Odd string in packet...

From: Grimes, Shawn (NIA/IRP) (GrimesSh@grc.nia.nih.gov)
Date: 01/25/02


From: "Grimes, Shawn (NIA/IRP)" <GrimesSh@grc.nia.nih.gov>
To: incidents@securityfocus.com
Date: Fri, 25 Jan 2002 08:51:54 -0500

This may be normal but who knows. I picked up the following alert today:
Jan 25 07:39:45 sensor1 snort: [1:873:2] WEB-CGI scriptalias access
[Classification: Attempted Information Leak] [Priority: 3]: {TCP}
xx.aol.com:3167 -> zzz.ournet.net:80

In fact, I've received 20 of these alerts in the last 24 hours, no big deal;
the alert triggers on a packet containing the string: "///". So the box on
our side that is receiving these packets is an Apache web server running on Red
Hat, and this box runs a utility called "http filter" which takes an
incoming packet, sees which of our web servers it wants to talk to, and
presents the information to the visitor. So we have a few IIS servers
(including an Outlook Webmail Server) that this Apache box serves as a
middle man for. I wouldn't think anything of these alerts except that I
happened to click on one, and included in the packet (the same alert above)
was the following:
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
250 : 6D 6C 6C 6C 6B 6B 6B 6A 6A 6A 69 69 69 68 68 68 mlllkkkjjjiiihhh
260 : 67 67 67 66 66 66 65 65 65 64 64 64 63 63 63 62 gggfffeeedddcccb
270 : 62 62 61 61 61 60 60 60 5F 5F 5F 5E 5E 5E 5D 5D bbaaa```___^^^]]
280 : 5D 5C 5C 5C 5B 5B 5B 5A 5A 5A 59 59 59 58 58 58 ]\\\[[[ZZZYYYXXX
290 : 57 57 57 56 56 56 55 55 55 54 54 54 53 53 53 52 WWWVVVUUUTTTSSSR
2a0 : 52 52 51 51 51 50 50 50 4F 4F 4F 4E 4E 4E 4D 4D RRQQQPPPOOONNNMM
2b0 : 4D 4C 4C 4C 4B 4B 4B 4A 4A 4A 49 49 49 48 48 48 MLLLKKKJJJIIIHHH
2c0 : 47 47 47 46 46 46 45 45 45 44 44 44 43 43 43 42 GGGFFFEEEDDDCCCB
2d0 : 42 42 41 41 41 40 40 40 3F 3F 3F 3E 3E 3E 3D 3D BBAAA@@@???>>>==
2e0 : 3D 3C 3C 3C 3B 3B 3B 3A 3A 3A 39 39 39 38 38 38 =<<<;;;:::999888
2f0 : 37 37 37 36 36 36 35 35 35 34 34 34 33 33 33 32 7776665554443332
300 : 32 32 31 31 31 30 30 30 2F 2F 2F 2E 2E 2E 2D 2D 22111000///...--
310 : 2D 2C 2C 2C 2B 2B 2B 2A 2A 2A 29 29 29 28 28 28 -,,,+++***)))(((
320 : 27 27 27 26 26 26 25 25 25 24 24 24 23 23 23 22 '''&&&%%%$$$###"
330 : 22 22 21 21 21 20 20 20 1F 1F 1F 1E 1E 1E 1D 1D ""!!! ........

Could this be a normal http/webmail packet? But it almost seems to me that
someone reversed the alphabet to maybe bypass some intrusion detection
systems that would pick up on it in the packet? Any ideas? Below is the
full packet contents.

Thanks,
--=Shawn

length = 1360

000 : BD DC 9E 20 56 B7 AC AD AF D5 0E B5 37 B9 7C C5 ... V.......7.|.
010 : 05 5C 2F E0 D6 8F A8 4A 4A 03 AC 7A D9 5F EE 8F .\/....JJ..z._..
020 : EA FC F9 1B E0 F6 FE AC DB E6 79 05 4E BD 3F 9F ..........y.N.?.
030 : FF 07 78 10 BF 10 12 F4 0C CD 00 00 00 00 49 45 ..x...........IE
040 : 4E 44 AE 42 60 82 00 6E 1E F0 C0 00 04 00 F9 51 ND.B`..n.......Q
050 : BF 1D 6E E1 7E 93 78 B0 84 E1 D7 EE 8B 3E FF 89 ..n.~.x......>..
060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 PNG........IHDR.
070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66 ..A.........[8.f
080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94 ....gAMA........
090 : 00 00 03 00 50 4C 54 45 FF FF FF FE FE FE FD FD ....PLTE........
0a0 : FD FC FC FC FB FB FB FA FA FA F9 F9 F9 F8 F8 F8 ................
0b0 : F7 F7 F7 F6 F6 F6 F5 F5 F5 F4 F4 F4 F3 F3 F3 F2 ................
0c0 : F2 F2 F1 F1 F1 F0 F0 F0 EF EF EF EE EE EE ED ED ................
0d0 : ED EC EC EC EB EB EB EA EA EA E9 E9 E9 E8 E8 E8 ................
0e0 : E7 E7 E7 E6 E6 E6 E5 E5 E5 E4 E4 E4 E3 E3 E3 E2 ................
0f0 : E2 E2 E1 E1 E1 E0 E0 E0 DF DF DF DE DE DE DD DD ................
100 : DD DC DC DC DB DB DB DA DA DA D9 D9 D9 D8 D8 D8 ................
110 : D7 D7 D7 D6 D6 D6 D5 D5 D5 D4 D4 D4 D3 D3 D3 D2 ................
120 : D2 D2 D1 D1 D1 D0 D0 D0 CF CF CF CE CE CE CD CD ................
130 : CD CC CC CC CB CB CB CA CA CA C9 C9 C9 C8 C8 C8 ................
140 : C7 C7 C7 C6 C6 C6 C5 C5 C5 C4 C4 C4 C3 C3 C3 C2 ................
150 : C2 C2 C1 C1 C1 C0 C0 C0 BF BF BF BE BE BE BD BD ................
160 : BD BC BC BC BB BB BB BA BA BA B9 B9 B9 B8 B8 B8 ................
170 : B7 B7 B7 B6 B6 B6 B5 B5 B5 B4 B4 B4 B3 B3 B3 B2 ................
180 : B2 B2 B1 B1 B1 B0 B0 B0 AF AF AF AE AE AE AD AD ................
190 : AD AC AC AC AB AB AB AA AA AA A9 A9 A9 A8 A8 A8 ................
1a0 : A7 A7 A7 A6 A6 A6 A5 A5 A5 A4 A4 A4 A3 A3 A3 A2 ................
1b0 : A2 A2 A1 A1 A1 A0 A0 A0 9F 9F 9F 9E 9E 9E 9D 9D ................
1c0 : 9D 9C 9C 9C 9B 9B 9B 9A 9A 9A 99 99 99 98 98 98 ................
1d0 : 97 97 97 96 96 96 95 95 95 94 94 94 93 93 93 92 ................
1e0 : 92 92 91 91 91 90 90 90 8F 8F 8F 8E 8E 8E 8D 8D ................
1f0 : 8D 8C 8C 8C 8B 8B 8B 8A 8A 8A 89 89 89 88 88 88 ................
200 : 87 87 87 86 86 86 85 85 85 84 84 84 83 83 83 82 ................
210 : 82 82 81 81 81 80 80 80 7F 7F 7F 7E 7E 7E 7D 7D ........~~~}}
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
250 : 6D 6C 6C 6C 6B 6B 6B 6A 6A 6A 69 69 69 68 68 68 mlllkkkjjjiiihhh
260 : 67 67 67 66 66 66 65 65 65 64 64 64 63 63 63 62 gggfffeeedddcccb
270 : 62 62 61 61 61 60 60 60 5F 5F 5F 5E 5E 5E 5D 5D bbaaa```___^^^]]
280 : 5D 5C 5C 5C 5B 5B 5B 5A 5A 5A 59 59 59 58 58 58 ]\\\[[[ZZZYYYXXX
290 : 57 57 57 56 56 56 55 55 55 54 54 54 53 53 53 52 WWWVVVUUUTTTSSSR
2a0 : 52 52 51 51 51 50 50 50 4F 4F 4F 4E 4E 4E 4D 4D RRQQQPPPOOONNNMM
2b0 : 4D 4C 4C 4C 4B 4B 4B 4A 4A 4A 49 49 49 48 48 48 MLLLKKKJJJIIIHHH
2c0 : 47 47 47 46 46 46 45 45 45 44 44 44 43 43 43 42 GGGFFFEEEDDDCCCB
2d0 : 42 42 41 41 41 40 40 40 3F 3F 3F 3E 3E 3E 3D 3D BBAAA@@@???>>>==
2e0 : 3D 3C 3C 3C 3B 3B 3B 3A 3A 3A 39 39 39 38 38 38 =<<<;;;:::999888
2f0 : 37 37 37 36 36 36 35 35 35 34 34 34 33 33 33 32 7776665554443332
300 : 32 32 31 31 31 30 30 30 2F 2F 2F 2E 2E 2E 2D 2D 22111000///...--
310 : 2D 2C 2C 2C 2B 2B 2B 2A 2A 2A 29 29 29 28 28 28 -,,,+++***)))(((
320 : 27 27 27 26 26 26 25 25 25 24 24 24 23 23 23 22 '''&&&%%%$$$###"
330 : 22 22 21 21 21 20 20 20 1F 1F 1F 1E 1E 1E 1D 1D ""!!! ........
340 : 1D 1C 1C 1C 1B 1B 1B 1A 1A 1A 19 19 19 18 18 18 ................
350 : 17 17 17 16 16 16 15 15 15 14 14 14 13 13 13 12 ................
360 : 12 12 11 11 11 10 10 10 0F 0F 0F 0E 0E 0E 0D 0D ................
370 : 0D 0C 0C 0C 0B 0B 0B 0A 0A 0A 09 09 09 08 08 08 ................
380 : 07 07 07 06 06 06 05 05 05 04 04 04 03 03 03 02 ................
390 : 02 02 01 01 01 00 00 00 EE AE E1 94 00 00 00 09 ................
3a0 : 70 48 59 73 FF FF FF FF FF FF FF FF 01 CA 4E F5 pHYs..........N.
3b0 : 17 00 00 20 00 49 44 41 54 78 9C 84 BD FB AF 6D ... .IDATx.....m
3c0 : F7 75 DD C7 3F A3 B0 10 41 14 64 A8 50 0B 07 29 .u..?...A.d.P..)
3d0 : 9C A0 09 82 3A 50 03 18 49 D1 02 76 80 3A 68 0A ....:P..I..v.:h.
3e0 : A7 41 0C 44 86 9B C0 AE 03 B7 46 22 19 B2 A4 80 .A.D......F"....
3f0 : 96 45 81 34 4D 81 12 79 79 79 EE B9 1B E7 EC BD .E.4M..yyy......
400 : DE EF F7 5A FB F5 87 75 7C C6 77 1D CA 3F 24 ED ...Z...u|.w..?$.
410 : 21 EF 79 EC BD F6 7A 7E BF E3 3B E6 9C 63 CE F9 !.y...z~..;..c..
420 : 4E 96 1C 5F 7D FE F9 AB CF 0E 59 56 F5 63 3F 0C N.._}.....YV.c?.
430 : 7D DD F7 ED 30 74 79 9A 7C F2 EF 7E F3 1F 7D FB }...0ty.|..~..}.
440 : 1F FC C6 3F FE AD DF FC 3F FE E0 F7 FE B7 7F F1 ...?....?......
450 : BF FF C9 F7 FE E2 AF 0F 0F 51 5E 34 6D EF AF 69 .........Q^4m..i
460 : 18 B2 22 AB EA EC 83 7F FE CD AF 7D E3 DD 6F FC ..".......}..o.
470 : CA 37 7F FB BB 1F 3E E4 59 9E E7 45 D7 37 63 DF .7...>.Y..E.7c.
480 : D6 63 57 D7 6D 5B 6B BF DA BA 1F C6 FE CB AF 61 .cW.m[k........a
490 : EC A6 8E 9F FA DF 5F CD C0 09 F0 47 DB EA C5 BE ......_....G....
4a0 : 1B BC D9 30 B5 63 A3 B3 AA C6 71 D1 79 0D FD D4 ...0.c....q.y...
4b0 : D7 2D A7 D8 F6 C3 C4 FB FD D0 D6 45 CD 6E 9A 61 .-.........E.n.a
4c0 : 28 DB B6 2F BB 56 BB A8 FD D6 30 D6 63 1D AE AA (../.V....0.c...
4d0 : F7 FE BA 3E 1C 83 EF FA B5 E2 95 BA D2 1E 79 4D ...>..........yM
4e0 : 27 D0 8F 5D F8 60 33 84 0F B0 61 5D E7 75 55 76 '..].`3...a].uUv
4f0 : 65 5E 16 45 9E 16 45 55 94 69 96 46 BA F8 A2 28 e^.E..EU.i.F...(
500 : CA BA C8 B3 B2 68 EA B2 ED 9A A6 CB B2 A6 CE 86 .....h..........
510 : AE D3 6F 79 D6 EB FD A6 D1 07 F2 2A 2F F4 41 3E ..oy.......*/.A>
520 : DA E4 79 53 94 85 6E 4B D3 76 BA 45 99 AE 54 67 ..yS..nK.v.E..Tg
530 : DE D5 5D 53 56 AD CE 5F FF 86 B2 29 AA AC E8 6A ..]SV.._...)...j
540 : 0E D9 D4 FA A3 A8 DA A2 6D 8B BA 2C AB 22 AF AA ........m..,."..
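Triage of the capture above, as an added example that is not part of Shawn's post: it rebuilds the bytes from the dump's own rows, walks the PNG chunk structure that starts at offset 0x5f (signature, IHDR, gAMA, PLTE, pHYs, then an IDAT cut off by the packet boundary), and reports which chunk the rule's `///` content match lands in. It shows that the "reversed alphabet" is the 768-byte PLTE chunk of an indexed-colour PNG (256 grey entries descending from FF FF FF to 00 00 00) and that `///` is simply palette entry 208, grey level 0x2F. It assumes the dump rows were transcribed accurately; the 752-byte stretch of palette rows 0x0a0-0x380 is regenerated rather than pasted, since the capture shows nothing else there.

```python
import struct
# Constructed sample: rows copied verbatim from the capture above. Rows 0x0a0-0x380 (752 bytes)
# are regenerated as MIDDLE because the capture shows they are only the triplets FD FC FC FC ... 03 03 03 02.
DUMP = """\
050 : BF 1D 6E E1 7E 93 78 B0 84 E1 D7 EE 8B 3E FF 89 ..n.~.x......>..
060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 PNG........IHDR.
070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66 ..A.........[8.f
080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94 ....gAMA........
090 : 00 00 03 00 50 4C 54 45 FF FF FF FE FE FE FD FD ....PLTE........
390 : 02 02 01 01 01 00 00 00 EE AE E1 94 00 00 00 09 ................
3a0 : 70 48 59 73 FF FF FF FF FF FF FF FF 01 CA 4E F5 pHYs..........N.
3b0 : 17 00 00 20 00 49 44 41 54 78 9C 84 BD FB AF 6D ... .IDATx.....m
"""
MIDDLE = bytes([0xFD]) + bytes(v for v in range(0xFC, 2, -1) for _ in range(3)) + b"\x02"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def parse_dump(text):  # 'off : hh hh ... ascii' rows -> {offset: bytes}; each row carries 16 pairs
    return {int(line.split(" : ")[0], 16): bytes(int(t, 16) for t in line.split(" : ")[1].split()[:16])
            for line in text.splitlines()}

def rebuild_packet():  # -> (data, capture offset of data[0]); sample starts at row 0x050
    rows = parse_dump(DUMP)
    head = b"".join(rows[o] for o in (0x50, 0x60, 0x70, 0x80, 0x90))
    return head + MIDDLE + rows[0x390] + rows[0x3A0] + rows[0x3B0], 0x50

def png_chunks(data):  # -> [(type, body_start, declared_length, body, truncated)]
    pos, chunks = data.index(PNG_SIG) + 8, []  # ValueError if there is no PNG signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        truncated = pos + 12 + length > len(data)  # chunk cut off by the packet boundary
        chunks.append((ctype.decode("ascii"), pos + 8, length, body, truncated))
        if truncated:
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return chunks

def ihdr_fields(chunks):
    body = next(c[3] for c in chunks if c[0] == "IHDR")
    width, height, bit_depth, color_type = struct.unpack(">IIBB", body[:10])
    return {"width": width, "height": height, "bit_depth": bit_depth, "color_type": color_type}

def explain_match(data, base, needle=b"///"):  # which chunk does the rule's content match land in?
    idx = data.find(needle)
    for ctype, body_start, _, body, _ in png_chunks(data):
        if body_start <= idx < body_start + len(body):
            entry = (idx - body_start) // 3 if ctype == "PLTE" else None  # 3 bytes per palette entry
            return {"offset": base + idx, "chunk": ctype, "palette_index": entry}
    return None
```

Colour type 3 in IHDR means every pixel is an index into PLTE, which is why a 256-entry greyscale palette is present and why a byte-pattern rule with no notion of HTTP bodies can fire on it.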

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
