Saturday, December 26, 2009

Is my computer sick?

About 12 hours ago a frantic race against the clock began for me. While I was writing my driver, with Wireshark open, I noticed PPTP traffic from my computer to a remote machine. That was surprising, because I have no application that is supposed to do that. A quick check suggested that I hadn't managed to catch the process responsible. Going through the logs, I found a really strange error in the outgoing mail server, but I saw that it was associated with the root user. The first thing I did was change all the passwords. I deleted the files I had prepared for the Hamakor server (even though the build had taken me two days). I started throwing things off my laptop.

The strange error that appeared in the mail log:

To: your@your_domain.org
Subject: Garbage cans out

Sunday evening, put out the garbage cans.

I disconnected from the network and ran chkrootkit and tiger:

Happily, no rootkit was found (?), but several files that are suid and guid were found. It also warned about the list of system users (bin, daemon and so on..).
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (games) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (man) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (news) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (oracle) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sshd does not have a valid shell (/usr/sbin/nologin).
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
--WARN-- [pass012w] Home directory /var/lib/sendmail exists multiple times (2) in /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).

But then I ran rkhunter and started to get scared:

System checks summary
=====================

File properties checks...
Files checked: 135
Suspect files: 0

Rootkit checks...
Rootkits checked : 245
Possible rootkits: 5
Rootkit names : Possible Lite5-r Rootkit, Xzibit Rootkit, Xzibit Rootkit, Xzibit Rootkit, Xzibit Rootkit

Applications checks...
Applications checked: 4
Suspect applications: 2

The system checks took: 4 minutes and 56 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Shit:

Found file '/tmp/.bash_history'. Possible rootkit: Possible Lite5-r Rootkit
[07:42:46] Warning: Checking for possible rootkit strings [ Warning ]
[07:42:46] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[07:42:46] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
[07:42:46] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
[07:42:47] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
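A way to triage these hits before panicking, added here as an example and not part of the original post: parse the "Found string/file" lines and compare each flagged file against the checksum its package recorded. The file contents and reference hashes below are constructed; on a real system they come from the files themselves and from dpkg's md5sums/Conffiles records.

```python
"""Triage rkhunter 'Possible rootkit' string/file warnings offline.

rkhunter's string check flags any file containing a signature string (here
'hdparm'), so a distribution's own init scripts trip the Xzibit check. What
matters is whether the flagged file still matches what the package manager
installed. On Debian-family systems that reference md5 is in
/var/lib/dpkg/info/<pkg>.md5sums or, for conffiles under /etc, in the
Conffiles: stanza of /var/lib/dpkg/status; here it is a plain dict.
"""
import hashlib
import re
from typing import Dict, Optional

WARN_RE = re.compile(
    r"^(?:\[\d\d:\d\d:\d\d\] )?"                  # optional [HH:MM:SS] prefix
    r"Found (?P<kind>string|file) '(?P<what>[^']+)'"
    r"(?: in file '(?P<path>[^']+)')?"
    r"\. Possible rootkit: (?P<rootkit>.+)$"
)


def parse_warning(line: str) -> Optional[dict]:
    """Split one rkhunter 'Found ...' warning into its fields, or return None."""
    m = WARN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["kind"] == "file":           # 'Found file' carries the path in 'what'
        d["path"], d["what"] = d["what"], None
    return d


def triage(w: dict, contents: Dict[str, bytes], reference_md5: Dict[str, str]) -> str:
    """false-positive: string hit in a packaged file whose md5 matches the reference
    modified:       packaged file whose md5 differs from the reference
    investigate:    unpackaged or unreadable file, or any 'Found file' hit
                    (a dropped file is never explained by a package)"""
    path = w["path"]
    if w["kind"] == "file" or path not in reference_md5 or path not in contents:
        return "investigate"
    if hashlib.md5(contents[path]).hexdigest() == reference_md5[path]:
        return "false-positive"
    return "modified"


def run_demo() -> Dict[str, str]:
    """Triage the post's warnings against constructed file data and hashes."""
    contents = {   # constructed; hdparm is pristine, bootlogd was altered after install
        "/etc/init.d/hdparm": b"#!/bin/sh\n# constructed init script\nhdparm -S 120 /dev/sda\n",
        "/etc/init.d/bootlogd": b"#!/bin/sh\n# constructed, altered\nhdparm\n",
        "/etc/init.d/.depend.boot": b"TARGETS = hdparm bootlogd\n",  # insserv output, unpackaged
    }
    reference_md5 = {
        "/etc/init.d/hdparm": hashlib.md5(contents["/etc/init.d/hdparm"]).hexdigest(),
        "/etc/init.d/bootlogd": "0" * 32,   # placeholder for the package's recorded md5
    }
    lines = [
        "Found file '/tmp/.bash_history'. Possible rootkit: Possible Lite5-r Rootkit",
        "[07:42:46] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit",
        "[07:42:46] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit",
        "[07:42:47] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit",
    ]
    return {w["path"]: triage(w, contents, reference_md5)
            for w in map(parse_warning, lines) if w}
```

A "false-positive" verdict only means the file is byte-identical to what the package shipped; the `/tmp/.bash_history` hit stays "investigate" because no package can explain a dropped file.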



Abbreviated output from Wireshark:

No. Time Source Destination Protocol Info
3 0.266937 10.0.0.77 64.235.211.233 PPTP UNKNOWN-CONTROL-TYPE

Frame 3 (460 bytes on wire, 460 bytes captured)
Arrival Time: Dec 26, 2009 01:15:30.195527000
[Time delta from previous captured frame: 0.266721000 seconds]
[Time delta from previous displayed frame: 0.266937000 seconds]
[Time since reference or first frame: 0.266937000 seconds]
Frame Number: 3
Frame Length: 460 bytes
Capture Length: 460 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:pptp:data]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: , Dst: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Destination: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Address: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source:
Address:
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.0.0.77 (10.0.0.77), Dst: 64.235.211.233 (64.235.211.233)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 446
Identification: 0x2d7d (11645)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xec9b [correct]
[Good: True]
[Bad : False]
Source: 10.0.0.77 (10.0.0.77)
Destination: 64.235.211.233 (64.235.211.233)
Transmission Control Protocol, Src Port: 42475 (42475), Dst Port: pptp (1723), Seq: 1, Ack: 1, Len: 394
Source port: 42475 (42475)
Destination port: pptp (1723)
[Stream index: 2]
Sequence number: 1 (relative sequence number)
[Next sequence number: 395 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 92
Checksum: 0x372a [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 35814040, TSecr 146400233
[SEQ/ACK analysis]
[Number of bytes in flight: 394]
Point-to-Point Tunnelling Protocol
Length: 10988
Message type: Unknown (57548)
Cookie: 0xc21e8e40 (incorrect)
Control type: UNKNOWN-CONTROL-TYPE (24618)
Reserved: 43063
Data (382 bytes)

Data: DFF860D503007FAAAD5AE27CB8F82258B0B4C23AD9706205... [Length: 382]

No. Time Source Destination Protocol Info
34 2.561218 64.235.211.233 10.0.0.77 TCP pptp > 42475 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452 TSV=146400833 TSER=35812282

Frame 34 (70 bytes on wire, 70 bytes captured)
Arrival Time: Dec 26, 2009 01:15:32.489808000
[Time delta from previous captured frame: 0.111148000 seconds]
[Time delta from previous displayed frame: 2.294281000 seconds]
[Time since reference or first frame: 2.561218000 seconds]
Frame Number: 34
Frame Length: 70 bytes
Capture Length: 70 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5), Dst:
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Address: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 64.235.211.233 (64.235.211.233), Dst: 10.0.0.77 (10.0.0.77)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 56
Identification: 0x1c99 (7321)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 112
Protocol: TCP (0x06)
Header checksum: 0xcf05 [correct]
[Good: True]
[Bad : False]
Source: 64.235.211.233 (64.235.211.233)
Destination: 10.0.0.77 (10.0.0.77)
Transmission Control Protocol, Src Port: pptp (1723), Dst Port: 42475 (42475), Seq: 0, Ack: 1, Len: 0
Source port: pptp (1723)
Destination port: 42475 (42475)
[Stream index: 2]
Sequence number: 0 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 36 bytes
Flags: 0x12 (SYN, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port pptp]
[Message: Connection establish acknowledge (SYN+ACK): server port pptp]
[Severity level: Chat]
[Group: Sequence]
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0x4201 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (16 bytes)
Maximum segment size: 1452 bytes
SACK permitted
Timestamps: TSval 146400833, TSecr 35812282

No. Time Source Destination Protocol Info
35 2.561282 10.0.0.77 64.235.211.233 TCP [TCP Dup ACK 3#1] 42475 > pptp [ACK] Seq=395 Ack=1 Win=92 Len=0 TSV=35814613 TSER=146400833 SLE=0 SRE=1

Frame 35 (78 bytes on wire, 78 bytes captured)
Arrival Time: Dec 26, 2009 01:15:32.489872000
[Time delta from previous captured frame: 0.000064000 seconds]
[Time delta from previous displayed frame: 0.000064000 seconds]
[Time since reference or first frame: 2.561282000 seconds]
Frame Number: 35
Frame Length: 78 bytes
Capture Length: 78 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: , Dst: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Destination: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Address: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source:

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.0.0.77 (10.0.0.77), Dst: 64.235.211.233 (64.235.211.233)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 64
Identification: 0x2d7e (11646)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xee18 [correct]
[Good: True]
[Bad : False]
Source: 10.0.0.77 (10.0.0.77)
Destination: 64.235.211.233 (64.235.211.233)
Transmission Control Protocol, Src Port: 42475 (42475), Dst Port: pptp (1723), Seq: 395, Ack: 1, Len: 0
Source port: 42475 (42475)
Destination port: pptp (1723)
[Stream index: 2]
Sequence number: 395 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 44 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 92
Checksum: 0xd437 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (24 bytes)
NOP
NOP
Timestamps: TSval 35814613, TSecr 146400833
NOP
NOP
SACK: 0-1
left edge = 0 (relative)
right edge = 1 (relative)
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 34]
[The RTT to ACK the segment was: 0.000064000 seconds]
[TCP Analysis Flags]
[This is a TCP duplicate ack]
[Duplicate ACK #: 1]
[Duplicate to the ACK in frame: 3]
[Expert Info (Note/Sequence): Duplicate ACK (#1)]
[Message: Duplicate ACK (#1)]
[Severity level: Note]
[Group: Sequence]

No. Time Source Destination Protocol Info
91 7.754934 10.0.0.77 64.235.211.233 PPTP [TCP Retransmission] UNKNOWN-CONTROL-TYPE

Frame 91 (460 bytes on wire, 460 bytes captured)
Arrival Time: Dec 26, 2009 01:15:37.683524000
[Time delta from previous captured frame: 0.227992000 seconds]
[Time delta from previous displayed frame: 5.193652000 seconds]
[Time since reference or first frame: 7.754934000 seconds]
Frame Number: 91
Frame Length: 460 bytes
Capture Length: 460 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:pptp:data]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: , Dst: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Destination: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Address: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source:
Address:
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.0.0.77 (10.0.0.77), Dst: 64.235.211.233 (64.235.211.233)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 446
Identification: 0x2d7f (11647)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xec99 [correct]
[Good: True]
[Bad : False]
Source: 10.0.0.77 (10.0.0.77)
Destination: 64.235.211.233 (64.235.211.233)
Transmission Control Protocol, Src Port: 42475 (42475), Dst Port: pptp (1723), Seq: 1, Ack: 1, Len: 394
Source port: 42475 (42475)
Destination port: pptp (1723)
[Stream index: 2]
Sequence number: 1 (relative sequence number)
[Next sequence number: 395 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 92
Checksum: 0x2d82 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 35815912, TSecr 146400833
[SEQ/ACK analysis]
[Number of bytes in flight: 394]
[TCP Analysis Flags]
[This frame is a (suspected) retransmission]
[Expert Info (Note/Sequence): Retransmission (suspected)]
[Message: Retransmission (suspected)]
[Severity level: Note]
[Group: Sequence]
[The RTO for this segment was: 7.487997000 seconds]
[RTO based on delta from frame: 3]
Point-to-Point Tunnelling Protocol
Length: 10988
Message type: Unknown (57548)
Cookie: 0xc21e8e40 (incorrect)
Control type: UNKNOWN-CONTROL-TYPE (24618)
Reserved: 43063
Data (382 bytes)

Data: DFF860D503007FAAAD5AE27CB8F82258B0B4C23AD9706205... [Length: 382]

No. Time Source Destination Protocol Info
175 13.236182 10.0.0.77 64.235.211.233 TCP 42500 > pptp [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=35817282 TSER=0 WS=6

Frame 175 (74 bytes on wire, 74 bytes captured)
Arrival Time: Dec 26, 2009 01:15:43.164772000
[Time delta from previous captured frame: 0.000523000 seconds]
[Time delta from previous displayed frame: 5.481248000 seconds]
[Time since reference or first frame: 13.236182000 seconds]
Frame Number: 175
Frame Length: 74 bytes
Capture Length: 74 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: , Dst: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Destination: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
Address: AskeyCom_ec:c5:b5 (00:21:63:ec:c5:b5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source:
Address:
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.0.0.77 (10.0.0.77), Dst: 64.235.211.233 (64.235.211.233)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0xa39c (41884)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x77fe [correct]
[Good: True]
[Bad : False]
Source: 10.0.0.77 (10.0.0.77)
Destination: 64.235.211.233 (64.235.211.233)
Transmission Control Protocol, Src Port: 42500 (42500), Dst Port: pptp (1723), Seq: 0, Len: 0
Source port: 42500 (42500)
Destination port: pptp (1723)
[Stream index: 47]
Sequence number: 0 (relative sequence number)
Header length: 40 bytes
Flags: 0x02 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgement: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port pptp]
[Message: Connection establish request (SYN): server port pptp]
[Severity level: Chat]
[Group: Sequence]
.... ...0 = Fin: Not set
Window size: 5840
Checksum: 0x3d33 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (20 bytes)
Maximum segment size: 1460 bytes
SACK permitted
Timestamps: TSval 35817282, TSecr 0
NOP
Window scale: 6 (multiply by 64)
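The decode above labels the traffic PPTP only because the destination port is 1723. As an added check that is not part of the original post, the header values Wireshark shows for frame 3 (Length 10988, Message type 57548, Cookie 0xc21e8e40 marked incorrect, Control type 24618, Reserved 43063) can be tested against the RFC 2637 header layout; the 382 data bytes are replaced with zero filler, since only the 12-byte header is examined.

```python
"""Check whether a TCP payload on port 1723 is really a PPTP control message.

Wireshark picks the PPTP dissector from the port, not the content. RFC 2637
fixes the 12-byte header: Length, PPTP Message Type, Magic Cookie 0x1A2B3C4D,
Control Message Type, Reserved (0). A payload failing these tests is some other
protocol riding on port 1723.
"""
import struct
from typing import List

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MESSAGE_TYPES = {1: "Control Message", 2: "Management Message"}
PPTP_CONTROL_TYPES = {  # control message types defined by RFC 2637
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply", 7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply", 9: "Incoming-Call-Request", 10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected", 12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


def pptp_header_problems(payload: bytes) -> List[str]:
    """List every way the first 12 bytes violate RFC 2637; empty means consistent."""
    if len(payload) < 12:
        return [f"payload too short for a PPTP header: {len(payload)} bytes"]
    length, msg_type, cookie, ctrl_type, reserved = struct.unpack("!HHIHH", payload[:12])
    problems = []
    if cookie != PPTP_MAGIC_COOKIE:
        problems.append(f"magic cookie 0x{cookie:08x} != 0x{PPTP_MAGIC_COOKIE:08x}")
    if length != len(payload):
        problems.append(f"length field {length} != actual payload length {len(payload)}")
    if msg_type not in PPTP_MESSAGE_TYPES:
        problems.append(f"message type {msg_type} is not control(1) or management(2)")
    if ctrl_type not in PPTP_CONTROL_TYPES:
        problems.append(f"control type {ctrl_type} is not defined by RFC 2637")
    if reserved != 0:
        problems.append(f"reserved field is {reserved}, must be 0")
    return problems


def observed_frame() -> bytes:
    """Frame 3's payload rebuilt from the header values Wireshark decoded (Length
    10988, Message type 57548, Cookie 0xc21e8e40, Control type 24618, Reserved
    43063); the 382 data bytes are zero filler, since the checks never read them."""
    return struct.pack("!HHIHH", 10988, 57548, 0xC21E8E40, 24618, 43063) + b"\x00" * 382


def genuine_sccrq() -> bytes:
    """Constructed well-formed Start-Control-Connection-Request: 156 bytes, message
    type 1, correct cookie, control type 1, reserved 0, zeroed 144-byte body."""
    return struct.pack("!HHIHH", 156, 1, PPTP_MAGIC_COOKIE, 1, 0) + b"\x00" * 144


if __name__ == "__main__":
    for name, payload in (("frame 3", observed_frame()), ("genuine SCCRQ", genuine_sccrq())):
        issues = pptp_header_problems(payload)
        print(f"{name}: {'header OK' if not issues else '; '.join(issues)}")
```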

2 comments:

  1. Did you watch some video in RealPlayer format?
    That's what's running there.
    Good luck with the identification.
