[Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect Kevin Cryan
Joe Matusiewicz
joem at nist.gov
Tue Jun 29 14:58:45 GMT 2004
Comments at the end....
At 08:37 AM 6/29/2004, Kevin Cryan wrote:
>Detect #1 Buffer Overflow
>
>[**] [1:1390:4] SHELLCODE x86 inc ebx NOOP [**]
>[Classification: Executable code was detected] [Priority: 1]
>10/02/02-05:13:47.256507 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x5EA
>81.19.69.18:8000 -> 115.74.249.65:63742 TCP TTL:46 TOS:0x0 ID:15191 IpLen:20
>DgmLen:1500 DF ***A**** Seq: 0x6812E8FB Ack: 0x97C707F Win: 0xFFFF TcpLen: 20
>
>05:13:47.256507 00:03:e3:d9:26:c0 > 00:00:0c:04:b2:33, ethertype IPv4
>(0x0800), length 1514: IP (tos 0x0, ttl 46, id 15191, offset 0, flags [DF],
>length: 1500, bad cksum 98a6 (->914)!) 81.19.69.18.8000 >
>115.74.249.65.63742: . [bad tcp cksum 40b (->7478)!] 1746069755:1746071215
>(1460) ack 159150207 win 65535
> 0x0000: 0000 0c04 b233 0003 e3d9 26c0 0800 4500 .....3....&...E.
> 0x0010: 05dc 3b57 4000 2e06 98a6 5113 4512 734a ..;W@.....Q.E.sJ
> 0x0020: f941 1f40 f8fe 6812 e8fb 097c 707f 5010 .A.@..h....|p.P.
> 0x0030: ffff 040b 0000 4854 5450 2f31 2e31 2032 ......HTTP/1.1.2
> 0x0040: 3030 204f 4b0d 0a53 6572 7665 723a 2074 00.OK..Server:.t
> 0x0050: 6874 7470 642f 322e 3232 6265 7461 3420 httpd/2.22beta4.
> 0x0060: 3134 6e6f 7632 3030 310d 0a43 6f6e 7465 14nov2001..Conte
> 0x0070: 6e74 2d54 7970 653a 2069 6d61 6765 2f6a nt-Type:.image/j
> 0x0080: 7065 670d 0a44 6174 653a 2057 6564 2c20 peg..Date:.Wed,.
> 0x0090: 3032 204f 6374 2032 3030 3220 3134 3a31 02.Oct.2002.14:1
> 0x00a0: 323a 3434 2047 4d54 0d0a 4c61 7374 2d4d 2:44.GMT..Last-M
> 0x00b0: 6f64 6966 6965 643a 2057 6564 2c20 3032 odified:.Wed,.02
> 0x00c0: 204f 6374 2032 3030 3220 3132 3a35 323a .Oct.2002.12:52:
> 0x00d0: 3132 2047 4d54 0d0a 4163 6365 7074 2d52 12.GMT..Accept-R
> 0x00e0: 616e 6765 733a 2062 7974 6573 0d0a 436f anges:.bytes..Co
> 0x00f0: 6e6e 6563 7469 6f6e 3a20 636c 6f73 650d nnection:.close.
> 0x0100: 0a43 6f6e 7465 6e74 2d4c 656e 6774 683a .Content-Length:
> 0x0110: 2033 3635 390d 0a0d 0aff d8ff e000 104a .3659..........J
> 0x0120: 4649 4600 0102 0000 6400 6400 00ff ec00 FIF.....d.d.....
> 0x0130: 1144 7563 6b79 0001 0004 0000 000d 0000 .Ducky..........
> 0x0140: ffee 000e 4164 6f62 6500 64c0 0000 0001 ....Adobe.d.....
> 0x0150: ffdb 0084 0013 1010 1811 1826 1717 2630 ...........&..&0
> 0x0160: 251e 2530 2c25 2424 252c 3b33 3333 3333 %.%0,%$$%,;33333
> 0x0170: 3b43 3e3e 3e3e 3e3e 4343 4343 4343 4343 ;C>>>>>>CCCCCCCC
> 0x0180: 4343 4343 4343 4343 4343 4343 4343 4343 CCCCCCCCCCCCCCCC
> 0x0190: 4343 4343 4301 1418 181f 1b1f 2518 1825 CCCCC.......%..%
> 0x01a0: 3425 1f25 3443 3429 2934 4343 4340 3340 4%.%4C4))4CCC@3@
> 0x01b0: 4343 4343 4343 4343 4343 4343 4343 4343 CCCCCCCCCCCCCCCC
> 0x01c0: 4343 4343 4343 4343 4343 4343 4343 4343 CCCCCCCCCCCCCCCC
> 0x01d0: 4343 4343 4343 ffc0 0011 0800 7100 9603 CCCCCC......q...
> 0x01e0: 0122 0002 1101 0311 01ff c400 8100 0002 ."..............
> 0x01f0: 0301 0100 0000 0000 0000 0000 0000 0304 ................
> 0x0200: 0002 0506 0101 0101 0101 0000 0000 0000 ................
> 0x0210: 0000 0000 0000 0001 0203 1000 0201 0204 ................
> 0x0220: 0404 0308 0105 0100 0000 0001 0203 0011 ................
> 0x0230: 2131 1204 4151 2213 6171 8105 f091 32a1 !1..AQ".aq....2.
> 0x0240: b1c1 d1e1 4223 14f1 5262 7282 3406 1101 ....B#..Rbr.4...
> 0x0250: 0101 0002 0202 0301 0000 0000 0000 0000 ................
> 0x0260: 0111 2131 4102 7112 5161 8132 ffda 000c ..!1A.q.Qa.2....
> 0x0270: 0301 0002 1103 1100 3f00 5a38 8a3a d80c ........?.Z8.:..
> 0x0280: 7a6c 29bd cbbb 1312 0373 c478 5495 7b56 zl)......s.xT.{V
> 0x0290: 9546 ad0d ab4d f3a2 c538 9256 9864 149f .F...M...8.V.d..
> 0x02a0: b2b7 a16e e4d2 2ff2 6a2c a797 ce94 070a ...n../.j,......
> 0x02b0: e8e1 7d1b 6d64 e4a5 ab96 3290 350e 14f5 ..}.md....2.5...
> 0x02c0: a95b 536a 5855 56e4 d85c 0ce9 5d0b dad6 .[SjXUV..\..]...
> 0x02d0: 52c4 1373 cbd6 82d3 34c1 5d8e 9238 f0ff R..s....4.]..8..
> 0x02e0: 0015 58e6 8e67 b30d 372b a9b5 619e 745e ..X..g..7+..a.t^
> 0x02f0: 9a32 ee54 a042 0dfa 7d3c 6981 b331 22cc .2.T.B..}<i..1".
> 0x0300: 86e5 5012 a71c 0d02 65d9 dd9e 376b 0c4e ..P.....e...7k.N
> 0x0310: 1a81 a4ff 00b8 a540 5723 2055 b1cb 222a .......@W#.U.."*
> 0x0320: 0bc4 345e ee49 37f5 abc7 2870 6100 0245 ..4^.I7...(pa..E
> 0x0330: fcad ca82 1ed1 ea5f a810 07e3 5604 0965 ......._....V..e
> 0x0340: 6385 9748 3e27 3a41 7740 4a95 7be0 085c c..H>':Aw@J.{..\
> 0x0350: b1e5 4f6d 2566 903c 9900 48bb 5ce5 9521 ..Om%f.<..H.\..!
> 0x0360: 1632 292d 6d20 e92b 8dcf 0a11 33ee 4858 .2)-m..+....3.HX
> 0x0370: b162 48c3 0cb3 aa83 fbb4 ecec 740b 01f5 .bH.........t...
> 0x0380: f9d0 7612 1ee2 e9c0 a2d5 6352 1fab 2170 ..v.......cR..!p
> 0x0390: 7d2b c8ad 16a9 0305 232f 955b d610 5954 }+......#/.[..YT
> 0x03a0: 070e 0dd8 dbd2 9adc 4520 7218 0639 b1ce ........E.r..9..
> 0x03b0: 8321 450b 230f f1c2 9f1b a994 3901 1f50 .!E.#.......9..P
> 0x03c0: cc36 02a5 567a 3da5 096e 9392 e77a 74ef .6..Vz=..n...zt.
> 0x03d0: 2dd0 882e 4677 c796 5493 c2aa 8252 0991 -...Fw..T....R..
> 0x03e0: 71c0 e1e5 4fed 7666 78c3 a901 88fa 5b1a q...O.vfx.....[.
> 0x03f0: 0ccf ec3f 72e2 fab3 387c 6152 bdfe bb89 ...?r...8|aR....
> 0x0400: fb76 1727 4fd5 f187 db52 ae83 4f27 6d2f .v.'O....R..O'm/
> 0x0410: a829 e171 9fe5 4b6d 6526 4607 0233 af3d .).q..Kme&F..3.=
> 0x0420: c248 d56c ea5b 0b80 39d2 7b78 a52a 655c .H.l.[..9.{x.*e\
> 0x0430: 3e39 5651 d16d 9c3e dd8c a706 363c 30ca >9VQ.m.>....6<0.
> 0x0440: b9e9 82ac 8c88 4940 6e47 3aa2 c4f2 0235 ......I@nG:....5
> 0x0450: 6232 04d6 8ff5 b6e0 0d65 8361 90b8 3e42 b2.......e.a..>B
> 0x0460: a43b 211c 52ee 17a0 82a2 993e d92b 2836 .;!.R......>.+(6
> 0x0470: 0a99 6ae6 d534 cdb4 7ee2 1d21 8627 9d5d ..j..4..~..!.'.]
> 0x0480: b7ed 276a 1761 dabf 52df 8df8 fdf4 3e54 ..'j.a..R.....>T
> 0x0490: dab2 edf5 472e 2a7a 4db1 fba9 9fea 48ec ....G.*zM.....H.
> 0x04a0: 0226 956c 8b8b 03e5 8d56 6486 2955 a190 .&.l.....Vd.)U..
> 0x04b0: 0238 5b57 a9ab bc52 680c b282 45c8 4c6d .8[W...Rh...E.Lm
> 0x04c0: 8e7e 428b 0b76 d902 2b70 3a8d a9d6 4925 .~B..v..+p:...I%
> 0x04d0: 5378 d800 3571 cb9e 148a 42e6 540d a187 Sx..5q....B.T...
> 0x04e0: 0231 1879 7d94 7fef 4961 1a36 82a4 e189 .1.y}...Ia.6....
> 0x04f0: f4e3 6a28 db59 5480 01b2 adc9 f0c6 8cd2 ..j(.YT.........
> 0x0500: ff00 5255 dcb0 06c1 8691 9f56 46b3 4ab4 ..RU.......VF.J.
> 0x0510: 8e5a f627 16e9 cff3 af77 7b79 237e e269 .Z.'.....w{y#~.i
> 0x0520: 6be3 d38e 1ebf 755d 6466 8429 d414 88d8 k.....u]df.)....
> 0x0530: 62da 8f1f 3aa4 b017 8068 c4bb 0b5c f019 b...:....h...\..
> 0x0540: 5449 e791 bb0d 2295 3d1a 72a1 ac92 c326 TI....".=.r.....&
> 0x0550: 8070 5370 1b1b 7d94 04f7 1578 ed18 cd05 .pSp..}....x....
> 0x0560: dbca 92da 49a9 ec49 d371 f2ad 9f71 8e68 ....I..I.q...q.h
> 0x0570: d7bc f6d4 b6bb 0c7e ae06 f597 b68b bae4 .......~........
> 0x0580: c802 822e 34f1 f415 654b 1ab3 a48e 2375 ....4...eK....#u
> 0x0590: b76c 0b9f 524e 1f65 7bb4 dcff 005d bb87 .l..RN.e{....]..
> 0x05a0: 0045 d8e7 85f0 1f65 e971 ba33 a955 3a56 .E.....e.q.3.U:V
> 0x05b0: da15 73e1 ceaa ece0 31d3 d2ab 6b92 0655 ..s.....1...k..U
> 0x05c0: 1a50 cc9a c1d4 6f7b eaf0 cf2c ea50 3fb0 .P....o{...,.P?.
> 0x05d0: a21b 802e 4dcf f9a9 5a43 92c8 11b0 17f2 ....M...ZC......
> 0x05e0: a00d ff00 6d4a b22a 927c ....mJ.*.|
I've seen packets like this too many times...I recognized it instantly as a
false positive. You had me going for a while -- I thought you would fall
into that trap. Source port stays the same but the destination port
changes and you did recognize that it was the response to a request. You
didn't get fooled by port 8000 either. I did like the way you ran the
shell code and recognized that it may not work on other architectures.
What I would like to see is what happens if you point a browser to:
http://81.19.69.18/ and
http://81.19.69.18:8000
Would that help to prove your case?
Hope this helps....
-- Joe
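The triage Joe describes (server port constant, client port ephemeral, payload is a reply, and the "shellcode" is really image data) can be done mechanically from the dump. The script below is an added example, not part of the post or of Kevin's practical: it rebuilds the frame from the first 480 bytes of the tcpdump output quoted above, walks Ethernet/IPv4/TCP to the payload, parses the HTTP response, checks the JPEG/JFIF magic, walks the JPEG marker segments, and reports where every long run of 0x43 (`inc ebx`) bytes sits. The run length of 24 used for `NOOP_RUN` is my assumption about the rule's content match and is not stated in the post; everything else comes from the quoted packet.

```python
import re, struct

# Constructed input: the first 30 lines (480 bytes) of the tcpdump -X dump quoted in the post,
# enough to reach the JPEG quantization table holding the 0x43 bytes; the archive's " at "
# mangling of '@' in the ASCII column is undone. Only the hex columns are parsed.
HEXDUMP = """\
0x0000: 0000 0c04 b233 0003 e3d9 26c0 0800 4500 .....3....&...E.
0x0010: 05dc 3b57 4000 2e06 98a6 5113 4512 734a ..;W@.....Q.E.sJ
0x0020: f941 1f40 f8fe 6812 e8fb 097c 707f 5010 .A.@..h....|p.P.
0x0030: ffff 040b 0000 4854 5450 2f31 2e31 2032 ......HTTP/1.1.2
0x0040: 3030 204f 4b0d 0a53 6572 7665 723a 2074 00.OK..Server:.t
0x0050: 6874 7470 642f 322e 3232 6265 7461 3420 httpd/2.22beta4.
0x0060: 3134 6e6f 7632 3030 310d 0a43 6f6e 7465 14nov2001..Conte
0x0070: 6e74 2d54 7970 653a 2069 6d61 6765 2f6a nt-Type:.image/j
0x0080: 7065 670d 0a44 6174 653a 2057 6564 2c20 peg..Date:.Wed,.
0x0090: 3032 204f 6374 2032 3030 3220 3134 3a31 02.Oct.2002.14:1
0x00a0: 323a 3434 2047 4d54 0d0a 4c61 7374 2d4d 2:44.GMT..Last-M
0x00b0: 6f64 6966 6965 643a 2057 6564 2c20 3032 odified:.Wed,.02
0x00c0: 204f 6374 2032 3030 3220 3132 3a35 323a .Oct.2002.12:52:
0x00d0: 3132 2047 4d54 0d0a 4163 6365 7074 2d52 12.GMT..Accept-R
0x00e0: 616e 6765 733a 2062 7974 6573 0d0a 436f anges:.bytes..Co
0x00f0: 6e6e 6563 7469 6f6e 3a20 636c 6f73 650d nnection:.close.
0x0100: 0a43 6f6e 7465 6e74 2d4c 656e 6774 683a .Content-Length:
0x0110: 2033 3635 390d 0a0d 0aff d8ff e000 104a .3659..........J
0x0120: 4649 4600 0102 0000 6400 6400 00ff ec00 FIF.....d.d.....
0x0130: 1144 7563 6b79 0001 0004 0000 000d 0000 .Ducky..........
0x0140: ffee 000e 4164 6f62 6500 64c0 0000 0001 ....Adobe.d.....
0x0150: ffdb 0084 0013 1010 1811 1826 1717 2630 ...........&..&0
0x0160: 251e 2530 2c25 2424 252c 3b33 3333 3333 %.%0,%$$%,;33333
0x0170: 3b43 3e3e 3e3e 3e3e 4343 4343 4343 4343 ;C>>>>>>CCCCCCCC
0x0180: 4343 4343 4343 4343 4343 4343 4343 4343 CCCCCCCCCCCCCCCC
0x0190: 4343 4343 4301 1418 181f 1b1f 2518 1825 CCCCC.......%..%
0x01a0: 3425 1f25 3443 3429 2934 4343 4340 3340 4%.%4C4))4CCC@3@
0x01b0: 4343 4343 4343 4343 4343 4343 4343 4343 CCCCCCCCCCCCCCCC
0x01c0: 4343 4343 4343 4343 4343 4343 4343 4343 CCCCCCCCCCCCCCCC
0x01d0: 4343 4343 4343 ffc0 0011 0800 7100 9603 CCCCCC......q...
"""
INC_EBX = 0x43  # x86 opcode for `inc ebx`; the Snort rule matches a run of these bytes
NOOP_RUN = 24   # minimum run length of the rule's content match: an assumption, not from the post
MARKERS = {0xD8: "SOI", 0xE0: "APP0", 0xEC: "APP12", 0xEE: "APP14", 0xDB: "DQT", 0xC0: "SOF0", 0xDA: "SOS"}

def parse_hexdump(text):
    """Rebuild the raw frame from tcpdump -X lines, stopping each line at the ASCII column."""
    out = bytearray()
    for m in re.finditer(r"^\s*0x([0-9a-f]+):\s+(.*)$", text, re.M):
        assert int(m.group(1), 16) == len(out), f"dump is not contiguous at offset 0x{m.group(1)}"
        for tok in m.group(2).split()[:8]:  # at most eight 16-bit groups per line
            if not re.fullmatch(r"[0-9a-f]{4}|[0-9a-f]{2}", tok):
                break                       # first non-hex token starts the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def tcp_payload(frame):
    """Ethernet -> IPv4 -> TCP; returns (src, sport, dst, dport, payload)."""
    assert frame[12:14] == b"\x08\x00", "not an IPv4 frame"
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:]                    # IHL gives the IPv4 header length
    src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]   # data offset gives TCP header length

def split_http(payload):
    """Split an HTTP message into (start line, header dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    start, *hdrs = head.decode("latin-1").split("\r\n")
    return start, {k.strip(): v.strip() for k, _, v in (h.partition(":") for h in hdrs)}, body

def jpeg_segments(body):
    """JPEG marker segments as (name, start, end), walked up to SOS or the end of the data."""
    segs, i = [], 0
    while i + 4 <= len(body) and body[i] == 0xFF:
        marker = body[i + 1]
        length = 0 if marker == 0xD8 else struct.unpack("!H", body[i + 2:i + 4])[0]  # SOI has no length
        segs.append((MARKERS.get(marker, f"FF{marker:02X}"), i, i + 2 + length))
        if marker == 0xDA: break                      # entropy-coded scan data follows SOS
        i += 2 + length
    return segs

def byte_runs(data, value, min_len):
    """(offset, length) of each run of byte `value` that is at least `min_len` long."""
    pattern = re.escape(bytes([value])) + b"{%d,}" % min_len
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]

def triage(dump):
    """Explain a SHELLCODE NOOP alert: the flow, what the payload is, where the matched bytes sit."""
    src, sport, dst, dport, payload = tcp_payload(parse_hexdump(dump))
    status, headers, body = split_http(payload)
    is_jfif = body[:4] == b"\xff\xd8\xff\xe0" and body[6:10] == b"JFIF"
    segs = jpeg_segments(body) if is_jfif else []
    runs = [(off, n, next((name for name, s, e in segs if s <= off < e), None))
            for off, n in byte_runs(body, INC_EBX, NOOP_RUN)]
    return {
        "flow": f"{src}:{sport} -> {dst}:{dport}",
        "status": status,
        "content_type": headers.get("Content-Type"),
        "jfif_magic": is_jfif,
        "inc_ebx_runs": runs,
        # explained by the image when headers and magic agree on JPEG and every run lies in a segment
        "image_explains_match": is_jfif and headers.get("Content-Type") == "image/jpeg"
                                and bool(runs) and all(seg for _, _, seg in runs),
    }
```

Running `triage(HEXDUMP)` on the quoted packet reports the flow `81.19.69.18:8000 -> 115.74.249.65:63742`, the status line `HTTP/1.1 200 OK`, `Content-Type: image/jpeg`, a valid JFIF header, and two runs of 0x43 (29 and 38 bytes long) that both fall inside the DQT (quantization table) segment of the image. That is the evidence for Joe's reading: a server reply from a fixed port to a client's ephemeral port, carrying an image whose table data happens to look like an `inc ebx` slide. Note the script only inspects the bytes in the capture; it does not contact the host, so the browser check Joe suggests is a separate step.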