Hello all; by way of introduction, I'm at home on a dialup (don't laugh: it
gets better..) into AT&T's 12.82.x.x Class A via their Seattle WA POP.

I've got a 2.2.14 Linux-based ipchains firewall; snort 1.8.7 logging into
ACID on another box; PortSentry; and I'm still back using LogCheck, not
LogSentry from Psionic; LogCheck emails alerts from syslog regarding
ipchains, snort, p0f, and ACK_hole to several boxes..

I've just written a little proggie I call ACK_hole01.c; it essentially acts
as a network data sink, allowing (after I poke an appropriate hole in my
firewall - currently TCP 22, 80, 1433, 12345, 27374, and 17300) the TCP
stack to accept connections to those ports, all the while ACK_hole drops
the packet contents on the floor, after snort 1.8.7 has logged the
transaction.

Anyway, getting to the point...

Saw this today: hybrid scan to TCP:80 and TCP:1433, and the payloads of the
port 80 packets particularly caught my eye (not that I yet have much
experience recognizing what's really "new").

A quick google search seems to turn up no maillist archives anywhere
discussing the interesting phrase: GET /global.asa? -- although the phrase
*does* turn up a lot in pages about M$ ASP stuff..

[toot@sparky /]# host 172.183.59.40
40.59.183.172.in-addr.arpa. domain name pointer ACB73B28.ipt.aol.com.

Here are some packets:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:25:50.085392 172.183.59.40:3598 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:443 IpLen:20 DgmLen:96 DF
***AP*** Seq: 0x3F790CAD  Ack: 0x2D9D50B7  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 2B  GET /global.asa+
2E 68 74 72 20 48 54 54 50 2F 31 2E 31 0D 0A 48  .htr HTTP/1.1..H
6F 73 74 3A 20 31 32 2E 38 32 2E 31 33 37 2E 31  ost: 12.82.137.1
36 37 0D 0A 0D 0A 0D 0A                          67......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:25:51.915771 172.183.59.40:3761 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:682 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x3FFAE785  Ack: 0x2DB72099  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 5C  GET /global.asa\
20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
20 31 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A   12.82.137.167..
54 72 61 6E 73 6C 61 74 65 3A 20 66 0D 0A 0D 0A  Translate: f....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:25:53.685836 172.183.59.40:3826 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:916 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x40331BDD  Ack: 0x2D97644F  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 3F  GET /global.asa?
2B 2E 68 74 72 5C 20 5C 20 48 54 54 50 2F 31 2E  +.htr\ \ HTTP/1.
31 0D 0A 48 6F 73 74 3A 20 31 32 2E 38 32 2E 31  1..Host: 12.82.1
33 37 2E 31 36 37 0D 0A 54 72 61 6E 73 6C 61 74  37.167..Translat
65 3A 20 66 0D 0A 0D 0A                          e: f....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:25:55.345977 172.183.59.40:3938 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:1129 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x408D6257  Ack: 0x2E29DF40  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 67 6C 6F 62 61 6C 2E 61 73 61 3F  GET /global.asa?
2B 2E 68 74 72 20 72 20 48 54 54 50 2F 31 2E 31  +.htr r HTTP/1.1
0D 0A 48 6F 73 74 3A 20 31 32 2E 38 32 2E 31 33  ..Host: 12.82.13
37 2E 31 36 37 0D 0A 0D 0A 0D 0A                 7.167......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
: Here's another..
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:25:56.816103 172.183.59.40:4047 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:1311 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x40E531F7  Ack: 0x2E474926  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 69 69 73 73 61 6D 70 6C 65 73 2F  GET /iissamples/
65 78 61 69 72 2F 68 6F 77 69 74 77 6F 72 6B 73  exair/howitworks
2F 63 6F 64 65 62 72 77 73 2E 61 73 70 3F 73 6F  /codebrws.asp?so
75 72 63 65 3D 2F 6C 6F 67 69 6E 2E 61 73 70 20  urce=/login.asp 
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host: 
31 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A 0D  12.82.137.167...
0A                                               .
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
: And what is this? It seems to show up in some log files that are
: captioned in Chinese (?): http://sjpchome.com/jiaocheng/jiaoc245.htm
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:25:59.476450 172.183.59.40:4191 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:1651 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0x415BB0BD  Ack: 0x2DAD448F  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 4C 69 6E 75 78 2E 69 64 61 20 48  GET /Linux.ida H
54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31  TTP/1.1..Host: 1
32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A 0D 0A  2.82.137.167....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:26:01.056497 172.183.59.40:4289 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:1823 IpLen:20 DgmLen:155 DF
***AP*** Seq: 0x419FBD76  Ack: 0x2E84856E  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 6E 75 6C 6C 2E 68 74 77 3F 43 69  GET /null.htw?Ci
57 65 62 48 69 74 73 46 69 6C 65 3D 2F 67 6C 6F  WebHitsFile=/glo
62 61 6C 2E 61 73 61 20 26 43 69 52 65 73 74 72  bal.asa &CiRestr
69 63 74 69 6F 6E 3D 6E 6F 6E 65 26 43 69 48 69  iction=none&CiHi
6C 69 74 65 54 79 70 65 3D 46 75 6C 6C 20 6C 20  liteType=Full l 
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host: 
31 32 2E 38 32 2E 31 33 37 2E 31 36 37 0D 0A 0D  12.82.137.167...
0A 0D 0A                                         ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
: At this point the prober went to TCP:1433, with these:
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:26:02.586723 172.183.59.40:4433 -> 12.82.137.167:1433
TCP TTL:110 TOS:0x0 ID:2013 IpLen:20 DgmLen:552 DF
***AP*** Seq: 0x41F539DA  Ack: 0x2E93379D  Win: 0x4510  TcpLen: 20
02 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 73 61 00 00 00 00 00 00 00  .......sa.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18  .............. .
81 B8 2C 08 03 01 06 0A 09 01 01 00 00 00 00 00  ..,.............
00 00 00 00 73 71 75 65 6C 64 61 20 31 2E 30 00  ....squelda 1.0.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 0B 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 04 02 00 00 4D 53 44 42 4C 49 42 00 00 00  ......MSDBLIB...
07 06 00 00 00 00 0D 11 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:26:03.296749 172.183.59.40:4433 -> 12.82.137.167:1433
TCP TTL:110 TOS:0x0 ID:2118 IpLen:20 DgmLen:117 DF
***AP*** Seq: 0x41F53BDA  Ack: 0x2E93379D  Win: 0x4510  TcpLen: 20
02 01 00 4C 00 00 03 00 00 00 00 00 00 00 00 01  ...L............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 30  .............000
00 00 03 00 00 00 00 00 00 00 00 00 00           .............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
: Several times with this line (the fifth in the payload and onward..)
: changing: Each printable string seems to be preceded with a non-8859
: character..

00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00  ................
               ^^
:
00 00 00 00 00 02 31 32 33 00 00 00 00 00 00 00  ......123.......
               ^^
:
00 00 00 00 00 02 31 32 33 34 00 00 00 00 00 00  ......1234......
               ^^
:
00 00 00 00 00 02 31 32 33 34 35 00 00 00 00 00  ......12345.....
               ^^
:
00 00 00 00 00 02 38 38 38 38 38 38 00 00 00 00  ......888888....
               ^^
:
00 00 00 00 00 02 61 62 63 64 00 00 00 00 00 00  ......abcd......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 04 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
            ^^
:
00 00 00 00 00 02 70 61 73 73 00 00 00 00 00 00  ......pass......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 04 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
            ^^
:
00 00 00 00 00 02 69 6E 74 65 72 6E 65 74 00 00  ......internet..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 08 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
            ^^
:
00 00 00 00 00 02 70 61 73 73 77 6F 72 64 00 00  ......password..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 08 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18  .............. .
:
00 00 00 00 00 02 61 64 6D 69 6E 00 00 00 00 00  ......admin.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 05 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18  .............. .
:
00 00 00 00 00 02 73 65 72 76 65 72 00 00 00 00  ......server....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 06 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
:
00 00 00 00 00 02 73 75 70 65 72 00 00 00 00 00  ......super.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 05 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18  .............. .
:
00 00 00 00 00 02 72 6F 6F 74 00 00 00 00 00 00  ......root......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 04 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18  .............. .
:
00 00 00 00 00 02 31 32 33 34 35 36 00 00 00 00  ......123456....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 06 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18  .............. .
:
00 00 00 00 00 02 31 32 33 34 35 00 00 00 00 00  ......12345.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 05 30 30 30 30 30 30 61 30 00 00 00  .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18  .............. .
:
: And then he goes back to TCP:80..
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:26:25.569103 172.183.59.40:2048 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:4786 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x4620701D  Ack: 0x2F8BC861  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
48 6F 73 74 3A 20 31 32 2E 38 32 2E 31 33 37 2E  Host: 12.82.137.
31 36 37 0D 0A 0D 0A                             167....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
: Checking to see if there's a server running, eh?
:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/17-08:26:26.939209 172.183.59.40:2106 -> 12.82.137.167:80
TCP TTL:110 TOS:0x0 ID:4952 IpLen:20 DgmLen:92 DF
***AP*** Seq: 0x4650DCE2  Ack: 0x2F8152A8  Win: 0x4510  TcpLen: 20
47 45 54 20 2F 5F 76 74 69 5F 69 6E 66 2E 68 74  GET /_vti_inf.ht
6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73  ml HTTP/1.1..Hos
74 3A 20 31 32 2E 38 32 2E 31 33 37 2E 31 36 37  t: 12.82.137.167
0D 0A 0D 0A                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
: And that was it..

===============================================================================
Snort processed 277 packets.
Breakdown by protocol:                Action Stats:
    TCP: 277        (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)           LOGGED: 0
   ICMP: 0          (0.000%)           PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

- John

--
Most people don't type their own logfiles; but, what do I care?
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
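Added example (not John's code, and unrelated to ACK_hole): a small Python script that turns snort hex dumps like the ones above back into bytes, pulls the account and password fields out of each TCP/1433 login packet at the offsets the capture shows (the "non-8859 character" in front of each string is that field's length byte), and counts distinct guesses per account from one source, which is the thing to alert on. The field layout (8-byte header, then 30-byte fixed fields each followed by a one-byte length, as in TDS 4.2) is assumed from the capture; guess_variant() is a constructed fixture that rewrites the two lines the post shows changing, and GUESSES is the sequence visible in the post.

```python
import re

def snort_hex_to_bytes(dump: str) -> bytes:
    """Rebuild bytes from snort hex lines: each line's leading run of up to 16
    hex pairs is data; the ASCII column that follows is ignored."""
    runs = re.findall(r"^(?:[0-9A-Fa-f]{2}(?: |$)){1,16}", dump, re.M)
    return b"".join(bytes.fromhex(r) for r in runs)

# Offsets read off the quoted 1433 capture (assumed TDS 4.2 layout): 8-byte header,
# then 30-byte fixed-width fields, each followed by its one-byte length.
TDS42_FIELDS = {"hostname": 8, "username": 39, "password": 70, "hostproc": 101}

def parse_tds42_login(pkt: bytes) -> dict:
    """Extract the login fields from a TDS login packet (type byte 0x02)."""
    if len(pkt) < 132 or pkt[0] != 0x02:
        raise ValueError("not a TDS 4.2 login packet")
    return {name: pkt[off:off + min(pkt[off + 30], 30)].decode("ascii", "replace")
            for name, off in TDS42_FIELDS.items()}

# First 144 bytes of the captured 'sa' login, as snort printed them (two ASCII columns kept).
CAPTURED_SA_LOGIN = """\
02 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 73 61 00 00 00 00 00 00 00 .......sa.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 30 30 30 30 30 30 61 30 00 00 00 .....000000a0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 18
81 B8 2C 08 03 01 06 0A 09 01 01 00 00 00 00 00
"""

def guess_variant(password: str) -> str:
    """Constructed fixture: the two dump lines the post shows changing per guess."""
    pw = password.encode("ascii")[:10].ljust(10, b"\0")
    lines = CAPTURED_SA_LOGIN.splitlines()
    lines[4] = "00 00 00 00 00 02 " + " ".join("%02X" % b for b in pw)   # offset 70
    lines[6] = "00 00 00 00 %02X 30 30 30 30 30 30 61 30 00 00 00" % len(password[:10])  # offset 100
    return "\n".join(lines)

def count_distinct_passwords(src: str, dumps) -> dict:
    """Distinct passwords tried per (source, account); many in seconds is guessing."""
    tried = {}
    for f in (parse_tds42_login(snort_hex_to_bytes(d)) for d in dumps):
        tried.setdefault((src, f["username"]), set()).add(f["password"])
    return {k: len(v) for k, v in tried.items()}

# The guess sequence visible in the post, in arrival order.
GUESSES = ["", "123", "1234", "12345", "888888", "abcd", "pass", "internet",
           "password", "admin", "server", "super", "root", "123456", "12345"]
```

Running count_distinct_passwords("172.183.59.40", [guess_variant(p) for p in GUESSES]) reports 14 distinct passwords against "sa" from that one source, all within about twenty seconds per the timestamps above.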
This archive was generated by hypermail 2b30 : Sat Aug 17 2002 - 17:32:32 PDT