Security Incidents
mailing list archives
Re: SHELLCODE x86 NOOP
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Fri, 5 Oct 2001 09:28:36 +1200
Dan Terhesiu <dante () tvc codec ro> wrote:
> Hello to all of you.
> I've seen this morning several (approx. 82, as reported by
> snort) alerts containing "SHELLCODE x86 NOOP". Almost all the connections
> begin with a "WEB-IIS ISAPI .ida access" alert. I've searched on google
As has already been explained, the "WEB-IIS ISAPI .ida access" alert
is (most likely) a false alarm.
> about this x86 SHELLCODE, but there is nothing about :80 port
> there. Because I'm new to this field, I'm asking for your help: is this
> something I should worry about?
<<snip>>
Probably not, or perhaps probably, depending on what is normally on
this box and what is normally uploaded to/downloaded from it. This:
00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00 ..text..........
00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 ..... ..`.rdata.
00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02 ..........0.....
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 .............@..
40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02 @.data....r.....
00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00 ..v.............
00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00 .....@....idata.
00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03 ......`.......<.
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 .............@..
C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04 ..rsrc..........
00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00 ......R.........
almost certainly indicates transfer of a PE binary. Are your users
normally allowed to transfer Windows program files around via HTTP??
If so, the above is nothing to worry about (the *practice* may be,
but the snort alarm, given "normal practice" at your site, is not).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
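As an added example (not part of the original post, and not Snort's own code), the following Python script parses the hex dump quoted in Nick's reply as a run of PE IMAGE_SECTION_HEADER records. This is how an analyst would confirm his reading that the flagged bytes are a Windows executable in transit rather than a NOP sled: the dump decodes to a well-formed section table (.text, .rdata, .data, .idata and a truncated .rsrc) whose raw-data offsets are contiguous, which random bytes or shellcode padding would not satisfy. The hex bytes are copied from the dump in the post; the function names, the triage summary and the contiguity check are assumptions of the example.

```python
import struct

# Hex column of the 12 dump lines quoted in the post (ASCII column dropped).
DUMP_HEX = """
00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00
00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00
00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00
00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00
40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02
00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00
00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00
00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00
C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04
00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00
"""

# IMAGE_SECTION_HEADER layout (winnt.h): 8-byte name, six DWORDs, two WORDs,
# one DWORD of characteristics; 40 bytes, little-endian.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
FIELD_NAMES = ("name", "virtual_size", "virtual_address", "size_of_raw_data",
               "pointer_to_raw_data", "pointer_to_relocations",
               "pointer_to_linenumbers", "number_of_relocations",
               "number_of_linenumbers", "characteristics")

# The IMAGE_SCN_* flags that matter for a quick read of a section's role.
SCN_FLAGS = (
    (0x00000020, "CODE"),
    (0x00000040, "INITIALIZED_DATA"),
    (0x00000080, "UNINITIALIZED_DATA"),
    (0x20000000, "EXECUTE"),
    (0x40000000, "READ"),
    (0x80000000, "WRITE"),
)


def hexdump_to_bytes(text):
    """Turn whitespace-separated hex byte tokens into a bytes object."""
    return bytes(int(tok, 16) for tok in text.split())


def looks_like_section_name(raw):
    """True if `raw` starts like a PE section name: '.' followed by one to
    seven ASCII alphanumerics, NUL padded to 8 bytes."""
    name = raw[:8].split(b"\0", 1)[0]
    return 2 <= len(name) <= 8 and name[:1] == b"." and name[1:].isalnum()


def decode_characteristics(value):
    """Map a Characteristics DWORD to the flag labels set in it."""
    return [label for bit, label in SCN_FLAGS if value & bit]


def parse_section_table(blob):
    """Locate the first section-header-looking record in `blob` and parse
    consecutive 40-byte headers from there.

    Returns (offset, headers, truncated_name): `headers` holds one dict per
    complete header; `truncated_name` is the name of a header whose 40 bytes
    run past the end of the capture (None if the table ends cleanly)."""
    start = next((i for i in range(len(blob))
                  if looks_like_section_name(blob[i:i + 8])), None)
    if start is None:
        return None, [], None
    headers = []
    pos = start
    while pos + SECTION_HEADER.size <= len(blob):
        fields = SECTION_HEADER.unpack_from(blob, pos)
        if not looks_like_section_name(fields[0]):
            break  # end of the table: next record is not a section header
        header = dict(zip(FIELD_NAMES, fields))
        header["name"] = fields[0].rstrip(b"\0").decode("ascii")
        header["flags"] = decode_characteristics(header["characteristics"])
        headers.append(header)
        pos += SECTION_HEADER.size
    truncated = None
    if looks_like_section_name(blob[pos:pos + 8]):
        truncated = blob[pos:pos + 8].rstrip(b"\0").decode("ascii")
    return start, headers, truncated


def raw_layout_is_contiguous(headers):
    """In a linker-produced PE each section's raw data starts where the
    previous section's raw data ends.  Random bytes or a NOP sled almost
    never satisfy this, so it strongly confirms a genuine section table."""
    return all(
        prev["pointer_to_raw_data"] + prev["size_of_raw_data"] == cur["pointer_to_raw_data"]
        for prev, cur in zip(headers, headers[1:])
    )


def triage(blob):
    """Summarise what the flagged bytes look like, for an analyst's notes."""
    start, headers, truncated = parse_section_table(blob)
    if not headers:
        return {"verdict": "no PE section table found", "sections": []}
    return {
        "verdict": "PE section table (Windows executable in transit)",
        "table_offset": start,
        "sections": [h["name"] for h in headers],
        "truncated_section": truncated,
        "raw_layout_contiguous": raw_layout_is_contiguous(headers),
    }


DUMP_BYTES = hexdump_to_bytes(DUMP_HEX)
RESULT = triage(DUMP_BYTES)

if __name__ == "__main__":
    for h in parse_section_table(DUMP_BYTES)[1]:
        print(f'{h["name"]:8} vsize={h["virtual_size"]:#08x} '
              f'raw@{h["pointer_to_raw_data"]:#08x} size={h["size_of_raw_data"]:#07x} '
              f'{"|".join(h["flags"])}')
    print(RESULT)
```

Run as-is, the script reports four complete headers plus the cut-off .rsrc record, and the contiguity check passes (.text ends at 0x29600 where .rdata starts, and so on through .rsrc at 0x35200). Feeding it a buffer of 0x90 bytes instead returns the "no PE section table found" verdict, which is the case where the NOOP signature is doing its intended job.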