[Snort-sigs] likely FPs Web-Client .... dll-load exploit attempt

Russell Fulton r.fulton at ...575...
Sun Apr 17 19:05:26 EDT 2011


SID	CID	Timestamp	Signature	IP Src	IP Dst	Proto	Length
10 	78025871 	2011-04-18 09:53:08 	WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	185
10 	78025872 	2011-04-18 09:53:08 	WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	185
10 	78025881 	2011-04-18 09:53:18 	WEB-CLIENT Firefox Acrobat Reader agm.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	179
10 	78025882 	2011-04-18 09:53:18 	WEB-CLIENT Acrobat Reader IE plugin agm.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	179
10 	78025908 	2011-04-18 09:54:32 	WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	179
10 	78025909 	2011-04-18 09:54:32 	WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	179
10 	78025915 	2011-04-18 09:54:45 	WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	172
10 	78025916 	2011-04-18 09:54:45 	WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	172
10 	78025917 	2011-04-18 09:54:46 	WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	196
10 	78025918 	2011-04-18 09:54:46 	WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 	130.216.25.112 ee5112cp.ece.auckland.ac.nz 	119.31.248.196 None 	6 	196

sample capture:
GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1
User-Agent: SAMSUNG_KIES
Host: msupdate.emodio.com

Googling msupdate.emodio.com suggests that this is a legit site related to Samsung Kies...
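Added example (not part of Russell's post or of the Snort rule set): the captured URI ends in "DCInterface.dll.cab", and the last seven characters of "DCInterface.dll" are the string "ace.dll". If the rule's content check is a case-insensitive substring match on the bare file name (an assumption here; the rule text is not in the post, but the hit on this URI is consistent with it), that is enough to fire it. The script below contrasts such a naive substring match with one that requires the DLL name to be a whole path segment. The first request line is the one captured above; the others are constructed for the test.

```python
import re
from typing import Dict, List, Tuple

# Request lines to evaluate. The first is the one from the sample capture in
# the post; the remaining three are constructed here to exercise the matcher.
REQUEST_LINES: List[str] = [
    "GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1",
    "GET /plugins/ace.dll HTTP/1.1",                  # constructed: a genuine ace.dll fetch
    "GET /updates/AGM.DLL?ver=2 HTTP/1.1",            # constructed: genuine hit, mixed case, query string
    "GET /modules/ImageDiagm.dll.zip HTTP/1.1",       # constructed: same FP shape for agm.dll
]

# DLL names taken from the signature names in the alert table above.
DLLS: Tuple[str, ...] = ("ace.dll", "agm.dll")


def uri_from_request_line(line: str) -> str:
    """Pull the request-target out of 'METHOD SP URI SP VERSION'."""
    _method, uri, _version = line.split(" ", 2)
    return uri


def naive_match(uri: str, dll: str) -> bool:
    """Case-insensitive substring test, i.e. what a bare
    content:"ace.dll"; nocase; style check does (assumed rule shape)."""
    return dll.lower() in uri.lower()


def segment_match(uri: str, dll: str) -> bool:
    """Only fire when the DLL name is an entire path segment: preceded by
    '/' (or start of string) and followed by end of string, '?' or '#'.
    'DCInterface.dll.cab' fails both conditions, so it no longer matches."""
    pattern = re.compile(r"(?:^|/)" + re.escape(dll) + r"(?=$|[?#])", re.IGNORECASE)
    return bool(pattern.search(uri))


def evaluate(lines: List[str], dlls: Tuple[str, ...] = DLLS) -> Dict[str, Dict[str, List[str]]]:
    """For each request line, list which DLL names each matcher fires on."""
    results: Dict[str, Dict[str, List[str]]] = {}
    for line in lines:
        uri = uri_from_request_line(line)
        results[uri] = {
            "naive": [d for d in dlls if naive_match(uri, d)],
            "segment": [d for d in dlls if segment_match(uri, d)],
        }
    return results


if __name__ == "__main__":
    for uri, hits in evaluate(REQUEST_LINES).items():
        print(f"{uri}\n  naive:   {hits['naive']}\n  segment: {hits['segment']}")
```

The Kies URI trips only the naive matcher; the two constructed genuine fetches trip both. In Snort terms the tightening corresponds to anchoring on the URI buffer with something like `pcre:"/\/ace\.dll([?#]|$)/Ui";` alongside the existing content match, but that is offered as one option for the rule maintainers, not as what the shipped rule does.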
