Blame
Date: Mon Jan 23 05:00:25 2023 UTC
Message: Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (X11; OpenBSD amd64; rv:82.0) Gecko/20100101 Firefox/82.0
author=jrmu
charset=UTF-8
csum=
ctime=1608355259
host=198.251.81.119
name=Openbsd.Amplification
rev=2
targets=
text=[@%0a10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 %3cnop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)%0aE...q.@.@..F...3..QA...(............J......%0aM."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:%0a@]%0a%0aIn the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from an SQL database. 
In this case, we know port 3306 is for MySQL by checking /etc/services.%0a%0a[@%0a10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 %3cnop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)%0aE....@@.@......(.b>..x.Pw4.O........e\.....%0aSyGp+...POST /apkdl_bot.php HTTP/1.1%0aHost: apkdl.in%0aUser-Agent: Railgun/5.3.3%0aContent-Length: 331%0aCdn-Loop: cloudflare%0aCf-Connecting-Ip: 91.108.6.32%0aCf-Ipcountry: AG%0aCf-Origin-Https: off%0aCf-Ray: 5f127601beabd8d5-AMS%0aCf-Request-Id: 065f6815140000d8d517335000000001%0aCf-Visitor: {"scheme":"https"}%0aContent-Type: application/json%0aX-Forwarded-For: 91.108.6.32%0aX-Forwarded-Proto: https%0a%0a{"update_id":98363691,%0a"message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi%0arjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr%0aivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of%0afset":0,"length":36,"type":"bot_command"}]}}%0a@]%0a%0a[@%0a10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 %3cnop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)%0aE..4.)@.@..{...(.b>..z.P.R..n.,............%0aSyG.+...%0a@]%0a
time=1608356537
author:1608356537=jrmu
diff:1608356537:1608355259:=7d6%0a%3c In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from an SQL database. In this case, we know port 3306 is for MySQL by checking /etc/services.%0a
host:1608356537=198.251.81.119
author:1608355259=jrmu
diff:1608355259:1608355259:=1,37d0%0a%3c [@%0a%3c 10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 %3cnop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)%0a%3c E...q.@.@..F...3..QA...(............J......%0a%3c M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:%0a%3c @]%0a%3c %0a%3c %0a%3c [@%0a%3c 10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 %3cnop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)%0a%3c E....@@.@......(.b>..x.Pw4.O........e\.....%0a%3c SyGp+...POST 
/apkdl_bot.php HTTP/1.1%0a%3c Host: apkdl.in%0a%3c User-Agent: Railgun/5.3.3%0a%3c Content-Length: 331%0a%3c Cdn-Loop: cloudflare%0a%3c Cf-Connecting-Ip: 91.108.6.32%0a%3c Cf-Ipcountry: AG%0a%3c Cf-Origin-Https: off%0a%3c Cf-Ray: 5f127601beabd8d5-AMS%0a%3c Cf-Request-Id: 065f6815140000d8d517335000000001%0a%3c Cf-Visitor: {"scheme":"https"}%0a%3c Content-Type: application/json%0a%3c X-Forwarded-For: 91.108.6.32%0a%3c X-Forwarded-Proto: https%0a%3c %0a%3c {"update_id":98363691,%0a%3c "message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi%0a%3c rjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr%0a%3c ivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of%0a%3c fset":0,"length":36,"type":"bot_command"}]}}%0a%3c @]%0a%3c %0a%3c [@%0a%3c 10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 %3cnop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)%0a%3c E..4.)@.@..{...(.b>..z.P.R..n.,............%0a%3c SyG.+...%0a%3c @]%0a
host:1608355259=198.251.81.119
IRCNow