Fast-Flux Proxy Samples
In our fast-flux case study, this is the exchange in which the fast-flux agent fetches its configuration file from the remote web server: the agent sends GET /settings/weby/settings.ini twice (User-Agent MSIE 7.0, Cache-Control: no-cache; the Host header is masked below), and the server answers 200 OK from Apache/2.0.54 (Fedora). Although the response is labelled text/plain; charset=UTF-8, the body is not readable INI text. It is a consistent 197-byte binary/encoded configuration (Content-Length is 197, the size field c5 in the Apache ETag is 197 in hex, and the dump carries the complete body from offset 0x1fe through 0x2c2) in which only the CRLF line breaks appear in the clear. We are still attempting to complete reverse engineering of this session:
00000000  4745 5420 2f73 6574 7469 6e67 732f 7765  GET /settings/we
00000010  6279 2f73 6574 7469 6e67 732e 696e 6920  by/settings.ini 
00000020  4854 5450 2f31 2e31 0d0a 5573 6572 2d41  HTTP/1.1..User-A
00000030  6765 6e74 3a20 4d53 4945 2037 2e30 0d0a  gent: MSIE 7.0..
00000040  486f 7374 3a20 xxxx xxxx xxxx xxxx 2e69  Host: xxxxxxxx.i
00000050  636f 6e6e 6563 7479 6f75 2e62 697a 0d0a  connectyou.biz..
00000060  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control: n
00000070  6f2d 6361 6368 650d 0a0d 0a47 4554 202f  o-cache....GET /
00000080  7365 7474 696e 6773 2f77 6562 792f 7365  settings/weby/se
00000090  7474 696e 6773 2e69 6e69 2048 5454 502f  ttings.ini HTTP/
000000a0  312e 310d 0a55 7365 722d 4167 656e 743a  1.1..User-Agent:
000000b0  204d 5349 4520 372e 300d 0a48 6f73 743a   MSIE 7.0..Host:
000000c0  20xx xxxx xxxx xxxx xx2e 6963 6f6e 6e65   xxxxxxxx.iconne
000000d0  6374 796f 752e 6269 7a0d 0a43 6163 6865  ctyou.biz..Cache
000000e0  2d43 6f6e 7472 6f6c 3a20 6e6f 2d63 6163  -Control: no-cac
000000f0  6865 0d0a 0d0a 4854 5450 2f31 2e31 2032  he....HTTP/1.1 2
00000100  3030 204f 4b0d 0a44 6174 653a 2054 7565  00 OK..Date: Tue
00000110  2c20 3033 2041 7072 2032 3030 3720 3037  , 03 Apr 2007 07
00000120  3a35 353a 3430 2047 4d54 0d0a 5365 7276  :55:40 GMT..Serv
00000130  6572 3a20 4170 6163 6865 2f32 2e30 2e35  er: Apache/2.0.5
00000140  3420 2846 6564 6f72 6129 0d0a 4c61 7374  4 (Fedora)..Last
00000150  2d4d 6f64 6966 6965 643a 204d 6f6e 2c20  -Modified: Mon, 
00000160  3032 2041 7072 2032 3030 3720 3233 3a33  02 Apr 2007 23:3
00000170  373a 3336 2047 4d54 0d0a 4554 6167 3a20  7:36 GMT..ETag: 
00000180  2238 3030 3761 2d63 352d 6234 6263 3730  "8007a-c5-b4bc70
00000190  3030 220d 0a41 6363 6570 742d 5261 6e67  00"..Accept-Rang
000001a0  6573 3a20 6279 7465 730d 0a43 6f6e 7465  es: bytes..Conte
000001b0  6e74 2d4c 656e 6774 683a 2031 3937 0d0a  nt-Length: 197..
000001c0  436f 6e6e 6563 7469 6f6e 3a20 636c 6f73  Connection: clos
000001d0  650d 0a43 6f6e 7465 6e74 2d54 7970 653a  e..Content-Type:
000001e0  2074 6578 742f 706c 6169 6e3b 2063 6861   text/plain; cha
000001f0  7273 6574 3d55 5446 2d38 0d0a 0d0a b2b4  rset=UTF-8......
00000200  0d0a 0d0a 8d8d 869a 958d 8595 819d 9d99  ................
00000210  d3c6 c6df dcc7 d8d8 d8c7 d8de dfc7 d8de  ................
00000220  ddc6 9e8c 8b90 c699 859c 8e80 87b6 8d8d  ................
00000230  869a c78d 8585 0d0a 0d0a 8d8d 869a 959d  ................
00000240  8a99 9588 848c 9b80 8a88 878d 9f8d c79d  ................
00000250  9f95 d1d9 95d8 d9d9 d9d9 0d0a 8d8d 869a  ................
00000260  959c 8d99 9588 848c 9b80 8a88 878d 9f8d  ................
00000270  c79d 9f95 d1d9 95d8 d9d9 d9d9 0d0a 8d8d  ................
00000280  869a 959d 9b86 8585 9588 848c 9b80 8a88  ................
00000290  878d 9f8d c79d 9f95 d1d9 95d8 d9d9 d9d9  ................
000002a0  0d0a 8d8d 869a 9581 9d9d 9995 8884 8c9b  ................
000002b0  808a 8887 8d9f 8dc7 9d9f 95d1 d995 d8d9  ................
000002c0  d9d9 d9                                  ...
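The body above is exactly the kind of sample on which a single-byte XOR check should be tried before anything heavier: the bytes cluster in 0x80-0xdf, the CRLF separators are in the clear, and the repeated 5-byte prefix at the start of every line suggests a fixed-key transform of line-oriented text. The following is an added example, written for this page and not part of the Honeynet case study; it transcribes the 197 body bytes from the dump rows 0x1f0 (last two bytes) through 0x2c0, shows that a printability filter alone leaves several candidate keys, and then selects the key by crib-dragging the string weby, which is borrowed from the request path /settings/weby/settings.ini and is an assumption about the plaintext. The pass-through of CR/LF in the decoder mirrors the observation that 0d0a appears unencoded in the dump. Under the recovered key the body reads as an INI-style file: an empty [] header followed by pipe-delimited records (a ddos tag, a protocol, a target host, a port and a number) and a URL to a plugin_ddos.dll under the same weby/ path. What the agent actually does with these records is not established by the dump.

```python
"""Single-byte XOR key recovery for the settings.ini body in the dump above."""

# Body bytes transcribed from the dump (offsets 0x1fe through 0x2c2, 197 bytes).
BODY_HEX = (
    "b2b4"                              # 0x1fe-0x1ff: first two body bytes
    "0d0a0d0a8d8d869a958d8595819d9d99"  # 0x200
    "d3c6c6dfdcc7d8d8d8c7d8dedfc7d8de"  # 0x210
    "ddc69e8c8b90c699859c8e8087b68d8d"  # 0x220
    "869ac78d85850d0a0d0a8d8d869a959d"  # 0x230
    "8a999588848c9b808a88878d9f8dc79d"  # 0x240
    "9f95d1d995d8d9d9d9d90d0a8d8d869a"  # 0x250
    "959c8d999588848c9b808a88878d9f8d"  # 0x260
    "c79d9f95d1d995d8d9d9d9d90d0a8d8d"  # 0x270
    "869a959d9b8685859588848c9b808a88"  # 0x280
    "878d9f8dc79d9f95d1d995d8d9d9d9d9"  # 0x290
    "0d0a8d8d869a95819d9d999588848c9b"  # 0x2a0
    "808a88878d9f8dc79d9f95d1d995d8d9"  # 0x2b0
    "d9d9d9"                            # 0x2c0
)
BODY = bytes.fromhex(BODY_HEX)

# CR and LF appear unencoded at the line boundaries of the sample, so the
# encoder evidently left them alone; the decoder does the same.
LINE_BREAK = (0x0D, 0x0A)


def candidate_keys(body):
    """Keys under which every byte other than CR/LF decodes to printable ASCII.

    Because the body bytes all lie in 0x80-0xdf, a whole range of keys passes
    this filter; printability narrows the search but does not decide it.
    """
    return [
        k for k in range(256)
        if all(0x20 <= (b ^ k) <= 0x7E for b in body if b not in LINE_BREAK)
    ]


def crib_keys(body, crib):
    """Crib-drag: keys for which `crib` appears at some offset of the decoded body."""
    keys = set()
    for i in range(len(body) - len(crib) + 1):
        k = body[i] ^ crib[0]
        if all((body[i + j] ^ k) == crib[j] for j in range(len(crib))):
            keys.add(k)
    return sorted(keys)


def xor_decode(body, key):
    """XOR every byte with `key`, passing CR/LF through untouched."""
    return bytes(b if b in LINE_BREAK else b ^ key for b in body)


def recover_key(body, crib=b"weby"):
    """Intersect the printability filter with the crib hits and require one key.

    The default crib is an assumption taken from the request path
    /settings/weby/settings.ini, on the guess that the same directory name
    appears inside the configuration.
    """
    hits = [k for k in candidate_keys(body) if k in set(crib_keys(body, crib))]
    if len(hits) != 1:
        raise ValueError("expected exactly one key, got %s" % [hex(k) for k in hits])
    return hits[0]


def decode_lines(body, key):
    """Decode the body and split it on CRLF into configuration lines."""
    return xor_decode(body, key).decode("ascii").split("\r\n")


def parse_records(lines):
    """Return only the pipe-delimited records, split into fields."""
    return [line.split("|") for line in lines if "|" in line]


if __name__ == "__main__":
    key = recover_key(BODY)
    print("%d keys pass the printability filter; crib selects 0x%02x"
          % (len(candidate_keys(BODY)), key))
    for line in decode_lines(BODY, key):
        print(repr(line))
```

Run stand-alone, the script prints the recovered key and the decoded lines. The point of keeping `candidate_keys` and `crib_keys` separate is methodological: the first is a generic filter that is cheap to run on any short blob, the second encodes a hypothesis about the plaintext, and the decode should only be trusted when the two agree on a single key and the result is structurally coherent (here, every record has the same field layout and the URL path matches the one the agent requested).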