[Snort-users] please help ID payload info

Randy Bey Randy.Bey at ...6683...
Tue Oct 15 10:02:05 EDT 2002


> Well, first did you check to see if this is actually coming from your
> webserver, or an external one? You left any details about that out, so I
> figure it's worth asking just to be sure. If it's an external
> webserver, I bet it's a webpage containing sample output from a security check
> tool.

Sorry, should have said it's the Snort server's web server (used for
ACID, etc.).
> 
> also you claim that's similar to content sent out via email... do you have
> some sort of webmail access going where you might be accessing those emails
> from your webserver, causing it to legitimately send that content?

No webmail type thing there, and further down the line in the payload it
gets weird, like a dump of the /etc directory, then some binary
gobbledegook that is not understandable. Here:

2f0 : 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68 65   -r-- 1 root othe
300 : 72 20 33 31 34 20 53 65 70 20 32 30 20 31 36 3A   r 314 Sep 20 16:
310 : 32 36 20 32 30 30 32 20 2F 65 74 63 2F 63 6F 72   26 2002 /etc/cor
320 : 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30 30   eadm.conf  24700
330 : 20 31 0D 0A 2D 2D 2D 0D 0A 3E 20 2D 72 77 2D 72    1..---..> -rw-r
340 : 2D 2D 72 2D 2D 20 31 20 72 6F 6F 74 20 6F 74 68   --r-- 1 root oth
350 : 65 72 20 33 31 34 20 4F 63 74 20 31 30 20 32 32   er 314 Oct 10 22
360 : 3A 30 38 20 32 30 30 32 20 2F 65 74 63 2F 63 6F   :08 2002 /etc/co
370 : 72 65 61 64 6D 2E 63 6F 6E 66 20 20 32 34 37 30   readm.conf  2470
380 : 30 20 31 0D 0A 34 38 63 34 38 0D 0A 3C 20 64 72   0 1..48c48..< dr
390 : 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20   wxr-xr-x 2 root 
3a0 : 73 79 73 20 35 31 32 20 53 65 70 20 32 30 20 31   sys 512 Sep 20 1
3b0 : 36 3A 32 38 20 32 30 30 32 20 2F 65 74 63 2F 63   6:28 2002 /etc/c
3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64   ron.d ..---..> d
3d0 : 72 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74   rwxr-xr-x 2 root
3e0 : 20 73 79 73 20 35 31 32 20 4F 63 74 20 31 30 20    sys 512 Oct 10 
3f0 : 32 32 3A 30 39 20 32 30 30 32 20 2F 65 74 63 2F   22:09 2002 /etc/
400 : 63 72 6F 6E 2E 64 20 0D 0A 36 35 63 36 35 0D 0A   cron.d ..65c65..
410 : 3C 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20 72   < -rw-r--r-- 1 r
420 : 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 53 65   oot other 239 Se
430 : 70 20 32 30 20 31 36 3A 32 38 20 32 30 30 32 20   p 20 16:28 2002 
440 : 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F 6E   /etc/dumpadm.con
450 : 66 20 20 31 39 36 39 36 20 31 0D 0A 2D 2D 2D 0D   f  19696 1..---.
460 : 0A 3E 20 2D 72 77 2D 72 2D 2D 72 2D 2D 20 31 20   .> -rw-r--r-- 1 
470 : 72 6F 6F 74 20 6F 74 68 65 72 20 32 33 39 20 4F   root other 239 O
480 : 63 74 20 31 30 20 32 32 3A 30 39 20 32 30 30 32   ct 10 22:09 2002
490 : 20 2F 65 74 63 2F 64 75 6D 70 61 64 6D 2E 63 6F    /etc/dumpadm.co
4a0 : 6E 66 20 20 31 39 36 39 36 20 31 0D 0A 39 30 2C   nf  19696 1..90,
4b0 : 39 31 63 39 30 2C 39 31 0D 0A 3C 20 64 72 77 78   91c90,91..< drwx
4c0 : 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79   r-xr-x 2 root sy
4d0 : 73 20 32 30 34 38 20 53 65 70 20 32 33 20 31 37   s 2048 Sep 23 17
4e0 : 3A 30 30 20 32 30 30 32 20 2F 65 74 63 2F 69 6E   :00 2002 /etc/in
4f0 : 69 74 2E 64 20 0D 0A 3C 20 70 72 77 2D 2D 2D 2D   it.d ..< prw----
500 : 2D 2D 2D 20 31 20 72 6F 6F 74 20 72 6F 6F 74 20   --- 1 root root 
510 : 30 20 53 65 70 20 32 30 20 31 36 3A 32 38 20 32   0 Sep 20 16:28 2
520 : 30 30 32 20 2F 65 74 63 2F 69 6E 69 74 70 69 70   002 /etc/initpip
530 : 65 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64 72 77 78 72   e ..---..> drwxr
540 : 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20 73 79 73   -xr-x 2 root sys
550 : 20 32 30 34 38 20 4F 63 74 20 31 30 20 31 34 3A    2048 Oct 10 14:
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF   41 2..P.....P...
570 : 00 75 26 8B F4 6A 00 8D 85 4C FE FF FF 50 8B 8D   .u&..j...L...P..
580 : 68 FE FF FF 51 8B 55 08 8B 42 08 50 FF 95 6C FE   h...Q.U..B.P..l.
590 : FF FF 3B F4 90 43 4B 43 4B 83 BD 50 FE FF FF 64   ..;..CKCK..P...d
5a0 : 7D 5C 8B 8D 50 FE FF FF 83 C1 01 89 8D 50 FE FF   }\..P........P..
5b0 : FF 8B 95 50 FE FF FF 69 D2 8D 66 F0 50 89 95 74   ...P...i..f.P..


Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com
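Added example (not part of the post, and not Snort's own code): a small Python decoder for the payload dump format quoted above. It rebuilds the bytes from the hex column, reports the offset where printable text gives way to binary (0x564 in the quoted dump), and pulls the diff(1)-style hunk headers (48c48, 65c65, ...) and the /etc paths out of the text part; the sample is a constructed subset of the dump in the post.

```python
import re

# Constructed sample: a subset of the Snort payload dump quoted in the post
# (one complete diff hunk, then the line where text turns into binary).
SAMPLE_DUMP = """\
380 : 30 20 31 0D 0A 34 38 63 34 38 0D 0A 3C 20 64 72   0 1..48c48..< dr
390 : 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74 20   wxr-xr-x 2 root
3a0 : 73 79 73 20 35 31 32 20 53 65 70 20 32 30 20 31   sys 512 Sep 20 1
3b0 : 36 3A 32 38 20 32 30 30 32 20 2F 65 74 63 2F 63   6:28 2002 /etc/c
3c0 : 72 6F 6E 2E 64 20 0D 0A 2D 2D 2D 0D 0A 3E 20 64   ron.d ..---..> d
3d0 : 72 77 78 72 2D 78 72 2D 78 20 32 20 72 6F 6F 74   rwxr-xr-x 2 root
3e0 : 20 73 79 73 20 35 31 32 20 4F 63 74 20 31 30 20    sys 512 Oct 10
3f0 : 32 32 3A 30 39 20 32 30 30 32 20 2F 65 74 63 2F   22:09 2002 /etc/
400 : 63 72 6F 6E 2E 64 20 0D 0A 36 35 63 36 35 0D 0A   cron.d ..65c65..
560 : 34 31 20 32 89 95 50 FE FF FF 83 BD 50 FE FF FF   41 2..P.....P...
"""

# Only the hex column is decoded: the ASCII column shows non-printables as "."
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s*:\s*((?:[0-9a-fA-F]{2}\s+){1,16})")
HUNK_RE = re.compile(r"^\d+(?:,\d+)?[acd]\d+(?:,\d+)?$")  # e.g. 48c48, 90,91c90,91
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable + tab/CR/LF

def parse_dump(dump):
    """Return a list of (offset, bytes) chunks in the order printed."""
    chunks = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            chunks.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    return chunks

def split_payload(chunks):
    """Return (ascii_text, binary_offset): the text before the first byte that
    is not printable ASCII, and that byte's offset (None if it is all text)."""
    out = bytearray()
    for offset, data in chunks:
        for i, b in enumerate(data):
            if b not in TEXT_BYTES:
                return out.decode("ascii"), offset + i
            out.append(b)
    return out.decode("ascii"), None

def diff_summary(text):
    """diff-style hunk headers and the /etc paths named on '<' / '>' lines."""
    lines = text.split("\r\n")
    hunks = [l for l in lines if HUNK_RE.match(l)]
    paths = sorted({p for l in lines if l[:2] in ("< ", "> ")
                    for p in re.findall(r"/etc/\S+", l)})
    return hunks, paths
```

Run `diff_summary(split_payload(parse_dump(SAMPLE_DUMP))[0])` to list the hunks and paths; feeding it the full dump from the post yields the three hunks and five /etc entries visible in the ASCII column.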