
Re: New sig for unknown bot: msg#00153

security.ids.snort.bleedingsnort

Subject: Re: New sig for unknown bot

2967 is the rtvscan stuff I'd assume. Has anyone else been seeing
anything like this?

Matt


Alex Raitz wrote:
> I think that the packet data is consistent with a known W32.Sagevo
> exploit. I am looking for the full content right now:
>
> 12:50:37.302768 IP ip-65-75-20-39.ct.dsl.ntplx.com.4516 >
> 192.168.81.2.2967: . 1:1461(1460) ack 1 win 17520
> 0x0000: 4500 05dc 3df0 4000 7506 5b0f 414b 1427 E...=.@.u.[.AK.'
> 0x0010: c0a8 5102 11a4 0b97 ee02 0319 8da7 24bc ..Q...........$.
> 0x0020: 5010 4470 d8ed 0000 0110 0f20 0a00 0000 P.Dp............
> 0x0030: 0218 0001 0000 0000 0024 0014 b7c9 d2d9 .........$......
> 0x0040: 3e33 ef34 251f 4300 0202 5c2f 6161 6161 >3.4%.C...\/aaaa
> 0x0050: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
> 0x0060: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
> 0x0070: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
> 0x0080: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
>
> -----Original Message-----
> From: bleeding-sigs-bounces-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> [mailto:bleeding-sigs-bounces-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx]
> On Behalf Of Matt
> Jonkman
> Sent: Monday, January 22, 2007 8:56 AM
> To: Bleeding Sigs
> Subject: Re: [Bleeding-sigs] New sig for unknown bot
>
> What kind of web servers is it hitting? IIS, apache?
>
> You able to grab a full session?
>
> Matt
>
> Jack Pepper wrote:
>> I don't know what's causing this, but that's just due to my own
>> laziness. I am seeing this on several https web servers. A long sled
>> of AA fillers in an https session? I don't think so. There is no chance
>> that https encryption could produce all these AAAAA.
>>
>> The sig:
>>
>> alert TCP $EXTERNAL_NET any -> $HOME_NET 443 (msg: "BLEEDING-EDGE VIRUS
>> incoming"; flow: established; content:"AAAAAAAAAAAAAAAAAAAAAAA";
>> classtype: trojan-activity; sid: xxxxxx; rev:1; )
>>
>>
>> The packet data:
>>
>>
>>
>> -------------------------------------------------
>> Email solutions, MS Exchange alternatives and extrication,
>> security services, systems integration.
>> Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
>>
>>
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
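As an added example (not code from the thread or from Bleeding Edge Threats), the defender's side of this discussion in Python: rebuild the packet bytes from the tcpdump-style dump quoted above, peel the IPv4/TCP headers by their own length fields, and measure the longest single-byte run in the payload, which is what the posted content:"AAAA..." match approximates. The 23-byte threshold and the function names are my choices; the sample input is the first dump quoted in the thread, reproduced inline.

```python
import re
from itertools import groupby
# Constructed input: the nine tcpdump "-X" style lines quoted in the thread above.
SAMPLE_DUMP = r"""
0x0000: 4500 05dc 3df0 4000 7506 5b0f 414b 1427 E...=.@.u.[.AK.'
0x0010: c0a8 5102 11a4 0b97 ee02 0319 8da7 24bc ..Q...........$.
0x0020: 5010 4470 d8ed 0000 0110 0f20 0a00 0000 P.Dp............
0x0030: 0218 0001 0000 0000 0024 0014 b7c9 d2d9 .........$......
0x0040: 3e33 ef34 251f 4300 0202 5c2f 6161 6161 >3.4%.C...\/aaaa
0x0050: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
0x0060: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
0x0070: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
0x0080: 6161 6161 6161 6161 6161 6161 6161 6161 aaaaaaaaaaaaaaaa
"""
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")
HEX_WORD = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -x/-X lines ('0xOFF: ' + up to eight hex
    words); the trailing ASCII column is skipped, offsets are checked for gaps."""
    out = bytearray()
    for m in filter(None, map(HEX_LINE.match, dump.splitlines())):
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"gap before offset 0x{m.group(1)}")
        words = []
        for tok in m.group(2).split():
            if len(words) == 8 or not HEX_WORD.fullmatch(tok):
                break  # at most 8 words per line; first non-hex token is ASCII column
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)

def tcp_payload(pkt: bytes) -> bytes:
    """Strip IPv4 and TCP headers using their own length fields (IHL, data offset)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    return tcp[(tcp[12] >> 4) * 4:]

def longest_run(data: bytes) -> tuple:
    """(byte value, length) of the longest run of one repeated byte; (-1, 0) if empty."""
    runs = [(b, sum(1 for _ in g)) for b, g in groupby(data)]
    return max(runs, key=lambda r: r[1], default=(-1, 0))

def looks_like_sled(payload: bytes, min_run: int = 23) -> bool:
    """Filler-agnostic form of the posted content match: any byte repeated min_run times (23 = that literal's length)."""
    return longest_run(payload)[1] >= min_run
```

A run of one repeated byte is only a triage signal, so keep the flow direction and port constraints of the posted rule around it and tune min_run against the traffic of the hosts being watched.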

