Re: SHELLCODE x86 NOOP

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Thu Oct 04 2001 - 14:28:36 PDT

Next message: hvdkooijat_private: "Re: Code Red gone to sleep?"

Previous message: aleph1at_private: "RE: WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro"
In reply to: Dan Terhesiu: "SHELLCODE x86 NOOP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dan Terhesiu <danteat_private> wrote:

> 	Hello to all of you.
> 
> 	I've seen this morning several (aprox. 82, as reported by
> snort) alerts containig "SHELLCODE x86 NOOP". Almost all the connections
> begin with a "WEB-IIS ISAPI .ida access" alert. I've searched on google

As has already been explained, the "WEB-IIS ISAPI .ida access" alert 
is (most likely) a false alarm.

> about this x86 SHELLCODE, but there is nothing about :80 port
> there. Because I'm new to this field, I'm asking for your help: is this
> something I should worry about? 
<<snip>>

Probably not, or perhaps probably, depending on what is normally on 
this box and what is normally uploaded to/downloaded from it.  This:

> 00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00  ..text..........
> 00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00  ..... ..`.rdata.
> 00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02  ..........0.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
> 40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02  @.data....r.....
> 00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00  ..v.............
> 00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00  .....@....idata.
> 00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03  ......`.......<.
> 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
> C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04  ..rsrc..........
> 00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00  ......R.........

almost certainly indicates transfer of a PE binary.  Are your users
normally allowed to transfer  Windows program files around via HTTP?? 
If so, the above is nothing to worry about (the *practice* may be, 
but the snort alarm, given "normal practice" at your site, is not).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: hvdkooijat_private: "Re: Code Red gone to sleep?"
Previous message: aleph1at_private: "RE: WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro"
In reply to: Dan Terhesiu: "SHELLCODE x86 NOOP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 14:31:00 PDT