It does not matter how slowly you go, as long as you do not stop.


Tuesday, 7 April 2015

DFIR Challenge Part 1

Difficulty: Easy
Evidence: SWT-syslog_messages
Question: At what time (UTC, including year) did the portscanning activity from IP address 123.150.207.231 start?

In the first challenge, participants are asked to find when the port-scanning activity from IP 123.150.207.231 began. The evidence provided is the log file SWT-syslog_messages. Search for that source IP either manually or with grep. I used an ordinary text editor and found the following entries.

Aug 29 09:51:51 gw named[1004]: validating @0x7fa168551830: choices.truste.com A: no valid signature found
Aug 29 09:55:00 gw nfcapd[1213]: Ident: 'localhost' Flows: 7980, Packets: 36506, Bytes: 19442138, Sequence Errors: 0, Bad Packets: 0
Aug 29 09:55:00 gw nfcapd[1213]: Total ignored packets: 0
Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35517 PROTO=TCP SPT=38553 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0 
Aug 29 09:58:56 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=45569 PROTO=TCP SPT=38553 DPT=587 WINDOW=1024 RES=0x00 SYN URGP=0 
Aug 29 09:58:56 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=26 ID=46106 PROTO=TCP SPT=38553 DPT=53 WINDOW=1024 RES=0x00 SYN URGP=0 

From the highlighted entries (the FW reject_input lines above), the port-scanning activity begins at Aug 29 09:58:55. To tell a port scan from ordinary traffic, look at the destination port (DPT): it changes from one packet to the next while the source stays the same, so these log lines show port scanning. Back to the question: the time asked for is in UTC, so we need other evidence to show whether the syslog timestamps are already in UTC or not.

Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428)

From the log line above, the clock was set to 2013-08-29 11:07:08 UTC, which differs by 4 hours from the syslog timestamp Aug 29 07:07:40. The syslog time zone is therefore UTC-4.

So the first port-scanning event from IP 123.150.207.231 occurred at 9:58 + 4 hours = 13:58 UTC, hence:

Answer: 29 Aug 2013 13:58:55 UTC
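The two steps above, spotting the scan by the changing DPT values and shifting the syslog timestamps to UTC using the rtc_cmos line, can be scripted so the same check runs over a full log file. The following Python script is an added example, not code from the original write-up. It embeds the quoted log lines as constructed sample input; the scan heuristic (at least three distinct destination ports from one source within 60 seconds) and the rounding of the clock offset to the nearest 15 minutes are assumptions of this example, not something the challenge specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: the syslog lines quoted in the write-up, including
# the rtc_cmos line that reveals how far the syslog clock is from UTC.
SAMPLE_LOG = """\
Aug 29 07:07:40 gw kernel: rtc_cmos rtc_cmos: setting system clock to 2013-08-29 11:07:08 UTC (1377774428)
Aug 29 09:51:51 gw named[1004]: validating @0x7fa168551830: choices.truste.com A: no valid signature found
Aug 29 09:58:55 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=35517 PROTO=TCP SPT=38553 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 29 09:58:56 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=45569 PROTO=TCP SPT=38553 DPT=587 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 29 09:58:56 gw kernel: FW reject_input: IN=eth0 OUT= MAC=08:00:27:53:38:ee:08:00:27:1c:21:2b:08:00 SRC=123.150.207.231 DST=98.252.16.36 LEN=44 TOS=0x00 PREC=0x00 TTL=26 ID=46106 PROTO=TCP SPT=38553 DPT=53 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Classic syslog prefix "Mon DD HH:MM:SS" (no year, local wall-clock time).
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
RTC_LINE = re.compile(r"setting system clock to (?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC")
FW_LINE = re.compile(r"FW reject_input: .*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=(?P<dpt>\d+)\b")


def local_timestamp(line, year):
    """Parse the syslog prefix as a naive local datetime; the year is supplied
    by the caller because the prefix does not carry one."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def utc_offset_from_rtc(lines):
    """Return (year, offset) from the kernel's 'setting system clock to ... UTC' line.

    The prefix is the local time at which the line was logged; the body is the
    true UTC time the clock was set to. Their difference is the local time-zone
    offset. It is rounded to 15 minutes (an assumption of this example) because
    the line is logged a few seconds after the clock is actually set.
    """
    for line in lines:
        m = RTC_LINE.search(line)
        if not m:
            continue
        utc = datetime.strptime(m["utc"], "%Y-%m-%d %H:%M:%S")
        local = local_timestamp(line, utc.year)
        raw_seconds = (utc - local).total_seconds()
        quarter_hours = round(raw_seconds / 900)
        return utc.year, timedelta(seconds=quarter_hours * 900)
    raise ValueError("no rtc_cmos clock-setting line found; cannot determine UTC offset")


def firewall_events(lines, year):
    """Group every FW reject_input line as {src: [(local_time, dest_port), ...]}."""
    events = defaultdict(list)
    for line in lines:
        m = FW_LINE.search(line)
        if not m:
            continue
        events[m["src"]].append((local_timestamp(line, year), int(m["dpt"])))
    return events


def portscan_start(events, min_ports=3, window=timedelta(seconds=60)):
    """Local time of the first event that opens a window containing at least
    min_ports distinct destination ports, or None if the source never does.
    The threshold and window are heuristic choices of this example."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        ports = {dpt for t, dpt in events[i:] if t - t0 <= window}
        if len(ports) >= min_ports:
            return t0
    return None


def answer(log_text, src):
    """Scan start for one source address, corrected to UTC and formatted like the write-up."""
    lines = log_text.splitlines()
    year, offset = utc_offset_from_rtc(lines)
    start_local = portscan_start(firewall_events(lines, year)[src])
    if start_local is None:
        return None
    start_utc = (start_local + offset).replace(tzinfo=timezone.utc)
    return start_utc.strftime("%d %b %Y %H:%M:%S UTC")


if __name__ == "__main__":
    print(answer(SAMPLE_LOG, "123.150.207.231"))
```

On a real SWT-syslog_messages file, read the file into `log_text` and call `answer()` with the source address of interest; for sources that never open a multi-port window the function returns `None`, which keeps one-off rejected connections from being reported as scans.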