Dark Developments Where Knowledge Meets Power

6Sep/13

DD – Forums

Posted by Dark#Basics

We've just set up the new forums at www.darkdevelopments.org/forums, or use the Forums button at the top of the website. Do note that they are still under review and major changes can still occur.

More info at www.darkdevelopments.org/forums/viewtopic.php?f=2&t=2

Filed under: About
13Jul/13

AX2012 – Automated Installation

Posted by Dark#Basics

The following site contains information about how to use the AxSetup Code library to automate the deployment of all AX 2012 Components.

community.dynamics.com/ax/b/daxmusings/archive/2013/06/19/dynamics-ax-admin-tools-codecrib-ax-setup.aspx

5Apr/13

DPM – Redirected Access “Backup In Progress”

Posted by Dark#Basics

Today I had an issue where our Hyper-V Cluster Shared Volumes were staying in Redirected Access. In this state the CSV is still available to all nodes in the cluster as part of the ClusterStorage namespace, but every node except the coordinator node performs its I/O through the coordinator node. Redirected Access is used, for example, while a backup is running through DPM.

As it turned out, the DPM agent running on both Hyper-V CSV owner nodes was stuck, so restarting the DPMRA service on those nodes brought the volumes back online.

19Feb/13

0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9

Posted by dijit

We are currently still tracing this exploit, and here is what we know so far:

HOW TO FIND OUT IF YOU HAVE BEEN ROOTED:

ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9

If the file exists and rpm reports "is not owned by any package", you have been rooted.

Currently known affected OSes: RHEL-based servers
Currently known affected control panels: cPanel, DirectAdmin and Plesk
We do not know whether the control panels are the cause or not.
Servers with Ksplice have been exploited.

WHAT WE KNOW:

  • I have scoured the CVEs for the Linux kernel up to the latest 3.x version and I did not see anything relevant that would cause this in the CentOS kernels.
  • SSHDs running on non-standard ports have been compromised.
  • We think it is some daemon exploit and not a privilege escalation via the kernel. Given that some boxes running CageFS were exploited: if the exploit were delivered via an end-user account, /lib and /lib64 would not be available to the attacker (it would be a copy of those directories instead). So, unless the hacker explicitly made a workaround to deal with CageFS (which is probably possible with a ptrace kernel exploit, but highly unlikely), that library would never make it to /lib and /lib64.
  • The data sent over that port 53 connection is not a normal DNS packet as far as I can tell.
  • Servers with the latest CentOS/CloudLinux have been compromised, both versions 5 and 6.
  • The earliest server I have seen exploited was in late December.
  • The strings in the libkeyutils.so.1.9 library differ between samples and keep changing. One sample was reported not to have the external port 53 call compiled in.
  • The connections are not typically logged in /var/log/secure UNLESS you raise the log level to verbose. I originally found the connections using lsof, which is also how I tracked down the outbound SMTP connections.
  • When you strace sshd and log in to the server normally, there is an outbound port 53 connection to an IP address that is not in /etc/resolv.conf.
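The file-and-rpm test above and the process and port 53 indicators in the list, combined into one triage script. This is an added example written for this page, not code from dijit's post: the function names are mine, the IPs (RFC 5737 documentation addresses), PIDs and file contents in make_samples are constructed, and the script assumes the column layout of `netstat -tn` and `ps aux`, an awk with `-v`, and that `rpm -qf` exits non-zero for a file no package owns (the "is not owned by any package" case the post refers to).

```shell
#!/bin/sh
# Added example (not code from dijit's post): offline-testable triage checks for
# the libkeyutils.so.1.9 indicators listed above. Each check is a function that
# reads saved command output, so the same logic runs against live output on a
# server (see the comment above demo) or against the constructed samples below.

# 1. Rogue library. The file should not exist at all; if it does and rpm does
#    not own it (rpm -qf exits non-zero: "is not owned by any package"), the
#    host is rooted. Pass both /lib and /lib64: on x86_64 the 64-bit copy lives
#    in /lib64.
find_rogue_libkeyutils() {
    for dir in "$@"; do
        lib="$dir/libkeyutils.so.1.9"
        [ -e "$lib" ] || continue
        if command -v rpm >/dev/null 2>&1 && rpm -qf "$lib" >/dev/null 2>&1; then
            echo "$lib: owned by $(rpm -qf "$lib"); confirm with rpm -V"
        else
            echo "$lib: NOT OWNED BY ANY PACKAGE"
        fi
    done
}

# 2. Beacon check. Print port-53 peers from `netstat -tn` / `ss -tn` output ($1)
#    that are not a nameserver in the resolv.conf given as $2. A stub resolver
#    only talks to those nameservers; a TCP stream from sshd to some other host
#    on :53 is the beacon described above. IPv4 only: the split on ':' does not
#    handle IPv6 peers.
unexpected_port53_peers() {
    resolvers=$(awk '$1 == "nameserver" { print $2 }' "$2" | tr '\n' ' ')
    awk -v resolvers="$resolvers" '
        BEGIN { n = split(resolvers, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            split($5, peer, ":")
            if (peer[2] == "53" && !(peer[1] in ok)) print peer[1]
        }' "$1" | sort -u
}

# 3. Process check. Count root-owned "sleep 7200" and "sshd: root@notty"
#    entries in `ps aux` output (the COMMAND column starts at field 11).
count_root_sleep_7200() {
    awk '$1 == "root" && $11 == "sleep" && $12 == "7200" { c++ } END { print c + 0 }' "$1"
}
count_root_notty_sshd() {
    awk '$1 == "root" && $11 == "sshd:" && $12 == "root@notty" { c++ } END { print c + 0 }' "$1"
}

# Constructed sample data (made-up IPs and PIDs) written into directory $1.
make_samples() {
    mkdir -p "$1/lib64"
    : > "$1/lib64/libkeyutils.so.1.9"            # fake rogue library
    printf 'nameserver 192.0.2.10\nnameserver 192.0.2.11\n' > "$1/resolv.conf"
    cat > "$1/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.4:22         203.0.113.7:40025       ESTABLISHED
tcp        0      0 198.51.100.4:51234      192.0.2.10:53           ESTABLISHED
tcp        0      0 198.51.100.4:51877      203.0.113.99:53         ESTABLISHED
tcp        0      0 198.51.100.4:38111      203.0.113.99:53         ESTABLISHED
tcp        0      0 198.51.100.4:44120      203.0.113.250:25        ESTABLISHED
EOF
    cat > "$1/ps.txt" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1001  0.0  0.0 100904   588 ?        Ss   09:09   0:00 sleep 7200
root      1002  0.0  0.0  66952  3520 ?        Ss   09:10   0:00 sshd: root@notty
root      1003  0.0  0.0 100904   592 ?        Ss   09:10   0:00 sleep 7200
nobody    1004  0.0  0.0 100904   592 ?        S    09:11   0:00 sleep 7200
EOF
}

# Offline demonstration. On a live host run instead:
#   find_rogue_libkeyutils /lib /lib64
#   netstat -tn > /tmp/ns.txt; unexpected_port53_peers /tmp/ns.txt /etc/resolv.conf
#   ps aux > /tmp/ps.txt; count_root_sleep_7200 /tmp/ps.txt; count_root_notty_sshd /tmp/ps.txt
demo() {
    d=$(mktemp -d) && make_samples "$d"
    find_rogue_libkeyutils "$d/lib" "$d/lib64"
    echo "unexpected port-53 peers: $(unexpected_port53_peers "$d/netstat.txt" "$d/resolv.conf" | tr '\n' ' ')"
    echo "root sleep 7200: $(count_root_sleep_7200 "$d/ps.txt"), sshd root@notty: $(count_root_notty_sshd "$d/ps.txt")"
    rm -rf "$d"
}
demo
```

A packaged owner for the file is not on its own proof of a clean system, because a rootkit that also tampers with rpm or its database can lie; pair the ownership check with `rpm -V keyutils-libs` and compare the library against a known-good copy taken from the package on another machine.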

Here is something else that is interesting:
– They will connect to MULTIPLE IPs on the same server.

root@xxxxx [~]# netstat -n |grep 87.230.54.65
tcp        0      0 xxx.xxx.xxx.84:22             87.230.54.65:51101          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.9:22              87.230.54.65:54288          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.147:22            87.230.54.65:35982          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.12:22             87.230.54.65:33467          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.246:22            87.230.54.65:59694          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.24:22             87.230.54.65:42571          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.36:22             87.230.54.65:55064          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.62:22             87.230.54.65:57357          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.46:22             87.230.54.65:50876          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.59:22             87.230.54.65:51425          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.235:22            87.230.54.65:48760          ESTABLISHED
tcp        0    112 xxx.xxx.xxx.155:22            87.230.54.65:52329          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.125:22            87.230.54.65:60776          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.27:22             87.230.54.65:36775          ESTABLISHED
tcp        0    112 xxx.xxx.xxx.185:22            87.230.54.65:44919          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.101:22            87.230.54.65:44025          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.163:22            87.230.54.65:38346          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.158:22            87.230.54.65:59424          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.89:22             87.230.54.65:32780          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.29:22             87.230.54.65:39850          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.70:22             87.230.54.65:36001          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.57:22             87.230.54.65:48533          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.211:22            87.230.54.65:58030          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.227:22            87.230.54.65:38784          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.4:22              87.230.54.65:40025          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.238:22            87.230.54.65:41285          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.171:22            87.230.54.65:57272          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.248:22            87.230.54.65:35473          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.197:22            87.230.54.65:50670          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.113:22            87.230.54.65:44296          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.137:22            87.230.54.65:53060          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.245:22            87.230.54.65:35150          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.54:22             87.230.54.65:37230          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.128:22            87.230.54.65:39850          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.126:22            87.230.54.65:53901          ESTABLISHED
tcp        0     64 xxx.xxx.xxx.188:22            87.230.54.65:39340          ESTABLISHED
tcp        0      0 xxx.xxx.xxx.96:22             87.230.54.65:51755          ESTABLISHED

Example of those ‘sleep’ processes I mentioned earlier:

root      149848  0.0  0.0 100904   588 ?        Ss   09:09   0:00 sleep 7200
root      149942  0.0  0.0 100904   592 ?        Ss   09:09   0:00 sleep 7200
root      150005  0.0  0.0 100904   592 ?        Ss   09:09   0:00 sleep 7200
root      150406  0.0  0.0  66952  3520 ?        Ss   09:10   0:00 sshd: root@notty
root      150413  0.0  0.0 100904   592 ?        Ss   09:10   0:00 sleep 7200
root      150702  0.0  0.0 100904   592 ?        Ss   09:12   0:00 sleep 7200
root      151066  0.0  0.0  66772  3444 ?        Ss   09:14   0:00 sshd: root@notty
root      151070  0.0  0.0 100904   596 ?        Ss   09:14   0:00 sleep 7200
root      151576  0.0  0.0  66928  3472 ?        Ss   09:16   0:00 sshd: root@notty
root      151585  0.0  0.0 100904   592 ?        Ss   09:16   0:00 sleep 7200
root      151699  0.0  0.0 100904   596 ?        Ss   09:16   0:00 sleep 7200
root      151736  0.0  0.0  66748  3416 ?        Ss   09:16   0:00 sshd: root@notty
root      151739  0.0  0.0 100904   596 ?        Ss   09:17   0:00 sleep 7200
root      151855  0.0  0.0  66824  3452 ?        Ss   09:17   0:00 sshd: root@notty
root      151859  0.0  0.0 100904   596 ?        Ss   09:17   0:00 sleep 7200
root      152382  0.0  0.0  66964  3528 ?        Ss   09:20   0:00 sshd: root@notty
root      152388  0.0  0.0 100904   592 ?        Ss   09:20   0:00 sleep 7200
root      152615  0.0  0.0  66824  3464 ?        Ss   09:21   0:00 sshd: root@notty
root      152619  0.0  0.0 100904   596 ?        Ss   09:21   0:00 sleep 7200
root      152706  0.0  0.0  66792  3448 ?        Ss   09:21   0:00 sshd: root@notty
root      152720  0.0  0.0 100904   592 ?        Ss   09:21   0:00 sleep 7200
root      152735  0.0  0.0  66792  3448 ?        Ss   09:21   0:00 sshd: root@notty
root      152745  0.0  0.0 100904   592 ?        Ss   09:21   0:00 sleep 7200
root      152902  0.0  0.0  66748  3416 ?        Ss   09:22   0:00 sshd: root@notty
root      152906  0.0  0.0 100904   592 ?        Ss   09:22   0:00 sleep 7200
root      153288  0.0  0.0  66852  3432 ?        Ss   09:24   0:00 sshd: root@notty
root      153295  0.0  0.0 100904   592 ?        Ss   09:24   0:00 sleep 7200
root      153406  0.0  0.0 100904   592 ?        Ss   09:24   0:00 sleep 7200
root      153439  0.0  0.0  66824  3416 ?        Ss   09:24   0:00 sshd: root@notty
root      153443  0.0  0.0 100904   596 ?        Ss   09:24   0:00 sleep 7200
root      153968  0.0  0.0  66792  3404 ?        Ss   09:26   0:00 sshd: root@notty
root      153977  0.0  0.0 100904   592 ?        Ss   09:26   0:00 sleep 7200
root      154014  0.0  0.0 100904   596 ?        Ss   09:26   0:00 sleep 7200
root      154055  0.0  0.0  66824  3476 ?        Ss   09:27   0:00 sshd: root@notty
root      154061  0.0  0.0 100904   596 ?        Ss   09:27   0:00 sleep 7200
root      154086  0.0  0.0  66952  3520 ?        Ss   09:27   0:00 sshd: root@notty
root      154092  0.0  0.0 100904   596 ?        Ss   09:27   0:00 sleep 7200
root      154372  0.0  0.0  66748  3380 ?        Ss   09:28   0:00 sshd: root@notty
root      154376  0.0  0.0 100904   596 ?        Ss   09:28   0:00 sleep 7200
root      154813  0.0  0.0  66760  3432 ?        Ss   09:30   0:00 sshd: root@notty
root      154817  0.0  0.0 100904   596 ?        Ss   09:30   0:00 sleep 7200

Here are 10 packets from tcpdump:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
09:43:58.821991 IP (tos 0x0, ttl 49, id 57719, offset 0, flags [DF], proto TCP (6), length 52)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xa254 (correct), seq 3312262149, ack 1665226106, win 501, options [nop,nop,TS val 885093176 ecr 4154428085], length 0
0x0000:  4500 0034 e177 4000 3106 f6c5 57e6 3641  E..4.w@.1...W.6A
0x0010:  8e5b 5504 9c59 0016 c56d 1c05 6341 557a  .[U..Y...m..cAUz
0x0020:  8010 01f5 a254 0000 0101 080a 34c1 7338  .....T......4.s8
0x0030:  f79f 8ab5                                ....
09:43:58.831253 IP (tos 0x0, ttl 49, id 57720, offset 0, flags [DF], proto TCP (6), length 100)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [P.], cksum 0x5e95 (correct), seq 3312262149:3312262197, ack 1665226106, win 501, options [nop,nop,TS val 885093186 ecr 4154428085], length 48
0x0000:  4500 0064 e178 4000 3106 f694 57e6 3641  E..d.x@.1...W.6A
0x0010:  8e5b 5504 9c59 0016 c56d 1c05 6341 557a  .[U..Y...m..cAUz
0x0020:  8018 01f5 5e95 0000 0101 080a 34c1 7342  ....^.......4.sB
0x0030:  f79f 8ab5 4bbb 6494 6583 64ae 90d1 8c5c  ....K.d.e.d....\
0x0040:  27d5 62ee 477e 2180 9610 f8de a5f0 5363  '.b.G~!.......Sc
0x0050:  f18d c4bb 457a 0109 a4f0 f458 f991 4b70  ....Ez.....X..Kp
0x0060:  733c e172                                s<.r
09:43:58.958927 IP (tos 0x8, ttl 50, id 59178, offset 0, flags [DF], proto TCP (6), length 52)
87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [.], cksum 0x2bf6 (correct), seq 3258834673, ack 460063979, win 501, options [nop,nop,TS val 885093313 ecr 4154428222], length 0
0x0000:  4508 0034 e72a 4000 3206 ef29 57e6 3641  E..4.*@.2..)W.6A
0x0010:  8e5b 55e5 e96c 0016 c23d def1 1b6c 04eb  .[U..l...=...l..
0x0020:  8010 01f5 2bf6 0000 0101 080a 34c1 73c1  ....+.......4.s.
0x0030:  f79f 8b3e                                ...>
09:43:58.965112 IP (tos 0x8, ttl 50, id 59179, offset 0, flags [DF], proto TCP (6), length 100)
87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [P.], cksum 0x5491 (correct), seq 3258834673:3258834721, ack 460063979, win 501, options [nop,nop,TS val 885093319 ecr 4154428222], length 48
0x0000:  4508 0064 e72b 4000 3206 eef8 57e6 3641  E..d.+@.2...W.6A
0x0010:  8e5b 55e5 e96c 0016 c23d def1 1b6c 04eb  .[U..l...=...l..
0x0020:  8018 01f5 5491 0000 0101 080a 34c1 73c7  ....T.......4.s.
0x0030:  f79f 8b3e bfa8 c9f5 1b1c d52e ea8e 9bc4  ...>............
0x0040:  b211 1265 b6ca 6cab 3c93 1219 0c35 c4b1  ...e..l.<....5..
0x0050:  03f3 45f9 794e 21aa c2b4 ae20 dff9 b235  ..E.yN!........5
0x0060:  9087 56f8                                ..V.
09:43:59.121882 IP (tos 0x0, ttl 49, id 57721, offset 0, flags [DF], proto TCP (6), length 148)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [P.], cksum 0x86c3 (correct), seq 3312262197:3312262293, ack 1665226186, win 501, options [nop,nop,TS val 885093476 ecr 4154428378], length 96
0x0000:  4500 0094 e179 4000 3106 f663 57e6 3641  E....y@.1..cW.6A
0x0010:  8e5b 5504 9c59 0016 c56d 1c35 6341 55ca  .[U..Y...m.5cAU.
0x0020:  8018 01f5 86c3 0000 0101 080a 34c1 7464  ............4.td
0x0030:  f79f 8bda 55a8 84fb d551 1050 1726 0c8e  ....U....Q.P.&..
0x0040:  6bba 2419 2088 8c10 6072 d0b4 6440 27a1  k.$.....`r..d@'.
0x0050:  0401 089d 46d7 5236 0c62 a9bc ef81 af68  ....F.R6.b.....h
0x0060:  420a 4a44 9ae0 6150 3ad0 1bad 49e8 6518  B.JD..aP:...I.e.
0x0070:  be38 c374 5ddc a9f9 3c91 bbb7 413a ba0b  .8.t]...<...A:..
0x0080:  acea 139c 3073 7a27 4c01 ab93 d2a0 c793  ....0sz'L.......
0x0090:  625e d5da                                b^..
09:43:59.122374 IP (tos 0x0, ttl 49, id 57722, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0x1da4 (correct), seq 3312262293:3312263721, ack 1665226186, win 501, options [nop,nop,TS val 885093476 ecr 4154428378], length 1428
0x0000:  4500 05c8 e17a 4000 3106 f12e 57e6 3641  E....z@.1...W.6A
0x0010:  8e5b 5504 9c59 0016 c56d 1c95 6341 55ca  .[U..Y...m..cAU.
0x0020:  8010 01f5 1da4 0000 0101 080a 34c1 7464  ............4.td
0x0030:  f79f 8bda 691c e689 f8e6 2d0e 5a67 73ca  ....i.....-.Zgs.
0x0040:  c1cf 7080 8a0c 5660 5848 6a39 8b94 cb37  ..p...V`XHj9...7
0x0050:  c40b c0b1 e2d0 4e45 6b9b fc89 f6dc fbf3  ......NEk.......
0x0060:  47a5 a6cf d728 c64d 9e80 87f0 176f 03d8  G....(.M.....o..
0x0070:  ea56 50b6 8673 ebc3 fa0b 365d 8f12 0da0  .VP..s....6]....
0x0080:  1f80 a87e 2be0 c920 9393 a298 2058 10c2  ...~+........X..
0x0090:  c85c b0b5 ade9 5a98 47e4 ef92 f64a 2ffb  .\....Z.G....J/.
0x00a0:  cf52 30c4 0e9e 1fed 0108 ec5c a46a 8b9e  .R0........\.j..
0x00b0:  985a 9a10 e39f 090e d924 2658 9029 b250  .Z.......$&X.).P
0x00c0:  3bb9 2100 a7bd 88a5 510c a4a9 729e c1c2  ;.!.....Q...r...
0x00d0:  151c af51 65b6 3003 59ff 5dd0 d17d 6b94  ...Qe.0.Y.]..}k.
0x00e0:  84a2 c44c fd80 3129 a002 5ad2 0e81 1eb7  ...L..1)..Z.....
0x00f0:  e330 42bd fdf2 9f78 c019 1594 78af b4c4  .0B....x....x...
0x0100:  610e 2dee 6dc8 f2da 44d1 9499 e10d 3d82  a.-.m...D.....=.
0x0110:  101e dda9 0372 aa8e 3a9b 8567 62d7 e415  .....r..:..gb...
0x0120:  218d 2618 1a37 fd6a 08ef 9577 06d5 0e41  !.&..7.j...w...A
0x0130:  d015 17c8 f9af 7d60 462b 4f7b 6739 592a  ......}`F+O{g9Y*
0x0140:  40f3 d8f4 19df 83dd 8b49 b5b6 74ef 6860  @........I..t.h`
0x0150:  1f1a 62fd 8889 0ba9 c537 deed b173 fe50  ..b......7...s.P
0x0160:  6382 4ab6 16ef 3423 4203 9d8e 9519 e847  c.J...4#B......G
0x0170:  dfb8 ca85 6a46 a2da a80c 0b85 af23 8048  ....jF.......#.H
0x0180:  8f2b ce49 c311 b8d6 afdb 1739 47ff 3fb4  .+.I.......9G.?.
0x0190:  f04e 07de c1d2 407e 420a b160 9096 bbbc  .N....@~B..`....
0x01a0:  7540 426d 574d 2334 038c 3c64 6b77 d89d  u@BmWM#4..<dkw..
0x01b0:  7bf2 8d97 72ed 098f 64a5 a4fc b854 a419  {...r...d....T..
0x01c0:  65fd 967d 57cb 7e26 d556 5ddb 82c1 19cc  e..}W.~&.V].....
0x01d0:  0854 930f 26c1 340a 36e3 6fdd 4c4a de5d  .T..&.4.6.o.LJ.]
0x01e0:  f60a ff46 ad22 35ee 8d39 afcd eb2c 607d  ...F."5..9...,`}
0x01f0:  825e d975 b22c 38bd 12b1 4071 f720 ff14  .^.u.,8...@q....
0x0200:  056a 9624 4762 325f 1559 4cd9 7e74 8b4c  .j.$Gb2_.YL.~t.L
0x0210:  2ed6 ed20 85eb fd52 2fe8 fc76 fa2b 0403  .......R/..v.+..
0x0220:  d9a2 b4f3 edfc a6d5 7c82 dd72 fcfa 9644  ........|..r...D
0x0230:  3314 7fe2 32db 6d59 bfc6 dd1e 8d8f 5fc7  3...2.mY......_.
0x0240:  6e86 212b 9651 2299 abf8 cd72 9b68 3f2f  n.!+.Q"....r.h?/
0x0250:  baba dab3 ad0f ce2c a830 fe5c fb17 3313  .......,.0.\..3.
0x0260:  5a16 bb43 5e4c 6c24 1fae 88cc 983a 924f  Z..C^Ll$.....:.O
0x0270:  3f85 fe8c 7198 e308 1124 37cc b35d c8c4  ?...q....$7..]..
0x0280:  6111 2301 e355 2ada 51f4 ec37 578c 9cca  a.#..U*.Q..7W...
0x0290:  0fc4 03a3 286f 2c1f 925f b124 999c b624  ....(o,.._.$...$
0x02a0:  866d 34e2 5913 f3a1 2479 284a 6a90 6fb9  .m4.Y...$y(Jj.o.
0x02b0:  8b90 4203 a4dc 26b4 5a38 f66d b5b4 1171  ..B...&.Z8.m...q
0x02c0:  0aaa da0c 7c24 3fd1 e6d7 b820 c448 e39b  ....|$?......H..
0x02d0:  0df2 0e30 b2f1 17f5 7e1a 14b5 6dc1 3e74  ...0....~...m.>t
0x02e0:  2e2d a482 1103 f1e5 26f1 60d5 a70b 593e  .-......&.`...Y>
0x02f0:  0e06 32fd 16cc 3689 c6bc 50a7 081c da32  ..2...6...P....2
0x0300:  bdb7 8165 752d 2a37 52d0 79ab 1646 b784  ...eu-*7R.y..F..
0x0310:  bc67 1e55 3fd8 9ebc 44b5 1000 97e3 b1d5  .g.U?...D.......
0x0320:  00c9 2404 d956 861d 0c29 63c7 ef7a 9754  ..$..V...)c..z.T
0x0330:  d1f4 4127 dbc3 cdb0 1459 3836 e638 6738  ..A'.....Y86.8g8
0x0340:  f40c 533e 31f4 e702 9823 60a3 e784 5d54  ..S>1....#`...]T
0x0350:  612d 95cc d2c7 b3c7 70f9 c7da cb2f 0a4b  a-......p..../.K
0x0360:  11bb 48fc 3ac1 41fd 8417 7d1a b23a ab09  ..H.:.A...}..:..
0x0370:  1f90 e7d6 b83f bace 009d a987 21d8 395e  .....?......!.9^
0x0380:  201c 3d83 1f48 cffb 345a 5082 b424 b219  ..=..H..4ZP..$..
0x0390:  3c6a ef25 3861 6647 df68 558a 5b73 1684  <j.%8afG.hU.[s..
0x03a0:  2564 6615 ff62 1a5b a1c7 adb0 d415 8486  %df..b.[........
0x03b0:  c67d 690e 7e10 1695 b068 ec53 159d 77a8  .}i.~....h.S..w.
0x03c0:  f58a e91d 53b1 2caf 167c 67ba c6a1 f3b4  ....S.,..|g.....
0x03d0:  e70c 4fd8 e97a b3ee 7c66 83b3 8cd6 f28f  ..O..z..|f......
0x03e0:  1cd4 58ab 1e3e 38b1 1454 77b9 425e 389c  ..X..>8..Tw.B^8.
0x03f0:  e617 4cc8 a63c 1502 3d78 e6e1 1b29 bcdd  ..L..<..=x...)..
0x0400:  20fe 5e82 89b5 649c 2729 abc1 f83f 3677  ..^...d.')...?6w
0x0410:  c540 f3b5 599b d58d 5cc6 e023 c8ac 77d9  .@..Y...\..#..w.
0x0420:  3411 ec70 0ff9 f569 6e01 063f 1197 3c2b  4..p...in..?..<+
0x0430:  52bd e3e6 2b8a 25a2 8b03 dda8 6797 0921  R...+.%.....g..!
0x0440:  aa9d dc93 d62f fb74 6bd1 f975 1160 e4ef  ...../.tk..u.`..
0x0450:  dbb5 1c21 e578 9020 6cfb 5a20 17ec b480  ...!.x..l.Z.....
0x0460:  a376 6e48 552e 9353 2b52 3e72 957b 34f6  .vnHU..S+R>r.{4.
0x0470:  5667 6cba 8a4f 1142 8214 d025 618d f775  Vgl..O.B...%a..u
0x0480:  dca2 16d6 c427 3c52 845e ff36 b5e2 406b  .....'<R.^.6..@k
0x0490:  bb39 f171 3aa5 7bed f626 ca85 b9c6 a93b  .9.q:.{..&.....;
0x04a0:  fb04 2f2a 91d4 9dcc dfff 3cb2 839e 7559  ../*......<...uY
0x04b0:  67da cf68 9381 7810 04ce fe00 6a59 e0ef  g..h..x.....jY..
0x04c0:  8425 d707 7e6b e32c 2e38 c06c 5fdb 2fc3  .%..~k.,.8.l_./.
0x04d0:  d8a3 2050 ecd7 5a28 cfd9 b1c2 b0c2 24cd  ...P..Z(......$.
0x04e0:  7a73 6dd7 6b24 6880 2986 e7a5 314f 15a5  zsm.k$h.)...1O..
0x04f0:  86e7 2d46 774b 82a1 46b3 b288 4700 4e61  ..-FwK..F...G.Na
0x0500:  f2a0 c625 1c77 c3bb e660 bc36 be9a f700  ...%.w...`.6....
0x0510:  8b63 493c 8a01 b67e c8e5 8a7d b998 7caa  .cI<...~...}..|.
0x0520:  5c6b 7e8e e39f bff9 49e5 c165 1592 be7d  \k~.....I..e...}
0x0530:  d8f7 8853 b31c b1dd 9007 4e82 0a88 99db  ...S......N.....
0x0540:  d9e9 6f80 3717 a01b f2c6 d932 5398 9a8c  ..o.7......2S...
0x0550:  7cda 03ec 7907 2142 f381 bb66 07b3 4ffc  |...y.!B...f..O.
0x0560:  e5f2 4483 becb d5e1 c7df 7308 06ae ba9a  ..D.......s.....
0x0570:  6cd8 f3d5 d484 b257 71ea 45a8 cd45 cf92  l......Wq.E..E..
0x0580:  5d01 acd3 e0ad 42b9 8c46 3021 8c6b cd23  ].....B..F0!.k.#
0x0590:  a8e2 8920 5d50 34bb 04f7 eff9 bbc9 2887  ....]P4.......(.
0x05a0:  1a46 5783 a94a c61f 01e0 7fb5 8a18 52c4  .FW..J........R.
0x05b0:  e00d 2b60 b588 c14c c7f2 74bd 1ef0 c0a4  ..+`...L..t.....
0x05c0:  5b20 1cae a63d 1f9e                      [....=..
09:43:59.122787 IP (tos 0x0, ttl 49, id 57723, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xb3b1 (correct), seq 3312263721:3312265149, ack 1665226186, win 501, options [nop,nop,TS val 885093477 ecr 4154428378], length 1428
0x0000:  4500 05c8 e17b 4000 3106 f12d 57e6 3641  E....{@.1..-W.6A
0x0010:  8e5b 5504 9c59 0016 c56d 2229 6341 55ca  .[U..Y...m")cAU.
0x0020:  8010 01f5 b3b1 0000 0101 080a 34c1 7465  ............4.te
0x0030:  f79f 8bda acc8 9a9a 9882 6d73 5e0e c4d8  ..........ms^...
0x0040:  6a2e 17f7 30f1 5c6e 48ff a65f 2158 f8bf  j...0.\nH.._!X..
0x0050:  4271 b6ab a50a 8569 3f0b 97c1 88f6 cdf5  Bq.....i?.......
0x0060:  a793 8c8c 91b9 b6d3 fa8e fca5 46a6 e170  ............F..p
0x0070:  77e9 4257 fa7e 30f7 8aa2 b164 125a e4bb  w.BW.~0....d.Z..
0x0080:  982e 2c17 e8d8 0b36 e0e8 a8b9 1ffe 80c5  ..,....6........
0x0090:  8ca0 1a50 ec3e b967 bd2f 8034 c15c 65d8  ...P.>.g./.4.\e.
0x00a0:  75be b06a 5a33 3a37 1f23 cb3a 156d d5bf  u..jZ3:7.#.:.m..
0x00b0:  d6e5 2fc8 febc 988f 8a0d 754c 2489 c435  ../.......uL$..5
0x00c0:  8feb 5ee3 79fb 2015 ad0c 461c c76b c099  ..^.y.....F..k..
0x00d0:  8ff9 3afb f5ac cf8b 7d53 d6fc 5a35 643a  ..:.....}S..Z5d:
0x00e0:  9870 6fee ce3a 4ebc 9e2f 9abd c24a fa61  .po..:N../...J.a
0x00f0:  c762 4099 f315 45cd 23f7 47df 5b91 9fc1  .b@...E.#.G.[...
0x0100:  ba80 53db cdc5 9f3e 2e00 af91 8653 0177  ..S....>.....S.w
0x0110:  d6b0 cd12 e738 b1a5 ffad d590 5137 36d7  .....8......Q76.
0x0120:  9d6d 1a27 75ca 1e95 cc64 4256 f213 5928  .m.'u....dBV..Y(
0x0130:  671e f527 ec2e 0eb2 cfb9 a00d f9ae cf0d  g..'............
0x0140:  8f41 de45 fb79 dd4e f414 ae42 c4d9 9dab  .A.E.y.N...B....
0x0150:  7705 58d0 c057 235d 0c3c fa6f b3a5 cdc9  w.X..W#].<.o....
0x0160:  d676 2e05 3697 46cd bf43 974c f493 4ac1  .v..6.F..C.L..J.
0x0170:  5151 24fd 1f6c 7829 c67e 144f c263 5841  QQ$..lx).~.O.cXA
0x0180:  6099 193b 3826 7630 3b58 5aea b066 be39  `..;8&v0;XZ..f.9
0x0190:  8fff d009 772a 78c8 cf31 f821 af4d f5e4  ....w*x..1.!.M..
0x01a0:  9c47 672e 3b03 3e11 f28a e608 70e6 e1ee  .Gg.;.>.....p...
0x01b0:  f678 0058 4cef 3923 25af cac3 56a8 5af1  .x.XL.9#%...V.Z.
0x01c0:  00ac a306 ecf5 50e5 b46b dbec cf27 6aca  ......P..k...'j.
0x01d0:  2ad9 a16a e8a7 03ea 9d7a 1b0c 26b1 e358  *..j.....z..&..X
0x01e0:  ca50 db6f 4c6f d8d4 b731 0d30 2dd8 10b8  .P.oLo...1.0-...
0x01f0:  38e0 2540 9203 296a 9353 50a9 08e5 3d51  8.%@..)j.SP...=Q
0x0200:  c04b 8cb7 ac95 9e1f 2f16 549c 465b cfdd  .K....../.T.F[..
0x0210:  d469 42ee 4c15 e497 270f 7e50 ef3c 92a0  .iB.L...'.~P.<..
0x0220:  5b54 58a3 6f0e befc 0df5 6b67 e256 5332  [TX.o.....kg.VS2
0x0230:  a6f8 e661 0556 5400 a82c 38d0 523a 0f27  ...a.VT..,8.R:.'
0x0240:  3955 374e 6149 d4ff a9d4 b590 17fc ebb7  9U7NaI..........
0x0250:  1542 6a99 5492 d6be 5a35 7595 adb8 401b  .Bj.T...Z5u...@.
0x0260:  73be ac69 8e12 0c6f 64cd 46b2 8eef 7eca  s..i...od.F...~.
0x0270:  867b dec8 c5f6 e595 bcc5 59a2 0ecf ec6c  .{........Y....l
0x0280:  faa9 e307 7b04 326e 70c8 d71e 68ef cfff  ....{.2np...h...
0x0290:  7689 9070 ff50 df7e 5e71 8de2 da46 af02  v..p.P.~^q...F..
0x02a0:  f639 8f6c 7c45 3279 b66d 000d d92d 7805  .9.l|E2y.m...-x.
0x02b0:  e9b0 9f71 bf10 8b29 e82a 66ea 240f 974f  ...q...).*f.$..O
0x02c0:  15f2 e36e d55c dcc9 c28f 1aab 354c 7552  ...n.\......5LuR
0x02d0:  1259 dd84 fff8 4449 2604 f7d0 49ad cfac  .Y....DI&...I...
0x02e0:  8e64 5798 da43 685c 7fad bd93 dc82 d132  .dW..Ch\.......2
0x02f0:  d7eb bdb7 b2eb 6fa8 d9d3 8f4b 85ea 7a44  ......o....K..zD
0x0300:  3f75 699f 7030 1e03 7b76 7875 5fd5 0606  ?ui.p0..{vxu_...
0x0310:  5a8c a78a 3c69 8f2a 25d5 f8d6 6c84 a220  Z...<i.*%...l...
0x0320:  35d1 7b1e a9f1 8b0d 5a13 3d76 8128 b4ae  5.{.....Z.=v.(..
0x0330:  00e6 f01d 65f6 3066 8482 7256 63c4 85f7  ....e.0f..rVc...
0x0340:  9e78 89e6 e577 fb8c b74d 634e d772 4241  .x...w...McN.rBA
0x0350:  0fdc 3e05 48e7 d8bf 6ba0 a850 fa53 46f0  ..>.H...k..P.SF.
0x0360:  8362 4763 419c 197d a9e1 3f88 a823 7320  .bGcA..}..?..#s.
0x0370:  d413 f0c0 4e35 987e b057 87c1 4c63 cf60  ....N5.~.W..Lc.`
0x0380:  e9b8 dd8a 797e 746d dae3 6ffa e688 b2ec  ....y~tm..o.....
0x0390:  8374 9f9e 7850 993a 7931 3cd3 51fd ae80  .t..xP.:y1<.Q...
0x03a0:  9da6 a547 e937 2cdd 06c3 cbce 8e95 21aa  ...G.7,.......!.
0x03b0:  a041 39e0 5bd1 0a67 3ad7 a39b 4537 e675  .A9.[..g:...E7.u
0x03c0:  e24d 83d6 5c2d ffe2 782e c43b b38c ff9f  .M..\-..x..;....
0x03d0:  99c9 67d5 1382 26ad 2424 35ab 5094 944c  ..g...&.$$5.P..L
0x03e0:  278d 9056 63e7 0159 072e 08ff ca75 bf20  '..Vc..Y.....u..
0x03f0:  d1f8 3d26 43ed a440 dfa1 4811 e30b 4333  ..=&C..@..H...C3
0x0400:  f86e 9f58 5e41 c34e c63f 8c7e a168 c054  .n.X^A.N.?.~.h.T
0x0410:  0672 3e85 d487 744d 4505 7df6 c53d 9e1b  .r>...tME.}..=..
0x0420:  df00 45fa 823c 704f 10b7 3cd4 f80f b70e  ..E..<pO..<.....
0x0430:  52b0 f253 7e4b f07f 6aaf 40dd 85b0 c119  R..S~K..j.@.....
0x0440:  c8e2 94b8 4662 367a bea0 d351 9669 2e80  ....Fb6z...Q.i..
0x0450:  3e75 c1a1 4f07 c5af ec61 7b6d ab42 9c0f  >u..O....a{m.B..
0x0460:  5c34 ae0a cf0c fab8 ab7d f49a 0870 a464  \4.......}...p.d
0x0470:  c504 a3f7 86fb 85f1 9ee4 cfd6 b6b6 4fdf  ..............O.
0x0480:  e460 3486 1798 e279 b442 35fd eab1 6107  .`4....y.B5...a.
0x0490:  4ea2 595c 6cd8 847e 60f1 7bc6 cc5c e7d5  N.Y\l..~`.{..\..
0x04a0:  f8af 70c2 d95d 7de5 9c3c 7cfb 5ffe 0352  ..p..]}..<|._..R
0x04b0:  d725 1d9a f256 b878 ca00 7582 195b 2e86  .%...V.x..u..[..
0x04c0:  d5fe 04ff 3bb1 3185 9a6f ab4f 06cb 39ca  ....;.1..o.O..9.
0x04d0:  2c1d c593 5f6a c50f 28a7 2c70 e264 477c  ,..._j..(.,p.dG|
0x04e0:  c5b4 6706 c6d3 eb0d 48fc 511e b640 aeb8  ..g.....H.Q..@..
0x04f0:  d4e4 fac3 4a2f c05d 3d21 9172 b84f 61c7  ....J/.]=!.r.Oa.
0x0500:  d002 e69f c8f7 75f3 a086 6c13 b141 abad  ......u...l..A..
0x0510:  f751 7077 7266 53a1 0962 5e11 f8e0 6613  .QpwrfS..b^...f.
0x0520:  04a3 48c3 c665 91b0 2361 4634 db4a 23fb  ..H..e..#aF4.J#.
0x0530:  7ad0 f54d 707f d2c4 d70c dd72 a23d 8911  z..Mp......r.=..
0x0540:  18a7 67db bf14 1b46 cedc 475e 2a22 cd89  ..g....F..G^*"..
0x0550:  58bf a73c b875 8265 5c66 65ca bdcd 40b8  X..<.u.e\fe...@.
0×0560:  1747 d9c0 5bca 0441 3412 6622 c491 facf  .G..[..A4.f"....
0x0570:  28b9 edf4 25e3 461a d7aa 29dc 15b7 3aed  (...%.F...)...:.
0x0580:  ab26 a25f 6041 94b1 db26 beac bb00 0631  .&._`A...&.....1
0x0590:  336c 5304 290d 775f 43a6 ad3f 9b64 e456  3lS.).w_C..?.d.V
0x05a0:  3b53 d8a1 0aba 0d2f 4bd9 10e3 65e0 08dc  ;S...../K...e...
0x05b0:  211f c8d0 a29a 35a4 1c14 351c 449d a88c  !.....5...5.D...
0x05c0:  ce57 4d18 ee60 d851                      .WM..`.Q
09:43:59.248193 IP (tos 0x8, ttl 50, id 59180, offset 0, flags [DF], proto TCP (6), length 100)
87.230.54.65.59756 > xxx.xxx.xxx.229.22: Flags [P.], cksum 0x4a13 (correct), seq 3258834721:3258834769, ack 460064107, win 501, options [nop,nop,TS val 885093603 ecr 4154428505], length 48
0x0000:  4508 0064 e72c 4000 3206 eef7 57e6 3641  E..d.,@.2...W.6A
0x0010:  8e5b 55e5 e96c 0016 c23d df21 1b6c 056b  .[U..l...=.!.l.k
0x0020:  8018 01f5 4a13 0000 0101 080a 34c1 74e3  ....J.......4.t.
0x0030:  f79f 8c59 ba10 2723 22f2 5e3d 1ceb 4642  ...Y..'#".^=..FB
0x0040:  1fac c260 dba5 c165 8fb8 269e c0c4 048f  ...`...e..&.....
0x0050:  d38e 6375 fe62 f167 d26f 5b9c 3619 da49  ..cu.b.g.o[.6..I
0x0060:  3ed9 7a52                                >.zR
09:43:59.252714 IP (tos 0x0, ttl 49, id 57724, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0x5342 (correct), seq 3312265149:3312266577, ack 1665226186, win 501, options [nop,nop,TS val 885093607 ecr 4154428516], length 1428
0x0000:  4500 05c8 e17c 4000 3106 f12c 57e6 3641  E....|@.1..,W.6A
0x0010:  8e5b 5504 9c59 0016 c56d 27bd 6341 55ca  .[U..Y...m'.cAU.
0x0020:  8010 01f5 5342 0000 0101 080a 34c1 74e7  ....SB......4.t.
0x0030:  f79f 8c64 4d90 a29e 1535 547e bcc1 8a99  ...dM....5T~....
0x0040:  8c41 353e 3466 765b a6ed d6ab d53d 79ac  .A5>4fv[.....=y.
0x0050:  aace aa97 ff88 478c d379 6cdc 4be7 c5cf  ......G..yl.K...
0x0060:  4b02 1162 ea21 877c 91e6 0ed6 badc 6681  K..b.!.|......f.
0x0070:  f220 a348 57be b887 769b d928 4433 6338  ...HW...v..(D3c8
0x0080:  c09a 9dd6 d714 1c67 8c79 2f64 3e4f 0242  .......g.y/d>O.B
0x0090:  3f2a d379 cb7b a239 54e2 8970 1086 855a  ?*.y.{.9T..p...Z
0x00a0:  dc4c 3290 be2d 865d 882a 49f4 3d61 e37a  .L2..-.].*I.=a.z
0x00b0:  2346 d76e fec5 0897 7431 fb3f 43d6 7092  #F.n....t1.?C.p.
0x00c0:  b7d2 11ac df5c 0edd ceff d9d3 ed48 d78b  .....\.......H..
0x00d0:  e52c 8774 4abc 0b3a 1862 b2f5 4b16 a8eb  .,.tJ..:.b..K...
0x00e0:  1fd4 ad7d e8e3 c102 7122 c9f2 82be d1ea  ...}....q"......
0x00f0:  4f85 1439 2807 76d2 4d60 cb20 dbe0 a4ec  O..9(.v.M`......
0x0100:  43fe 73e2 5216 2be5 0a18 2860 b6a7 eaab  C.s.R.+...(`....
0x0110:  2be5 1caa 3179 fd3c b930 e256 02dd 98d9  +...1y.<.0.V....
0x0120:  df06 ffe0 4c6c e11b f6fe 83fd a20c 07c8  ....Ll..........
0x0130:  9dde 9030 1512 d1b3 4e1d 6b97 3293 36b7  ...0....N.k.2.6.
0x0140:  e2fb 8734 6723 0040 74ae 646b 596d 72de  ...4g#.@t.dkYmr.
0x0150:  d406 c707 82f6 88db 596a 125c d3c9 e86b  ........Yj.\...k
0x0160:  b752 4342 2aa2 f656 ed58 24d8 b601 fc2f  .RCB*..V.X$..../
0x0170:  8a8b ea2a c69c 19af 72c9 e633 cd9b dd8f  ...*....r..3....
0x0180:  ed99 5349 5bf8 8818 5a03 eb08 1765 f1a9  ..SI[...Z....e..
0x0190:  b516 8a3f 2f4c 90d0 2198 2586 b050 ef53  ...?/L..!.%..P.S
0x01a0:  d0fd 7bc1 4892 32ab c66e fadb 2356 6516  ..{.H.2..n..#Ve.
0x01b0:  7e38 5553 45e8 78ff f739 adf2 16da 6247  ~8USE.x..9....bG
0x01c0:  2841 e018 0757 992d 38ec fd77 f5c4 7a11  (A...W.-8..w..z.
0x01d0:  2634 bece 41cf f90d 02a1 a297 4575 6ff3  &4..A.......Euo.
0x01e0:  c380 0761 79c4 4d75 128c be51 455f 7656  ...ay.Mu...QE_vV
0x01f0:  0b2c 74b0 b4b0 ba66 5c86 cbe5 b2e4 909e  .,t....f\.......
0x0200:  4b21 eb9f c7b2 4123 6f85 6627 2322 50bf  K!....A#o.f'#"P.
0x0210:  3310 9ac0 c1a1 31ba c5bf b425 f93c 6131  3.....1....%.<a1
0x0220:  d5d1 23ac 2bc1 2138 c011 5d6d 6212 8caa  ..#.+.!8..]mb...
0x0230:  d8c4 8436 8951 5efe c114 e9c1 37ee 4fc2  ...6.Q^.....7.O.
0x0240:  5d47 b65f da3a 634e a34d 7034 c845 b35e  ]G._.:cN.Mp4.E.^
0x0250:  4e6e 776e 5ebb 46f8 f5af fe0d 402e 3afe  Nnwn^.F.....@.:.
0x0260:  717f 64ee 0a23 5657 98da 3705 5532 c536  q.d..#VW..7.U2.6
0x0270:  5ab1 2630 5126 3ab9 3448 cb7b 13a2 c584  Z.&0Q&:.4H.{....
0x0280:  810e ab8e 43b4 8796 ef7e 1e15 8dc0 1321  ....C....~.....!
0x0290:  a87d c79f 783e 903a f781 551d 9b32 f180  .}..x>.:..U..2..
0x02a0:  ee3f 4fe7 6930 720a 24cd da8e 6f57 c54d  .?O.i0r.$...oW.M
0x02b0:  084c cee2 c718 1345 c394 6b2e 14b2 385b  .L.....E..k...8[
0x02c0:  8a7e adb0 1c07 c1ed b93d 816c e4b0 fae1  .~.......=.l....
0x02d0:  909b 68ac bcb7 f7c5 431b 2359 d7ca 8826  ..h.....C.#Y...&
0x02e0:  fb59 dbea 1095 cb85 b528 1cdb 07b3 2628  .Y.......(....&(
0x02f0:  9c7f eca1 2a8f ffc6 6a7f 3297 2ea2 5c89  ....*...j.2...\.
0x0300:  567d 67ab 757f 62b7 6967 ae67 7d5d c511  V}g.u.b.ig.g}]..
0x0310:  2257 0ccc 79e9 40eb f33a aa8b dd1c a63a  "W..y.@..:.....:
0x0320:  51f1 947e cdc4 d74e 621e 3bec 7385 6cba  Q..~...Nb.;.s.l.
0x0330:  4d79 eb5b 4985 8998 e277 37e7 6711 89d6  My.[I....w7.g...
0x0340:  a6b3 c506 acbb 88f2 24ae 9679 293a 7c0e  ........$..y):|.
0x0350:  8a31 cadd f185 ef7c 3d3d ea2a 8b59 6262  .1.....|==.*.Ybb
0x0360:  52a0 2ac4 71ec 62d4 0eb6 3778 abc2 5b5d  R.*.q.b...7x..[]
0x0370:  b4c3 5d57 c4ab 05c3 7efc 97e4 211a ccc6  ..]W....~...!...
0x0380:  021d 91c7 0d3f 03d2 4117 5a57 1fb5 0a29  .....?..A.ZW...)
0x0390:  bc09 da50 dbca 7089 add4 e3e3 f055 42fc  ...P..p......UB.
0x03a0:  0214 57fa 2a51 b66f 8fd3 512e fee6 767d  ..W.*Q.o..Q...v}
0x03b0:  4889 1257 5ee8 dc16 a48a 8bd9 aee6 bb0b  H..W^...........
0x03c0:  42e5 592b 5d9a da6e 9a58 5808 0196 e207  B.Y+]..n.XX.....
0x03d0:  64a1 0f2f 7be2 c65f eb96 9b1e 65aa ba44  d../{.._....e..D
0x03e0:  0f29 5627 03d3 5673 a7ac a02f 73ee c55c  .)V'..Vs.../s..\
0x03f0:  c213 b5ee 0500 db19 2485 a276 0d9e 8049  ........$..v...I
0x0400:  c35c dee1 daaf f338 37b2 9b6b 2f2d 23fa  .\.....87..k/-#.
0x0410:  9bd2 5af9 a303 8b9f fe7d b2f5 7dc8 1a1d  ..Z......}..}...
0x0420:  19f8 faf7 7a83 78b6 4b99 0497 1c78 2aa1  ....z.x.K....x*.
0x0430:  43cc 32a7 6de3 21ba 9a14 9dac f947 9d8f  C.2.m.!......G..
0x0440:  b583 8c6a 0fb5 8f7c 5fa5 acb3 2cbf 0174  ...j...|_...,..t
0x0450:  1624 c588 1ddd eb51 8b39 fc6c 7428 49e8  .$.....Q.9.lt(I.
0x0460:  fd0d 8064 b1dc 7e07 5cec 1362 897c beb6  ...d..~.\..b.|..
0x0470:  e23e 507c 127c 59db 2a5c 115d ac0a 1e1c  .>P|.|Y.*\.]....
0x0480:  d223 23e7 64eb d4b7 7cce 3ed0 f678 c7a0  .##.d...|.>..x..
0x0490:  8a8b a51a eaf5 dbc8 3f90 0919 9eaa aaaa  ........?.......
0x04a0:  347c ce1c b212 1487 2fef d0b8 8c75 ce8e  4|....../....u..
0x04b0:  1a27 3569 88ad 8df0 c857 05f8 32b7 ff02  .'5i.....W..2...
0x04c0:  f109 1511 ebc7 3b14 d02e 6534 1eb3 27b2  ......;...e4..'.
0x04d0:  3601 cc77 f583 edd0 5278 c972 2734 321b  6..w....Rx.r'42.
0x04e0:  84cb d62d 5365 7961 f070 e452 84da 6f0d  ...-Seya.p.R..o.
0x04f0:  322c fe84 1f15 7bb4 5e4c 7db3 035c 3940  2,....{.^L}..\9@
0x0500:  a1d8 72e7 6a95 c8ca 12d8 c697 4b3c 9f90  ..r.j.......K<..
0x0510:  2fe2 36e0 dea7 29ec 18d6 4440 3039 ca12  /.6...)...D@09..
0x0520:  89f0 f0fb 1782 baa8 f95c 9364 7592 2ac3  .........\.du.*.
0x0530:  bebf 4e84 8f6e cd41 1b35 11b7 3c7f 485d  ..N..n.A.5..<.H]
0x0540:  2735 69f2 4f18 8b99 a165 e521 7e54 a0cc  '5i.O....e.!~T..
0x0550:  a73b d869 f79d c27d 48ae 3b96 a678 44a4  .;.i...}H.;..xD.
0x0560:  6f05 f0bf c435 f145 84f0 ef4e a562 fd79  o....5.E...N.b.y
0x0570:  6189 5d3c 80eb 54b1 2534 0e90 398c f7c7  a.]<..T.%4..9...
0x0580:  1d88 2cbb 08d7 3931 fca1 5c06 9236 a32f  ..,...91..\..6./
0x0590:  912f 92c4 9593 c19c ae2b 69d5 f489 a9e1  ./.......+i.....
0x05a0:  0879 00fd 4bba efd5 9325 30c6 82f9 874e  .y..K....%0....N
0x05b0:  b15f fcbb dc26 068b 6688 72ff c594 4adf  ._...&..f.r...J.
0x05c0:  6124 9757 9885 342a                      a$.W..4*
09:43:59.253591 IP (tos 0×0, ttl 49, id 57725, offset 0, flags [DF], proto TCP (6), length 1480)
87.230.54.65.40025 > xxx.xxx.xxx.4.22: Flags [.], cksum 0xcdaf (correct), seq 3312266577:3312268005, ack 1665226186, win 501, options [nop,nop,TS val 885093607 ecr 4154428516], length 1428
0×0000:  4500 05c8 e17d 4000 3106 f12b 57e6 3641  E….}@.1..+W.6A
0×0010:  8e5b 5504 9c59 0016 c56d 2d51 6341 55ca  .[U..Y...m-QcAU.
0x0020:  8010 01f5 cdaf 0000 0101 080a 34c1 74e7  ............4.t.
0x0030:  f79f 8c64 3ee4 d50d d2b1 bfe9 7ec4 a3c1  ...d>.......~...
0x0040:  5014 6d71 cf48 0f5a 3f40 6d7b 04a6 3ba2  P.mq.H.Z?@m{..;.
0x0050:  82cb 8ffc cbbf 5093 482a 5016 cbcd 0c3a  ......P.H*P....:
0x0060:  f3ac 1b88 19cb 3a45 1bbe 91c0 eedd eaad  ......:E........
0x0070:  fa5b 1dcd 9e99 a70e dd6e cce5 9a8e d92a  .[.......n.....*
0x0080:  6768 3a07 0002 593c 9f4a 4cef 781c 4593  gh:...Y<.JL.x.E.
0x0090:  d489 d68f 1dc1 0e57 ae20 39b7 437b f511  .......W..9.C{..
0x00a0:  2793 3148 044c 8256 d7bf e0ba bbaf f4ac  '.1H.L.V........
0x00b0:  05b8 3cdb af38 6e7f 5e4f 635e a8a1 6581  ..<..8n.^Oc^..e.
0x00c0:  a466 74be d400 f606 d5bf 2d17 fb6b 141e  .ft.......-..k..
0x00d0:  984a 732b 3c96 9d69 2a34 2f51 d6c9 7a13  .Js+<..i*4/Q..z.
0x00e0:  8661 be9c 1cd1 3fc6 8383 90b0 04b3 4b18  .a....?.......K.
0x00f0:  7734 d87c 3f98 4a1b 25f4 a810 791b adf8  w4.|?.J.%...y...
0x0100:  27c4 4c40 c338 fe81 480d 0d64 a926 af2d  '.L@.8..H..d.&.-
0x0110:  4565 98c1 4873 dceb eddd 3c3a cae6 47c3  Ee..Hs....<:..G.
0x0120:  625c c617 1023 17a8 f32a 0951 7f2d 8f5e  b\...#...*.Q.-.^
0x0130:  1bb5 8f28 a2f0 11f6 8b84 c712 6108 e0ef  ...(........a...
0x0140:  254e 0373 14d0 d608 72d0 bf32 1b28 7a97  %N.s....r..2.(z.
0x0150:  8e89 6d04 2933 6798 8a12 c958 fc78 dbc3  ..m.)3g....X.x..
0x0160:  a881 4da0 97fa f43d 5ef1 b9c1 f740 c9be  ..M....=^....@..
0x0170:  0cda 5c3a e744 1135 3781 b2f4 1cdb 13ef  ..\:.D.57.......
0x0180:  6774 7b44 8fe1 b151 09ac e5f1 7f14 ba6b  gt{D...Q.......k
0x0190:  2764 cd88 78fe c0a0 a459 11c4 8744 ba12  'd..x....Y...D..
0x01a0:  6d5a ada5 6fb6 8aee c630 afe2 36a5 4be9  mZ..o....0..6.K.
0x01b0:  58b2 590b cc82 c41c aa50 130e 8b9e 01c7  X.Y......P......
0x01c0:  73ed ac8a 676a dccc 586e f8e3 e4fb 5625  s...gj..Xn....V%
0x01d0:  8452 f995 6f53 4332 2873 cf62 334a 8fd1  .R..oSC2(s.b3J..
0x01e0:  7e0e 5e9b 8f10 4198 1487 caa5 2b60 99ae  ~.^...A.....+`..
0x01f0:  6d56 5716 e1b3 1e8d 74c1 4fe7 9043 7913  mVW.....t.O..Cy.
0x0200:  3b98 94de bb42 5b4a efba 4b6a 67b7 69e4  ;....B[J..Kjg.i.
0x0210:  2581 4e60 f886 23d5 d80e c117 c56c d59b  %.N`..#......l..
0x0220:  db03 dc5e b36f 2a66 c730 e340 33d3 f0d5  ...^.o*f.0.@3...
0x0230:  8fe9 eff8 2682 3553 ea9e eb25 1aab 7fbd  ....&.5S...%....
0x0240:  c075 4a01 8b39 e760 0411 0cb5 d7c3 1a87  .uJ..9.`........
0x0250:  9949 05d5 acc8 8f4f b0e3 60ef c194 368c  .I.....O..`...6.
0x0260:  6697 210a 5f61 e820 ba1c 4d1e 4de8 c5d1  f.!._a....M.M...
0x0270:  ef15 9f3b eebc ee2a 9351 80b5 3ab8 a4f0  ...;...*.Q..:...
0x0280:  9302 404a cd61 6437 b9ca 3c50 0201 0418  ..@J.ad7..<P....
0x0290:  b0e6 8618 b834 966e f8f7 42cb b163 9184  .....4.n..B..c..
0x02a0:  98bb ac2a 9a4b 2ecd 1cdf 1ed9 6047 04c6  ...*.K......`G..
0x02b0:  7ffb 9c9e a9e2 a2eb d993 5e71 d7ea 1b91  ..........^q....
0x02c0:  4a96 50fd 706e 50ec b0a2 815f 58a9 0961  J.P.pnP...._X..a
0x02d0:  8e0a a87b 5788 94c7 af28 9285 2fb9 ace0  ...{W....(../...
0x02e0:  cbbd 6339 0c03 3a27 a660 d010 ffdd 9860  ..c9..:'.`.....`
0x02f0:  5652 ca42 6c71 c972 ad45 6d31 8d0c 753b  VR.Blq.r.Em1..u;
0x0300:  3cc7 f953 f2a1 7f94 60ed ff4d ef27 5ade  <..S....`..M.'Z.
0x0310:  9592 0d3a d0e7 609a 20cd d651 b512 4650  ...:..`....Q..FP
0x0320:  b2ac 70b2 20a9 e85a 7d9e c975 b100 a33e  ..p....Z}..u...>
0x0330:  efe4 1513 b85f 4325 a71b afd6 1be2 9d72  ....._C%.......r
0x0340:  0933 9fcf e10d 15c9 f2c3 7317 6654 703c  .3........s.fTp<
0x0350:  e15a 518d 6060 6066 c563 00a5 8f26 7384  .ZQ.```f.c...&s.
0x0360:  3927 1129 82d4 0357 30c5 3fc2 b281 8e35  9'.)...W0.?....5
0x0370:  33a6 ca36 c852 d273 336e efdb b378 33c2  3..6.R.s3n...x3.
0x0380:  9ebe 309b 3b60 7abf a488 deb4 aa2c 59ae  ..0.;`z......,Y.
0x0390:  65ff 6be4 a180 323b 1df7 5979 1f19 9e91  e.k...2;..Yy....
0x03a0:  dc62 dadf 7fba bd8f a796 13ed b470 9aa3  .b...........p..
0x03b0:  c783 1681 89ff 6089 2a81 a9f9 c7a6 b7d0  ......`.*.......
0x03c0:  ef20 6c94 5684 b5ae aa0e 8a03 334f 002e  ..l.V.......3O..
0x03d0:  eebd 90ef abef a6a4 6c67 4ed9 15e2 5781  ........lgN...W.
0x03e0:  d9ad 935c 0149 3f71 8df2 6ef7 1354 3b20  ...\.I?q..n..T;.
0x03f0:  1e55 be1c 8d1b 0ba9 b51f 736e 888c d5d2  .U........sn....
0x0400:  5b6e 07d1 bb80 8366 7f3c 640f baf9 7b12  [n.....f.<d...{.
0x0410:  a453 b3b4 5003 6007 3527 ae64 83a3 a50e  .S..P.`.5'.d....
0x0420:  f519 804f 9565 3a6a 2549 53e9 04ac 26cc  ...O.e:j%IS...&.
0x0430:  efe5 864b c2d8 a1c0 84c5 1662 678c 89be  ...K.......bg...
0x0440:  1d96 f1b6 e499 6c28 c257 c739 76fd c626  ......l(.W.9v..&
0x0450:  960b e62c ea5e 9cc6 45a4 9c05 c05f e4ca  ...,.^..E...._..
0x0460:  9b05 ee14 eff0 9f0f f4ad 7f09 2a44 bb59  ............*D.Y
0x0470:  e539 6857 620e 5b39 5ccb 45df 27a2 5890  .9hWb.[9\.E.'.X.
0x0480:  6667 7d6f bc6c bb64 36db 6dc4 17ee 2d36  fg}o.l.d6.m...-6
0x0490:  ca15 3630 c8d2 e568 db54 4919 52ef c85e  ..60...h.TI.R..^
0x04a0:  66f4 6cd7 5b9f 192c 6996 2449 e18f 57cd  f.l.[..,i.$I..W.
0x04b0:  26c8 c83e 6d53 51df 1b0b 6135 d2e8 10e5  &..>mSQ...a5....
0x04c0:  1af2 0448 ec5e 3454 8455 b61e 4299 25ab  ...H.^4T.U..B.%.
0x04d0:  1ab9 0277 135a 795a 208f 041e 00f0 643f  ...w.ZyZ......d?
0x04e0:  7cf0 3c1b 0efc eeaf 3318 4cd2 7a02 9892  |.<.....3.L.z...
0x04f0:  ad5f f88b 8636 d2a5 d93c 6cc9 7b4d bd4b  ._...6...<l.{M.K
0x0500:  8927 12c4 6552 7acd 9575 c3fb bd7c 5efb  .'..eRz..u...|^.
0x0510:  06d1 6321 bae7 47ce 4afe a668 def2 d905  ..c!..G.J..h....
0x0520:  24c0 5084 7d61 d5b7 9cd8 35e6 1717 0dc5  $.P.}a....5.....
0x0530:  75ad 8bcf c931 96ca 813e f2b5 a3eb 54ed  u....1...>....T.
0x0540:  4ffc e698 d1c1 b5d6 614f 42ac a19e c564  O.......aOB....d
0x0550:  36a0 01b4 92e3 587f 5aed 4342 027b 30ef  6.....X.Z.CB.{0.
0x0560:  3fcc 7270 ce3c 5169 b639 7170 7f03 dd88  ?.rp.<Qi.9qp....
0x0570:  5af4 d287 f3ba 74cd c5f2 f7bd ab0c f1de  Z.....t.........
0x0580:  ff35 5806 221f 2204 4a34 77d9 dea7 0113  .5X.".".J4w.....
0x0590:  7599 78e1 3803 606f 4d21 c34e 423f 7e54  u.x.8.`oM!.NB?~T
0x05a0:  1645 5cda 699c 6371 50ba 96df 8d1e 9b14  .E\.i.cqP.......
0x05b0:  d9bf 8f0a d8e6 5b23 6b0b 1740 4933 232e  ......[#k..@I3#.
0x05c0:  c998 93b8 edef 5338                      ......S8
10 packets captured
17 packets received by filter
0 packets dropped by kernel

As I stated before, you typically will not see these connections unless you set LogLevel to VERBOSE in /etc/ssh/sshd_config.

After that you will see entries like these. Unless you set it to VERBOSE, you will probably never even know from the log file that you had these connections.

Feb 16 09:52:33 server sshd[160083]: Server listening on :: port 22.

Feb 16 09:53:06 server sshd[160196]: Set /proc/self/oom_score_adj to 0

Feb 16 09:53:06 server sshd[160196]: Connection from 87.230.54.65 port 52157

Feb 16 09:53:08 server sshd[160228]: Set /proc/self/oom_score_adj to 0

Feb 16 09:53:08 server sshd[160228]: Connection from 87.230.54.65 port 52160

Feb 16 09:53:09 server sshd[160250]: Set /proc/self/oom_score_adj to 0

Feb 16 09:53:09 server sshd[160250]: Connection from 87.230.54.65 port 48750

Feb 16 09:53:11 server sshd[160271]: Set /proc/self/oom_score_adj to 0

Feb 16 09:53:11 server sshd[160271]: Connection from 87.230.54.65 port 48753

On one of the servers I have Snoopy Logger installed:
sourceforge.net/projects/snoopylogger/
This is what happens on a connection from the malicious user:

Feb 16 10:37:31 server sshd[170828]: Connection from 178.162.248.74 port 35754

Feb 16 10:37:32 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/bash]: bash -c sleep 7200

Feb 16 10:37:32 server snoopy[170833]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: whoami

Feb 16 10:37:33 server snoopy[170834]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/mesg]: mesg y

Feb 16 10:37:33 server snoopy[170836]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/dircolors]: dircolors -b

Feb 16 10:37:33 server snoopy[170838]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: /usr/bin/whoami

Feb 16 10:37:33 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/sleep]: sleep 7200

INITIAL FINDINGS:

root@server [~]# rpm -qf `lsof -p 785953 | grep lib | awk '{print $9}'`
glibc-2.12-1.80.el6_3.7.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nss-util-3.13.6-1.el6_3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
krb5-libs-1.9-33.el6_3.3.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
nss-3.13.5-1.el6_3.x86_64
libcom_err-1.41.12-12.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
zlib-1.2.3-27.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
openssl-1.0.0-25.el6_3.1.x86_64
libselinux-2.0.94-5.3.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
pam-1.1.1-10.el6_2.1.x86_64
audit-libs-2.2-2.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
root@xxxxx [~]# rpm -qf /lib64/libkeyutils.so.1.3
keyutils-libs-1.4-4.el6.x86_64
root@xxxxx [~]# rpm -V keyutils-libs-1.4-4.el6.x86_64
root@xxxxx [~]#
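The `rpm -qf` and `rpm -V` checks above can be automated for every shared object sshd has mapped. The block below is an added example (mine, not code from the post): it reads /proc/<pid>/maps for each sshd, asks rpm who owns each library, verifies the owning package, and checks that /lib*/libkeyutils.so.1 still points at a file shipped by keyutils-libs. The parsing is kept separate from the rpm calls so it can be exercised on the constructed sample data embedded in the block; running it as root on a RHEL/CentOS host with pgrep, rpm and Python 3 available performs the live check.

```python
"""Triage helper for the libkeyutils.so.1.9 case.

Added example, not part of the original post.  The pure functions work on
text so they can run offline; main() drives pgrep/rpm on a real host.
"""
import os
import re
import subprocess

# A file-backed mapping in /proc/<pid>/maps ends with an absolute path;
# anonymous and pseudo mappings ([stack], [vdso]) do not match.
_MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ \S+ \S+ \S+ \d+\s+(/\S+)$")
_NOT_OWNED = re.compile(r"^file \S+ is not owned by any package$")

# Constructed sample data (not captured from a real host): a maps file,
# the first line of `rpm -qf` for each library, and `rpm -V` per package.
MAPS_SAMPLE = """\
00400000-0048c000 r-xp 00000000 fd:00 123456                     /usr/sbin/sshd
7f0e1c000000-7f0e1c004000 r-xp 00000000 fd:00 234567             /lib64/libkeyutils.so.1.9
7f0e1c004000-7f0e1c203000 ---p 00004000 fd:00 234567             /lib64/libkeyutils.so.1.9
7f0e1c203000-7f0e1c38d000 r-xp 00000000 fd:00 345678             /lib64/libc-2.12.so
7f0e1c38d000-7f0e1c390000 rw-p 00000000 00:00 0
7fffa1b00000-7fffa1b21000 rw-p 00000000 00:00 0                  [stack]
"""
QF_SAMPLE = {
    "/lib64/libkeyutils.so.1.9": "file /lib64/libkeyutils.so.1.9 is not owned by any package",
    "/lib64/libc-2.12.so": "glibc-2.12-1.80.el6_3.7.x86_64",
}
V_SAMPLE = {"glibc-2.12-1.80.el6_3.7.x86_64": ""}   # rpm -V prints nothing when clean


def mapped_libraries(maps_text):
    """Shared objects mapped into a process, from /proc/<pid>/maps text."""
    libs = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m and ".so" in os.path.basename(m.group(1)):
            libs.add(m.group(1))
    return sorted(libs)


def owning_package(rpm_qf_line):
    """Owning package from one line of `rpm -qf <file>`, or None if unowned."""
    line = rpm_qf_line.strip()
    if not line or line.startswith("error:") or _NOT_OWNED.match(line):
        return None
    return line


def triage(libs, qf_by_path, verify_by_pkg):
    """Findings per library: unowned, or owned but flagged by `rpm -V`.

    qf_by_path:    {path: first line of `rpm -qf path`}
    verify_by_pkg: {package: stdout of `rpm -V package`} ('' means clean)
    Returns [(path, reason)]; an empty list means nothing stood out.
    """
    findings = []
    for path in libs:
        pkg = owning_package(qf_by_path.get(path, ""))
        if pkg is None:
            findings.append((path, "not owned by any package"))
            continue
        for line in verify_by_pkg.get(pkg, "").splitlines():
            fields = line.split()
            if fields and fields[-1] == path:
                findings.append((path, "rpm -V %s: %s" % (pkg, fields[0])))
    return findings


def symlink_is_packaged(link, target, packaged_files):
    """True when `link` -> `target` resolves to a file shipped by the package.

    The dropper re-pointed libkeyutils.so.1 at its own libkeyutils.so.1.9,
    so the symlink target must appear in `rpm -ql keyutils-libs`.
    """
    resolved = os.path.normpath(os.path.join(os.path.dirname(link), target))
    return resolved in set(packaged_files)


def _run(*argv):
    return subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True).stdout


def main():
    for pid in _run("pgrep", "-x", "sshd").split():
        with open("/proc/%s/maps" % pid) as fh:
            libs = mapped_libraries(fh.read())
        qf = {p: (_run("rpm", "-qf", p).splitlines() or [""])[0] for p in libs}
        verify = {}
        for pkg in {owning_package(v) for v in qf.values()} - {None}:
            verify[pkg] = _run("rpm", "-V", pkg)
        for path, reason in triage(libs, qf, verify):
            print("sshd[%s] %s: %s" % (pid, path, reason))
    packaged = _run("rpm", "-ql", "keyutils-libs").split()
    for link in ("/lib/libkeyutils.so.1", "/lib64/libkeyutils.so.1"):
        if os.path.islink(link) and not symlink_is_packaged(link, os.readlink(link), packaged):
            print("%s -> %s is not a keyutils-libs file" % (link, os.readlink(link)))


if __name__ == "__main__":
    main()
```

A clean host prints nothing. On the infected host in the post, the unowned /lib64/libkeyutils.so.1.9 and the redirected libkeyutils.so.1 symlink would both be reported; if the attacker had instead overwritten the packaged .so.1.3 in place, the `rpm -V` branch catches the changed checksum.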
 
CLEAN FILE:
root@xxxx [~]# strings /lib64/libkeyutils.so.1.3
I       P
{?Nq
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
keyctl
syscall
keyctl_session_to_parent
keyctl_get_security
keyctl_get_security_alloc
malloc
realloc
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_instantiate
keyctl_read
keyctl_read_alloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
request_key
add_key
libdl.so.2
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
KEYUTILS_1.3
GLIBC_2.2.5
ATSubH
D$`H
D$ H
L$8L
D$@H
T$(H
fff.
t$ H
fffff.
fff.
t$ H
fff.
t$ H
fffff.
fff.
ffffff.
root@xxxx [~]#


 

EXPLOITED FILE:

root@xxxxx [~]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
root@xxxxx [~]#
 
root@xxxx [~]# strings /lib64/libkeyutils.so.1.9
 
0+9_
I       P
(yRU
{?N-
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
sscanf
strcmp
realloc
free
keyctl
syscall
keyctl_session_to_parent
keyctl_get_security
keyctl_get_security_alloc
malloc
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_reject
__errno_location
keyctl_instantiate
keyctl_instantiate_iov
memcpy
keyctl_read
keyctl_read_alloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
recursive_key_scan
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
recursive_session_key_scan
request_key
add_key
mprotect
dlopen
dlinfo
dlsym
sysconf
getnameinfo
strncpy
strlen
sprintf
strncmp
shmget
shmat
semget
semtimedop
shmdt
stdout
fprintf
fflush
sleep
exit
memset
time
geteuid
getpeername
getsockname
write
connect
gethostbyname
bind
__strdup
fork
waitpid
tmpfile
fseek
fread
fclose
strchr
getenv
snprintf
srand
socket
__res_state
inet_ntoa
send
keyutils_version_string
keyutils_build_string
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
KEYUTILS_1.3
KEYUTILS_1.4
GLIBC_2.3.3
GLIBC_2.2.5
%zU
%rU
%jU
%bU
%ZU
%RU
%JU
%BU
%:U
%2U
%*U
%"U
%zT
%rT
%jT
%bT
%ZT
%RT
%JT
%BT
%:T
%2T
%*T
%"T
ATSubH
=hQ
%dO
=qV
\$(t
\$(L
\$ L
AWAVAUI
ATUSH
-,T
H;\$
[]A\A]A^A_
[]A\A]A^A_
D$`H
D$ H
L$8L
D$@H
T$(H
fff.
t$ H
fffff.
l$ H
l$ H
l$ L
d$(L
l$0L
t$8L
|$@H
l$ L
d$(1
l$0L
t$81
|$@H
fff.
t$ H
ffffff.
fff.
t$ H
D$ H
fffff.
ffffff.
fffff.
fff.
ffffff.
ffffff.
fff.
5iJ
5IJ
5)J
4BH9
=^z
=Az
=)z
4BH9
=:y
=!y
=JF
=JF
=(F
=&F
ATUSH
D$8H
=lB
=:B
=!B
5QA
5TA
@[]A\
d$ H
%cr
-Er
D$(1
%mq
D$ H
%'q
=x>
=s>
=B>
=3>
\$ H
%wo
-.o
D$(1
%En
D$(1
AWHc
AUATI
l$ L
8[]A\A]A^A_
=[9
=O9
l$ H
ffff.
AUHc
[]A\A]
AVAU
l$`H
l$ H
5p7
=;7
=N6
D4`L
576
[]A\A]A^A_
l$ H
AUATU
=pg
=Lg
5E4
Lc(L
5M/
[]A\A]A^
[]A\A]A^
=E4
=84
ffffff.
ATUS~-1
5[0
[]A\D
A]A^
=u3
5s3
=b3
fffff.
l$ L
d$(L
l$0H
v!H
\$ H
l$(L
d$0H
=Y\
=f[
=n+
={,
l$ L
d$(L
l$0H
T$(I
=)^
5l,
Hc8H
=p]
=~S
=a'
=+*
t$ 1
5S)
5       )
AWAVAUATUH
=^'
t4
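The two `strings` listings above can be turned into a repeatable check. What follows is an added example (mine, not code from the post or from the keyutils project): it diffs the import names of a known-good libkeyutils against the suspect build and buckets anything new by the capability it grants the library. The two symbol lists are transcribed from the listings above. For real files, `undefined_symbols` uses `nm -D --undefined-only` from binutils, which returns only dynamic-symbol names and so is less noisy than `strings`; Python 3 is assumed.

```python
"""Import-set diff between a clean and a suspect libkeyutils.

Added example, not from the original post.  A keyring wrapper library
should import keyctl(2)-related names and a handful of libc helpers; any
networking, SysV IPC or loader symbol is a red flag.
"""
import subprocess

# Symbol names transcribed from the two `strings` listings in the post.
CLEAN_SYMBOLS = """
__gmon_start__ _init _fini __cxa_finalize _Jv_RegisterClasses keyctl syscall
keyctl_session_to_parent keyctl_get_security keyctl_get_security_alloc malloc
realloc keyctl_assume_authority keyctl_set_timeout keyctl_set_reqkey_keyring
keyctl_negate keyctl_instantiate keyctl_read keyctl_read_alloc keyctl_search
keyctl_unlink keyctl_link keyctl_clear keyctl_describe keyctl_describe_alloc
keyctl_setperm keyctl_chown keyctl_revoke keyctl_update
keyctl_join_session_keyring keyctl_get_keyring_ID request_key add_key
""".split()

SUSPECT_SYMBOLS = CLEAN_SYMBOLS + """
sscanf strcmp free keyctl_reject __errno_location keyctl_instantiate_iov memcpy
recursive_key_scan recursive_session_key_scan mprotect dlopen dlinfo dlsym
sysconf getnameinfo strncpy strlen sprintf strncmp shmget shmat semget
semtimedop shmdt stdout fprintf fflush sleep exit memset time geteuid
getpeername getsockname write connect gethostbyname bind __strdup fork waitpid
tmpfile fseek fread fclose strchr getenv snprintf srand socket __res_state
inet_ntoa send keyutils_version_string keyutils_build_string
""".split()

# Capabilities a keyring wrapper has no reason to import (my buckets).
CAPABILITIES = {
    "network": {"socket", "connect", "bind", "send", "gethostbyname",
                "getpeername", "getsockname", "getnameinfo", "inet_ntoa",
                "__res_state"},
    "shared-memory/ipc": {"shmget", "shmat", "shmdt", "semget", "semtimedop"},
    "loader/self-patching": {"dlopen", "dlsym", "dlinfo", "mprotect"},
    "process": {"fork", "waitpid", "exit", "sleep", "geteuid", "getenv"},
}
RED_FLAGS = ("network", "shared-memory/ipc", "loader/self-patching")


def new_imports(clean, suspect):
    """Names present in the suspect build but absent from the clean one."""
    return sorted(set(suspect) - set(clean))


def is_keyutils_api(name):
    """Symbols that legitimately belong to libkeyutils' own interface."""
    return name.startswith(("keyctl", "recursive_", "keyutils_",
                            "request_key", "add_key"))


def classify(names):
    """Bucket new, non-API names by the capability they give the library."""
    found = {}
    for name in names:
        if is_keyutils_api(name):
            continue
        for cap, members in CAPABILITIES.items():
            if name in members:
                found.setdefault(cap, []).append(name)
    return {cap: sorted(v) for cap, v in found.items()}


def looks_trojaned(clean, suspect):
    """True when the suspect build gained any red-flag capability."""
    caps = classify(new_imports(clean, suspect))
    return any(cap in caps for cap in RED_FLAGS)


def undefined_symbols(path):
    """Imports of a real shared object via `nm -D --undefined-only`."""
    out = subprocess.run(["nm", "-D", "--undefined-only", path],
                         stdout=subprocess.PIPE, universal_newlines=True).stdout
    names = []
    for line in out.splitlines():
        parts = line.split()
        if parts:
            names.append(parts[-1].split("@")[0])   # strip @GLIBC_x.y version
    return names


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        clean, suspect = (undefined_symbols(p) for p in sys.argv[1:])
    else:
        clean, suspect = CLEAN_SYMBOLS, SUSPECT_SYMBOLS
    for cap, names in classify(new_imports(clean, suspect)).items():
        print("%-22s %s" % (cap, " ".join(names)))
    print("verdict:", "suspect" if looks_trojaned(clean, suspect) else "no red flags")
```

Run it with two paths (`python3 libdiff.py /lib64/libkeyutils.so.1.3 /lib64/libkeyutils.so.1.9`) to compare real files, or with no arguments to replay the listings from the post. Note that keyctl_reject, keyctl_instantiate_iov and recursive_session_key_scan are also new in the suspect build but are not flagged: they are part of the keyutils API, so a newer legitimate release would add them too. The socket, shared-memory and dlopen/mprotect imports are what a keyring library can never justify.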

SEEN LOGGED:

Feb 18 07:28:03 server1 snoopy[20446]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def

Feb 18 07:28:03 server1 snoopy[20448]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron

Feb 18 07:28:03 server1 snoopy[20449]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -i Feb 18 07

Feb 18 07:28:04 server1 snoopy[20452]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron

Feb 18 07:28:04 server1 snoopy[20453]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi Feb 18 07

Feb 18 07:28:04 server1 snoopy[20454]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron

Feb 18 07:28:04 server1 snoopy[20455]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep Feb 18 07

Feb 18 07:28:05 server1 snoopy[20469]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def

Feb 18 07:28:05 server1 snoopy[20471]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/notify.log

Feb 18 07:28:05 server1 snoopy[20472]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi 46.105.20.166|46.105.20.166

Feb 18 07:28:05 server1 snoopy[20473]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /home/tmpp/q3def

Feb 18 07:28:05 server1 snoopy[20474]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def

Feb 18 07:28:05 server1 snoopy[20477]: [uid:0 sid:20392 tty: cwd:/root filename:/usr/bin/ssh]: ssh -G1 -V

Feb 18 07:28:05 server1 snoopy[20478]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep illegal

Feb 18 07:28:05 server1 snoopy[21505]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /etc/redhat-release

Feb 18 07:28:05 server1 snoopy[21509]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -i UseLogin /etc/ssh/sshd_config

Feb 18 07:28:05 server1 snoopy[21510]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -v ^#

Feb 18 07:28:06 server1 snoopy[21517]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chown]: chown root:root libzz8d70

Feb 18 07:28:06 server1 snoopy[21518]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chmod]: chmod 755 libzz8d70

Feb 18 07:28:06 server1 snoopy[21519]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libzz8d70 libkeyutils.so.1.9

Feb 18 07:28:06 server1 snoopy[21520]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/ln]: ln -s libkeyutils.so.1.9 libkeyutils.so.n

Feb 18 07:28:06 server1 snoopy[21521]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libkeyutils.so.n libkeyutils.so.1

Feb 18 07:28:06 server1 snoopy[21522]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/touch]: touch -c -r libkeyutils-1.2.so libkeyutils.so.1.9

Feb 18 07:28:06 server1 snoopy[21524]: [uid:0 sid:20392 tty: cwd:/lib filename:/usr/bin/ldd]: ldd /usr/sbin/sshd
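The Snoopy lines above show two things worth alerting on: root commands running with no controlling tty right after an sshd "Connection from" entry, and a staged file being renamed into /lib, symlinked over libkeyutils.so.1, and given a copied timestamp with `touch -r`. The block below is an added example (mine, not from the post): two detections over Snoopy and sshd syslog lines, exercised on sample lines copied from the post. It assumes the Snoopy output format shown above and Python 3; the ten-second window, the library prefixes and the verb list are my choices.

```python
"""Detections over Snoopy Logger / sshd syslog lines.

Added example, not part of the original post.  SAMPLE is copied from the
log excerpts in the post (two sessions, plus one benign `cat` line).
"""
import re
from datetime import datetime

SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[\d+\]: "
    r"\[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S*) cwd:(?P<cwd>\S+) "
    r"filename:(?P<exe>\S+)\]: (?P<cmd>.*)$")
SSHD_CONN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Connection from (?P<ip>\S+) port \d+$")

LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
STAGE_VERBS = {"chown": "stage", "chmod": "stage", "mv": "rename",
               "ln": "symlink", "touch": "timestomp"}

SAMPLE = """\
Feb 16 10:37:31 server sshd[170828]: Connection from 178.162.248.74 port 35754
Feb 16 10:37:32 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/bash]: bash -c sleep 7200
Feb 16 10:37:32 server snoopy[170833]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: whoami
Feb 16 10:37:33 server snoopy[170834]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/mesg]: mesg y
Feb 16 10:37:33 server snoopy[170836]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/dircolors]: dircolors -b
Feb 16 10:37:33 server snoopy[170838]: [uid:0 sid:170831 tty: cwd:/root filename:/usr/bin/whoami]: /usr/bin/whoami
Feb 16 10:37:33 server snoopy[170831]: [uid:0 sid:170831 tty: cwd:/root filename:/bin/sleep]: sleep 7200
Feb 18 07:28:04 server1 snoopy[20452]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:06 server1 snoopy[21517]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chown]: chown root:root libzz8d70
Feb 18 07:28:06 server1 snoopy[21518]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chmod]: chmod 755 libzz8d70
Feb 18 07:28:06 server1 snoopy[21519]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libzz8d70 libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21520]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/ln]: ln -s libkeyutils.so.1.9 libkeyutils.so.n
Feb 18 07:28:06 server1 snoopy[21521]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libkeyutils.so.n libkeyutils.so.1
Feb 18 07:28:06 server1 snoopy[21522]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/touch]: touch -c -r libkeyutils-1.2.so libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21524]: [uid:0 sid:20392 tty: cwd:/lib filename:/usr/bin/ldd]: ldd /usr/sbin/sshd
""".strip().splitlines()


def _ts(stamp):
    # syslog stamps carry no year; only deltas inside one capture matter
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def root_commands_after_connection(lines, window=10):
    """uid 0 commands with no controlling tty within `window` seconds of an
    sshd 'Connection from' line: a root shell that never saw a login."""
    hits, last = [], None
    for line in lines:
        conn = SSHD_CONN_RE.match(line)
        if conn:
            last = (_ts(conn.group("ts")), conn.group("ip"))
            continue
        m = SNOOPY_RE.match(line)
        if not m or m.group("uid") != "0" or m.group("tty"):
            continue
        if last and 0 <= (_ts(m.group("ts")) - last[0]).total_seconds() <= window:
            hits.append((last[1], m.group("cmd")))
    return hits


def _touches_system_lib(m):
    """Does any non-option argument resolve to a path under a lib prefix?"""
    cwd = m.group("cwd").rstrip("/")
    for arg in m.group("cmd").split()[1:]:
        if arg.startswith("-"):
            continue
        path = arg if arg.startswith("/") else cwd + "/" + arg
        if path.startswith(LIB_PREFIXES):
            return True
    return False


def library_drop_sequence(lines):
    """File-staging verbs acting on a system library directory.
    Returns [(timestamp, verb_label, command)] in log order."""
    hits = []
    for line in lines:
        m = SNOOPY_RE.match(line)
        if not m:
            continue
        verb = STAGE_VERBS.get(m.group("exe").rsplit("/", 1)[-1])
        if verb and _touches_system_lib(m):
            hits.append((m.group("ts"), verb, m.group("cmd")))
    return hits


if __name__ == "__main__":
    import sys
    lines = SAMPLE if len(sys.argv) < 2 else open(sys.argv[1]).read().splitlines()
    for ip, cmd in root_commands_after_connection(lines):
        print("root, no tty, after connection from %s: %s" % (ip, cmd))
    for stamp, verb, cmd in library_drop_sequence(lines):
        print("%s %-9s %s" % (stamp, verb, cmd))
```

Point it at /var/log/messages (or wherever Snoopy and sshd log) to replay a whole day. The timestomp label is the most specific single indicator: `touch -r` against a file in /lib is something package managers never do, and it is exactly what makes `ls -l` timestamps useless as evidence on a compromised host.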

REF: www.webhostingtalk.com/showthread.php?t=1235797

 

Filed under: Uncategorized No Comments
3Feb/130

AX2012 – Restore AX Database from different domain

Posted by Dark#Basics

Most of our developers have done massive customizations in our own on-premises lab. But what if you need to restore that database on the customer's premises? Restoring it works like any other database, but what happens when you open Microsoft Dynamics AX? You will not even be able to log in. The reason is that the SID of your current user is not in the AX user table (USERINFO), so AX does not let you in.

In order for the user's Microsoft Dynamics AX account to log into the restored database environment, their domain account must be a user in the system. Microsoft Dynamics AX 2012 is integrated with Active Directory, so the account information in the database must match the user and domain of the new environment. This is fixed with the query below, using the SID of the user you want to map; the SID can be found with regedit (or by running whoami /user as that user).

Once you have found the SID, update the USERINFO table with the following query:

update userinfo set SID='<SID>', Networkdomain = '<Network_domain_name>', networkalias = '<Network_alias>' where id = 'admin'

Start Dynamics AX again and you should be able to log in without any issues. Keep in mind that this maps the named domain account onto the existing AX admin record, so that account inherits every role the admin user had: use the real SID rather than leaving it empty and keep the WHERE clause limited to the one record you mean to change.

Source: http://community.dynamics.com/product/ax/axtechnical/b/axsupport/archive/2011/09/02/steps-to-restore-an-ax-database.aspx
Source: http://blogs.msdn.com/b/axsupport/archive/2011/11/07/moving-between-microsoft-dynamics-ax-2012-environments.aspx

3Feb/130

IIS – Move InetPub

Posted by Dark#Basics

After installing IIS, its default location is the system drive. For smaller websites and services that is not a problem, but when you are a hosting company, or are going to provide storage for a large number of websites, you will have to move the inetpub folder. When you do not have any websites installed yet this is easily done by copying the files to the new location and changing the settings of your website in IIS. But what if you already have more than one site and are as lazy as me?

Well, I came across the following script that allows you to move inetpub to another drive without doing anything manually, except running the script from the command line. Two things to check before you delete the old directory: the script updates the paths in the IIS configuration but does not re-apply permissions, so compare the ACLs on the new inetpub tree with the original using icacls (the root of a freshly formatted data drive may grant Authenticated Users more than %systemdrive% does), and confirm that the application pool identities can still read the new wwwroot.

 

REM PLEASE BE AWARE: SERVICING (I.E. HOTFIXES AND SERVICE PACKS) WILL STILL REPLACE FILES 
REM IN THE ORIGINAL DIRECTORIES. THE LIKELIHOOD THAT FILES IN THE INETPUB DIRECTORIES HAVE 
REM TO BE REPLACED BY SERVICING IS LOW BUT FOR THIS REASON DELETING THE ORIGINAL DIRECTORIES
REM IS NOT POSSIBLE. 
 
@echo off
IF "%1" == "" goto err
setlocal
set MOVETO=%1:\
 
REM simple error handling if drive does not exist or argument is wrong 
IF NOT EXIST %MOVETO% goto err
 
REM Backup IIS config before we start changing config to point to the new path
%windir%\system32\inetsrv\appcmd add backup beforeRootMove
 
REM Stop all IIS services
iisreset /stop
 
REM Copy all content 
REM /O - copy ACLs
REM /E - copy sub directories including empty ones
REM /I - assume destination is a directory
REM /Q - quiet
 
REM echo on, because user will be prompted if content already exists.
echo on
xcopy %systemdrive%\inetpub %MOVETO%inetpub /O /E /I /Q
@echo off
REM Move AppPool isolation directory 
reg add HKLM\System\CurrentControlSet\Services\WAS\Parameters /v ConfigIsolationPath /t REG_SZ /d %MOVETO%inetpub\temp\appPools /f
 
REM Move logfile directories
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.traceFailedRequestsLogging.directory:"%MOVETO%inetpub\logs\FailedReqLogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"%MOVETO%inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"%MOVETO%inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"%MOVETO%inetpub\logs\logfiles"
 
REM Move config history location, temporary files, the path for the Default Web Site and the custom error locations
%windir%\system32\inetsrv\appcmd set config -section:system.applicationhost/configHistory -path:%MOVETO%inetpub\history
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/asp -cache.disktemplateCacheDirectory:"%MOVETO%inetpub\temp\ASP Compiled Templates"
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/httpCompression -directory:"%MOVETO%inetpub\temp\IIS Temporary Compressed Files"
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:%MOVETO%inetpub\wwwroot
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='401'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='403'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='404'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='405'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='406'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='412'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='500'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='501'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='502'].prefixLanguageFilePath:%MOVETO%inetpub\custerr
 
REM Make sure Service Pack and Hotfix Installers know where the IIS root directories are
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d %MOVETO%inetpub\wwwroot /f
reg add HKLM\Software\Microsoft\inetstp /v PathFTPRoot /t REG_SZ /d %MOVETO%inetpub\ftproot /f
REM Do the same for x64 directories
if not "%ProgramFiles(x86)%" == "" reg add HKLM\Software\Wow6432Node\Microsoft\inetstp /v PathWWWRoot /t REG_EXPAND_SZ /d %MOVETO%inetpub\wwwroot /f 
if not "%ProgramFiles(x86)%" == "" reg add HKLM\Software\Wow6432Node\Microsoft\inetstp /v PathFTPRoot /t REG_EXPAND_SZ /d %MOVETO%inetpub\ftproot /f
 
REM Restart all IIS services
iisreset /start
echo.
echo.
echo ===============================================================================
echo Moved IIS7 root directory from %systemdrive%\ to %MOVETO%.
echo.
echo Please verify if the move worked. If so you can delete the %systemdrive%\inetpub directory.
echo If something went wrong you can restore the old settings via 
echo     "APPCMD restore backup beforeRootMove" 
echo and 
echo     "REG delete HKLM\System\CurrentControlSet\Services\WAS\Parameters\ConfigIsolationPath"
echo You also have to reset the PathWWWRoot and PathFTPRoot registry values
echo in HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp.
echo ===============================================================================
echo.
echo.
endlocal
goto success
 
REM error message if no argument or drive does not exist
:err
echo. 
echo New root drive letter required. 
echo Here an example how to move the IIS root to the F:\ drive:
echo. 
echo MOVEIISROOT.BAT F
echo.
echo. 
 
:success

Source: http://blogs.iis.net/thomad/archive/2008/02/10/moving-the-iis7-inetpub-directory-to-a-different-drive.aspx

7Dec/120

APPV – Registry from Sequenced Application

Posted by Dark#Basics

Sometimes you will need to access the registry of an application. But what if the application is virtualized and sequenced? Well, the solution is to spawn a command prompt inside the package's virtual environment using sfttray; the registry you then see from that prompt is the one the sequenced application sees:

Sfttray.exe  /exe cmd.exe "APPNAME"
1Dec/120

WIN2012 – Microsoft Office

Posted by Dark#Basics

We had some issues on our Windows Server 2012 running RDS with both Office 2007 and Office 2010 installed.

Every time you alternate between one Word version and the other, you get an error message saying "An error occurred and this feature is no longer functioning properly. Please run Setup and select Repair to restore this application", although the application runs fine without any issues.

If this first happens with Word 2007 and you repair Office 2007, launching Word 2007 again works fine. But if you then open Word 2010, the same error pops up. If you repair Office 2010 and launch Word 2010, all is fine. But then if you open Word 2007, the same issue comes up.

Launching Word with the /s switch works, but after disabling all add-ins and global templates the issue remains.

After contacting Microsoft it seems it is an issue that 'sometimes' happens with Office installations on RDS servers. A registry fix is available for this issue at support.microsoft.com/kb/2121447: setting NoReReg stops each Word version from re-registering itself (and demanding a repair) every time the other version was the last one run.

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options]
"NoReReg"=dword:00000001
 
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"NoReReg"=dword:00000001
8Nov/120

Artificial Intelligence

Posted by Ollie

As all our forum members who read the introductions thread know, I am currently studying Artificial Intelligence (AI) at university... what some of you might not know is what it is. (If you are not one of those people you may find this article a waste of time to read, or still of interest... If the former, please wait until I publish something more interesting.)

What is machine intelligence?
So when I tell people I study AI, the number one response I have gotten is "is that aliens?" and the answer is NO. For this reason I've decided first to define it.

Artificial intelligence is the field devoted to making "computers" (a computer can be any digital system) learn. It seems intuitive, however a lot of people do not quite make the link in their mind. How some people think artificial means "aliens" I am not sure, as artificial by definition means man made, not of nature. Aliens are not man made!

What kind of things do you do?
Well, here I should make a distinction between Artificial Intelligence and Machine Intelligence, as they are often bundled together and I may well end up posting about both.

  • Artificial Intelligence: This is the study of replicating the cognitive process via digital means to create a system that learns - Mainly when I post about this it will be in relation to Neural Networks which are a collection of programmed "brain cells" (neurons).
  • Machine Intelligence: This is the study of creating intelligent robotic systems, but not necessarily using artificial means (a lot of the time artificial means are used, though). An example of an intelligent machine that does not use artificial means of intelligence is a biologically intelligent robot. At the University of Reading, we use rat brains to control robots. All the inputs and outputs given to and from these brains are digital information directly from or to the robot, however the learning is done via biological means (the brain grows and the neurons develop over time, learning tasks that it repeats during infancy).

Currently my studies are in Artificial Intelligence in the form of Neural Networks and I will post more about these soon, but the premise of a neural network is that a collection of programmed "neuron" cells are used to learn and solve tasks. There are many ways to achieve this and I will only post about a few.

What can artificial intelligence be used for?
Systems that implement AI in its many forms have endless numbers of uses. For example, Neural Networks are used in weather forecasting, handwriting recognition, voice pattern recognition and data analysis. CERN uses neural networks to categorise collision events and only saves those which the network suggests are "interesting". This still produces terabytes of data, however it is far more manageable than if they were to store all collision data generated in the detectors.

Other types of AI can be used in production lines, ranging from basic repeated-task code to control robotic construction arms, to quality control testing (here if the output is 1 the item is good, otherwise it has failed). AI has even made its way into day to day life, with services such as Siri or Google's voice search.

What are the big questions in the field of Artificial Intelligence?
Perhaps more interesting sometimes than the material itself is the "big" questions in the field of AI. These are very philosophical and ethical questions that researchers in the field must be aware of and sometimes try to solve. I will go through a few of them...

Are machines really intelligent?

This is a question that a lot of people ask: is there such a thing as Artificial Intelligence? The answer not only depends on your definition of intelligence, but on how you actually interpret the question. For example, some would say anything that possesses the ability to learn is intelligent; as such, neural networks are intelligent. Others do not agree! Alan Turing attempted to answer this question himself back in the early days of computer development. Turing noted that intelligence comes in different forms, and that programming a computer to play chess at a high level was a trivial task... it does not show intelligence, simply computation. For Turing the test of intelligence was "Can machines think?" or rather, as he later phrased it, "can machines do what we do?" As mental and physical activities are not entirely separate issues, Turing developed what he referred to as the "imitation game" (you can look this up yourself). This was later developed into what is now known as the Turing test and has been considered the true test of intelligence for many years. Turing predicted that computers would beat this test by the year 2000. The latest estimates put the date at 2029.

Because of Alan Turing's definition of what artificial intelligence should be, lesser levels of intelligence are generally ignored. Being able to predict the weather with 99% accuracy using a neural network is not considered a great achievement, nor the act of an intelligent system, even though it is. The human-centred approach to intelligence still very much drives research in artificial intelligence forward, and the Turing test is still the standard test any "intelligent" system should pass.

Should human brain-cells be allowed to be used to create intelligent systems?

This is an issue that is very much under discussion at the moment. Because humans believe our brain to be unique, and because human nature is biased toward our own species, human brain cells cause a rather large discussion, unlike when other animals' brain cells are used in experiments. Should we be allowed to grow brains from human brain cells if they are simply going to be used to control a robot? This is a hard question to answer affirmatively without upsetting religious and ethical groups, for the sanctity of life is important, and unless we know for sure that a grown human brain will not be self-aware, using it this way could be considered cruel. On the other hand, if we do not know whether the brain is sentient and we assume that it is not, growing a human brain and using it to control systems gives an unprecedented opportunity to study the development and workings of the brain. Not only does this research further the advancement of artificially intelligent systems, but it can also be used for medical purposes. If we know what causes issues with the brain, we may get a better understanding of how to solve them.

If a machine is considered intelligent should it be granted the same rights as a human?

This question is often ignored, as computers are seen very much as the "work horse" of the 21st century. However, if an artificially intelligent system were developed that could pass the Turing test, would that be enough to consider it as having equal status to humans? The answer is hard to predict, as this stage of intelligence has yet to be achieved; however, once it is, what will happen to the system that has been created? Judging by human history, the likelihood is that an artificial intelligence will be a slave to humanity until the general public can be convinced that it is equal.

Should the military use artificial intelligence in drones?

This is a question I have very strong views on. The military are currently developing AI systems to pilot and control drones. These automated systems can perform a variety of tasks, from providing visual surveillance of an area to firing rockets in more modern versions. To me this is not acceptable. Relating this to the former question on artificial intelligence rights, military use of AI will give such systems a bad reputation, as any "misfires" due to mistakes made by artificial systems will cast negative views in the public eye. However, these systems should not be put in this position of control and responsibility in the first place; if people want to kill each other that is fine, but please leave our computers out of it, they should never be made to take a side.

This is the end of the philosophical debates; I shall not be commenting on them further. If I do, they will have their own post and will have gained enough relevance to deserve talking about! Keep an eye out for the next article on neural networks!

7Nov/120

AD – Active Directory, What is it?

Posted by Dark#Basics


What is it?

Active Directory enables administrators to enforce policies and settings in a company network. You can think of AD as a catalogue or a book that holds all the information regarding users, computers, resources, etc., but also the settings for the company domain. It makes it possible to grant access and set permissions based on the information stored in that catalogue, using methods such as security groups.

The most important role of Active Directory is providing the authentication information for users, computers and the resources that are part of the network.

Forests and Domains

When installing Active Directory for the first time you need to think about Domains and Forests. A forest is a security boundary. Objects in separate forests are not able to interact with each other unless the administrators of each separate forest create a trust between them. For example, an Enterprise Administrator account for domain1.com, which is normally the most privileged account of a forest, will have no permissions at all in a second forest named domain2.com, even if those forests exist within the same LAN, unless there is a trust in place.

A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones), you will only find a single domain in a single forest. The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.com, then that is the forest root domain. If you have a business need for a child domain, for example a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.domain1.com. You can see that the child domain's name was prepended to the forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that's a whole separate can of worms for a different time.

In most cases, you'll want to try and do everything possible to have a single AD domain. It simplifies management, and modern versions of AD make it very easy to delegate control based on OU, which lessens the need for child domains.

Domain Names

I can name my domain whatever I want, right? Not really. dcpromo.exe, the tool that handles the promotion of a server to a DC, isn't idiot-proof. It does let you make bad decisions with your naming, so pay attention to this section if you are unsure.

First of all, don't use made-up TLDs like .local, .lan, .corp, or any of that other crap. Those TLDs are not reserved. ICANN is selling TLDs now, so the mycompany.corp that you're using today could actually belong to someone tomorrow. If you own mycompany.com, then the smart thing to do is use something like internal.mycompany.com or ad.mycompany.com for your internal AD name. If you use mycompany.com as an externally resolvable website, you should avoid using that as your internal AD name as well, since you'll end up with a split-brain DNS.

FSMO Roles

When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination are sent to the DC for both the user account and the computer account that are logging in. Yes, the computer logs in too. This is important, because if something happens to the computer account in AD, like someone resetting or deleting the account, you may get an error that says a trust relationship doesn't exist between the computer and the domain. Even though your network credentials are fine, the computer is no longer trusted to log into the domain.

A server that responds to authentication or authorization requests is a Domain Controller (DC). In most cases, a Domain Controller will hold a copy of the Global Catalog. A Global Catalog (GC) is a partial set of objects in all domains in a forest. It is directly searchable, which means that cross-domain queries can usually be performed on a GC without needing a referral to a DC in the target domain. If a DC is queried on port 3268 (3269 if using SSL), then the GC is being queried. If port 389 (636 if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral.

In general there are five functions that are needed to provide a fully functional Active Directory. The five roles and their functions are:

  • Domain Naming Master - There is only one Domain Naming Master per forest. The Domain Naming Master makes sure that when a new domain is added to a forest that it is unique. If the server holding this role is offline, you won't be able to make changes to the AD namespace, which includes things like adding new child domains.
  • Schema Master - There is only one Schema Operations Master in a forest. It is responsible for updating the Active Directory Schema. Tasks that require this, such as preparing AD for a new version of Windows Server functioning as a DC or the installation of Exchange, require Schema modifications. These modifications must be done from the Schema Master.
  • Infrastructure Master - There is one Infrastructure Master per domain. If you only have a single domain in your forest, you don't really need to worry about it. If you have multiple forests, then you should make sure that this role is not held by a server that is also a GC holder. The infrastructure master is responsible for making sure that cross-domain references are handled properly. If a user in one domain is added to a group in another domain, the infrastructure master for the domains in question makes sure that it is handled properly. This role will not function correctly if it is on a global catalog.
  • RID Master - The Relative ID Master (RID Master) is responsible for issuing RID pools to DCs. There is one RID master per domain. Any object in an AD domain has a unique Security Identifier (SID). This is made up of a combination of the domain identifier and a relative identifier. Every object in a given domain has the same domain identifier, so the relative identifier is what makes objects unique. Each DC has a pool of relative IDs to use, so when that DC creates a new object, it appends a RID that it hasn't used yet. Since DCs are issued non-overlapping pools, each RID should remain unique for the duration of the life of the domain. When a DC gets to ~100 RIDs left in its pool, it requests a new pool from the RID master. If the RID master is offline for an extended period of time, object creation may fail.
  • PDC Emulator - Finally, we get to the most widely misunderstood role of them all, the PDC Emulator role. There is one PDC Emulator per domain. If there is a failed authentication attempt, it is forwarded to the PDC Emulator. The PDC Emulator functions as the "tie-breaker" if a password was updated on one DC and hasn't yet replicated to the others. The PDC Emulator is also the server that controls time sync across the domain. All other DCs sync their time from the PDC Emulator. All clients sync their time from the DC that they logged in to. It's important that everything remain within 5 minutes of each other, otherwise Kerberos breaks and when that happens, everyone cries.
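As an added illustration (not code from the original post), the following Python models how a SID is composed from the domain identifier plus a RID, and how non-overlapping RID pools issued by the RID Master keep SIDs unique across DCs, including what happens when the RID Master stays offline. The pool size, the 100-RID refill threshold and the domain SIDs are assumptions constructed for the example.

```python
class RidMaster:
    """One per domain: hands out RID pools that never overlap."""
    def __init__(self, first_rid: int = 1000, pool_size: int = 500):
        self.next_rid, self.pool_size, self.online = first_rid, pool_size, True

    def issue_pool(self) -> list[int]:
        if not self.online:
            raise RuntimeError("RID Master offline: cannot issue a new pool")
        pool = list(range(self.next_rid, self.next_rid + self.pool_size))
        self.next_rid += self.pool_size  # next requester gets a disjoint range
        return pool

class DomainController:
    """Creates objects from its pool; requests the next pool at ~100 RIDs left."""
    REFILL_THRESHOLD = 100  # the post says "~100"; exact value is an assumption here
    def __init__(self, name: str, domain_sid: str, rid_master: RidMaster):
        self.name, self.domain_sid, self.rid_master = name, domain_sid, rid_master
        self.pool, self.standby = rid_master.issue_pool(), []  # active / pre-fetched

    def create_object(self) -> str:
        if len(self.pool) <= self.REFILL_THRESHOLD and not self.standby:
            try:
                self.standby = self.rid_master.issue_pool()
            except RuntimeError:
                pass  # master offline: keep consuming what is left
        if not self.pool:
            if not self.standby:
                raise RuntimeError(f"{self.name}: RID pool exhausted, creation fails")
            self.pool, self.standby = self.standby, []
        return f"{self.domain_sid}-{self.pool.pop(0)}"  # SID = domain identifier + RID

def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-<a>-<b>-<c>-<RID>' into (domain identifier, RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:7]), int(parts[7])

def creation_fails_when_master_down(pool_size: int = 120) -> bool:
    """A DC keeps working on its issued pool; creation fails only when it runs dry."""
    master = RidMaster(first_rid=1000, pool_size=pool_size)
    dc = DomainController("DC3", "S-1-5-21-1-2-3", master)  # constructed domain SID
    master.online = False  # outage begins before the DC hits the refill threshold
    for _ in range(pool_size):
        dc.create_object()
    try:
        dc.create_object()
        return False
    except RuntimeError:
        return True
```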

The important thing to remember is that the servers these roles run on are not set in stone. It's usually trivial to move these roles around, so while some DCs do slightly more than others, if they go down for short periods of time everything will usually function normally.

Primary and Secondary DCs

The concept of PDCs and BDCs died with Windows NT4. If you create a secondary DC it will also be capable of offering authentication services. It's best practice to have at least two DCs per domain. These DCs should both hold a copy of the GC and should both be DNS servers, so that the network resources (clients, computers, ...) are still able to query a DC.

DCs belonging to the same domain in the same site replicate their data to each other at a 15 second interval. Do note that there are urgent events that trigger replication as soon as the data has been changed, such as password resets and account lockouts.

How can clients find the domain?

Clients and other resources find the DCs by using DNS. It's the most critical role that needs to function properly to have a functioning AD. Do note that while it is possible to use any type of DNS service, it's best to stick with AD-integrated DNS zones to avoid DNS-related problems.

When adding a client to the domain, the first thing you always need to check is the DNS servers that client is using. Make sure it's using the in-house DNS servers, because when trying to add the client to the domain it will try to resolve the domain name to locate a domain controller.

Each FSMO role has an SRV DNS record that points the client to the correct DC.

  • _ldap._tcp.<DNSDomainName> - Enables a client to locate a W2K domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain domain1.com would query the DNS server for _ldap._tcp.domain1.com.
  • _ldap._tcp.<SiteName>._sites.<DNSDomainName> - Enables a client to find a W2K domain controller in the domain and site specified (e.g., _ldap._tcp.lab._sites.domain1.com for a domain controller in the Lab site).
  • _ldap._tcp.pdc._msdcs.<DNSDomainName> - Enables a client to find the PDC flexible single master object (FSMO) role holder of a mixed-mode domain. Only the PDC of the domain registers this record.
  • _ldap._tcp.gc._msdcs.<DNSTreeName> - Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. If a server ceases to be a GC server, the server will deregister the record.
  • _ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSTreeName> - Enables a client to find a GC server in the specified site (e.g., _ldap._tcp.lab._sites.gc._msdcs.domain1.com).
  • _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName> - Enables a client to find a domain controller in a domain based on the domain's globally unique ID. A GUID is a 128-bit (16-byte) number that is generated automatically for referencing Active Directory objects.
  • <DNSDomainName> - Enables a client to find a domain controller through a normal host (A) record.
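To make the locator records concrete, here is an added Python example (not from the original post or the Petri article it draws on) that builds the names listed above for a domain and site, parses SRV answers in dig/nslookup style, and flags records whose target is not one of your known DCs or whose port does not match the service (389 for LDAP, 3268 for the GC records). The domain1.com answers, the DC names and the stale olddc record are constructed sample data.

```python
from collections import namedtuple
Srv = namedtuple("Srv", "name priority weight port target")

def locator_names(domain: str, site: str = "", tree: str = "") -> dict[str, str]:
    """Build the SRV/host names from the list above for a domain and (optionally) a site."""
    tree = tree or domain  # in a single-domain forest the tree name equals the domain name
    names = {"dc": f"_ldap._tcp.{domain}",
             "pdc": f"_ldap._tcp.pdc._msdcs.{domain}",
             "gc": f"_ldap._tcp.gc._msdcs.{tree}",
             "host": domain}
    if site:
        names["dc_site"] = f"_ldap._tcp.{site}._sites.{domain}"
        names["gc_site"] = f"_ldap._tcp.{site}._sites.gc._msdcs.{tree}"
    return names

def parse_srv(text: str) -> list[Srv]:
    """Parse 'name [ttl] [IN] SRV priority weight port target.' answer lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if "SRV" in f and len(f) >= f.index("SRV") + 5:
            i = f.index("SRV")
            records.append(Srv(f[0].lower().rstrip("."), int(f[i + 1]), int(f[i + 2]),
                               int(f[i + 3]), f[i + 4].lower().rstrip(".")))
    return records

def audit(records: list[Srv], known_dcs: list[str]) -> list[str]:
    """Flag targets that are not known DCs, and ports that do not fit the record (389 LDAP, 3268 GC)."""
    known = {d.lower().rstrip(".") for d in known_dcs}
    findings = []
    for r in records:
        want = 3268 if "gc._msdcs." in r.name else 389
        if r.port != want:
            findings.append(f"{r.name}: port {r.port}, expected {want}")
        if r.target not in known:
            findings.append(f"{r.name}: unexpected target {r.target}")
    return findings

def pick_dc(records: list[Srv]) -> str:
    """Client-side choice per RFC 2782: lowest priority, then highest weight (no randomisation here)."""
    return min(records, key=lambda r: (r.priority, -r.weight)).target

# Constructed answers for domain1.com; olddc is a stale record left by a decommissioned DC.
SAMPLE_ANSWERS = """\
_ldap._tcp.domain1.com 600 IN SRV 0 100 389 dc1.domain1.com.
_ldap._tcp.domain1.com 600 IN SRV 0 100 389 dc2.domain1.com.
_ldap._tcp.pdc._msdcs.domain1.com 600 IN SRV 0 100 389 dc1.domain1.com.
_ldap._tcp.gc._msdcs.domain1.com 600 IN SRV 0 100 3268 dc1.domain1.com.
_ldap._tcp.lab._sites.domain1.com 600 IN SRV 0 100 389 olddc.domain1.com.
"""
```

Running audit() against the output of your own resolver shows the stale olddc registration, which clients in the Lab site would otherwise keep trying before falling back to the domain-wide record.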

Installation and backup of Active Directory

More information regarding the installation of Active Directory can be found at darkdevelopments.org/2011/08/30/win2008-install-active-directory/. Regarding the backup procedure for Active Directory, more information can be found at darkdevelopments.org/2011/07/18/db-backuprecovery-notes-part1-active-directory-2/

[1] serverfault.com/questions/402580/what-is-active-directory-and-how-does-it-work
[2] www.petri.co.il/active_directory_srv_records.htm