[Dshield] Am I being paranoid?

Coxe, John B. JOHN.B.COXE at saic.com
Thu Sep 26 18:22:15 GMT 2002


> but after examining a GIF89a file produced by "Paintshop Pro" the format
> does not look correct

Sure it does.  The header and logical screen descriptor are fine and the
global color table (part of which you show) is right.  Cannot see the rest
of it.  But what you show looks perfectly consistent with gif specs.

> why would somebody connecting to our server be sending a GIF to us?

Are you sure about the direction?

-----Original Message-----
From: Taylor, Graham [mailto:GrahamTaylor at michaelpage.com]
Sent: Thursday, September 26, 2002 4:27 AM
To: 'list at dshield.org'
Subject: [Dshield] Am I being paranoid?


Below is a packet dump from our Snort IDS. The strange thing about this
packet is that it is from a dial-up user to our webserver on port 80; the
user appears to be sending us a GIF89a file, but after examining a GIF89a
file produced by "Paintshop Pro" the format does not look correct, and why
would somebody connecting to our server be sending a GIF to us?

The packet is obviously NOT a CGI scriptalias attempt, but the format of a
series of consecutive characters in groups of 3 does look a little
suspicious!

TIA Graham


Generated by ACID v0.9.6b13 on Thu September 26, 2002 11:17:04

------------------------------------------------------------------------------
#(7 - 111) [2002-09-26 11:46:10] [CVE/CVE-1999-0236] [Bugtraq/2300]
[arachNIDS/227]  WEB-CGI scriptalias access
IPv4: 212.137.166.96 -> 172.16.100.10
      hlen=5 TOS=0 dlen=576 ID=40121 flags=0 offset=0 TTL=128 chksum=53497
TCP:  port=2195 -> dport: 80  flags=***A*R** seq=12091020
      ack=1360648059 off=5 res=0 win=16616 urp=0 chksum=44575
Payload:  length = 536

000 : 47 49 46 38 39 61 0F 00 01 00 F7 00 00 00 00 00   GIF89a..........
010 : 01 01 01 02 02 02 03 03 03 04 04 04 05 05 05 06   ................
020 : 06 06 07 07 07 08 08 08 09 09 09 0A 0A 0A 0B 0B   ................
030 : 0B 0C 0C 0C 0D 0D 0D 0E 0E 0E 0F 0F 0F 10 10 10   ................
040 : 11 11 11 12 12 12 13 13 13 14 14 14 15 15 15 16   ................
050 : 16 16 17 17 17 18 18 18 19 19 19 1A 1A 1A 1B 1B   ................
060 : 1B 1C 1C 1C 1D 1D 1D 1E 1E 1E 1F 1F 1F 20 20 20   .............   
070 : 21 21 21 22 22 22 23 23 23 24 24 24 25 25 25 26   !!!"""###$$$%%%&
080 : 26 26 27 27 27 28 28 28 29 29 29 2A 2A 2A 2B 2B   &&'''((()))***++
090 : 2B 2C 2C 2C 2D 2D 2D 2E 2E 2E 2F 2F 2F 30 30 30   +,,,---...///000
0a0 : 31 31 31 32 32 32 33 33 33 34 34 34 35 35 35 36   1112223334445556
0b0 : 36 36 37 37 37 38 38 38 39 39 39 3A 3A 3A 3B 3B   66777888999:::;;
0c0 : 3B 3C 3C 3C 3D 3D 3D 3E 3E 3E 3F 3F 3F 40 40 40   ;<<<===>>>???@@@
0d0 : 41 41 41 42 42 42 43 43 43 44 44 44 45 45 45 46   AAABBBCCCDDDEEEF
0e0 : 46 46 47 47 47 48 48 48 49 49 49 4A 4A 4A 4B 4B   FFGGGHHHIIIJJJKK
0f0 : 4B 4C 4C 4C 4D 4D 4D 4E 4E 4E 4F 4F 4F 50 50 50   KLLLMMMNNNOOOPPP
100 : 51 51 51 52 52 52 53 53 53 54 54 54 55 55 55 56   QQQRRRSSSTTTUUUV
110 : 56 56 57 57 57 58 58 58 59 59 59 5A 5A 5A 5B 5B   VVWWWXXXYYYZZZ[[
120 : 5B 5C 5C 5C 5D 5D 5D 5E 5E 5E 5F 5F 5F 60 60 60   [\\\]]]^^^___```
130 : 61 61 61 62 62 62 63 63 63 64 64 64 65 65 65 66   aaabbbcccdddeeef
140 : 66 66 67 67 67 68 68 68 69 69 69 6A 6A 6A 6B 6B   ffggghhhiiijjjkk
150 : 6B 6C 6C 6C 6D 6D 6D 6E 6E 6E 6F 6F 6F 70 70 70   klllmmmnnnoooppp
160 : 71 71 71 72 72 72 73 73 73 74 74 74 75 75 75 76   qqqrrrssstttuuuv
170 : 76 76 77 77 77 78 78 78 79 79 79 7A 7A 7A 7B 7B   vvwwwxxxyyyzzz{{
180 : 7B 7C 7C 7C 7D 7D 7D 7E 7E 7E 7F 7F 7F 80 80 80   {|||}}}~~~...
190 : 81 81 81 82 82 82 83 83 83 84 84 84 85 85 85 86   ................
1a0 : 86 86 87 87 87 88 88 88 89 89 89 8A 8A 8A 8B 8B   ................
1b0 : 8B 8C 8C 8C 8D 8D 8D 8E 8E 8E 8F 8F 8F 90 90 90   ................
1c0 : 91 91 91 92 92 92 93 93 93 94 94 94 95 95 95 96   ................
1d0 : 96 96 97 97 97 98 98 98 99 99 99 9A 9A 9A 9B 9B   ................
1e0 : 9B 9C 9C 9C 9D 9D 9D 9E 9E 9E 9F 9F 9F A0 A0 A0   ................
1f0 : A1 A1 A1 A2 A2 A2 A3 A3 A3 A4 A4 A4 A5 A5 A5 A6   ................
200 : A6 A6 A7 A7 A7 A8 A8 A8 A9 A9 A9 AA AA AA AB AB   ................
210 : AB AC AC AC AD AD AD AE                           ........

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
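Checking Coxe's reading of the dump programmatically, as an added example that is not part of either post: the script below parses the GIF header and logical screen descriptor from the first four dump lines quoted above (copied from the thread) and shows that the "groups of 3" are simply the RGB triples of a 256-entry grayscale global color table, of which only 523 bytes fit in the 536-byte payload reported by the alert.

```python
import struct

# First four lines of the payload dump quoted in the thread (ACID hex dump format).
DUMP = """\
000 : 47 49 46 38 39 61 0F 00 01 00 F7 00 00 00 00 00   GIF89a..........
010 : 01 01 01 02 02 02 03 03 03 04 04 04 05 05 05 06   ................
020 : 06 06 07 07 07 08 08 08 09 09 09 0A 0A 0A 0B 0B   ................
030 : 0B 0C 0C 0C 0D 0D 0D 0E 0E 0E 0F 0F 0F 10 10 10   ................
"""
PAYLOAD_LEN = 536  # "Payload: length = 536" in the alert

def dump_to_bytes(dump):
    """Parse ACID-style dump lines ('off : xx xx ...   ascii') into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        hexpart = line.split(":", 1)[1][:3 * 16]  # 16 hex columns, 3 chars each
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)

def parse_gif_header(data, payload_len):
    """Decode the 6-byte signature plus the 7-byte logical screen descriptor."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF signature")
    width, height, packed, bg_index, aspect = struct.unpack_from("<HHBBB", data, 6)
    gct_flag = bool(packed & 0x80)                 # global color table present
    color_res = ((packed >> 4) & 0x07) + 1         # bits per primary color
    sort_flag = bool(packed & 0x08)
    gct_entries = 2 ** ((packed & 0x07) + 1) if gct_flag else 0
    gct_bytes = 3 * gct_entries                    # one RGB triple per entry
    return {
        "version": data[:6].decode("ascii"), "width": width, "height": height,
        "gct": gct_flag, "color_resolution_bits": color_res, "sorted": sort_flag,
        "gct_entries": gct_entries, "gct_bytes": gct_bytes,
        "background_index": bg_index, "aspect": aspect,
        # how much of the color table the captured payload can actually hold
        "gct_bytes_in_payload": max(0, min(gct_bytes, payload_len - 13)),
    }

def gct_is_gray_ramp(data, entries):
    """True if the first N color table entries are r == g == b == index."""
    t = data[13:13 + 3 * entries]
    return all(t[3 * i] == t[3 * i + 1] == t[3 * i + 2] == i for i in range(entries))

if __name__ == "__main__":
    raw = dump_to_bytes(DUMP)
    info = parse_gif_header(raw, PAYLOAD_LEN)
    print(info)
    print("grayscale ramp:", gct_is_gray_ramp(raw, 17))
```

A 15x1 image with a 768-byte palette needs 781 bytes before any image data, so a 536-byte capture ends inside the color table, which is why the rest of the file cannot be judged from this dump.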