Event Sequencer

Date & Time	Source	Event & Note
Aug 10, 2003 13:33:19	`//dev/ttyof`	[A-Time]/bin/ls config file
Aug 10, 2003 13:33:19	`//usr/lib/libsss`	[A-Time]blank file
Aug 10, 2003 13:33:19	`//dev/ttyop`	[A-Time]config file for /usr/bin/top
Aug 10, 2003 13:33:19	`//usr/bin/sl2`	[A-Time]Port scanner
Aug 10, 2003 13:33:19	`//usr/bin/sense`	[A-Time]sniffer sorter script
Aug 10, 2003 13:33:19	`//bin/ls`	[A-Time]Trojan file
Aug 10, 2003 13:33:33	`//bin/pico`	[A-Time]A pico editor
Aug 10, 2003 13:33:33	`//usr/include/icepid.h`	[A-Time]PID file for SSH server
Aug 10, 2003 13:33:33	`//usr/bin/crontabs`	[C-Time]Calls smbd -D
Aug 10, 2003 13:33:33	`//usr/include/iceconf.h`	[C-Time]Config file for /usr/include SSH server
Aug 10, 2003 13:33:33	`//usr/include/icepid.h`	[C-Time]PID file for SSH server
Aug 10, 2003 13:33:33	`//usr/bin/sl2`	[C-Time]Port scanner
Aug 10, 2003 13:33:33	`//usr/bin/smbd -D`	[C-Time]SSH server that was running with password logger
Aug 10, 2003 13:33:33	`//etc/rc.d/init.d/functions`	[C-Time]Startup script that executes crontabs
Aug 10, 2003 13:33:33	`//usr/include/icepid.h`	[M-Time]PID file for SSH server
Aug 10, 2003 13:33:33	`//etc/rc.d/init.d/functions`	[M-Time]Startup script that executes crontabs
Aug 10, 2003 13:33:35	`//usr/bin/(swapd)`	[A-Time]Network Sniffer - writes to libice.log
Aug 10, 2003 13:33:35	`//usr/lib/libsss`	[C-Time]blank file
Aug 10, 2003 13:33:35	`//usr/bin/(swapd)`	[C-Time]Network Sniffer - writes to libice.log
Aug 10, 2003 13:33:35	`//usr/bin/(swapd)`	[M-Time]Network Sniffer - writes to libice.log
Aug 10, 2003 13:33:36	`//usr/lib/libice.log`	[A-Time]network log file
Aug 10, 2003 13:33:52	`//dev/ttyoa`	[A-Time]Config file for /bin/netstat
Aug 10, 2003 13:33:52	`//bin/netstat`	[A-Time]Trojan file
Aug 10, 2003 13:33:57	`//dev/ttyof`	[C-Time]/bin/ls config file
Aug 10, 2003 13:33:57	`//bin/pico`	[C-Time]A pico editor
Aug 10, 2003 13:33:57	`//dev/ttyoa`	[C-Time]Config file for /bin/netstat
Aug 10, 2003 13:33:57	`//dev/ttyop`	[C-Time]config file for /usr/bin/top
Aug 10, 2003 13:33:57	`//usr/bin/sense`	[C-Time]sniffer sorter script
Aug 10, 2003 13:33:57	`//bin/netstat`	[C-Time]Trojan file
Aug 10, 2003 13:33:57	`//bin/ls`	[C-Time]Trojan file
Aug 10, 2003 15:30:21	`//usr/lib/sp0`	[A-Time]SSH server
Aug 10, 2003 15:30:52	`//usr/lib/adore.o`	[A-Time]Adore Rootkit module
Aug 10, 2003 15:30:52	`//usr/lib/adore.o`	[M-Time]Adore Rootkit module
Aug 10, 2003 15:30:54	`//usr/lib/cleaner.o`	[A-Time]Adore rootkit file
Aug 10, 2003 15:30:54	`//usr/lib/cleaner.o`	[C-Time]Adore rootkit file
Aug 10, 2003 15:30:54	`//usr/lib/adore.o`	[C-Time]Adore Rootkit module
Aug 10, 2003 15:30:54	`//usr/lib/sp0`	[C-Time]SSH server
Aug 10, 2003 15:30:54	`//etc/rc.d/rc.sysinit`	[C-Time]Startup script where kflushd was added
Aug 10, 2003 15:30:54	`//usr/lib/cleaner.o`	[M-Time]Adore rootkit file
Aug 10, 2003 15:30:54	`//etc/rc.d/rc.sysinit`	[M-Time]Startup script where kflushd was added
Aug 10, 2003 15:31:51	`//lib/.x/.boot`	[A-Time]boot script for rootkit
Aug 10, 2003 15:31:51	`//lib/.x/hide`	[A-Time]script to hide processes with suckit
Aug 10, 2003 15:31:51	`//lib/.x/log`	[A-Time]SucKIT Client
Aug 10, 2003 15:32:15	`//lib/.x/inst`	[C-Time]Installs suckit
Aug 10, 2003 15:32:15	`//lib/.x/cl`	[C-Time]log cleaner
Aug 10, 2003 15:32:15	`//lib/.x/hide`	[C-Time]script to hide processes with suckit
Aug 10, 2003 15:32:15	`//lib/.x/s/lsn`	[C-Time]sniffer process
Aug 10, 2003 15:32:15	`//lib/.x/log`	[C-Time]SucKIT Client
Aug 10, 2003 15:32:16	`//lib/.x/inst`	[A-Time]Installs suckit
Aug 10, 2003 15:32:16	`//lib/.x/s/mfs`	[A-Time]lsn logs
Aug 10, 2003 15:32:16	`//lib/.x/s/lsn`	[A-Time]sniffer process
Aug 10, 2003 15:32:16	`//lib/.x/s/xopen`	[A-Time]SSHD that was running on port 3128.
