Subject: [Snort-sigs] seeing thousands of hits on COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit, Sig ID, 100000101
Date: Mon, 31 Jul 2006 15:24:08 +1200
This one is from one of our own servers, but many are from elsewhere, including
many reputable sites.

I've seen nearly 4000 hits in the last 24 hours -- this has been going on for
some time, but I've just got around to doing something about it.

Russell

META
--------
SID     CID             TimeStamp               Signature
6       12634057        2006-07-30 15:25:00     COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit (Sig ID 100000101)

Sensor Hostname                         Sensor Interface
hihi.insec.auckland.ac.nz       new dmz sensor

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.11.1    202.180.83.6    4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1500    24867   2       0       124     60516

Resolved Source
cecilwfa.cecil.auckland.ac.nz

Resolved Dest
nc1.akl.callplus.net.nz

TCP
--------
Source Port     Dest Port       Seq             Ack             
80              2778            2657346162      1028135209
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
8       0               16      64219   21114           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X                                       

DATA
--------
485454502F312E312032    HTTP/1.1 2
3030204F4B0D0A446174    00 OK..Dat
653A2053756E2C203330    e: Sun, 30
204A756C203230303620     Jul 2006
30333A32353A30312047    03:25:01 G
4D540D0A536572766572    MT..Server
3A204D6963726F736F66    : Microsof
742D4949532F362E300D    t-IIS/6.0.
0A7033703A2043503D6E    .p3p: CP=n
6F6E0D0A582D506F7765    on..X-Powe
7265642D42793A204153    red-By: AS
502E4E45540D0A582D41    P.NET..X-A
73704E65742D56657273    spNet-Vers
696F6E3A20312E312E34    ion: 1.1.4
3332320D0A507261676D    322..Pragm
613A206E6F2D63616368    a: no-cach
650D0A436F6E74656E74    e..Content
2D446973706F73697469    -Dispositi
6F6E3A20696E6C696E65    on: inline
3B66696C656E616D653D    ;filename=
22436F76657273686565    "Covershee
742E706466220D0A436F    t.pdf"..Co
6E74656E742D4C656E67    ntent-Leng
74683A2031313033350D    th: 11035.
0A43616368652D436F6E    .Cache-Con
74726F6C3A206E6F2D63    trol: no-c
616368650D0A50726167    ache..Prag
6D613A206E6F2D636163    ma: no-cac
68650D0A457870697265    he..Expire
733A202D310D0A436F6E    s: -1..Con
74656E742D547970653A    tent-Type:
206170706C6963617469     applicati
6F6E2F7064660D0A0D0A    on/pdf....
255044462D312E340D25    %PDF-1.4.%
E2E3CFD30D0A36203020    ......6 0
6F626A203C3C2F4C696E    obj <</Lin
656172697A656420312F    earized 1/
4C2031313033352F4F20    L 11035/O
382F4520363931302F4E    8/E 6910/N
20312F54203130383639     1/T 10869
2F48205B203535362031    /H [ 556 1
36335D3E3E0D656E646F    63]>>.endo
626A0D20202020202020    bj.
20202020202020202020    
202020200D0A78726566        ..xref
0D0A362031330D0A3030    ..6 13..00
30303030303031362030    00000016 0
30303030206E0D0A3030    0000 n..00
30303030303731392030    00000719 0
30303030206E0D0A3030    0000 n..00
30303030303739352030    00000795 0
30303030206E0D0A3030    0000 n..00
30303030303932372030    00000927 0
30303030206E0D0A3030    0000 n..00
30303030313034372030    00001047 0
30303030206E0D0A3030    0000 n..00
30303030313435352030    00001455 0
30303030206E0D0A3030    0000 n..00
30303030313932322030    00001922 0
30303030206E0D0A3030    0000 n..00
30303030333634312030    00003641 0
30303030206E0D0A3030    0000 n..00
30303030333637352030    00003675 0
30303030206E0D0A3030    0000 n..00
30303030363334342030    00006344 0
30303030206E0D0A3030    0000 n..00
30303030363539322030    00006592 0
30303030206E0D0A3030    0000 n..00
30303030363833342030    00006834 0
30303030206E0D0A3030    0000 n..00
30303030303535362030    00000556 0
30303030206E0D0A7472    0000 n..tr
61696C65720D0A3C3C2F    ailer..<</
53697A652031392F5072    Size 19/Pr
65762031303835392F52    ev 10859/R
6F6F742037203020522F    oot 7 0 R/
496E666F203520302052    Info 5 0 R
2F49445B3C3144353333    /ID[<1D533
37433641443643374232    7C6AD6C7B2
31334244414238464145    13BDAB8FAE
443535334139453E3C36    D553A9E><6
46323145334238384342    F21E3B88CB
30453734393941413046    0E7499AA0F
37393334424544344643    7934BED4FC
413E5D3E3E0D0A737461    A>]>>..sta
7274787265660D0A300D    rtxref..0.
0A2525454F460D0A2020    .%%EOF..
20202020202020202020    
202020200D0A31382030        ..18 0
206F626A3C3C2F4C656E     obj<</Len
6774682038302F46696C    gth 80/Fil
7465722F466C61746544    ter/FlateD
65636F64652F49203936    ecode/I 96
2F4C2038302F53203339    /L 80/S 39
3E3E73747265616D0D0A    >>stream..
78DA626060E0626060AA    x.b``.b``.
600002F1C70CA8800988    `.........
5918380E301820097241    Y.8.0. .rA
31038312030F9B429878    1......B.x
E2C6CC0086251BAEF132    .....%...2
688185191918A4A2A1BA    h.........
2D8098958141E339449C    -....A.9D.
E12140800100D0290A24    .!@....).$
0D0A656E647374726561    ..endstrea
6D0D656E646F626A0D37    m.endobj.7
2030206F626A3C3C2F4D     0 obj<</M
65746164617461203420    etadata 4
3020522F506167657320    0 R/Pages
33203020522F54797065    3 0 R/Type
2F436174616C6F672F50    /Catalog/P
6167654C6162656C7320    ageLabels
31203020523E3E0D656E    1 0 R>>.en
646F626A0D382030206F    dobj.8 0 o
626A3C3C2F43726F7042    bj<</CropB
6F785B30203020353935    ox[0 0 595
2E3232203834325D2F50    .22 842]/P
6172656E742033203020    arent 3 0
522F436F6E74656E7473    R/Contents
203132203020522F526F     12 0 R/Ro
7461746520302F4D6564    tate 0/Med
6961426F785B30203020    iaBox[0 0
3539352E323220383432    595.22 842
5D2F5265736F75726365    ]/Resource
732039203020522F5479    s 9 0 R/Ty
70652F506167653E3E0D    pe/Page>>.
656E646F626A0D392030    endobj.9 0
206F626A3C3C2F436F6C     obj<</Col
6F7253706163653C3C2F    orSpace<</
43733620313320302052    Cs6 13 0 R
3E3E2F466F6E743C3C2F    >>/Font<</
54543220313020302052    TT2 10 0 R
2F545434203131203020    /TT4 11 0
523E3E2F50726F635365    R>>/ProcSe
745B2F5044462F546578    t[/PDF/Tex
745D2F45787447537461    t]/ExtGSta
74653C3C2F4753312031    te<</GS1 1
37203020523E3E3E3E0D    7 0 R>>>>.
656E646F626A0D313020    endobj.10
30206F626A3C3C2F5375    0 obj<</Su
62747970652F54727565    btype/True
547970652F466F6E7444    Type/FontD
657363726970746F7220    escriptor
3135203020522F4C6173    15 0 R/Las
7443686172203131382F    tChar 118/
5769647468735B32        Widths[2

DATA
--------
HTTP/1.1 200 OK..Date: Sun, 30 Jul 2006 03:25:01 GMT..Server
: Microsoft-IIS/6.0..p3p: CP=non..X-Powered-By: ASP.NET..X-A
spNet-Version: 1.1.4322..Pragma: no-cache..Content-Dispositi
on: inline;filename="Coversheet.pdf"..Content-Length: 11035.
.Cache-Control: no-cache..Pragma: no-cache..Expires: -1..Con
tent-Type: application/pdf....%PDF-1.4.%......6 0 obj <</Lin
earized 1/L 11035/O 8/E 6910/N 1/T 10869/H [ 556 163]>>.endo
bj.                     ..xref..6 13..0000000016 00000 n..00
00000719 00000 n..0000000795 00000 n..0000000927 00000 n..00
00001047 00000 n..0000001455 00000 n..0000001922 00000 n..00
00003641 00000 n..0000003675 00000 n..0000006344 00000 n..00
00006592 00000 n..0000006834 00000 n..0000000556 00000 n..tr
ailer..<</Size 19/Prev 10859/Root 7 0 R/Info 5 0 R/ID[<1D533
7C6AD6C7B213BDAB8FAED553A9E><6F21E3B88CB0E7499AA0F7934BED4FC
A>]>>..startxref..0..%%EOF..                ..18 0 obj<</Len
gth 80/Filter/FlateDecode/I 96/L 80/S 39>>stream..x.b``.b``.
`.........Y.8.0. .rA1......B.x.....%...2h.........-....A.9D.
.!@....).$..endstream.endobj.7 0 obj<</Metadata 4 0 R/Pages
3 0 R/Type/Catalog/PageLabels 1 0 R>>.endobj.8 0 obj<</CropB
ox[0 0 595.22 842]/Parent 3 0 R/Contents 12 0 R/Rotate 0/Med
iaBox[0 0 595.22 842]/Resources 9 0 R/Type/Page>>.endobj.9 0
 obj<</ColorSpace<</Cs6 13 0 R>>/Font<</TT2 10 0 R/TT4 11 0
R>>/ProcSet[/PDF/Text]/ExtGState<</GS1 17 0 R>>>>.endobj.10
0 obj<</Subtype/TrueType/FontDescriptor 15 0 R/LastChar 118/
Widths[2

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
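Added example, not code from the post or from the Snort project: a small triage helper for alerts like the one above. It re-assembles the hex column of the ACID/BASE "DATA" dump quoted in the message into raw bytes, parses the HTTP response, and reports whether the body really is a PDF that agrees with its Content-Type and whether any PDF active-content keywords (/OpenAction, /JavaScript and friends, a heuristic list chosen here) are visible in the captured bytes. A second input, CONSTRUCTED_JS_PDF, is a made-up response carrying an OpenAction/JavaScript catalog so the keyword check has something to fire on. The final function formats a Snort 2.x threshold.conf "suppress" entry for a source you have decided is benign; gen_id 1 for an ordinary text rule is an assumption, as is the source IP taken from the dump.

```python
"""Triage an HTTP-response payload from a BASE/ACID alert dump (added example)."""
import binascii
import re

# Hex column of the first 35 rows of the dump in the post: the whole HTTP
# header block plus the first 20 bytes of the PDF body.
POSTED_HEX_ROWS = """
485454502F312E312032 3030204F4B0D0A446174 653A2053756E2C203330
204A756C203230303620 30333A32353A30312047 4D540D0A536572766572
3A204D6963726F736F66 742D4949532F362E300D 0A7033703A2043503D6E
6F6E0D0A582D506F7765 7265642D42793A204153 502E4E45540D0A582D41
73704E65742D56657273 696F6E3A20312E312E34 3332320D0A507261676D
613A206E6F2D63616368 650D0A436F6E74656E74 2D446973706F73697469
6F6E3A20696E6C696E65 3B66696C656E616D653D 22436F76657273686565
742E706466220D0A436F 6E74656E742D4C656E67 74683A2031313033350D
0A43616368652D436F6E 74726F6C3A206E6F2D63 616368650D0A50726167
6D613A206E6F2D636163 68650D0A457870697265 733A202D310D0A436F6E
74656E742D547970653A 206170706C6963617469 6F6E2F7064660D0A0D0A
255044462D312E340D25 E2E3CFD30D0A36203020
"""

# Constructed counter-example (not from the post): a PDF whose catalog runs
# JavaScript on open, so the keyword scan below has something to report.
CONSTRUCTED_JS_PDF = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/JavaScript"
    b"/JS(app.alert(1))>>>>endobj\n"
)

# Heuristic list of PDF keywords that indicate active content; presence is a
# reason to look closer, not proof of an exploit.
PDF_ACTIVE_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                       b"/Launch", b"/EmbeddedFile")


def hex_rows_to_bytes(rows: str) -> bytes:
    """Join the hex column of a BASE/ACID payload dump back into raw bytes."""
    return binascii.unhexlify("".join(rows.split()))


def split_http_response(payload: bytes):
    """Return (status_line, headers, body); header names are lower-cased."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is truncated: no CRLFCRLF in payload")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def triage_pdf_response(payload: bytes) -> dict:
    """Summarise whether a server-to-client payload is a plain PDF download."""
    status, headers, body = split_http_response(payload)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    is_pdf = body.startswith(b"%PDF-")
    return {
        "status": status,
        "content_type": ctype,
        "filename": match.group(1) if match else None,
        "declared_length": int(headers.get("content-length", "0") or 0),
        "captured_body_bytes": len(body),   # only what this one packet carried
        "body_is_pdf": is_pdf,
        "type_matches_body": (ctype == "application/pdf") == is_pdf,
        "active_content": sorted(k.decode() for k in PDF_ACTIVE_KEYWORDS if k in body),
    }


def suppress_line(sid: int, src_ip: str, gen_id: int = 1) -> str:
    """Format a Snort 2.x threshold.conf suppress entry for one benign source.
    gen_id 1 (ordinary text rules) is an assumption; check your rule's gid."""
    return f"suppress gen_id {gen_id}, sig_id {sid}, track by_src, ip {src_ip}"


if __name__ == "__main__":
    for label, data in (("posted", hex_rows_to_bytes(POSTED_HEX_ROWS)),
                        ("constructed", CONSTRUCTED_JS_PDF)):
        print(label, triage_pdf_response(data))
    print(suppress_line(100000101, "130.216.11.1"))
```

Two caveats a practitioner would want. The dump is a single 1500-byte packet, so the body check only sees the first 20 bytes of an 11035-byte file; a real verdict needs the reassembled stream, and the 18 0 obj FlateDecode stream further down the post is compressed, so keyword scanning on raw bytes misses anything inside it. And since the poster sees hits from many reputable sites, a per-source suppress is only a stopgap for your own known-good servers; the durable fix is a rule-level threshold or a review of what the rule's content match actually keys on.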
