[Intrusions] RE Question
Earnhart, Benjamin J
benjamin-earnhart at uiowa.edu
Sat Apr 30 15:00:46 GMT 2005
I have no problem getting to their site, either from my work or from
my cable modem at home, by IP or by hostname.
Since it looks like a deliberate redirect on their end based on your IP
address, any chance that you were using your home machine for scraping
or anything that might look like that? I'm guessing you weren't
deliberately abusing them (or you wouldn't be posting here and would
already know what happened), but if you had some sort of
legit-but-unusual software for offline browsing that looked to them like
an unidentified robot of some kind, especially if it was a rude one that
ignored robots.txt or grabbed content too fast, they might block you.
(and, if you're on a dynamic IP, then you might be mistaken for somebody
else who had been banned for a similar reason).
Also, given their content (fairly strong right-wing opinions) and where
they redirect you (a site about a part of the male anatomy), I wouldn't
be surprised if a range of IPs on your ISP might have been blocked. Not
like they're (to my mind) offensive, but anybody far out there on
controversial issues might be the victim of a DDOS if somebody said the
wrong words in the wrong forum at the wrong time when the wrong person
in the wrong mood noticed them. Though if that were the case, not very
efficient or polite of them to redirect instead of quietly dropping.
If you do find out what's going on, please let me/us know. I dunno if
it's worth posting to the whole list (your call on that), but I'm
personally curious and would appreciate hearing back.
*==========================================;
*Ben Earnhart
*Computer Consultant and
*ICPSR Representative
*Department of Sociology and
*College of Liberal Arts
*University of Iowa
*(319) 335-2887
*benjamin-earnhart at uiowa.edu
*==========================================;
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Joel Esler
> Sent: Saturday, April 30, 2005 8:31 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] RE Question
>
> I'd hate to be hasty about it, as I am still lying in bed
> this morning... *yawn*
>
> My thoughts are.. DNS poisoning, however that may not be the
> case, because it appears to me that the 67.19 IP, the
> right-thinking.com IP, is forcibly redirecting you to tcrc.acor.org.
>
> I tried both IPs from here (my ISP is knology.net) and they
> both come up correctly. I checked the source code of the
> right-thinking.com IP's webpage, and I don't see anything to
> lead me to believe that it redirects based on browser or
> anything like that. I tried it with a couple different
> browsers and they all worked fine.
>
> rather strange.
>
>
>
> On Apr 29, 2005, at 8:40 PM, Mike Chandler wrote:
>
> > O.K. So I did a bad job of explaining what I posted. I'll try again.
> > From work I can access the web site
> > http://right-thinking.com/index.php/weblog/comments/9192/ using the
> > uri or using http://67.19.19.69. From home behind my cable modem and
> > linksys router, when I access the site using the uri or the IP
> > address, I'm redirected to http://tcrc.acor.org/. This happens from
> > my Windows box or my Linux box. The packet capture below is from a
> > capture I did when I typed the uri into my web browser on the Windows
> > box. The packet capture looks the same when I type the IP address
> > into my browser except the Get request to the right-thinking.com looks
> > a little different. The only thing that makes sense is that the web
> > server is making choices on what to return to a web browser based on
> > IP address range. I've done a whois on the server and I'll contact
> > the system administrator to get his take on my diagnosis.
> > Thanks for your patience in my learning experience.
> >
> >
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Esler, Joel - Contractor
> > Sent: Thursday, April 28, 2005 6:59 AM
> > To: Intrusions List (GCIA Practicals)
> > Subject: RE: [Intrusions] RE Question
> >
> >
> > Can you post a whole packet dump in here? There could be a number of
> > reasons why.. Your box having spyware, your box being re-directed.
> > PHP exploited box... Any different number of things... A full packet
> > dump would help.
> >
> > Joel
> > =============================================================
> > Here ya go Joel,
> >
> > This has gotten even more curious. I went to work and pointed my
> > browser to http://67.19.19.69 and I went to the correct site. That makes me
> > think that either Time Warner is modifying the packets at some web
> > proxy in between my system and the web site or I have some sort of
> > spyware running on my computer. If it is spyware, wow I'm impressed.
> > This isn't some redirection of dns this is packet modification. If it
> > is Time Warner, I'm outraged.
> > Anyway here is the complete dump:
> >
> >
> >> Windump -s 0 -nXvvr redirect2.dmp
> >
> > 19:51:56.275377 arp who-has 192.168.1.162 tell 192.168.1.1
> > 0x0000: 0001 0800 0604 0001 000c 410a ce10 c0a8 ..........A.....
> > 0x0010: 0101 0000 0000 0000 c0a8 01a2 0000 0000 ................
> > 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> > /*
> > * This is the beginning of my three way handshake with http://67.19.19.69.
> > * DNS didn't come into play with this because I specified the IP address.
> > */
> > 19:52:06.460858 IP (tos 0x0, ttl 128, id 4845, offset 0, flags [DF], length: 48) 192.168.1.172.1195 > 67.19.19.69.80: S [tcp sum ok] 2154536782:2154536782(0) win 65535 <mss 1460,nop,nop,sackOK>
> > 0x0000: 4500 0030 12ed 4000 8006 cf2e c0a8 01ac E..0..@.........
> > 0x0010: 4313 1345 04ab 0050 806b 9f4e 0000 0000 C..E...P.k.N....
> > 0x0020: 7002 ffff 45be 0000 0204 05b4 0101 0402 p...E...........
> > 19:52:06.500041 IP (tos 0x80, ttl 52, id 0, offset 0, flags [DF], length: 48) 67.19.19.69.80 > 192.168.1.172.1195: S [tcp sum ok] 2996811387:2996811387(0) ack 2154536783 win 5840 <mss 1460,nop,nop,sackOK>
> > 0x0000: 4580 0030 0000 4000 3406 2d9c 4313 1345 E..0..@.4.-.C..E
> > 0x0010: c0a8 01ac 0050 04ab b29f b67b 806b 9f4f .....P.....{.k.O
> > 0x0020: 7012 16d0 c5c1 0000 0204 05b4 0101 0402 p...............
> > 19:52:06.500145 IP (tos 0x0, ttl 128, id 4846, offset 0, flags [DF], length: 40) 192.168.1.172.1195 > 67.19.19.69.80: . [bad tcp cksum 18c7 (->956)!] 1:1(0) ack 1 win 65535
> > 0x0000: 4500 0028 12ee 4000 8006 cf35 c0a8 01ac E..(..@....5....
> > 0x0010: 4313 1345 04ab 0050 806b 9f4f b29f b67c C..E...P.k.O...|
> > 0x0020: 5010 ffff 18c7 0000 P.......
> > 19:52:06.501038 IP (tos 0x0, ttl 128, id 4850, offset 0, flags [DF], length: 457) 192.168.1.172.1195 > 67.19.19.69.80: P [bad tcp cksum 1a68 (->e7de)!] 1:418(417) ack 1 win 65535
> > 0x0000: 4500 01c9 12f2 4000 8006 cd90 c0a8 01ac E.....@.........
> > 0x0010: 4313 1345 04ab 0050 806b 9f4f b29f b67c C..E...P.k.O...|
> > 0x0020: 5018 ffff 1a68 0000 4745 5420 2f69 6e64 P....h..GET./ind
> > 0x0030: 6578 2e70 6870 2f77 6562 6c6f 672f 636f ex.php/weblog/co
> > 0x0040: 6d6d 656e 7473 2f39 3139 322f 2048 5454 mments/9192/.HTT
> > 0x0050: 502f 312e 310d 0a41 6363 6570 743a 2069 P/1.1..Accept:.i
> > 0x0060: 6d61 6765 2f67 6966 2c20 696d 6167 652f mage/gif,.image/
> > 0x0070: 782d 7862 6974 6d61 702c 2069 6d61 6765 x-xbitmap,.image
> > 0x0080: 2f6a 7065 672c 2069 6d61 6765 2f70 6a70 /jpeg,.image/pjp
> > 0x0090: 6567 2c20 6170 706c 6963 6174 696f 6e2f eg,.application/
> > 0x00a0: 782d 7368 6f63 6b77 6176 652d 666c 6173 x-shockwave-flas
> > 0x00b0: 682c 2061 7070 6c69 6361 7469 6f6e 2f76 h,.application/v
> > 0x00c0: 6e64 2e6d 732d 706f 7765 7270 6f69 6e74 nd.ms-powerpoint
> > 0x00d0: 2c20 6170 706c 6963 6174 696f 6e2f 766e ,.application/vn
> > 0x00e0: 642e 6d73 2d65 7863 656c 2c20 6170 706c d.ms-excel,.appl
> > 0x00f0: 6963 6174 696f 6e2f 6d73 776f 7264 2c20 ication/msword,.
> > 0x0100: 2a2f 2a0d 0a41 6363 6570 742d 4c61 6e67 */*..Accept-Lang
> > 0x0110: 7561 6765 3a20 656e 2d75 730d 0a2d 2d2d uage:.en-us..---
> > 0x0120: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 3a20 2d2d ------------:.--
> > 0x0130: 2d2d 2d20 2d2d 2d2d 2d2d 2d0d 0a55 7365 ---.-------..Use
> > 0x0140: 722d 4167 656e 743a 204d 6f7a 696c 6c61 r-Agent:.Mozilla
> > 0x0150: 2f34 2e30 2028 636f 6d70 6174 6962 6c65 /4.0.(compatible
> > 0x0160: 3b20 4d53 4945 2036 2e30 3b20 5769 6e64 ;.MSIE.6.0;.Wind
> > 0x0170: 6f77 7320 4e54 2035 2e31 3b20 5356 313b ows.NT.5.1;.SV1;
> > 0x0180: 202e 4e45 5420 434c 5220 312e 312e 3433 ..NET.CLR.1.1.43
> > 0x0190: 3232 290d 0a48 6f73 743a 2072 6967 6874 22)..Host:.right
> > 0x01a0: 2d74 6869 6e6b 696e 672e 636f 6d0d 0a43 -thinking.com..C
> > 0x01b0: 6f6e 6e65 6374 696f 6e3a 204b 6565 702d onnection:.Keep-
> > 0x01c0: 416c 6976 650d 0a0d 0a Alive....
> > 19:52:06.543651 IP (tos 0x80, ttl 52, id 49113, offset 0, flags [DF], length: 40) 67.19.19.69.80 > 192.168.1.172.1195: . [tcp sum ok] 1:1(0) ack 418 win 6432
> > 0x0000: 4580 0028 bfd9 4000 3406 6dca 4313 1345 E..(..@.4.m.C..E
> > 0x0010: c0a8 01ac 0050 04ab b29f b67c 806b a0f0 .....P.....|.k..
> > 0x0020: 5010 1920 ee94 0000 0000 0000 0000 P.............
> > /*
> > * This is where I get redirected to http://tcrc.acor.org */
> > 19:52:06.567894 IP (tos 0x80, ttl 52, id 49114, offset 0, flags [DF], length: 328) 67.19.19.69.80 > 192.168.1.172.1195: P [tcp sum ok] 1:289(288) ack 418 win 6432
> > 0x0000: 4580 0148 bfda 4000 3406 6ca9 4313 1345 E..H..@.4.l.C..E
> > 0x0010: c0a8 01ac 0050 04ab b29f b67c 806b a0f0 .....P.....|.k..
> > 0x0020: 5018 1920 5d37 0000 4854 5450 2f31 2e31 P...]7..HTTP/1.1
> > 0x0030: 2033 3032 2046 6f75 6e64 0d0a 4461 7465 .302.Found..Date
> > 0x0040: 3a20 5468 752c 2032 3820 4170 7220 3230 :.Thu,.28.Apr.20
> > 0x0050: 3035 2030 323a 3532 3a30 3020 474d 540d 05.02:52:00.GMT.
> > 0x0060: 0a53 6572 7665 723a 2041 7061 6368 652f .Server:.Apache/
> > 0x0070: 322e 302e 3436 2028 5265 6420 4861 7429 2.0.46.(Red.Hat)
> > 0x0080: 0d0a 4163 6365 7074 2d52 616e 6765 733a ..Accept-Ranges:
> > 0x0090: 2062 7974 6573 0d0a 582d 506f 7765 7265 .bytes..X-Powere
> > 0x00a0: 642d 4279 3a20 5048 502f 342e 332e 320d d-By:.PHP/4.3.2.
> > 0x00b0: 0a6c 6f63 6174 696f 6e3a 2068 7474 703a .location:.http:
> > 0x00c0: 2f2f 7463 7263 2e61 636f 722e 6f72 672f //tcrc.acor.org/
> > 0x00d0: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468 ..Content-Length
> > 0x00e0: 3a20 300d 0a4b 6565 702d 416c 6976 653a :.0..Keep-Alive:
> > 0x00f0: 2074 696d 656f 7574 3d31 352c 206d 6178 .timeout=15,.max
> > 0x0100: 3d31 3030 0d0a 436f 6e6e 6563 7469 6f6e =100..Connection
> > 0x0110: 3a20 4b65 6570 2d41 6c69 7665 0d0a 436f :.Keep-Alive..Co
> > 0x0120: 6e74 656e 742d 5479 7065 3a20 7465 7874 ntent-Type:.text
> > 0x0130: 2f68 746d 6c3b 2063 6861 7273 6574 3d55 /html;.charset=U
> > 0x0140: 5446 2d38 0d0a 0d0a TF-8....
> > 19:52:06.600230 IP (tos 0x0, ttl 128, id 4858, offset 0, flags [DF], length: 48) 192.168.1.172.1197 > 63.236.73.251.80: S [tcp sum ok] 396011596:396011596(0) win 65535 <mss 1460,nop,nop,sackOK>
> > 0x0000: 4500 0030 12fa 4000 8006 9b92 c0a8 01ac E..0..@.........
> > 0x0010: 3fec 49fb 04ad 0050 179a a84c 0000 0000 ?.I....P...L....
> > 0x0020: 7002 ffff 7200 0000 0204 05b4 0101 0402 p...r...........
> > 19:52:06.676579 IP (tos 0x0, ttl 128, id 4859, offset 0, flags [DF], length: 40) 192.168.1.172.1195 > 67.19.19.69.80: . [bad tcp cksum 18c7 (->7b5)!] 418:418(0) ack 289 win 65247
> > 0x0000: 4500 0028 12fb 4000 8006 cf28 c0a8 01ac E..(..@....(....
> > 0x0010: 4313 1345 04ab 0050 806b a0f0 b29f b79c C..E...P.k......
> > 0x0020: 5010 fedf 18c7 0000 P.......
> > 19:52:06.686277 IP (tos 0x80, ttl 51, id 63568, offset 0, flags [DF], length: 48) 63.236.73.251.80 > 192.168.1.172.1197: S [tcp sum ok] 2059881:2059881(0) ack 396011597 win 32120 <mss 1460,nop,nop,sackOK>
> > 0x0000: 4580 0030 f850 4000 3306 02bc 3fec 49fb E..0.P@.3...?.I.
> > 0x0010: c0a8 01ac 0050 04ad 001f 6e69 179a a84d .....P....ni...M
> > 0x0020: 7012 7d78 85ee 0000 0204 05b4 0101 0402 p.}x............
> > 19:52:06.686359 IP (tos 0x0, ttl 128, id 4860, offset 0, flags [DF], length: 40) 192.168.1.172.1197 > 63.236.73.251.80: . [bad tcp cksum 4c56 (->302b)!] 1:1(0) ack 1 win 65535
> > 0x0000: 4500 0028 12fc 4000 8006 9b98 c0a8 01ac E..(..@.........
> > 0x0010: 3fec 49fb 04ad 0050 179a a84d 001f 6e6a ?.I....P...M..nj
> > 0x0020: 5010 ffff 4c56 0000 P...LV..
> > 19:52:06.687183 IP (tos 0x0, ttl 128, id 4864, offset 0, flags [DF], length: 429) 192.168.1.172.1197 > 63.236.73.251.80: P [bad tcp cksum 4ddb (->4de9)!] 1:390(389) ack 1 win 65535
> > 0x0000: 4500 01ad 1300 4000 8006 9a0f c0a8 01ac E.....@.........
> > 0x0010: 3fec 49fb 04ad 0050 179a a84d 001f 6e6a ?.I....P...M..nj
> > 0x0020: 5018 ffff 4ddb 0000 4745 5420 2f69 643d P...M...GET./id=
> > 0x0030: 3130 3534 3935 3326 7369 7a65 3d31 3032 1054953&size=102
> > 0x0040: 3426 636f 6c6f 7273 3d33 3226 7265 6665 4&colors=32&refe
> > 0x0050: 7265 723d 266a 6176 613d 7472 7565 2048 rer=&java=true.H
> > 0x0060: 5454 502f 312e 310d 0a41 6363 6570 743a TTP/1.1..Accept:
> > 0x0070: 202a 2f2a 0d0a 2d2d 2d2d 2d2d 2d3a 202d .*/*..-------:.-
> > 0x0080: 2d2d 2d3a 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d ---:------------
> > 0x0090: 2d2d 2d2d 0d0a 4163 6365 7074 2d4c 616e ----..Accept-Lan
> > 0x00a0: 6775 6167 653a 2065 6e2d 7573 0d0a 2d2d guage:.en-us..--
> > 0x00b0: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d3a 202d -------------:.-
> > 0x00c0: 2d2d 2d2d 202d 2d2d 2d2d 2d2d 0d0a 4966 ----.-------..If
> > 0x00d0: 2d4d 6f64 6966 6965 642d 5369 6e63 653a -Modified-Since:
> > 0x00e0: 2054 6875 2c20 3238 2041 7072 2032 3030 .Thu,.28.Apr.200
> > 0x00f0: 3520 3031 3a35 303a 3536 2047 4d54 3b20 5.01:50:56.GMT;.
> > 0x0100: 6c65 6e67 7468 3d32 3830 0d0a 5573 6572 length=280..User
> > 0x0110: 2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f -Agent:.Mozilla/
> > 0x0120: 342e 3020 2863 6f6d 7061 7469 626c 653b 4.0.(compatible;
> > 0x0130: 204d 5349 4520 362e 303b 2057 696e 646f .MSIE.6.0;.Windo
> > 0x0140: 7773 204e 5420 352e 313b 2053 5631 3b20 ws.NT.5.1;.SV1;.
> > 0x0150: 2e4e 4554 2043 4c52 2031 2e31 2e34 3332 .NET.CLR.1.1.432
> > 0x0160: 3229 0d0a 486f 7374 3a20 6332 2e74 6865 2)..Host:.c2.the
> > 0x0170: 636f 756e 7465 722e 636f 6d0d 0a43 6f6e counter.com..Con
> > 0x0180: 6e65 6374 696f 6e3a 204b 6565 702d 416c nection:.Keep-Al
> > 0x0190: 6976 650d 0a43 6f6f 6b69 653a 2056 5443 ive..Cookie:.VTC
> > 0x01a0: 3130 3534 3935 333d 300d 0a0d 0a 1054953=0....
> > 19:52:06.776796 IP (tos 0x80, ttl 51, id 63599, offset 0, flags [DF], length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok] 1:1(0) ack 390 win 31731
> > 0x0000: 4580 0028 f86f 4000 3306 02a5 3fec 49fb E..(.o@.3...?.I.
> > 0x0010: c0a8 01ac 0050 04ad 001f 6e6a 179a a9d2 .....P....nj....
> > 0x0020: 5010 7bf3 b2b2 0000 0000 0000 0000 P.{...........
> > 19:52:06.779404 IP (tos 0x80, ttl 51, id 63604, offset 0, flags [DF], length: 40) 63.236.73.251.80 > 192.168.1.172.1197: F [tcp sum ok] 637:637(0) ack 390 win 32120
> > 0x0000: 4580 0028 f874 4000 3306 02a0 3fec 49fb E..(.t@.3...?.I.
> > 0x0010: c0a8 01ac 0050 04ad 001f 70e6 179a a9d2 .....P....p.....
> > 0x0020: 5011 7d78 aeb0 0000 0000 0000 0000 P.}x..........
> > 19:52:06.779455 IP (tos 0x0, ttl 128, id 4865, offset 0, flags [DF], length: 52) 192.168.1.172.1197 > 63.236.73.251.80: . [tcp sum ok] 390:390(0) ack 1 win 65535 <nop,nop,sack sack 1 {637:638} >
> > 0x0000: 4500 0034 1301 4000 8006 9b87 c0a8 01ac E..4..@.........
> > 0x0010: 3fec 49fb 04ad 0050 179a a9d2 001f 6e6a ?.I....P......nj
> > 0x0020: 8010 ffff 1683 0000 0101 050a 001f 70e6 ..............p.
> > 0x0030: 001f 70e7 ..p.
> > 19:52:06.780265 IP (tos 0x80, ttl 51, id 63603, offset 0, flags [DF], length: 676) 63.236.73.251.80 > 192.168.1.172.1197: P [tcp sum ok] 1:637(636) ack 390 win 32120
> > 0x0000: 4580 02a4 f873 4000 3306 0025 3fec 49fb E....s@.3..%?.I.
> > 0x0010: c0a8 01ac 0050 04ad 001f 6e6a 179a a9d2 .....P....nj....
> > 0x0020: 5018 7d78 149a 0000 4854 5450 2f31 2e30 P.}x....HTTP/1.0
> > 0x0030: 2032 3030 204f 4b0a 4461 7465 3a20 5468 .200.OK.Date:.Th
> > 0x0040: 752c 2032 3820 4170 7220 3230 3035 2030 u,.28.Apr.2005.0
> > 0x0050: 323a 3532 3a30 3020 474d 540a 5365 7276 2:52:00.GMT.Serv
> > 0x0060: 6572 3a20 5468 6543 6f75 6e74 6572 2f32 er:.TheCounter/2
> > 0x0070: 2e31 0a4c 6173 742d 4d6f 6469 6669 6564 .1.Last-Modified
> > 0x0080: 3a20 5468 752c 2032 3820 4170 7220 3230 :.Thu,.28.Apr.20
> > 0x0090: 3035 2030 323a 3532 3a30 3020 474d 540a 05.02:52:00.GMT.
> > 0x00a0: 5072 6167 6d61 3a20 6e6f 2d63 6163 6865 Pragma:.no-cache
> > 0x00b0: 0a43 6163 6865 2d63 6f6e 7472 6f6c 3a20 .Cache-control:.
> > 0x00c0: 6e6f 2d63 6163 6865 2c20 6d75 7374 2d72 no-cache,.must-r
> > 0x00d0: 6576 616c 6964 6174 650a 5033 503a 2043 evalidate.P3P:.C
> > 0x00e0: 503d 224e 4f49 2044 5350 2043 4f52 2043 P="NOI.DSP.COR.C
> > 0x00f0: 5552 6920 4144 4d69 2050 5341 6920 4f55 URi.ADMi.PSAi.OU
> > 0x0100: 5220 5341 4d61 2049 4e44 2043 4f4d 204e R.SAMa.IND.COM.N
> > 0x0110: 4156 2053 5441 220a 4578 7069 7265 733a AV.STA".Expires:
> > 0x0120: 2054 6875 2c20 3238 2041 7072 2032 3030 .Thu,.28.Apr.200
> > 0x0130: 3520 3032 3a35 323a 3030 2047 4d54 0a53 5.02:52:00.GMT.S
> > 0x0140: 6574 2d43 6f6f 6b69 653a 2056 5443 3130 et-Cookie:.VTC10
> > 0x0150: 3534 3935 333d 303b 5041 5448 3d2f 0a43 54953=0;PATH=/.C
> > 0x0160: 6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365 onnection:.close
> > 0x0170: 0a43 6f6e 7465 6e74 2d54 7970 653a 2069 .Content-Type:.i
> > 0x0180: 6d61 6765 2f67 6966 0a0a 4749 4638 3761 mage/gif..GIF87a
> > 0x0190: 3f00 0f00 8000 0000 0000 ffff ff2c 0000 ?............,..
> > 0x01a0: 0000 3f00 0f00 0002 f984 8fa9 cbed 0fa3 ..?.............
> > 0x01b0: 9c8e 2484 4df1 01e0 0e08 8c6f 0080 41f0 ..$.M......o..A.
> > 0x01c0: 21c2 28be 01c0 0101 8800 00a0 0406 0060 !.(............`
> > 0x01d0: 041f 222c 82e0 6344 2052 0230 0300 4202 ..",..cD.R.0..B.
> > 0x01e0: 0010 4148 0000 2208 7e84 45dc 1d20 7108 ..AH..".~.E...q.
> > 0x01f0: 3e44 2004 0500 8800 2020 0111 0004 2408 >D............$.
> > 0x0200: 76c4 45dc 1d49 6004 3fe2 2e82 6053 7c00 v.E..I`.?...`S|.
> > 0x0210: 0300 8a01 0066 4060 fc00 0003 4242 b023 .....f@`....BB.#
> > 0x0220: 22ce 2801 0018 0001 0900 8a1f 041f 2220 ".(...........".
> > 0x0230: 8202 4004 4410 9c30 330b 0a00 1001 4040 ..@.D..03.....@@
> > 0x0240: 0200 2028 840f 1178 4141 0200 2028 607c ...(...xAA...(`|
> > 0x0250: 23f8 1081 1104 23e2 2082 e043 045e 5090 #.....#....C.^P.
> > 0x0260: 0000 080a e147 dc59 5000 8008 0002 1200 .....G.YP.......
> > 0x0270: 0041 21fc 088b 38a0 0406 0060 043f c222 .A!...8....`.?."
> > 0x0280: 0e28 0198 1900 81f1 01e0 0c08 00c5 0780 .(..............
> > 0x0290: 3b82 0f11 47f1 093e a62e b73f 8c72 d26a ;...G..>...?.r.j
> > 0x02a0: 2f29 003b /).;
> > 19:52:06.780339 IP (tos 0x0, ttl 128, id 4866, offset 0, flags [DF], length: 40) 192.168.1.172.1197 > 63.236.73.251.80: . [bad tcp cksum 4c56 (->2ea5)!] 390:390(0) ack 638 win 64899
> > 0x0000: 4500 0028 1302 4000 8006 9b92 c0a8 01ac E..(..@.........
> > 0x0010: 3fec 49fb 04ad 0050 179a a9d2 001f 70e7 ?.I....P......p.
> > 0x0020: 5010 fd83 4c56 0000 P...LV..
> > 19:52:06.784504 IP (tos 0x0, ttl 128, id 4877, offset 0, flags [DF], length: 40) 192.168.1.172.1197 > 63.236.73.251.80: F [bad tcp cksum 4c56 (->2ea4)!] 390:390(0) ack 638 win 64899
> > 0x0000: 4500 0028 130d 4000 8006 9b87 c0a8 01ac E..(..@.........
> > 0x0010: 3fec 49fb 04ad 0050 179a a9d2 001f 70e7 ?.I....P......p.
> > 0x0020: 5011 fd83 4c56 0000 P...LV..
> > 19:52:06.872915 IP (tos 0x80, ttl 51, id 63628, offset 0, flags [DF], length: 40) 63.236.73.251.80 > 192.168.1.172.1197: . [tcp sum ok] 638:638(0) ack 391 win 32120
> > 0x0000: 4580 0028 f88c 4000 3306 0288 3fec 49fb E..(..@.3...?.I.
> > 0x0010: c0a8 01ac 0050 04ad 001f 70e7 179a a9d3 .....P....p.....
> > 0x0020: 5010 7d78 aeaf 0000 0000 0000 0000 P.}x..........
> >
> > ==============================================================
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Mike Chandler
> > Sent: Wednesday, April 27, 2005 11:23 PM
> > To: intrusions at lists.sans.org
> > Cc: root at 67.19.19.69; webmaster at 67.19.19.69
> > Subject: [Intrusions] RE Question
> >
> >
> > I sent this email last Sunday hoping to find an answer. I'm a little
> > confused because a member of the list sent me a reply saying that the
> > web site came up correctly for him. I don't understand why but I must
> > report I made a stupid mistake. I should have used the windump flag
> > -s 1514 to see the full return packet. I was being redirected by the
> > original site.
> >
> > My get request to right-thinking.com responded with the following
> > response referring me to the second site.
> >
> >
> > 00b0 42 79 3a 20 50 48 50 2f 34 2e 33 2e 32 0d 0a 6c By: PHP/ 4.3.2..l
> > 00c0 6f 63 61 74 69 6f 6e 3a 20 68 74 74 70 3a 2f 2f ocation:  http://
> > 00d0 74 63 72 63 2e 61 63 6f 72 2e 6f 72 67 2f 0d 0a tcrc.aco r.org/..
> > 00e0 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content- Length:
> > 00f0 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 0..Keep- Alive: t
> > 0100 69 6d 65 6f 75 74 3d 31 35 2c 20 6d 61 78 3d 31 imeout=1 5, max=1
> > 0110 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 00..Conn ection:
> > 0120 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 Keep-Ali ve..Cont
> > 0130 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 ent-Type : text/h
> > 0140 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 tml; cha rset=UTF
> > 0150 2d 38 0d 0a 0d 0a -8....
> >
> >
> > I'm guessing the site was compromised with one of the php exploits.
> > Does anyone care to comment on something other than how neglectful it
> > was of me to forget to capture the whole packet?
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Hey Guys and or Gals,
> >
> > If you have time, I would sure appreciate it if you could take a look
> > at this. I am trying to get to a specific uri by clicking on a uri in
> > a google query response page. The uri is
> > "right-thinking.com/index.php/weblog/comments/9192/" but I'm
> > redirected to another page "http://tcrc.acor.org/". I did a packet
> > capture of the transaction and still don't see the redirect. Would
> > you mind pointing it out?
> >
> > I flushed dns so the whole transaction should be there. Please see
> > the attached windump packet capture.
> >
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
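The 302 reply in the capture above is what the full snaplen (-s 0, or the -s 1514 Mike mentions) finally exposed. As an added example, not code from the thread or from any of its participants, the Python below turns windump -X hex rows back into bytes, strips the IPv4 and TCP headers using their own length fields, and reports whether the HTTP reply bounces the client to a host other than the one it asked for; the sample is the thread's 328-byte reply from 67.19.19.69 with the ASCII gutter omitted, and the requested host (from the GET's Host header) is passed in by hand.

```python
import re
from urllib.parse import urlsplit

# Constructed: the thread's 'length: 328' reply from 67.19.19.69.80 as windump -X rows (gutter omitted)
SAMPLE_302_DUMP = """\
0x0000: 4580 0148 bfda 4000 3406 6ca9 4313 1345
0x0010: c0a8 01ac 0050 04ab b29f b67c 806b a0f0
0x0020: 5018 1920 5d37 0000 4854 5450 2f31 2e31
0x0030: 2033 3032 2046 6f75 6e64 0d0a 4461 7465
0x0040: 3a20 5468 752c 2032 3820 4170 7220 3230
0x0050: 3035 2030 323a 3532 3a30 3020 474d 540d
0x0060: 0a53 6572 7665 723a 2041 7061 6368 652f
0x0070: 322e 302e 3436 2028 5265 6420 4861 7429
0x0080: 0d0a 4163 6365 7074 2d52 616e 6765 733a
0x0090: 2062 7974 6573 0d0a 582d 506f 7765 7265
0x00a0: 642d 4279 3a20 5048 502f 342e 332e 320d
0x00b0: 0a6c 6f63 6174 696f 6e3a 2068 7474 703a
0x00c0: 2f2f 7463 7263 2e61 636f 722e 6f72 672f
0x00d0: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468
0x00e0: 3a20 300d 0a4b 6565 702d 416c 6976 653a
0x00f0: 2074 696d 656f 7574 3d31 352c 206d 6178
0x0100: 3d31 3030 0d0a 436f 6e6e 6563 7469 6f6e
0x0110: 3a20 4b65 6570 2d41 6c69 7665 0d0a 436f
0x0120: 6e74 656e 742d 5479 7065 3a20 7465 7874
0x0130: 2f68 746d 6c3b 2063 6861 7273 6574 3d55
0x0140: 5446 2d38 0d0a 0d0a
"""
HEX_ROW = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s*(.*)$")
HEX_TOK = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

def dump_to_bytes(dump):
    """Join the hex columns of every '0xNNNN:' row (at most 8 groups of two
    bytes); the first non-hex token is the ASCII gutter, so stop there."""
    out = bytearray()
    for m in filter(None, map(HEX_ROW.match, dump.splitlines())):
        for tok in m.group(1).split()[:8]:
            if not HEX_TOK.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def tcp_payload(pkt):
    """Skip the IPv4 and TCP headers using their own length fields."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                # IP header length
    total = int.from_bytes(pkt[2:4], "big")  # IP total length
    doff = (pkt[ihl + 12] >> 4) * 4          # TCP data offset
    return pkt[ihl + doff:total]

def parse_response(payload):
    """Return (status, headers); names are lower-cased because HTTP header
    names are case-insensitive (the thread's server sent 'location:')."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ", 2)[1]), headers

def redirect_verdict(dump, requested_host):
    """Does the reply bounce the client to a host other than the one asked for?"""
    status, headers = parse_response(tcp_payload(dump_to_bytes(dump)))
    location = headers.get("location")
    target = urlsplit(location).hostname if location else None
    offsite = status in (301, 302, 303, 307, 308) and target not in (None, requested_host.lower())
    return {"status": status, "location": location, "target_host": target, "offsite_redirect": offsite}
```

Run against the earlier, truncated capture the same code would find no HTTP payload at all, which is the symptom Mike hit before raising the snaplen.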