>>>> rule: ptrace <<<<< Preliminary report (what the correlated sequence ptrace_attach -> exec_modprobe -> ptrace_syscall -> ptrace_getregs -> ptrace_poketext -> ptrace_detach shows: the unprivileged process "ptrace-kmod", uid 500 pid 1605, PTRACE_ATTACHes at t=.852105 to its own child pid 1606, which at t=.914858 execve()s "/sbin/modprobe -s -k -- net-pf-14" with euid 0 — the mixed ruid 0 / rgid 500 credentials on that execve are the tell-tale of a kernel-spawned module-loader helper still carrying the caller's group; the tracer then single-steps it with PTRACE_SYSCALL, reads its registers and PTRACE_POKETEXTs the word 0x1feb9090 at 0x4000ed4d — on little-endian i386, which the syscall numbers here suggest, that is nop; nop; jmp short — into the now root-credentialed process before detaching): ***** state: init ***** env[0]: ($attack_pid) nil env[1]: ($target_pid) nil env[2]: ($attacker_uid) nil no event. ***** state: ptrace_attach ***** current_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 current_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 current_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80ac588 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 49 | rawsnare.ptrace_data | (KEEP|UNKNOWN) ptr32 : (nil) 48 | rawsnare.ptrace_addr | (KEEP|UNKNOWN) ptr32 : (nil) 47 | rawsnare.ptrace_pid | (KEEP|UNKNOWN) int : 1606 46 | rawsnare.ptrace_req | (KEEP|UNKNOWN) vstr[18] : "(16) PTRACE_ATTACH" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[11] : "ptrace-kmod" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1605 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 500 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 500 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 500 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 10 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.852105) = Fri Feb 13 16:23:45 2004 (+852105 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[76] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.852732) = Fri Feb 13 16:23:45 2004 (+852732 us) -----+--------------------------+--------------------------------- ***** state: exec_modprobe ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80acf40 ]------------------ fid | attribute | 
value -----+--------------------------+--------------------------------- 32 | rawsnare.cmdline | (KEEP|UNKNOWN) vstr[33] : "/sbin/modprobe -s -k -- net-pf-14" 29 | rawsnare.path | (KEEP|UNKNOWN) vstr[14] : "/sbin/modprobe" 28 | rawsnare.workdir | (KEEP|UNKNOWN) vstr[1] : "/" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[11] : "ptrace-kmod" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1605 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1606 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 0 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 0 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 0 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[15] : "(11) SYS_execve" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 3 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.914858) = Fri Feb 13 16:23:45 2004 (+914858 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[1596] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.916079) = Fri Feb 13 16:23:45 2004 (+916079 us) -----+--------------------------+--------------------------------- ***** state: ptrace_syscall ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80ad290 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 49 | rawsnare.ptrace_data | (KEEP|UNKNOWN) ptr32 : (nil) 48 | rawsnare.ptrace_addr | (KEEP|UNKNOWN) ptr32 : (nil) 47 | rawsnare.ptrace_pid | (KEEP|UNKNOWN) int : 1606 46 | rawsnare.ptrace_req | (KEEP|UNKNOWN) vstr[19] : "(24) PTRACE_SYSCALL" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[11] : "ptrace-kmod" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | 
rawsnare.pid | (KEEP|UNKNOWN) int : 1605 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 500 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 500 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 500 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 10 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.915361) = Fri Feb 13 16:23:45 2004 (+915361 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[76] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.916122) = Fri Feb 13 16:23:45 2004 (+916122 us) -----+--------------------------+--------------------------------- ***** state: ptrace_getregs ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80ad600 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 49 | rawsnare.ptrace_data | (KEEP|UNKNOWN) ptr32 : 0xbffff6c4 48 | rawsnare.ptrace_addr | (KEEP|UNKNOWN) ptr32 : (nil) 47 | rawsnare.ptrace_pid | (KEEP|UNKNOWN) int : 1606 46 | rawsnare.ptrace_req | (KEEP|UNKNOWN) vstr[19] : "(12) PTRACE_GETREGS" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[11] : "ptrace-kmod" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1605 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 500 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 500 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 500 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 10 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.915715) = Fri Feb 13 16:23:45 2004 (+915715 us) 
