version=pmwiki-2.2.130
ordered=1
urlencoded=1
agent=Mozilla/5.0 (X11; OpenBSD amd64; rv:82.0) Gecko/20100101 Firefox/82.0
author=jrmu
charset=UTF-8
csum=
ctime=1608355259
host=198.251.81.119
name=Openbsd.Amplification
rev=2
targets=
text=[@%0a10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 %3cnop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)%0aE...q.@.@..F...3..QA...(............J......%0aM."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:%0a@]%0a%0aIn the first capture, the source 192.168.0.1, port 3306, is sending a TCP segment to 198.251.81.119, port 41000 (our server). Port 41000 is an ephemeral client port and 3306 is a well-known one, so our server is the client in this connection and the segment is part of the reply: it carries stream bytes 153:1601 (1448 bytes of payload) and acknowledges everything our side has sent so far (relative ack 168). We know port 3306 belongs to MySQL by checking /etc/services (@@grep 3306 /etc/services@@). The payload confirms it: it is a MySQL result set, starting with one column definition packet per column (the catalog @@def@@, then schema @@protonsql1_totohot@@, table @@g5_apms_data@@, and the column names @@id@@, @@type@@, @@data_q@@, @@data_1@@ through @@data_10@@ and @@data_set@@; tcpdump prints the length prefixes between them as dots), followed by row data that includes a PHP-serialized array (@@a:24:{s:5:"thema";s:7:"totohot";...@@). Note that 192.168.0.1 is an RFC 1918 private address. On an Internet-facing interface a packet from such a source comes either from a locally routed host (LAN or VPN) or from a spoofed packet, and which one it is should be checked before trusting the rest of the analysis.%0a%0a[@%0a10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 %3cnop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)%0aE....@@.@......(.b>..x.Pw4.O........e\.....%0aSyGp+...POST /apkdl_bot.php HTTP/1.1%0aHost: apkdl.in%0aUser-Agent: Railgun/5.3.3%0aContent-Length: 331%0aCdn-Loop: cloudflare%0aCf-Connecting-Ip: 91.108.6.32%0aCf-Ipcountry: AG%0aCf-Origin-Https: off%0aCf-Ray: 5f127601beabd8d5-AMS%0aCf-Request-Id: 065f6815140000d8d517335000000001%0aCf-Visitor: {"scheme":"https"}%0aContent-Type: application/json%0aX-Forwarded-For: 91.108.6.32%0aX-Forwarded-Proto: https%0a%0a{"update_id":98363691,%0a"message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi%0arjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr%0aivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of%0afset":0,"length":36,"type":"bot_command"}]}}%0a@]%0a%0a[@%0a10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 %3cnop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)%0aE..4.)@.@..{...(.b>..z.P.R..n.,............%0aSyG.+...%0a@]%0a%0aThe second and third captures are a different conversation: neither 199.195.255.40 nor 198.98.62.208 is our server's address (198.251.81.119), so the capture interface is seeing traffic that is not addressed to this host. The second packet is an HTTP POST to @@/apkdl_bot.php@@ on port 80 for the host @@apkdl.in@@; its Cloudflare headers (@@Cdn-Loop: cloudflare@@, @@Cf-Connecting-Ip: 91.108.6.32@@, @@Cf-Ray@@) show it was relayed by Cloudflare, and its JSON body, with @@update_id@@, @@message@@ and a @@bot_command@@ entity, has the shape of a Telegram bot webhook update. The third packet is a bare ACK (no payload, total length 52) on a neighbouring connection from port 33914 between the same two hosts.%0a
time=1608356537
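The header-line reading described above (source and destination address and port, mapping a port to its service through /etc/services, then the checks that follow: is the source a private address, is the packet even addressed to our host, does it carry any payload) as an added Python example. This is not code from the original page. The three header lines and the payload excerpt are copied from the captures on this page; OUR_HOST is the address the text calls "our server"; the /etc/services table is a constructed two-line excerpt so the script runs offline; and the column-name extraction relies on every MySQL column definition packet beginning with the catalog name `def`.

```python
"""Read tcpdump(8) TCP header lines like those on this page and annotate them.

Added example, not code from the original page.  The header lines and the payload
excerpt are copied from the captures above; OUR_HOST is what the text calls "our
server"; SERVICES_EXCERPT is a constructed stand-in for /etc/services.
"""
import ipaddress
import re

OUR_HOST = "198.251.81.119"
# Constructed excerpt in /etc/services format: name port/proto [aliases] # comment
SERVICES_EXCERPT = """\
http            80/tcp          www www-http    # WorldWideWeb HTTP
mysql           3306/tcp                        # MySQL
"""

# BSD-style tcpdump header as printed on this page:
# time src.sport > dst.dport: flags [tcp sum ok] seq:end(len) ack N win W <opts> ...
HEADER_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPUEW.]+)\s*(?:\[tcp sum ok\]\s*)?"
    r"(?:\d+:\d+\((?P<len>\d+)\)\s*)?(?:ack\s+(?P<ack>\d+))?"
)
# MySQL column definition: catalog "def", schema, table, original table, column name,
# original column name; tcpdump's ASCII view prints the length prefixes as dots.
COLDEF_RE = re.compile(r"def\.(\w+)\.(\w+)\.\w+\.(\w+)\.\w+\.")

# Header lines of the three captures on this page.
CAPTURE_LINES = [
    "10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 <nop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)",
    "10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 <nop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)",
    "10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 <nop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)",
]
# First three column definitions of the port 3306 packet (excerpt of its ASCII view).
MYSQL_DUMP_EXCERPT = (
    'M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?'
    '.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?'
    '...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!'
)


def load_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto)] = fields[0]
    return table


def parse_header(line):
    """Pull endpoints, flags, payload length and ack number out of one header line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP header line: " + line)
    g = m.groupdict()
    return {"time": g["time"], "src": g["src"], "sport": int(g["sport"]),
            "dst": g["dst"], "dport": int(g["dport"]), "flags": g["flags"],
            "payload": int(g["len"] or 0), "ack": int(g["ack"]) if g["ack"] else None}


def annotate(pkt, services, our_host=OUR_HOST):
    """The checks to make on a header line before reading the payload."""
    def svc(port):
        return services.get((port, "tcp"), "unknown")
    notes = []
    if svc(pkt["sport"]) != "unknown":    # well-known source port: this is a reply
        notes.append(f"reply from {svc(pkt['sport'])} server {pkt['src']}:{pkt['sport']}")
    elif svc(pkt["dport"]) != "unknown":  # well-known destination port: a request
        notes.append(f"request to {svc(pkt['dport'])} server {pkt['dst']}:{pkt['dport']}")
    if ipaddress.ip_address(pkt["src"]).is_private:
        notes.append("source is an RFC 1918 address: locally routed host or spoofed")
    if our_host not in (pkt["src"], pkt["dst"]):
        notes.append("neither endpoint is our host: seen in transit, not addressed to us")
    if pkt["payload"] == 0:
        notes.append("no payload: bare ACK")
    return {"src_service": svc(pkt["sport"]), "dst_service": svc(pkt["dport"]), "notes": notes}


def mysql_columns(ascii_dump):
    """Recover (schema, table, [columns]) from column definition packets, or None."""
    hits = COLDEF_RE.findall(ascii_dump)
    return (hits[0][0], hits[0][1], [col for _, _, col in hits]) if hits else None


def analyse(lines=CAPTURE_LINES, services_text=SERVICES_EXCERPT):
    """Parse and annotate every header line; one dict per packet."""
    services = load_services(services_text)
    return [{**p, **annotate(p, services)} for p in map(parse_header, lines)]


if __name__ == "__main__":
    for r in analyse():
        print(r["time"], f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}", r["notes"])
    print("MySQL result set (schema, table, columns):", mysql_columns(MYSQL_DUMP_EXCERPT))
```

Run it and the first line is flagged as a MySQL reply from an RFC 1918 source, the second as an HTTP request between two hosts neither of which is ours, and the third as a bare ACK; the column extractor returns the schema, table and the first three column names from the dump excerpt. On a real box, pass the contents of /etc/services to `analyse()` instead of the excerpt, and extend `COLDEF_RE` only if you have confirmed against the MySQL protocol documentation that the field order holds for the server version in the capture.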