aug  5 23:09:58 server sshd[6635]: Accepted password for root from 209.195.11.34 port 36680 ssh2
Aug  5 23:28:10 server sshd[6686]: Accepted password for root from 95.104.114.44 port 20370 ssh2
INFO   :  [2010-08-06T08:49:37-0300] msg=<Checking>, path=</var/run/utmp>

11:55 h

12:03 h

12:28 h

12:50 h

13:25 h

[2010-08-06T12:50:08-0300] server.projirradiante.com.br
CRIT   : [2010-08-06T12:49:55-0300] msg=<POLICY [ReadOnly] C--I----T->, path=</etc/shadow>, inode_old=<13300>, inode_new=<17168>, dev_old=<202,1>, dev_new=<202,1>, ctime_old=<[2010-08-03T21:34:30]>, ctime_new=<[2010-08-06T14:51:17]>, mtime_old=<[2010-08-03T21:34:30]>, mtime_new=<[2010-08-06T14:51:17]>, chksum_old=<4E3A8F642C54E0ABD1310A03A7BEFA954DC4EBEBA6349BB5>, chksum_new=<A91AC2692A353AD96F399F994CAE602A575CA16149CDDC36>,

# strings memoria.dd |grep passwd|grep root
Aug  6 11:51:17 server passwd[17395]: pam_unix(passwd:chauthtok): password changed for root
# strings memoria.dd |grep "Aug  6 11:[45]"|grep -v CRON|sort -n
Aug  6 11:42:42 server crontab[17311]: (root) REPLACE (root)
Aug  6 11:42:42 server crontab[17313]: (root) LIST (root)
Aug  6 11:42:51 server crontab[17331]: (root) REPLACE (root)
Aug  6 11:42:51 server crontab[17332]: (root) LIST (root)
Aug  6 11:51:17 server passwd[17395]: pam_unix(passwd:chauthtok): password changed for root

13:47 h

14:52 h

16:07 h – MEMORY IMAGE DOWNLOAD!

16:46 h

18:31 h – PARTITION IMAGE DOWNLOAD!

07 Aug. 2010

08:10 h

10:45 h

09 Aug. 2010

http://www.istf.com.br/vb/pericia-forense/14955-assistindo-uma-invasao-de-camarote-analise-forente.html