Intrusion Detection Systems mailing list archives
Re: Bounced Message (Mod FWD)
From: blue0ne () igloo org (Jackie Chan)
Date: Tue, 16 May 2000 16:27:54 -0400 (EDT)
I'm going to take a wild guess here. My assumption after looking at the patterns introduced in this data segment, mixed with the intentions of a gnutella-like service, is that someone has basically run a search on /etc/passwd to test their luck at finding a poorly configured system that would allow them to view this file. Without doing any real testing, I would say that this could be a potential problem.

blue0ne
-----------------------------------------------------------------------------
1. very odd traffic...napster?, Network Security <NSECURITY () TASC USDA GOV>
__________________________________________________________________________________________________
Date: Mon, 15 May 2000 12:42:40 -0600
From: Network Security <NSECURITY () TASC USDA GOV>
To: ids () uow edu au
Subject: very odd traffic...napster?
Message-Id: <s91ff134.047 () TASC USDA GOV>
I have been seeing several instances of this with my IDS. I think it may be
napster/gnutella activity, but what concerns me is why is "/etc/passwd"
referenced within the traffic? Is this some sort of napster/gnutella
exploit?
__________________________________________________________________________________________________
END
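One way an IDS could turn the guess in the reply into a check, as an added example that is not part of the original thread: decode Query descriptors from a relayed Gnutella stream and flag search strings that name system files. It assumes Gnutella 0.4 framing (23-byte header, payload type 0x80 for Query) and a stream that starts on a descriptor boundary; the watch list, function names and sample bytes are constructed for illustration.

```python
import re
import struct

HEADER_LEN = 23      # GUID(16) + type(1) + TTL(1) + hops(1) + length(4, little-endian)
QUERY = 0x80         # Gnutella 0.4 payload descriptor for a search query
MAX_PAYLOAD = 4096   # assumption: a larger length field means framing was lost
# Hypothetical watch list: search strings that name system files, not media.
SENSITIVE = re.compile(r"(/etc/(passwd|shadow)|\.htpasswd|\.ssh/|id_rsa)", re.I)


def iter_queries(stream: bytes):
    """Yield (ttl, hops, min_speed, criteria) for each Query descriptor."""
    off = 0
    while off + HEADER_LEN <= len(stream):
        ptype, ttl, hops, length = struct.unpack_from("<16xBBBI", stream, off)
        start = off + HEADER_LEN
        if length > MAX_PAYLOAD or start + length > len(stream):
            break                    # truncated capture or desynchronised stream
        body = stream[start:start + length]
        off = start + length
        if ptype != QUERY or length < 3:
            continue                 # ping, pong, push, query hit, or malformed
        (min_speed,) = struct.unpack_from("<H", body, 0)
        criteria = body[2:].split(b"\x00", 1)[0].decode("latin-1")
        yield ttl, hops, min_speed, criteria


def suspicious_queries(stream: bytes):
    """Return the search strings that match the watch list."""
    return [c for _, _, _, c in iter_queries(stream) if SENSITIVE.search(c)]


def make_descriptor(ptype: int, payload: bytes, ttl: int = 5, hops: int = 2) -> bytes:
    # Builds one descriptor with an all-zero GUID (constructed test data).
    return bytes(16) + struct.pack("<BBBI", ptype, ttl, hops, len(payload)) + payload


# Constructed sample: ordinary media searches relayed around one file-path search.
SAMPLE = b"".join([
    make_descriptor(QUERY, struct.pack("<H", 0) + b"music video\x00"),
    make_descriptor(0x00, b""),                                   # ping
    make_descriptor(QUERY, struct.pack("<H", 0) + b"/etc/passwd\x00"),
    make_descriptor(QUERY, struct.pack("<H", 56) + b"*.mpg\x00"),
])

if __name__ == "__main__":
    for ttl, hops, speed, text in iter_queries(SAMPLE):
        flag = "ALERT" if SENSITIVE.search(text) else "ok"
        print(f"{flag:5} ttl={ttl} hops={hops} min_speed={speed} query={text!r}")
```

A hit only shows that some peer searched for that string and the query was relayed through the monitored host; whether a local servent would answer it depends on what directory it shares.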
