Snort mailing list archives

Re: likely FPs Web-Client .... dll-load exploit attempt


From: Joel Esler <jesler () sourcefire com>
Date: Sun, 17 Apr 2011 20:57:44 -0400

Thanks Russell. 

-- 
Sent from my iPad
Please excuse the brevity

On Apr 17, 2011, at 7:05 PM, Russell Fulton <r.fulton () auckland ac nz> wrote:

SID  CID       Timestamp            Signature                                                              IP Src                                       IP Dst               Proto  Length
10   78025871  2011-04-18 09:53:08  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      185
10   78025872  2011-04-18 09:53:08  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      185
10   78025881  2011-04-18 09:53:18  WEB-CLIENT Firefox Acrobat Reader agm.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025882  2011-04-18 09:53:18  WEB-CLIENT Acrobat Reader IE plugin agm.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025908  2011-04-18 09:54:32  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025909  2011-04-18 09:54:32  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025915  2011-04-18 09:54:45  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      172
10   78025916  2011-04-18 09:54:45  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      172
10   78025917  2011-04-18 09:54:46  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      196
10   78025918  2011-04-18 09:54:46  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      196

sample capture:
GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1
User-Agent: SAMSUNG_KIES
Host: msupdate.emodio.com

Googling msupdate.emodio.com suggests that this is a legit site related to Samsung Kies...

------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
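As an added illustration of the false positive discussed in the thread (not code from the thread, from the Snort rule set or from Sourcefire): a small Python check of why a plain substring match for the DLL names in the alert titles fires on the Kies request quoted above, assuming the rule's trigger is the bare string "ace.dll" (an assumption; the rule text itself is not on the page), next to a check that only fires when the requested filename is the DLL itself. The request line for the Kies download is the one quoted in the thread; the other three requests are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample set: the first line is the request quoted in the thread,
# the remaining three are constructed to show the behaviour of each check.
SAMPLE_REQUESTS = [
    "GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1",
    "GET /downloads/ace.dll HTTP/1.1",      # constructed: exact DLL name requested
    "GET /share/agm.dll?v=2 HTTP/1.1",      # constructed: DLL name with a query string
    "GET /static/mace.dll HTTP/1.1",        # constructed: suffix overlap, different file
]

# DLL names taken from the alert titles in the thread.
DLL_NAMES = ("ace.dll", "agm.dll")


def naive_match(request_line: str) -> bool:
    """Plain substring match: "Interface.dll" contains "ace.dll", so the
    Kies request triggers even though no ace.dll is being fetched."""
    lowered = request_line.lower()
    return any(name in lowered for name in DLL_NAMES)


def request_path(request_line: str) -> str:
    """Return the path part of the Request-URI (method SP URI SP version)."""
    _method, uri, _version = request_line.split(" ", 2)
    return urlsplit(uri).path


def tuned_match(request_line: str) -> bool:
    """Fire only when the last path component is exactly one of the DLL names,
    so DCInterface.dll.cab and mace.dll no longer count as hits."""
    last_component = request_path(request_line).rsplit("/", 1)[-1].lower()
    return last_component in DLL_NAMES


def classify(requests):
    """Return (naive, tuned) verdicts for each request line."""
    return [(naive_match(r), tuned_match(r)) for r in requests]


if __name__ == "__main__":
    for req, (naive, tuned) in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        print(f"naive={naive!s:5} tuned={tuned!s:5}  {req}")
```

The naive check flags all four lines; the filename check keeps the two real DLL fetches and drops the Kies .cab download and the suffix-overlap case.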
