[Intrusions] RE Question
Mike Chandler
mchandl1 at san.rr.com
Fri Apr 29 00:10:33 GMT 2005
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org]On Behalf Of Esler, Joel -
Contractor
Sent: Thursday, April 28, 2005 6:59 AM
To: Intrusions List (GCIA Practicals)
Subject: RE: [Intrusions] RE Question
Can you post a whole packet dump in here? There could be a number of
reasons why: your box having spyware, your box being redirected, a PHP-
exploited box... any number of things. A full packet dump would help.
Joel
=============================================================
Here ya go Joel,
This has gotten even more curious. I went to work and pointed my browser to
http://67.19.19.69 and I went to the correct site. That makes me think that
either Time Warner is modifying the packets at some web proxy in between my
system and the web site or I have some sort of spyware running on my
computer. If it is spyware, wow, I'm impressed. This isn't some redirection
of DNS, this is packet modification. If it is Time Warner, I'm outraged.
Anyway, here is the complete dump:
>Windump -s 0 -nXvvr redirect2.dmp
19:51:56.275377 arp who-has 192.168.1.162 tell 192.168.1.1
0x0000: 0001 0800 0604 0001 000c 410a ce10 c0a8 ..........A.....
0x0010: 0101 0000 0000 0000 c0a8 01a2 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
/*
 * This is the beginning of my three-way handshake with http://67.19.19.69.
 * DNS didn't come into play with this because I specified the IP address.
 */
19:52:06.460858 IP (tos 0x0, ttl 128, id 4845, offset 0, flags [DF], length:
48) 192.168.1.172.1195 > 67.19.19.69.80: S [tcp sum ok]
2154536782:2154536782(0) win 65535 <mss 1460,nop,nop,sackOK>
0x0000: 4500 0030 12ed 4000 8006 cf2e c0a8 01ac E..0..@.........
0x0010: 4313 1345 04ab 0050 806b 9f4e 0000 0000 C..E...P.k.N....
0x0020: 7002 ffff 45be 0000 0204 05b4 0101 0402 p...E...........
19:52:06.500041 IP (tos 0x80, ttl 52, id 0, offset 0, flags [DF], length:
48) 67.19.19.69.80 > 192.168.1.172.1195: S [tcp sum ok]
2996811387:2996811387(0) ack 2154536783 win 5840 <mss 1460,nop,nop,sackOK>
0x0000: 4580 0030 0000 4000 3406 2d9c 4313 1345 E..0..@.4.-.C..E
0x0010: c0a8 01ac 0050 04ab b29f b67b 806b 9f4f .....P.....{.k.O
0x0020: 7012 16d0 c5c1 0000 0204 05b4 0101 0402 p...............
19:52:06.500145 IP (tos 0x0, ttl 128, id 4846, offset 0, flags [DF], length:
40) 192.168.1.172.1195 > 67.19.19.69.80: . [bad tcp cksum 18c7 (->956)!]
1:1(0) ack 1 win 65535
0x0000: 4500 0028 12ee 4000 8006 cf35 c0a8 01ac E..(..@....5....
0x0010: 4313 1345 04ab 0050 806b 9f4f b29f b67c C..E...P.k.O...|
0x0020: 5010 ffff 18c7 0000 P.......
19:52:06.501038 IP (tos 0x0, ttl 128, id 4850, offset 0, flags [DF], length:
457) 192.168.1.172.1195 > 67.19.19.69.80: P [bad tcp cksum 1a68 (->e7de)!]
1:418(417) ack 1 win 65535
0x0000: 4500 01c9 12f2 4000 8006 cd90 c0a8 01ac E.....@.........
0x0010: 4313 1345 04ab 0050 806b 9f4f b29f b67c C..E...P.k.O...|
0x0020: 5018 ffff 1a68 0000 4745 5420 2f69 6e64 P....h..GET./ind
0x0030: 6578 2e70 6870 2f77 6562 6c6f 672f 636f ex.php/weblog/co
0x0040: 6d6d 656e 7473 2f39 3139 322f 2048 5454 mments/9192/.HTT
0x0050: 502f 312e 310d 0a41 6363 6570 743a 2069 P/1.1..Accept:.i
0x0060: 6d61 6765 2f67 6966 2c20 696d 6167 652f mage/gif,.image/
0x0070: 782d 7862 6974 6d61 702c 2069 6d61 6765 x-xbitmap,.image
0x0080: 2f6a 7065 672c 2069 6d61 6765 2f70 6a70 /jpeg,.image/pjp
0x0090: 6567 2c20 6170 706c 6963 6174 696f 6e2f eg,.application/
0x00a0: 782d 7368 6f63 6b77 6176 652d 666c 6173 x-shockwave-flas
0x00b0: 682c 2061 7070 6c69 6361 7469 6f6e 2f76 h,.application/v
0x00c0: 6e64 2e6d 732d 706f 7765 7270 6f69 6e74 nd.ms-powerpoint
0x00d0: 2c20 6170 706c 6963 6174 696f 6e2f 766e ,.application/vn
0x00e0: 642e 6d73 2d65 7863 656c 2c20 6170 706c d.ms-excel,.appl
0x00f0: 6963 6174 696f 6e2f 6d73 776f 7264 2c20 ication/msword,.
0x0100: 2a2f 2a0d 0a41 6363 6570 742d 4c61 6e67 */*..Accept-Lang
0x0110: 7561 6765 3a20 656e 2d75 730d 0a2d 2d2d uage:.en-us..---
0x0120: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 3a20 2d2d ------------:.--
0x0130: 2d2d 2d20 2d2d 2d2d 2d2d 2d0d 0a55 7365 ---.-------..Use
0x0140: 722d 4167 656e 743a 204d 6f7a 696c 6c61 r-Agent:.Mozilla
0x0150: 2f34 2e30 2028 636f 6d70 6174 6962 6c65 /4.0.(compatible
0x0160: 3b20 4d53 4945 2036 2e30 3b20 5769 6e64 ;.MSIE.6.0;.Wind
0x0170: 6f77 7320 4e54 2035 2e31 3b20 5356 313b ows.NT.5.1;.SV1;
0x0180: 202e 4e45 5420 434c 5220 312e 312e 3433 ..NET.CLR.1.1.43
0x0190: 3232 290d 0a48 6f73 743a 2072 6967 6874 22)..Host:.right
0x01a0: 2d74 6869 6e6b 696e 672e 636f 6d0d 0a43 -thinking.com..C
0x01b0: 6f6e 6e65 6374 696f 6e3a 204b 6565 702d onnection:.Keep-
0x01c0: 416c 6976 650d 0a0d 0a Alive....
19:52:06.543651 IP (tos 0x80, ttl 52, id 49113, offset 0, flags [DF],
length: 40) 67.19.19.69.80 > 192.168.1.172.1195: . [tcp sum ok] 1:1(0) ack
418 win 6432
0x0000: 4580 0028 bfd9 4000 3406 6dca 4313 1345 E..(..@.4.m.C..E
0x0010: c0a8 01ac 0050 04ab b29f b67c 806b a0f0 .....P.....|.k..
0x0020: 5010 1920 ee94 0000 0000 0000 0000 P.............
/*
* This is where I get redirected to http://tcrc.acor.org
*/
19:52:06.567894 IP (tos 0x80, ttl 52, id 49114, offset 0, flags [DF],
length: 328) 67.19.19.69.80 > 192.168.1.172.1195: P [tcp sum ok] 1:289(288)
ack 418 win 6432
0x0000: 4580 0148 bfda 4000 3406 6ca9 4313 1345 E..H..@.4.l.C..E
0x0010: c0a8 01ac 0050 04ab b29f b67c 806b a0f0 .....P.....|.k..
0x0020: 5018 1920 5d37 0000 4854 5450 2f31 2e31 P...]7..HTTP/1.1
0x0030: 2033 3032 2046 6f75 6e64 0d0a 4461 7465 .302.Found..Date
0x0040: 3a20 5468 752c 2032 3820 4170 7220 3230 :.Thu,.28.Apr.20
0x0050: 3035 2030 323a 3532 3a30 3020 474d 540d 05.02:52:00.GMT.
0x0060: 0a53 6572 7665 723a 2041 7061 6368 652f .Server:.Apache/
0x0070: 322e 302e 3436 2028 5265 6420 4861 7429 2.0.46.(Red.Hat)
0x0080: 0d0a 4163 6365 7074 2d52 616e 6765 733a ..Accept-Ranges:
0x0090: 2062 7974 6573 0d0a 582d 506f 7765 7265 .bytes..X-Powere
0x00a0: 642d 4279 3a20 5048 502f 342e 332e 320d d-By:.PHP/4.3.2.
0x00b0: 0a6c 6f63 6174 696f 6e3a 2068 7474 703a .location:.http:
0x00c0: 2f2f 7463 7263 2e61 636f 722e 6f72 672f //tcrc.acor.org/
0x00d0: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468 ..Content-Length
0x00e0: 3a20 300d 0a4b 6565 702d 416c 6976 653a :.0..Keep-Alive:
0x00f0: 2074 696d 656f 7574 3d31 352c 206d 6178 .timeout=15,.max
0x0100: 3d31 3030 0d0a 436f 6e6e 6563 7469 6f6e =100..Connection
0x0110: 3a20 4b65 6570 2d41 6c69 7665 0d0a 436f :.Keep-Alive..Co
0x0120: 6e74 656e 742d 5479 7065 3a20 7465 7874 ntent-Type:.text
0x0130: 2f68 746d 6c3b 2063 6861 7273 6574 3d55 /html;.charset=U
0x0140: 5446 2d38 0d0a 0d0a TF-8....
19:52:06.600230 IP (tos 0x0, ttl 128, id 4858, offset 0, flags [DF], length:
48) 192.168.1.172.1197 > 63.236.73.251.80: S [tcp sum ok]
396011596:396011596(0) win 65535 <mss 1460,nop,nop,sackOK>
0x0000: 4500 0030 12fa 4000 8006 9b92 c0a8 01ac E..0..@.........
0x0010: 3fec 49fb 04ad 0050 179a a84c 0000 0000 ?.I....P...L....
0x0020: 7002 ffff 7200 0000 0204 05b4 0101 0402 p...r...........
19:52:06.676579 IP (tos 0x0, ttl 128, id 4859, offset 0, flags [DF], length:
40) 192.168.1.172.1195 > 67.19.19.69.80: . [bad tcp cksum 18c7 (->7b5)!]
418:418(0) ack 289 win 65247
0x0000: 4500 0028 12fb 4000 8006 cf28 c0a8 01ac E..(..@....(....
0x0010: 4313 1345 04ab 0050 806b a0f0 b29f b79c C..E...P.k......
0x0020: 5010 fedf 18c7 0000 P.......
19:52:06.686277 IP (tos 0x80, ttl 51, id 63568, offset 0, flags [DF],
length: 48) 63.236.73.251.80 > 192.168.1.172.1197: S [tcp sum ok]
2059881:2059881(0) ack 396011597 win 32120 <mss 1460,nop,nop,sackOK>
0x0000: 4580 0030 f850 4000 3306 02bc 3fec 49fb E..0.P@.3...?.I.
0x0010: c0a8 01ac 0050 04ad 001f 6e69 179a a84d .....P....ni...M
0x0020: 7012 7d78 85ee 0000 0204 05b4 0101 0402 p.}x............
19:52:06.686359 IP (tos 0x0, ttl 128, id 4860, offset 0, flags [DF], length:
40) 192.168.1.172.1197 > 63.236.73.251.80: . [bad tcp cksum 4c56 (->302b)!]
1:1(0) ack 1 win 65535
0x0000: 4500 0028 12fc 4000 8006 9b98 c0a8 01ac E..(..@.........
0x0010: 3fec 49fb 04ad 0050 179a a84d 001f 6e6a ?.I....P...M..nj
0x0020: 5010 ffff 4c56 0000 P...LV..
19:52:06.687183 IP (tos 0x0, ttl 128, id 4864, offset 0, flags [DF], length:
429) 192.168.1.172.1197 > 63.236.73.251.80: P [bad tcp cksum 4ddb (->4de9)!]
1:390(389) ack 1 win 65535
0x0000: 4500 01ad 1300 4000 8006 9a0f c0a8 01ac E.....@.........
0x0010: 3fec 49fb 04ad 0050 179a a84d 001f 6e6a ?.I....P...M..nj
0x0020: 5018 ffff 4ddb 0000 4745 5420 2f69 643d P...M...GET./id=
0x0030: 3130 3534 3935 3326 7369 7a65 3d31 3032 1054953&size=102
0x0040: 3426 636f 6c6f 7273 3d33 3226 7265 6665 4&colors=32&refe
0x0050: 7265 723d 266a 6176 613d 7472 7565 2048 rer=&java=true.H
0x0060: 5454 502f 312e 310d 0a41 6363 6570 743a TTP/1.1..Accept:
0x0070: 202a 2f2a 0d0a 2d2d 2d2d 2d2d 2d3a 202d .*/*..-------:.-
0x0080: 2d2d 2d3a 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d ---:------------
0x0090: 2d2d 2d2d 0d0a 4163 6365 7074 2d4c 616e ----..Accept-Lan
0x00a0: 6775 6167 653a 2065 6e2d 7573 0d0a 2d2d guage:.en-us..--
0x00b0: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d3a 202d -------------:.-
0x00c0: 2d2d 2d2d 202d 2d2d 2d2d 2d2d 0d0a 4966 ----.-------..If
0x00d0: 2d4d 6f64 6966 6965 642d 5369 6e63 653a -Modified-Since:
0x00e0: 2054 6875 2c20 3238 2041 7072 2032 3030 .Thu,.28.Apr.200
0x00f0: 3520 3031 3a35 303a 3536 2047 4d54 3b20 5.01:50:56.GMT;.
0x0100: 6c65 6e67 7468 3d32 3830 0d0a 5573 6572 length=280..User
0x0110: 2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f -Agent:.Mozilla/
0x0120: 342e 3020 2863 6f6d 7061 7469 626c 653b 4.0.(compatible;
0x0130: 204d 5349 4520 362e 303b 2057 696e 646f .MSIE.6.0;.Windo
0x0140: 7773 204e 5420 352e 313b 2053 5631 3b20 ws.NT.5.1;.SV1;.
0x0150: 2e4e 4554 2043 4c52 2031 2e31 2e34 3332 .NET.CLR.1.1.432
0x0160: 3229 0d0a 486f 7374 3a20 6332 2e74 6865 2)..Host:.c2.the
0x0170: 636f 756e 7465 722e 636f 6d0d 0a43 6f6e counter.com..Con
0x0180: 6e65 6374 696f 6e3a 204b 6565 702d 416c nection:.Keep-Al
0x0190: 6976 650d 0a43 6f6f 6b69 653a 2056 5443 ive..Cookie:.VTC
0x01a0: 3130 3534 3935 333d 300d 0a0d 0a 1054953=0....
19:52:06.776796 IP (tos 0x80, ttl 51, id 63599, offset 0, flags [DF],
length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok] 1:1(0) ack
390 win 31731
0x0000: 4580 0028 f86f 4000 3306 02a5 3fec 49fb E..(.o@.3...?.I.
0x0010: c0a8 01ac 0050 04ad 001f 6e6a 179a a9d2 .....P....nj....
0x0020: 5010 7bf3 b2b2 0000 0000 0000 0000 P.{...........
19:52:06.779404 IP (tos 0x80, ttl 51, id 63604, offset 0, flags [DF],
length: 40) 63.236.73.251.80 > 192.168.1.172.1197: F [tcp sum ok] 637:637(0)
ack 390 win 32120
0x0000: 4580 0028 f874 4000 3306 02a0 3fec 49fb E..(.t@.3...?.I.
0x0010: c0a8 01ac 0050 04ad 001f 70e6 179a a9d2 .....P....p.....
0x0020: 5011 7d78 aeb0 0000 0000 0000 0000 P.}x..........
19:52:06.779455 IP (tos 0x0, ttl 128, id 4865, offset 0, flags [DF], length:
52) 192.168.1.172.1197 > 63.236.73.251.80: . [tcp sum ok] 390:390(0) ack 1
win 65535 <nop,nop,sack sack 1 {637:638} >
0x0000: 4500 0034 1301 4000 8006 9b87 c0a8 01ac E..4..@.........
0x0010: 3fec 49fb 04ad 0050 179a a9d2 001f 6e6a ?.I....P......nj
0x0020: 8010 ffff 1683 0000 0101 050a 001f 70e6 ..............p.
0x0030: 001f 70e7 ..p.
19:52:06.780265 IP (tos 0x80, ttl 51, id 63603, offset 0, flags [DF],
length: 676) 63.236.73.251.80 > 192.168.1.172.1197: P [tcp sum ok]
1:637(636) ack 390 win 32120
0x0000: 4580 02a4 f873 4000 3306 0025 3fec 49fb E....s@.3..%?.I.
0x0010: c0a8 01ac 0050 04ad 001f 6e6a 179a a9d2 .....P....nj....
0x0020: 5018 7d78 149a 0000 4854 5450 2f31 2e30 P.}x....HTTP/1.0
0x0030: 2032 3030 204f 4b0a 4461 7465 3a20 5468 .200.OK.Date:.Th
0x0040: 752c 2032 3820 4170 7220 3230 3035 2030 u,.28.Apr.2005.0
0x0050: 323a 3532 3a30 3020 474d 540a 5365 7276 2:52:00.GMT.Serv
0x0060: 6572 3a20 5468 6543 6f75 6e74 6572 2f32 er:.TheCounter/2
0x0070: 2e31 0a4c 6173 742d 4d6f 6469 6669 6564 .1.Last-Modified
0x0080: 3a20 5468 752c 2032 3820 4170 7220 3230 :.Thu,.28.Apr.20
0x0090: 3035 2030 323a 3532 3a30 3020 474d 540a 05.02:52:00.GMT.
0x00a0: 5072 6167 6d61 3a20 6e6f 2d63 6163 6865 Pragma:.no-cache
0x00b0: 0a43 6163 6865 2d63 6f6e 7472 6f6c 3a20 .Cache-control:.
0x00c0: 6e6f 2d63 6163 6865 2c20 6d75 7374 2d72 no-cache,.must-r
0x00d0: 6576 616c 6964 6174 650a 5033 503a 2043 evalidate.P3P:.C
0x00e0: 503d 224e 4f49 2044 5350 2043 4f52 2043 P="NOI.DSP.COR.C
0x00f0: 5552 6920 4144 4d69 2050 5341 6920 4f55 URi.ADMi.PSAi.OU
0x0100: 5220 5341 4d61 2049 4e44 2043 4f4d 204e R.SAMa.IND.COM.N
0x0110: 4156 2053 5441 220a 4578 7069 7265 733a AV.STA".Expires:
0x0120: 2054 6875 2c20 3238 2041 7072 2032 3030 .Thu,.28.Apr.200
0x0130: 3520 3032 3a35 323a 3030 2047 4d54 0a53 5.02:52:00.GMT.S
0x0140: 6574 2d43 6f6f 6b69 653a 2056 5443 3130 et-Cookie:.VTC10
0x0150: 3534 3935 333d 303b 5041 5448 3d2f 0a43 54953=0;PATH=/.C
0x0160: 6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365 onnection:.close
0x0170: 0a43 6f6e 7465 6e74 2d54 7970 653a 2069 .Content-Type:.i
0x0180: 6d61 6765 2f67 6966 0a0a 4749 4638 3761 mage/gif..GIF87a
0x0190: 3f00 0f00 8000 0000 0000 ffff ff2c 0000 ?............,..
0x01a0: 0000 3f00 0f00 0002 f984 8fa9 cbed 0fa3 ..?.............
0x01b0: 9c8e 2484 4df1 01e0 0e08 8c6f 0080 41f0 ..$.M......o..A.
0x01c0: 21c2 28be 01c0 0101 8800 00a0 0406 0060 !.(............`
0x01d0: 041f 222c 82e0 6344 2052 0230 0300 4202 ..",..cD.R.0..B.
0x01e0: 0010 4148 0000 2208 7e84 45dc 1d20 7108 ..AH..".~.E...q.
0x01f0: 3e44 2004 0500 8800 2020 0111 0004 2408 >D............$.
0x0200: 76c4 45dc 1d49 6004 3fe2 2e82 6053 7c00 v.E..I`.?...`S|.
0x0210: 0300 8a01 0066 4060 fc00 0003 4242 b023 .....f@`....BB.#
0x0220: 22ce 2801 0018 0001 0900 8a1f 041f 2220 ".(...........".
0x0230: 8202 4004 4410 9c30 330b 0a00 1001 4040 ..@.D..03.....@@
0x0240: 0200 2028 840f 1178 4141 0200 2028 607c ...(...xAA...(`|
0x0250: 23f8 1081 1104 23e2 2082 e043 045e 5090 #.....#....C.^P.
0x0260: 0000 080a e147 dc59 5000 8008 0002 1200 .....G.YP.......
0x0270: 0041 21fc 088b 38a0 0406 0060 043f c222 .A!...8....`.?."
0x0280: 0e28 0198 1900 81f1 01e0 0c08 00c5 0780 .(..............
0x0290: 3b82 0f11 47f1 093e a62e b73f 8c72 d26a ;...G..>...?.r.j
0x02a0: 2f29 003b /).;
19:52:06.780339 IP (tos 0x0, ttl 128, id 4866, offset 0, flags [DF], length:
40) 192.168.1.172.1197 > 63.236.73.251.80: . [bad tcp cksum 4c56 (->2ea5)!]
390:390(0) ack 638 win 64899
0x0000: 4500 0028 1302 4000 8006 9b92 c0a8 01ac E..(..@.........
0x0010: 3fec 49fb 04ad 0050 179a a9d2 001f 70e7 ?.I....P......p.
0x0020: 5010 fd83 4c56 0000 P...LV..
19:52:06.784504 IP (tos 0x0, ttl 128, id 4877, offset 0, flags [DF], length:
40) 192.168.1.172.1197 > 63.236.73.251.80: F [bad tcp cksum 4c56 (->2ea4)!]
390:390(0) ack 638 win 64899
0x0000: 4500 0028 130d 4000 8006 9b87 c0a8 01ac E..(..@.........
0x0010: 3fec 49fb 04ad 0050 179a a9d2 001f 70e7 ?.I....P......p.
0x0020: 5011 fd83 4c56 0000 P...LV..
19:52:06.872915 IP (tos 0x80, ttl 51, id 63628, offset 0, flags [DF],
length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok] 638:638(0)
ack 391 win 32120
0x0000: 4580 0028 f88c 4000 3306 0288 3fec 49fb E..(..@.3...?.I.
0x0010: c0a8 01ac 0050 04ad 001f 70e7 179a a9d3 .....P....p.....
0x0020: 5010 7d78 aeaf 0000 0000 0000 0000 P.}x..........
==============================================================
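The redirect in the dump above, pulled out mechanically rather than by eye. This is an added example written for this page, not code posted by anyone in the thread: it rebuilds the 302 packet from the windump -X hex lines, strips the IP and TCP headers, reads the HTTP headers case-insensitively (the server sent "location:" in lowercase, which a case-sensitive search for "Location:" would miss) and flags a 3xx whose Location host differs from the Host the browser asked for. It also shows what a capture taken with the old small default snaplen keeps of that packet, which is the mistake the earlier message in this thread describes. Assumptions that are not in the original: an Ethernet link layer (14 bytes, which the -X dump does not show), 68 bytes as the tcpdump/windump default snaplen of that era, and the function and constant names.

```python
"""Parse a windump/tcpdump '-X' hex dump, strip the IP and TCP headers and
flag an HTTP redirect that sends the browser to a host it did not ask for.
Added example for this thread, not code posted by any of its participants."""
import re
from urllib.parse import urlsplit

# The 302 response packet from the thread above (windump -s 0 -nXvvr),
# transcribed verbatim; only the hex columns are parsed.
RESPONSE_DUMP = """\
0x0000: 4580 0148 bfda 4000 3406 6ca9 4313 1345 E..H..@.4.l.C..E
0x0010: c0a8 01ac 0050 04ab b29f b67c 806b a0f0 .....P.....|.k..
0x0020: 5018 1920 5d37 0000 4854 5450 2f31 2e31 P...]7..HTTP/1.1
0x0030: 2033 3032 2046 6f75 6e64 0d0a 4461 7465 .302.Found..Date
0x0040: 3a20 5468 752c 2032 3820 4170 7220 3230 :.Thu,.28.Apr.20
0x0050: 3035 2030 323a 3532 3a30 3020 474d 540d 05.02:52:00.GMT.
0x0060: 0a53 6572 7665 723a 2041 7061 6368 652f .Server:.Apache/
0x0070: 322e 302e 3436 2028 5265 6420 4861 7429 2.0.46.(Red.Hat)
0x0080: 0d0a 4163 6365 7074 2d52 616e 6765 733a ..Accept-Ranges:
0x0090: 2062 7974 6573 0d0a 582d 506f 7765 7265 .bytes..X-Powere
0x00a0: 642d 4279 3a20 5048 502f 342e 332e 320d d-By:.PHP/4.3.2.
0x00b0: 0a6c 6f63 6174 696f 6e3a 2068 7474 703a .location:.http:
0x00c0: 2f2f 7463 7263 2e61 636f 722e 6f72 672f //tcrc.acor.org/
0x00d0: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468 ..Content-Length
0x00e0: 3a20 300d 0a4b 6565 702d 416c 6976 653a :.0..Keep-Alive:
0x00f0: 2074 696d 656f 7574 3d31 352c 206d 6178 .timeout=15,.max
0x0100: 3d31 3030 0d0a 436f 6e6e 6563 7469 6f6e =100..Connection
0x0110: 3a20 4b65 6570 2d41 6c69 7665 0d0a 436f :.Keep-Alive..Co
0x0120: 6e74 656e 742d 5479 7065 3a20 7465 7874 ntent-Type:.text
0x0130: 2f68 746d 6c3b 2063 6861 7273 6574 3d55 /html;.charset=U
0x0140: 5446 2d38 0d0a 0d0a TF-8....
"""
REQUESTED_HOST = "right-thinking.com"  # Host: header of the GET in the thread

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'OFFSET: hexwords... ASCII' lines.  Stop at 16
    bytes per line or the first non-hex token, so the ASCII column is skipped
    even where the archive collapsed the whitespace between the columns."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x([0-9a-fA-F]+):\s*(.*)$", line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"gap in dump at offset {offset:#x}")
        for tok in m.group(2).split():
            if len(out) - offset >= 16 or not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def tcp_payload(packet: bytes) -> bytes:
    """Strip IPv4 + TCP headers; the '-X' dump starts at the IP header and the
    IP total length bounds the payload."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:total_len]

def parse_http_response(payload: bytes):
    """Return (status, headers) with header names lowercased: names are
    case-insensitive and this server sent 'location:', which a grep for
    'Location:' would miss.  CRLF and bare LF line endings are both accepted."""
    text = payload.decode("latin-1")
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    version, status, *_ = lines[0].split()
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(status), headers

def redirect_target(payload: bytes):
    """(status, Location) for a 3xx response that carries Location, else None."""
    status, headers = parse_http_response(payload)
    if 300 <= status < 400 and "location" in headers:
        return status, headers["location"]
    return None

def is_offsite_redirect(requested_host: str, location: str) -> bool:
    """True when Location names a different host than the browser asked for;
    a relative Location (no host) stays on-site.  Case and port are ignored."""
    target = urlsplit(location).hostname
    return target is not None and target != requested_host.split(":")[0].lower()

def visible_with_snaplen(packet: bytes, snaplen: int, link_hdr: int = 14) -> bytes:
    """Bytes a capture taken with '-s snaplen' keeps of this packet.  The dump
    omits the link-layer header, assumed here to be 14-byte Ethernet."""
    return packet[:max(0, snaplen - link_hdr)]

if __name__ == "__main__":
    packet = hexdump_to_bytes(RESPONSE_DUMP)
    hit = redirect_target(tcp_payload(packet))
    print("full capture:", hit, "offsite" if hit and is_offsite_redirect(REQUESTED_HOST, hit[1]) else "")
    print("68-byte snaplen:", redirect_target(tcp_payload(visible_with_snaplen(packet, 68))))
```

The 68-byte run returns None: 68 bytes minus the 14-byte Ethernet header leaves 54 bytes, exactly the IP and TCP headers plus 14 bytes of payload ("HTTP/1.1 302 F"), so the Location header never reached the capture file. Two things worth checking in the dump itself: the "bad tcp cksum" warnings appear only on packets leaving 192.168.1.172, the usual sign of TCP checksum offload on the capturing host rather than of tampering; and the 302 arrives in the same TCP stream with the same TTL (52) and the next IP ID (49114 after 49113) as the server's ACK, which is consistent with the response coming from the server end of the connection, although that alone does not distinguish the site's own PHP code from a device on the server's path rewriting replies.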
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Mike Chandler
Sent: Wednesday, April 27, 2005 11:23 PM
To: intrusions at lists.sans.org
Cc: root at 67.19.19.69; webmaster at 67.19.19.69
Subject: [Intrusions] RE Question
I sent this email last Sunday hoping to find an answer. I'm a little
confused because a member of the list sent me a reply saying that the
web site came up correctly for him. I don't understand why, but I must
report I made a stupid mistake. I should have used the windump flag -s
1514 to see the full return packet. I was being redirected by the original
site.
My get request to right-thinking.com responded with the following
response referring me to the second site.
00b0 42 79 3a 20 50 48 50 2f 34 2e 33 2e 32 0d 0a 6c   By: PHP/ 4.3.2..l
00c0 6f 63 61 74 69 6f 6e 3a 20 68 74 74 70 3a 2f 2f   ocation:  http://
00d0 74 63 72 63 2e 61 63 6f 72 2e 6f 72 67 2f 0d 0a   tcrc.aco r.org/..
00e0 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20   Content- Length: 
00f0 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74   0..Keep- Alive: t
0100 69 6d 65 6f 75 74 3d 31 35 2c 20 6d 61 78 3d 31   imeout=1 5, max=1
0110 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20   00..Conn ection: 
0120 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74   Keep-Ali ve..Cont
0130 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68   ent-Type : text/h
0140 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46   tml; cha rset=UTF
0150 2d 38 0d 0a 0d 0a                                 -8....
I'm guessing the site was compromised with one of the PHP exploits.
Does anyone care to comment on something other than how neglectful it
was of me to forget to capture the whole packet?
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Hey Guys and/or Gals,
If you have time, I would sure appreciate it if you could take a look at
this. I am trying to get to a specific URI by clicking on a URI in a
Google query response page. The URI is
"right-thinking.com/index.php/weblog/comments/9192/" but I'm redirected
to another page, "http://tcrc.acor.org/". I did a packet capture of the
transaction and still don't see the redirect. Would you mind pointing
it out?
I flushed DNS so the whole transaction should be there. Please see the
attached windump packet capture.
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions