Wireshark-users: [Wireshark-users] Novice question about automated exploit tool packet-capture wi
From: William Long <wakeboarder72@xxxxxxxxxxx>
Date: Sun, 1 Feb 2009 15:11:58 -0500
I'm trying to review a .pcap of about 900 packets related to a school assignment in which the "suspect" machine probed and attempted to gain access to the "target". I see many packets in which the suspect tried to GET several files, all of which have the same name but different file extensions. The target machine responded with "404 Not Found" messages. Later, the suspect tried to PUT and POST and HEAD files, also to no avail. Can anyone tell me whether or not these packets are part of an automated exploit being conducted by the "suspect"? Thanks; a sample of some of the packets is shown below:
 
GET /IG0PMUq2YRoM.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.100
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
 
HTTP/1.1 404 Not Found
Date: Wed, 05 Sep 2007 19:19:51 GMT
Server: Apache/1.3.34 (Debian)
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
 
119
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /IG0PMUq2YRoM.html was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.34 Server at 192.168.1.100 Port 80</ADDRESS>
</BODY></HTML>

0
 
GET /IG0PMUq2YRoM.cgi HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.100
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
 
HTTP/1.1 404 Not Found
Date: Wed, 05 Sep 2007 19:19:51 GMT
Server: Apache/1.3.34 (Debian)
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
 
118
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /IG0PMUq2YRoM.cgi was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.34 Server at 192.168.1.100 Port 80</ADDRESS>
</BODY></HTML>

0
 
GET /IG0PMUq2YRoM.sh HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.100
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8


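The quoted traffic carries several indicators that an analyst would check when deciding whether a capture shows an automated scanner rather than a person with a browser: a User-Agent that names a scanner (the post's requests say "Nessus"), the same path stem requested with a run of different extensions, an overwhelming share of 404 responses, and write-style methods such as PUT. The script below is an added example, not code from the post or from Wireshark or Nessus; it parses a text dump in the same request/response layout as the one quoted above and reports those indicators. The dump it runs on is a constructed, abridged version of the quoted exchanges (the 200 response to /index.html is invented benign traffic so something is left unflagged), and the list of scanner marker strings other than "nessus" is an assumption about what well-known tools put in their User-Agent.

```python
"""Triage a plain-text HTTP capture dump for automated-scanner indicators."""
import re
from collections import defaultdict

# Constructed sample modelled on the exchanges quoted in the post.  Headers are
# abridged; chunk sizes in the one chunked body are not checked by the parser.
SAMPLE_DUMP = """\
GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64)

HTTP/1.1 200 OK
Server: Apache/1.3.34 (Debian)

GET /IG0PMUq2YRoM.html HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)

HTTP/1.1 404 Not Found
Transfer-Encoding: chunked

119
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD></HTML>

0

GET /IG0PMUq2YRoM.cgi HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)

HTTP/1.1 404 Not Found

GET /IG0PMUq2YRoM.sh HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)

HTTP/1.1 404 Not Found

PUT /IG0PMUq2YRoM.sh HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)

HTTP/1.1 404 Not Found

HEAD /IG0PMUq2YRoM.pl HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)

HTTP/1.1 404 Not Found
"""

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

# Assumed substrings that well-known scanners place in their User-Agent.
SCANNER_MARKERS = ("nessus", "nikto", "nmap", "openvas")
WRITE_METHODS = {"PUT", "DELETE"}


def parse_exchanges(dump):
    """Pair each request line with the next status line in the dump.

    Blocks are separated by blank lines.  Chunk-size lines and HTML bodies
    start with neither a request line nor a status line and are skipped.
    """
    exchanges, pending = [], None
    for block in re.split(r"\n\s*\n", dump.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        req = REQUEST_LINE.match(lines[0])
        if req:
            headers = {}
            for line in lines[1:]:
                name, sep, value = line.partition(":")
                if sep:
                    headers[name.strip().lower()] = value.strip()
            pending = {"method": req.group(1), "path": req.group(2),
                       "user_agent": headers.get("user-agent", ""),
                       "status": None}
            exchanges.append(pending)
            continue
        resp = STATUS_LINE.match(lines[0])
        if resp and pending is not None:
            pending["status"] = int(resp.group(1))
            pending = None  # one response per request
    return exchanges


def analyse(exchanges, stem_threshold=3, not_found_threshold=0.8):
    """Summarise the scanner indicators present in a list of exchanges."""
    scanner_uas = sorted({e["user_agent"] for e in exchanges
                          if any(m in e["user_agent"].lower()
                                 for m in SCANNER_MARKERS)})
    # Same stem requested with several extensions: file-existence probing.
    by_stem = defaultdict(set)
    for e in exchanges:
        stem, dot, ext = e["path"].split("?", 1)[0].rpartition(".")
        if dot and "/" not in ext:
            by_stem[stem].add(ext)
    probed = {stem: sorted(exts) for stem, exts in by_stem.items()
              if len(exts) >= stem_threshold}
    answered = [e for e in exchanges if e["status"] is not None]
    ratio = (sum(e["status"] == 404 for e in answered) / len(answered)
             if answered else 0.0)
    return {
        "scanner_user_agents": scanner_uas,
        "probed_stems": probed,
        "not_found_ratio": ratio,
        "high_not_found_rate": ratio >= not_found_threshold,
        "write_methods": sorted({e["method"] for e in exchanges} & WRITE_METHODS),
    }


def is_likely_automated(report):
    """A scanner User-Agent alone is conclusive; otherwise need two weaker signs."""
    if report["scanner_user_agents"]:
        return True
    weaker = (bool(report["probed_stems"]), report["high_not_found_rate"],
              bool(report["write_methods"]))
    return sum(weaker) >= 2


if __name__ == "__main__":
    rep = analyse(parse_exchanges(SAMPLE_DUMP))
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("likely automated:", is_likely_automated(rep))
```

On the constructed dump the report lists the Nessus User-Agent, the stem /IG0PMUq2YRoM with four extensions, a 404 rate of five in six, and PUT as a write method. The parser accepts the same layout as the post's quoted text (status line, headers, blank line, chunk size, body, "0"), so the output of "Follow TCP Stream" saved as plain text can be fed to it directly; the thresholds are starting points, not calibrated values.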