Data Chaos Perl connect
Our server was pulled out from ev1 server because of an AUP violation. I got a reply from them, and I want to find out what we should do to protect ourselves in the future.
We found fl.txt, ircbot.txt and Data Chaos Perl connect Backdoor in /tmp. Also rkhunter was run on your server.
Pulled (123 Ip address) for outbound attack to 201.9.226.26.
0.0070 seconds ellapsed in capture
35857 inbound PPS to 201.9.226.26
0 outbound PPS from 201.9.226.26
16.35 inbound Mbps to 201.9.226.26
0.00 outbound Mbps from 201.9.226.26
Re-crunch on keyword: Exclude sources with:
    Date        Time      Switch         Port  In PPS    Out PPS  In MBPS  Out MBPS  MAC Address
1.  2005/08/22  16:32:25  67.15.134.245  9     32883.23  222.84   15.03    0.26      00c0.9f21.02c0
Your lookup was on: (123 Ip address)
MAC: 00c0.9f21.02c0
IP Data
Netiron / Port         IPs               First Seen                Last Seen                 Age
66.98.240.117 port 11  67.15.134.53      Mon Aug 1 22:27:08 2005   Mon Aug 22 16:36:06 2005  0
66.98.240.117 port 11  (123 Ip address)  Mon Feb 21 10:50:46 2005  Mon Aug 22 16:34:27 2005  1
                       67.15.134.52      Mon Aug 1 22:42:20 2005
66.98.240.117 port 11  67.15.134.51      Mon Aug 1 22:18:56 2005   Mon Aug 22 15:20:40 2005  30
Switch Data
Switch / Port         First Seen                Last Seen                 Age
67.15.134.245 port 9  Mon Feb 21 09:49:37 2005  Mon Aug 22 16:28:25 2005  1
Frame 2 (60 bytes on wire, 60 bytes captured)
Arrival Time: Aug 22, 2005 16:23:51.175317000
Time delta from previous packet: 0.000002000 seconds
Time since reference or first frame: 0.000002000 seconds
Frame Number: 2
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:c0:9f:21:02:c0, Dst: 00:e0:52:0b:10:60
Destination: 00:e0:52:0b:10:60 (00:e0:52:0b:10:60)
Source: 00:c0:9f:21:02:c0