Help: Weird email received & E-Safe Alert

From: root (etienne@unix.za.org)
Date: 10/04/01


Message-ID: <3BBC52D5.F5069657@unix.za.org>
Date: Thu, 04 Oct 2001 14:15:17 +0200
From: root <etienne@unix.za.org>
To: incidents@securityfocus.com
Subject: Help: Weird email received & E-Safe Alert

Greetings,

I need some help trying to explain two different issues.

1)

We received an email from someone else with only the following in the
mail:

#########################################################################################
<snip>
Sent: Friday, September 28, 2001 3:04 PM
Subject: Be sure to answer.

\par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057

\par {\pntext\pard\plain\f1 \'b7\tab}}\pard
\qj\fi-283\li283\widctlpar{\*\pn \pnlvlblt\pnf1\pnindent283
{\pntxtb \'b7}}{\fs24\lang2057 Create a new file.

\par }\pard \qj\widctlpar{\*\pn \pnlvlcont\pndec }{\fs24\lang2057

\par The new command \ldblquote Scan Text\rdblquote has been added to
the \ldblquote File\rdblquote
menu.

\par

\par

\par }{\b\fs30\lang2057 C. Excel 2000 (Office 2000) and Excel 97 (Office
97)

\par }{\fs24\lang2057

\par Start Excel.

##########################################################################################

My questions are :

- WTF is this? Or what was it supposed to be?
- What does the above code try to do?

I suppose this could've just been an accident; I haven't mailed the
sender for his input yet. I just thought I'd add it to this email along
with my other question.

2)

We are using E-trust from Computer Associates. It has detected an event
"Attempt to use Wingate Redirector DoS". I suspect this is a false
positive but I cannot explain what it was that actually triggered this
alert. I need some help trying to figure out what actually happened.

LOG:
#########################################################################

Client IP = xxx.xxx.xxx.xxx
Server IP = aaa.aaa.aaa.aaa
Client physical address = 00:04:AC:4C:35:27
Server physical address = 00:04:AC:38:7D:6E
Client port = 1066
Server port = 2080 TCP

Server -> Client
05 00 0B 03 10 00 00 00 83 00 33 00 01 00 00 00 ........f.3.....
D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00 ..............
00 DB F1 A4 47 CA 67 10 B3 1F 00 DD 01 06 62 DA .Gg.....b
00 00 51 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 ..Q..]^S..Y..
2B 10 48 60 02 00 00 00 0A 02 00 00 88 E2 08 00 +.H`........^..
4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0 NTLMSSP.......
07 00 07 00 2C 00 00 00 0C 00 0C 00 20 00 00 00 ....,....... ...
4C 49 4E 44 41 4C 4F 55 54 44 42 4E 43 4F 52 50 LINDALOUTDBNCORP
43 4F 4D COM
Client -> Server
05 00 0C 03 10 00 00 00 82 00 3E 00 01 00 00 00 ........,.>.....
D0 16 D0 16 1B 3F 01 00 05 00 31 30 36 36 00 61 ...?....1066.a
01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 .........]^S..
9F E8 08 00 2B 10 48 60 02 00 00 00 0A 02 00 00 Y..+.H`........
88 E2 08 00 4E 54 4C 4D 53 53 50 00 02 00 00 00 ^..NTLMSSP.....
0E 00 0E 00 30 00 00 00 05 82 01 00 F5 0A 69 96 ....0....,...i-
70 CD B7 66 00 00 00 00 00 00 00 00 00 00 00 00 pͷf............
3E 00 00 00 43 00 4F 00 52 00 50 00 43 00 4F 00 >...C.O.R.P.C.O.
4D 00 M.
Server -> Client
05 00 10 03 10 00 00 00 BC 00 A0 00 01 00 00 00 ......... .....
D0 16 D0 16 0A 02 00 00 88 E2 08 00 4E 54 4C 4D ......^..NTLM
53 53 50 00 03 00 00 00 18 00 18 00 70 00 00 00 SSP.........p...
18 00 18 00 88 00 00 00 0E 00 0E 00 40 00 00 00 ....^.......@...
0A 00 0A 00 4E 00 00 00 18 00 18 00 58 00 00 00 ....N.......X...
00 00 00 00 A0 00 00 00 05 82 00 00 43 00 4F 00 .... ....,..C.O.
52 00 50 00 43 00 4F 00 4D 00 4C 00 69 00 6E 00 R.P.C.O.M.L.i.n.
64 00 61 00 4C 00 49 00 4E 00 44 00 41 00 4C 00 d.a.L.I.N.D.A.L.
4F 00 55 00 54 00 44 00 42 00 4E 00 5F 46 EA BA O.U.T.D.B.N._F
74 D2 F2 71 3E 54 19 95 BF 80 61 4D 2E FD 3B 98 tq>T.*?aM.;~
CC BC 0A 4C BD DD A5 B4 89 16 42 D4 6A C1 55 BC ̼.Lݥ?.BjU
54 0A A7 19 DA 5C E4 79 B5 05 F0 54 05 00 00 03 T..\y.T....
10 00 00 00 A0 00 10 00 01 00 00 00 6C 00 00 00 .... .......l...
00 00 00 00 35 00 00 00 00 00 00 00 35 00 00 00 ....5.......5...
2F 6F 3D 43 6F 72 70 63 6F 6D 20 4F 75 74 64 6F /o=Corpcom Outdo
6F 72 2F 6F 75 3D 43 4F 52 50 43 4F 4D 2F 63 6E or/ou=CORPCOM/cn
3D 52 65 63 69 70 69 65 6E 74 73 2F 63 6E 3D 4C =Recipients/cn=L
69 6E 64 61 00 82 01 00 00 00 00 00 F5 DB 40 99 inda.,......@?
00 00 00 00 E4 04 00 00 09 04 00 00 09 1C 00 00 ...............
FF FF FF FF 01 00 05 00 03 0B 00 00 00 00 D3 01 ...........
00 00 00 00 0A 02 04 00 88 E2 08 00 01 00 00 00 ........^......
00 00 00 00 00 00 00 00 00 00 00 00 ............
Client -> Server
05 00 02 03 10 00 00 00 D0 00 10 00 01 00 00 00 ...............
98 00 00 00 00 00 00 00 00 00 00 00 CF 49 86 61 ~...........I?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 60 EA 00 00 6.?..L5'`..
06 00 00 00 10 27 00 00 3B 01 0E 00 C8 D1 11 12 .....'..;.....
30 00 00 00 00 00 00 00 30 00 00 00 2F 4F 3D 43 0.......0.../O=C
4F 52 50 43 4F 4D 20 4F 55 54 44 4F 4F 52 2F 4F ORPCOM OUTDOOR/O
55 3D 43 4F 52 50 43 4F 4D 2F 43 4E 3D 52 45 43 U=CORPCOM/CN=REC
49 50 49 45 4E 54 53 2F 43 4E 3D 00 38 40 16 12 IPIENTS/CN=.8@..
0F 00 00 00 00 00 00 00 0F 00 00 00 4C 69 6E 64 ............Lind
61 20 4C 65 76 65 6E 64 61 67 00 4D 05 00 5D 0A a Levendag.M..].
17 00 05 00 03 0B 00 00 24 82 3C 1C 00 00 00 00 ........$,<.....
54 0A A7 19 DA 5C E4 79 0A 02 08 00 88 E2 08 00 T..\y....^..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Server -> Client
05 00 00 03 10 00 00 00 A0 00 10 00 02 00 00 00 ........ .......
6E 00 00 00 00 00 02 00 00 00 00 00 CF 49 86 61 n...........I?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 02 00 00 6.?..L5'....
00 00 00 00 49 00 00 00 E0 A5 5B A5 A5 A4 A9 A5 ....I...[
A5 A5 A5 A5 A5 A5 90 A5 8A CA 98 E6 CA D7 D5 C6 ?S~
CA C8 85 EA D0 D1 C1 CA CA D7 8A CA D0 98 E6 EA ?S~
F7 F5 E6 EA E8 8A C6 CB 98 F7 C0 C6 CC D5 CC C0 S~
CB D1 D6 8A C6 CB 98 E9 CC CB C1 C4 A5 5A 5A 5A S~ĥZZZ
5A 00 49 00 00 02 00 00 0A 02 02 00 88 E2 08 00 Z.I.........^..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Client -> Server
05 00 02 03 10 00 00 00 10 01 10 00 02 00 00 00 ................
D4 00 00 00 00 00 00 00 00 00 00 00 CF 49 86 61 ...........I?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 02 00 00 6.?..L5'....
00 00 00 00 AC 00 00 00 0D A5 5B A5 A5 A5 A5 A5 ........[
A4 A4 A5 A5 A5 A5 A5 99 25 A4 A5 A5 A5 A5 A5 99 ?%?
27 A4 A5 A5 A5 A5 A5 99 26 A4 A5 A5 A5 A5 A5 99 '?&?
24 A4 A5 A5 A5 A5 A5 99 21 A4 A5 A5 A5 A5 A5 99 $?!?
20 A4 A5 A5 A5 A5 A5 99 23 A4 A5 A5 A5 A5 A5 99 ?#?
22 A4 A5 A5 A5 A5 A5 99 2F A4 A5 A5 A5 A5 A5 99 "?/?
2E A4 A5 A5 A5 A5 A5 99 2D A4 A5 A5 A5 A5 A5 99 .?-?
2C A4 A5 A5 A5 A5 A5 99 29 A2 83 CF D2 42 C2 EE ,?)fB
70 B4 0F CB A5 A1 09 E9 90 82 A4 A5 1C AA 6C BD p.˥.?,.l
C3 EE 70 B4 0F C8 A5 A1 09 E9 90 82 B7 B5 AF A4 p.ȥ.?,
A4 AF 74 A2 A5 07 67 BB AA F9 1A A4 A5 A5 A5 A4 t.g.
61 AD A5 A5 AC 00 A5 A5 00 00 00 00 AD A5 A5 A5 a.....
AC A5 A5 A5 A2 A5 A5 A5 0A 02 0C 00 88 E2 08 00 ....^..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Server -> Client
05 00 00 03 10 00 00 00 80 00 10 00 03 00 00 00 ........?.......
44 00 00 00 00 00 02 00 00 00 00 00 CF 49 86 61 D...........I?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 16 00 00 6.?..L5'....
00 00 00 00 1F 00 00 00 BE A5 A2 A5 A5 A5 A5 A5 ........
A5 A1 A5 A7 A4 BC C3 A7 A4 BE C3 BB A5 B9 C3 A7 çûç
A4 94 C3 61 AD A5 A5 5D 1F 00 00 16 C9 11 9F E8 ?a].....Y
08 00 2B 10 48 60 02 00 0A 02 0C 00 88 E2 08 00 ..+.H`......^..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Client -> Server
05 00 02 03 10 00 00 00 20 01 10 00 03 00 00 00 ........ .......
F0 00 00 00 00 00 00 00 00 00 00 00 CF 49 86 61 ...........I?a
36 B6 D5 11 AA 87 00 04 AC 4C 35 27 00 16 00 00 6.?..L5'....
00 00 00 00 CA 00 00 00 63 A5 A2 A5 A5 A5 A5 A5 .......c
A4 A5 F4 A5 A5 A5 A5 A5 79 02 E5 6D 65 E7 B5 BF y.me絿
11 1C AD A5 8E 8A 44 27 A4 A5 A5 A5 A5 A5 A5 A5 ..?SD'
8A EA 98 E6 EA F7 F5 E6 EA E8 85 EA F0 F1 E1 EA S~?
EA F7 8A EA F0 98 E6 EA F7 F5 E6 EA E8 8A E6 EB S~S
98 F7 E0 E6 EC F5 EC E0 EB F1 F6 8A E6 EB 98 E9 ~S~
EC EB E1 E4 A5 A5 F4 A5 A5 A5 A5 A5 79 02 E5 6D 䥥y.m
65 E7 B5 BF 11 1C AD A5 8E 8A 44 27 A4 A5 A5 A5 e絿..?SD'
A5 A5 A5 A5 8A EA 98 E6 EA F7 F5 E6 EA E8 85 EA S~?
F0 F1 E1 EA EA F7 8A EA F0 98 E6 EA F7 F5 E6 EA S~
E8 8A E6 EB 98 F7 E0 E6 EC F5 EC E0 EB F1 F6 8A S~S
E6 EB 98 E9 EC EB E1 E4 A5 A5 E9 CC CB C1 C4 85 ~䥥?
E9 C0 D3 C0 CB C1 C4 C2 A5 AF A0 A5 A2 25 61 AD ¥ %a
A5 A5 CA 00 00 00 00 00 0A 02 00 00 88 E2 08 00 .........^..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

..
..
..etc.
##############################################################################

Any hints/ideas on what this was?

tx.
E.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
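The following Python is an added example, not part of the original post or of the E-trust product. It decodes the first PDU of the log above (the rows are copied verbatim, ASCII gutter included): the `05 00 0B 03` header is a DCE/RPC version 5 bind, and the interface UUID it carries is compared against two well-known identifiers, the Exchange EMSMDB (MAPI over RPC) interface and the NDR transfer syntax, which is how an analyst checks whether a port-based signature such as the WinGate one fired on unrelated traffic. It assumes the little-endian data representation that the dump's `10 00 00 00` byte sequence indicates.

```python
import struct
import uuid

# First PDU of the post's E-trust log, copied as printed (hex columns plus ASCII gutter).
CAPTURE = """\
05 00 0B 03 10 00 00 00 83 00 33 00 01 00 00 00 ........f.3.....
D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00 ..............
00 DB F1 A4 47 CA 67 10 B3 1F 00 DD 01 06 62 DA .Gg.....b
00 00 51 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 ..Q..]^S..Y..
2B 10 48 60 02 00 00 00 0A 02 00 00 88 E2 08 00 +.H`........^..
4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 00 A0 NTLMSSP.......
07 00 07 00 2C 00 00 00 0C 00 0C 00 20 00 00 00 ....,....... ...
4C 49 4E 44 41 4C 4F 55 54 44 42 4E 43 4F 52 50 LINDALOUTDBNCORP
43 4F 4D COM
"""
# Connection-oriented PDU types seen in the log (DCE/RPC C706, 12.6) and the two UUIDs it carries.
PTYPES = {0x00: "request", 0x02: "response", 0x0B: "bind", 0x0C: "bind_ack", 0x10: "auth3"}
KNOWN_UUIDS = {"a4f1db00-ca47-1067-b31f-00dd010662da": "EMSMDB (Exchange MAPI over RPC)",
               "8a885d04-1ceb-11c9-9fe8-08002b104860": "NDR transfer syntax"}

def dump_to_bytes(dump):
    # Keep the leading hex pairs of each line (16 per full row); the ASCII gutter never parses as one.
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_pdu(data):
    # Decode the 16-byte DCE/RPC common header; for a bind PDU also the interface and auth verifier.
    if len(data) < 16 or data[0] != 5 or (data[4] & 0xF0) != 0x10:
        raise ValueError("not a little-endian DCE/RPC v5 connection-oriented PDU")
    ptype, flags = data[2], data[3]
    frag_len, auth_len, call_id = struct.unpack("<HHI", data[8:16])
    info = {"ptype": PTYPES.get(ptype, hex(ptype)), "frag_len": frag_len, "auth_len": auth_len,
            "call_id": call_id, "single_fragment": (flags & 0x03) == 0x03}
    if ptype == 0x0B and len(data) >= 72:
        # bind body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3), then the first context
        # element: id(2) n_xfer(1) pad(1) abstract UUID(16) version(4) transfer UUID(16) version(4)
        abstract = str(uuid.UUID(bytes_le=data[32:48]))
        major, minor = struct.unpack("<HH", data[48:52])
        xfer = str(uuid.UUID(bytes_le=data[52:68]))
        info.update(interface=KNOWN_UUIDS.get(abstract, abstract), interface_version=f"{major}.{minor}",
                    transfer_syntax=KNOWN_UUIDS.get(xfer, xfer))
    if auth_len and frag_len <= len(data):
        off = frag_len - auth_len - 8   # auth verifier: type(1) level(1) pad(1) rsvd(1) ctx_id(4)
        info["auth_type"] = "NTLMSSP" if data[off] == 10 else data[off]
        if data[off + 8:off + 16] == b"NTLMSSP\x00":   # the NTLMSSP message type follows the signature
            info["ntlmssp_message_type"] = struct.unpack("<I", data[off + 16:off + 20])[0]
    return info
```

Running `parse_pdu(dump_to_bytes(CAPTURE))` reports a bind for interface version 0.81 of EMSMDB with an NTLMSSP negotiate (type 1) message attached, i.e. an Outlook-style MAPI session setup rather than anything WinGate-specific.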
