Журнал лабораторных работ


Журнал

Суббота (06/23/07)

/dev/pts/5
14:19:07
#cat alert
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
14:19:16
#ls
alert  tcpdump.log.1182597013  tcpdump.log.1182597251
14:19:22
#cd ..

14:19:25
#ls
acpid    auth.log    debug       dmesg.2.gz  exim4           honeypot   lpr.log    mail.warn  mysql.log       mysql.pipe  syslog       syslog.3.gz  Xorg.0.log
aide     boot        dmesg       dmesg.3.gz  faillog         installer  mail.err   messages   mysql.log.1.gz  nessus      syslog.0     user.log     Xorg.0.log.old
apache   btmp        dmesg.0     dmesg.4.gz  fontconfig.log  kern.log   mail.info  mysql      mysql.log.2.gz  news        syslog.1.gz  uucp.log
apache2  daemon.log  dmesg.1.gz  dpkg.log    fsck            lastlog    mail.log   mysql.err  mysql.log.3.gz  snort       syslog.2.gz  wtmp
14:19:26
#ls -l
total 1804
-rw-r----- 1 root        root  12245 2007-06-23 06:34 acpid
drwxr-xr-x 2 root        root   4096 2007-06-23 06:34 aide
drwxr-xr-x 2 root        root   4096 2007-06-20 06:49 apache
drwxr-xr-x 2 root        root   4096 2007-06-23 05:58 apache2
-rw-r----- 1 root        adm   61426 2007-06-23 07:17 auth.log
-rw-r----- 1 root        adm      31 2007-06-19 05:45 boot
-rw-rw-r-- 1 root        utmp   2688 2007-06-20 09:46 btmp
-rw-r----- 1 root        adm  515446 2007-06-23 07:18 daemon.log
-rw-r----- 1 root        adm   26523 2007-06-23 05:52 debug
...
-rw-r----- 1 root        adm   26236 2007-06-23 07:18 syslog
-rw-r----- 1 root        adm   23428 2007-06-19 06:25 syslog.0
-rw-r----- 1 root        adm   31990 2007-06-23 06:34 syslog.1.gz
-rw-r----- 1 root        adm   55916 2007-06-22 06:30 syslog.2.gz
-rw-r----- 1 root        adm   35364 2007-06-21 06:29 syslog.3.gz
-rw-r----- 1 root        adm   14397 2007-06-23 06:10 user.log
-rw-r--r-- 1 root        root      0 2007-06-19 05:54 uucp.log
-rw-rw-r-- 1 root        utmp 102528 2007-06-23 07:15 wtmp
-rw-r--r-- 1 root        root  57485 2007-06-23 06:34 Xorg.0.log
-rw-r--r-- 1 root        root  56711 2007-06-22 13:30 Xorg.0.log.old
14:19:43
#cd snort
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
14:20:12
#ls
alert  tcpdump.log.1182597013  tcpdump.log.1182597251
14:20:13
#ls -l
total 4
-rw-r----- 1 snort adm  0 2007-06-23 05:55 alert
-rw-r----- 1 root  adm 24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 root  adm  0 2007-06-23 07:14 tcpdump.log.1182597251
14:20:18
#more tcpdump.log.1182597251
14:20:35
#more tcpdump.log.1182597251
14:21:04
#/etc/snort/
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
bash: /etc/snort/: is a directory
14:21:15
#cd /etc/snort/
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
14:21:31
#ls
classification.config  gen-msg.map  reference.config  rules  sid-msg.map  snort.conf  snort.debian.conf  threshold.conf  unicode.map
14:21:33
#vi snort.conf
14:23:20
#mv /etc/snort/snort.conf /etc/snort/snort.eth0.conf
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
14:24:15
#ps -ef | grep snort
snort     6734     1  0 07:14 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      7020  6006  0 07:24 pts/6    00:00:00 grep snort
14:24:24
#/etc/init.d/s
scanlogd              single                ssh                   stop-bootlogd-single  sysklogd
sendsigs              snort                 stop-bootlogd         sudo                  syslog-ng
14:24:24
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
14:24:53
#ps -ef | grep snort
snort     7040     1 43 07:24 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      7047  6006  0 07:24 pts/6    00:00:00 grep snort
14:24:59
#more tcpdump.log.1182597251
14:25:33
#cd /etc/var
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
bash: cd: /etc/var: No such file or directory
14:25:40
#cd /var/log/

