Help: Weird email received & E-Safe Alert

From: root (etienneat_private)
Date: Thu Oct 04 2001 - 05:15:17 PDT


    Greetings,
    
    I need some help trying to explain two different issues.
    
    1)
    
    We received an email from someone else with only the following in the
    mail:
    
    #########################################################################################
    <snip>
    Sent: Friday, September 28, 2001 3:04 PM 
    Subject: Be sure to answer. 
    
    \par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057 
    
    \par {\pntext\pard\plain\f1 \'b7\tab}}\pard
    \qj\fi-283\li283\widctlpar{\*\pn \pnlvlblt\pnf1\pnindent283
    {\pntxtb \'b7}}{\fs24\lang2057 Create a new file.
    
    \par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057 
    
    \par The new command \ldblquote Scan Text\rdblquote  has been added to
    the \ldblquote File\rdblquote 
    menu. 
    
    \par 
    
    \par 
    
    \par }{\b\fs30\lang2057 C. Excel 2000 (Office 2000) and Excel 97 (Office
    97) 
    
    \par }{\fs24\lang2057 
    
    \par Start Excel. 
    
    ##########################################################################################
    
    My questions are :
    
    - WTF is this? Or what was it supposed to be?
    - What does the above code try to do?
    
    I suppose this could've just been an accident; I haven't mailed the
    sender for his input yet. I just thought I'd add it to this email along
    with my other question.
    
    
    2)
    
    We are using E-trust from Computer Associates. It has detected an event
    "Attempt to use Wingate Redirector DoS". I suspect this is a false
    positive, but I cannot explain what it was that actually triggered this
    alert. I need some help trying to figure out what actually happened.
    
    LOG:
    #########################################################################
    
    Client IP = xxx.xxx.xxx.xxx
    Server IP = aaa.aaa.aaa.aaa
    Client physical address = 00:04:AC:4C:35:27
    Server physical address = 00:04:AC:38:7D:6E
    Client port = 1066
    Server port = 2080 TCP
    
    ##############################################################################
    
    Any hints/ideas what this was?
    
    
    tx.
    E.
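The quoted body in question 1 is raw RTF (Rich Text Format) markup: `\par`, `\pard`, `\qj`, `\widctlpar`, `\ldblquote` and `\'b7` are RTF control words and escapes, so the mail is a document whose source was pasted or mis-encoded rather than rendered. The following extractor, added here and not part of the original post, strips the control words and ignorable `{\*...}` groups to recover the visible text; the SAMPLE string is constructed from the fragment above, with the mail's line wrapping treated as spaces.

```python
import re

# RTF tokens: \'hh hex escapes, \word[N] control words (each swallows one following
# space), \X control symbols, group braces, and runs of plain text.
TOKEN = re.compile(
    r"\\'(?P<hex>[0-9a-fA-F]{2})"
    r"|\\(?P<word>[a-zA-Z]+)(?P<num>-?\d+)? ?"
    r"|\\(?P<sym>[^a-zA-Z])"
    r"|(?P<brace>[{}])"
    r"|(?P<text>[^\\{}]+)"
)
# Control words that carry visible text; all other control words are formatting.
SPECIAL = {"par": "\n", "line": "\n", "tab": "\t", "ldblquote": '"',
           "rdblquote": '"', "lquote": "'", "rquote": "'", "bullet": "*"}
DESTINATIONS = {"pntext", "fonttbl", "colortbl", "stylesheet", "info"}  # skipped groups

def rtf_paragraphs(rtf):
    """Return the visible paragraphs of an RTF fragment (no RTF header needed)."""
    out, depth, skip_until, just_opened = [], 0, None, False
    for m in TOKEN.finditer(rtf):
        if m.group("brace"):
            if m.group() == "{":
                depth, just_opened = depth + 1, True
                continue
            if skip_until == depth: skip_until = None   # leaving the ignored group
            depth -= 1                                  # may go negative: the mail is a snip
        elif skip_until is not None:
            pass                                        # inside an ignored group
        elif just_opened and (m.group("sym") == "*" or m.group("word") in DESTINATIONS):
            skip_until = depth                          # {\* ...} or {\pntext ...}
        elif m.group("hex"):
            out.append(bytes.fromhex(m.group("hex")).decode("cp1252"))
        elif m.group("word"):
            out.append(SPECIAL.get(m.group("word"), ""))
        elif m.group("sym") in ("\\", "{", "}"):
            out.append(m.group("sym"))                  # escaped literal characters
        elif m.group("text"):
            out.append(m.group("text").replace("\n", " "))  # mail wrapping, not RTF
        just_opened = False
    return [" ".join(p.split()) for p in "".join(out).split("\n") if p.strip()]

# Constructed sample modelled on the fragment quoted in the mail.
SAMPLE = r"""\par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057
\par {\pntext\pard\plain\f1 \'b7\tab}}\pard
\qj\fi-283\li283\widctlpar{\*\pn \pnlvlblt\pnf1\pnindent283
{\pntxtb \'b7}}{\fs24\lang2057 Create a new file.
\par The new command \ldblquote Scan Text\rdblquote  has been added to
the \ldblquote File\rdblquote
menu.
\par }{\b\fs30\lang2057 C. Excel 2000 (Office 2000) and Excel 97 (Office
97)"""
```

Running `rtf_paragraphs(SAMPLE)` yields the three paragraphs of a bulleted how-to list, which is what the sender's mail client should have rendered.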
    
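The alert log in question 2 is a DCE/RPC session: each captured block starts with the 16-byte connection-oriented RPC header (05 00 = version 5.0, then packet type 0B bind, 0C bind_ack, 10 auth3, 00 request, 02 response) and ends with an authentication trailer of type 0A (NTLMSSP), with Exchange-style /o=.../ou=.../cn=Recipients/cn=... addresses in the payload. The decoder below was written for this post (it is not from the list or from Computer Associates) and reads those header and sec_trailer fields so an analyst can check what protocol an alert actually fired on; the sample PDU bytes are constructed, not taken from the log.

```python
import struct

# Connection-oriented DCE/RPC constants (DCE 1.1 RPC / MS-RPCE); only the values
# useful for triage are named, unknown codes fall through as integers.
PTYPE = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
         13: "bind_nak", 14: "alter_context", 15: "alter_context_resp", 16: "auth3"}
AUTH_TYPE = {0: "none", 9: "SPNEGO", 10: "NTLMSSP", 16: "Kerberos"}
AUTH_LEVEL = {1: "none", 2: "connect", 3: "call", 4: "pkt", 5: "pkt_integrity", 6: "pkt_privacy"}
NTLM_MSG = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def parse_pdu(data):
    """Decode the 16-byte CO header and, when auth_length > 0, the 8-byte
    sec_trailer that sits auth_length + 8 bytes before the end of the fragment."""
    if len(data) < 16 or data[0] != 5:
        raise ValueError("not a DCE/RPC version 5 PDU")
    _v, _minor, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", data)
    if not drep[0] & 0x10:                   # bit 4 of drep[0]: 1 = little-endian integers
        raise ValueError("big-endian NDR not handled in this example")
    info = {"ptype": PTYPE.get(ptype, ptype), "first_frag": bool(flags & 1),
            "last_frag": bool(flags & 2), "frag_len": frag_len, "call_id": call_id}
    if auth_len:
        off = frag_len - auth_len - 8        # sec_trailer: type, level, pad_len, reserved, ctx_id
        atype, alevel, _pad, _res, ctx = struct.unpack_from("<BBBBI", data, off)
        verifier = data[off + 8: off + 8 + auth_len]
        info.update(auth_type=AUTH_TYPE.get(atype, atype), auth_level=AUTH_LEVEL.get(alevel, alevel), auth_ctx=ctx)
        if verifier.startswith(b"NTLMSSP\0"):  # NTLM message type follows the 8-byte signature
            info["ntlm_msg"] = NTLM_MSG.get(struct.unpack_from("<I", verifier, 8)[0])
    return info

def build_pdu(ptype, call_id, body, verifier=b"", auth_type=10, auth_level=2, ctx_id=0):
    """Assemble a v5.0 little-endian PDU; used here only to construct sample input."""
    trailer = b""
    if verifier:
        pad = (-len(body)) % 4               # sec_trailer must start on a 4-byte boundary
        body += b"\0" * pad
        trailer = struct.pack("<BBBBI", auth_type, auth_level, pad, 0, ctx_id) + verifier
    frag_len = 16 + len(body) + len(trailer)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0", frag_len, len(verifier), call_id)
    return hdr + body + trailer

# Constructed sample: a bind PDU carrying a truncated NTLM NEGOTIATE token.
SAMPLE_BIND = build_pdu(11, 1, b"\0" * 18, b"NTLMSSP\0" + struct.pack("<II", 1, 0xA000B207))
```

Feeding each captured block to `parse_pdu` gives the packet type, fragment length and authentication type that a port-based signature never looks at, which is the first thing to compare against what the rule claims to detect.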
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 08:48:43 PDT