[Intrusions] RE Question

Joel Esler esler at knology.net
Sat Apr 30 13:30:46 GMT 2005


I'd hate to be hasty about it, as I am still lying in bed this
morning... *yawn*

My thoughts are... DNS poisoning; however, that may not be the case,
because it appears to me that the 67.19 IP, the right-thinking.com IP,
is forcibly redirecting you to tcrc.acor.org.

I tried both IPs from here (my ISP is knology.net) and they both come
up correctly.  I checked the source code of the right-thinking.com IP's
webpage, and I don't see anything to lead me to believe that it
redirects based on browser or anything like that.  I tried it with a
couple of different browsers and they all worked fine.

Rather strange.



On Apr 29, 2005, at 8:40 PM, Mike Chandler wrote:

> O.K. So I did a bad job of explaining what I posted.  I'll try again.
> From work I can access the web site
> http://right-thinking.com/index.php/weblog/comments/9192/ using the URI
> or using http://67.19.19.69.  From home behind my cable modem and
> Linksys router, when I access the site using the URI or the IP address,
> I'm redirected to http://tcrc.acor.org/.  This happens from my Windows
> box or my Linux box.  The packet capture below is from a capture I did
> when I typed the URI into my web browser on the Windows box.  The
> packet capture looks the same when I type the IP address into my
> browser except the GET request to right-thinking.com looks a little
> different.  The only thing that makes sense is that the web server is
> making choices on what to return to a web browser based on IP address
> range.  I've done a whois on the server and I'll contact the system
> administrator to get his take on my diagnosis.
> Thanks for your patience in my learning experience.
>
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Esler, Joel - Contractor
> Sent: Thursday, April 28, 2005 6:59 AM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] RE Question
>
>
> Can you post a whole packet dump in here?  There could be a number of
> reasons why...  Your box having spyware, your box being redirected, a
> PHP-exploited box...  Any number of different things...  A full packet
> dump would help.
>
> Joel
> =============================================================
> Here ya go Joel,
>
> This has gotten even more curious.  I went to work and pointed my
> browser to http://67.19.19.69 and I went to the correct site.  That
> makes me think that either Time Warner is modifying the packets at some
> web proxy in between my system and the web site or I have some sort of
> spyware running on my computer.  If it is spyware, wow, I'm impressed.
> This isn't some redirection of DNS; this is packet modification.  If it
> is Time Warner, I'm outraged.
> Anyway, here is the complete dump:
>
>
>> Windump -s 0 -nXvvr redirect2.dmp
>
> 19:51:56.275377 arp who-has 192.168.1.162 tell 192.168.1.1
> 	0x0000:  0001 0800 0604 0001 000c 410a ce10 c0a8  ..........A.....
> 	0x0010:  0101 0000 0000 0000 c0a8 01a2 0000 0000  ................
> 	0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
> /*
>  * This is the beginning of my three-way handshake with http://67.19.19.69.
>  * DNS didn't come into play with this because I specified the IP address.
>  */
> 19:52:06.460858 IP (tos 0x0, ttl 128, id 4845, offset 0, flags [DF], length: 48) 192.168.1.172.1195 > 67.19.19.69.80: S [tcp sum ok] 2154536782:2154536782(0) win 65535 <mss 1460,nop,nop,sackOK>
> 	0x0000:  4500 0030 12ed 4000 8006 cf2e c0a8 01ac  E..0..@.........
> 	0x0010:  4313 1345 04ab 0050 806b 9f4e 0000 0000  C..E...P.k.N....
> 	0x0020:  7002 ffff 45be 0000 0204 05b4 0101 0402  p...E...........
> 19:52:06.500041 IP (tos 0x80, ttl  52, id 0, offset 0, flags [DF], length: 48) 67.19.19.69.80 > 192.168.1.172.1195: S [tcp sum ok] 2996811387:2996811387(0) ack 2154536783 win 5840 <mss 1460,nop,nop,sackOK>
> 	0x0000:  4580 0030 0000 4000 3406 2d9c 4313 1345  E..0..@.4.-.C..E
> 	0x0010:  c0a8 01ac 0050 04ab b29f b67b 806b 9f4f  .....P.....{.k.O
> 	0x0020:  7012 16d0 c5c1 0000 0204 05b4 0101 0402  p...............
> 19:52:06.500145 IP (tos 0x0, ttl 128, id 4846, offset 0, flags [DF], length: 40) 192.168.1.172.1195 > 67.19.19.69.80: . [bad tcp cksum 18c7 (->956)!] 1:1(0) ack 1 win 65535
> 	0x0000:  4500 0028 12ee 4000 8006 cf35 c0a8 01ac  E..(..@....5....
> 	0x0010:  4313 1345 04ab 0050 806b 9f4f b29f b67c  C..E...P.k.O...|
> 	0x0020:  5010 ffff 18c7 0000                      P.......
> 19:52:06.501038 IP (tos 0x0, ttl 128, id 4850, offset 0, flags [DF], length: 457) 192.168.1.172.1195 > 67.19.19.69.80: P [bad tcp cksum 1a68 (->e7de)!] 1:418(417) ack 1 win 65535
> 	0x0000:  4500 01c9 12f2 4000 8006 cd90 c0a8 01ac  E.....@.........
> 	0x0010:  4313 1345 04ab 0050 806b 9f4f b29f b67c  C..E...P.k.O...|
> 	0x0020:  5018 ffff 1a68 0000 4745 5420 2f69 6e64  P....h..GET./ind
> 	0x0030:  6578 2e70 6870 2f77 6562 6c6f 672f 636f  ex.php/weblog/co
> 	0x0040:  6d6d 656e 7473 2f39 3139 322f 2048 5454  mments/9192/.HTT
> 	0x0050:  502f 312e 310d 0a41 6363 6570 743a 2069  P/1.1..Accept:.i
> 	0x0060:  6d61 6765 2f67 6966 2c20 696d 6167 652f  mage/gif,.image/
> 	0x0070:  782d 7862 6974 6d61 702c 2069 6d61 6765  x-xbitmap,.image
> 	0x0080:  2f6a 7065 672c 2069 6d61 6765 2f70 6a70  /jpeg,.image/pjp
> 	0x0090:  6567 2c20 6170 706c 6963 6174 696f 6e2f  eg,.application/
> 	0x00a0:  782d 7368 6f63 6b77 6176 652d 666c 6173  x-shockwave-flas
> 	0x00b0:  682c 2061 7070 6c69 6361 7469 6f6e 2f76  h,.application/v
> 	0x00c0:  6e64 2e6d 732d 706f 7765 7270 6f69 6e74  nd.ms-powerpoint
> 	0x00d0:  2c20 6170 706c 6963 6174 696f 6e2f 766e  ,.application/vn
> 	0x00e0:  642e 6d73 2d65 7863 656c 2c20 6170 706c  d.ms-excel,.appl
> 	0x00f0:  6963 6174 696f 6e2f 6d73 776f 7264 2c20  ication/msword,.
> 	0x0100:  2a2f 2a0d 0a41 6363 6570 742d 4c61 6e67  */*..Accept-Lang
> 	0x0110:  7561 6765 3a20 656e 2d75 730d 0a2d 2d2d  uage:.en-us..---
> 	0x0120:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 3a20 2d2d  ------------:.--
> 	0x0130:  2d2d 2d20 2d2d 2d2d 2d2d 2d0d 0a55 7365  ---.-------..Use
> 	0x0140:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
> 	0x0150:  2f34 2e30 2028 636f 6d70 6174 6962 6c65  /4.0.(compatible
> 	0x0160:  3b20 4d53 4945 2036 2e30 3b20 5769 6e64  ;.MSIE.6.0;.Wind
> 	0x0170:  6f77 7320 4e54 2035 2e31 3b20 5356 313b  ows.NT.5.1;.SV1;
> 	0x0180:  202e 4e45 5420 434c 5220 312e 312e 3433  ..NET.CLR.1.1.43
> 	0x0190:  3232 290d 0a48 6f73 743a 2072 6967 6874  22)..Host:.right
> 	0x01a0:  2d74 6869 6e6b 696e 672e 636f 6d0d 0a43  -thinking.com..C
> 	0x01b0:  6f6e 6e65 6374 696f 6e3a 204b 6565 702d  onnection:.Keep-
> 	0x01c0:  416c 6976 650d 0a0d 0a                   Alive....
> 19:52:06.543651 IP (tos 0x80, ttl  52, id 49113, offset 0, flags [DF], length: 40) 67.19.19.69.80 > 192.168.1.172.1195: . [tcp sum ok] 1:1(0) ack 418 win 6432
> 	0x0000:  4580 0028 bfd9 4000 3406 6dca 4313 1345  E..(..@.4.m.C..E
> 	0x0010:  c0a8 01ac 0050 04ab b29f b67c 806b a0f0  .....P.....|.k..
> 	0x0020:  5010 1920 ee94 0000 0000 0000 0000       P.............
> /*
>  * This is where I get redirected to http://tcrc.acor.org
>  */
> 19:52:06.567894 IP (tos 0x80, ttl  52, id 49114, offset 0, flags [DF], length: 328) 67.19.19.69.80 > 192.168.1.172.1195: P [tcp sum ok] 1:289(288) ack 418 win 6432
> 	0x0000:  4580 0148 bfda 4000 3406 6ca9 4313 1345  E..H..@.4.l.C..E
> 	0x0010:  c0a8 01ac 0050 04ab b29f b67c 806b a0f0  .....P.....|.k..
> 	0x0020:  5018 1920 5d37 0000 4854 5450 2f31 2e31  P...]7..HTTP/1.1
> 	0x0030:  2033 3032 2046 6f75 6e64 0d0a 4461 7465  .302.Found..Date
> 	0x0040:  3a20 5468 752c 2032 3820 4170 7220 3230  :.Thu,.28.Apr.20
> 	0x0050:  3035 2030 323a 3532 3a30 3020 474d 540d  05.02:52:00.GMT.
> 	0x0060:  0a53 6572 7665 723a 2041 7061 6368 652f  .Server:.Apache/
> 	0x0070:  322e 302e 3436 2028 5265 6420 4861 7429  2.0.46.(Red.Hat)
> 	0x0080:  0d0a 4163 6365 7074 2d52 616e 6765 733a  ..Accept-Ranges:
> 	0x0090:  2062 7974 6573 0d0a 582d 506f 7765 7265  .bytes..X-Powere
> 	0x00a0:  642d 4279 3a20 5048 502f 342e 332e 320d  d-By:.PHP/4.3.2.
> 	0x00b0:  0a6c 6f63 6174 696f 6e3a 2068 7474 703a  .location:.http:
> 	0x00c0:  2f2f 7463 7263 2e61 636f 722e 6f72 672f  //tcrc.acor.org/
> 	0x00d0:  0d0a 436f 6e74 656e 742d 4c65 6e67 7468  ..Content-Length
> 	0x00e0:  3a20 300d 0a4b 6565 702d 416c 6976 653a  :.0..Keep-Alive:
> 	0x00f0:  2074 696d 656f 7574 3d31 352c 206d 6178  .timeout=15,.max
> 	0x0100:  3d31 3030 0d0a 436f 6e6e 6563 7469 6f6e  =100..Connection
> 	0x0110:  3a20 4b65 6570 2d41 6c69 7665 0d0a 436f  :.Keep-Alive..Co
> 	0x0120:  6e74 656e 742d 5479 7065 3a20 7465 7874  ntent-Type:.text
> 	0x0130:  2f68 746d 6c3b 2063 6861 7273 6574 3d55  /html;.charset=U
> 	0x0140:  5446 2d38 0d0a 0d0a                      TF-8....
> 19:52:06.600230 IP (tos 0x0, ttl 128, id 4858, offset 0, flags [DF], length: 48) 192.168.1.172.1197 > 63.236.73.251.80: S [tcp sum ok] 396011596:396011596(0) win 65535 <mss 1460,nop,nop,sackOK>
> 	0x0000:  4500 0030 12fa 4000 8006 9b92 c0a8 01ac  E..0..@.........
> 	0x0010:  3fec 49fb 04ad 0050 179a a84c 0000 0000  ?.I....P...L....
> 	0x0020:  7002 ffff 7200 0000 0204 05b4 0101 0402  p...r...........
> 19:52:06.676579 IP (tos 0x0, ttl 128, id 4859, offset 0, flags [DF], length: 40) 192.168.1.172.1195 > 67.19.19.69.80: . [bad tcp cksum 18c7 (->7b5)!] 418:418(0) ack 289 win 65247
> 	0x0000:  4500 0028 12fb 4000 8006 cf28 c0a8 01ac  E..(..@....(....
> 	0x0010:  4313 1345 04ab 0050 806b a0f0 b29f b79c  C..E...P.k......
> 	0x0020:  5010 fedf 18c7 0000                      P.......
> 19:52:06.686277 IP (tos 0x80, ttl  51, id 63568, offset 0, flags [DF], length: 48) 63.236.73.251.80 > 192.168.1.172.1197: S [tcp sum ok] 2059881:2059881(0) ack 396011597 win 32120 <mss 1460,nop,nop,sackOK>
> 	0x0000:  4580 0030 f850 4000 3306 02bc 3fec 49fb  E..0.P@.3...?.I.
> 	0x0010:  c0a8 01ac 0050 04ad 001f 6e69 179a a84d  .....P....ni...M
> 	0x0020:  7012 7d78 85ee 0000 0204 05b4 0101 0402  p.}x............
> 19:52:06.686359 IP (tos 0x0, ttl 128, id 4860, offset 0, flags [DF], length: 40) 192.168.1.172.1197 > 63.236.73.251.80: . [bad tcp cksum 4c56 (->302b)!] 1:1(0) ack 1 win 65535
> 	0x0000:  4500 0028 12fc 4000 8006 9b98 c0a8 01ac  E..(..@.........
> 	0x0010:  3fec 49fb 04ad 0050 179a a84d 001f 6e6a  ?.I....P...M..nj
> 	0x0020:  5010 ffff 4c56 0000                      P...LV..
> 19:52:06.687183 IP (tos 0x0, ttl 128, id 4864, offset 0, flags [DF], length: 429) 192.168.1.172.1197 > 63.236.73.251.80: P [bad tcp cksum 4ddb (->4de9)!] 1:390(389) ack 1 win 65535
> 	0x0000:  4500 01ad 1300 4000 8006 9a0f c0a8 01ac  E.....@.........
> 	0x0010:  3fec 49fb 04ad 0050 179a a84d 001f 6e6a  ?.I....P...M..nj
> 	0x0020:  5018 ffff 4ddb 0000 4745 5420 2f69 643d  P...M...GET./id=
> 	0x0030:  3130 3534 3935 3326 7369 7a65 3d31 3032  1054953&size=102
> 	0x0040:  3426 636f 6c6f 7273 3d33 3226 7265 6665  4&colors=32&refe
> 	0x0050:  7265 723d 266a 6176 613d 7472 7565 2048  rer=&java=true.H
> 	0x0060:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:
> 	0x0070:  202a 2f2a 0d0a 2d2d 2d2d 2d2d 2d3a 202d  .*/*..-------:.-
> 	0x0080:  2d2d 2d3a 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ---:------------
> 	0x0090:  2d2d 2d2d 0d0a 4163 6365 7074 2d4c 616e  ----..Accept-Lan
> 	0x00a0:  6775 6167 653a 2065 6e2d 7573 0d0a 2d2d  guage:.en-us..--
> 	0x00b0:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d3a 202d  -------------:.-
> 	0x00c0:  2d2d 2d2d 202d 2d2d 2d2d 2d2d 0d0a 4966  ----.-------..If
> 	0x00d0:  2d4d 6f64 6966 6965 642d 5369 6e63 653a  -Modified-Since:
> 	0x00e0:  2054 6875 2c20 3238 2041 7072 2032 3030  .Thu,.28.Apr.200
> 	0x00f0:  3520 3031 3a35 303a 3536 2047 4d54 3b20  5.01:50:56.GMT;.
> 	0x0100:  6c65 6e67 7468 3d32 3830 0d0a 5573 6572  length=280..User
> 	0x0110:  2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f  -Agent:.Mozilla/
> 	0x0120:  342e 3020 2863 6f6d 7061 7469 626c 653b  4.0.(compatible;
> 	0x0130:  204d 5349 4520 362e 303b 2057 696e 646f  .MSIE.6.0;.Windo
> 	0x0140:  7773 204e 5420 352e 313b 2053 5631 3b20  ws.NT.5.1;.SV1;.
> 	0x0150:  2e4e 4554 2043 4c52 2031 2e31 2e34 3332  .NET.CLR.1.1.432
> 	0x0160:  3229 0d0a 486f 7374 3a20 6332 2e74 6865  2)..Host:.c2.the
> 	0x0170:  636f 756e 7465 722e 636f 6d0d 0a43 6f6e  counter.com..Con
> 	0x0180:  6e65 6374 696f 6e3a 204b 6565 702d 416c  nection:.Keep-Al
> 	0x0190:  6976 650d 0a43 6f6f 6b69 653a 2056 5443  ive..Cookie:.VTC
> 	0x01a0:  3130 3534 3935 333d 300d 0a0d 0a         1054953=0....
> 19:52:06.776796 IP (tos 0x80, ttl  51, id 63599, offset 0, flags [DF], length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok] 1:1(0) ack 390 win 31731
> 	0x0000:  4580 0028 f86f 4000 3306 02a5 3fec 49fb  E..(.o@.3...?.I.
> 	0x0010:  c0a8 01ac 0050 04ad 001f 6e6a 179a a9d2  .....P....nj....
> 	0x0020:  5010 7bf3 b2b2 0000 0000 0000 0000       P.{...........
> 19:52:06.779404 IP (tos 0x80, ttl  51, id 63604, offset 0, flags [DF], length: 40) 63.236.73.251.80 > 192.168.1.172.1197: F [tcp sum ok] 637:637(0) ack 390 win 32120
> 	0x0000:  4580 0028 f874 4000 3306 02a0 3fec 49fb  E..(.t@.3...?.I.
> 	0x0010:  c0a8 01ac 0050 04ad 001f 70e6 179a a9d2  .....P....p.....
> 	0x0020:  5011 7d78 aeb0 0000 0000 0000 0000       P.}x..........
> 19:52:06.779455 IP (tos 0x0, ttl 128, id 4865, offset 0, flags [DF], length: 52) 192.168.1.172.1197 > 63.236.73.251.80: . [tcp sum ok] 390:390(0) ack 1 win 65535 <nop,nop,sack sack 1 {637:638} >
> 	0x0000:  4500 0034 1301 4000 8006 9b87 c0a8 01ac  E..4..@.........
> 	0x0010:  3fec 49fb 04ad 0050 179a a9d2 001f 6e6a  ?.I....P......nj
> 	0x0020:  8010 ffff 1683 0000 0101 050a 001f 70e6  ..............p.
> 	0x0030:  001f 70e7                                ..p.
> 19:52:06.780265 IP (tos 0x80, ttl  51, id 63603, offset 0, flags [DF], length: 676) 63.236.73.251.80 > 192.168.1.172.1197: P [tcp sum ok] 1:637(636) ack 390 win 32120
> 	0x0000:  4580 02a4 f873 4000 3306 0025 3fec 49fb  E....s@.3..%?.I.
> 	0x0010:  c0a8 01ac 0050 04ad 001f 6e6a 179a a9d2  .....P....nj....
> 	0x0020:  5018 7d78 149a 0000 4854 5450 2f31 2e30  P.}x....HTTP/1.0
> 	0x0030:  2032 3030 204f 4b0a 4461 7465 3a20 5468  .200.OK.Date:.Th
> 	0x0040:  752c 2032 3820 4170 7220 3230 3035 2030  u,.28.Apr.2005.0
> 	0x0050:  323a 3532 3a30 3020 474d 540a 5365 7276  2:52:00.GMT.Serv
> 	0x0060:  6572 3a20 5468 6543 6f75 6e74 6572 2f32  er:.TheCounter/2
> 	0x0070:  2e31 0a4c 6173 742d 4d6f 6469 6669 6564  .1.Last-Modified
> 	0x0080:  3a20 5468 752c 2032 3820 4170 7220 3230  :.Thu,.28.Apr.20
> 	0x0090:  3035 2030 323a 3532 3a30 3020 474d 540a  05.02:52:00.GMT.
> 	0x00a0:  5072 6167 6d61 3a20 6e6f 2d63 6163 6865  Pragma:.no-cache
> 	0x00b0:  0a43 6163 6865 2d63 6f6e 7472 6f6c 3a20  .Cache-control:.
> 	0x00c0:  6e6f 2d63 6163 6865 2c20 6d75 7374 2d72  no-cache,.must-r
> 	0x00d0:  6576 616c 6964 6174 650a 5033 503a 2043  evalidate.P3P:.C
> 	0x00e0:  503d 224e 4f49 2044 5350 2043 4f52 2043  P="NOI.DSP.COR.C
> 	0x00f0:  5552 6920 4144 4d69 2050 5341 6920 4f55  URi.ADMi.PSAi.OU
> 	0x0100:  5220 5341 4d61 2049 4e44 2043 4f4d 204e  R.SAMa.IND.COM.N
> 	0x0110:  4156 2053 5441 220a 4578 7069 7265 733a  AV.STA".Expires:
> 	0x0120:  2054 6875 2c20 3238 2041 7072 2032 3030  .Thu,.28.Apr.200
> 	0x0130:  3520 3032 3a35 323a 3030 2047 4d54 0a53  5.02:52:00.GMT.S
> 	0x0140:  6574 2d43 6f6f 6b69 653a 2056 5443 3130  et-Cookie:.VTC10
> 	0x0150:  3534 3935 333d 303b 5041 5448 3d2f 0a43  54953=0;PATH=/.C
> 	0x0160:  6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365  onnection:.close
> 	0x0170:  0a43 6f6e 7465 6e74 2d54 7970 653a 2069  .Content-Type:.i
> 	0x0180:  6d61 6765 2f67 6966 0a0a 4749 4638 3761  mage/gif..GIF87a
> 	0x0190:  3f00 0f00 8000 0000 0000 ffff ff2c 0000  ?............,..
> 	0x01a0:  0000 3f00 0f00 0002 f984 8fa9 cbed 0fa3  ..?.............
> 	0x01b0:  9c8e 2484 4df1 01e0 0e08 8c6f 0080 41f0  ..$.M......o..A.
> 	0x01c0:  21c2 28be 01c0 0101 8800 00a0 0406 0060  !.(............`
> 	0x01d0:  041f 222c 82e0 6344 2052 0230 0300 4202  ..",..cD.R.0..B.
> 	0x01e0:  0010 4148 0000 2208 7e84 45dc 1d20 7108  ..AH..".~.E...q.
> 	0x01f0:  3e44 2004 0500 8800 2020 0111 0004 2408  >D............$.
> 	0x0200:  76c4 45dc 1d49 6004 3fe2 2e82 6053 7c00  v.E..I`.?...`S|.
> 	0x0210:  0300 8a01 0066 4060 fc00 0003 4242 b023  .....f@`....BB.#
> 	0x0220:  22ce 2801 0018 0001 0900 8a1f 041f 2220  ".(...........".
> 	0x0230:  8202 4004 4410 9c30 330b 0a00 1001 4040  ..@.D..03.....@@
> 	0x0240:  0200 2028 840f 1178 4141 0200 2028 607c  ...(...xAA...(`|
> 	0x0250:  23f8 1081 1104 23e2 2082 e043 045e 5090  #.....#....C.^P.
> 	0x0260:  0000 080a e147 dc59 5000 8008 0002 1200  .....G.YP.......
> 	0x0270:  0041 21fc 088b 38a0 0406 0060 043f c222  .A!...8....`.?."
> 	0x0280:  0e28 0198 1900 81f1 01e0 0c08 00c5 0780  .(..............
> 	0x0290:  3b82 0f11 47f1 093e a62e b73f 8c72 d26a  ;...G..>...?.r.j
> 	0x02a0:  2f29 003b                                /).;
> 19:52:06.780339 IP (tos 0x0, ttl 128, id 4866, offset 0, flags [DF], length: 40) 192.168.1.172.1197 > 63.236.73.251.80: . [bad tcp cksum 4c56 (->2ea5)!] 390:390(0) ack 638 win 64899
> 	0x0000:  4500 0028 1302 4000 8006 9b92 c0a8 01ac  E..(..@.........
> 	0x0010:  3fec 49fb 04ad 0050 179a a9d2 001f 70e7  ?.I....P......p.
> 	0x0020:  5010 fd83 4c56 0000                      P...LV..
> 19:52:06.784504 IP (tos 0x0, ttl 128, id 4877, offset 0, flags [DF], length: 40) 192.168.1.172.1197 > 63.236.73.251.80: F [bad tcp cksum 4c56 (->2ea4)!] 390:390(0) ack 638 win 64899
> 	0x0000:  4500 0028 130d 4000 8006 9b87 c0a8 01ac  E..(..@.........
> 	0x0010:  3fec 49fb 04ad 0050 179a a9d2 001f 70e7  ?.I....P......p.
> 	0x0020:  5011 fd83 4c56 0000                      P...LV..
> 19:52:06.872915 IP (tos 0x80, ttl  51, id 63628, offset 0, flags [DF], length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok] 638:638(0) ack 391 win 32120
> 	0x0000:  4580 0028 f88c 4000 3306 0288 3fec 49fb  E..(..@.3...?.I.
> 	0x0010:  c0a8 01ac 0050 04ad 001f 70e7 179a a9d3  .....P....p.....
> 	0x0020:  5010 7d78 aeaf 0000 0000 0000 0000       P.}x..........
>
> ==============================================================
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Mike Chandler
> Sent: Wednesday, April 27, 2005 11:23 PM
> To: intrusions at lists.sans.org
> Cc: root at 67.19.19.69; webmaster at 67.19.19.69
> Subject: [Intrusions] RE Question
>
>
> I sent this email last Sunday hoping to find an answer.  I'm a little
> confused because a member of the list sent me a reply saying that the
> web site came up correctly for him.  I don't understand why, but I must
> report I made a stupid mistake.  I should have used the windump flag -s
> 1514 to see the full return packet.  I was being redirected by the
> original site.
>
> My GET request to right-thinking.com responded with the following
> response referring me to the second site.
>
>
> 00b0  42 79 3a 20 50 48 50 2f  34 2e 33 2e 32 0d 0a 6c   By: PHP/ 4.3.2..l
> 00c0  6f 63 61 74 69 6f 6e 3a  20 68 74 74 70 3a 2f 2f   ocation:  http://
> 00d0  74 63 72 63 2e 61 63 6f  72 2e 6f 72 67 2f 0d 0a   tcrc.aco r.org/..
> 00e0  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20   Content- Length:
> 00f0  30 0d 0a 4b 65 65 70 2d  41 6c 69 76 65 3a 20 74   0..Keep- Alive: t
> 0100  69 6d 65 6f 75 74 3d 31  35 2c 20 6d 61 78 3d 31   imeout=1 5, max=1
> 0110  30 30 0d 0a 43 6f 6e 6e  65 63 74 69 6f 6e 3a 20   00..Conn ection:
> 0120  4b 65 65 70 2d 41 6c 69  76 65 0d 0a 43 6f 6e 74   Keep-Ali ve..Cont
> 0130  65 6e 74 2d 54 79 70 65  3a 20 74 65 78 74 2f 68   ent-Type : text/h
> 0140  74 6d 6c 3b 20 63 68 61  72 73 65 74 3d 55 54 46   tml; cha rset=UTF
> 0150  2d 38 0d 0a 0d 0a                                  -8....
>
>
> I'm guessing the site was compromised with one of the PHP exploits.
> Does anyone care to comment on something other than how neglectful it
> was of me to forget to capture the whole packet?
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Hey Guys and/or Gals,
>
> If you have time, I would sure appreciate it if you could take a look
> at this.  I am trying to get to a specific URI by clicking on a URI in
> a Google query response page.  The URI is
> "right-thinking.com/index.php/weblog/comments/9192/" but I'm redirected
> to another page "http://tcrc.acor.org/".  I did a packet capture of the
> transaction and still don't see the redirect.  Would you mind pointing
> it out?
>
> I flushed DNS so the whole transaction should be there.  Please see the
> attached windump packet capture.
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
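The redirect Mike finally found is a plain HTTP 302 sitting in the ASCII column of a windump -X dump, which is easy to miss when the capture is truncated (his first -s setting) or wrapped by a mail client. As an added example that is not part of the thread, the Python below parses that dump format (mail quoting included), extracts the TCP payload of each IPv4 packet and reports every HTTP 3xx response with its Location header; the sample input is the thread's own 302 packet, cut after the location header to keep the listing short.

```python
import re

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+(.*)$", re.I)   # "0x0010:  c0a8 01ac ...  ....P..."
PKT_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")            # "19:52:06.567894 IP (tos ...)"

def parse_dump(text):
    """Split a windump/tcpdump -X dump into (summary line, raw IP bytes) per packet."""
    packets, summary, raw = [], None, bytearray()
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line)          # drop mail quoting such as "> "
        m = HEX_LINE.match(line)
        if m:                                         # hex groups end at the first double space
            raw += bytes.fromhex(m.group(1).split("  ")[0])
        elif PKT_LINE.match(line):                    # new packet; wrapped summary tails are ignored
            if summary is not None:
                packets.append((summary, bytes(raw)))
            summary, raw = line.strip(), bytearray()
    if summary is not None:
        packets.append((summary, bytes(raw)))
    return packets

def find_redirects(text):
    """Return (timestamp, status, location) for every HTTP 3xx response in the dump."""
    hits = []
    for summary, pkt in parse_dump(text):
        ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0      # IP header length
        if not ihl or pkt[0] >> 4 != 4 or pkt[9] != 6 or len(pkt) < ihl + 20:
            continue                                            # not IPv4/TCP (e.g. the ARP frame)
        doff = (pkt[ihl + 12] >> 4) * 4                         # TCP data offset
        payload = pkt[ihl + doff:int.from_bytes(pkt[2:4], "big")]
        if not payload.startswith(b"HTTP/"):
            continue
        head = re.split(rb"\r?\n\r?\n", payload, maxsplit=1)[0].decode("latin-1")
        lines = re.split(r"\r?\n", head)                        # thecounter.com replied with bare LF
        parts = lines[0].split()
        if len(parts) < 2 or not parts[1].startswith("3"):
            continue
        # header names are case-insensitive; the Apache box in the thread sent "location:"
        loc = next((l.split(":", 1)[1].strip() for l in lines[1:]
                    if l.lower().startswith("location:")), None)
        hits.append((summary.split()[0], parts[1], loc))
    return hits

# Sample input: the thread's own 302 packet, cut after the location header to keep it short.
SAMPLE = """\
19:52:06.567894 IP (tos 0x80, ttl  52, id 49114, offset 0, flags [DF], length: 328) 67.19.19.69.80 > 192.168.1.172.1195: P [tcp sum ok] 1:289(288) ack 418 win 6432
    0x0000:  4580 0148 bfda 4000 3406 6ca9 4313 1345  E..H..@.4.l.C..E
    0x0010:  c0a8 01ac 0050 04ab b29f b67c 806b a0f0  .....P.....|.k..
    0x0020:  5018 1920 5d37 0000 4854 5450 2f31 2e31  P...]7..HTTP/1.1
    0x0030:  2033 3032 2046 6f75 6e64 0d0a 4461 7465  .302.Found..Date
    0x0040:  3a20 5468 752c 2032 3820 4170 7220 3230  :.Thu,.28.Apr.20
    0x0050:  3035 2030 323a 3532 3a30 3020 474d 540d  05.02:52:00.GMT.
    0x0060:  0a53 6572 7665 723a 2041 7061 6368 652f  .Server:.Apache/
    0x0070:  322e 302e 3436 2028 5265 6420 4861 7429  2.0.46.(Red.Hat)
    0x0080:  0d0a 4163 6365 7074 2d52 616e 6765 733a  ..Accept-Ranges:
    0x0090:  2062 7974 6573 0d0a 582d 506f 7765 7265  .bytes..X-Powere
    0x00a0:  642d 4279 3a20 5048 502f 342e 332e 320d  d-By:.PHP/4.3.2.
    0x00b0:  0a6c 6f63 6174 696f 6e3a 2068 7474 703a  .location:.http:
    0x00c0:  2f2f 7463 7263 2e61 636f 722e 6f72 672f  //tcrc.acor.org/
"""

if __name__ == "__main__":
    for ts, status, loc in find_redirects(SAMPLE):
        print(f"{ts}: HTTP {status} -> {loc}")
```

Fed the whole quoted dump above, it reports only the 302 from 67.19.19.69; the counter's 200 and the ARP frame are skipped.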