14:25:48
#cd /snort
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
bash: cd: /snort: No such file or directory
14:25:57
#cd /snort
bash: cd: /snort: No such file or directory
14:26:00
#ls
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
acpid    auth.log    debug       dmesg.2.gz  exim4           honeypot   lpr.log    mail.warn  mysql.log       mysql.pipe  syslog       syslog.3.gz  Xorg.0.log
aide     boot        dmesg       dmesg.3.gz  faillog         installer  mail.err   messages   mysql.log.1.gz  nessus      syslog.0     user.log     Xorg.0.log.old
apache   btmp        dmesg.0     dmesg.4.gz  fontconfig.log  kern.log   mail.info  mysql      mysql.log.2.gz  news        syslog.1.gz  uucp.log
apache2  daemon.log  dmesg.1.gz  dpkg.log    fsck            lastlog    mail.log   mysql.err  mysql.log.3.gz  snort       syslog.2.gz  wtmp
14:26:10
#cd snort/
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
Connecting to www.snort.org|199.107.65.177|:80... connected.
HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
Oink, oink. Exiting...
[root@linux3:~]#
[root@linux3:~]#
[root@linux3:~]#
14:26:16
#ls
alert  tcpdump.log.1182597013  tcpdump.log.1182597893
14:26:18
#ls -l
total 4
-rw-r----- 1 snort adm  0 2007-06-23 05:55 alert
-rw-r----- 1 root  adm 24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 root  adm  0 2007-06-23 07:24 tcpdump.log.1182597893
14:26:21
#more tcpdump.log.1182597013
14:26:56
#more tcpdump.log.1182597013
/dev/pts/7
14:27:21
#ssh root@linux3
root@linux3's password:
Permission denied, please try again.
root@linux3's password:
Last login: Fri Jun 22 17:19:26 2007 from 192.168.15.201
Linux linux3 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
l3-agent is already running: pid=16387; pidfile=/root/.lilalo/l3-agent.pid
/dev/pts/5
14:28:29
#ls -l
total 4
-rw-r----- 1 snort adm  0 2007-06-23 05:55 alert
-rw-r----- 1 root  adm 24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 root  adm  0 2007-06-23 07:24 tcpdump.log.1182597893
14:28:31
#more tcpdump.log.1182597013
14:28:51
#ls -l
total 4
-rw-r----- 1 snort adm  0 2007-06-23 05:55 alert
-rw-r----- 1 root  adm 24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 root  adm  0 2007-06-23 07:24 tcpdump.log.1182597893
14:28:53
#vi /etc/snort/snort.eth0.conf
513c513
< output database: log, mysql, user=root password=password dbname=snort_log host=localhost
---
> #output database: log, mysql, user=root password=password dbname=snort_log host=localhost
14:31:28
#/etc/init.d/snort restart
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
14:31:39
#ps -ef | grep snort
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=35 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=36 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=37 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=38 ttl=64 time=0.219 ms
64 bytes from 192.168.15.201: icmp_seq=39 ttl=64 time=0.279 ms
64 bytes from 192.168.15.201: icmp_seq=40 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=41 ttl=64 time=0.246 ms
64 bytes from 192.168.15.201: icmp_seq=42 ttl=64 time=0.214 ms
snort     7246     1 23 07:31 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      7253  6006  0 07:31 pts/6    00:00:00 grep snort
14:31:50
#pwd
64 bytes from 192.168.15.201: icmp_seq=35 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=36 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=37 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=38 ttl=64 time=0.219 ms
64 bytes from 192.168.15.201: icmp_seq=39 ttl=64 time=0.279 ms
64 bytes from 192.168.15.201: icmp_seq=40 ttl=64 time=0.228 ms
64 bytes from 192.168.15.201: icmp_seq=41 ttl=64 time=0.246 ms
64 bytes from 192.168.15.201: icmp_seq=42 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=43 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=44 ttl=64 time=0.216 ms
/var/log/snort
14:32:02
#ls -l
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=41 ttl=64 time=0.246 ms
64 bytes from 192.168.15.201: icmp_seq=42 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=43 ttl=64 time=0.221 ms
64 bytes from 192.168.15.201: icmp_seq=44 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=45 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=46 ttl=64 time=0.293 ms
total 4
-rw-r----- 1 snort adm  0 2007-06-23 05:55 alert
-rw-r----- 1 root  adm 24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 root  adm  0 2007-06-23 07:31 tcpdump.log.1182598300
14:32:10
#ps -ef | grep snort
64 bytes from 192.168.15.201: icmp_seq=49 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=50 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=51 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=52 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=53 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=54 ttl=64 time=0.264 ms
64 bytes from 192.168.15.201: icmp_seq=55 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=56 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=57 ttl=64 time=0.207 ms
snort     7246     1  2 07:31 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      7273  6006  0 07:33 pts/6    00:00:00 grep snort
14:33:07
#ps -ef | grep snort
64 bytes from 192.168.15.201: icmp_seq=50 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=51 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=52 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=53 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=54 ttl=64 time=0.264 ms
64 bytes from 192.168.15.201: icmp_seq=55 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=56 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=57 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=58 ttl=64 time=0.218 ms
snort     7246     1  2 07:31 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      7280  6006  0 07:33 pts/6    00:00:00 grep snort
14:33:20
#ls -l
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=55 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=56 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=57 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=58 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=59 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=60 ttl=64 time=0.161 ms
total 4
-rw-r----- 1 snort adm  0 2007-06-23 05:55 alert
-rw-r----- 1 root  adm 24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 root  adm  0 2007-06-23 07:31 tcpdump.log.1182598300
14:33:27
#ps -ef | grep snort
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=55 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=56 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=57 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=58 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=59 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=60 ttl=64 time=0.161 ms
64 bytes from 192.168.15.201: icmp_seq=61 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=62 ttl=64 time=0.184 ms
snort     7246     1  2 07:31 ?        00:00:02 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.eth0.conf -S HOME_NET=[192.168.0.0/16] -i eth0
root      7293  6006  0 07:33 pts/6    00:00:00 grep snort
14:33:35
#/etc/init.d/snort restart
64 bytes from 192.168.15.201: icmp_seq=59 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=60 ttl=64 time=0.161 ms
64 bytes from 192.168.15.201: icmp_seq=61 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=62 ttl=64 time=0.184 ms
64 bytes from 192.168.15.201: icmp_seq=63 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=64 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=65 ttl=64 time=0.283 ms
64 bytes from 192.168.15.201: icmp_seq=66 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=67 ttl=64 time=0.213 ms
Stopping Network Intrusion Detection System: snort(eth0).
Starting Network Intrusion Detection System: snort(eth0).
14:33:57
#rcp
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=67 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=68 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=69 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=70 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=71 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=72 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=73 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=74 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=75 ttl=64 time=0.218 ms
alert                   tcpdump.log.1182597013  tcpdump.log.1182598437
14:33:57
#r
ramsize                  readonly                 replace                  rgrep                    rotatelogs               run-mailcap
ranlib                   readprofile              report-hw                rlogin                   route                    run-parts
rarp                     reboot                   reset                    rm                       rpcinfo                  runq
raw                      red                      resize                   rmail                    rsh                      rview
rbash                    reindexdb                resize2fs                rmdir                    rsmtp                    rvim
rcp                      remove-default-ispell    resolveip                rmmod                    rstart
rdev                     remove-default-wordlist  resolve_stack_dump       rmt                      rstartd
read                     remove-shell             return                   rmt-tar                  rsync
readelf                  rename                   rev                      rnano                    runcon
readlink                 renice                   revpath                  rootflags                runlevel
