Re: New sig for unknown bot: 00136
security.ids.snort.bleedingsnort

What kind of web servers is it hitting? IIS, apache? You able to grab a full session?

Matt

Jack Pepper wrote:
> I don't know what's causing this, but that's just due to my own
> laziness. I am seeing this on several https web servers. A long sled
> of AA fillers in an https session? I don't think so. There is no chance
> that https encryption could produce all these AAAAA.
>
> The sig:
>
> alert TCP $EXTERNAL_NET any -> $HOME_NET 443 (msg: "BLEEDING-EDGE VIRUS incoming"; flow: established; content:"AAAAAAAAAAAAAAAAAAAAAAA"; classtype: trojan-activity; sid: xxxxxx; rev:1; )
>
> The packet data:
>
> 19:19:05.584929 202.62.72.235.4957 > 192.168.1.26.https: .
> 0000  45 00 05 8c 98 d6 40 00 2d 06 da a9 ca 3e 48 eb  E.....@.-....>H.
> 0010  c0 a8 01 1a 13 5d 01 bb 80 42 0f 57 8a 2a b6 81  .....]...B.W.*..
> 0020  80 10 20 10 54 66 00 00 01 01 08 0a 00 c0 a7 fc  .. .Tf..........
> 0030  00 8c 69 f9 90 90 90 90 90 90 90 90 90 90 90 90  ..i.............
> 0040  90 90 90 90 eb 0e 5a 4a 31 c9 b1 99 80 34 11 fa  ......ZJ1....4..
> 0050  e2 fa eb 05 e8 ed ff ff ff 13 7d fa fa fa a5 cb  ..........}.....
> 0060  33 4f fe 73 31 ab cb 33 4b f9 cb 28 cb 3a 4a cd  3O.s1..3K..(.:J.
> 0070  37 7a 73 3c 73 38 7a 34 f2 bb cb 3a 4a cd 37 7a  7zs<s8z4...:J.7z
> 0080  73 30 77 b5 f2 73 2a b2 37 7a 73 2b 73 08 cb 3a  s0w..s*.7zs+s..:
> 0090  4a cd 37 7a a3 7b 85 f2 94 9f 8c 9f 8e fe 18 39  J.7z.{.........9
> 00a0  11 47 cb 3a aa 92 8d ca ca 8e 73 1b 4a fe 73 38  .G.:......s.J.s8
> 00b0  37 7a cb 33 cb 3a 4a c5 37 7a bb cb 3a 4a c5 37  7z.3.:J.7z..:J.7
> 00c0  7a bb cb 3a 4a c5 37 7a 73 01 73 a5 f2 cb 3a 73  z..:J.7zs.s...:s
> 00d0  bd f6 72 bd fd cb 28 77 b5 f2 4a f1 37 7a cb 21  ..r...(w..J.7z.!
> 00e0  73 22 ba 37 7a 12 8e 05 05 05 d5 98 93 94 d5 89  s".7z...........
> 00f0  92 c5 41 41 41 41 41 41 41 41 41 41 41 41 41 41  ..AAAAAAAAAAAAAA
> 0100  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0110  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0120  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0130  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0140  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0150  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0160  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0170  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0180  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0190  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 01a0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 01b0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 01c0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 01d0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 01e0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 01f0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0200  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0210  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0220  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0230  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0240  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0250  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0260  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0270  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0280  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0290  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 02a0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 02b0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 02c0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 02d0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 02e0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 02f0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0300  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0310  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0320  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0330  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0340  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0350  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0360  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0370  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0380  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0390  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 03a0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 03b0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 03c0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 03d0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 03e0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 03f0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0400  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0410  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0420  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0430  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0440  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0450  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0460  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0470  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0480  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0490  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 04a0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 04b0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 04c0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 04d0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 04e0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 04f0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0500  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0510  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0520  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0530  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0540  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0550  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0560  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0570  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
> 0580  41 41 41 41 41 41 41 41 41 41 41 41              AAAAAAAAAAAA....
>
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
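A way to take the posted dump apart, added here as an analysis example (my code, not anything posted in the thread, and all function names are mine). It rebuilds the 1420-byte datagram from the rows above (only rows 0x0000 to 0x00f0 are typed in; the remaining rows are all 0x41 in the dump and are regenerated from the IP total-length field), carves the TCP payload from the IHL and TCP data-offset fields, measures the run of 0x90 NOPs, matches the 21-byte decoder stub that starts at dump offset 0x44 (my disassembly of those bytes: a jmp/call/pop to get its own address, then a byte-wise XOR loop whose length and key sit in the stub itself), undoes that XOR, and counts the 'A' filler behind it. The decoded bytes open with a jmp to a call whose return address lands on the string "/bin/sh", and the decoded code is full of int 0x80 opcodes, so the payload is x86 shellcode rather than TLS data. Which server software or flaw it was aimed at is not established by the thread and is not claimed here.

```python
import re
import struct
# Rows 0x0000-0x00f0 copied from the dump in the post. The dump's remaining
# rows (0x0100-0x058b) are all 0x41 ('A'); build_packet() regenerates them
# from the IP total-length field instead of retyping 73 identical rows.
DUMP_HEAD = """\
0000 45 00 05 8c 98 d6 40 00 2d 06 da a9 ca 3e 48 eb
0010 c0 a8 01 1a 13 5d 01 bb 80 42 0f 57 8a 2a b6 81
0020 80 10 20 10 54 66 00 00 01 01 08 0a 00 c0 a7 fc
0030 00 8c 69 f9 90 90 90 90 90 90 90 90 90 90 90 90
0040 90 90 90 90 eb 0e 5a 4a 31 c9 b1 99 80 34 11 fa
0050 e2 fa eb 05 e8 ed ff ff ff 13 7d fa fa fa a5 cb
0060 33 4f fe 73 31 ab cb 33 4b f9 cb 28 cb 3a 4a cd
0070 37 7a 73 3c 73 38 7a 34 f2 bb cb 3a 4a cd 37 7a
0080 73 30 77 b5 f2 73 2a b2 37 7a 73 2b 73 08 cb 3a
0090 4a cd 37 7a a3 7b 85 f2 94 9f 8c 9f 8e fe 18 39
00a0 11 47 cb 3a aa 92 8d ca ca 8e 73 1b 4a fe 73 38
00b0 37 7a cb 33 cb 3a 4a c5 37 7a bb cb 3a 4a c5 37
00c0 7a bb cb 3a 4a c5 37 7a 73 01 73 a5 f2 cb 3a 73
00d0 bd f6 72 bd fd cb 28 77 b5 f2 4a f1 37 7a cb 21
00e0 73 22 ba 37 7a 12 8e 05 05 05 d5 98 93 94 d5 89
00f0 92 c5 41 41 41 41 41 41 41 41 41 41 41 41 41 41
"""

def parse_hexdump(text):
    """Convert 'offset b0 .. b15' rows to bytes, refusing gaps between rows."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if int(fields[0], 16) != len(out):
            raise ValueError("non-contiguous row at " + fields[0])
        out += bytes(int(b, 16) for b in fields[1:])
    return bytes(out)

def build_packet():
    """Reassemble the whole datagram: dumped head plus the 'A' rows."""
    head = parse_hexdump(DUMP_HEAD)
    total_len = struct.unpack("!H", head[2:4])[0]   # IPv4 total length: 0x058c
    return head + b"A" * (total_len - len(head))

def tcp_payload(pkt):
    """Carve the TCP payload from IHL and data offset, not fixed 20/20 headers."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4   # TCP header length incl. options
    return sport, dport, pkt[ihl + data_off:total_len]

# The 21-byte decoder stub at dump offset 0x44, as I read it (LL and KK vary):
#   eb 0e           jmp  +0x0e              ; to the call below
#   5a              pop  edx                ; address of the byte after the call
#   4a              dec  edx
#   31 c9           xor  ecx, ecx
#   b1 LL           mov  cl, LL             ; number of encoded bytes (0x99 here)
#   80 34 11 KK     xor  byte [ecx+edx], KK ; key (0xfa here)
#   e2 fa           loop -6                 ; back to the xor until cl == 0
#   eb 05           jmp  +5                 ; over the call into the decoded code
#   e8 ed ff ff ff  call -0x13              ; back to the pop edx
STUB = re.compile(rb"\xeb\x0e\x5a\x4a\x31\xc9\xb1(.)\x80\x34\x11(.)"
                  rb"\xe2\xfa\xeb\x05\xe8\xed\xff\xff\xff", re.DOTALL)

def analyse(payload):
    """Measure the sled, find the stub, undo its XOR loop, measure the filler."""
    m = STUB.search(payload)
    if not m:
        raise ValueError("decoder stub not found in payload")
    length, key = m.group(1)[0], m.group(2)[0]
    encoded = payload[m.end():m.end() + length]
    tail = payload[m.end() + length:]
    return {
        "sled_len": len(payload) - len(payload.lstrip(b"\x90")),
        "stub_off": m.start(),
        "xor_key": key,
        "encoded_len": length,
        "decoded": bytes(b ^ key for b in encoded),
        "pad_len": len(tail) - len(tail.rstrip(b"A")),
        # TLS records start with a content type 0x14-0x17 and major version 3.
        "tls_record_header": 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03,
    }

def jmp_call_pop_string(decoded):
    """Follow the jmp/call/pop idiom: rel32 jmp -> rel32 call; the bytes after
    the call are its 'return address' and get popped. Returns (call target, bytes)."""
    if decoded[0] != 0xE9:
        return None
    jmp_to = 5 + struct.unpack("<i", decoded[1:5])[0]
    if decoded[jmp_to] != 0xE8:
        return None
    call_to = jmp_to + 5 + struct.unpack("<i", decoded[jmp_to + 1:jmp_to + 5])[0]
    return call_to, decoded[jmp_to + 5:]

if __name__ == "__main__":
    sport, dport, payload = tcp_payload(build_packet())
    r = analyse(payload)
    syscalls = r["decoded"].count(b"\xcd\x80")   # int 0x80 opcodes
    print(f"{sport}->{dport}: {len(payload)} payload bytes, sled {r['sled_len']}, "
          f"stub at +{r['stub_off']}, key {r['xor_key']:#04x}, {r['encoded_len']} encoded, "
          f"{r['pad_len']} filler bytes, {syscalls} int 0x80")
    print("bytes after the call:", jmp_call_pop_string(r["decoded"])[1])
```

Run it as a script to print the summary. For detection, the fixed bytes of the stub (everything except the one-byte length and key) are a more specific content match than a run of 'A', which the attacker can change at will; in Snort hex notation that is content:"|eb 0e 5a 4a 31 c9 b1|"; followed by a second content for the "|80 34 11|" part. Both the sled and the stub also sit where a TLS record header would have to be, so the first bytes of a port-443 payload being neither a TLS content type nor an SSLv2 header is itself worth flagging.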