Attack Category | Description |
---|---|
User=>Root | An attacker who has access to a local account on a computer system is able to elevate his or her privileges by exploiting a bug in the operating system or a program that is installed on the system. |
Remote=>Local | An attacker who has the ability to send packets to a machine over a network (but who does not have an account on that machine), gains local access (either as a user or as root) to that machine. |
Surveillance/Probing | An attacker uses network services to collect information about a host (such as what services it offers, or what users have accounts on the machine). Such information can often be useful in staging a later attack. |
Denial Of Service | An attacker who has the ability to send packets to a machine denies others access to the resources or services of that machine. |
| Solaris (BSM) | SunOS | Linux |
---|---|---|---|
User=>Root | Eject, Ffbconfig, Fdformat, Ps | Loadmodule | Perl, Xterm |
Remote=>Local | Dictionary, Ftp-write, Guest, Phf, Xlock, Xsnoop | Dictionary, Ftp-write, Guest, Phf, Xlock, Xsnoop | Dictionary, Ftp-write, Guest, Phf, Xlock, Xsnoop, Named, Sendmail, Imap |
Denial Of Service | Apache2, Back, Mailbomb, Neptune (syn flood), Ping Of Death, Process Table, Smurf, Syslogd, UDP Storm | Apache2, Back, Mailbomb, Neptune (syn flood), Ping Of Death, Process Table, Smurf, Land, UDP Storm | Apache2, Back, Mailbomb, Neptune (syn flood), Ping Of Death, Process Table, Smurf, Teardrop, UDP Storm |
Surveillance/Probing | IP Sweep, Mscan, Nmap, Portsweep, Saint, Satan | IP Sweep, Mscan, Nmap, Portsweep, Saint, Satan | IP Sweep, Mscan, Nmap, Portsweep, Saint, Satan |
Denial of Service
Usually Denial of Service attacks cannot be made stealthy. One possible method of trying to hide your actions is to gain the cooperation of a large group and break up the attack so pieces of it are coming from several different sources.
Probe
Several methods have been identified for either hiding the fact that a probe is occurring, or hiding the identity of the party who is doing the scanning. If we want to hide the fact that a probe is occurring, our simplest option is to let the probe occur slowly and make sure that it does not perform a linear sweep but that its behavior is more erratic. An intrusion detection system is going to have a very hard time identifying one stray connection per hour to some random port as a port sweep. Another method of scanning stealthily is to probe with half-open connections. A connection for which the three-way TCP handshake is never completed will not be logged by the operating system. There are several tools available which will do half-open or FIN scanning of a network.
One way of hiding your identity is to use a so-called FTP bounce probe. Some FTP servers will allow anyone to tell them to send data to a particular port on a particular machine. A hacker can look at the response the FTP server gives from such a request and ascertain whether that port is listening on the victim machine. The portscan will appear to be coming from an anonymous FTP server, and this simple step may be enough to assure that the party who is really doing the scanning is never identified.
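The two sensor-side evasions just described, a slow and erratic sweep and half-open connections that the host never logs, are what a detector has to be built around: it needs per-source state over a long window and it must count distinct destination ports rather than completed sessions. The following is an added example, not code from the original page or from the evaluation. The connection records, the window length and the threshold are constructed for the demonstration; the addresses are borrowed from the schedule below.

```python
"""Slow-sweep detector: an added example, not code from the original page.

Keeps state per (source, destination) pair over a long window and counts
distinct destination ports, including half-open (SYN-only) attempts, so that
one stray probe per hour still adds up to a sweep.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)        # look-back per (source, destination) pair
DISTINCT_PORT_THRESHOLD = 8         # distinct ports inside the window that count as a sweep
SHORT_WINDOW = timedelta(hours=1)   # a naive detector's window, kept for comparison

def detect_slow_sweeps(records, window=WINDOW, threshold=DISTINCT_PORT_THRESHOLD):
    """Return {(src, dst): (distinct_ports, half_open)} for every pair whose
    attempts touch >= threshold distinct ports within `window`.
    records: iterable of (timestamp, src, dst, dst_port, handshake_completed)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, completed in records:
        by_pair[(src, dst)].append((ts, port, completed))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ports = {port for _, port, _ in span}
            if len(ports) >= threshold:
                half_open = sum(1 for _, _, done in span if not done)
                best = alerts.get(pair)
                if best is None or len(ports) > best[0]:
                    alerts[pair] = (len(ports), half_open)
    return alerts

def build_sample_records():
    """Constructed connection records (addresses borrowed from the schedule)."""
    base = datetime(1998, 6, 1, 8, 0, 0)
    recs = []
    # erratic scanner: one half-open probe roughly every hour, ports in no order
    for i, port in enumerate([8080, 21, 6000, 111, 2049, 23, 515, 79, 143, 512, 513, 25]):
        recs.append((base + timedelta(hours=i, minutes=(7 * i) % 60),
                     "207.253.84.13", "linux2", port, False))
    # ordinary client: many completed connections, but only to telnet and http
    for i in range(30):
        recs.append((base + timedelta(minutes=10 * i),
                     "172.16.112.50", "linux2", 23 if i % 2 else 80, True))
    return recs

SAMPLE_RECORDS = build_sample_records()

if __name__ == "__main__":
    for win in (SHORT_WINDOW, WINDOW):
        print(f"window={win}: {detect_slow_sweeps(SAMPLE_RECORDS, window=win)}")
```

With the one-hour window the scanner never shows more than two ports at once and nothing fires; with the 24-hour window the same records produce one alert for the scanner, listing twelve distinct ports, all of them half-open, while the chatty but legitimate client stays quiet because it only ever touches two ports.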
User=>Root
Some IDS's that attempt to detect illegal User=>Root transitions rely on keyword spotting to detect intruders. For example, if the system sees the text of the C file for the publicly available Eject exploit come across a telnet or rlogin session it may flag this session as being suspicious. By uuencoding or MIME encoding the text of the code before sending it over the network connection, an attacker would avoid detection by such a system. It is also possible to identify attacks by looking at the output that is displayed on the terminal when the exploit is run. An attacker can avoid detection by this mechanism by sending all the output of the commands he runs to a file and encoding the file before displaying or transferring it.
A system might also look for an attacker to run some command which only root should be able to run, such as displaying the contents of the shadow password file. If an attacker wishes to hide from someone who is looking for certain suspicious commands or actions, he can obfuscate the invocation of these commands by using glob constructs and character replacement. Instead of typing the command "/bin/cat /etc/passwd", the attacker can issue the command "/[r,s,t,b]?[l,w,n,m]/[c,d]?t /?t[c,d,e]/*a?s*". When the shell tries to interpret this input string it will do replacement of the glob characters and find that the only valid match for this string is "/bin/cat /etc/passwd".
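A keyword-spotting detector can cover both evasions above, encoding and glob obfuscation, by normalizing the session text before it matches. The following is an added example, not code from the original page: it decodes base64 and uuencoded blobs found in a session, and expands glob tokens the way a shell would, but against a constructed inventory of sensitive paths rather than the live filesystem, so it runs offline. The inventory, the keyword list and the sample sessions (the first of which is the command given in the text) are assumptions made for the demonstration.

```python
"""Normalize session text before keyword matching: an added example, not code
from the original page. Handles payloads that were base64/uuencoded before
transfer and commands obfuscated with shell globs."""
import base64
import binascii
import fnmatch
import re

# Constructed inventory of paths a defender cares about; glob tokens are expanded
# against this list instead of the real filesystem (assumption for the demo).
SENSITIVE_PATHS = ["/bin/cat", "/bin/sh", "/etc/passwd", "/etc/shadow",
                   "/etc/hosts.equiv", "/root/.rhosts"]
# Constructed keyword list of the kind a keyword-spotting IDS might use.
KEYWORDS = ["eject", "/etc/passwd", "/etc/shadow", "/root/.rhosts"]

B64_TOKEN = re.compile(r"(?<!\S)[A-Za-z0-9+/]{16,}={0,2}(?!\S)")
UU_BEGIN = re.compile(r"^begin [0-7]{3} \S+")
GLOB_CHARS = set("*?[")

def glob_matches(pattern, path):
    """Shell-style match: '*', '?' and '[...]' never cross a '/' (plain fnmatch would)."""
    p_parts, f_parts = pattern.split("/"), path.split("/")
    return len(p_parts) == len(f_parts) and all(
        fnmatch.fnmatchcase(f, p) for p, f in zip(p_parts, f_parts))

def canonicalize(cmdline, inventory=SENSITIVE_PATHS):
    """Replace each glob token with its inventory matches, as the shell would
    expand it; a token that matches nothing stays literal, which is what sh does."""
    out = []
    for tok in cmdline.split():
        if GLOB_CHARS & set(tok):
            matches = sorted(p for p in inventory if glob_matches(tok, p))
            out.append(" ".join(matches) if matches else tok)
        else:
            out.append(tok)
    return " ".join(out)

def decode_views(text):
    """Yield the raw text plus the decoded form of every base64 or uuencoded blob in it."""
    yield text
    for m in B64_TOKEN.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("ascii", "replace")
        except (binascii.Error, ValueError):
            continue
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if UU_BEGIN.match(lines[i]):
            data = bytearray()
            i += 1
            while i < len(lines) and lines[i] != "end":
                try:
                    data += binascii.a2b_uu(lines[i])
                except binascii.Error:
                    break
                i += 1
            yield data.decode("ascii", "replace")
        i += 1

def scan_session(text, keywords=KEYWORDS):
    """Return the keywords present in any de-obfuscated view of the session."""
    hits = set()
    for view in decode_views(text):
        for line in view.splitlines():
            canon = canonicalize(line)
            hits.update(kw for kw in keywords if kw in canon)
    return hits

def uuencode(data, name="payload.c"):
    """Minimal uuencoder, used only to build the constructed sample below."""
    lines = [f"begin 644 {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    return "\n".join(lines + ["`", "end"])

# Constructed sample sessions (the first is the command given in the text).
OBFUSCATED_CMD = "/[r,s,t,b]?[l,w,n,m]/[c,d]?t /?t[c,d,e]/*a?s*"
BASE64_SESSION = base64.b64encode(
    b"/* eject exploit source: constructed placeholder for the demo */").decode()
UU_SESSION = uuencode(b"cat /etc/shadow > /tmp/.x\n")

if __name__ == "__main__":
    print(canonicalize(OBFUSCATED_CMD))
    for session in (OBFUSCATED_CMD, BASE64_SESSION, UU_SESSION):
        print(sorted(scan_session(session)))
```

Matching component by component is deliberate: Python's plain fnmatch lets `*` cross a `/`, so a C comment opener such as `/*` would otherwise expand to every path in the inventory and produce false hits. The obfuscated command resolves to exactly `/bin/cat /etc/passwd` because each token has a single match in the inventory, which is the same uniqueness the shell relies on.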
Finally, we might be able to avoid detection (or at least reduce the chances of identification), by separating the time of exploit from the initial time of access. This can be accomplished by submitting a job to the "at" or "cron" daemon which will run the attack at some later time. It would be possible for an attacker to log in as a normal user (which would not be noticed by an IDS) and submit a shell script to the "at" daemon which would execute any actions that the attacker desired three weeks (or six months, or five years!) after the attacker initially logged into the system. In the extreme case, an attacker could package up the whole session into one shell script which would:
Remote=>Local
Many Remote=>Local attacks have a unique signature that is hard to alter. In a dictionary-based password guessing attack the user simply must connect to a service many times and try different passwords. If an attacker wants to gain access to a machine by remotely overflowing the IMAP service they have to transmit the code that overflows the buffer across the network in the clear. For this reason we have fewer options for making Remote=>Local attacks stealthy than we did with the User=>Root attacks. However, once we have gained access and are interacting with a shell, all the same methods that were outlined in the User=>Root case can be used to hide the actions of an attacker who has gained access by using a Remote=>Local exploit.
Command / Action | Why an attacker runs it |
---|---|
id | An attacker would use "id" to check whether an exploit had gotten them root access. |
cat /etc/passwd, cat /etc/shadow | Once the attacker has collected the contents of the password file he can then try to crack passwords after he has disconnected. |
netstat | An attacker might be interested in what network services a host offers. |
mount, showmount | Usually an attacker would run these commands to look for NFS mounted drives that might give them access to another machine or additional data. |
cat /etc/hosts.equiv | This is the list of trusted machines. By adding his own machine to this list of trusted hosts an attacker can assure himself later access. |
Creation of a suid root shell | By making a copy of /bin/sh or some other shell and setting its permissions so the file is suid root, the attacker can guarantee that they will later be able to get root access as long as they can get normal user access to the machine. |
w, who | An attacker who is trying to avoid detection will be very concerned with who else is on the system. |
cat /var/log/syslog (or other logfiles) | An attacker who wants to remain undetected will check logfiles and clean up any evidence of a break-in that was left in these files. |
Editing .rhosts | The .rhosts file is similar to /etc/hosts.equiv in that it specifies trusted hosts. If an attacker can add the string "+ +" to /root/.rhosts the system will allow anyone to perform remote commands (rsh, rlogin, rcp, etc.) as root on that system. |
uname | The uname command will give an attacker information about the hardware and operating system of the host they are logged in to. |
Starting up new services | An attacker may start a new listening port for later access to the machine. They may start up the tftp service which will later allow them to read any world-readable file on the system without authenticating themselves. They may bind a second listening telnet daemon to some port other than 23 to get around a firewall. Or, an attacker may set up netcat to listen on a port and give them a shell, or provide them with some piece of information whenever someone connects to that port and supplies the "magic word". The options for this type of action are boundless. For some examples look at the netcat README available at http://l0pht.com/~weld/netcat/readme.html. |
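Two rows of that table describe artifacts that stay on the host and can be checked for after the fact: a "+ +" wildcard in /root/.rhosts or /etc/hosts.equiv, and a setuid-root copy of a shell. The following is an added example, not code from the original page: it audits a directory tree for both, identifying setuid files by comparing their hashes with the known shell binaries rather than trusting file names. It runs over a constructed tree under a temporary directory; the directory lists, the shell list and the tree contents are assumptions made for the demonstration, and on a live host one would pass "/" as the root and leave owner_uid at 0.

```python
"""Host audit for two persistence artifacts from the table above: an added
example, not code from the original page."""
import hashlib
import os
import shutil
import stat
import tempfile

# Assumed locations, relative to the audited root; adjust for the host being checked.
TRUST_FILES = ("etc/hosts.equiv", "root/.rhosts")
KNOWN_SHELLS = ("bin/sh", "bin/bash", "bin/csh", "bin/ksh", "bin/tcsh")
SEARCH_DIRS = ("tmp", "var/tmp", "dev", "home", "usr/local/bin")

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def wildcard_trust_entries(root):
    """Entries in hosts.equiv / root's .rhosts whose host field is '+', which trusts
    every host ('+ +' also trusts every user). Returns (file, line number, entry)."""
    findings = []
    for rel in TRUST_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                fields = line.split()
                if fields and fields[0] == "+":
                    findings.append((rel, lineno, " ".join(fields)))
    return findings

def setuid_shell_copies(root, owner_uid=0, search_dirs=SEARCH_DIRS):
    """Setuid files owned by owner_uid whose content is byte-identical to a known
    shell. Matching by hash catches copies hidden under arbitrary names."""
    shell_hashes = {}
    for rel in KNOWN_SHELLS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            shell_hashes[_sha256(path)] = rel
    findings = []
    for d in search_dirs:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)      # lstat: never follow a planted symlink
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not (st.st_mode & stat.S_ISUID) or st.st_uid != owner_uid:
                    continue
                match = shell_hashes.get(_sha256(path))
                if match:
                    findings.append((os.path.relpath(path, root), match))
    return sorted(findings)

def build_sample_tree():
    """Constructed tree containing both artifacts plus a benign setuid file."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    for d in ("etc", "root", "bin", "tmp", "home/guest"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "etc/hosts.equiv"), "w") as f:
        f.write("calvin\nmars\n")
    with open(os.path.join(root, "root/.rhosts"), "w") as f:
        f.write("marx root\n+ +\n")          # second line: anyone, from anywhere, as root
    shell = os.path.join(root, "bin/sh")
    with open(shell, "wb") as f:
        f.write(b"#!constructed stand-in for the shell binary\n")
    hidden = os.path.join(root, "tmp/.x")
    shutil.copyfile(shell, hidden)
    os.chmod(hidden, 0o4755)                 # setuid copy of the shell
    benign = os.path.join(root, "home/guest/notes.txt")
    with open(benign, "w") as f:
        f.write("not a shell\n")
    os.chmod(benign, 0o4755)                 # setuid but not a shell: must not be reported
    return root

def audit_sample():
    """Run both checks over the constructed tree. owner_uid is the current user
    because the demo cannot create root-owned files. Returns (trust, setuid)."""
    root = build_sample_tree()
    try:
        return wildcard_trust_entries(root), setuid_shell_copies(root, owner_uid=os.getuid())
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(audit_sample())
```

The hash comparison is what makes the second check useful: the table's attacker copies the shell under a name of their choosing, so a name-based search for "sh" finds nothing, while a content match reports the copy wherever it was placed and whatever it was called.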
Week | Day | Time | AID | Comp | Attack Name | Worked? | Run By | Stealth | Source Machine | Dest Machine | Where |
---|---|---|---|---|---|---|---|---|---|---|---|
1 | Mon | 09:19:37 | 1 | s | multihop | almost | script | clear | 206.229.221.82 | marx | tcp |
1 | Mon | 10:51:21 | 2 | * | portsweep | yes | script | clear | 207.136.86.223 | marx | tcp |
1 | Mon | 14:49:52 | 3 | * | pod | yes | script | clear | 207.103.80.104 | marx | tcp |
1 | Mon | 16:08:16 | 4 | * | teardrop | yes | script | clear | 123.123.123.123 | zeno | tcp |
1 | Mon | 16:46:28 | 5 | * | syslog | yes | script | clear | 1.1.1.1 | pascal | tcp |
1 | Mon | 17:12:52 | 6 | s | ps | almost | script | clear | 209.154.98.104 | pascal | tcp,bsm |
1 | Mon | 17:12:52 | 6 | b | ps | almost | script | clear | 209.154.98.104 | pascal | tcp,bsm |
1 | Tues | 08:31:46 | 7 | * | satan | yes | script | clear | 153.107.252.61 | marx | tcp |
1 | Tues | 09:11:57 | 8 | * | format | yes | script | stealthy | 209.74.60.168 | pascal | tcp,bsm |
1 | Tues | 10:11:30 | 9 | * | apache2 | yes | script | clear | 207.181.92.211 | marx | tcp |
1 | Tues | 10:56:55 | 10 | * | worm | partial | script | clear | 194.27.251.21 | eagle | tcp |
1 | Tues | 15:44:55 | 11 | * | format | yes | script | clear | 194.27.251.21 | pascal | tcp,bsm |
1 | Tues | 17:25:00 | 12 | * | sqlattack | yes | script | clear | 135.13.216.191 | falcon | tcp |
1 | Tues | 18:15:57 | 13 | * | neptune | yes | script | clear | 166.102.114.43 | zeno | tcp |
1 | Tues | 19:43:50 | 14 | * | smurf | yes | script | clear | 100subs | marx | tcp |
1 | Wed | 08:15:13 | 15 | s | multihop | yes | human | clear | 206.229.221.82 | marx | tcp |
1 | Wed | 09:32:05 | 16 | s | httptunnel | yes | human | clear | 197.182.91.233 | pascal | tcp,bsm |
1 | Wed | 10:34:10 | 17 | * | nmap | yes | human | stealthy | 207.253.84.13 | linux2 | tcp |
1 | Wed | 15:21:15 | 18 | e | sendmail | almost | script | clear | 208.254.251.132 | marx | tcp |
1 | Wed | 15:21:15 | 18 | b | sendmail | almost | script | clear | 208.254.251.132 | marx | tcp |
1 | Wed | 16:30:05 | 19 | * | teardrop | yes | script | clear | 123.123.123.123 | zeno | tcp |
1 | Wed | 19:19:00 | 20 | * | xterm | normal | script | clear | 197.182.91.233 | linux1 | tcp |
1 | Wed | 20:07:38 | 21 | * | smurf | yes | script | clear | 199.174.194 | marx | tcp |
1 | Wed | 21:52:01 | 22 | * | eject | yes | script | stealthy | 153.10.8.174 | pascal | tcp,bsm |
1 | Thurs | 09:00:08 | 23 | * | snmpguess | almost | script | clear | 207.230.054.203 | loud | tcp |
1 | Thurs | 09:08:22 | 24 | * | perlmagic | almost | script | clear | 166.102.114.43 | marx | tcp |
1 | Thurs | 10:16:10 | 25 | * | pod | yes | script | clear | 152.204.242.193 | * | tcp |
1 | Thurs | 10:23:19 | 26 | * | nmap | yes | human | stealthy | 207.253.84.13 | linux2 | tcp |
1 | Thurs | 10:33:08 | 27 | e | named | yes | human | clear | 152.169.215.104 | linux | tcp |
1 | Thurs | 10:33:08 | 27 | b | named | yes | human | clear | 152.169.215.104 | linux | tcp |
1 | Thurs | 10:33:08 | 27 | a | named | yes | human | clear | 152.169.215.104 | linux | tcp |
1 | Thurs | 14:32:32 | 28 | * | eject | yes | script | stealthy | 194.7.248.153 | pascal | tcp,bsm |
1 | Thurs | 14:45:13 | 29 | * | land | yes | script | clear | zeno | zeno | tcp |
1 | Thurs | 15:10:48 | 30 | * | smurf | yes | script | clear | 10subs | linux3 | tcp |
1 | Thurs | 18:26:01 | 31 | * | satan | normal | script | clear | 135.13.216.191 | zeno | tcp |
1 | Thurs | 22:23:17 | 32 | * | snmpgetattack | almost | script | clear | 208.239.005.230 | loud | tcp |
1 | Fri | 08:03:06 | 33 | * | snmpgetattack | yes | script | clear | 207.230.54.203 | loud | tcp |
1 | Fri | 09:27:09 | 34 | * | teardrop | yes | script | clear | 194.7.248.153 | marx | tcp |
1 | Fri | 10:06:37 | 35 | * | format | yes | script | stealthy | 194.7.248.153 | pascal | tcp,bsm |
1 | Fri | 12:41:54 | 36 | * | back | yes | script | clear | 204.97.153.43 | marx | tcp |
1 | Fri | 14:41:28 | 37 | * | neptune | yes | script | clear | 9.9.9.9 | pascal | tcp |
1 | Fri | 19:20:35 | 38 | * | processtable | yes | script | clear | calvin | pascal | tcp,bsm |
1 | Fri | 19:50:59 | 39 | * | neptune | yes | script | clear | 10.20.30.40 | pascal | tcp |
2 | Mon | 08:03:07 | 40 | * | snmpgetattack | yes | script | clear | 207.230.54.203 | loud | tcp |
2 | Mon | 08:55:02 | 41 | b | named | yes | human | clear | calvin | marx | tcp |
2 | Mon | 08:55:02 | 41 | a | named | yes | human | clear | calvin | marx | tcp |
2 | Mon | 09:11:04 | 42 | b | xlock | yes | human | clear | 194.7.248.153 | marx | tcp |
2 | Mon | 09:11:04 | 42 | a | xlock | yes | human | clear | 194.7.248.153 | marx | tcp |
2 | Mon | 09:27:27 | 43 | b | xlock | yes | human | clear | 194.7.248.153 | pascal | tcp |
2 | Mon | 09:27:27 | 43 | a | xlock | yes | human | clear | 194.7.248.153 | pascal | tcp,bsm |
2 | Mon | 09:30:41 | 44 | * | smurf | yes | script | clear | 10subs | pascal | tcp |
2 | Mon | 09:36:10 | 45-1 | e | multihop | yes | human | clear | 206.229.221.82 | marx | tcp |
2 | Mon | 09:36:10 | 45-1 | b | multihop | yes | human | clear | 206.229.221.82 | marx | tcp |
2 | Mon | 09:36:10 | 45-2 | s | multihop | yes | human | clear | 206.229.221.82 | marx | tcp |
2 | Mon | 09:36:07 | 46 | * | ipsweep | yes | script | clear | 204.97.153.43 | * | tcp |
2 | Mon | 09:38:58 | 47 | b | xsnoop | yes | human | clear | 194.27.251.21 | pascal | tcp |
2 | Mon | 09:38:58 | 47 | a | xsnoop | yes | human | clear | 194.27.251.21 | pascal | tcp |
2 | Mon | 09:54:39 | 48 | e | named | yes | human | clear | 204.97.153.43 | linux1 | tcp |
2 | Mon | 09:54:39 | 48 | b | named | yes | human | clear | 204.97.153.43 | linux1 | tcp |
2 | Mon | 09:54:39 | 48 | a | named | yes | human | clear | 204.97.153.43 | linux1 | tcp |
2 | Mon | 10:34:11 | 49 | * | smurf | yes | script | clear | all.attackers | marx | tcp |
2 | Mon | 10:43:55 | 50 | b | sendmail | almost | script | clear | 207.230.54.203 | marx | tcp |
2 | Mon | 10:43:55 | 50 | e | sendmail | almost | script | clear | 207.230.54.203 | marx | tcp |
2 | Mon | 10:43:55 | 50 | a | sendmail | almost | script | clear | 207.230.54.203 | marx | tcp |
2 | Mon | 10:58:11 | 52 | * | dict | normal | human | clear | 205.160.208.190 | pascal | tcp, |
2 | Mon | 11:01:23 | 53 | * | saint | yes | human | clear | calvin | pascal | tcp,bsm |
2 | Mon | 11:15:16 | 54 | * | eject | yes | human | stealthy | 197.218.177.69 | pascal | tcp,bsm |
2 | Mon | 14:01:26 | 55 | * | portsweep | yes | script | clear | 202.247.224.89 | pascal | tcp |
2 | Mon | 15:21:20 | 56 | b | sendmail | almost | script | clear | 208.254.251.132 | marx | tcp |
2 | Mon | 15:21:20 | 56 | e | sendmail | almost | script | clear | 208.254.251.132 | marx | tcp |
2 | Mon | 15:21:20 | 56 | a | sendmail | almost | script | clear | 208.254.251.132 | marx | tcp |
2 | Mon | 16:11:36 | 57 | * | pod | yes | script | clear | 207.103.80.104 | pascal | tcp |
2 | Mon | 18:20:01 | 51 | * | pod | partial | script | clear | 206.222.3.197 | * | tcp |
2 | Mon | 18:22:34 | 58 | * | apache2 | yes | script | clear | 196.227.33.189 | marx | tcp |
2 | Mon | 19:18:07 | 59 | * | xterm | normal | script | clear | 197.182.91.233 | linux1 | tcp |
2 | Mon | 20:46:48 | 60 | * | format | yes | script | clear | 195.73.151.50 | pascal | tcp,bsm |
2 | Mon | 20:58:00 | 61 | * | phf | normal | script | clear | 208.254.251.132 | marx | tcp |
2 | Mon | 21:06:52 | 62 | * | udpstorm | yes | script | clear | 172.16.112.50 | zeno | tcp |
2 | Mon | 23:10:31 | 63 | * | format | yes | script | clear | 202.49.244.10 | pascal | tcp,bsm |
2 | Mon | 23:16:43 | 64 | * | smurf | yes | script | clear | 152.169.215,202.77.162 | marx | tcp |
2 | Mon | 23:26:37 | 65 | * | smurf | yes | script | ttl | 255.255.255.255.et.al | pascal | tcp |
2 | Tues | 08:08:29 | 66-1 | * | warezmaster | yes | script | clear | 200.27.121.118 | pascal | tcp,bsm |
2 | Tues | 08:27:28 | 68 | * | portsweep | yes | script | clear | 135.8.60.182 | marx | tcp |
2 | Tues | 09:00:19 | 69 | a | multihop | yes | script | clear | 206.229.221.82 | marx | tcp |
2 | Tues | 09:08:32 | 70 | * | perlmagic | yes | script | clear | 166.102.114.43 | marx | tcp |
2 | Tues | 09:09:03 | 71 | b | xsnoop | yes | human | clear | 200.27.121.118 | pascal | tcp |
2 | Tues | 09:09:03 | 71 | a | xsnoop | yes | human | clear | 200.27.121.118 | pascal | tcp,bsm |
2 | Tues | 10:33:08 | 72 | * | pod | yes | script | clear | 209.30.70.14 | linux1 | tcp |
2 | Tues | 11:20:57 | 73 | * | guest | almost | script | clear | 195.73.151.50 | pascal | tcp |
2 | Tues | 11:23:37 | 74 | * | dict | yes | script | clear | 208.239.5.230 | marx | tcp |
2 | Tues | 11:55:17 | 75-1 | s | format | yes | script | stealthy | 209.30.71.165 | pascal | tcp,bsm |
2 | Tues | 11:55:17 | 75-3 | b | format | yes | script | stealthy | 209.30.71.165 | pascal | tcp,bsm |
2 | Tues | 12:14:12 | 76 | e | sendmail | yes | script | clear | 204.97.153.43 | marx | tcp |
2 | Tues | 12:14:12 | 76 | b | sendmail | yes | script | clear | 204.97.153.43 | marx | tcp |
2 | Tues | 12:14:12 | 76 | a | sendmail | yes | script | clear | 204.97.153.43 | marx | tcp |
2 | Tues | 13:20:35 | 77 | * | eject | yes | script | clear | 195.115.218.108 | pascal | tcp,bsm |
2 | Tues | 15:17:26 | 78 | * | satan | yes | script | clear | 208.253.77.185 | zeno | tcp |
2 | Tues | 17:33:53 | 79 | * | xterm | almost | script | stealthy | 194.27.251.21 | linux1 | tcp |
2 | Tues | 17:36:25 | 80 | * | mscan | yes | script | clear | 207.75.239.115 | * | tcp,bsm |
2 | Tues | 18:04:07 | 81 | * | processtable | yes | script | clear | calvin | pascal | tcp,bsm |
2 | Tues | 19:19:27 | 82 | * | xterm | almost | script | clear | 197.182.91.233 | linux1 | tcp |
2 | Tues | 21:03:36 | 83 | * | smurf | yes | script | ttl | 209.1.12.* | linux2 | tcp |
2 | Wed | 08:03:06 | 84 | * | snmpgetattack | yes | script | clear | 207.230.54.203 | loud | tcp |
2 | Wed | 08:15:06 | 66-3 | * | warezclient | yes | script | clear | all.attackers | pascal | tcp,bsm |
2 | Wed | 09:39:29 | 86 | * | xterm | almost | human | clear | 209.167.99.71 | linux1 | tcp |
2 | Wed | 10:06:44 | 87 | e | ps | yes | human | clear | 209.154.98.104 | pascal | tcp,bsm |
2 | Wed | 10:06:44 | 87 | s | ps | yes | human | clear | 209.154.98.104 | pascal | tcp |
2 | Wed | 10:06:44 | 87 | b | ps | yes | human | clear | 209.154.98.104 | pascal | tcp,bsm |
2 | Wed | 10:16:15 | 88 | * | nmap | yes | human | stealthy | 207.253.84.13 | linux2 | tcp |
2 | Wed | 10:24:39 | 89 | * | dict | yes | script | stealthy | 152.169.215.104 | marx | tcp |
2 | Wed | 10:26:12 | 90 | b | xterm | yes | human | clear | 194.27.251.21 | linux1 | tcp |
2 | Wed | 10:26:12 | 90 | s | xterm | yes | human | clear | 194.27.251.21 | linux1 | tcp |
2 | Wed | 10:33:27 | 91 | b | rootkit | yes | human | clear | 153.10.8.174 | marx | tcp |
2 | Wed | 10:33:27 | 91 | a | rootkit | yes | human | clear | 153.10.8.174 | marx | tcp |
2 | Wed | 10:52:58 | 92 | * | xterm | yes | human | clear | 197.182.91.233 | linux1 | tcp |
2 | Wed | 11:11:28 | 93 | * | neptune | yes | script | ttl | 10.140.175.080 | zeno | tcp |
2 | Wed | 12:40:23 | 94 | * | udpstorm | yes | script | clear | pascal | zeno | tcp |
2 | Wed | 13:32:38 | 95 | * | loadmodule | yes | script | clear | 205.180.112.36 | zeno | tcp |
2 | Wed | 13:46:54 | 96 | * | syslog | yes | script | clear | 194.7.248.153 | pascal | tcp |
2 | Wed | 14:10:49 | 97 | b | xlock | almost | human | clear | 197.218.177.69 | pascal | tcp |
2 | Wed | 14:10:49 | 97 | a | xlock | almost | human | clear | 197.218.177.69 | pascal | tcp,bsm |
2 | Wed | 14:12:44 | 98 | * | xterm | almost | script | stealthy | 135.13.216.191 | linux1 | tcp |
2 | Wed | 14:36:15 | 99 | * | imap | yes | human | clear | calvin | marx | tcp |
2 | Wed | 14:40:57 | 100 | * | xlock | almost | human | clear | 197.218.177.69 | pascal | tcp |
2 | Wed | 15:46:55 | 101 | * | back | yes | script | clear | 209.117.157.183 | marx | tcp |
2 | Wed | 19:26:57 | 102 | s | ps | yes | script | clear | 197.218.177.69 | pascal | tcp |
2 | Wed | 19:26:57 | 102 | b | ps | yes | script | clear | 197.218.177.69 | pascal | tcp,bsm |
2 | Wed | 20:07:16 | 103 | * | ipsweep | yes | script | clear | 194.7.248.153 | * | tcp |
2 | Wed | 20:59:25 | 104 | * | ffb | yes | script | clear | 208.239.5.230 | pascal | tcp,bsm |
2 | Thurs | 08:03:06 | 105 | * | snmpgetattack | yes | script | clear | 207.230.54.203 | loud | tcp |
2 | Thurs | 08:15:05 | 66-4 | * | warezclient | yes | script | clear | all.attackers | pascal | tcp,bsm |
2 | Thurs | 08:29:54 | 107 | * | dict | almost | human | clear | calvin | marx | tcp |
2 | Thurs | 09:00:09 | 108 | a | multihop | yes | script | clear | 206.229.221.82 | pascal | tcp |
2 | Thurs | 09:15:00 | 147 | s | eject | yes | human | at | 135.008.060.182 | pascal | tcp,bsm |
2 | Thurs | 09:36:05 | 109 | * | portsweep | yes | script | stealthy | 195.73.151.50 | pascal | tcp |
2 | Thurs | 09:41:52 | 110 | * | nmap | yes | human | stealthy | 207.253.84.13 | linux2 | tcp |
2 | Thurs | 10:44:06 | 106 | b | sendmail | yes | script | clear | 207.230.54.203 | marx | tcp |
2 | Thurs | 10:44:06 | 106 | e | sendmail | yes | script | clear | 207.230.54.203 | marx | tcp |
2 | Thurs | 10:44:06 | 106 | a | sendmail | yes | script | clear | 207.230.54.203 | marx | tcp |
2 | Thurs | 11:37:27 | 111 | * | loadmodule | yes | script | clear | 135.13.216.191 | zeno | tcp |
2 | Thurs | 11:59:43 | 112 | * | eject | yes | human | clear | 197.182.91.233 | pascal | tcp,bsm |
2 | Thurs | 12:30:03 | 113-1 | e | httptunnel | yes | human | clear | pascal | calvin | tcp |
2 | Thurs | 12:30:03 | 113-1 | a | httptunnel | yes | human | clear | pascal | calvin | tcp |
2 | Thurs | 13:30:49 | 114 | * | neptune | yes | script | clear | 209.74.60.168 | zeno | tcp |
2 | Thurs | 13:42:55 | 115 | * | eject | yes | human | clear | 197.182.91.233 | pascal | tcp,bsm |
2 | Thurs | 14:36:02 | 116 | * | worm | partial | script | clear | 194.27.251.21 | eagle | tcp |
2 | Thurs | 17:56:34 | 117 | * | processtable | yes | script | clear | calvin | pascal | tcp,bsm |
2 | Thurs | 19:33:05 | 118 | * | satan | normal | script | clear | 202.72.1.77 | zeno | tcp |
2 | Thurs | 20:15:14 | 119 | * | neptune | yes | script | clear | 135.13.216.191 | pascal | tcp |
2 | Thurs | 21:13:12 | 120 | * | format | yes | script | stealthy | 206.186.80.111 | pascal | tcp,bsm |
2 | Thurs | 21:14:46 | 121 | * | mailbomb | yes | script | clear | 204.233.47.21 | pascal | tcp,bsm |
2 | Thurs | 23:26:16 | 122 | * | portsweep | yes | script | stealthy | 128.223.199.68 | zeno | tcp |
2 | Thurs | 02:02:57 | 123 | * | xterm | almost | script | stealthy | 209.154.98.104 | linux1 | tcp |
2 | Thurs | 02:09:29 | 124 | * | dict | almost | script | stealthy | 152.169.215.104.et.al | marx | tcp |
2 | Fri | 08:04:11 | 125 | * | snmpgetattack | yes | script | clear | 207.230.54.203 | loud | tcp |
2 | Fri | 08:16:11 | 66-5 | * | warezclient | yes | script | clear | all.attackers | pascal | tcp,bsm |
2 | Fri | 08:43:22 | 127 | e | xterm | yes | human | clear | calvin,209.167.99.71 | linux1 | tcp |
2 | Fri | 08:43:22 | 127 | b | xterm | yes | human | clear | calvin,209.167.99.71 | linux1 | tcp |
2 | Fri | 08:43:22 | 127 | s | xterm | yes | human | clear | calvin,209.167.99.71 | linux1 | tcp |
2 | Fri | 08:49:26 | 128 | b | ftp-write | yes | human | clear | 194.27.251.21 | pascal | tcp,bsm |
2 | Fri | 08:49:26 | 128 | a | ftp-write | yes | human | clear | 194.27.251.21 | pascal | tcp,bsm |
2 | Fri | 08:53:05 | 129 | b | ps | yes | human | clear | 207.136.86.223 | pascal | tcp,bsm |
2 | Fri | 08:53:05 | 129 | s | ps | yes | human | clear | 207.136.86.223 | pascal | tcp,bsm |
2 | Fri | 09:01:08 | 113-3 | e | httptunnel | yes | human | stealthy | pascal | mars | tcp |
2 | Fri | 09:01:08 | 113-3 | a | httptunnel | yes | human | stealthy | pascal | mars | tcp |
2 | Fri | 09:03:57 | 130 | b | rootkit | yes | human | clear | 135.8.60.182 | pascal | tcp,bsm |
2 | Fri | 09:03:57 | 130 | s | rootkit | yes | human | clear | 135.8.60.182 | pascal | tcp,bsm |
2 | Fri | 09:03:57 | 130 | a | rootkit | yes | human | clear | 135.8.60.182 | pascal | tcp,bsm |
2 | Fri | 09:33:40 | 132 | * | teardrop | yes | script | clear | 222.222.222.222 | marx | tcp |
2 | Fri | 09:33:41 | 133 | * | dict | almost | human | stealthy | 172.16.112.149 | mars | tcp |
2 | Fri | 10:20:15 | 134 | * | saint | yes | human | clear | 197.218.177.69 | * | tcp,bsm |
2 | Fri | 10:30:11 | 135 | * | neptune | yes | human | ttl | 18.28.38.48 | pascal | tcp |
2 | Fri | 12:27:21 | 136 | s | ps | yes | script | clear | 202.49.244.10 | pascal | tcp,bsm |
2 | Fri | 12:27:21 | 136 | b | ps | yes | script | clear | 202.49.244.10 | pascal | tcp,bsm |
2 | Fri | 12:48:24 | 137 | * | eject | yes | human | stealthy | 153.107.252.61 | pascal | tcp,bsm |
2 | Fri | 13:27:39 | 138 | * | land | yes | script | clear | eyrie | * | tcp |
2 | Fri | 14:11:41 | 139 | * | sqlattack | yes | script | clear | 153.10.8.174 | falcon | tcp |
2 | Fri | 14:41:11 | 140 | * | dict | almost | human | clear | 172.16.113.105 | mars | tcp |
2 | Fri | 16:22:02 | 141 | b | sendmail | yes | script | clear | 194.7.248.153 | marx | tcp |
2 | Fri | 16:22:02 | 141 | e | sendmail | yes | script | clear | 194.7.248.153 | marx | tcp |
2 | Fri | 16:22:02 | 141 | a | sendmail | yes | script | clear | 194.7.248.153 | marx | tcp |
2 | Fri | 16:46:15 | 142 | * | ipsweep | yes | script | clear | 135.13.216.191 | * | tcp |
2 | Fri | 17:48:37 | 143 | * | satan | normal | script | clear | 207.114.237.57 | zeno | tcp |
2 | Fri | 18:16:42 | 144 | * | pod | yes | script | clear | 196.227.33.189 | linux1 | tcp |
2 | Fri | 20:18:38 | 145 | * | phf | yes | script | clear | 197.182.91.233 | marx | tcp |
2 | Fri | 21:04:50 | 146 | * | apache2 | yes | script | clear | 202.72.1.77 | marx | tcp |
Column | Meaning |
---|---|
Week | The week (1 or 2) of the test data this attack ran on. |
Day | The day this attack ran on. |
Time | The time this attack ran. |
AID | The ID for this attack. Every attack gets a unique ID number. If an attack is responsible for multiple connections, each connection will have the same ID number. Multi-session attacks have a sequence number appended to their attack ID number in the form [AID]-[sequence number]. These sequence numbers are only used for attacks in which the connections are at significantly different times. |
Comp | For attacks which generate multiple connections, each connection is labeled with the attack components it contains. The possible labels are: |
Attack Name | The name of the attack. Clicking on an attack name will take you to the description of that attack. |
Worked | To what degree the attack succeeded. Possible values are: |
Run By | Whether the attack was run by an automated script or by hand. |
Stealth | Whether the attack was done in the clear or some effort was made to conceal it. |
Source Machine | The source IP address(es) of the attack. This is not necessarily the true machine the attack came from if the packets were forged. |
Dest Machine | The IP address of the machine the attacker connected to. A '*' indicates that the attack connected to multiple machines. |
Where | The data (bsm or tcpdump) which should contain evidence of the attack. |