14:33:57
#ls
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=94 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=95 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=96 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=97 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=98 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=99 ttl=64 time=0.308 ms
64 bytes from 192.168.15.201: icmp_seq=100 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=101 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=102 ttl=64 time=0.214 ms
alert  tcpdump.log.1182597013  tcpdump.log.1182598437
/dev/pts/9
14:35:16
#nmap linux3
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
79/tcp  open  finger
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
514/tcp open  shell
MAC Address: 00:0A:01:D4:D1:E3 (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 0.952 seconds
14:35:23
#less /etc/snort/rules/
14:35:23
#less /etc/snort/rules/dos.rules
/dev/pts/5
14:36:54
#ls -l
total 12
-rw-r----- 1 snort adm 151 2007-06-23 07:35 alert
-rw-r----- 1 root  adm  24 2007-06-23 07:10 tcpdump.log.1182597013
-rw-r----- 1 root  adm 283 2007-06-23 07:35 tcpdump.log.1182598437
14:36:58
#cd ..
64 bytes from 192.168.15.201: icmp_seq=94 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=95 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=96 ttl=64 time=0.244 ms
64 bytes from 192.168.15.201: icmp_seq=97 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=98 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=99 ttl=64 time=0.308 ms
64 bytes from 192.168.15.201: icmp_seq=100 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=101 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=102 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=103 ttl=64 time=0.233 ms
64 bytes from 192.168.15.201: icmp_seq=104 ttl=64 time=0.297 ms
14:37:08
#ls
64 bytes from 192.168.15.201: icmp_seq=101 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=102 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=103 ttl=64 time=0.233 ms
64 bytes from 192.168.15.201: icmp_seq=104 ttl=64 time=0.297 ms
64 bytes from 192.168.15.201: icmp_seq=105 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=106 ttl=64 time=0.201 ms
64 bytes from 192.168.15.201: icmp_seq=107 ttl=64 time=0.214 ms
acpid    auth.log    debug       dmesg.2.gz  exim4           honeypot   lpr.log    mail.warn  mysql.log       mysql.pipe  syslog       syslog.3.gz  Xorg.0.log
aide     boot        dmesg       dmesg.3.gz  faillog         installer  mail.err   messages   mysql.log.1.gz  nessus      syslog.0     user.log     Xorg.0.log.old
apache   btmp        dmesg.0     dmesg.4.gz  fontconfig.log  kern.log   mail.info  mysql      mysql.log.2.gz  news        syslog.1.gz  uucp.log
apache2  daemon.log  dmesg.1.gz  dpkg.log    fsck            lastlog    mail.log   mysql.err  mysql.log.3.gz  snort       syslog.2.gz  wtmp
14:37:16
#vi snort/
14:37:42
#ls
acpid    auth.log    debug       dmesg.2.gz  exim4           honeypot   lpr.log    mail.warn  mysql.log       mysql.pipe  syslog       syslog.3.gz  Xorg.0.log
aide     boot        dmesg       dmesg.3.gz  faillog         installer  mail.err   messages   mysql.log.1.gz  nessus      syslog.0     user.log     Xorg.0.log.old
apache   btmp        dmesg.0     dmesg.4.gz  fontconfig.log  kern.log   mail.info  mysql      mysql.log.2.gz  news        syslog.1.gz  uucp.log
apache2  daemon.log  dmesg.1.gz  dpkg.log    fsck            lastlog    mail.log   mysql.err  mysql.log.3.gz  snort       syslog.2.gz  wtmp
14:37:45
#/etc/snort/
64 bytes from 192.168.15.201: icmp_seq=104 ttl=64 time=0.297 ms
64 bytes from 192.168.15.201: icmp_seq=105 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=106 ttl=64 time=0.201 ms
64 bytes from 192.168.15.201: icmp_seq=107 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=108 ttl=64 time=0.274 ms
64 bytes from 192.168.15.201: icmp_seq=109 ttl=64 time=0.253 ms
64 bytes from 192.168.15.201: icmp_seq=110 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=111 ttl=64 time=0.205 ms
64 bytes from 192.168.15.201: icmp_seq=112 ttl=64 time=0.238 ms
64 bytes from 192.168.15.201: icmp_seq=113 ttl=64 time=0.205 ms
bash: /etc/snort/: is a directory
/dev/pts/9
14:37:47
#less /etc/snort/rules/dos.rules
14:37:50
#vim
/dev/pts/5
14:37:57
#ls -l
64 bytes from 192.168.15.201: icmp_seq=21 ttl=64 time=0.276 ms
64 bytes from 192.168.15.201: icmp_seq=22 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=23 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=24 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=25 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=26 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=27 ttl=64 time=0.279 ms
64 bytes from 192.168.15.201: icmp_seq=28 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=29 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=30 ttl=64 time=0.202 ms
...
-rw-r----- 1 root        adm   48906 2007-06-23 07:34 syslog
-rw-r----- 1 root        adm   23428 2007-06-19 06:25 syslog.0
-rw-r----- 1 root        adm   31990 2007-06-23 06:34 syslog.1.gz
-rw-r----- 1 root        adm   55916 2007-06-22 06:30 syslog.2.gz
-rw-r----- 1 root        adm   35364 2007-06-21 06:29 syslog.3.gz
-rw-r----- 1 root        adm   14397 2007-06-23 06:10 user.log
-rw-r--r-- 1 root        root      0 2007-06-19 05:54 uucp.log
-rw-rw-r-- 1 root        utmp 102912 2007-06-23 07:35 wtmp
-rw-r--r-- 1 root        root  57592 2007-06-23 07:25 Xorg.0.log
-rw-r--r-- 1 root        root  56711 2007-06-22 13:30 Xorg.0.log.old
14:38:19
#/etc/ac
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=117 ttl=64 time=0.226 ms
64 bytes from 192.168.15.201: icmp_seq=118 ttl=64 time=0.205 ms
64 bytes from 192.168.15.201: icmp_seq=119 ttl=64 time=0.241 ms
64 bytes from 192.168.15.201: icmp_seq=120 ttl=64 time=0.268 ms
64 bytes from 192.168.15.201: icmp_seq=121 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=122 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=123 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=124 ttl=64 time=0.327 ms
64 bytes from 192.168.15.201: icmp_seq=125 ttl=64 time=0.345 ms
acidbase/ acpi/
14:38:19
#/etc/acidbase/
bash: /etc/acidbase/: is a directory
/dev/pts/9
14:38:25
#nc linux3 179
PING linux2.unix.nt (192.168.15.201) 56(84) bytes of data.
64 bytes from 192.168.15.201: icmp_seq=1 ttl=64 time=0.191 ms
64 bytes from 192.168.15.201: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 192.168.15.201: icmp_seq=3 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=5 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=6 ttl=64 time=0.185 ms
64 bytes from 192.168.15.201: icmp_seq=7 ttl=64 time=0.229 ms
64 bytes from 192.168.15.201: icmp_seq=8 ttl=64 time=0.240 ms
64 bytes from 192.168.15.201: icmp_seq=9 ttl=64 time=0.222 ms
...
64 bytes from 192.168.15.201: icmp_seq=115 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=116 ttl=64 time=0.266 ms
64 bytes from 192.168.15.201: icmp_seq=117 ttl=64 time=0.226 ms
64 bytes from 192.168.15.201: icmp_seq=118 ttl=64 time=0.205 ms
64 bytes from 192.168.15.201: icmp_seq=119 ttl=64 time=0.241 ms
64 bytes from 192.168.15.201: icmp_seq=120 ttl=64 time=0.268 ms
64 bytes from 192.168.15.201: icmp_seq=121 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=122 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=123 ttl=64 time=0.225 ms
linux3.unix.nt [192.168.15.200] 179 (bgp) : Connection refused
14:38:38
#vim /etc/snort/rules/dos.rules
/dev/pts/5
14:38:55
#cd /etc/acidbase/
64 bytes from 192.168.15.201: icmp_seq=117 ttl=64 time=0.226 ms
64 bytes from 192.168.15.201: icmp_seq=118 ttl=64 time=0.205 ms
64 bytes from 192.168.15.201: icmp_seq=119 ttl=64 time=0.241 ms
64 bytes from 192.168.15.201: icmp_seq=120 ttl=64 time=0.268 ms
64 bytes from 192.168.15.201: icmp_seq=121 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=122 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=123 ttl=64 time=0.225 ms
64 bytes from 192.168.15.201: icmp_seq=124 ttl=64 time=0.327 ms
64 bytes from 192.168.15.201: icmp_seq=125 ttl=64 time=0.345 ms
64 bytes from 192.168.15.201: icmp_seq=126 ttl=64 time=0.232 ms
64 bytes from 192.168.15.201: icmp_seq=127 ttl=64 time=0.291 ms
14:39:03
#ls
apache.conf  base_conf.php  database.php
14:39:05
#vi database.php
13c13
< $alert_user='snort';
---
> $alert_user='root';
15,16c15,16
< $basepath='';
< $alert_dbname='snort';
---
> $basepath='localhost';
> $alert_dbname='snort_log';
/dev/pts/9
14:39:34
#nc linux3 179
sdfsdf
sdf
s
fsd
14:39:38
#nc linux3 179
linux3.unix.nt [192.168.15.200] 179 (bgp) : Connection refused
14:39:39
#sdf
bash: sdf: command not found
14:39:40
#nmap linux3
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
79/tcp  open  finger
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
514/tcp open  shell
MAC Address: 00:0A:01:D4:D1:E3 (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 1.585 seconds
14:40:16
#ls
<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/acidbase.conf
## by /usr/sbin/dbconfig-generate-include
## Sat, 23 Jun 2007 06:03:44 -0400
$alert_user=';
$basepath='lo0_hfile_469_1.doc  Installing_and_configuring_OinkMaster.pdf  phpsyslogng-2.6.tar.gz  ssh-fake       Tablitsa_1_1.xls
1.shrt_dbname='s   phpsyslogng-2.6(2).tar.gzfiguration f      prilozenie_1_4.doc      ssh-fake.1
~
...
~
~
~
~
~
~
~
~
~
~
14:41:42
#cd /etc/snort/
classification.config  reference.config       sid-msg.map            snort.eth0.conf        unicode.map
gen-msg.map            rules/                 snort.debian.conf      threshold.conf
14:41:42
#cd /etc/snort/rules/

