Snort mailing list archives
RE: please help ID payload info
From: "Randy Bey" <Randy.Bey () rivernorthsys com>
Date: Tue, 15 Oct 2002 11:05:15 -0600
> Well, first did you check to see if this is actually coming from your
> webserver, or an external one? You left any details about that out, so I
> figure it's worth asking just to be sure. If it's an external webserver, I
> bet it's a webpage containing sample output from a security check tool.

Sorry, should have said it's the Snort server's web server (used for ACID, etc).

> Also you claim that's similar to content sent out via email... do you have
> some sort of webmail access going where you might be accessing those emails
> from your webserver, causing it to legitimately send that content?
No webmail type thing there, and further down the line in the payload it gets weird, like a dump of the /etc directory, then some binary gobbledegook that is not understandable. Here:

2f0 : 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68 65  -r-- 1 root othe
300 : 72 20 33 31 34 20 53 65 70 20 32 30 20 31 36 3A  r 314 Sep 20 16:
310 : 32 36 20 32 30 30 32 20 2F 65 74 63 2F 63 6F 72  26 2002 /etc/cor
320 : 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30 30  eadm.conf  24700
330 : 20 31 0D 0A 2D 2D 2D 0D 0A 3E 20 2D 72 77 2D 72   1..---..> -rw-r
340 : 2D 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68  --r-- 1 root oth
350 : 65 72 20 33 31 34 20 4F 63 74 20 31 30 20 32 32  er 314 Oct 10 22
360 : 3A 30 38 20 32 30 30 32 20 2F 65 74 63 2F 63 6F  :08 2002 /etc/co
370 : 72 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30  readm.conf  2470
380 : 30 20 31 0D 0A 34 38 63 34 38 0D 0A 3C 20 64 72  0 1..48c48..< dr
390 : 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20  wxr-xr-x 2 root 
3a0 : 73 79 73 20 35 31 32 20 53 65 70 20 32 30 20 31  sys 512 Sep 20 1
3b0 : 36 3A 32 38 20 32 30 30 32 20 2F 65 74 63 2F 63  6:28 2002 /etc/c
3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64  ron.d ..---..> d
3d0 : 72 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74  rwxr-xr-x 2 root
3e0 : 20 73 79 73 20 35 31 32 20 4F 63 74 20 31 30 20   sys 512 Oct 10 
3f0 : 32 32 3A 30 39 20 32 30 30 32 20 2F 65 74 63 2F  22:09 2002 /etc/
400 : 63 72 6F 6E 2E 64 20 0D 0A 36 35 63 36 35 0D 0A  cron.d ..65c65..
410 : 3C 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20 72  < -rw-r--r-- 1 r
420 : 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 53 65  oot other 239 Se
430 : 70 20 32 30 20 31 36 3A 32 38 20 32 30 30 32 20  p 20 16:28 2002 
440 : 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F 6E  /etc/dumpadm.con
450 : 66 20 20 31 39 36 39 36 20 31 0D 0A 2D 2D 2D 0D  f  19696 1..---.
460 : 0A 3E 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20  .> -rw-r--r-- 1 
470 : 72 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 4F  root other 239 O
480 : 63 74 20 31 30 20 32 32 3A 30 39 20 32 30 30 32  ct 10 22:09 2002
490 : 20 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F   /etc/dumpadm.co
4a0 : 6E 66 20 20 31 39 36 39 36 20 31 0D 0A 39 30 2C  nf  19696 1..90,
4b0 : 39 31 63 39 30 2C 39 31 0D 0A 3C 20 64 72 77 78  91c90,91..< drwx
4c0 : 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79  r-xr-x 2 root sy
4d0 : 73 20 32 30 34 38 20 53 65 70 20 32 33 20 31 37  s 2048 Sep 23 17
4e0 : 3A 30 30 20 32 30 30 32 20 2F 65 74 63 2F 69 6E  :00 2002 /etc/in
4f0 : 69 74 2E 64 20 0D 0A 3C 20 70 72 77 2D 2D 2D 2D  it.d ..< prw----
500 : 2D 2D 2D 20 31 20 72 6F 6F 74 20 72 6F 6F 74 20  --- 1 root root 
510 : 30 20 53 65 70 20 32 30 20 31 36 3A 32 38 20 32  0 Sep 20 16:28 2
520 : 30 30 32 20 2F 65 74 63 2F 69 6E 69 74 70 69 70  002 /etc/initpip
530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72  e ..---..> drwxr
540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73  -xr-x 2 root sys
550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A   2048 Oct 10 14:
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF  41 2..P.....P...
570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D  .u&..j...L...P..
580 : 68 FE FF FF 51 8B 55 08 8B 42 08 50 FF 95 6C FE  h...Q.U..B.P..l.
590 : FF FF 3B F4 90 43 4B 43 4B 83 BD 50 FE FF FF 64  ..;..CKCK..P...d
5a0 : 7D 5C 8B 8D 50 FE FF FF 83 C1 01 89 8D 50 FE FF  }\..P........P..
5b0 : FF 8B 95 50 FE FF FF 69 D2 8D 66 F0 50 89 95 74  ...P...i..f.P..t

Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com
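The dump above is in the "offset : hex bytes  ascii" layout that Snort and ACID print, and reading it by eye is exactly the problem the thread is about. The following script is an added example, not code from the post or from Snort: it parses that layout back into bytes (trusting only the hex column), extracts printable strings the way strings(1) does while keeping their offsets, flags diff(1) hunk markers such as 48c48 together with "<"/">" lines, and reports the offset at which the payload stops being text. The embedded sample is twelve rows copied from the dump above with a deliberate gap between them; all function names are my own.

```python
"""Reassemble a Snort/ACID-style payload hex dump and report what is readable.

Added example, not from the post or from Snort. The sample rows are copied
from the payload posted above; function names are my own.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: rows 0x380-0x3c0 and 0x530-0x590 of the posted dump.
# The gap between 0x3c0 and 0x530 is deliberate, to show that strings are
# never joined across missing rows.
SAMPLE_DUMP = """\
380 : 30 20 31 0D 0A 34 38 63 34 38 0D 0A 3C 20 64 72 0 1..48c48..< dr
390 : 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 wxr-xr-x 2 root
3a0 : 73 79 73 20 35 31 32 20 53 65 70 20 32 30 20 31 sys 512 Sep 20 1
3b0 : 36 3A 32 38 20 32 30 30 32 20 2F 65 74 63 2F 63 6:28 2002 /etc/c
3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 ron.d ..---..> d
530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72 e ..---..> drwxr
540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73 -xr-x 2 root sys
550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A 2048 Oct 10 14:
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF 41 2..P.....P...
570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D .u&..j...L...P..
580 : 68 FE FF FF 51 8B 55 08 8B 42 08 50 FF 95 6C FE h...Q.U..B.P..l.
590 : FF FF 3B F4 90 43 4B 43 4B 83 BD 50 FE FF FF 64 ..;..CKCK..P...d
"""

Row = Tuple[int, bytes]
LINE_RE = re.compile(r'^\s*([0-9A-Fa-f]{1,8})\s*:\s*(.*)$')
HEX_RE = re.compile(r'^[0-9A-Fa-f]{2}$')
HUNK_RE = re.compile(r'^\d+(,\d+)?[acd]\d+(,\d+)?$')   # 48c48, 90,91c90,91 ...
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}
TEXT_OK = PRINTABLE | {0x0A, 0x0D}


def parse_snort_dump(text: str, width: int = 16) -> List[Row]:
    """Turn 'OFF : HH HH ... ascii' rows back into (offset, bytes).

    Only the hex column is trusted. Caveat: mail archives collapse whitespace,
    so column alignment is gone; on a short final row whose ASCII column starts
    with a hex-looking pair (e.g. '41') that pair would be misread as a byte.
    """
    rows: List[Row] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        data = bytearray()
        for tok in m.group(2).split():
            if len(data) == width or not HEX_RE.match(tok):
                break
            data.append(int(tok, 16))
        if data:
            rows.append((int(m.group(1), 16), bytes(data)))
    return rows


def payload_bytes(rows: List[Row]) -> bytes:
    """Concatenate the rows (gaps between rows are ignored here)."""
    return b''.join(data for _, data in rows)


def first_binary_offset(rows: List[Row]) -> Optional[int]:
    """Offset of the first byte that is neither printable ASCII nor CR/LF/TAB."""
    for off, data in rows:
        for i, b in enumerate(data):
            if b not in TEXT_OK:
                return off + i
    return None


def printable_runs(rows: List[Row], min_len: int = 4) -> List[Tuple[int, str]]:
    """strings(1)-style extraction that keeps each run's offset and breaks a
    run at any gap in the dump, so text is not glued across missing rows."""
    runs: List[Tuple[int, str]] = []
    cur = bytearray()
    start: Optional[int] = None
    expected: Optional[int] = None

    def flush() -> None:
        nonlocal cur, start
        if len(cur) >= min_len:
            runs.append((start, cur.decode('ascii')))
        cur, start = bytearray(), None

    for off, data in rows:
        if expected is not None and off != expected:
            flush()
        for i, b in enumerate(data):
            if b in PRINTABLE:
                if start is None:
                    start = off + i
                cur.append(b)
            else:
                flush()
        expected = off + len(data)
    flush()
    return runs


def looks_like_diff(runs: List[Tuple[int, str]]) -> bool:
    """True if the strings carry diff(1) 'normal' output: a hunk marker plus at
    least one '< ' or '> ' line."""
    hunks = any(HUNK_RE.match(s) for _, s in runs)
    changed = any(s.startswith(('< ', '> ')) for _, s in runs)
    return hunks and changed


if __name__ == '__main__':
    rows = parse_snort_dump(SAMPLE_DUMP)
    runs = printable_runs(rows)
    print(f'{len(rows)} rows, {len(payload_bytes(rows))} bytes')
    for off, s in runs:
        print(f'{off:04x}: {s!r}')
    print('diff(1) output:', looks_like_diff(runs))
    print('first non-text byte at:', hex(first_binary_offset(rows) or 0))
```

On the sample rows the script reports hunk marker 48c48 and the "<"/">" ls -l lines for /etc/cron.d, so that part of the payload is diff(1) output, and the first non-text byte at offset 0x564; everything after that point is treated as binary and only the four-character run "CKCK" survives the strings pass. To run it over a full alert, paste the whole dump into SAMPLE_DUMP or read it from a file; note that the ASCII column is never used, so it does not matter that the archive mangled it.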
Current thread:
- please help ID payload info Randy Bey (Oct 15)
- Re: please help ID payload info Matt Kettler (Oct 15)
- Re: please help ID payload info Robby Desmond (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- <Possible follow-ups>
- RE: please help ID payload info Randy Bey (Oct 15)
- RE: please help ID payload info twig les (Oct 15)
- RE: please help ID payload info matthew . keay (Oct 17)
- RE: please help ID payload info matthew . keay (Oct 17)
