Our hacker inspects the website:


14:57:30.400652 CENSORED.10590 > 192.168.3.100.22: P 20866:20869(3) ack 3334 win 57920 <nop,nop,timestamp 13745030 362492472> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..7.e@.&.Æø?à.w
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  À¨.d)^..<:}ûå©.=
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..â@ÀÞ.......Ñ».
  0030: 159b 3238 6c73 0a                        ..28ls.

14:57:30.402117 192.168.3.100.22 > CENSORED.10590: P 3334:3365(31) ack 20869 win 17376 <nop,nop,timestamp 362492473 13745030> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..S..@.@..·À¨.d
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ?à.w..)^å©.=<:}þ
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..CàÛº........29
  0030: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  .Ñ».cgi-bin.conf
  0040: 0a68 7464 6f63 730a 6963 6f6e 730a 6c6f  .htdocs.icons.lo
  0050: 6773 0a                                  gs.

14:57:32.634381 CENSORED.10590 > 192.168.3.100.22: P 20869:20879(10) ack 3365 win 57920 <nop,nop,timestamp 13745253 362492473> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..>..@.&.ÆÉ?à.w
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  À¨.d)^..<:}þå©.\
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..â@[ª.......Ѽe
  0030: 159b 3239 6364 2068 7464 6f63 730a       ..29cd htdocs.

14:57:33.032919 CENSORED.10590 > 192.168.3.100.22: P 20879:20882(3) ack 3365 win 57920 <nop,nop,timestamp 13745293 362492478> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..7..@.&.ÆÇ?à.w
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  À¨.d)^..<:~.å©.\
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..â@¿¥.......Ѽ.
  0030: 159b 323e 6c73 0a                        ..2>ls.


14:57:33.498556 192.168.3.100.22 > CENSORED.10590: P 3365:3502(137) ack 20882 win 17376 <nop,nop,timestamp 362492480 13745293> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..½bb@.@.ÍuÀ¨.d
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ?à.w..)^å©.\<:~.
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..Càj³........2@
  0030: 00d1 bc8d 6170 6163 6865 5f70 622e 6769  .Ѽ.apache_pb.gi
  0040: 660a 626c 6f77 6669 7368 2e6a 7067 0a62  f.blowfish.jpg.b
  0050: 7364 5f73 6d61 6c6c 2e67 6966 0a69 6e64  sd_small.gif.ind
  0060: 6578 2e68 746d 6c0a 6c6f 636b 2e67 6966  ex.html.lock.gif
  0070: 0a6c 6f67 6f32 332e 6a70 670a 6c6f 676f  .logo23.jpg.logo
  0080: 3234 2e6a 7067 0a6d 616e 7561 6c0a 6f70  24.jpg.manual.op
  0090: 656e 6273 645f 7062 2e67 6966 0a6f 7065  enbsd_pb.gif.ope
  00a0: 6e62 7364 706f 7765 722e 6769 660a 736d  nbsdpower.gif.sm
  00b0: 616c 6c74 6974 6c65 2e67 6966 0a         alltitle.gif.


14:57:45.687963 CENSORED.10590 > 192.168.3.100.22: P 20882:20898(16) ack 3502 win 57920 <nop,nop,timestamp 13746559 362492480> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..D.`@.&.Åð?à.w
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  À¨.d)^..<:~.å©.å
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..â@M........ÑÁ.
  0030: 159b 3240 6d6f 7265 2069 6e64 6578 2e68  ..2@more index.h
  0040: 746d 6c0a                                tml.

14:57:45.715158 192.168.3.100.22 > CENSORED.10590: P 3502:3552(50) ack 20898 win 17376 <nop,nop,timestamp 362492504 13746559> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..fRç@.@.ÝGÀ¨.d
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ?à.w..)^å©.å<:~.
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..Cà½.........2X
  0030: 00d1 c17f 4c41 4e20 5765 6273 6974 6520  .ÑÁ.LAN Website 
  0040: 756e 6465 7220 636f 6e73 7472 7563 7469  under constructi
  0050: 6f6e 2120 4368 6563 6b20 6261 636b 206c  on! Check back l
  0060: 6174 6572 210a                           ater!.


^---- Just a little added touch to make it appear as though this honeypot is a legitimate server! ;)


14:57:52.078168 CENSORED.10590 > 192.168.3.100.22: P 20899:20905(6) ack 3552 win 57920 <nop,nop,timestamp 13747198 362492510> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..:.Á@.&.Å.?à.w
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  À¨.d)^..<:~.å©..
  0020: 8018 e240 7c19 0000 0101 080a 00d1 c3fe  ..â@|........ÑÃþ
  0030: 159b 325e 6364 202e 2e0a                 ..2^cd ...


