The .ida alert in this case is a misfiring alert. It triggered on the .idata in the payload of this packet.

This NOOP alert is more interesting (in fact the packet that caused the .ida misfire would have triggered a NOOP alert if it hadn't triggered the ida alert.) This NOOP could be something bad, or it could be someone doing an HTTP download of a binary from your webserver. Do you have any binaries for download? Keep in mind that a binary attachment to an email could trigger this if you are running a web-based email system.

-Steve

> -----Original Message-----
> From: Dan Terhesiu [mailto:danteat_private]
> Sent: Thursday, October 04, 2001 4:33 AM
> To: incidentsat_private
> Subject: SHELLCODE x86 NOOP
>
> Hello to all of you.
>
> I've seen this morning several (approx. 82, as reported by snort) alerts
> containing "SHELLCODE x86 NOOP". Almost all the connections begin with a
> "WEB-IIS ISAPI .ida access" alert. I've searched on Google about this x86
> SHELLCODE, but there is nothing about :80 port there. Because I'm new to
> this field, I'm asking for your help: is this something I should worry about?
>
> Thank you for any help.
>
> Here is an example from my alert log:
>
> [**] WEB-IIS ISAPI .ida access [**]
> 10/04-01:55:24.944782 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:53830 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x42156F Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
> 00 00 00 00 00 00 00 00 00 00 60 04 00 A0 00 00 ..........`.....
> 00 00 80 04 00 1C 1D 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 18 64 04 00 78 03 00 00 00 00 00 00 00 00 00 ..d..x..........
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00 ..text..........
> 00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 ..... ..`.rdata.
> 00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02 ..........0.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 .............@..
> 40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02 @.data....r.....
> 00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00 ..v.............
> 00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00 .....@....idata.
> 00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03 ......`.......<.
> 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 .............@..
> C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04 ..rsrc..........
> 00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00 ......R.........
> 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 .....@..@.......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 ........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:55:36.942082 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:44615 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x42E847 Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:55:37.521677 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0xCE
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:46919 IpLen:20 DgmLen:192 DF
> ***AP*** Seq: 0x42F0A7 Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:55:37.998818 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:50247 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x42F56F Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:55:40.016927 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:56391 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x42EA5F Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:55:47.561147 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:35933 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x438417 Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:55:55.535563 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:9856 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x43F56F Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:55:58.581281 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:16512 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x442A5F Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:56:01.991104 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:59781 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x445DCF Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:56:02.762176 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:61573 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x446C77 Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] SHELLCODE x86 NOOP [**]
> 10/04-01:56:03.631988 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
> 212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:63877 IpLen:20 DgmLen:576 DF
> ***A**** Seq: 0x447DCF Ack: 0xFCEEB102 Win: 0x860 TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
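
The triage the reply describes, as an added example that is not part of the original messages: a Python sketch that checks whether a `.ida` content match sits in a request URI or inside a PE section name such as `.idata`, and whether runs of 0x90 look like fill between functions of a compiled binary. The signature patterns, the thresholds, the helper names and all sample bytes are constructed assumptions, not Snort's rule definitions or data from the alert log.

```python
import re
import struct

# Assumed stand-ins for the two signatures, modelled on the reply's description;
# they are not Snort's actual rule definitions.
IDA_SIG = re.compile(rb"\.ida", re.IGNORECASE)   # bare content match anywhere
NOP_RUN = re.compile(rb"\x90{8,}")               # run threshold of 8 is assumed
REQUEST_LINE = re.compile(rb"^(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d\r\n")
SECTION_NAME = re.compile(rb"\.(?:text|rdata|data|idata|rsrc|reloc)\x00")
MAX_PADDING = 15   # assumes functions aligned to 16 bytes, so fill is <= 15 bytes


def ida_in_request_uri(payload: bytes) -> bool:
    """True only if the payload opens an HTTP request whose path ends in .ida."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False
    path = m.group(1).split(b"?", 1)[0]
    return path.lower().endswith(b".ida")


def pe_section_names(payload: bytes) -> list:
    """Common PE section names that appear as NUL-terminated strings."""
    return [m.group(0)[:-1].decode("ascii") for m in SECTION_NAME.finditer(payload)]


def nop_runs(payload: bytes) -> list:
    """(offset, length, follows_return) for each run of 8 or more 0x90 bytes."""
    runs = []
    for m in NOP_RUN.finditer(payload):
        start = m.start()
        follows_ret = (start >= 1 and payload[start - 1] == 0xC3) or (   # ret
            start >= 3 and payload[start - 3] == 0xC2)                   # ret imm16
        runs.append((start, m.end() - start, follows_ret))
    return runs


def triage(payload: bytes) -> dict:
    """Say which alerts a payload would raise and what most likely explains them."""
    ida_hit = bool(IDA_SIG.search(payload))
    if not ida_hit:
        ida_verdict = "none"
    elif ida_in_request_uri(payload):
        ida_verdict = "request-uri"        # a real request for an .ida resource
    elif ".idata" in pe_section_names(payload):
        ida_verdict = "pe-section-name"    # the misfire described in the reply
    else:
        ida_verdict = "body-match"         # matched data, not a URI: check by hand
    runs = nop_runs(payload)
    if not runs:
        noop_verdict = "none"
    elif all(length <= MAX_PADDING and ret for _, length, ret in runs):
        noop_verdict = "alignment-padding"  # short fill after each return
    else:
        noop_verdict = "review"
    return {"ida_alert": ida_hit, "ida_verdict": ida_verdict,
            "noop_alert": bool(runs), "noop_verdict": noop_verdict}


def section_header(name: bytes, vsize: int, vaddr: int, rawsize: int,
                   rawptr: int, flags: int) -> bytes:
    """Pack one 40-byte PE section header (IMAGE_SECTION_HEADER layout)."""
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr,
                       0, 0, 0, 0, flags)


# Constructed samples; none of these bytes are taken from the quoted alert log.
SAMPLE_SECTION_TABLE = (
    section_header(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020)
    + section_header(b".idata", 0x200, 0x3000, 0x200, 0x1400, 0xC0000040))
SAMPLE_CODE = (b"\x8b\x44\x24\x04\xc3" + b"\x90" * 11           # mov; ret; fill
               + b"\x8b\x44\x24\x08\xc2\x10\x00" + b"\x90" * 9  # mov; ret 0x10; fill
               + b"\x55\x8b\xec")                               # push ebp; mov ebp, esp
SAMPLE_REQUEST = b"GET /search.ida?q=test HTTP/1.0\r\n\r\n"
SAMPLE_LONG_RUN = b"A" * 32 + b"\x90" * 200

if __name__ == "__main__":
    for label, data in [("section table", SAMPLE_SECTION_TABLE), ("code", SAMPLE_CODE),
                        ("request", SAMPLE_REQUEST), ("long run", SAMPLE_LONG_RUN)]:
        print(label, triage(data))
```

A verdict of "review" or "body-match" means the heuristics could not explain the match, so the full session should be reassembled and inspected before the alert is dismissed.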
This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 08:57:53 PDT