Yes, I'm sending you the attack log attached.

Thanks
Emilio



2009/10/1 Christian Seifert <christian.seif...@gmail.com>

> did an attack occur?
> do you see any entries in the 6xxx log file?
>
>
> On Oct 1, 2009, at 8:37 AM, Emilio Casbas <ecas...@gmail.com> wrote:
>
> Hi guys,
>
> I'm playing with a malicious URL and Capture-HPC is behaving strangely.
>
> This output log came from this URL and is being categorized correctly as
> "Malicious":
>
> --------------------------------------------------------------
> [oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS
> Received msg from client: <visit-event identifier="605259057" program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk" type="finish" malicious="1"><item url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" processId="1800" program="iexplorebulk" major-error-code="0" minor-error-code="0" time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>
> [oct 1, 2009 5:00:55 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS
>     UrlSetState: VISITED
> --------------------------------------------------------------
>
> A log file was successfully created with the URL name, showing several OS
> changes. But the strange thing is that, at least, the URL is categorized in
> the safe.log file instead of malicious.log:
>
> $more safe.log
> "01/10/2009 08:27:38:982","benign","605259057","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35
>
> $more progress.log
> "01/10/2009 08:26:59.935","visiting","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"
> "01/10/2009 08:27:38.982","visited","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"
>
> and nothing on malicious.log.
>
> Exclusion lists are the default.
> Ubuntu 9.04
> Capture-server-2.5.1-389-withLinuxRevert.
>
>
> TIA
> Emilio
>
> _______________________________________________
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>

Attachment: http%3A%2F%2Fefatwkaeni.com%2Fld%2Fment%2F_01102009_082659.log
Description: Binary data

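An added consistency check for the discrepancy Emilio describes (example code written for this thread, not part of Capture-HPC): it parses visit-event messages of the shape shown in the server console output and the rows of safe.log/malicious.log, normalises the percent-encoded and defanged URL forms so they compare equal, and reports every URL whose console verdict disagrees with the file it ended up in. The sample log texts are constructed from the shapes in the thread, and the function names are my own.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed samples, modelled on the messages quoted in the thread:
# the server console verdict (malicious="1") and a safe.log row that
# nevertheless labels the same URL "benign", with malicious.log empty.
SERVER_LOG = ('Received msg from client: <visit-event identifier="605259057" '
              'program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk" '
              'type="finish" malicious="1"><item url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" '
              'processId="1800" program="iexplorebulk" major-error-code="0" '
              'minor-error-code="0" time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>')
SAFE_LOG = ('"01/10/2009 08:27:38:982","benign","605259057",'
            '"hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"\n')
MALICIOUS_LOG = ""

def normalize_url(url):
    """Decode percent-encoding and drop the (possibly defanged) scheme so the
    visit-event form and the CSV form of one URL compare equal."""
    u = unquote(url).strip().lower()
    u = re.sub(r"^(hxxps?|https?)://", "", u)
    return u.rstrip("/")

def parse_visit_events(text):
    """Map each URL in a 'finish' <visit-event> to its malicious flag (True/False)."""
    verdicts = {}
    for m in re.finditer(r"<visit-event.*?</visit-event>", text, re.S):
        ev = ET.fromstring(m.group(0))
        if ev.get("type") != "finish":
            continue
        for item in ev.findall("item"):
            verdicts[normalize_url(item.get("url"))] = ev.get("malicious") == "1"
    return verdicts

def parse_classification_log(text):
    """Map URL -> label from safe.log / malicious.log rows (time, label, group, url, ...)."""
    rows = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 4:
            rows[normalize_url(row[3])] = row[1]
    return rows

def find_mismatches(server_log, safe_log, malicious_log):
    """Return (url, console_verdict, problem) for every verdict/log-file disagreement."""
    verdicts = parse_visit_events(server_log)
    safe = parse_classification_log(safe_log)
    mal = parse_classification_log(malicious_log)
    problems = []
    for url, is_malicious in verdicts.items():
        if is_malicious and url not in mal:
            problems.append((url, "MALICIOUS", "missing from malicious.log"))
        if is_malicious and url in safe:
            problems.append((url, "MALICIOUS", "logged as %s in safe.log" % safe[url]))
        if not is_malicious and url in mal:
            problems.append((url, "BENIGN", "logged as %s in malicious.log" % mal[url]))
    return problems
```

Running `find_mismatches(SERVER_LOG, SAFE_LOG, MALICIOUS_LOG)` on the constructed samples reports the URL both as missing from malicious.log and as logged "benign" in safe.log, which is exactly the inconsistency in the report.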
