[Snort-sigs] likely FPs Web-Client .... dll-load exploit attempt

Joel Esler jesler at ...435...
Sun Apr 17 20:57:44 EDT 2011


Thanks Russell. 

-- 
Sent from my iPad
Please excuse the brevity

On Apr 17, 2011, at 7:05 PM, Russell Fulton <r.fulton at ...575...> wrote:

> SID    CID    Timestamp    Signature    IP Src    IP Dst    Proto    Length
> 10    78025871    2011-04-18 09:53:08    WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    185
> 10    78025872    2011-04-18 09:53:08    WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    185
> 10    78025881    2011-04-18 09:53:18    WEB-CLIENT Firefox Acrobat Reader agm.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    179
> 10    78025882    2011-04-18 09:53:18    WEB-CLIENT Acrobat Reader IE plugin agm.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    179
> 10    78025908    2011-04-18 09:54:32    WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    179
> 10    78025909    2011-04-18 09:54:32    WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    179
> 10    78025915    2011-04-18 09:54:45    WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    172
> 10    78025916    2011-04-18 09:54:45    WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    172
> 10    78025917    2011-04-18 09:54:46    WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    196
> 10    78025918    2011-04-18 09:54:46    WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz    119.31.248.196 None    6    196
> 
> sample capture:
> GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1
> User-Agent: SAMSUNG_KIES
> Host: msupdate.emodio.com
> 
> Googling msupdate.emodio.com suggests that this is a legit site related to Samsung Kies...
> 
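One detail worth noting in the quoted capture: the filename DCInterface.dll.cab ends in the substring "ace.dll", which is one way a content match on a bare DLL name could fire on an unrelated download. The script below is an added example, not code from the thread or from the Snort ruleset (the rule bodies are not on the page and are assumed to look for the literal filenames in the signature names); it contrasts a substring match with a match on the whole final path segment over the quoted request and a constructed true-positive URI.

```python
from urllib.parse import urlsplit

# DLL names from the alert signatures in the post (rule bodies are assumed, not quoted).
FLAGGED_DLLS = ("ace.dll", "agm.dll")

# The request quoted in the post, plus a constructed true positive for contrast.
SAMPLE_CAPTURE = """GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1
User-Agent: SAMSUNG_KIES
Host: msupdate.emodio.com
"""
CONSTRUCTED_HIT = """GET /share/ace.dll HTTP/1.1
Host: example.invalid
"""

def parse_request(raw: str) -> dict:
    """Split an HTTP request into method, URI path and a lower-cased header map."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlsplit(target).path, "headers": headers}

def substring_hits(path: str) -> list:
    """Naive match: DLL name anywhere in the path (the behaviour that yields the FP)."""
    low = path.lower()
    return [d for d in FLAGGED_DLLS if d in low]

def filename_hits(path: str) -> list:
    """Anchored match: the DLL name must be the complete final path segment."""
    filename = path.rsplit("/", 1)[-1].lower()
    return [d for d in FLAGGED_DLLS if filename == d]

def triage(raw: str) -> dict:
    """Summarise one captured request for FP review; a substring-only hit
    means the DLL name is embedded in a longer filename."""
    req = parse_request(raw)
    naive, anchored = substring_hits(req["path"]), filename_hits(req["path"])
    return {
        "path": req["path"],
        "host": req["headers"].get("host", ""),
        "user_agent": req["headers"].get("user-agent", ""),
        "substring_hits": naive,
        "filename_hits": anchored,
        "likely_false_positive": bool(naive) and not anchored,
    }

if __name__ == "__main__":
    for raw in (SAMPLE_CAPTURE, CONSTRUCTED_HIT):
        print(triage(raw))
```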
