Greetings,
I need some help trying to explain two different issues.
1)
We received an email from someone else with only the following in the
mail:
#########################################################################################
<snip>
Sent: Friday, September 28, 2001 3:04 PM
Subject: Be sure to answer.
\par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057
\par {\pntext\pard\plain\f1 \'b7\tab}}\pard
\qj\fi-283\li283\widctlpar{\*\pn \pnlvlblt\pnf1\pnindent283
{\pntxtb \'b7}}{\fs24\lang2057 Create a new file.
\par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057
\par The new command \ldblquote Scan Text\rdblquote has been added to
the \ldblquote File\rdblquote
menu.
\par
\par
\par }{\b\fs30\lang2057 C. Excel 2000 (Office 2000) and Excel 97 (Office
97)
\par }{\fs24\lang2057
\par Start Excel.
##########################################################################################
My questions are :
- WTF is this ? or What was it suppose to be ?
- What does the above code try to do ?
I suppose this couldve just been an accident, I haven't mailed the
sender for his input yet. Just thought I'll add it into the email along
with my other question.
2)
We are using E-trust from Computer Associates. It has detected an event
"Attempt to use Wingate Redirector DoS". I suspect this is a false
positive but I cannot explain what was it that actually triggered this
alert. I need some help trying to figure out what actually happened.
LOG:
#########################################################################
Client IP = xxx.xxx.xxx.xxx
Server IP = aaa.aaa.aaa.aaa
Client physical address = 00:04:AC:4C:35:27
Server physical address = 00:04:AC:38:7D:6E
Client port = 1066
Server port = 2080 TCP
Server -> Client
05 00 0B 03 10 00 00 00 83 00 33 00 01 00 00 00 ........f.3.....
D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00 Ð.Ð.............
00 DB F1 A4 47 CA 67 10 B3 1F 00 DD 01 06 62 DA .Ûñ¤GÊg.³..Ý..bÚ
00 00 51 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 ..Q..]^Së.É.Yè..
2B 10 48 60 02 00 00 00 0A 02 00 00 88 E2 08 00 +.H`........^â..
4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0 NTLMSSP......².
07 00 07 00 2C 00 00 00 0C 00 0C 00 20 00 00 00 ....,....... ...
4C 49 4E 44 41 4C 4F 55 54 44 42 4E 43 4F 52 50 LINDALOUTDBNCORP
43 4F 4D COM
Client -> Server
05 00 0C 03 10 00 00 00 82 00 3E 00 01 00 00 00 ........,.>.....
D0 16 D0 16 1B 3F 01 00 05 00 31 30 36 36 00 61 Ð.Ð..?....1066.a
01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 .........]^Së.É.
9F E8 08 00 2B 10 48 60 02 00 00 00 0A 02 00 00 Yè..+.H`........
88 E2 08 00 4E 54 4C 4D 53 53 50 00 02 00 00 00 ^â..NTLMSSP.....
0E 00 0E 00 30 00 00 00 05 82 01 00 F5 0A 69 96 ....0....,..õ.i-
70 CD B7 66 00 00 00 00 00 00 00 00 00 00 00 00 pÍ·f............
3E 00 00 00 43 00 4F 00 52 00 50 00 43 00 4F 00 >...C.O.R.P.C.O.
4D 00 M.
Server -> Client
05 00 10 03 10 00 00 00 BC 00 A0 00 01 00 00 00 ........¼. .....
D0 16 D0 16 0A 02 00 00 88 E2 08 00 4E 54 4C 4D Ð.Ð.....^â..NTLM
53 53 50 00 03 00 00 00 18 00 18 00 70 00 00 00 SSP.........p...
18 00 18 00 88 00 00 00 0E 00 0E 00 40 00 00 00 ....^.......@...
0A 00 0A 00 4E 00 00 00 18 00 18 00 58 00 00 00 ....N.......X...
00 00 00 00 A0 00 00 00 05 82 00 00 43 00 4F 00 .... ....,..C.O.
52 00 50 00 43 00 4F 00 4D 00 4C 00 69 00 6E 00 R.P.C.O.M.L.i.n.
64 00 61 00 4C 00 49 00 4E 00 44 00 41 00 4C 00 d.a.L.I.N.D.A.L.
4F 00 55 00 54 00 44 00 42 00 4E 00 5F 46 EA BA O.U.T.D.B.N._Fêº
74 D2 F2 71 3E 54 19 95 BF 80 61 4D 2E FD 3B 98 tÒòq>T.*¿?aM.ý;~
CC BC 0A 4C BD DD A5 B4 89 16 42 D4 6A C1 55 BC ̼.L½Ý¥´?.BÔjÁU¼
54 0A A7 19 DA 5C E4 79 B5 05 F0 54 05 00 00 03 T.§.Ú\äyµ.ðT....
10 00 00 00 A0 00 10 00 01 00 00 00 6C 00 00 00 .... .......l...