14:41:46
#grep -ri ssh .
./scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;)
~
...
~
~
~
~
~
~
~
~
~
~
14:41:51
#vi exploit.rules
14:42:09
#nc linux3 22
SSH-2.0-OpenSSH_4.3p2 Debian-9
...
~
~
~
~
~
~
~
~
~
~
14:42:18
#echo GOBBLES |]
bash: ]: command not found
/dev/pts/5
14:42:45
#cd ../
64 bytes from 192.168.15.201: icmp_seq=24 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=25 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=26 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=27 ttl=64 time=0.279 ms
64 bytes from 192.168.15.201: icmp_seq=28 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=29 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=30 ttl=64 time=0.202 ms
64 bytes from 192.168.15.201: icmp_seq=31 ttl=64 time=0.241 ms
64 bytes from 192.168.15.201: icmp_seq=32 ttl=64 time=0.199 ms
64 bytes from 192.168.15.201: icmp_seq=33 ttl=64 time=0.210 ms
...
64 bytes from 192.168.15.201: icmp_seq=163 ttl=64 time=0.220 ms
64 bytes from 192.168.15.201: icmp_seq=164 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=165 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=166 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=167 ttl=64 time=0.205 ms
64 bytes from 192.168.15.201: icmp_seq=168 ttl=64 time=0.219 ms
64 bytes from 192.168.15.201: icmp_seq=169 ttl=64 time=0.207 ms
64 bytes from 192.168.15.201: icmp_seq=170 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=171 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=172 ttl=64 time=0.209 ms
/dev/pts/9
14:42:50
#echo GOBBLES |
bash: linux3: command not found
14:42:53
#echo GOBBLES | nc
SSH-2.0-OpenSSH_4.3p2 Debian-9
Protocol mismatch.
/dev/pts/5
14:42:53
#vi database.php
/dev/pts/9
14:42:56
#nmap linux3
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-06-23 07:43 EDT
Interesting ports on 192.168.15.200:
Not shown: 1672 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
79/tcp  open  finger
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
514/tcp open  shell
MAC Address: 00:0A:01:D4:D1:E3 (Sohoware)
Nmap finished: 1 IP address (1 host up) scanned in 0.963 seconds
14:43:10
#grpe -ri rpcbind .
bash: grpe: command not found
/dev/pts/5
14:43:13
#rm d
64 bytes from 192.168.15.201: icmp_seq=171 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=172 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=173 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=174 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=175 ttl=64 time=0.237 ms
64 bytes from 192.168.15.201: icmp_seq=176 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=177 ttl=64 time=0.302 ms
64 bytes from 192.168.15.201: icmp_seq=178 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=179 ttl=64 time=0.312 ms
database.php         debconf.conf         default/             deluser.conf         dhcp3/               dpkg/
dbconfig-common/     debian_version       defoma/              devfs/               dictionaries-common/
14:43:13
#rm database.php

