[Intrusions] RE Question

Esler, Joel - Contractor joel.esler at rcert-s.army.mil
Thu Apr 28 13:59:13 GMT 2005


Can you post a whole packet dump in here?  There could be a number of
reasons why..  Your box having spyware, your box being re-directed.  PHP
exploited box...  Any different number of things... A full packet dump
would help.

Joel

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Mike Chandler
Sent: Wednesday, April 27, 2005 11:23 PM
To: intrusions at lists.sans.org
Cc: root at 67.19.19.69; webmaster at 67.19.19.69
Subject: [Intrusions] RE Question


I sent this email last Sunday hoping to find an answer.  I'm a little
confused because a member of the list sent me a reply saying that the
web site came up correctly for him.  I don't understand why, but I must
report I made a stupid mistake.  I should have used the windump flag -s
1514 to see the full return packet.  I was being redirected from the
original site.

My GET request to right-thinking.com responded with the following
response, referring me to the second site.


00b0  42 79 3a 20 50 48 50 2f  34 2e 33 2e 32 0d 0a 6c   By: PHP/ 4.3.2..l
00c0  6f 63 61 74 69 6f 6e 3a  20 68 74 74 70 3a 2f 2f   ocation:  http://
00d0  74 63 72 63 2e 61 63 6f  72 2e 6f 72 67 2f 0d 0a   tcrc.aco r.org/..
00e0  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20   Content- Length:
00f0  30 0d 0a 4b 65 65 70 2d  41 6c 69 76 65 3a 20 74   0..Keep- Alive: t
0100  69 6d 65 6f 75 74 3d 31  35 2c 20 6d 61 78 3d 31   imeout=1 5, max=1
0110  30 30 0d 0a 43 6f 6e 6e  65 63 74 69 6f 6e 3a 20   00..Conn ection:
0120  4b 65 65 70 2d 41 6c 69  76 65 0d 0a 43 6f 6e 74   Keep-Ali ve..Cont
0130  65 6e 74 2d 54 79 70 65  3a 20 74 65 78 74 2f 68   ent-Type : text/h
0140  74 6d 6c 3b 20 63 68 61  72 73 65 74 3d 55 54 46   tml; cha rset=UTF
0150  2d 38 0d 0a 0d 0a                                  -8....


I'm guessing the site was compromised with one of the PHP exploits.
Does anyone care to comment on something other than how neglectful it
was of me to forget to capture the whole packet?

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Hey Guys and/or Gals,

If you have time, I would sure appreciate it if you could take a look at
this.  I am trying to get to a specific URI by clicking on a URI in a
Google query response page.  The URI is
"right-thinking.com/index.php/weblog/comments/9192/" but I'm redirected
to another page, "http://tcrc.acor.org/".  I did a packet capture of the
transaction and still don't see the redirect.  Would you mind pointing
it out?

I flushed dns so the whole transaction should be there.  Please see the
attached windump packet capture.
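The check this thread circles around, written out as an added example (it is not code posted by any list member): decode the hex dump quoted above back into bytes, pull the Location header out of the HTTP response, and decide whether it sends the client to a host other than the one requested. The same code shows why the header was missed the first time: it models what a capture with the old 68-byte default snaplen would have kept of this frame versus one taken with -s 1514. Assumptions, labelled in the code as well: the dump's offsets are frame offsets as Ethereal/windump print them, 68 bytes was the default snaplen in use, and the first decoded fragment ("By: PHP/4.3.2") is the tail of an X-Powered-By header whose start was not posted.

```python
"""Decode an Ethereal/windump-style hex dump of an HTTP response, pull out
the Location header and decide whether it sends the client off-site.

Added example for this thread, not code posted by any list member.  HEXDUMP
is constructed from the bytes quoted in the thread: frame offsets
0x00b0-0x0155 of the reply from right-thinking.com.  The start of the
response (status line, earlier headers) was not posted, so the first decoded
line is only the tail of a header (assumed to be X-Powered-By)."""
import string
from urllib.parse import urlsplit

# Hex dump as quoted in the thread (constructed sample input).
HEXDUMP = """\
00b0  42 79 3a 20 50 48 50 2f  34 2e 33 2e 32 0d 0a 6c   By: PHP/ 4.3.2..l
00c0  6f 63 61 74 69 6f 6e 3a  20 68 74 74 70 3a 2f 2f   ocation:  http://
00d0  74 63 72 63 2e 61 63 6f  72 2e 6f 72 67 2f 0d 0a   tcrc.aco r.org/..
00e0  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20   Content- Length:
00f0  30 0d 0a 4b 65 65 70 2d  41 6c 69 76 65 3a 20 74   0..Keep- Alive: t
0100  69 6d 65 6f 75 74 3d 31  35 2c 20 6d 61 78 3d 31   imeout=1 5, max=1
0110  30 30 0d 0a 43 6f 6e 6e  65 63 74 69 6f 6e 3a 20   00..Conn ection:
0120  4b 65 65 70 2d 41 6c 69  76 65 0d 0a 43 6f 6e 74   Keep-Ali ve..Cont
0130  65 6e 74 2d 54 79 70 65  3a 20 74 65 78 74 2f 68   ent-Type : text/h
0140  74 6d 6c 3b 20 63 68 61  72 73 65 74 3d 55 54 46   tml; cha rset=UTF
0150  2d 38 0d 0a 0d 0a                                  -8....
"""
DUMP_START = 0xB0          # assumed: offsets are frame offsets, first byte at 0xb0
OLD_DEFAULT_SNAPLEN = 68   # assumed: tcpdump/windump default snaplen of the era
FULL_SNAPLEN = 1514        # -s 1514: a whole Ethernet frame


def _is_hex_byte(tok: str) -> bool:
    return len(tok) == 2 and all(c in string.hexdigits for c in tok)


def hexdump_to_bytes(dump: str) -> bytes:
    """Take the hex byte columns of each line and ignore the ASCII column.
    Stopping at 16 bytes or at the first non-hex token keeps ASCII text
    such as '00..Conn' from being read as data."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        taken = 0
        for tok in tokens[1:]:           # tokens[0] is the offset column
            if taken == 16 or not _is_hex_byte(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def parse_headers(raw: bytes) -> dict:
    """Split an HTTP header block (possibly truncated, possibly starting
    mid-header) into a name -> value dict.  Header names are case-insensitive
    (RFC 2616 4.2), so the lowercase 'location:' PHP emitted is found too."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def redirect_target(headers: dict, requested_host: str):
    """Return the Location URL when it names a host other than the one the
    client asked for; None for no Location, a relative Location or same host."""
    loc = headers.get("location")
    if loc is None:
        return None
    host = urlsplit(loc).hostname
    if host is None or host.lower() == requested_host.lower():
        return None
    return loc


def captured_part(frame_bytes: bytes, start_offset: int, snaplen: int) -> bytes:
    """The part of this frame fragment a capture with the given snaplen would
    actually have written to the pcap (everything past snaplen is dropped)."""
    return frame_bytes[: max(0, snaplen - start_offset)]


def analyse(snaplen: int, requested_host: str = "right-thinking.com"):
    """Off-site redirect target visible in a capture taken with this snaplen."""
    raw = captured_part(hexdump_to_bytes(HEXDUMP), DUMP_START, snaplen)
    return redirect_target(parse_headers(raw), requested_host)


if __name__ == "__main__":
    for snaplen in (OLD_DEFAULT_SNAPLEN, FULL_SNAPLEN):
        print(f"snaplen {snaplen:4d}: redirect to {analyse(snaplen)}")
```

With the 68-byte snaplen nothing of this frame past the TCP header survives, so no Location header can be found; with -s 1514 the same dump yields http://tcrc.acor.org/. A relative Location, or one pointing back at the requested host, is reported as no redirect, which is what you want when hunting for a server that has been made to bounce visitors elsewhere.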



