[Emerging-Sigs] kazakaza.php trojan communications

evilghost@packetmail.net
Fri Oct 1 15:28:48 EDT 2010


On 10/01/2010 02:12 PM, John Dyson wrote:
> Part of the packet is:
> 
> 2010-10-01 12:50:41.543280 IP x.x.x.x.36425 > 193.41.38.122.80: P
> 1:576(575) ack 1 win 65535
>         0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02  .f..E..g.j@.~...
>         0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12  .8.H.)&z.I.P/...
>         0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354  ..FcP...?...POST
>         0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048  ./kazakaza.php.H
>         0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:

John, thanks for sharing.  Is there any way we could see more of the
packet; perhaps set snaplen to 0 or 1500?  I'd like to see all of the
HTTP header.

-evilghost
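To show what the quoted dump does and does not contain, and why a larger snaplen is being asked for, here is an added example that is not part of the thread: a small Python script that rebuilds the bytes from the five tcpdump -X lines above, walks the IPv4 and TCP headers to find the HTTP payload, compares the captured payload with the length the IP header declares, and flags a request for /kazakaza.php. The constant `LINK_PREFIX = 4` is an assumption (the 0x45 IPv4 version byte sits four bytes into the dump); the path list `SUSPICIOUS_PATHS` contains only the path named in the post. All function names are mine.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed input: the five tcpdump -X lines quoted in the post.  The list
# archive renders the "@" in the ASCII column as " at "; it is restored here,
# but the parser ignores that column anyway.
HEXDUMP = """\
        0x0000:  0066 0800 4500 0267 a46a 4000 7e06 1c02  .f..E..g.j@.~...
        0x0010:  8f38 c348 c129 267a 8e49 0050 2fb8 ea12  .8.H.)&z.I.P/...
        0x0020:  19e1 4663 5018 ffff 3fd2 0000 504f 5354  ..FcP...?...POST
        0x0030:  202f 6b61 7a61 6b61 7a61 2e70 6870 2048  ./kazakaza.php.H
        0x0040:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:
"""

# Assumption: the IPv4 header (0x45 ...) starts 4 bytes into the dump, so
# whatever link-layer prefix tcpdump printed is 4 bytes long here.
LINK_PREFIX = 4

# Request paths worth flagging; the only one on this page is kazakaza.php.
SUSPICIOUS_PATHS = {"/kazakaza.php"}


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from tcpdump -X output.

    Each line looks like '0xNNNN:  hhhh hhhh ...  ascii'.  Hex groups are
    separated by one space and the ASCII column by two, and tcpdump never
    prints a space inside the ASCII column (non-graphic bytes become '.'),
    so splitting on two spaces isolates the hex cleanly.
    """
    data = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        fields = line.split(":", 1)[1].split("  ")
        if len(fields) < 2:
            continue
        data += bytes.fromhex(fields[1])   # fromhex skips the inner spaces
    return bytes(data)


@dataclass
class TcpSegment:
    ip_total_len: int   # IP header field: IP hdr + TCP hdr + payload
    ip_hdr_len: int
    tcp_hdr_len: int
    payload_len: int    # payload length the IP header promises
    payload: bytes      # the part of it actually present in the capture

    @property
    def truncated_bytes(self) -> int:
        """How much of the payload the snaplen cut off."""
        return self.payload_len - len(self.payload)


def parse_segment(raw: bytes, link_prefix: int = LINK_PREFIX) -> TcpSegment:
    """Locate the TCP payload using the IPv4 IHL and TCP data-offset fields."""
    ip = raw[link_prefix:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("no IPv4 header at the assumed offset")
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")
    if ip[9] != 6:
        raise ValueError("IP protocol is not TCP")
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("TCP header itself was truncated")
    thl = (tcp[12] >> 4) * 4
    payload_len = total_len - ihl - thl
    payload = tcp[thl:thl + payload_len]
    return TcpSegment(total_len, ihl, thl, payload_len, bytes(payload))


def request_line(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, path, version) if a complete request line was captured."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) != 3:
        return None
    return tuple(p.decode("ascii", "replace") for p in parts)


def headers_complete(payload: bytes) -> bool:
    """True once the blank line that ends the HTTP header block is present."""
    return b"\r\n\r\n" in payload


def analyse(text: str) -> dict:
    seg = parse_segment(parse_hexdump(text))
    rl = request_line(seg.payload)
    return {
        "request_line": rl,
        "suspicious_path": bool(rl) and rl[1] in SUSPICIOUS_PATHS,
        "headers_complete": headers_complete(seg.payload),
        "captured_payload": len(seg.payload),
        "declared_payload": seg.payload_len,
        "truncated_bytes": seg.truncated_bytes,
    }


if __name__ == "__main__":
    for key, value in analyse(HEXDUMP).items():
        print(f"{key:>18}: {value}")
```

Run stand-alone, the script reports the request line POST /kazakaza.php HTTP/1.1, a declared payload of 575 bytes against 36 captured, and no end-of-headers marker: the default snaplen kept only the request line and the start of the Accept header, which is exactly the gap a recapture with snaplen 0 or 1500 would close.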
