[Dshield] A little more info regarding the GIF89a packets

Taylor, Graham GrahamTaylor at michaelpage.com
Fri Sep 27 13:25:11 GMT 2002


Firstly, thanks for all the replies!

Now a little more info, below is a table showing the packets from each user

     Source            FQDN                                        Total Packets
     57.66.33.129      Unable to resolve address                   1
     62.202.232.170    170.232.202.62.dial.bluewin.ch              100
     62.202.241.64     64.241.202.62.dial.bluewin.ch               20
     203.51.239.84     cpe-203-51-239-84.qld.bigpond.net.au        1
     212.137.166.96    ch8as11-75-166-96.cw-visp.com               90
     212.234.87.236    Unable to resolve address                   1
     213.3.231.131     131.231.3.213.dial.bluewin.ch               45
     213.3.233.78      78.233.3.213.dial.bluewin.ch                45
     213.98.248.11     213-98-248-11.uc.nombres.ttd.es             4
     213.122.234.5     host213-122-234-5.in-addr.btopenworld.com   4

As you can see, these are not single packets being sent: all of the packets
from the source addresses with high counts have a packet length of 536 bytes,
as do several from the other source addresses; a few have longer packet
lengths. The 100, 90 and 45 packet streams arrived within a 1-2 minute window
from each host.

305 of the packets have ACK+RST flags set.
304 have a packet length of 536.
The same source port was used for 5 packets from each host.
The 5 packets all have the same seq number; does this suggest a crafted
packet?



The Snort rule that was triggered is

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-CGI scriptalias access"; flags:A+; uricontent: "///"; \
    reference:cve,CVE-1999-0236; reference:bugtraq,2300; \
    reference:arachnids,227; classtype:attempted-recon; sid:873; rev:5;)

The above rule does suggest that the packets are from the external addresses

Because of our business locations around the world I would not expect to see
traffic from Switzerland arriving at our web site, although I am waiting for
a report from our web team to confirm this :)


I apologise for the long post, but I am trying to learn here :) having only
recently taken on this role.

Many thanks Graham
 
--__--__--

Message: 1
From: "Taylor, Graham" <GrahamTaylor at michaelpage.com>
To: "'list at dshield.org'" <list at dshield.org>
Date: Thu, 26 Sep 2002 12:27:08 +0100
Subject: [Dshield] Am I being paranoid?
Reply-To: list at dshield.org

Below is a packet dump from our snort IDS, the strange thing about this
packet is that it is from a dial-up user to our webserver on port 80, the
user appears to be sending us a GIF89a file, but after examining a GIF89a
file produced by "Paintshop Pro" the format does not look correct, and why
would somebody connecting to our server be sending a GIF to us?

The packet is obviously NOT a CGI scriptalias attempt, but the format of a
series of consecutive characters in groups of 3 does look a little
suspicious!

TIA Graham


Generated by ACID v0.9.6b13 on Thu September 26, 2002 11:17:04

------------------------------------------------------------------------------
#(7 - 111) [2002-09-26 11:46:10] [CVE/CVE-1999-0236] [Bugtraq/2300]
[arachNIDS/227]  WEB-CGI scriptalias access
IPv4: 212.137.166.96 -> 172.16.100.10
      hlen=5 TOS=0 dlen=576 ID=40121 flags=0 offset=0 TTL=128 chksum=53497
TCP:  port=2195 -> dport: 80  flags=***A*R** seq=12091020
      ack=1360648059 off=5 res=0 win=16616 urp=0 chksum=44575
Payload:  length = 536

000 : 47 49 46 38 39 61 0F 00 01 00 F7 00 00 00 00 00   GIF89a..........
010 : 01 01 01 02 02 02 03 03 03 04 04 04 05 05 05 06   ................
020 : 06 06 07 07 07 08 08 08 09 09 09 0A 0A 0A 0B 0B   ................
030 : 0B 0C 0C 0C 0D 0D 0D 0E 0E 0E 0F 0F 0F 10 10 10   ................
040 : 11 11 11 12 12 12 13 13 13 14 14 14 15 15 15 16   ................
050 : 16 16 17 17 17 18 18 18 19 19 19 1A 1A 1A 1B 1B   ................
060 : 1B 1C 1C 1C 1D 1D 1D 1E 1E 1E 1F 1F 1F 20 20 20   .............   
070 : 21 21 21 22 22 22 23 23 23 24 24 24 25 25 25 26   !!!"""###$$$%%%&
080 : 26 26 27 27 27 28 28 28 29 29 29 2A 2A 2A 2B 2B   &&'''((()))***++
090 : 2B 2C 2C 2C 2D 2D 2D 2E 2E 2E 2F 2F 2F 30 30 30   +,,,---...///000
0a0 : 31 31 31 32 32 32 33 33 33 34 34 34 35 35 35 36   1112223334445556
0b0 : 36 36 37 37 37 38 38 38 39 39 39 3A 3A 3A 3B 3B   66777888999:::;;
0c0 : 3B 3C 3C 3C 3D 3D 3D 3E 3E 3E 3F 3F 3F 40 40 40   ;<<<===>>>???@@@
0d0 : 41 41 41 42 42 42 43 43 43 44 44 44 45 45 45 46   AAABBBCCCDDDEEEF
0e0 : 46 46 47 47 47 48 48 48 49 49 49 4A 4A 4A 4B 4B   FFGGGHHHIIIJJJKK
0f0 : 4B 4C 4C 4C 4D 4D 4D 4E 4E 4E 4F 4F 4F 50 50 50   KLLLMMMNNNOOOPPP
100 : 51 51 51 52 52 52 53 53 53 54 54 54 55 55 55 56   QQQRRRSSSTTTUUUV
110 : 56 56 57 57 57 58 58 58 59 59 59 5A 5A 5A 5B 5B   VVWWWXXXYYYZZZ[[
120 : 5B 5C 5C 5C 5D 5D 5D 5E 5E 5E 5F 5F 5F 60 60 60   [\\\]]]^^^___```
130 : 61 61 61 62 62 62 63 63 63 64 64 64 65 65 65 66   aaabbbcccdddeeef
140 : 66 66 67 67 67 68 68 68 69 69 69 6A 6A 6A 6B 6B   ffggghhhiiijjjkk
150 : 6B 6C 6C 6C 6D 6D 6D 6E 6E 6E 6F 6F 6F 70 70 70   klllmmmnnnoooppp
160 : 71 71 71 72 72 72 73 73 73 74 74 74 75 75 75 76   qqqrrrssstttuuuv
170 : 76 76 77 77 77 78 78 78 79 79 79 7A 7A 7A 7B 7B   vvwwwxxxyyyzzz{{
180 : 7B 7C 7C 7C 7D 7D 7D 7E 7E 7E 7F 7F 7F 80 80 80   {|||}}}...
190 : 81 81 81 82 82 82 83 83 83 84 84 84 85 85 85 86   ................
1a0 : 86 86 87 87 87 88 88 88 89 89 89 8A 8A 8A 8B 8B   ................
1b0 : 8B 8C 8C 8C 8D 8D 8D 8E 8E 8E 8F 8F 8F 90 90 90   ................
1c0 : 91 91 91 92 92 92 93 93 93 94 94 94 95 95 95 96   ................
1d0 : 96 96 97 97 97 98 98 98 99 99 99 9A 9A 9A 9B 9B   ................
1e0 : 9B 9C 9C 9C 9D 9D 9D 9E 9E 9E 9F 9F 9F A0 A0 A0   ................
1f0 : A1 A1 A1 A2 A2 A2 A3 A3 A3 A4 A4 A4 A5 A5 A5 A6   ................
200 : A6 A6 A7 A7 A7 A8 A8 A8 A9 A9 A9 AA AA AA AB AB   ................
210 : AB AC AC AC AD AD AD AE                           ........
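
As an added example (not part of the original thread), the Python below decodes the payload from the ACID dump above as a GIF89a header and shows why the scriptalias rule quoted in the reply (flags:A+, uricontent "///") would match it. It rebuilds the 536-byte payload from the dump (13-byte header verbatim, then the grey ramp the dump shows); the assumption that the sensor compared uricontent against the raw payload is mine, not something the post states.

```python
"""Decode the GIF89a packet from the post and show why the Snort scriptalias
rule (uricontent "///", flags A+) matched it.  Added example, not from the
original thread; PAYLOAD is rebuilt from the ACID dump in the post."""
import struct

# Reconstructed from the dump: 13-byte GIF header, then a 256-entry
# grey-scale global colour table, cut off at the 536-byte payload length.
GIF_HEADER = bytes.fromhex("474946383961" "0F00" "0100" "F7" "00" "00")
PAYLOAD = (GIF_HEADER + b"".join(bytes((i, i, i)) for i in range(256)))[:536]
SNORT_FLAGS = "***A*R**"          # flags column from the ACID output


def parse_gif_header(data: bytes) -> dict:
    """Parse the GIF signature and Logical Screen Descriptor (13 bytes)."""
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    has_gct = bool(packed & 0x80)                   # global colour table flag
    gct_entries = 2 ** ((packed & 0x07) + 1) if has_gct else 0
    return {
        "signature": data[:6].decode("ascii", "replace"),
        "width": width, "height": height,
        "colour_resolution": ((packed >> 4) & 0x07) + 1,
        "has_gct": has_gct, "gct_entries": gct_entries, "gct_bytes": 3 * gct_entries,
        # header + palette bytes that did not fit into this one segment
        "missing_bytes": max(0, 13 + 3 * gct_entries - len(data)),
    }


def palette_is_grey_ramp(data: bytes) -> bool:
    """True if every complete RGB triplet after the header is (i, i, i)."""
    pal = data[13:]
    triplets = [pal[k:k + 3] for k in range(0, len(pal) - 2, 3)]
    return all(t == bytes((i, i, i)) for i, t in enumerate(triplets))


def snort_flags(col: str) -> set:
    """Expand Snort's 8-char flag column (order 12UAPRSF) to its set letters."""
    return {c for c in col if c != "*"}


def why_rule_matched(data: bytes, flags: str) -> dict:
    """flags:A+ needs ACK set (other bits allowed).  The only "///" in the
    payload is palette entry 0x2F (2F 2F 2F); assumption: the sensor searched
    the raw payload for uricontent, so that triplet satisfied the rule."""
    off = data.find(b"///")
    return {"ack_set": "A" in snort_flags(flags), "slash_offset": off,
            "palette_index": (off - 13) // 3 if off >= 13 else None}


if __name__ == "__main__":
    print(parse_gif_header(PAYLOAD))
    print("grey ramp:", palette_is_grey_ramp(PAYLOAD))
    print(why_rule_matched(PAYLOAD, SNORT_FLAGS))
```

The header decodes to a 15x1 pixel image with a 256-entry grey-scale palette, so the triplets are palette entries and 245 bytes of the palette alone are missing from this 536-byte segment.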
