Snort mailing list archives

likely FPs Web-Client .... dll-load exploit attempt


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 18 Apr 2011 11:05:26 +1200

SID     CID     Timestamp       Signature       IP Src  IP Dst  Proto   Length
10      78025871        2011-04-18 09:53:08     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       185
10      78025872        2011-04-18 09:53:08     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       185
10      78025881        2011-04-18 09:53:18     WEB-CLIENT Firefox Acrobat Reader agm.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
10      78025882        2011-04-18 09:53:18     WEB-CLIENT Acrobat Reader IE plugin agm.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
10      78025908        2011-04-18 09:54:32     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
10      78025909        2011-04-18 09:54:32     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
10      78025915        2011-04-18 09:54:45     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       172
10      78025916        2011-04-18 09:54:45     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       172
10      78025917        2011-04-18 09:54:46     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       196
10      78025918        2011-04-18 09:54:46     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       196

Sample capture:
GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1
User-Agent: SAMSUNG_KIES
Host: msupdate.emodio.com

Googling msupdate.emodio.com suggests that this is a legit site related to Samsung Kies...

 


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
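
One way to triage alerts like the ones reported above, as an added example that is not part of the original post or of the Snort rule set. It assumes (the post does not show the rule text) that the signature keys on the DLL file name, and checks whether that name is the file actually requested or only a substring of a longer file name; the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Request copied from the sample capture in the post.
SAMPLE_REQUEST = (
    "GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/"
    "DCInterface.dll.cab HTTP/1.1\r\n"
    "User-Agent: SAMSUNG_KIES\r\n"
    "Host: msupdate.emodio.com\r\n\r\n"
)
# Alert message copied from the post.
SAMPLE_SIGNATURE = "WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt"


def dll_from_signature(signature):
    """Return the lower-cased DLL name named in an alert message, or None."""
    m = re.search(r"\b([\w.-]+\.dll)\b", signature, re.IGNORECASE)
    return m.group(1).lower() if m else None


def requested_filename(raw_request):
    """Return the lower-cased last path component of the request target."""
    lines = raw_request.splitlines()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3:
        raise ValueError("malformed HTTP request line")
    path = urlsplit(parts[1]).path  # drops any query string or fragment
    return posixpath.basename(unquote(path)).lower()


def classify(signature, raw_request):
    """Compare the DLL named in the alert with the file actually requested."""
    dll = dll_from_signature(signature)
    if dll is None:
        return "no-dll-in-signature"
    name = requested_filename(raw_request)
    if name == dll:
        return "exact"      # the request is for that DLL itself
    if dll in name:
        return "substring"  # DLL name only occurs inside a longer file name
    return "absent"         # DLL name is not in the requested file name


if __name__ == "__main__":
    print(classify(SAMPLE_SIGNATURE, SAMPLE_REQUEST))
```

For the capture in the post the result is "substring": "ace.dll" occurs inside "DCInterface.dll.cab", which is consistent with the alerts being false positives.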

