[Dshield] Am I being paranoid?

Samantha Fetter sama at snowplow.org
Thu Sep 26 18:36:22 GMT 2002


From April 9 2001:
http://online.securityfocus.com/archive/1/175060

Apparently there's a vulnerability in Netscape; perhaps that's what this
traffic is an attempt to exploit.

Versions 4.76 and earlier of the Netscape browser will execute JavaScript
contained in such a comment block, if execution of JavaScript is enabled
in the configuration of the browser.

Hope this helps,
Samantha

> Below is a packet dump from our snort IDS, the strange thing about this
> packet is that it is from a dial-up user to our webserver on port 80, the
> user appears to be sending us a GIF89a file, but after examining a GIF89a
<snip>
> The packet is obviously NOT a CGI scriptalias attempt, but the format of a
> series of consecutive characters in groups of 3 does look a little
> suspicious!
<snip>
> #(7 - 111) [2002-09-26 11:46:10] [CVE/CVE-1999-0236] [Bugtraq/2300]
> [arachNIDS/227]  WEB-CGI scriptalias access
> IPv4: 212.137.166.96 -> 172.16.100.10
>       hlen=5 TOS=0 dlen=576 ID=40121 flags=0 offset=0 TTL=128 chksum=53497
> TCP:  port=2195 -> dport: 80  flags=***A*R** seq=12091020
>       ack=1360648059 off=5 res=0 win=16616 urp=0 chksum=44575
> Payload:  length = 536
>
> 000 : 47 49 46 38 39 61 0F 00 01 00 F7 00 00 00 00 00   GIF89a..........
> 010 : 01 01 01 02 02 02 03 03 03 04 04 04 05 05 05 06   ................
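
An added example, not part of the original post: a small GIF block walker that a defender could use to see what the quoted bytes are and to pull out comment extensions, the block type the advisory above concerns. PAGE_BYTES are the 32 payload bytes shown in the dump; the function names, the constructed sample and the simple `<script` substring check are assumptions made for illustration.

```python
import struct
# First 32 payload bytes from the dump quoted above (the rest was snipped).
PAGE_BYTES = bytes.fromhex("47 49 46 38 39 61 0F 00 01 00 F7 00 00 00 00 00 "
                           "01 01 01 02 02 02 03 03 03 04 04 04 05 05 05 06")
# Constructed sample: 1x1 GIF89a, no color table, one comment extension, trailer.
NOTE = b"<script>/* constructed placeholder */</script>"
CONSTRUCTED = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
               + b"\x21\xFE" + bytes([len(NOTE)]) + NOTE + b"\x00\x3B")

def read_sub_blocks(data, pos):
    """Concatenate length-prefixed sub-blocks up to the zero-length terminator."""
    out = bytearray()
    while True:
        size = data[pos]                      # IndexError when the data is cut short
        pos += 1
        if size == 0:
            return pos, bytes(out)
        if pos + size > len(data):
            raise IndexError("sub-block runs past end of data")
        out += data[pos:pos + size]
        pos += size

def inspect_gif(data):
    """Return dimensions, palette triplets present, and comment-extension text."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF stream")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    entries = 2 ** ((packed & 0x07) + 1) if packed & 0x80 else 0
    pos = 13 + 3 * entries                    # global color table: 3 bytes (R,G,B) each
    palette = [tuple(data[i:i + 3]) for i in range(13, min(pos, len(data)) - 2, 3)]
    info = {"size": (width, height), "gct_entries": entries, "palette": palette,
            "comments": [], "truncated": False}
    try:
        while data[pos] != 0x3B:              # 0x3B = trailer
            if data[pos] == 0x21:             # extension introducer
                label = data[pos + 1]
                pos, body = read_sub_blocks(data, pos + 2)
                if label == 0xFE:             # comment extension
                    info["comments"].append(body)
            elif data[pos] == 0x2C:           # image descriptor
                local = data[pos + 9]
                pos += 10 + (3 * 2 ** ((local & 0x07) + 1) if local & 0x80 else 0)
                pos, _ = read_sub_blocks(data, pos + 1)   # skip LZW code size + data
            else:
                raise ValueError(f"unexpected block 0x{data[pos]:02x} at offset {pos}")
    except IndexError:
        info["truncated"] = True              # ran out of bytes before the trailer
    info["script_like"] = [c for c in info["comments"] if b"<script" in c.lower()]
    return info
```

Run on PAGE_BYTES, this reports a 15x1 image with a 256-entry global color table, so the visible groups of three identical bytes are the first RGB palette entries; whether the snipped remainder of the payload held a comment block cannot be determined from the 32 bytes shown.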
