Security Incidents mailing list archives

Re: SHELLCODE x86 NOOP


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Fri, 5 Oct 2001 09:28:36 +1200

Dan Terhesiu <dante () tvc codec ro> wrote:

      Hello to all of you.

      I've seen this morning several (approx. 82, as reported by
snort) alerts containing "SHELLCODE x86 NOOP". Almost all the connections
begin with a "WEB-IIS ISAPI .ida access" alert. I've searched on google

As has already been explained, the "WEB-IIS ISAPI .ida access" alert 
is (most likely) a false alarm.

about this x86 SHELLCODE, but there is nothing about :80 port
there. Because I'm new to this field, I'm asking for your help: is this
something I should worry about? 
<<snip>>

Probably not, or perhaps probably, depending on what is normally on 
this box and what is normally uploaded to/downloaded from it.  This:

00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00  ..text..........
00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00  ..... ..`.rdata.
00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02  ..........0.....
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02  @.data....r.....
00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00  ..v.............
00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00  .....@....idata.
00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03  ......`.......<.
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04  ..rsrc..........
00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00  ......R.........

almost certainly indicates transfer of a PE binary.  Are your users
normally allowed to transfer Windows program files around via HTTP?? 
If so, the above is nothing to worry about (the *practice* may be, 
but the snort alarm, given "normal practice" at your site, is not).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
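The check Nick does by eye, as an added example that is not part of this thread: a small Python triage script that re-types the quoted dump and parses it as a run of PE IMAGE_SECTION_HEADER records, so an alert payload that carries a section table can be told apart from one that does not. The field layout and Characteristics bits are the standard PE ones; the alignment heuristics (0x200 file alignment, 0x1000 section alignment) and the dot-prefixed-name rule are assumptions chosen for triage, not PE requirements.

```python
import struct

# The 192 bytes of the hex dump quoted above, re-typed from the message (it begins
# one byte before the first section header).
PAYLOAD = bytes.fromhex(
    "002E7465787400000096910200001000" "00009202000004000000000000000000"
    "0000000000200000602E726461746100" "00FB2E000000B0020000300000009602"
    "00000000000000000000000000400000" "402E646174610000001072010000E002"
    "000076000000C6020000000000000000" "0000000000400000C02E696461746100"
    "00F21400000060040000160000003C03" "00000000000000000000000000400000"
    "C02E727372630000001C1D0000008004" "00001E00000052030000000000000000"
)

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
# CNT_CODE | CNT_INITIALIZED_DATA | CNT_UNINITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE
KNOWN_FLAGS = 0x20 | 0x40 | 0x80 | 0x20000000 | 0x40000000 | 0x80000000


def plausible_section_header(fields):
    """Sanity-check one unpacked header the way an analyst eyeballing the dump does."""
    name, _vsize, va, rawsize, rawptr, relocs, lines, nrel, nlin, flags = fields
    text = name.rstrip(b"\0")
    # Linker names look like ".text", NUL-padded; dotless names are missed (assumption for triage).
    if not text.startswith(b".") or not text[1:].isalnum() or b"\0" in text:
        return False
    # Raw offset and size sit on the file alignment (0x200 minimum), RVA on a page (assumed).
    if rawptr % 0x200 or rawsize % 0x200 or va % 0x1000:
        return False
    # Relocation/line-number fields are unused in images; flags must be known bits only.
    return not (relocs or lines or nrel or nlin) and flags != 0 and not flags & ~KNOWN_FLAGS


def find_section_table(data, min_sections=2):
    """Longest run of back-to-back plausible headers as (offset, name, rva, raw_offset,
    raw_size, characteristics) tuples, or [] if fewer than min_sections line up."""
    best = []
    for start in range(len(data) - SECTION_HDR.size + 1):
        if data[start] != 0x2E:            # names start with '.': cheap pre-filter
            continue
        run, off = [], start
        while off + SECTION_HDR.size <= len(data):   # a header cut off by the capture end is skipped
            f = SECTION_HDR.unpack_from(data, off)
            if not plausible_section_header(f):
                break
            run.append((off, f[0].rstrip(b"\0").decode("ascii"), f[2], f[4], f[3], f[9]))
            off += SECTION_HDR.size
        if len(run) > len(best):
            best = run
    return best if len(best) >= min_sections else []
```

On the quoted dump this recovers .text, .rdata, .data and .idata with sane RVAs and file offsets; the .rsrc header is truncated by the end of the capture and is left out rather than misparsed.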

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
