Odd string in packet...

From: Grimes, Shawn (NIA/IRP) (GrimesShat_private)
Date: Fri Jan 25 2002 - 05:51:54 PST
Next message: Frank de Lange: "Re: Odd string in packet..."
Previous message: Andrew Simmons: "Re: Panz root kit"
Next in thread: Frank de Lange: "Re: Odd string in packet..."
Reply: Frank de Lange: "Re: Odd string in packet..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This may be normal but who knows.  I picked up the following alert today:
Jan 25 07:39:45 sensor1 snort: [1:873:2] WEB-CGI scriptalias access
[Classification: Attempted Information Leak] [Priority: 3]: {TCP}
xx.aol.com:3167 -> zzz.ournet.net:80

In fact, I've received 20 of these alerts in the last 24 hours, no big deal,
the alert triggers on a packet containing the string: "///".  So the box on
our side that receiving these packets is an apache web server running on Red
Hat, and this box runs a utility called "http filter" which takes an
incoming packet sees which of our web servers it wants to talk to and
presents the information to visitor.  So we have a few IIS servers
(including an Outlook Webmail Server) that this apache box servers as a
middle man for. I wouldn't think anything of these alerts except that I
happened to click on one an included in the packet (the same alert above)
was the following:
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78   }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72   wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D   rrqqqpppooonnnmm
250 : 6D 6C 6C 6C 6B 6B 6B 6A 6A 6A 69 69 69 68 68 68   mlllkkkjjjiiihhh
260 : 67 67 67 66 66 66 65 65 65 64 64 64 63 63 63 62   gggfffeeedddcccb
270 : 62 62 61 61 61 60 60 60 5F 5F 5F 5E 5E 5E 5D 5D   bbaaa```___^^^]]
280 : 5D 5C 5C 5C 5B 5B 5B 5A 5A 5A 59 59 59 58 58 58   ]\\\[[[ZZZYYYXXX
290 : 57 57 57 56 56 56 55 55 55 54 54 54 53 53 53 52   WWWVVVUUUTTTSSSR
2a0 : 52 52 51 51 51 50 50 50 4F 4F 4F 4E 4E 4E 4D 4D   RRQQQPPPOOONNNMM
2b0 : 4D 4C 4C 4C 4B 4B 4B 4A 4A 4A 49 49 49 48 48 48   MLLLKKKJJJIIIHHH
2c0 : 47 47 47 46 46 46 45 45 45 44 44 44 43 43 43 42   GGGFFFEEEDDDCCCB
2d0 : 42 42 41 41 41 40 40 40 3F 3F 3F 3E 3E 3E 3D 3D   BBAAA@@@???>>>==
2e0 : 3D 3C 3C 3C 3B 3B 3B 3A 3A 3A 39 39 39 38 38 38   =<<<;;;:::999888
2f0 : 37 37 37 36 36 36 35 35 35 34 34 34 33 33 33 32   7776665554443332
300 : 32 32 31 31 31 30 30 30 2F 2F 2F 2E 2E 2E 2D 2D   22111000///...--
310 : 2D 2C 2C 2C 2B 2B 2B 2A 2A 2A 29 29 29 28 28 28   -,,,+++***)))(((
320 : 27 27 27 26 26 26 25 25 25 24 24 24 23 23 23 22   '''&&&%%%$$$###"
330 : 22 22 21 21 21 20 20 20 1F 1F 1F 1E 1E 1E 1D 1D   ""!!!   ........

Could this be a normal http/webmail packet?  But it almost seems to me that
someone reversed the alphabet to maybe bypass some intrusion detection
systems that would pick up on it in the packet?  Any ideas?  Below is the
full packet contents.