00 00 00 00 35 00 00 00 00 00 00 00 35 00 00 00 ....5.......5...
2F 6F 3D 43 6F 72 70 63 6F 6D 20 4F 75 74 64 6F /o=Corpcom Outdo
6F 72 2F 6F 75 3D 43 4F 52 50 43 4F 4D 2F 63 6E or/ou=CORPCOM/cn
3D 52 65 63 69 70 69 65 6E 74 73 2F 63 6E 3D 4C =Recipients/cn=L
69 6E 64 61 00 82 01 00 00 00 00 00 F5 DB 40 99 inda.,......õÛ@?
00 00 00 00 E4 04 00 00 09 04 00 00 09 1C 00 00 ....ä...........
FF FF FF FF 01 00 05 00 03 0B 00 00 00 00 D3 01 ÿÿÿÿ..........Ó.
00 00 00 00 0A 02 04 00 88 E2 08 00 01 00 00 00 ........^â......
00 00 00 00 00 00 00 00 00 00 00 00 ............
Client -> Server
05 00 02 03 10 00 00 00 D0 00 10 00 01 00 00 00 ........Ð.......
98 00 00 00 00 00 00 00 00 00 00 00 CF 49 86 61 ~...........ÏI?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 60 EA 00 00 6¶Õ.ª?..¬L5'`ê..
06 00 00 00 10 27 00 00 3B 01 0E 00 C8 D1 11 12 .....'..;...ÈÑ..
30 00 00 00 00 00 00 00 30 00 00 00 2F 4F 3D 43 0.......0.../O=C
4F 52 50 43 4F 4D 20 4F 55 54 44 4F 4F 52 2F 4F ORPCOM OUTDOOR/O
55 3D 43 4F 52 50 43 4F 4D 2F 43 4E 3D 52 45 43 U=CORPCOM/CN=REC
49 50 49 45 4E 54 53 2F 43 4E 3D 00 38 40 16 12 IPIENTS/CN=.8@..
0F 00 00 00 00 00 00 00 0F 00 00 00 4C 69 6E 64 ............Lind
61 20 4C 65 76 65 6E 64 61 67 00 4D 05 00 5D 0A a Levendag.M..].
17 00 05 00 03 0B 00 00 24 82 3C 1C 00 00 00 00 ........$,<.....
54 0A A7 19 DA 5C E4 79 0A 02 08 00 88 E2 08 00 T.§.Ú\äy....^â..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Server -> Client
05 00 00 03 10 00 00 00 A0 00 10 00 02 00 00 00 ........ .......
6E 00 00 00 00 00 02 00 00 00 00 00 CF 49 86 61 n...........ÏI?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 02 00 00 6¶Õ.ª?..¬L5'....
00 00 00 00 49 00 00 00 E0 A5 5B A5 A5 A4 A9 A5 ....I...à¥[¥¥¤©¥
A5 A5 A5 A5 A5 A5 90 A5 8A CA 98 E6 CA D7 D5 C6 ¥¥¥¥¥¥?¥SÊ~æÊ×ÕÆ
CA C8 85 EA D0 D1 C1 CA CA D7 8A CA D0 98 E6 EA ÊÈ?êÐÑÁÊÊ×SÊÐ~æê
F7 F5 E6 EA E8 8A C6 CB 98 F7 C0 C6 CC D5 CC C0 ÷õæêèSÆË~÷ÀÆÌÕÌÀ
CB D1 D6 8A C6 CB 98 E9 CC CB C1 C4 A5 5A 5A 5A ËÑÖSÆË~éÌËÁÄ¥ZZZ
5A 00 49 00 00 02 00 00 0A 02 02 00 88 E2 08 00 Z.I.........^â..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Client -> Server
05 00 02 03 10 00 00 00 10 01 10 00 02 00 00 00 ................
D4 00 00 00 00 00 00 00 00 00 00 00 CF 49 86 61 Ô...........ÏI?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 02 00 00 6¶Õ.ª?..¬L5'....
00 00 00 00 AC 00 00 00 0D A5 5B A5 A5 A5 A5 A5 ....¬....¥[¥¥¥¥¥
A4 A4 A5 A5 A5 A5 A5 99 25 A4 A5 A5 A5 A5 A5 99 ¤¤¥¥¥¥¥?%¤¥¥¥¥¥?
27 A4 A5 A5 A5 A5 A5 99 26 A4 A5 A5 A5 A5 A5 99 '¤¥¥¥¥¥?&¤¥¥¥¥¥?
24 A4 A5 A5 A5 A5 A5 99 21 A4 A5 A5 A5 A5 A5 99 $¤¥¥¥¥¥?!¤¥¥¥¥¥?
20 A4 A5 A5 A5 A5 A5 99 23 A4 A5 A5 A5 A5 A5 99 ¤¥¥¥¥¥?#¤¥¥¥¥¥?
22 A4 A5 A5 A5 A5 A5 99 2F A4 A5 A5 A5 A5 A5 99 "¤¥¥¥¥¥?/¤¥¥¥¥¥?
2E A4 A5 A5 A5 A5 A5 99 2D A4 A5 A5 A5 A5 A5 99 .¤¥¥¥¥¥?-¤¥¥¥¥¥?
