Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] SID 2417

from [Frank Knobbe] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] SID 2417
Date: Fri, 20 Aug 2004 12:42:56 -0500 
On Fri, 2004-08-20 at 11:32, Paul Schmehl wrote:

50 41 53 56 0D 0A 52 45 54 52 20 2F 68 6F 6D 65   PASV..RETR /home
2F 30 30 31 2F 6C 2F 6C 78 2F 6C 78 6F 30 31 35   /001/l/lx/lxo015
30 30 30 2F 70 75 62 6C 69 63 5F 68 74 6D 6C 2F   000/public_html/
50 68 6F 74 6F 2F 4D 75 6E 6B 61 68 65 6C 79 2F   Photo/Munkahely/
65 62 65 64 5F 73 7A 75 6E 65 74 5F 6B 2E 6A 70   ebed_szunet_k.jp
67 0D 0A 33 61 25 32 66 25 32 66 62 61 79 39 25   g..3a%2f%2fbay9%
32 65 6F 65 25 32 65 68 6F 74 6D 61 69 6C 25 32   2eoe%2ehotmail%2
65 63 6F 6D 25 32 66 63 67 69 25 32 64 62 69 6E   ecom%2fcgi%2dbin
25 32 66 68 6D 64 61 74 61 25 32 66 64 61 6F 6F   %2fhmdata%2fdaoo
64 25 34 30 68 6F 74 6D 61 69 6C 25 32 65 63 6F   d%40hotmail%2eco
6D 25 33 66 26 6C                                 m%3f&l



Let's see. First, switch to passive mode, then retrieve that jpeg from
the users html dir. But
"3a//bay9.oe.hostmail.com/cgi-bin/hmdata/daood@hotmail.com?&l" is not a
valid FTP command :)  Perhaps left-overs from a previous buffer?
considering that %3a is a ";" which fits fine in front of "//bay9..etc",
it appears that the FTP session data was overwriting a previous packet
(with the last LF overwriting the % of the ":").

A bug in the preprocessor perhaps?

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] RE: Snort Rule Howto, Andrews Carl 448
Next by Date:  RE: [Snort-sigs] SID 2417, Murat Korkmaz
Previous by Thread:  Re: [Snort-sigs] SID 2417, Nigel Houghton
Next by Thread:  RE: [Snort-sigs] SID 2417, Murat Korkmaz
Indexes:  [Date] [Thread] [Top] [All Lists]