PortPeeker Capture of DoS Attempt

This DoS exploit was originally published on December 23, 2003 by Peter Winter-Smith, but it is in the wild now. A good defence against attacks like this would be URLScan from Microsoft.

61.235.83.138 : 37060 TCP Data In Length 190 bytes
MD5 = 74B48143ED78F01B58CBAFE317332E31
---- 24/03/2004 19:45:11.298
0000 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..
0010 41 63 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 Accept: image/gi
0020 66 2C 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D f, image/x-xbitm
0030 61 70 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 ap, image/jpeg,
0040 69 6D 61 67 65 2F 70 6A 70 65 67 2C 20 2A 2F 2A image/pjpeg, */*
0050 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo
0060 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 zilla/4.0 (compa
0070 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 35 3B tible; MSIE 5.5;
0080 20 57 69 6E 64 6F 77 73 20 39 38 29 0D 0A 48 6F Windows 98)..Ho
0090 73 74 3A 20 36 38 2E 31 34 34 2E 31 39 33 2E 32 st: 68.144.193.2
00A0 34 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 46..Connection:
00B0 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....

NOTE: this worm only sends data if it gets a reply to the above request, so we use PortPeeker's Reply on Data Sent feature.

---- Data Sent
0000 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
0010 0A 53 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F .Server: Microso
0020 66 74 2D 49 49 53 2F 35 2E 30 0D 0A 58 2D 50 6F ft-IIS/5.0..X-Po
0030 77 65 72 65 64 2D 42 79 3A 20 41 53 50 2E 4E 45 wered-By: ASP.NE
0040 54 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 31 34 T..Date: Sun, 14
0050 20 53 65 70 20 32 30 30 33 20 30 36 3A 34 32 3A Sep 2003 06:42:
0060 34 32 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 42 GMT..Content-
0070 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D Type: text/html.
0080 0A 41 63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20 .Accept-Ranges:
0090 62 79 74 65 73 0D 0A 4C 61 73 74 2D 4D 6F 64 69 bytes..Last-Modi
00A0 66 69 65 64 3A 20 53 75 6E 2C 20 31 34 20 53 65 fied: Sun, 14 Se
00B0 70 20 32 30 30 33 20 30 36 3A 34 31 3A 31 36 20 p 2003 06:41:16
00C0 47 4D 54 0D 0A 45 54 61 67 3A 20 22 36 38 64 37 GMT..ETag: "68d7
00D0 35 65 33 32 38 62 37 61 63 33 31 3A 65 35 36 22 5e328b7ac31:e56"
00E0 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 ..Content-Length
00F0 3A 20 32 30 34 0D 0A 0D 0A 3C 68 74 6D 6C 3E 0D : 204....<html>.
0100 0A 3C 68 65 61 64 3E 0D 0A 3C 74 69 74 6C 65 3E .<head>..<title>
0110 50 6F 72 74 50 65 65 6B 65 72 3C 2F 74 69 74 6C PortPeeker</titl
0120 65 3E 0D 0A 3C 2F 68 65 61 64 3E 0D 0A 3C 62 6F e>..</head>..<bo
0130 64 79 3E 0D 0A 3C 70 3E 59 6F 75 72 20 63 6F 6E dy>..<p>Your con
0140 6E 65 63 74 69 6F 6E 20 6F 6E 20 74 68 69 73 20 nection on this
0150 70 6F 72 74 20 69 73 20 62 65 69 6E 67 20 6D 6F port is being mo
0160 6E 69 74 6F 72 65 64 20 62 79 20 3C 61 20 68 72 nitored by <a hr
0170 65 66 3D 22 68 74 74 70 3A 2F 2F 77 77 77 2E 6C ef="http://www.l
0180 69 6E 6B 6C 6F 67 67 65 72 2E 63 6F 6D 2F 70 6F inklogger.com/po
0190 72 74 70 65 65 6B 65 72 2E 68 74 6D 22 3E 50 6F rtpeeker.htm">Po
01A0 72 74 50 65 65 6B 65 72 3C 2F 61 3E 2E 3C 2F 70 rtPeeker</a>.</p
01B0 3E 0D 0A 3C 2F 62 6F 64 79 3E 0D 0A 3C 2F 68 74 >..</body>..</ht
01C0 6D 6C 3E 0D 0A 0D 0A 0D 0A                      ml>......

61.235.83.138 : 37060 TCP Disconnected ID = 1
---- 24/03/2004 19:45:11.919
Status Code: 43008 [43008] (no description available)

TCP Connection Request
---- 24/03/2004 19:45:12.570

61.235.83.138 : 47012 TCP Connected ID = 1
---- 24/03/2004 19:45:12.570
Status Code: 0 OK

61.235.83.138 : 47012 TCP Data In Length 43 bytes
MD5 = 3F74F53E0718E6B451DCEAF864A69B54
---- 24/03/2004 19:45:12.570
0000 53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E SEARCH / HTTP/1.
0010 31 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E 1..Host: 68.144.
0020 31 39 33 2E 32 34 36 0D 0A 0D 0A                193.246....
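An added example (not PortPeeker's or Link Logger's code) that rebuilds raw bytes from dump lines in the layout shown above and tags the fingerprint-GET-then-SEARCH sequence seen in this capture. SEARCH_DUMP is the 43-byte request from the capture; GET_DUMP is a shortened, constructed probe; the WebDAV verbs listed beyond SEARCH are my addition.

```python
import re
# Constructed samples in PortPeeker's dump layout: offset, up to 16 hex bytes, ASCII.
GET_DUMP = """\
0000 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..
0010 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E 31 39 33 Host: 68.144.193
0020 2E 32 34 36 0D 0A 0D 0A                         .246....
"""
SEARCH_DUMP = """\
0000 53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E SEARCH / HTTP/1.
0010 31 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E 1..Host: 68.144.
0020 31 39 33 2E 32 34 36 0D 0A 0D 0A                193.246....
"""

# One dump line: 4-digit offset, then 1..16 single-space-separated hex pairs.  The
# lookahead and the 16-byte cap keep hex-looking ASCII text (e.g. "42 GMT") out.
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}((?: [0-9A-Fa-f]{2}(?=\s|$)){1,16})")

def parse_dump(dump: str) -> bytes:
    """Rebuild the raw payload from PortPeeker dump lines, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).strip())
    return bytes(out)

def parse_request(payload: bytes) -> dict:
    """Split an HTTP request into method, target, version and lower-cased headers."""
    head = payload.partition(b"\r\n\r\n")[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}

# WebDAV verbs outside URLScan's default allowed-verb list; SEARCH is the one captured.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}

def classify(requests):
    """Tag WebDAV requests; (src_ip, payload) pairs are given in capture order."""
    findings, probed = [], set()
    for src, payload in requests:
        req = parse_request(payload)
        if req["method"] == "GET" and req["target"] == "/":
            probed.add(src)                      # the fingerprinting GET seen first
        elif req["method"] in WEBDAV_METHODS:
            tag = "webdav-after-fingerprint" if src in probed else "webdav-request"
            findings.append((src, req["method"], tag))
    return findings
```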

While PortPeeker is not an officially supported product, if you have any suggestions or find any bugs, please send them to PortPeeker@LinkLogger.com.