Re: New sig for unknown bot (msg#00144, security.ids.snort.bleedingsnort)
Hmmm. I'm assuming this is supposed to be exploiting the rtvscan stuff. The aaaa's are filler of course, and easily changed. Did any of the rtvscan sigs trip on this when you caught it? Like 2003250?

Matt

Raitz, Alex wrote:
> I can't confirm, the traffic and ports are different enough that I am
> not sure. I do have a capture of the Sagevo exploit.
>
> -----Original Message-----
> From: bleeding-sigs-bounces-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> [mailto:bleeding-sigs-bounces-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx]
> On Behalf Of Jack Pepper
> Sent: Tuesday, January 23, 2007 11:09 PM
> To: bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> Subject: Re: [Bleeding-sigs] New sig for unknown bot
>
> Quoting Matt Jonkman <jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>:
>
>> What kind of web servers is it hitting? IIS, apache?
>
> Apache on this one.
>
>> You able to grab a full session?
>
> Unfortunately, no. I got this quite by accident while trying to look
> for something else completely unrelated.
>
> I have put this on my systems with the "msg:" line "Unlikely Fake
> HTTPS traffic".
>
> Alex: Were you able to confirm Sagevo on this? Is there already a
> rule for it?
>
> jp
>
>> Jack Pepper wrote:
>>> I don't know what's causing this, but that's just due to my own
>>> laziness. I am seeing this on several https web servers. A long sled
>>> of AA fillers in an https session? I don't think so. There is no chance
>>> that https encryption could produce all these AAAAA.
>>>
>>> The sig:
>>>
>>> alert TCP $EXTERNAL_NET any -> $HOME_NET 443 (msg: "BLEEDING-EDGE VIRUS
>>> incoming"; flow: established; content:"AAAAAAAAAAAAAAAAAAAAAAA";
>>> classtype: trojan-activity; sid: xxxxxx; rev:1; )
>>>
>>> The packet data:
>>>
>>> -------------------------------------------------
>>> Email solutions, MS Exchange alternatives and extrication,
>>> security services, systems integration.
>>> Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
>>>
>>> _______________________________________________
>>> Bleeding-sigs mailing list
>>> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
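The check the thread is circling, written out as an added example (not code from the thread or from Bleeding Edge Threats): it rebuilds bytes from dump lines in the quoted format and flags a payload on a run of identical bytes of any value, since, as noted above, the "A" filler is easily changed and a literal `content:"AAAA..."` match is trivially evaded. The 23-byte threshold, the sample dump and the TLS-like benign record are all constructed here.

```python
import re

# Threshold chosen for this example: a run of 23+ identical bytes. The byte
# value is left free because the filler is trivially changed (0x41 'A',
# 0x90 NOP, or anything else), which is the weakness of matching "AAAA...".
MIN_RUN = 23

def parse_hex_dump(dump: str) -> bytes:
    """Rebuild packet bytes from lines shaped like the thread's quoted dump:
    '<offset> <hex bytes> ||| <ascii>'. Offset and ASCII columns are dropped."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hexpart = line.split("|||")[0].split()[1:]   # drop the offset column
        out.extend(int(h, 16) for h in hexpart)
    return bytes(out)

def longest_run(payload: bytes):
    """Return (byte, length) of the longest run of one repeated byte."""
    best = (None, 0)
    for m in re.finditer(rb"(.)\1*", payload, re.S):
        n = m.end() - m.start()
        if n > best[1]:
            best = (m.group(1), n)
    return best

def suspicious_filler(payload: bytes, min_run: int = MIN_RUN) -> bool:
    """Flag a port-443 payload carrying min_run+ identical bytes in a row.
    TLS ciphertext is effectively random, so such runs are not expected in a
    real HTTPS session; plaintext filler or a NOP sled produces them."""
    return longest_run(payload)[1] >= min_run

# Constructed sample in the quoted dump's format (not the thread's capture):
# four 0x90 NOPs followed by 28 bytes of 0x42, showing the check does not
# depend on the filler being 'A'.
SAMPLE_DUMP = """
0000 90 90 90 90 42 42 42 42 42 42 42 42 42 42 42 42 ||| ....BBBBBBBBBBBB
0010 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 ||| BBBBBBBBBBBBBBBB
"""
# Constructed benign bytes: a TLS record header followed by varied content.
BENIGN = bytes([0x16, 0x03, 0x01, 0x00, 0x20]) + bytes(range(32))

if __name__ == "__main__":
    pkt = parse_hex_dump(SAMPLE_DUMP)
    print(longest_run(pkt), suspicious_filler(pkt))   # (b'B', 28) True
    print(longest_run(BENIGN), suspicious_filler(BENIGN))
```

A run-length check of this kind is a heuristic: it catches changed filler bytes, but a sender can still break the run with varied bytes, so it complements rather than replaces session-level inspection.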