FW: eEyeIsTheBest seen in http? (x-posted to Snort user list)

From: Tom Sevy (tsevy@epx.com)
Date: 09/27/01


Message-ID: <B25211753929D411902A00508B8B066E013B5B71@NT310PRD>
From: Tom Sevy <tsevy@epx.com>
To: "BugTraq FOCUS-IDS (FOCUS-IDS@SECURITYFOCUS.COM)" <FOCUS-IDS@SECURITYFOCUS.COM>
Subject: FW: eEyeIsTheBest seen in http?  (x-posted to Snort user list)
Date: Thu, 27 Sep 2001 16:44:32 -0400


Has anyone else seen this?

I am seeing a handful of these, from internal machines, sometimes going to
other segments in the network as well as to outside systems (web servers).

Generated by ACID v0.9.6b13 on Thu September 27, 2001 16:33:32

----------------------------------------------------------------------------

--
#(4 - 58002) [2001-09-27 15:37:22]  WEB-IIS cmd.exe Out
IPv4: 192.xxx.xx.xx -> xxx.xx.x.xx   
      hlen=5 TOS=0 dlen=217 ID=5482 flags=0 offset=0 TTL=128 chksum=27285
TCP:  port=4850 -> dport: 80  flags=***AP*** seq=3028858
      ack=2830731072 off=5 res=0 win=8490 urp=0 chksum=7675
Payload:  length = 167

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35   5c..%5c..%5c..%5
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F   cwinnt/system32/
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20   cmd.exe?/c+echo 
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73   eEyeIsTheBest Is
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31   TheBest HTTP/1.1
060 : 0D 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 55 73   ..Host: eeye..Us
070 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
080 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
090 : 65 3B 20 4D 53 49 45 20 35 2E 30 31 3B 20 57 69   e; MSIE 5.01; Wi
0a0 : 6E 64 6F 77 73 20 4E                              ndows N
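
An added example, not part of the original post and not Snort or ACID code: it rebuilds the request line from the payload rows in the alert above and normalizes the URI, showing that the `%5c` sequences decode to backslashes that climb out of `/scripts/` to `winnt/system32/cmd.exe`. The function names are hypothetical, and the parser assumes the 16-bytes-per-row dump layout shown in the alert.

```python
import re
from urllib.parse import unquote

# The six payload rows from the alert above that hold the HTTP request line.
DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35   5c..%5c..%5c..%5
020 : 63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F   cwinnt/system32/
030 : 63 6D 64 2E 65 78 65 3F 2F 63 2B 65 63 68 6F 20   cmd.exe?/c+echo
040 : 65 45 79 65 49 73 54 68 65 42 65 73 74 20 49 73   eEyeIsTheBest Is
050 : 54 68 65 42 65 73 74 20 48 54 54 50 2F 31 2E 31   TheBest HTTP/1.1
"""

# One dump row: 3-digit hex offset, " : ", then up to 16 space-separated bytes.
ROW = re.compile(r"^\s*[0-9a-fA-F]{3}\s*:\s*((?:[0-9a-fA-F]{2} ){1,16})")


def dump_to_bytes(dump):
    """Rebuild the raw payload from 'offset : hex bytes  ascii' rows."""
    payload = bytearray()
    for line in dump.splitlines():
        match = ROW.match(line)
        if match:
            payload += bytes.fromhex(match.group(1))
    return bytes(payload)


def analyze(payload):
    """Normalize the request URI and report what it resolves to."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    method, rest = request_line.split(" ", 1)
    target = rest.rpartition(" ")[0]          # drop the trailing HTTP version
    path, _, query = target.partition("?")
    # Decode once, then treat "\" like "/", as a Windows path parser would.
    segments = unquote(path).replace("\\", "/").split("/")
    depth, escaped = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0    # climbed above the web root
        elif seg not in ("", "."):
            depth += 1
    return {
        "method": method,
        "encoded_backslash": "%5c" in path.lower(),
        "escapes_web_root": escaped,
        "executable": segments[-1].lower(),
        "query": query,
    }
```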