/dev/pts/9
14:43:17
#grep

/dev/pts/5
14:43:23
#cd /etc/acidbase/
64 bytes from 192.168.15.201: icmp_seq=172 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=173 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=174 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=175 ttl=64 time=0.237 ms
64 bytes from 192.168.15.201: icmp_seq=176 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=177 ttl=64 time=0.302 ms
64 bytes from 192.168.15.201: icmp_seq=178 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=179 ttl=64 time=0.312 ms
64 bytes from 192.168.15.201: icmp_seq=180 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=181 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=182 ttl=64 time=0.238 ms
/dev/pts/9
14:43:24
#grep -ri 111 .
./web-client.rules:#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/2
./web-client.rules:#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2
./web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088; rev:2;)
./web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt"; flow:to_client,established; flowbits:isset,http.bmp; content:"BM"; byte_test:4,>,83386080,16,relative,little; reference:bugtraq,11171; reference:cve,2004-0904; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; classtype:attempted-admin; sid:3
./web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla bitmap width integer overflow attempt"; flow:established,to_client; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)image\x2fbmp/smi"; pcre:"/\r\n\r\n|\r\r|\n\n/Rsm"; content:"BM"; distance:0; byte_test:4,>,83386080,16,relative,little; reference:bugtraq,11171; reference:cve,2004-0
./web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player 6.4 ActiveX Object Access"; flow:from_server,established; content:"22D6F312-B0F6-11D0-94AB-0080C74C7E95"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22D6F312-B0F6-11D0-94AB-0080C74C7E95/si"; reference:bugtraq,793; reference:cve,1999-1110; classtype:att
./web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT WM VIH2 Fix ActiveX CLSID access"; flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/bul
./web-client.rules:#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OWC11.DataSourceControl.11 ActiveX function call access"; flow:established,to_client; content:"OWC11.DataSourceControl.11"; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22OWC11.DataSourceControl.11\x22|\x27OWC11.DataSourceControl.11\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22OWC11.DataSourceContro
./web-client.rules:#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OWC11.DataSourceControl.11 ActiveX clsid access"; flow:established,to_client; content:"0002E55B-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*\1/si"; reference:bugtraq,19069; reference:cve,2006-3729;
./web-client.rules:#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OWC11.DataSourceControl.11 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|B|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; nocase; pcre:"/<\x00o\x00b\x00j\
...
./backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR poison ivy 2.1.2 runtime detection - init connection"; flow:from_server,established; flowbits:isset,PoisonIvy_init; content:"U|8B EC|P|B8 02 00 00 00 81 C4 04 F0 FF FF|"; depth:15; reference:url,www.megasecurity.org/trojans/p/poisonivy/Poisonivy2.1.2.html; classtype:trojan-activity; sid:10111; rev:1;)
./backdoor.rules:alert tcp $HOME_NET 1115 -> $EXTERNAL_NET any (msg:"BACKDOOR lurker 1.1 runtime detection - init connection"; flow:from_server,established; content:"|0D|Lurker"; depth:7; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077370; classtype:trojan-activity; sid:11316; rev:1;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
./deleted.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.co
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1
./deleted.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999
14:43:31
#grep -ri 'NET 111'
./backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"BACKDOOR roach 1.0 runtime detection - remote control actions - flowbit set"; flow:to_server,established; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; flowbits:set,Roach_RemoteControlActions; flowbits:noalert; classtype:trojan-activity; sid:7702; rev:1;)
./backdoor.rules:alert tcp $HOME_NET 1111 -> $EXTERNAL_NET any (msg:"BACKDOOR roach 1.0 runtime detection - remote control actions"; flow:from_server,established; flowbits:isset,Roach_RemoteControlActions; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=950; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964
./backdoor.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 1111 (msg:"BACKDOOR xbkdr runtime detection"; flow:to_server,established; content:"|7C|"; depth:1; offset:3; pcre:"/^(?=[abchimoprswx])(acs|bin|c(ap|ls)|h(di|ms|tb)|iex|m(oo|tx|ws)|opn|pwr|rst|s(h[di]|ms|tb|wm)|wrd|xls)\x7C/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.megasecurity.org/trojans/x/x-bkdr/X-
./backdoor.rules:alert tcp $HOME_NET 1115 -> $EXTERNAL_NET any (msg:"BACKDOOR lurker 1.1 runtime detection - init connection"; flow:from_server,established; content:"|0D|Lurker"; depth:7; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077370; classtype:trojan-activity; sid:11316; rev:1;)
./deleted.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
./deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1
./deleted.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; refer
...
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap BrightStor ARCserve denial of service attempt"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; reference:bugtraq,22365; reference:cve,2007-0816; classtype:attempted-dos; sid
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap BrightStor ARCserve denial of service attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; reference:bugtraq,22365; reference:cve,2007-0816;
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,22551; reference:cve,2007-091
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,22551; reference:cve,2007-0915;
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,225
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap CA BrightStor ARCserve tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,23209; classt
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap CA BrightStor ARCserve udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,23209; classtype:rpc-portmap-decode; sid:
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,16838; reference:cve,2006-0
/dev/pts/5
14:43:37
#ls
apache.conf  base_conf.php  database.php
14:43:38
#cat database.php
<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/acidbase.conf
## by /usr/sbin/dbconfig-generate-include
## Sat, 23 Jun 2007 06:03:44 -0400
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded.  *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$alert_user='root';
$alert_password='password';
$basepath='localhost';
$alert_dbname='snort_log';
$alert_host='';
$alert_port='';
$DBtype='mysql';
/dev/pts/9
14:43:42
#apt-cache search showmount
64 bytes from 192.168.15.201: icmp_seq=176 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=177 ttl=64 time=0.302 ms
64 bytes from 192.168.15.201: icmp_seq=178 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=179 ttl=64 time=0.312 ms
64 bytes from 192.168.15.201: icmp_seq=180 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=181 ttl=64 time=0.227 ms
64 bytes from 192.168.15.201: icmp_seq=182 ttl=64 time=0.238 ms
