Dan Terhesiu <danteat_private> wrote:

> Hello to all of you.
>
> I've seen this morning several (approx. 82, as reported by
> snort) alerts containing "SHELLCODE x86 NOOP". Almost all the connections
> begin with a "WEB-IIS ISAPI .ida access" alert. I've searched on google

As has already been explained, the "WEB-IIS ISAPI .ida access" alert is
(most likely) a false alarm.

> about this x86 SHELLCODE, but there is nothing about :80 port
> there. Because I'm new to this field, I'm asking for your help: is this
> something I should worry about?

<<snip>>

Probably not, or perhaps probably, depending on what is normally on this
box and what is normally uploaded to/downloaded from it. This:

> 00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00  ..text..........
> 00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00  ..... ..`.rdata.
> 00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02  ..........0.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
> 40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02  @.data....r.....
> 00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00  ..v.............
> 00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00  .....@....idata.
> 00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03  ......`.......<.
> 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
> C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04  ..rsrc..........
> 00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00  ......R.........

almost certainly indicates transfer of a PE binary. Are your users
normally allowed to transfer Windows program files around via HTTP?? If
so, the above is nothing to worry about (the *practice* may be, but the
snort alarm, given "normal practice" at your site, is not).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 14:31:00 PDT
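The reply above identifies the quoted bytes as a PE section table by eye. The following script, an added example and not code from Nick FitzGerald or the list, does the same check mechanically so an analyst triaging a snort alert can confirm (or rule out) the "it's just a Windows binary in transit" explanation. It converts the quoted hex dump to bytes, locates consecutive 40-byte IMAGE_SECTION_HEADER records (field layout per the Microsoft PE/COFF specification), decodes their characteristics flags, and checks that raw-file offsets are contiguous and virtual addresses increase, which is what a linker produces and what a random byte run or a NOP sled would not satisfy. The sample dump is transcribed from the message; restricting candidate section names to '.'-prefixed printable ASCII is this example's own conservative heuristic (names such as "UPX0" or "CODE" also occur in real binaries and would be missed).

```python
"""Check whether a hex dump carries a PE section table (added example)."""
import re
import struct

# Constructed sample: the dump quoted in the message above (offsets/ASCII
# columns as in the mail; the parser ignores everything after the hex bytes).
SAMPLE_DUMP = """\
00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00  ..text..........
00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00  ..... ..`.rdata.
00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02  ..........0.....
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02  @.data....r.....
00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00  ..v.............
00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00  .....@....idata.
00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03  ......`.......<.
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04  ..rsrc..........
00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00  ......R.........
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
# IMAGE_SECTION_HEADER: 8-byte name, six DWORDs, two WORDs, one DWORD = 40 bytes.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
          "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
          "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics")
FLAGS = {0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
         0x00000080: "UNINITIALIZED_DATA", 0x20000000: "EXECUTE",
         0x40000000: "READ", 0x80000000: "WRITE"}


def hexdump_to_bytes(text: str) -> bytes:
    """Collect the leading two-digit hex tokens of each line; stop at the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.lstrip("> ").split():   # tolerate mail quoting
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def _valid_name(raw: bytes) -> bool:
    """Heuristic (this example's own): '.'-prefixed printable ASCII, NUL-padded to 8."""
    name = raw.split(b"\0", 1)[0]
    if len(name) < 2 or not name.startswith(b".") or any(c < 0x21 or c > 0x7E for c in name):
        return False
    return raw[len(name):] == b"\0" * (8 - len(name))


def parse_section_table(data: bytes):
    """Return (offset, headers) for the longest run of consecutive section headers."""
    best = (None, [])
    for start in range(len(data) - SECTION_HEADER.size + 1):
        if data[start] != 0x2E:                  # cheap pre-filter on '.'
            continue
        headers, pos = [], start
        while pos + SECTION_HEADER.size <= len(data) and _valid_name(data[pos:pos + 8]):
            hdr = dict(zip(FIELDS, SECTION_HEADER.unpack_from(data, pos)))
            hdr["Name"] = hdr["Name"].rstrip(b"\0").decode("ascii")
            headers.append(hdr)
            pos += SECTION_HEADER.size
        if len(headers) > len(best[1]):
            best = (start, headers)
    return best


def layout_is_consistent(headers) -> bool:
    """Linker-style layout: raw data contiguous, virtual addresses strictly ascending."""
    if len(headers) < 2:
        return False
    for prev, cur in zip(headers, headers[1:]):
        if prev["PointerToRawData"] + prev["SizeOfRawData"] != cur["PointerToRawData"]:
            return False
        if cur["VirtualAddress"] < prev["VirtualAddress"] + prev["VirtualSize"]:
            return False
    return True


def flag_names(characteristics: int) -> list:
    return [name for bit, name in sorted(FLAGS.items()) if characteristics & bit]


def triage(dump_text: str) -> dict:
    """Summarise what the dump looks like; 'verdict' is what the analyst reads first."""
    data = hexdump_to_bytes(dump_text)
    offset, headers = parse_section_table(data)
    ok = layout_is_consistent(headers)
    return {"bytes": len(data), "table_offset": offset,
            "sections": [h["Name"] for h in headers], "consistent": ok,
            "verdict": "PE section table" if ok else "inconclusive"}


if __name__ == "__main__":
    data = hexdump_to_bytes(SAMPLE_DUMP)
    offset, headers = parse_section_table(data)
    print(f"{len(data)} bytes, section table at offset {offset}:")
    for h in headers:
        print(f"  {h['Name']:<8} VA=0x{h['VirtualAddress']:06X} raw=0x{h['PointerToRawData']:06X}"
              f" size=0x{h['SizeOfRawData']:06X} {'|'.join(flag_names(h['Characteristics']))}")
    print("verdict:", triage(SAMPLE_DUMP)["verdict"])
```

On the quoted dump this reports four complete headers (.text, .rdata, .data, .idata, with a truncated .rsrc entry at the end), a code section flagged CODE|EXECUTE|READ and data sections flagged READ or READ|WRITE, and contiguous raw offsets (0x400 + 0x29200 = 0x29600, and so on), which is the evidence behind the "almost certainly a PE binary" conclusion. Feeding it a run of 0x90 bytes, the kind of payload the NOOP rule is written for, yields no section table at all.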