[Intrusions] RE Question
Mike Chandler
mchandl1 at san.rr.com
Thu Apr 28 03:22:44 GMT 2005
I sent this email last Sunday hoping to find an answer. I'm a little
confused because a member of the list sent me a reply saying that the web
site came up correctly for him. I don't understand why, but I must report I
made a stupid mistake. I should have used the windump flag -s 1514 to see
the full return packet. I was being redirected from the original site.
My get request to right-thinking.com responded with the following response
referring me to the second site.
00b0 42 79 3a 20 50 48 50 2f 34 2e 33 2e 32 0d 0a 6c By: PHP/ 4.3.2..l
00c0 6f 63 61 74 69 6f 6e 3a 20 68 74 74 70 3a 2f 2f ocation: http://
00d0 74 63 72 63 2e 61 63 6f 72 2e 6f 72 67 2f 0d 0a tcrc.aco r.org/..
00e0 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content- Length:
00f0 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 0..Keep- Alive: t
0100 69 6d 65 6f 75 74 3d 31 35 2c 20 6d 61 78 3d 31 imeout=1 5, max=1
0110 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 00..Conn ection:
0120 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 Keep-Ali ve..Cont
0130 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 ent-Type : text/h
0140 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 tml; cha rset=UTF
0150 2d 38 0d 0a 0d 0a -8....
I'm guessing the site was compromised with one of the php exploits. Does
anyone care to comment on something other than how neglectful it was of me
to forget to capture the whole packet?
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Hey Guys and or Gals,
If you have time, I would sure appreciate it if you could take a look at
this. I am trying to get to a specific uri by clicking on a uri in a google
query response page. The uri is
"right-thinking.com/index.php/weblog/comments/9192/" but I'm redirected to
another page "http://tcrc.acor.org/". I did a packet capture of the
transaction and still don't see the redirect. Would you mind pointing it
out?
I flushed dns so the whole transaction should be there. Please see the
attached windump packet capture.