[Snort-sigs] seeing thousands of hits on COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit, Sig ID, 100000101

Russell Fulton r.fulton at ...575...
Sun Jul 30 23:24:08 EDT 2006


This one is from one of our own servers, but many are from elsewhere, including
many reputable sites.

I've seen nearly 4000 hits in the last 24 hours -- this has been going on for
some time, but I've just got around to doing something about it.

Russell

META
--------
SID	CID	TimeStamp		Signature
6	12634057	2006-07-30 15:25:00	COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit (Sig ID 100000101)

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.11.1	202.180.83.6	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	1500	24867	2	0	124	60516

Resolved Source
cecilwfa.cecil.auckland.ac.nz

Resolved Dest
nc1.akl.callplus.net.nz

TCP
--------
Source Port	Dest Port	Seq		Ack		
80		2778		2657346162	1028135209
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
8	0		16	64219	21114		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X					

DATA
--------
485454502F312E312032	HTTP/1.1 2
3030204F4B0D0A446174	00 OK..Dat
653A2053756E2C203330	e: Sun, 30
204A756C203230303620	 Jul 2006
30333A32353A30312047	03:25:01 G
4D540D0A536572766572	MT..Server
3A204D6963726F736F66	: Microsof
742D4949532F362E300D	t-IIS/6.0.
0A7033703A2043503D6E	.p3p: CP=n
6F6E0D0A582D506F7765	on..X-Powe
7265642D42793A204153	red-By: AS
502E4E45540D0A582D41	P.NET..X-A
73704E65742D56657273	spNet-Vers
696F6E3A20312E312E34	ion: 1.1.4
3332320D0A507261676D	322..Pragm
613A206E6F2D63616368	a: no-cach
650D0A436F6E74656E74	e..Content
2D446973706F73697469	-Dispositi
6F6E3A20696E6C696E65	on: inline
3B66696C656E616D653D	;filename=
22436F76657273686565	"Covershee
742E706466220D0A436F	t.pdf"..Co
6E74656E742D4C656E67	ntent-Leng
74683A2031313033350D	th: 11035.
0A43616368652D436F6E	.Cache-Con
74726F6C3A206E6F2D63	trol: no-c
616368650D0A50726167	ache..Prag
6D613A206E6F2D636163	ma: no-cac
68650D0A457870697265	he..Expire
733A202D310D0A436F6E	s: -1..Con
74656E742D547970653A	tent-Type:
206170706C6963617469	 applicati
6F6E2F7064660D0A0D0A	on/pdf....
255044462D312E340D25	%PDF-1.4.%
E2E3CFD30D0A36203020	......6 0
6F626A203C3C2F4C696E	obj <</Lin
656172697A656420312F	earized 1/
4C2031313033352F4F20	L 11035/O
382F4520363931302F4E	8/E 6910/N
20312F54203130383639	 1/T 10869
2F48205B203535362031	/H [ 556 1
36335D3E3E0D656E646F	63]>>.endo
626A0D20202020202020	bj.
20202020202020202020	
202020200D0A78726566	    ..xref
0D0A362031330D0A3030	..6 13..00
30303030303031362030	00000016 0
30303030206E0D0A3030	0000 n..00
30303030303731392030	00000719 0
30303030206E0D0A3030	0000 n..00
30303030303739352030	00000795 0
30303030206E0D0A3030	0000 n..00
30303030303932372030	00000927 0
30303030206E0D0A3030	0000 n..00
30303030313034372030	00001047 0
30303030206E0D0A3030	0000 n..00
30303030313435352030	00001455 0
30303030206E0D0A3030	0000 n..00
30303030313932322030	00001922 0
30303030206E0D0A3030	0000 n..00
30303030333634312030	00003641 0
30303030206E0D0A3030	0000 n..00
30303030333637352030	00003675 0
30303030206E0D0A3030	0000 n..00
30303030363334342030	00006344 0
30303030206E0D0A3030	0000 n..00
30303030363539322030	00006592 0
30303030206E0D0A3030	0000 n..00
30303030363833342030	00006834 0
30303030206E0D0A3030	0000 n..00
30303030303535362030	00000556 0
30303030206E0D0A7472	0000 n..tr
61696C65720D0A3C3C2F	ailer..<</
53697A652031392F5072	Size 19/Pr
65762031303835392F52	ev 10859/R
6F6F742037203020522F	oot 7 0 R/
496E666F203520302052	Info 5 0 R
2F49445B3C3144353333	/ID[<1D533
37433641443643374232	7C6AD6C7B2
31334244414238464145	13BDAB8FAE
443535334139453E3C36	D553A9E><6
46323145334238384342	F21E3B88CB
30453734393941413046	0E7499AA0F
37393334424544344643	7934BED4FC
413E5D3E3E0D0A737461	A>]>>..sta
7274787265660D0A300D	rtxref..0.
0A2525454F460D0A2020	.%%EOF..
20202020202020202020	
202020200D0A31382030	    ..18 0
206F626A3C3C2F4C656E	 obj<</Len
6774682038302F46696C	gth 80/Fil
7465722F466C61746544	ter/FlateD
65636F64652F49203936	ecode/I 96
2F4C2038302F53203339	/L 80/S 39
3E3E73747265616D0D0A	>>stream..
78DA626060E0626060AA	x.b``.b``.
600002F1C70CA8800988	`.........
5918380E301820097241	Y.8.0. .rA
31038312030F9B429878	1......B.x
E2C6CC0086251BAEF132	.....%...2
688185191918A4A2A1BA	h.........
2D8098958141E339449C	-....A.9D.
E12140800100D0290A24	.!@....).$
0D0A656E647374726561	..endstrea
6D0D656E646F626A0D37	m.endobj.7
2030206F626A3C3C2F4D	 0 obj<</M
65746164617461203420	etadata 4
3020522F506167657320	0 R/Pages
33203020522F54797065	3 0 R/Type
2F436174616C6F672F50	/Catalog/P
6167654C6162656C7320	ageLabels
31203020523E3E0D656E	1 0 R>>.en
646F626A0D382030206F	dobj.8 0 o
626A3C3C2F43726F7042	bj<</CropB
6F785B30203020353935	ox[0 0 595
2E3232203834325D2F50	.22 842]/P
6172656E742033203020	arent 3 0
522F436F6E74656E7473	R/Contents
203132203020522F526F	 12 0 R/Ro
7461746520302F4D6564	tate 0/Med
6961426F785B30203020	iaBox[0 0
3539352E323220383432	595.22 842
5D2F5265736F75726365	]/Resource
732039203020522F5479	s 9 0 R/Ty
70652F506167653E3E0D	pe/Page>>.
656E646F626A0D392030	endobj.9 0
206F626A3C3C2F436F6C	 obj<</Col
6F7253706163653C3C2F	orSpace<</
43733620313320302052	Cs6 13 0 R
3E3E2F466F6E743C3C2F	>>/Font<</
54543220313020302052	TT2 10 0 R
2F545434203131203020	/TT4 11 0
523E3E2F50726F635365	R>>/ProcSe
745B2F5044462F546578	t[/PDF/Tex
745D2F45787447537461	t]/ExtGSta
74653C3C2F4753312031	te<</GS1 1
37203020523E3E3E3E0D	7 0 R>>>>.
656E646F626A0D313020	endobj.10
30206F626A3C3C2F5375	0 obj<</Su
62747970652F54727565	btype/True
547970652F466F6E7444	Type/FontD
657363726970746F7220	escriptor
3135203020522F4C6173	15 0 R/Las
7443686172203131382F	tChar 118/
5769647468735B32	Widths[2

DATA
--------
HTTP/1.1 200 OK..Date: Sun, 30 Jul 2006 03:25:01 GMT..Server
: Microsoft-IIS/6.0..p3p: CP=non..X-Powered-By: ASP.NET..X-A
spNet-Version: 1.1.4322..Pragma: no-cache..Content-Dispositi
on: inline;filename="Coversheet.pdf"..Content-Length: 11035.
.Cache-Control: no-cache..Pragma: no-cache..Expires: -1..Con
tent-Type: application/pdf....%PDF-1.4.%......6 0 obj <</Lin
earized 1/L 11035/O 8/E 6910/N 1/T 10869/H [ 556 163]>>.endo
bj.                     ..xref..6 13..0000000016 00000 n..00
00000719 00000 n..0000000795 00000 n..0000000927 00000 n..00
00001047 00000 n..0000001455 00000 n..0000001922 00000 n..00
00003641 00000 n..0000003675 00000 n..0000006344 00000 n..00
00006592 00000 n..0000006834 00000 n..0000000556 00000 n..tr
ailer..<</Size 19/Prev 10859/Root 7 0 R/Info 5 0 R/ID[<1D533
7C6AD6C7B213BDAB8FAED553A9E><6F21E3B88CB0E7499AA0F7934BED4FC
A>]>>..startxref..0..%%EOF..                ..18 0 obj<</Len
gth 80/Filter/FlateDecode/I 96/L 80/S 39>>stream..x.b``.b``.
`.........Y.8.0. .rA1......B.x.....%...2h.........-....A.9D.
.!@....).$..endstream.endobj.7 0 obj<</Metadata 4 0 R/Pages
3 0 R/Type/Catalog/PageLabels 1 0 R>>.endobj.8 0 obj<</CropB
ox[0 0 595.22 842]/Parent 3 0 R/Contents 12 0 R/Rotate 0/Med
iaBox[0 0 595.22 842]/Resources 9 0 R/Type/Page>>.endobj.9 0
 obj<</ColorSpace<</Cs6 13 0 R>>/Font<</TT2 10 0 R/TT4 11 0
R>>/ProcSet[/PDF/Text]/ExtGState<</GS1 17 0 R>>>>.endobj.10
0 obj<</Subtype/TrueType/FontDescriptor 15 0 R/LastChar 118/
Widths[2
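Added example, not part of Russell's post or of the Snort community rule set: a small Python script that decodes the hex column of the sensor's first DATA dump above (only the prefix through the first "endobj" is embedded) and pulls out the facts a defender wants when deciding whether an alert like this is a false positive: the status line, the Server and Content-Type headers, the attached filename, the PDF version marker, and the linearization dictionary that a linearized PDF starts with. The function names, the header-parsing approach and the "Content-Length matches /L" consistency check are my own choices, not something the rule or the sensor provides.

```python
import binascii
import re

# Hex column of the sensor's first DATA dump, copied from the alert above:
# the HTTP response headers plus the first bytes of the PDF body (up to the
# first "endobj"). Only this prefix of the 1500-byte packet is used here.
DUMP_HEX = """
485454502F312E312032 3030204F4B0D0A446174 653A2053756E2C203330 204A756C203230303620
30333A32353A30312047 4D540D0A536572766572 3A204D6963726F736F66 742D4949532F362E300D
0A7033703A2043503D6E 6F6E0D0A582D506F7765 7265642D42793A204153 502E4E45540D0A582D41
73704E65742D56657273 696F6E3A20312E312E34 3332320D0A507261676D 613A206E6F2D63616368
650D0A436F6E74656E74 2D446973706F73697469 6F6E3A20696E6C696E65 3B66696C656E616D653D
22436F76657273686565 742E706466220D0A436F 6E74656E742D4C656E67 74683A2031313033350D
0A43616368652D436F6E 74726F6C3A206E6F2D63 616368650D0A50726167 6D613A206E6F2D636163
68650D0A457870697265 733A202D310D0A436F6E 74656E742D547970653A 206170706C6963617469
6F6E2F7064660D0A0D0A 255044462D312E340D25 E2E3CFD30D0A36203020 6F626A203C3C2F4C696E
656172697A656420312F 4C2031313033352F4F20 382F4520363931302F4E 20312F54203130383639
2F48205B203535362031 36335D3E3E0D656E646F 626A0D20202020202020
"""


def decode_dump(hex_text):
    """Turn the whitespace-separated hex column of a sensor dump into raw bytes."""
    return binascii.unhexlify("".join(hex_text.split()))


def split_http_response(raw):
    """Split a captured server response into status line, header dict and body.

    Header names are lower-cased; a repeated header (Pragma appears twice in
    this capture) keeps its last value.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers in capture")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, body


def parse_linearization(body):
    """Read the linearization dictionary a linearized PDF starts with.

    /L is the total file length the producer wrote into the file, /O the
    first page's object number, /E the end offset of the first page, /N the
    page count and /T the offset of the first-page xref entries.
    """
    m = re.search(rb"<<\s*/Linearized\s+1(.*?)>>", body, re.S)
    if not m:
        return None
    return {k.decode("ascii"): int(v)
            for k, v in re.findall(rb"/([LOENT])\s+(\d+)", m.group(1))}


def triage(hex_text):
    """Collect the facts needed to classify the alert payload (hypothetical helper)."""
    status, headers, body = split_http_response(decode_dump(hex_text))
    disp = headers.get("content-disposition", "")
    fn = re.search(r'filename="?([^";]+)"?', disp)
    lin = parse_linearization(body)
    result = {
        "status": status,
        "server": headers.get("server"),
        "content_type": headers.get("content-type"),
        "content_length": int(headers["content-length"]) if "content-length" in headers else None,
        "filename": fn.group(1) if fn else None,
        "pdf_version": body[:8].decode("ascii") if body.startswith(b"%PDF-") else None,
        "linearized": lin,
    }
    # A linearized PDF records its own total length in /L; agreement with the
    # HTTP Content-Length is what an ordinary document download looks like.
    result["lengths_agree"] = (lin is not None and
                               result["content_length"] == lin.get("L"))
    return result


if __name__ == "__main__":
    for key, value in triage(DUMP_HEX).items():
        print(f"{key}: {value}")
```

To triage another alert from the same sensor, paste that event's hex column into DUMP_HEX. A payload that claims application/pdf but does not start with %PDF-, or whose declared lengths disagree, deserves a closer look; for the event above everything is consistent with a plain document download from an IIS host, which is the kind of traffic that produces hits from "many reputable sites".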