Aug 10, 2003 15:32:16	`//lib/.x/s/xopen`	[C-Time]SSHD that was running on port 3128.
Aug 10, 2003 15:32:16	`//lib/.x/sk`	[C-Time]SucKIT
Aug 10, 2003 15:32:16	`//lib/.x/sk`	[M-Time]SucKIT
Aug 10, 2003 15:32:17	`//lib/.x/sk`	[A-Time]SucKIT
Aug 10, 2003 15:32:17	`//lib/.x/.boot`	[C-Time]boot script for rootkit
Aug 10, 2003 15:32:17	`//lib/.x/hide.log`	[C-Time]log for 'hide' program
Aug 10, 2003 15:32:17	`//lib/.x/install.log`	[C-Time]SucKIT logs
Aug 10, 2003 15:32:17	`//lib/.x/install.log`	[M-Time]SucKIT logs
Aug 10, 2003 15:32:33	`//lib/.x/install.log`	[A-Time]SucKIT logs
Aug 10, 2003 15:32:34	`//lib/.x/cl`	[A-Time]log cleaner
Aug 10, 2003 15:51:10	`//lib/.x/s/r_s`	[A-Time]Random seed for /lib/.x/s/xopen SSHD
Aug 10, 2003 15:52:00	`//root/sslstop/sslport`	[C-Time]changes SSL port
Aug 10, 2003 15:52:00	`//root/sslstop/sslstop`	[C-Time]stops SSL on apache
Aug 10, 2003 15:52:00	`//root/sslstop/sslport`	[M-Time]changes SSL port
Aug 10, 2003 15:52:00	`//root/sslstop/sslstop`	[M-Time]stops SSL on apache
Aug 10, 2003 15:52:23	`//root/sslstop/sslport`	[A-Time]changes SSL port
Aug 10, 2003 15:54:18	`//usr/bin/crontabs`	[A-Time]Calls smbd -D
Aug 10, 2003 15:54:18	`//usr/include/iceconf.h`	[A-Time]Config file for /usr/include SSH server
Aug 10, 2003 15:54:18	`//usr/bin/smbd -D`	[A-Time]SSH server that was running with password logger
Aug 10, 2003 15:54:18	`//etc/rc.d/init.d/functions`	[A-Time]Startup script that executes crontabs
Aug 10, 2003 15:54:18	`//root/sslstop/sslstop`	[A-Time]stops SSL on apache
Aug 10, 2003 16:02:46	`//etc/opt/psybnc/log/psybnc.log`	[A-Time]psybnc log
Aug 10, 2003 16:32:18	`//lib/.x/s/r_s`	[C-Time]Random seed for /lib/.x/s/xopen SSHD
Aug 10, 2003 16:32:18	`//lib/.x/s/r_s`	[M-Time]Random seed for /lib/.x/s/xopen SSHD
Aug 10, 2003 20:35:59	`//usr/lib/libice.log`	[C-Time]network log file
Aug 10, 2003 20:35:59	`//usr/lib/libice.log`	[M-Time]network log file
Aug 10, 2003 20:36:26	`//lib/.x/s/mfs`	[C-Time]lsn logs
Aug 10, 2003 20:36:26	`//lib/.x/s/mfs`	[M-Time]lsn logs
Aug 10, 2003 20:47:24	`//etc/opt/psybnc/log/psybnc.log`	[C-Time]psybnc log
Aug 10, 2003 20:47:24	`//etc/opt/psybnc/log/psybnc.log`	[M-Time]psybnc log