64 bytes from 192.168.15.201: icmp_seq=183 ttl=64 time=0.236 ms
64 bytes from 192.168.15.201: icmp_seq=184 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=185 ttl=64 time=0.211 ms
nfs-common - NFS support files common to client and server
/dev/pts/5
14:43:43
#ucf
                             configuration file. )
             --state-dir bar Set the state directory to bar instead of the
                             default '/var/lib/ucf'. Used mostly for testing.
             --debconf-ok    Indicate that it is ok for uct to use an already
                             running debconf instance for prompting.
Usage: ucf  -p  destination
     -p,     --purge         Remove any reference to destination from records
By default, the directory the new_file lives in is assumed to be the src-dir,
which is where we look for any historical md5sums.
/dev/pts/9
14:43:56
#apt-get install nfs-common
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libgssapi2 libnfsidmap2 librpcsecgss3 portmap
The following NEW packages will be installed:
  libgssapi2 libnfsidmap2 librpcsecgss3 nfs-common portmap
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 236kB of archives.
After unpacking 877kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
...
Setting up portmap (5-26) ...
Starting portmap daemon....
Setting up libgssapi2 (0.10-4) ...
Setting up nfs-common (1.0.10-6) ...
Creating config file /etc/idmapd.conf with new version
Creating config file /etc/default/nfs-common with new version
Adding system user `statd' (UID 107) ...
Adding new user `statd' (UID 107) with group `nogroup' ...
Not creating home directory `/var/lib/nfs'.
Starting NFS common utilities: statd.
/dev/pts/5
14:44:09
#cat database.php
64 bytes from 192.168.15.201: icmp_seq=60 ttl=64 time=0.161 ms
64 bytes from 192.168.15.201: icmp_seq=61 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=62 ttl=64 time=0.184 ms
64 bytes from 192.168.15.201: icmp_seq=63 ttl=64 time=0.204 ms
64 bytes from 192.168.15.201: icmp_seq=64 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=65 ttl=64 time=0.283 ms
64 bytes from 192.168.15.201: icmp_seq=66 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=67 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=68 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=69 ttl=64 time=0.229 ms
...
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$alert_user='root';
$alert_password='password';
$basepath='localhost';
$alert_dbname='snort_log';
$alert_host='';
$alert_port='';
$DBtype='mysql';
14:44:15
#screen
/dev/pts/9
14:44:16
#showmount -e linux3
64 bytes from 192.168.15.201: icmp_seq=44 ttl=64 time=0.216 ms
64 bytes from 192.168.15.201: icmp_seq=45 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=46 ttl=64 time=0.293 ms
64 bytes from 192.168.15.201: icmp_seq=47 ttl=64 time=0.219 ms
64 bytes from 192.168.15.201: icmp_seq=48 ttl=64 time=0.224 ms
64 bytes from 192.168.15.201: icmp_seq=49 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=50 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=51 ttl=64 time=0.213 ms
64 bytes from 192.168.15.201: icmp_seq=52 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=53 ttl=64 time=0.213 ms
...
64 bytes from 192.168.15.201: icmp_seq=183 ttl=64 time=0.236 ms
64 bytes from 192.168.15.201: icmp_seq=184 ttl=64 time=0.215 ms
64 bytes from 192.168.15.201: icmp_seq=185 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=186 ttl=64 time=0.230 ms
64 bytes from 192.168.15.201: icmp_seq=187 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=188 ttl=64 time=0.252 ms
64 bytes from 192.168.15.201: icmp_seq=189 ttl=64 time=0.230 ms
64 bytes from 192.168.15.201: icmp_seq=190 ttl=64 time=0.245 ms
64 bytes from 192.168.15.201: icmp_seq=191 ttl=64 time=0.212 ms
mount clntudp_create: RPC: Program not registered
14:44:20
#grep -ri 'NET 111' .
64 bytes from 192.168.15.201: icmp_seq=130 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=131 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=132 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=133 ttl=64 time=0.235 ms
64 bytes from 192.168.15.201: icmp_seq=134 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=135 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=136 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=137 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=138 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=139 ttl=64 time=0.211 ms
...
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap BrightStor ARCserve denial of service attempt"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; reference:bugtraq,22365; reference:cve,2007-0816; classtype:attempted-dos; sid
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap BrightStor ARCserve denial of service attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; reference:bugtraq,22365; reference:cve,2007-0816;
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,22551; reference:cve,2007-091
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,22551; reference:cve,2007-0915;
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,225
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap CA BrightStor ARCserve tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,23209; classt
./rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap CA BrightStor ARCserve udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,23209; classtype:rpc-portmap-decode; sid:
./rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,16838; reference:cve,2006-0
/dev/pts/5
14:45:17
#apt-get install screen
64 bytes from 192.168.15.201: icmp_seq=73 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=74 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=75 ttl=64 time=0.218 ms
64 bytes from 192.168.15.201: icmp_seq=76 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=77 ttl=64 time=0.209 ms
64 bytes from 192.168.15.201: icmp_seq=78 ttl=64 time=0.212 ms
64 bytes from 192.168.15.201: icmp_seq=79 ttl=64 time=0.235 ms
64 bytes from 192.168.15.201: icmp_seq=80 ttl=64 time=0.214 ms
64 bytes from 192.168.15.201: icmp_seq=81 ttl=64 time=0.252 ms
64 bytes from 192.168.15.201: icmp_seq=82 ttl=64 time=0.212 ms
...
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 587kB of archives.
After unpacking 999kB of additional disk space will be used.
Get:1 http://debian.org.ua etch/main screen 4.0.3-0.3+b1 [587kB]
Fetched 587kB in 3s (165kB/s)
Preconfiguring packages ...
Selecting previously deselected package screen.
(Reading database ... 27867 files and directories currently installed.)
Unpacking screen (from .../screen_4.0.3-0.3+b1_i386.deb) ...
Setting up screen (4.0.3-0.3+b1) ...
/dev/pts/14
14:46:32
#screen -x
/dev/pts/11
14:46:35
#ps -ef| snort
64 bytes from 192.168.15.201: icmp_seq=127 ttl=64 time=0.291 ms
64 bytes from 192.168.15.201: icmp_seq=128 ttl=64 time=0.211 ms
64 bytes from 192.168.15.201: icmp_seq=129 ttl=64 time=0.217 ms
64 bytes from 192.168.15.201: icmp_seq=130 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=131 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=132 ttl=64 time=0.208 ms
64 bytes from 192.168.15.201: icmp_seq=133 ttl=64 time=0.235 ms
64 bytes from 192.168.15.201: icmp_seq=134 ttl=64 time=0.210 ms
64 bytes from 192.168.15.201: icmp_seq=135 ttl=64 time=0.206 ms
64 bytes from 192.168.15.201: icmp_seq=136 ttl=64 time=0.209 ms
...
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -z         Set assurance mode, match on established sesions (for TCP)
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Uh, you need to tell me to do something...
: No such file or directory

