Vulnerability Development mailing list archives

getcat.com -- IE CueCat Spy on you.


From: Richard Rager <kb8rln () PENGUINMASTER COM>
Date: Fri, 8 Sep 2000 08:49:50 -0600

OK, I was having a problem going to www.CueCat.com, so I looked with tcpdump
to see what was going on.  The CueCat site was trying to connect to my
computer's NetBIOS port.  Here is the proof.


10:33:51.938023 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34033191 0,nop,wscale 0> (DF)
10:33:54.936372 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34033491 0,nop,wscale 0> (DF)
10:34:00.936370 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34034091 0,nop,wscale 0> (DF)
10:34:12.936364 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34035291 0,nop,wscale 0> (DF)
10:34:27.376342 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:27.376489 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack 35808594 win 0 (DF)
10:34:28.146342 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:28.146397 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack 1 win 0 (DF)
10:34:29.006332 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:29.006387 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack



We need to stop this type of abuse.

Enjoy,

Richard
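
Added example, not part of the original post: a short Python script that parses tcpdump text lines in the format shown in the message and tallies SYNs and returned RSTs per flow, then lists the remote addresses that sent a SYN to the NetBIOS session port. The function names are this example's own, and the sample input is six packets copied from the capture in the post, one packet per line.

```python
import re
from collections import defaultdict

# Old tcpdump text format: time, direction (> sent, < received),
# src.port > dst.port: flag ...
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<dir>[<>]) (?P<src>\S+)\.(?P<sport>[\w-]+)"
    r" > (?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<flag>\S+)"
)

# Six packets copied from the capture in the post, one packet per line.
SAMPLE = """\
10:33:51.938023 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34033191 0,nop,wscale 0> (DF)
10:33:54.936372 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34033491 0,nop,wscale 0> (DF)
10:34:27.376342 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:27.376489 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack 35808594 win 0 (DF)
10:34:28.146342 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:28.146397 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack 1 win 0 (DF)
"""

def summarize(text):
    """Count SYNs and the RSTs sent back, keyed by (src, sport, dst, dport)."""
    flows = defaultdict(lambda: {"syn": 0, "rst": 0, "inbound": False})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # continuation of a wrapped line, or a truncated one
        if m["flag"] == "S":
            flow = flows[(m["src"], m["sport"], m["dst"], m["dport"])]
            flow["syn"] += 1
            flow["inbound"] = m["dir"] == "<"
        elif m["flag"] == "R":
            # A RST travels back along the flow, so swap the endpoints.
            flows[(m["dst"], m["dport"], m["src"], m["sport"])]["rst"] += 1
    return dict(flows)

def inbound_syn_sources(flows, ports=("netbios-ssn", "139")):
    """Remote addresses that sent a SYN to one of the watched local ports."""
    return sorted({k[0] for k, f in flows.items() if f["inbound"] and k[3] in ports})

if __name__ == "__main__":
    flows = summarize(SAMPLE)
    for key, f in flows.items():
        print(key, f)
    print("inbound SYNs to NetBIOS session port from:", inbound_syn_sources(flows))
```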