2C A4 A5 A5 A5 A5 A5 99 29 A2 83 CF D2 42 C2 EE ,¤¥¥¥¥¥?)¢fÏÒBÂî
70 B4 0F CB A5 A1 09 E9 90 82 A4 A5 1C AA 6C BD p´.Ë¥¡.é?,¤¥.ªl½
C3 EE 70 B4 0F C8 A5 A1 09 E9 90 82 B7 B5 AF A4 Ãîp´.È¥¡.é?,·µ¯¤
A4 AF 74 A2 A5 07 67 BB AA F9 1A A4 A5 A5 A5 A4 ¤¯t¢¥.g»ªù.¤¥¥¥¤
61 AD A5 A5 AC 00 A5 A5 00 00 00 00 AD A5 A5 A5 a¥¥¬.¥¥....¥¥¥
AC A5 A5 A5 A2 A5 A5 A5 0A 02 0C 00 88 E2 08 00 ¬¥¥¥¢¥¥¥....^â..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Server -> Client
05 00 00 03 10 00 00 00 80 00 10 00 03 00 00 00 ........?.......
44 00 00 00 00 00 02 00 00 00 00 00 CF 49 86 61 D...........ÏI?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 16 00 00 6¶Õ.ª?..¬L5'....
00 00 00 00 1F 00 00 00 BE A5 A2 A5 A5 A5 A5 A5 ........¾¥¢¥¥¥¥¥
A5 A1 A5 A7 A4 BC C3 A7 A4 BE C3 BB A5 B9 C3 A7 ¥¡¥§¤¼Ã§¤¾Ã»¥¹Ã§
A4 94 C3 61 AD A5 A5 5D 1F 00 00 16 C9 11 9F E8 ¤?Ãa¥¥]....É.Yè
08 00 2B 10 48 60 02 00 0A 02 0C 00 88 E2 08 00 ..+.H`......^â..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Client -> Server
05 00 02 03 10 00 00 00 20 01 10 00 03 00 00 00 ........ .......
F0 00 00 00 00 00 00 00 00 00 00 00 CF 49 86 61 ð...........ÏI?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 16 00 00 6¶Õ.ª?..¬L5'....
00 00 00 00 CA 00 00 00 63 A5 A2 A5 A5 A5 A5 A5 ....Ê...c¥¢¥¥¥¥¥
A4 A5 F4 A5 A5 A5 A5 A5 79 02 E5 6D 65 E7 B5 BF ¤¥ô¥¥¥¥¥y.åme絿
11 1C AD A5 8E 8A 44 27 A4 A5 A5 A5 A5 A5 A5 A5 ..¥?SD'¤¥¥¥¥¥¥¥
8A EA 98 E6 EA F7 F5 E6 EA E8 85 EA F0 F1 E1 EA Sê~æê÷õæêè?êðñáê
EA F7 8A EA F0 98 E6 EA F7 F5 E6 EA E8 8A E6 EB ê÷Sêð~æê÷õæêèSæë
98 F7 E0 E6 EC F5 EC E0 EB F1 F6 8A E6 EB 98 E9 ~÷àæìõìàëñöSæë~é
EC EB E1 E4 A5 A5 F4 A5 A5 A5 A5 A5 79 02 E5 6D ìëá䥥ô¥¥¥¥¥y.åm
65 E7 B5 BF 11 1C AD A5 8E 8A 44 27 A4 A5 A5 A5 e絿..¥?SD'¤¥¥¥
A5 A5 A5 A5 8A EA 98 E6 EA F7 F5 E6 EA E8 85 EA ¥¥¥¥Sê~æê÷õæêè?ê
F0 F1 E1 EA EA F7 8A EA F0 98 E6 EA F7 F5 E6 EA ðñáêê÷Sêð~æê÷õæê
E8 8A E6 EB 98 F7 E0 E6 EC F5 EC E0 EB F1 F6 8A èSæë~÷àæìõìàëñöS
E6 EB 98 E9 EC EB E1 E4 A5 A5 E9 CC CB C1 C4 85 æë~éìëá䥥éÌËÁÄ?
E9 C0 D3 C0 CB C1 C4 C2 A5 AF A0 A5 A2 25 61 AD éÀÓÀËÁÄÂ¥¯ ¥¢%a
A5 A5 CA 00 00 00 00 00 0A 02 00 00 88 E2 08 00 ¥¥Ê.........^â..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
..
..
..etc.
##############################################################################
Any Hints/Ideas what this was?
tx.
E.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 08:48:43 PDT