9 | udp.msg | (KEEP|UNKNOWN) bstr[76] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.916319) = Fri Feb 13 16:23:45 2004 (+916319 us) -----+--------------------------+--------------------------------- ***** state: ptrace_poketext ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80ad950 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 49 | rawsnare.ptrace_data | (KEEP|UNKNOWN) ptr32 : 0x1feb9090 48 | rawsnare.ptrace_addr | (KEEP|UNKNOWN) ptr32 : 0x4000ed4d 47 | rawsnare.ptrace_pid | (KEEP|UNKNOWN) int : 1606 46 | rawsnare.ptrace_req | (KEEP|UNKNOWN) vstr[19] : "(4) PTRACE_POKETEXT" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[11] : "ptrace-kmod" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1605 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 500 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 500 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 500 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 10 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.916160) = Fri Feb 13 16:23:45 2004 (+916160 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[76] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.916693) = Fri Feb 13 16:23:45 2004 (+916693 us) -----+--------------------------+--------------------------------- ***** state: ptrace_detach ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 
inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80b2de0 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 49 | rawsnare.ptrace_data | (KEEP|UNKNOWN) ptr32 : (nil) 48 | rawsnare.ptrace_addr | (KEEP|UNKNOWN) ptr32 : (nil) 47 | rawsnare.ptrace_pid | (KEEP|UNKNOWN) int : 1606 46 | rawsnare.ptrace_req | (KEEP|UNKNOWN) vstr[18] : "(17) PTRACE_DETACH" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[11] : "ptrace-kmod" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1605 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 500 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 500 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 500 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 10 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.921663) = Fri Feb 13 16:23:45 2004 (+921663 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[76] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.922316) = Fri Feb 13 16:23:45 2004 (+922316 us) -----+--------------------------+--------------------------------- Complementary report (post-exploitation activity of the same pid 1606, now named "modprobe" and running with euid 0: it chown()s the exploit binary /local/home/user/ptrace-exploit-kit/ptrace-kmod to owner_uid 0 / owner_gid 0 and then chmod()s it with createmode 3565 — decimal 3565 is octal 06755, i.e. setuid+setgid root with mode 755, assuming that field carries the requested mode — before exiting; if this trace is genuine the result is a persistent root-setuid binary left on disk, so incident response should verify that path's ownership and mode and remove it, not just kill the tracer): ***** state: audit_loop ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80b4f80 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 41 | rawsnare.owner_gid | (KEEP|UNKNOWN) int : 0 40 | rawsnare.owner_uid | (KEEP|UNKNOWN) int : 0 29 | rawsnare.path | (KEEP|UNKNOWN) vstr[47] : 
"/local/home/user/ptrace-exploit-kit/ptrace-kmod" 28 | rawsnare.workdir | (KEEP|UNKNOWN) vstr[1] : "/" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[8] : "modprobe" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1606 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 0 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 0 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 0 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[15] : "(182) SYS_chown" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 6 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.921948) = Fri Feb 13 16:23:45 2004 (+921948 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[1092] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.929664) = Fri Feb 13 16:23:45 2004 (+929664 us) -----+--------------------------+--------------------------------- ***** state: audit_loop ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80b5690 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 31 | rawsnare.createmode | (KEEP|UNKNOWN) int : 3565 30 | rawsnare.mode | (KEEP|UNKNOWN) int : 0 29 | rawsnare.path | (KEEP|UNKNOWN) vstr[47] : "/local/home/user/ptrace-exploit-kit/ptrace-kmod" 28 | rawsnare.workdir | (KEEP|UNKNOWN) vstr[1] : "/" 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[8] : "modprobe" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1606 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 0 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 0 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | 
rawsnare.ruid | (KEEP|UNKNOWN) int : 0 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[14] : "(15) SYS_chmod" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 1 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.922228) = Fri Feb 13 16:23:45 2004 (+922228 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[1092] 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.929700) = Fri Feb 13 16:23:45 2004 (+929700 us) -----+--------------------------+--------------------------------- ***** state: make_report ***** inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1605 inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1606 inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500 -------------------------[ event id: 0x80b5918 ]------------------ fid | attribute | value -----+--------------------------+--------------------------------- 27 | rawsnare.retcode | (KEEP|UNKNOWN) int : 0 26 | rawsnare.procname | (KEEP|UNKNOWN) vstr[8] : "modprobe" 25 | rawsnare.ppid | (KEEP|UNKNOWN) int : 1604 24 | rawsnare.pid | (KEEP|UNKNOWN) int : 1606 23 | rawsnare.egid | (KEEP|UNKNOWN) int : 0 22 | rawsnare.euid | (KEEP|UNKNOWN) int : 0 21 | rawsnare.rgid | (KEEP|UNKNOWN) int : 500 20 | rawsnare.ruid | (KEEP|UNKNOWN) int : 0 19 | rawsnare.syscall | (KEEP|UNKNOWN) vstr[12] : "(1) SYS_exit" 18 | rawsnare.class | (KEEP|UNKNOWN) int : 2 17 | rawsnare.time | (KEEP|MONO) timeval : (1076685825.922482) = Fri Feb 13 16:23:45 2004 (+922482 us) 9 | udp.msg | (KEEP|UNKNOWN) bstr[60] : "..........,@r.......................F...D...modprobe........" 8 | udp.dst_port | (KEEP|UNKNOWN) int : 6262 5 | udp.src_addr | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net) 4 | udp.time | (KEEP|MONO) timeval : (1076685825.929725) = Fri Feb 13 16:23:45 2004 (+929725 us) -----+--------------------------+---------------------------------