Help: Weird email received & E-Safe Alert

From: root (etienneat_private)
Date: Thu Oct 04 2001 - 05:15:17 PDT

    Greetings,
    
    I need some help trying to explain two different issues.
    
    1)
    
    We received an email from someone else with only the following in the
    mail:
    
    #########################################################################################
    <snip>
    Sent: Friday, September 28, 2001 3:04 PM 
    Subject: Be sure to answer. 
    
    \par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057 
    
    \par {\pntext\pard\plain\f1 \'b7\tab}}\pard
    \qj\fi-283\li283\widctlpar{\*\pn \pnlvlblt\pnf1\pnindent283
    {\pntxtb \'b7}}{\fs24\lang2057 Create a new file.
    
    \par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057 
    
    \par The new command \ldblquote Scan Text\rdblquote  has been added to
    the \ldblquote File\rdblquote 
    menu. 
    
    \par 
    
    \par 
    
    \par }{\b\fs30\lang2057 C. Excel 2000 (Office 2000) and Excel 97 (Office
    97) 
    
    \par }{\fs24\lang2057 
    
    \par Start Excel. 
    
    ##########################################################################################
    
    My questions are:
    
    - WTF is this? Or what was it supposed to be?
    - What does the above code try to do?
    
    I suppose this could've just been an accident; I haven't mailed the
    sender for his input yet. Just thought I'd add it into the email along
    with my other question.
    
    
    2)
    
    We are using eTrust from Computer Associates. It has detected an event
    "Attempt to use Wingate Redirector DoS". I suspect this is a false
    positive, but I cannot explain what it was that actually triggered this
    alert. I need some help trying to figure out what actually happened.
    
    LOG:
    #########################################################################
    
    Client IP = xxx.xxx.xxx.xxx
    Server IP = aaa.aaa.aaa.aaa
    Client physical address = 00:04:AC:4C:35:27
    Server physical address = 00:04:AC:38:7D:6E
    Client port = 1066
    Server port = 2080 TCP
    
    Server -> Client
    05 00 0B 03 10 00 00 00  83 00 33 00 01 00 00 00  ........f.3.....
    D0 16 D0 16 00 00 00 00  01 00 00 00 00 00 01 00  ..............
    00 DB F1 A4 47 CA 67 10  B3 1F 00 DD 01 06 62 DA  .Gg.....b
    00 00 51 00 04 5D 88 8A  EB 1C C9 11 9F E8 08 00  ..Q..]^S..Y..
    2B 10 48 60 02 00 00 00  0A 02 00 00 88 E2 08 00  +.H`........^..
    4E 54 4C 4D 53 53 50 00  01 00 00 00 07 B2 00 A0  NTLMSSP....... 
    07 00 07 00 2C 00 00 00  0C 00 0C 00 20 00 00 00  ....,....... ...
    4C 49 4E 44 41 4C 4F 55  54 44 42 4E 43 4F 52 50  LINDALOUTDBNCORP
    43 4F 4D                                          COM             
    Client -> Server
    05 00 0C 03 10 00 00 00  82 00 3E 00 01 00 00 00  ........,.>.....
    D0 16 D0 16 1B 3F 01 00  05 00 31 30 36 36 00 61  ...?....1066.a
    01 00 00 00 00 00 00 00  04 5D 88 8A EB 1C C9 11  .........]^S..
    9F E8 08 00 2B 10 48 60  02 00 00 00 0A 02 00 00  Y..+.H`........
    88 E2 08 00 4E 54 4C 4D  53 53 50 00 02 00 00 00  ^..NTLMSSP.....
    0E 00 0E 00 30 00 00 00  05 82 01 00 F5 0A 69 96  ....0....,...i-
    70 CD B7 66 00 00 00 00  00 00 00 00 00 00 00 00  pͷf............
    3E 00 00 00 43 00 4F 00  52 00 50 00 43 00 4F 00  >...C.O.R.P.C.O.
    4D 00                                             M.              
    Server -> Client
    05 00 10 03 10 00 00 00  BC 00 A0 00 01 00 00 00  ......... .....
    D0 16 D0 16 0A 02 00 00  88 E2 08 00 4E 54 4C 4D  ......^..NTLM
    53 53 50 00 03 00 00 00  18 00 18 00 70 00 00 00  SSP.........p...
    18 00 18 00 88 00 00 00  0E 00 0E 00 40 00 00 00  ....^.......@...
    0A 00 0A 00 4E 00 00 00  18 00 18 00 58 00 00 00  ....N.......X...
    00 00 00 00 A0 00 00 00  05 82 00 00 43 00 4F 00  .... ....,..C.O.
    52 00 50 00 43 00 4F 00  4D 00 4C 00 69 00 6E 00  R.P.C.O.M.L.i.n.
    64 00 61 00 4C 00 49 00  4E 00 44 00 41 00 4C 00  d.a.L.I.N.D.A.L.
    4F 00 55 00 54 00 44 00  42 00 4E 00 5F 46 EA BA  O.U.T.D.B.N._F
    74 D2 F2 71 3E 54 19 95  BF 80 61 4D 2E FD 3B 98  tq>T.*?aM.;~
    CC BC 0A 4C BD DD A5 B4  89 16 42 D4 6A C1 55 BC  ̼.Lݥ?.BjU
    54 0A A7 19 DA 5C E4 79  B5 05 F0 54 05 00 00 03  T..\y.T....
    10 00 00 00 A0 00 10 00  01 00 00 00 6C 00 00 00  .... .......l...
    00 00 00 00 35 00 00 00  00 00 00 00 35 00 00 00  ....5.......5...
    2F 6F 3D 43 6F 72 70 63  6F 6D 20 4F 75 74 64 6F  /o=Corpcom Outdo
    6F 72 2F 6F 75 3D 43 4F  52 50 43 4F 4D 2F 63 6E  or/ou=CORPCOM/cn
    3D 52 65 63 69 70 69 65  6E 74 73 2F 63 6E 3D 4C  =Recipients/cn=L
    69 6E 64 61 00 82 01 00  00 00 00 00 F5 DB 40 99  inda.,......@?
    00 00 00 00 E4 04 00 00  09 04 00 00 09 1C 00 00  ...............
    FF FF FF FF 01 00 05 00  03 0B 00 00 00 00 D3 01  ...........
    00 00 00 00 0A 02 04 00  88 E2 08 00 01 00 00 00  ........^......
    00 00 00 00 00 00 00 00  00 00 00 00              ............    
    Client -> Server
    05 00 02 03 10 00 00 00  D0 00 10 00 01 00 00 00  ...............
    98 00 00 00 00 00 00 00  00 00 00 00 CF 49 86 61  ~...........I?a
    36 B6 D5 11 AA 87 00 04  AC 4C 35 27 60 EA 00 00  6.?..L5'`..
    06 00 00 00 10 27 00 00  3B 01 0E 00 C8 D1 11 12  .....'..;.....
    30 00 00 00 00 00 00 00  30 00 00 00 2F 4F 3D 43  0.......0.../O=C
    4F 52 50 43 4F 4D 20 4F  55 54 44 4F 4F 52 2F 4F  ORPCOM OUTDOOR/O
    55 3D 43 4F 52 50 43 4F  4D 2F 43 4E 3D 52 45 43  U=CORPCOM/CN=REC
    49 50 49 45 4E 54 53 2F  43 4E 3D 00 38 40 16 12  IPIENTS/CN=.8@..
    0F 00 00 00 00 00 00 00  0F 00 00 00 4C 69 6E 64  ............Lind
    61 20 4C 65 76 65 6E 64  61 67 00 4D 05 00 5D 0A  a Levendag.M..].
    17 00 05 00 03 0B 00 00  24 82 3C 1C 00 00 00 00  ........$,<.....
    54 0A A7 19 DA 5C E4 79  0A 02 08 00 88 E2 08 00  T..\y....^..
    01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Server -> Client
    05 00 00 03 10 00 00 00  A0 00 10 00 02 00 00 00  ........ .......
    6E 00 00 00 00 00 02 00  00 00 00 00 CF 49 86 61  n...........I?a
    36 B6 D5 11 AA 87 00 04  AC 4C 35 27 00 02 00 00  6.?..L5'....
    00 00 00 00 49 00 00 00  E0 A5 5B A5 A5 A4 A9 A5  ....I...[
    A5 A5 A5 A5 A5 A5 90 A5  8A CA 98 E6 CA D7 D5 C6  ?S~
    CA C8 85 EA D0 D1 C1 CA  CA D7 8A CA D0 98 E6 EA  ?S~
    F7 F5 E6 EA E8 8A C6 CB  98 F7 C0 C6 CC D5 CC C0  S~
    CB D1 D6 8A C6 CB 98 E9  CC CB C1 C4 A5 5A 5A 5A  S~ĥZZZ
    5A 00 49 00 00 02 00 00  0A 02 02 00 88 E2 08 00  Z.I.........^..
    01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Client -> Server
    05 00 02 03 10 00 00 00  10 01 10 00 02 00 00 00  ................
    D4 00 00 00 00 00 00 00  00 00 00 00 CF 49 86 61  ...........I?a
    36 B6 D5 11 AA 87 00 04  AC 4C 35 27 00 02 00 00  6.?..L5'....
    00 00 00 00 AC 00 00 00  0D A5 5B A5 A5 A5 A5 A5  ........[
    A4 A4 A5 A5 A5 A5 A5 99  25 A4 A5 A5 A5 A5 A5 99  ?%?
    27 A4 A5 A5 A5 A5 A5 99  26 A4 A5 A5 A5 A5 A5 99  '?&?
    24 A4 A5 A5 A5 A5 A5 99  21 A4 A5 A5 A5 A5 A5 99  $?!?
    20 A4 A5 A5 A5 A5 A5 99  23 A4 A5 A5 A5 A5 A5 99   ?#?
    22 A4 A5 A5 A5 A5 A5 99  2F A4 A5 A5 A5 A5 A5 99  "?/?
    2E A4 A5 A5 A5 A5 A5 99  2D A4 A5 A5 A5 A5 A5 99  .?-?
    2C A4 A5 A5 A5 A5 A5 99  29 A2 83 CF D2 42 C2 EE  ,?)fB
    70 B4 0F CB A5 A1 09 E9  90 82 A4 A5 1C AA 6C BD  p.˥.?,.l
    C3 EE 70 B4 0F C8 A5 A1  09 E9 90 82 B7 B5 AF A4  p.ȥ.?,
    A4 AF 74 A2 A5 07 67 BB  AA F9 1A A4 A5 A5 A5 A4  t.g.
    61 AD A5 A5 AC 00 A5 A5  00 00 00 00 AD A5 A5 A5  a.....
    AC A5 A5 A5 A2 A5 A5 A5  0A 02 0C 00 88 E2 08 00  ....^..
    01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Server -> Client
    05 00 00 03 10 00 00 00  80 00 10 00 03 00 00 00  ........?.......
    44 00 00 00 00 00 02 00  00 00 00 00 CF 49 86 61  D...........I?a
    36 B6 D5 11 AA 87 00 04  AC 4C 35 27 00 16 00 00  6.?..L5'....
    00 00 00 00 1F 00 00 00  BE A5 A2 A5 A5 A5 A5 A5  ........
    A5 A1 A5 A7 A4 BC C3 A7  A4 BE C3 BB A5 B9 C3 A7  çûç
    A4 94 C3 61 AD A5 A5 5D  1F 00 00 16 C9 11 9F E8  ?a].....Y
    08 00 2B 10 48 60 02 00  0A 02 0C 00 88 E2 08 00  ..+.H`......^..
    01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Client -> Server
    05 00 02 03 10 00 00 00  20 01 10 00 03 00 00 00  ........ .......
    F0 00 00 00 00 00 00 00  00 00 00 00 CF 49 86 61  ...........I?a
    36 B6 D5 11 AA 87 00 04  AC 4C 35 27 00 16 00 00  6.?..L5'....
    00 00 00 00 CA 00 00 00  63 A5 A2 A5 A5 A5 A5 A5  .......c
    A4 A5 F4 A5 A5 A5 A5 A5  79 02 E5 6D 65 E7 B5 BF  y.me絿
    11 1C AD A5 8E 8A 44 27  A4 A5 A5 A5 A5 A5 A5 A5  ..?SD'
    8A EA 98 E6 EA F7 F5 E6  EA E8 85 EA F0 F1 E1 EA  S~?
    EA F7 8A EA F0 98 E6 EA  F7 F5 E6 EA E8 8A E6 EB  S~S
    98 F7 E0 E6 EC F5 EC E0  EB F1 F6 8A E6 EB 98 E9  ~S~
    EC EB E1 E4 A5 A5 F4 A5  A5 A5 A5 A5 79 02 E5 6D  䥥y.m
    65 E7 B5 BF 11 1C AD A5  8E 8A 44 27 A4 A5 A5 A5  e絿..?SD'
    A5 A5 A5 A5 8A EA 98 E6  EA F7 F5 E6 EA E8 85 EA  S~?
    F0 F1 E1 EA EA F7 8A EA  F0 98 E6 EA F7 F5 E6 EA  S~
    E8 8A E6 EB 98 F7 E0 E6  EC F5 EC E0 EB F1 F6 8A  S~S
    E6 EB 98 E9 EC EB E1 E4  A5 A5 E9 CC CB C1 C4 85  ~䥥?
    E9 C0 D3 C0 CB C1 C4 C2  A5 AF A0 A5 A2 25 61 AD  ¥ %a
    A5 A5 CA 00 00 00 00 00  0A 02 00 00 88 E2 08 00  .........^..
    01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    
    ..
    ..
    ..etc.
    ##############################################################################
    
    Any hints/ideas what this was?
    
    
    tx.
    E.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
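
As an added example (not part of the original post, and not code from the eTrust product), here is a Python decoder for the DCE/RPC exchange in the log above, with the first two PDUs copied byte for byte from the dump: it reads the common header, names the packet type, pulls the bound interface UUID and the bind_ack endpoint string, and reports the auth trailer and NTLMSSP message type. The only label it adds is that UUID a4f1db00-ca47-1067-b31f-00dd010662da is Exchange's EMSMDB (MAPI store) interface, which is a documented value rather than something taken from the post.

```python
import struct
import uuid
# Connection-oriented DCE/RPC PDU types (DCE 1.1 RPC spec, C706) and NTLMSSP message types
PDU_TYPES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
             13: "bind_nak", 14: "alter_context", 15: "alter_context_resp", 16: "auth3"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
KNOWN_UUIDS = {"a4f1db00-ca47-1067-b31f-00dd010662da": "EMSMDB (Exchange MAPI store)"}
# The first two PDUs of the posted log, copied byte for byte (a bind, then its bind_ack)
BIND = bytes.fromhex(
    "05000B0310000000 8300330001000000 D016D01600000000 0100000000000100"
    "00DBF1A447CA6710 B31F00DD010662DA 00005100045D888A EB1CC9119FE80800"
    "2B10486002000000 0A02000088E20800 4E544C4D53535000 0100000007B200A0"
    "070007002C000000 0C000C0020000000 4C494E44414C4F55 5444424E434F5250 434F4D")
BIND_ACK = bytes.fromhex(
    "05000C0310000000 82003E0001000000 D016D0161B3F0100 0500313036360061"
    "0100000000000000 045D888AEB1CC911 9FE808002B104860 020000000A020000"
    "88E208004E544C4D 5353500002000000 0E000E0030000000 05820100F50A6996"
    "70CDB76600000000 0000000000000000 3E00000043004F00 5200500043004F00 4D00")

def parse_pdu(pdu: bytes) -> dict:
    """Decode one PDU: header, bind interface, bind_ack endpoint, sec_trailer, NTLMSSP type."""
    major, minor, ptype, flags, drep0 = struct.unpack_from("<BBBBB", pdu, 0)
    endian = "<" if drep0 & 0x10 else ">"        # drep bit 4 selects integer byte order
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if not 16 <= frag_len <= len(pdu):
        raise ValueError(f"frag_length {frag_len} does not fit the {len(pdu)} bytes captured")
    pdu = pdu[:frag_len]                         # ignore anything logged after this PDU
    info = {"version": f"{major}.{minor}", "type": PDU_TYPES.get(ptype, f"type {ptype}"),
            "flags": flags, "frag_length": frag_len, "auth_length": auth_len, "call_id": call_id}
    if ptype == 11 and frag_len >= 52:           # bind: first abstract syntax UUID at offset 32
        iface = str(uuid.UUID(bytes_le=pdu[32:48]))
        info["interface"] = KNOWN_UUIDS.get(iface, iface)
    if ptype == 12:                              # bind_ack: secondary address = server endpoint
        addr_len = struct.unpack_from(endian + "H", pdu, 24)[0]
        info["endpoint"] = pdu[26:26 + addr_len].rstrip(b"\0").decode("ascii", "replace")
    if auth_len:                                 # 8-byte sec_trailer precedes the auth data
        trailer = frag_len - auth_len - 8
        info["auth_type"], info["auth_level"] = pdu[trailer], pdu[trailer + 1]  # 0x0A = NTLMSSP
    sig = pdu.find(b"NTLMSSP\0")
    if sig >= 0 and frag_len >= sig + 12:        # message type is the u32 after the signature
        info["ntlmssp"] = NTLM_TYPES.get(struct.unpack_from("<I", pdu, sig + 8)[0], "unknown")
    return info

def summarise(stream: bytes) -> list:
    """Split PDUs logged back to back (as in the post's third block) on frag_length."""
    out, off = [], 0
    while off + 16 <= len(stream):
        out.append(parse_pdu(stream[off:]))
        off += out[-1]["frag_length"]
    return out
```

The third block in the log is an auth3 PDU (frag_length 0xBC = 188) followed directly by a request PDU, which is why summarise() splits on frag_length instead of trusting the logger's block boundaries.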
    
    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 08:48:43 PDT