Файлы

  • alert
  • database.php
  • alert
    >
    http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2.3.tar.gz  (try: 2) => `/var/run/oinkmaster/oinkmaster.9swzRlc2Pt/url.qnIs4lWnM8/snortrules.tar.gz'
    Connecting to www.snort.org|199.107.65.177|:80... connected.
    HTTP request sent, awaiting response... 403 You must be a registered user with a valid oink code to download this file.
    10:14:31 ERROR 403: You must be a registered user with a valid oink code to download this file..
    Oink, oink. Exiting...
    [root@linux3:~]#
    [root@linux3:~]#
    [root@linux3:~]#
    
    database.php
    >
    64 bytes from 192.168.15.201: icmp_seq=60 ttl=64 time=0.161 ms
    64 bytes from 192.168.15.201: icmp_seq=61 ttl=64 time=0.215 ms
    64 bytes from 192.168.15.201: icmp_seq=62 ttl=64 time=0.184 ms
    64 bytes from 192.168.15.201: icmp_seq=63 ttl=64 time=0.204 ms
    64 bytes from 192.168.15.201: icmp_seq=64 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=65 ttl=64 time=0.283 ms
    64 bytes from 192.168.15.201: icmp_seq=66 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=67 ttl=64 time=0.213 ms
    64 bytes from 192.168.15.201: icmp_seq=68 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=69 ttl=64 time=0.229 ms
    64 bytes from 192.168.15.201: icmp_seq=70 ttl=64 time=0.245 ms
    64 bytes from 192.168.15.201: icmp_seq=71 ttl=64 time=0.216 ms
    64 bytes from 192.168.15.201: icmp_seq=72 ttl=64 time=0.207 ms
    64 bytes from 192.168.15.201: icmp_seq=73 ttl=64 time=0.214 ms
    64 bytes from 192.168.15.201: icmp_seq=74 ttl=64 time=0.217 ms
    64 bytes from 192.168.15.201: icmp_seq=75 ttl=64 time=0.218 ms
    64 bytes from 192.168.15.201: icmp_seq=76 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=77 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=78 ttl=64 time=0.212 ms
    64 bytes from 192.168.15.201: icmp_seq=79 ttl=64 time=0.235 ms
    64 bytes from 192.168.15.201: icmp_seq=80 ttl=64 time=0.214 ms
    64 bytes from 192.168.15.201: icmp_seq=81 ttl=64 time=0.252 ms
    64 bytes from 192.168.15.201: icmp_seq=82 ttl=64 time=0.212 ms
    64 bytes from 192.168.15.201: icmp_seq=83 ttl=64 time=0.236 ms
    64 bytes from 192.168.15.201: icmp_seq=84 ttl=64 time=0.215 ms
    64 bytes from 192.168.15.201: icmp_seq=85 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=86 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=87 ttl=64 time=0.208 ms
    64 bytes from 192.168.15.201: icmp_seq=88 ttl=64 time=0.229 ms
    64 bytes from 192.168.15.201: icmp_seq=89 ttl=64 time=0.221 ms
    64 bytes from 192.168.15.201: icmp_seq=90 ttl=64 time=0.231 ms
    64 bytes from 192.168.15.201: icmp_seq=91 ttl=64 time=0.214 ms
    64 bytes from 192.168.15.201: icmp_seq=92 ttl=64 time=0.208 ms
    64 bytes from 192.168.15.201: icmp_seq=93 ttl=64 time=0.207 ms
    64 bytes from 192.168.15.201: icmp_seq=94 ttl=64 time=0.274 ms
    64 bytes from 192.168.15.201: icmp_seq=95 ttl=64 time=0.245 ms
    64 bytes from 192.168.15.201: icmp_seq=96 ttl=64 time=0.244 ms
    64 bytes from 192.168.15.201: icmp_seq=97 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=98 ttl=64 time=0.215 ms
    64 bytes from 192.168.15.201: icmp_seq=99 ttl=64 time=0.308 ms
    64 bytes from 192.168.15.201: icmp_seq=100 ttl=64 time=0.216 ms
    64 bytes from 192.168.15.201: icmp_seq=101 ttl=64 time=0.274 ms
    64 bytes from 192.168.15.201: icmp_seq=102 ttl=64 time=0.214 ms
    64 bytes from 192.168.15.201: icmp_seq=103 ttl=64 time=0.233 ms
    64 bytes from 192.168.15.201: icmp_seq=104 ttl=64 time=0.297 ms
    64 bytes from 192.168.15.201: icmp_seq=105 ttl=64 time=0.224 ms
    64 bytes from 192.168.15.201: icmp_seq=106 ttl=64 time=0.201 ms
    64 bytes from 192.168.15.201: icmp_seq=107 ttl=64 time=0.214 ms
    64 bytes from 192.168.15.201: icmp_seq=108 ttl=64 time=0.274 ms
    64 bytes from 192.168.15.201: icmp_seq=109 ttl=64 time=0.253 ms
    64 bytes from 192.168.15.201: icmp_seq=110 ttl=64 time=0.218 ms
    64 bytes from 192.168.15.201: icmp_seq=111 ttl=64 time=0.205 ms
    64 bytes from 192.168.15.201: icmp_seq=112 ttl=64 time=0.238 ms
    64 bytes from 192.168.15.201: icmp_seq=113 ttl=64 time=0.205 ms
    64 bytes from 192.168.15.201: icmp_seq=114 ttl=64 time=0.219 ms
    64 bytes from 192.168.15.201: icmp_seq=115 ttl=64 time=0.218 ms
    64 bytes from 192.168.15.201: icmp_seq=116 ttl=64 time=0.266 ms
    64 bytes from 192.168.15.201: icmp_seq=117 ttl=64 time=0.226 ms
    64 bytes from 192.168.15.201: icmp_seq=118 ttl=64 time=0.205 ms
    64 bytes from 192.168.15.201: icmp_seq=119 ttl=64 time=0.241 ms
    64 bytes from 192.168.15.201: icmp_seq=120 ttl=64 time=0.268 ms
    64 bytes from 192.168.15.201: icmp_seq=121 ttl=64 time=0.215 ms
    64 bytes from 192.168.15.201: icmp_seq=122 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=123 ttl=64 time=0.225 ms
    64 bytes from 192.168.15.201: icmp_seq=124 ttl=64 time=0.327 ms
    64 bytes from 192.168.15.201: icmp_seq=125 ttl=64 time=0.345 ms
    64 bytes from 192.168.15.201: icmp_seq=126 ttl=64 time=0.232 ms
    64 bytes from 192.168.15.201: icmp_seq=127 ttl=64 time=0.291 ms
    64 bytes from 192.168.15.201: icmp_seq=128 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=129 ttl=64 time=0.217 ms
    64 bytes from 192.168.15.201: icmp_seq=130 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=131 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=132 ttl=64 time=0.208 ms
    64 bytes from 192.168.15.201: icmp_seq=133 ttl=64 time=0.235 ms
    64 bytes from 192.168.15.201: icmp_seq=134 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=135 ttl=64 time=0.206 ms
    64 bytes from 192.168.15.201: icmp_seq=136 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=137 ttl=64 time=0.212 ms
    64 bytes from 192.168.15.201: icmp_seq=138 ttl=64 time=0.212 ms
    64 bytes from 192.168.15.201: icmp_seq=139 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=140 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=141 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=142 ttl=64 time=0.237 ms
    64 bytes from 192.168.15.201: icmp_seq=143 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=144 ttl=64 time=0.229 ms
    64 bytes from 192.168.15.201: icmp_seq=145 ttl=64 time=0.212 ms
    64 bytes from 192.168.15.201: icmp_seq=146 ttl=64 time=0.213 ms
    64 bytes from 192.168.15.201: icmp_seq=147 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=148 ttl=64 time=0.204 ms
    64 bytes from 192.168.15.201: icmp_seq=149 ttl=64 time=0.223 ms
    64 bytes from 192.168.15.201: icmp_seq=150 ttl=64 time=0.284 ms
    64 bytes from 192.168.15.201: icmp_seq=151 ttl=64 time=0.199 ms
    64 bytes from 192.168.15.201: icmp_seq=152 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=153 ttl=64 time=0.214 ms
    64 bytes from 192.168.15.201: icmp_seq=154 ttl=64 time=0.217 ms
    64 bytes from 192.168.15.201: icmp_seq=155 ttl=64 time=0.275 ms
    64 bytes from 192.168.15.201: icmp_seq=156 ttl=64 time=0.224 ms
    64 bytes from 192.168.15.201: icmp_seq=157 ttl=64 time=0.212 ms
    64 bytes from 192.168.15.201: icmp_seq=158 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=159 ttl=64 time=0.250 ms
    64 bytes from 192.168.15.201: icmp_seq=160 ttl=64 time=0.219 ms
    64 bytes from 192.168.15.201: icmp_seq=161 ttl=64 time=0.171 ms
    64 bytes from 192.168.15.201: icmp_seq=162 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=163 ttl=64 time=0.220 ms
    64 bytes from 192.168.15.201: icmp_seq=164 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=165 ttl=64 time=0.206 ms
    64 bytes from 192.168.15.201: icmp_seq=166 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=167 ttl=64 time=0.205 ms
    64 bytes from 192.168.15.201: icmp_seq=168 ttl=64 time=0.219 ms
    64 bytes from 192.168.15.201: icmp_seq=169 ttl=64 time=0.207 ms
    64 bytes from 192.168.15.201: icmp_seq=170 ttl=64 time=0.208 ms
    64 bytes from 192.168.15.201: icmp_seq=171 ttl=64 time=0.206 ms
    64 bytes from 192.168.15.201: icmp_seq=172 ttl=64 time=0.209 ms
    64 bytes from 192.168.15.201: icmp_seq=173 ttl=64 time=0.216 ms
    64 bytes from 192.168.15.201: icmp_seq=174 ttl=64 time=0.213 ms
    64 bytes from 192.168.15.201: icmp_seq=175 ttl=64 time=0.237 ms
    64 bytes from 192.168.15.201: icmp_seq=176 ttl=64 time=0.210 ms
    64 bytes from 192.168.15.201: icmp_seq=177 ttl=64 time=0.302 ms
    64 bytes from 192.168.15.201: icmp_seq=178 ttl=64 time=0.215 ms
    64 bytes from 192.168.15.201: icmp_seq=179 ttl=64 time=0.312 ms
    64 bytes from 192.168.15.201: icmp_seq=180 ttl=64 time=0.213 ms
    64 bytes from 192.168.15.201: icmp_seq=181 ttl=64 time=0.227 ms
    64 bytes from 192.168.15.201: icmp_seq=182 ttl=64 time=0.238 ms
    64 bytes from 192.168.15.201: icmp_seq=183 ttl=64 time=0.236 ms
    64 bytes from 192.168.15.201: icmp_seq=184 ttl=64 time=0.215 ms
    64 bytes from 192.168.15.201: icmp_seq=185 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=186 ttl=64 time=0.230 ms
    64 bytes from 192.168.15.201: icmp_seq=187 ttl=64 time=0.211 ms
    64 bytes from 192.168.15.201: icmp_seq=188 ttl=64 time=0.252 ms
    64 bytes from 192.168.15.201: icmp_seq=189 ttl=64 time=0.230 ms
    <?php
    ##
    ## database access settings in php format
    ## automatically generated from /etc/dbconfig-common/acidbase.conf
    ## by /usr/sbin/dbconfig-generate-include
    ## Sat, 23 Jun 2007 06:03:44 -0400
    ##
    ## by default this file is managed via ucf, so you shouldn't have to
    ## worry about manual changes being silently discarded.  *however*,
    ## you'll probably also want to edit the configuration file mentioned
    ## above too.
    ##
    ## NOTE(review): this include holds the ACID/BASE console's database
    ## credentials in clear text. Keep it readable only by the account that
    ## runs the web application (not world-readable), and keep it out of
    ## document roots and pasted logs/journals where it can be copied.
    ## The MySQL account configured here is 'root' with a trivial default
    ## password; a dedicated least-privilege account restricted to the
    ## snort_log database, with a rotated password, is the safer choice.
    $alert_user='root';
    $alert_password='password';
    ## presumably the MySQL server location (the variable name does not say so) -- verify against the acidbase config
    $basepath='localhost';
    $alert_dbname='snort_log';
    ## host and port are left empty here; which defaults then apply is decided by the consuming code, not by this file
    $alert_host='';
    $alert_port='';
    $DBtype='mysql';
    