Thanks,
--=Shawn


length = 1360

000 : BD DC 9E 20 56 B7 AC AD AF D5 0E B5 37 B9 7C C5   ... V.......7.|.
010 : 05 5C 2F E0 D6 8F A8 4A 4A 03 AC 7A D9 5F EE 8F   .\/....JJ..z._..
020 : EA FC F9 1B E0 F6 FE AC DB E6 79 05 4E BD 3F 9F   ..........y.N.?.
030 : FF 07 78 10 BF 10 12 F4 0C CD 00 00 00 00 49 45   ..x...........IE
040 : 4E 44 AE 42 60 82 00 6E 1E F0 C0 00 04 00 F9 51   ND.B`..n.......Q
050 : BF 1D 6E E1 7E 93 78 B0 84 E1 D7 EE 8B 3E FF 89   ..n.~.x......>..
060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00   PNG........IHDR.
070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66   ..A.........[8.f
080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94   ....gAMA........
090 : 00 00 03 00 50 4C 54 45 FF FF FF FE FE FE FD FD   ....PLTE........
0a0 : FD FC FC FC FB FB FB FA FA FA F9 F9 F9 F8 F8 F8   ................
0b0 : F7 F7 F7 F6 F6 F6 F5 F5 F5 F4 F4 F4 F3 F3 F3 F2   ................
0c0 : F2 F2 F1 F1 F1 F0 F0 F0 EF EF EF EE EE EE ED ED   ................
0d0 : ED EC EC EC EB EB EB EA EA EA E9 E9 E9 E8 E8 E8   ................
0e0 : E7 E7 E7 E6 E6 E6 E5 E5 E5 E4 E4 E4 E3 E3 E3 E2   ................
0f0 : E2 E2 E1 E1 E1 E0 E0 E0 DF DF DF DE DE DE DD DD   ................
100 : DD DC DC DC DB DB DB DA DA DA D9 D9 D9 D8 D8 D8   ................
110 : D7 D7 D7 D6 D6 D6 D5 D5 D5 D4 D4 D4 D3 D3 D3 D2   ................
120 : D2 D2 D1 D1 D1 D0 D0 D0 CF CF CF CE CE CE CD CD   ................
130 : CD CC CC CC CB CB CB CA CA CA C9 C9 C9 C8 C8 C8   ................
140 : C7 C7 C7 C6 C6 C6 C5 C5 C5 C4 C4 C4 C3 C3 C3 C2   ................
150 : C2 C2 C1 C1 C1 C0 C0 C0 BF BF BF BE BE BE BD BD   ................
160 : BD BC BC BC BB BB BB BA BA BA B9 B9 B9 B8 B8 B8   ................
170 : B7 B7 B7 B6 B6 B6 B5 B5 B5 B4 B4 B4 B3 B3 B3 B2   ................
180 : B2 B2 B1 B1 B1 B0 B0 B0 AF AF AF AE AE AE AD AD   ................
190 : AD AC AC AC AB AB AB AA AA AA A9 A9 A9 A8 A8 A8   ................
1a0 : A7 A7 A7 A6 A6 A6 A5 A5 A5 A4 A4 A4 A3 A3 A3 A2   ................
1b0 : A2 A2 A1 A1 A1 A0 A0 A0 9F 9F 9F 9E 9E 9E 9D 9D   ................
1c0 : 9D 9C 9C 9C 9B 9B 9B 9A 9A 9A 99 99 99 98 98 98   ................
1d0 : 97 97 97 96 96 96 95 95 95 94 94 94 93 93 93 92   ................
1e0 : 92 92 91 91 91 90 90 90 8F 8F 8F 8E 8E 8E 8D 8D   ................
1f0 : 8D 8C 8C 8C 8B 8B 8B 8A 8A 8A 89 89 89 88 88 88   ................
200 : 87 87 87 86 86 86 85 85 85 84 84 84 83 83 83 82   ................
210 : 82 82 81 81 81 80 80 80 7F 7F 7F 7E 7E 7E 7D 7D   ........~~~}}
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78   }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72   wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D   rrqqqpppooonnnmm
250 : 6D 6C 6C 6C 6B 6B 6B 6A 6A 6A 69 69 69 68 68 68   mlllkkkjjjiiihhh
260 : 67 67 67 66 66 66 65 65 65 64 64 64 63 63 63 62   gggfffeeedddcccb
270 : 62 62 61 61 61 60 60 60 5F 5F 5F 5E 5E 5E 5D 5D   bbaaa```___^^^]]
280 : 5D 5C 5C 5C 5B 5B 5B 5A 5A 5A 59 59 59 58 58 58   ]\\\[[[ZZZYYYXXX
290 : 57 57 57 56 56 56 55 55 55 54 54 54 53 53 53 52   WWWVVVUUUTTTSSSR
2a0 : 52 52 51 51 51 50 50 50 4F 4F 4F 4E 4E 4E 4D 4D   RRQQQPPPOOONNNMM
2b0 : 4D 4C 4C 4C 4B 4B 4B 4A 4A 4A 49 49 49 48 48 48   MLLLKKKJJJIIIHHH
2c0 : 47 47 47 46 46 46 45 45 45 44 44 44 43 43 43 42   GGGFFFEEEDDDCCCB
