Re: SHELLCODE x86 NOOP

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Thu Oct 04 2001 - 14:28:36 PDT


    Dan Terhesiu <danteat_private> wrote:
    
    > 	Hello to all of you.
    > 
    > 	I've seen this morning several (approx. 82, as reported by
    > snort) alerts containing "SHELLCODE x86 NOOP". Almost all the connections
    > begin with a "WEB-IIS ISAPI .ida access" alert. I've searched on google
    
    As has already been explained, the "WEB-IIS ISAPI .ida access" alert 
    is (most likely) a false alarm.
    
    > about this x86 SHELLCODE, but there is nothing about :80 port
    > there. Because I'm new to this field, I'm asking for your help: is this
    > something I should worry about? 
    <<snip>>
    
    Probably not, or perhaps probably, depending on what is normally on 
    this box and what is normally uploaded to/downloaded from it.  This:
    
    > 00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00  ..text..........
    > 00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00  ................
    > 00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00  ..... ..`.rdata.
    > 00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02  ..........0.....
    > 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
    > 40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02  @.data....r.....
    > 00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00  ..v.............
    > 00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00  .....@....idata.
    > 00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03  ......`.......<.
    > 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
    > C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04  ..rsrc..........
    > 00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00  ......R.........
    
    almost certainly indicates transfer of a PE binary.  Are your users
    normally allowed to transfer Windows program files around via HTTP?? 
    If so, the above is nothing to worry about (the *practice* may be, 
    but the snort alarm, given "normal practice" at your site, is not).
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
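Added example, not part of the original message: a small triage helper that decodes the quoted dump as consecutive IMAGE_SECTION_HEADER records and checks that each section's raw data begins exactly where the previous one ends, which is what distinguishes a genuine PE section table from a NOP sled or other opaque payload. The dump bytes are retyped from the message as constructed sample input; the decoded values (0x400 + 0x29200 = 0x29600 for .text into .rdata, and so on) chain cleanly, which is why the reply reads them as a PE binary in transit.

```python
import re
import struct

# Constructed sample input: the 192 bytes quoted in the message above, retyped.
DUMP = bytes.fromhex("""
00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00
00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00
00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00
00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00
40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02
00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00
00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00
00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00
C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04
00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00
""")

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
FLAGS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x20000000: "EXECUTE",
         0x40000000: "READ", 0x80000000: "WRITE"}

def parse_section_table(data):
    """From the first '.name\\0' onward, decode every complete 40-byte header."""
    m = re.search(rb"\.[A-Za-z]{1,7}\x00", data)
    sections, off = [], (m.start() if m else len(data))
    while off + SECTION_HDR.size <= len(data):
        name, vsize, vaddr, rawsize, rawptr, *_, chars = SECTION_HDR.unpack_from(data, off)
        if not name.startswith(b"."):
            break  # ran past the section table
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize,
                         "flags": [n for bit, n in FLAGS.items() if chars & bit]})
        off += SECTION_HDR.size
    return sections

def looks_like_pe_section_table(data):
    """True when >= 2 headers decode and each section's raw data starts where the previous ends."""
    s = parse_section_table(data)
    return len(s) >= 2 and all(s[i]["rawptr"] == s[i - 1]["rawptr"] + s[i - 1]["rawsize"]
                               for i in range(1, len(s)))

if __name__ == "__main__":
    for sec in parse_section_table(DUMP):
        print(sec["name"], hex(sec["vaddr"]), hex(sec["rawptr"]), hex(sec["rawsize"]), sec["flags"])
    print("PE section table:", looks_like_pe_section_table(DUMP))
```

The trailing .rsrc header is cut off in the dump (only 31 of its 40 bytes are present), so four complete sections decode; a run of 0x90 bytes yields no sections and the check returns False.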
    
    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 14:31:00 PDT