    Статистика

    Время первой команды журнала 14:19:07 2007- 6-23
    Время последней команды журнала 14:46:35 2007- 6-23
    Количество командных строк в журнале 101
    Процент команд с ненулевым кодом завершения, % 12.87
    Процент синтаксически неверно набранных команд, % 6.93
    Суммарное время работы с терминалом *, час 0.46
    Количество командных строк в единицу времени, команда/мин 3.68
    Частота использования команд
    ls21|===================| 19.09%
    cd14|============| 12.73%
    grep11|==========| 10.00%
    ps7|======| 6.36%
    more6|=====| 5.45%
    vi6|=====| 5.45%
    nc5|====| 4.55%
    /etc/init.d/snort3|==| 2.73%
    nmap3|==| 2.73%
    echo3|==| 2.73%
    less3|==| 2.73%
    cat3|==| 2.73%
    screen2|=| 1.82%
    vim2|=| 1.82%
    rm2|=| 1.82%
    /etc/snort/2|=| 1.82%
    apt-get2|=| 1.82%
    pwd1|| 0.91%
    snort1|| 0.91%
    ]1|| 0.91%
    rcp1|| 0.91%
    /etc/init.d/s1|| 0.91%
    ucf1|| 0.91%
    sdf1|| 0.91%
    ssh1|| 0.91%
    mv1|| 0.91%
    grpe1|| 0.91%
    /etc/ac1|| 0.91%
    apt-cache1|| 0.91%
    r1|| 0.91%
    showmount1|| 0.91%
    /etc/acidbase/1|| 0.91%
    ____
    *) Интервалы неактивности длительностью 30 минут и более не учитываются

    Справка

    Для того чтобы использовать LiLaLo, не нужно знать ничего особенного: всё происходит само собой. Однако, чтобы ведение и последующее использование журналов было как можно более эффективным, желательно иметь в виду следующее:
    1. В журнал автоматически попадают все команды, данные в любом терминале системы.

    2. Для того чтобы убедиться, что журнал на текущем терминале ведётся, и команды записываются, дайте команду w. В поле WHAT, соответствующем текущему терминалу, должна быть указана программа script.

    3. Команды, при наборе которых были допущены синтаксические ошибки, выводятся перечёркнутым текстом:
      $ l s-l
      bash: l: command not found
      

    4. Если код завершения команды равен нулю, команда была выполнена без ошибок. Команды, код завершения которых отличен от нуля, выделяются цветом.
      $ test 5 -lt 4
      Обратите внимание на то, что код завершения команды может быть отличен от нуля не только в тех случаях, когда команда была выполнена с ошибкой. Многие команды используют код завершения, например, для того чтобы показать результаты проверки.

    5. Команды, ход выполнения которых был прерван пользователем, выделяются цветом.
      $ find / -name abc
      find: /home/devi-orig/.gnome2: Keine Berechtigung
      find: /home/devi-orig/.gnome2_private: Keine Berechtigung
      find: /home/devi-orig/.nautilus/metafiles: Keine Berechtigung
      find: /home/devi-orig/.metacity: Keine Berechtigung
      find: /home/devi-orig/.inkscape: Keine Berechtigung
      ^C
      

    6. Команды, выполненные с привилегиями суперпользователя, выделяются слева красной чертой.
      # id
      uid=0(root) gid=0(root) Gruppen=0(root)
      

    7. Изменения, внесённые в текстовый файл с помощью редактора, запоминаются и показываются в журнале в формате ed. Строки, начинающиеся символом "<", удалены, а строки, начинающиеся символом ">" -- добавлены.
      $ vi ~/.bashrc
      2a3,5
      >    if [ -f /usr/local/etc/bash_completion ]; then
      >         . /usr/local/etc/bash_completion
      >        fi
      

    8. Для того чтобы изменить файл в соответствии с показанными в диффшоте изменениями, можно воспользоваться командой patch. Нужно скопировать изменения, запустить программу patch, указав в качестве её аргумента файл, к которому применяются изменения, и вставить скопированный текст:
      $ patch ~/.bashrc
      В данном случае изменения применяются к файлу ~/.bashrc

    9. Для того чтобы получить краткую справочную информацию о команде, нужно подвести к ней мышь. Во всплывающей подсказке появится краткое описание команды.

      Если справочная информация о команде есть, команда выделяется голубым фоном, например: vi. Если справочная информация отсутствует, команда выделяется розовым фоном, например: notepad.exe. Справочная информация может отсутствовать в том случае, если (1) команда введена неверно; (2) если распознавание команды LiLaLo выполнено неверно; (3) если информация о команде неизвестна LiLaLo. Последнее возможно для редких команд.

    10. Большие, в особенности многострочные, всплывающие подсказки лучше всего показываются браузерами KDE Konqueror, Apple Safari и Microsoft Internet Explorer. В браузерах Mozilla и Firefox они отображаются не полностью, а вместо перевода строки выводится специальный символ.

    11. Время ввода команды, показанное в журнале, соответствует времени начала ввода командной строки, которое равно тому моменту, когда на терминале появилось приглашение интерпретатора.

    12. Имя терминала, на котором была введена команда, показано в специальном блоке. Этот блок показывается только в том случае, если терминал текущей команды отличается от терминала предыдущей.

    13. Вывод не интересующих вас в настоящий момент элементов журнала, таких как время, имя терминала и других, можно отключить. Для этого нужно воспользоваться формой управления журналом вверху страницы.

    14. Небольшие комментарии к командам можно вставлять прямо из командной строки. Комментарий вводится прямо в командную строку, после символов #^ или #v. Символы ^ и v показывают направление выбора команды, к которой относится комментарий: ^ - к предыдущей, v - к следующей. Например, если в командной строке было введено:

      $ whoami
      
      user
      
      $ #^ Интересно, кто я?
      
      в журнале это будет выглядеть так:
      $ whoami
      
      user
      
      Интересно, кто я?

    15. Если комментарий содержит несколько строк, его можно вставить в журнал следующим образом:

      $ whoami
      
      user
      
      $ cat > /dev/null #^ Интересно, кто я?
      
      Программа whoami выводит имя пользователя, под которым 
      мы зарегистрировались в системе.
      -
      Она не может ответить на вопрос о нашем назначении 
      в этом мире.
      
      В журнале это будет выглядеть так:
      $ whoami
      user
      
      Интересно, кто я?
      Программа whoami выводит имя пользователя, под которым
      мы зарегистрировались в системе.

      Она не может ответить на вопрос о нашем назначении
      в этом мире.
      Для разделения нескольких абзацев между собой используйте символ "-", один в строке.

    16. Комментарии, не относящиеся непосредственно ни к какой из команд, добавляются точно таким же способом, только вместо символов #^ или #v нужно использовать символы #=

    17. Содержимое файла может быть показано в журнале. Для этого его нужно вывести с помощью программы cat. Если вывод команды отметить символами #!, содержимое файла будет показано в журнале в специально отведённой для этого секции.
    18. Для того чтобы вставить скриншот интересующего вас окна в журнал, нужно воспользоваться командой l3shot. После того как команда вызвана, нужно с помощью мыши выбрать окно, которое должно быть в журнале.
    19. Команды в журнале расположены в хронологическом порядке. Если две команды давались одна за другой, но на разных терминалах, в журнале они будут рядом, даже если они не имеют друг к другу никакого отношения.
      1
          2
      3   
          4
      
      Группы команд, выполненных на разных терминалах, разделяются специальной линией. Под этой линией в правом углу показано имя терминала, на котором выполнялись команды. Для того чтобы посмотреть команды только одного сеанса, нужно щёлкнуть по этому названию.

    О программе

    LiLaLo (L3) расшифровывается как Live Lab Log.
    Программа разработана для повышения эффективности обучения Unix/Linux-системам.
    (c) Игорь Чубин, 2004-2008

    $Id$