14:57:58.120517 CENSORED.10590 > 192.168.3.100.22: P 20905:20929(24) ack 3552 win 57920 <nop,nop,timestamp 13747802 362492517> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..L..@.&.Å5?à.w
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  À¨.d)^..<:~"å©..
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..â@7$.......ÑÆZ
  0030: 159b 3265 6669 6e64 202f 202d 6e61 6d65  ..2efind / -name
  0040: 2069 6e64 6578 2e68 746d 6c0a             index.html.


He/she looks for more index.html files figuring the other one under construction may be on the system.
It appears the hacker is very interested to find out what kind of LAN website may be going up!

14:59:14.728696 192.168.3.100.22 > CENSORED.10590: P 3552:4109(557) ack 20950 win 17356 <nop,nop,timestamp 362492682 13749768> (DF)
  0000: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  E..a.Ñ@.@.¤bÀ¨.d
  0010: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ?à.w..)^å©..<:~O
  0020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX  ..CÌe ........3.
  0030: 00d1 ce08 2f76 6172 2f77 7777 2f68 7464  .ÑÎ./var/www/htd
  0040: 6f63 732f 6d61 6e75 616c 2f6d 6973 632f  ocs/manual/misc/
  0050: 696e 6465 782e 6874 6d6c 0a2f 7661 722f  index.html./var/
  0060: 7777 772f 6874 646f 6373 2f6d 616e 7561  www/htdocs/manua
  0070: 6c2f 6d6f 642f 6d6f 645f 7373 6c2f 696e  l/mod/mod_ssl/in
  0080: 6465 782e 6874 6d6c 0a2f 7661 722f 7777  dex.html./var/ww
  0090: 772f 6874 646f 6373 2f6d 616e 7561 6c2f  w/htdocs/manual/
  00a0: 6d6f 642f 696e 6465 782e 6874 6d6c 0a2f  mod/index.html./
  00b0: 7661 722f 7777 772f 6874 646f 6373 2f6d  var/www/htdocs/m
  00c0: 616e 7561 6c2f 7072 6f67 7261 6d73 2f69  anual/programs/i
  00d0: 6e64 6578 2e68 746d 6c0a 2f76 6172 2f77  ndex.html./var/w
  00e0: 7777 2f68 7464 6f63 732f 6d61 6e75 616c  ww/htdocs/manual
  00f0: 2f76 686f 7374 732f 696e 6465 782e 6874  /vhosts/index.ht
  0100: 6d6c 0a2f 7661 722f 7777 772f 6874 646f  ml./var/www/htdo
  0110: 6373 2f6d 616e 7561 6c2f 696e 6465 782e  cs/manual/index.
  0120: 6874 6d6c 0a2f 7661 722f 7777 772f 6874  html./var/www/ht
  0130: 646f 6373 2f69 6e64 6578 2e68 746d 6c0a  docs/index.html.
  0140: 2f75 7372 2f6c 6f63 616c 2f73 6861 7265  /usr/local/share
  0150: 2f64 6f63 2f76 6e63 2f76 6e63 5f64 6f63  /doc/vnc/vnc_doc
  0160: 732f 696e 6465 782e 6874 6d6c 0a2f 7573  s/index.html./us
  0170: 722f 706f 7274 732f 6d61 696c 2f63 2d63  r/ports/mail/c-c
  0180: 6c69 656e 742f 772d 632d 636c 6965 6e74  lient/w-c-client
  0190: 2d34 2e34 342f 7069 6e65 342e 3434 2f64  -4.44/pine4.44/d
  01a0: 6f63 2f74 6563 682d 6e6f 7465 732f 696e  oc/tech-notes/in
  01b0: 6465 782e 6874 6d6c 0a2f 7573 722f 706f  dex.html./usr/po
  01c0: 7274 732f 6d61 696c 2f70 696e 652f 772d  rts/mail/pine/w-
  01d0: 7069 6e65 2b70 6963 6f2d 342e 3434 2f70  pine+pico-4.44/p
  01e0: 696e 6534 2e34 342f 646f 632f 7465 6368  ine4.44/doc/tech
  01f0: 2d6e 6f74 6573 2f69 6e64 6578 2e68 746d  -notes/index.htm
  0200: 6c0a 2f75 7372 2f70 6f72 7473 2f6e 6574  l./usr/ports/net
  0210: 2f74 6967 6874 766e 632f 772d 7469 6768  /tightvnc/w-tigh
  0220: 7476 6e63 2d31 2e32 2e33 2f66 616b 652d  tvnc-1.2.3/fake-
  0230: 6933 3836 2f75 7372 2f6c 6f63 616c 2f73  i386/usr/local/s
  0240: 6861 7265 2f64 6f63 2f76 6e63 2f76 6e63  hare/doc/vnc/vnc
  0250: 5f64 6f63 732f 696e 6465 782e 6874 6d6c  _docs/index.html
  0260: 0a                                       .

           ^-- finally the output from that find
	       nothing of interest.