Snort mailing list archives

RE: please help ID payload info


From: twig les <twigles () yahoo com>
Date: Tue, 15 Oct 2002 11:28:48 -0700 (PDT)

I think you may have hit a wall on the usefulness of
Snort here.  What do your host logs say?  Who logged
in?  What time were the logs manipulated last?  What
do your firewall logs say?  It may be worth your time
to check the md5 hashes on a few binaries like ps and
top.

Regarding how someone could get to your /etc/passwd
file...what access control does your Apache use? 
Which hosts does your sshd/ipfw/ipfilter allow to log
in?

As far as damage control (since I would assume the box
was compromised if it was mine) if you can't rebuild
then at least change passwords and make sure
/etc/shadow uses something strong (viva la Blowfish!)
to encrypt it.  I've read of a snafu in FreeBSD that
allows user passwds to be stored in DES when created
with the adduser function (can't confirm this, don't
flame).


--- Randy Bey <Randy.Bey () rivernorthsys com> wrote:

> Well, first did you check to see if this is actually coming from your
> webserver, or an external one? You left any details about that out, so I
> figure it's worth asking just to be sure. If it's an external webserver, I
> bet it's a webpage containing sample output from a security check tool.

Sorry, should have said it's the Snort server's web server (used for
ACID, etc.).

> also you claim that's similar to content sent out via email... do you
> have some sort of webmail access going where you might be accessing those
> emails from your webserver, causing it to legitimately send that content?

No webmail type thing there, and further down the line in the payload it
gets weird, like a dump of the /etc directory, then some binary
gobbledegook that is not understandable. Here:

2f0 : 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68 65   -r-- 1 root othe
300 : 72 20 33 31 34 20 53 65 70 20 32 30 20 31 36 3A   r 314 Sep 20 16:
310 : 32 36 20 32 30 30 32 20 2F 65 74 63 2F 63 6F 72   26 2002 /etc/cor
320 : 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30 30   eadm.conf  24700
330 : 20 31 0D 0A 2D 2D 2D 0D 0A 3E 20 2D 72 77 2D 72    1..---..> -rw-r
340 : 2D 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68   --r-- 1 root oth
350 : 65 72 20 33 31 34 20 4F 63 74 20 31 30 20 32 32   er 314 Oct 10 22
360 : 3A 30 38 20 32 30 30 32 20 2F 65 74 63 2F 63 6F   :08 2002 /etc/co
370 : 72 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30   readm.conf  2470
380 : 30 20 31 0D 0A 34 38 63 34 38 0D 0A 3C 20 64 72   0 1..48c48..< dr
390 : 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20   wxr-xr-x 2 root 
3a0 : 73 79 73 20 35 31 32 20 53 65 70 20 32 30 20 31   sys 512 Sep 20 1
3b0 : 36 3A 32 38 20 32 30 30 32 20 2F 65 74 63 2F 63   6:28 2002 /etc/c
3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64   ron.d ..---..> d
3d0 : 72 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74   rwxr-xr-x 2 root
3e0 : 20 73 79 73 20 35 31 32 20 4F 63 74 20 31 30 20    sys 512 Oct 10 
3f0 : 32 32 3A 30 39 20 32 30 30 32 20 2F 65 74 63 2F   22:09 2002 /etc/
400 : 63 72 6F 6E 2E 64 20 0D 0A 36 35 63 36 35 0D 0A   cron.d ..65c65..
410 : 3C 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20 72   < -rw-r--r-- 1 r
420 : 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 53 65   oot other 239 Se
430 : 70 20 32 30 20 31 36 3A 32 38 20 32 30 30 32 20   p 20 16:28 2002 
440 : 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F 6E   /etc/dumpadm.con
450 : 66 20 20 31 39 36 39 36 20 31 0D 0A 2D 2D 2D 0D   f  19696 1..---.
460 : 0A 3E 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20   .> -rw-r--r-- 1 
470 : 72 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 4F   root other 239 O
480 : 63 74 20 31 30 20 32 32 3A 30 39 20 32 30 30 32   ct 10 22:09 2002
490 : 20 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F    /etc/dumpadm.co
4a0 : 6E 66 20 20 31 39 36 39 36 20 31 0D 0A 39 30 2C   nf  19696 1..90,
4b0 : 39 31 63 39 30 2C 39 31 0D 0A 3C 20 64 72 77 78   91c90,91..< drwx
4c0 : 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79   r-xr-x 2 root sy
4d0 : 73 20 32 30 34 38 20 53 65 70 20 32 33 20 31 37   s 2048 Sep 23 17
4e0 : 3A 30 30 20 32 30 30 32 20 2F 65 74 63 2F 69 6E   :00 2002 /etc/in
4f0 : 69 74 2E 64 20 0D 0A 3C 20 70 72 77 2D 2D 2D 2D   it.d ..< prw----
500 : 2D 2D 2D 20 31 20 72 6F 6F 74 20 72 6F 6F 74 20   --- 1 root root 
510 : 30 20 53 65 70 20 32 30 20 31 36 3A 32 38 20 32   0 Sep 20 16:28 2
520 : 30 30 32 20 2F 65 74 63 2F 69 6E 69 74 70 69 70   002 /etc/initpip
530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72   e ..---..> drwxr
540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73   -xr-x 2 root sys
550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A    2048 Oct 10 14:
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF   41 2..P.....P...
570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D   .u&..j...L...P..
580 : 68 FE FF FF 51 8B 55 08 8B 42 08 50 FF 95 6C FE   h...Q.U..B.P..l.
590 : FF FF 3B F4 90 43 4B 43 4B 83 BD 50 FE FF FF 64   ..;..CKCK..P...d
5a0 : 7D 5C 8B 8D 50 FE FF FF 83 C1 01 89 8D 50 FE FF   }\..P........P..
5b0 : FF 8B 95 50 FE FF FF 69 D2 8D 66 F0 50 89 95 74   ...P...i..f.P..


Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
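The dump Randy pasted uses the ACID "offset : hex bytes   ascii" layout, and once the bytes are put back together the readable part is classic diff output (`<` old-side lines, `>` new-side lines, `---` separators, `NcN` hunk headers) of two `ls -l` listings with CRLF line endings; from offset 0x564 on the bytes stop being printable and have the shape of 32-bit x86 code (ebp-relative mov/cmp/call sequences), which a disassembler would confirm. The script below is an added example, not code from the thread: it reassembles such a dump into bytes, checks the offsets are contiguous, splits the result into text and binary runs, and sorts the text run into the diff's old and new sides. The `DUMP` excerpt is copied from the posting (offsets 0x4a0 to 0x5b0); the parsing rules (single spaces between byte pairs, two or more before the ASCII column) are my assumption about the ACID layout.

```python
"""Reassemble a Snort/ACID-style payload hex dump and separate text from binary.

Added example for this thread, not code from the original posts.  DUMP is an
excerpt (offsets 0x4a0-0x5b0) of the payload Randy posted; the parsing and
classification logic is mine and assumes the "offset : hex bytes   ascii"
layout with single spaces between byte pairs and two or more before the
ASCII column.
"""
import re

DUMP = r"""
4a0 : 6E 66 20 20 31 39 36 39 36 20 31 0D 0A 39 30 2C   nf  19696 1..90,
4b0 : 39 31 63 39 30 2C 39 31 0D 0A 3C 20 64 72 77 78   91c90,91..< drwx
4c0 : 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79   r-xr-x 2 root sy
4d0 : 73 20 32 30 34 38 20 53 65 70 20 32 33 20 31 37   s 2048 Sep 23 17
4e0 : 3A 30 30 20 32 30 30 32 20 2F 65 74 63 2F 69 6E   :00 2002 /etc/in
4f0 : 69 74 2E 64 20 0D 0A 3C 20 70 72 77 2D 2D 2D 2D   it.d ..< prw----
500 : 2D 2D 2D 20 31 20 72 6F 6F 74 20 72 6F 6F 74 20   --- 1 root root 
510 : 30 20 53 65 70 20 32 30 20 31 36 3A 32 38 20 32   0 Sep 20 16:28 2
520 : 30 30 32 20 2F 65 74 63 2F 69 6E 69 74 70 69 70   002 /etc/initpip
530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72   e ..---..> drwxr
540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73   -xr-x 2 root sys
550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A    2048 Oct 10 14:
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF   41 2..P.....P...
570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D   .u&..j...L...P..
580 : 68 FE FF FF 51 8B 55 08 8B 42 08 50 FF 95 6C FE   h...Q.U..B.P..l.
590 : FF FF 3B F4 90 43 4B 43 4B 83 BD 50 FE FF FF 64   ..;..CKCK..P...d
5a0 : 7D 5C 8B 8D 50 FE FF FF 83 C1 01 89 8D 50 FE FF   }\..P........P..
5b0 : FF 8B 95 50 FE FF FF 69 D2 8D 66 F0 50 89 95 74   ...P...i..f.P..
"""

# Offset, colon, 1-16 hex pairs separated by single spaces.  The lookahead
# stops before the ASCII column, so hex-looking text there ("41 2..") is ignored.
LINE_RE = re.compile(
    r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})(?=\s{2,}|\s*$)"
)
# Bytes treated as text: printable ASCII plus tab, LF and CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Classic (ed-style) diff hunk header such as "48c48" or "90,91c90,91".
HUNK_RE = re.compile(r"^\d+(?:,\d+)?[acd]\d+(?:,\d+)?$")


def parse_dump(text):
    """Return (start_offset, bytes).  Raises if the dump lines are not contiguous."""
    start, out = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        if start is None:
            start = off
        elif off != start + len(out):
            raise ValueError(f"gap or overlap at offset {off:#x}")
        out += bytes.fromhex(m.group(2))
    if start is None:
        raise ValueError("no dump lines found")
    return start, bytes(out)


def split_runs(start, data, min_len=6):
    """Return [(offset, kind, bytes)]: kind is 'text' for printable runs of at
    least min_len bytes, 'binary' otherwise, so short printable islands inside
    machine code (e.g. "CKCK") are not mistaken for text."""
    is_text = bytearray(len(data))
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] in TEXT_BYTES:
            j += 1
        if j - i >= min_len:
            is_text[i:j] = b"\x01" * (j - i)
        i = j if j > i else i + 1
    runs = []
    for k, b in enumerate(data):
        kind = "text" if is_text[k] else "binary"
        if runs and runs[-1][1] == kind:
            runs[-1][2].append(b)
        else:
            runs.append([start + k, kind, bytearray([b])])
    return [(off, kind, bytes(buf)) for off, kind, buf in runs]


def parse_diff_text(text):
    """Sort CRLF-separated lines of classic diff output into hunk headers,
    '<' (old side) and '>' (new side) entries; '---' separators are dropped."""
    result = {"hunks": [], "old": [], "new": [], "other": []}
    for line in text.split("\r\n"):
        if HUNK_RE.match(line):
            result["hunks"].append(line)
        elif line.startswith("< "):
            result["old"].append(line[2:].rstrip())
        elif line.startswith("> "):
            result["new"].append(line[2:].rstrip())
        elif line != "---":
            result["other"].append(line)
    return result


if __name__ == "__main__":
    start, data = parse_dump(DUMP)
    for off, kind, buf in split_runs(start, data):
        print(f"{off:#06x} {kind:6} {len(buf):4d} bytes")
        if kind == "text":
            print(parse_diff_text(buf.decode("ascii")))
```

Run against the excerpt it reports one 196-byte text run starting at 0x4a0 and one 92-byte binary run starting at 0x564; the text run parses as a single hunk (`90,91c90,91`) that replaces two September entries (`/etc/init.d`, `/etc/initpipe`) with an October entry that is cut off where the binary begins. The `min_len` threshold is what keeps the "CKCK" bytes inside the code region from being reported as a separate text fragment.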


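The "check the md5 hashes on a few binaries like ps and top" advice above only works if there is something trusted to compare against: a baseline of digests taken before the incident and kept off the host, and a hashing tool run from known-good media, since a replaced ps or top is exactly what a rootkit installs and a compromised host can lie about its own files. The following is an added example, not code from the thread; it uses SHA-256 rather than MD5 (MD5 is collision-prone and no longer a sound integrity check), and `demo()` builds a constructed scenario in a temporary directory with fake ps/top/netstat files instead of touching the real system.

```python
"""Baseline-and-compare integrity check for system binaries, the "md5 hashes
on ps and top" advice from the reply above.  Added example, not code from the
original thread.  It uses SHA-256 instead of MD5, and demo() builds a
constructed scenario in a temporary directory (fake ps/top/netstat files)
rather than touching the real system."""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Map each path to its digest, or None if the file is absent."""
    return {p: (hash_file(p) if os.path.isfile(p) else None) for p in paths}


def compare(baseline, current):
    """Diff two baselines: changed digests, files that vanished, files that appeared."""
    changed, missing, added = [], [], []
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if old is not None and new is not None and old != new:
            changed.append(p)
        elif old is not None and new is None:
            missing.append(p)
        elif old is None and new is not None:
            added.append(p)
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline three fake binaries, then append to 'ps'
    (as a trojaned replacement would change it) and delete 'netstat'.
    Returns the comparison with paths reduced to basenames."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("ps", "top", "netstat")}
        for n, p in paths.items():
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho fake " + n.encode() + b"\n")
        baseline = take_baseline(paths.values())
        with open(paths["ps"], "ab") as f:
            f.write(b"# trojaned\n")
        os.remove(paths["netstat"])
        result = compare(baseline, take_baseline(paths.values()))
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

In real use the baseline dictionary would be written out (and signed, or stored read-only off the host) when the box is built, and `compare()` run against a fresh `take_baseline()` of the same paths during triage; where the OS ships a package database with recorded digests, verifying against that is the equivalent check with a baseline you did not have to take yourself.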


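Checking which scheme /etc/shadow actually uses, as the last paragraph of the reply suggests, needs no passwords: the hash field's format identifies the algorithm. Traditional DES crypt(3) output is 13 characters from the [./0-9A-Za-z] alphabet with no `$`; MD5-crypt starts with `$1$`; Blowfish-based bcrypt with `$2a$`, `$2b$` or `$2y$`; SHA-crypt with `$5$` or `$6$`; a field of `*` or beginning with `!` is a locked account, and an empty field means no password at all. The script below is an added example, not from the thread. Its sample shadow lines are constructed, with placeholder hash fields of the right shape rather than real hashes, and since FreeBSD's master.passwd also has the hash in the second colon-separated field, the same audit reads that file too. It flags DES and empty fields as weak.

```python
"""Flag weak or absent password hashes in /etc/shadow (or FreeBSD's
master.passwd) by the format of the hash field.  Added example for this
thread, not code from the original posts.  SAMPLE_SHADOW is constructed; the
hash fields are placeholders of the right shape, not real password hashes."""
import re

# Constructed sample (user:hash:lastchg:min:max:warn:inactive:expire:flag).
SAMPLE_SHADOW = """\
root:$2a$08$saltsaltsaltsaltsalts.hashhashhashhashhashhashhashhas:11900:0:99999:7:::
alice:$1$salty$hashhashhashhashhashha:11900:0:99999:7:::
bob:abJnggxhB/yWI:11900:0:99999:7:::
carol:$6$saltsalt$hashhashhashhashhashhashhashhashhashhashhashhashhashhashhashha:11900:0:99999:7:::
daemon:*:11900:0:99999:7:::
eve::11900:0:99999:7:::
mallory:!$1$salty$hashhashhashhashhashha:11900:0:99999:7:::
"""

# Modular-crypt prefixes and the schemes they denote.
PREFIXES = [
    ("$2a$", "bcrypt (Blowfish)"), ("$2b$", "bcrypt (Blowfish)"), ("$2y$", "bcrypt (Blowfish)"),
    ("$1$", "MD5-crypt"), ("$5$", "SHA-256-crypt"), ("$6$", "SHA-512-crypt"),
]
# Traditional DES crypt(3): 2-char salt + 11 chars of hash, 13 chars total, no '$'.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK = {"traditional DES crypt", "empty (no password)"}


def classify_hash(field):
    """Name the scheme behind one shadow hash field."""
    if field == "":
        return "empty (no password)"
    if field[0] in "*!":
        return "locked"
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "traditional DES crypt"
    return "unknown"


def audit(shadow_text):
    """Return [(user, scheme, is_weak)] for every entry in shadow_text."""
    rows = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = classify_hash(fields[1])
        rows.append((fields[0], scheme, scheme in WEAK))
    return rows


def weak_accounts(shadow_text):
    """Users whose hash field is DES or empty; these need a forced password change."""
    return [user for user, _, weak in audit(shadow_text) if weak]


if __name__ == "__main__":
    for user, scheme, weak in audit(SAMPLE_SHADOW):
        print(f"{user:10} {scheme:22} {'WEAK' if weak else ''}")
```

On the sample this reports bob (DES) and eve (no password) as weak and leaves root, alice and carol alone; daemon and mallory are locked and never authenticate by password. Classification is by prefix only, so a `$2a$` field that has been truncated or hand-edited would still be reported as bcrypt; a stricter audit would also check the expected field lengths (60 characters for bcrypt, 13 for DES).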