2d0 : 42 42 41 41 41 40 40 40 3F 3F 3F 3E 3E 3E 3D 3D   BBAAA@@@???>>>==
2e0 : 3D 3C 3C 3C 3B 3B 3B 3A 3A 3A 39 39 39 38 38 38   =<<<;;;:::999888
2f0 : 37 37 37 36 36 36 35 35 35 34 34 34 33 33 33 32   7776665554443332
300 : 32 32 31 31 31 30 30 30 2F 2F 2F 2E 2E 2E 2D 2D   22111000///...--
310 : 2D 2C 2C 2C 2B 2B 2B 2A 2A 2A 29 29 29 28 28 28   -,,,+++***)))(((
320 : 27 27 27 26 26 26 25 25 25 24 24 24 23 23 23 22   '''&&&%%%$$$###"
330 : 22 22 21 21 21 20 20 20 1F 1F 1F 1E 1E 1E 1D 1D   ""!!!   ........
340 : 1D 1C 1C 1C 1B 1B 1B 1A 1A 1A 19 19 19 18 18 18   ................
350 : 17 17 17 16 16 16 15 15 15 14 14 14 13 13 13 12   ................
360 : 12 12 11 11 11 10 10 10 0F 0F 0F 0E 0E 0E 0D 0D   ................
370 : 0D 0C 0C 0C 0B 0B 0B 0A 0A 0A 09 09 09 08 08 08   ................
380 : 07 07 07 06 06 06 05 05 05 04 04 04 03 03 03 02   ................
390 : 02 02 01 01 01 00 00 00 EE AE E1 94 00 00 00 09   ................
3a0 : 70 48 59 73 FF FF FF FF FF FF FF FF 01 CA 4E F5   pHYs..........N.
3b0 : 17 00 00 20 00 49 44 41 54 78 9C 84 BD FB AF 6D   ... .IDATx.....m
3c0 : F7 75 DD C7 3F A3 B0 10 41 14 64 A8 50 0B 07 29   .u..?...A.d.P..)
3d0 : 9C A0 09 82 3A 50 03 18 49 D1 02 76 80 3A 68 0A   ....:P..I..v.:h.
3e0 : A7 41 0C 44 86 9B C0 AE 03 B7 46 22 19 B2 A4 80   .A.D......F"....
3f0 : 96 45 81 34 4D 81 12 79 79 79 EE B9 1B E7 EC BD   .E.4M..yyy......
400 : DE EF F7 5A FB F5 87 75 7C C6 77 1D CA 3F 24 ED   ...Z...u|.w..?$.
410 : 21 EF 79 EC BD F6 7A 7E BF E3 3B E6 9C 63 CE F9   !.y...z~..;..c..
420 : 4E 96 1C 5F 7D FE F9 AB CF 0E 59 56 F5 63 3F 0C   N.._}.....YV.c?.
430 : 7D DD F7 ED 30 74 79 9A 7C F2 EF 7E F3 1F 7D FB   }...0ty.|..~..}.
440 : 1F FC C6 3F FE AD DF FC 3F FE E0 F7 FE B7 7F F1   ...?....?......
450 : BF FF C9 F7 FE E2 AF 0F 0F 51 5E 34 6D EF AF 69   .........Q^4m..i
460 : 18 B2 22 AB EA EC 83 7F FE CD AF 7D E3 DD 6F FC   ..".......}..o.
470 : CA 37 7F FB BB 1F 3E E4 59 9E E7 45 D7 37 63 DF   .7...>.Y..E.7c.
480 : D6 63 57 D7 6D 5B 6B BF DA BA 1F C6 FE CB AF 61   .cW.m[k........a
490 : EC A6 8E 9F FA DF 5F CD C0 09 F0 47 DB EA C5 BE   ......_....G....
4a0 : 1B BC D9 30 B5 63 A3 B3 AA C6 71 D1 79 0D FD D4   ...0.c....q.y...
4b0 : D7 2D A7 D8 F6 C3 C4 FB FD D0 D6 45 CD 6E 9A 61   .-.........E.n.a
4c0 : 28 DB B6 2F BB 56 BB A8 FD D6 30 D6 63 1D AE AA   (../.V....0.c...
4d0 : F7 FE BA 3E 1C 83 EF FA B5 E2 95 BA D2 1E 79 4D   ...>..........yM
4e0 : 27 D0 8F 5D F8 60 33 84 0F B0 61 5D E7 75 55 76   '..].`3...a].uUv
4f0 : 65 5E 16 45 9E 16 45 55 94 69 96 46 BA F8 A2 28   e^.E..EU.i.F...(
500 : CA BA C8 B3 B2 68 EA B2 ED 9A A6 CB B2 A6 CE 86   .....h..........
510 : AE D3 6F 79 D6 EB FD A6 D1 07 F2 2A 2F F4 41 3E   ..oy.......*/.A>
520 : DA E4 79 53 94 85 6E 4B D3 76 BA 45 99 AE 54 67   ..yS..nK.v.E..Tg
530 : DE D5 5D 53 56 AD CE 5F FF 86 B2 29 AA AC E8 6A   ..]SV.._...)...j
540 : 0E D9 D4 FA A3 A8 DA A2 6D 8B BA 2C AB 22 AF AA   ........m..,."..

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Next message: Frank de Lange: "Re: Odd string in packet..."
Previous message: Andrew Simmons: "Re: Panz root kit"
Next in thread: Frank de Lange: "Re: Odd string in packet..."
Reply: Frank de Lange: "Re: Odd string in packet..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 08:44:05 PST