RE: Trojan?

From: Kirt Cathey (kirtat_private)
Date: Sat Aug 23 2003 - 17:26:34 PDT


    Despite what the Blackice logs might say..... this looks like the firewall
    is receiving an HTTP GET from
    the client. The attacker is attempting a very rogue outdated buffer overflow
    attack on your web server.
    
    Of course, this all has "I THINK" conditioned around what I say.
    
    /***************************************
    Kirt S. Cathey, CIA, CISA, CISSP, MCSE
    PricewaterhouseCoopers - Tokyo, Japan
    Intrusion Detection, Forensics, and Audit
    080-3388-6798
    www.systemsrisk.com
    PGP: http://www.systemsrisk.com/pgp.txt
    ***************************************/
    
    -----Original Message-----
    From: Vinny Bedus [mailto:vbedusat_private]
    Sent: Friday, August 22, 2003 3:46 AM
    To: incidentsat_private
    Subject: Trojan?
    
    
    All,
    
    I have noticed the following in my black ice logs:
    
    HTTP_URL_Name_Very_Long, serverip, servername, 210.108.137.153, ,
    URL=/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
    1, B, 80, 36286, 0x188006
    
    This says that the server itself is sending a web request out to a
    client machine at 210.108.137.153.
    
    I ran tcpView and it does not show any outgoing activity, but I am not
    sure that utility will show that activity.  We run Norton Corp AV, and
    it does not pick up anything in a full scan.  We checked the box for the
    usual suspects, and nothing was found.  Anyone have any ideas?  Could
    black ice possibly have it backwards?
    
    Thanks in advance.
    
    
    Vinny Bedus
    Bit Changers
    http://www.BitChangers.com
    
    
    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event.  Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor.  Early-bird registration ends September
    6. Visit us: www.blackhat.com
    ----------------------------------------------------------------------------
    
    
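The direction question in this thread, as an added example that is not code from either poster: a small Python checker that parses the quoted BlackICE event, uses the port pair (well-known 80 against ephemeral 36286) to infer that the request is inbound to the web server rather than outbound from it, and flags the long single-byte URL as an overflow probe. The field positions, the thresholds and the sample line are assumptions drawn from the one event shown above.

```python
from dataclasses import dataclass

# Constructed sample: the BlackICE event quoted in the post, with the wrapped URL
# joined back onto one line (the exact number of "A"s is approximate).
SAMPLE_EVENT = ("HTTP_URL_Name_Very_Long, serverip, servername, 210.108.137.153, , "
                "URL=/" + "A" * 248 + ", 1, B, 80, 36286, 0x188006")

LONG_URL_THRESHOLD = 128   # assumption: paths longer than this deserve a look
EPHEMERAL_START = 1024     # assumption: ports >= 1024 are client-side ephemeral ports

@dataclass
class Verdict:
    event: str
    remote_ip: str
    url_len: int
    repeated_byte: bool    # URL is one character repeated, the classic overflow filler
    service_port: int
    client_port: int
    inbound: bool          # True when traffic is aimed at the service port on the server

def parse_event(line: str) -> dict:
    """Split one BlackICE event line. Assumed layout: five fields precede "URL="
    and five follow it; the URL may contain commas, so the tail is split from the right."""
    head, sep, rest = line.partition("URL=")
    if not sep:
        raise ValueError("no URL field in event line")
    url, *tail = rest.rsplit(", ", 5)
    fields = [f.strip() for f in head.split(",")]
    if len(fields) < 5 or len(tail) != 5:
        raise ValueError("unexpected field layout")
    return {"event": fields[0], "server_ip": fields[1], "server_name": fields[2],
            "remote_ip": fields[3], "url": url,
            "port_a": int(tail[2]), "port_b": int(tail[3]), "flags": tail[4]}

def assess(line: str) -> Verdict:
    """Decide who is talking to whom: the well-known port is the service being
    contacted, the high port is the ephemeral end, so traffic flows toward the service."""
    ev = parse_event(line)
    a, b = ev["port_a"], ev["port_b"]
    service_port, client_port = (a, b) if a < b else (b, a)
    url = ev["url"]
    return Verdict(event=ev["event"], remote_ip=ev["remote_ip"], url_len=len(url),
                   repeated_byte=len(set(url.lstrip("/"))) == 1 and len(url) > 8,
                   service_port=service_port, client_port=client_port,
                   inbound=service_port < EPHEMERAL_START <= client_port)

def is_overflow_probe(v: Verdict) -> bool:
    """Inbound request with an oversized or filler-only URL: treat as a probe, not egress."""
    return v.inbound and (v.url_len > LONG_URL_THRESHOLD or v.repeated_byte)

if __name__ == "__main__":
    v = assess(SAMPLE_EVENT)
    print(f"{v.remote_ip} -> local port {v.service_port}, url_len={v.url_len}, "
          f"inbound={v.inbound}, overflow_probe={is_overflow_probe(v)}")
```

For the quoted event this reports the remote host contacting local port 80 with a 249-byte filler URL, which matches the reply's reading that the server is the target, not the originator.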



    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:08:30 PDT