Analysis of a trojan: can anyone give me a hint?

08/12/2004 - 01:15 by Clavo Oxidado
Hi, I'm passing on a little question that one of our technicians put to me:


Hello everyone,
lately I've been receiving a lot of reports from our customers with this kind of alert (NOD32 report pasted below), I need information:
(careful: anyone who is not well protected should not run the links)

en PCCARLOS: http://www.010402.com//inst//main.chm > CHM > /main.htm infectado con VBS/TrojanDownloader.Psyme.NAF Troyano.
07/12/04 18:39:09 p.m. - IMON - Proteccion de Internet - Alerta de virus
en PCCARLOS: http://010402.com/java0/classload.jar infectado con varias infecciones.





Before running the links directly in my browser to investigate a little, I ran the Ethereal analyzer and obtained the attached file:

195.225.177.26 HTTP GET /inst/main.chm HTTP/1.1

Look at the GET instruction and the main.chm file. What follows is the typical SYN/ACK sequence and, if you analyze it in depth (which I don't know how to do), you can see some interesting or suspicious set of HTTP instructions (do you understand HTTP?).


Can anyone explain a bit more to me, give me some hints, how these attacks work at a somewhat more technical level (or at whatever level; information is always welcome)?

Many thanks and regards. (Now I'm pasting the Ethereal analyzer report:)


No. Time Source Destination Protocol
Info
5 11.878170 192.168.80.2 195.225.177.26 TCP
3051 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460

Frame 5 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol
Info
6 12.050349 195.225.177.26 192.168.80.2 TCP
http > 3051 [SYN, ACK] Seq=0 Ack=1 Win=57344 Len=0 MSS=1460

Frame 6 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol
Info
7 12.050508 192.168.80.2 195.225.177.26 TCP
3051 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0

Frame 7 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol
Info
8 12.078697 192.168.80.2 195.225.177.26 HTTP GET
/inst/main.chm HTTP/1.1

Frame 8 (266 bytes on wire, 266 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 1, Ack: 1, Len: 212
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
9 12.291398 195.225.177.26 192.168.80.2 HTTP
HTTP/1.1 200 OK (text/plain)

Frame 9 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 1, Ack: 213, Len: 1460
Hypertext Transfer Protocol
Line-based text data: text/plain

No. Time Source Destination Protocol
Info
10 12.319446 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 10 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 1461, Ack: 213, Len: 1460
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
11 12.319601 192.168.80.2 195.225.177.26 TCP
3051 > http [ACK] Seq=213 Ack=2921 Win=65535 Len=0

Frame 11 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 213, Ack: 2921, Len: 0

No. Time Source Destination Protocol
Info
12 12.519099 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 12 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 2921, Ack: 213, Len: 1460
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
13 12.519281 192.168.80.2 195.225.177.26 TCP
3051 > http [ACK] Seq=213 Ack=4381 Win=65535 Len=0

Frame 13 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 213, Ack: 4381, Len: 0

No. Time Source Destination Protocol
Info
14 12.546683 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 14 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 4381, Ack: 213, Len: 1460
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
15 12.573119 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 15 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 5841, Ack: 213, Len: 1460
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
16 12.573268 192.168.80.2 195.225.177.26 TCP
3051 > http [ACK] Seq=213 Ack=7301 Win=65535 Len=0

Frame 16 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 213, Ack: 7301, Len: 0

No. Time Source Destination Protocol
Info
17 12.714817 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 17 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 7301, Ack: 213, Len: 1460
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
18 12.715020 192.168.80.2 195.225.177.26 TCP
3051 > http [ACK] Seq=213 Ack=8761 Win=65535 Len=0

Frame 18 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 213, Ack: 8761, Len: 0

No. Time Source Destination Protocol
Info
19 12.741945 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 19 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 8761, Ack: 213, Len: 1460
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
20 12.770256 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 20 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 10221, Ack: 213, Len: 1460
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
21 12.770418 192.168.80.2 195.225.177.26 TCP
3051 > http [ACK] Seq=213 Ack=11681 Win=65535 Len=0

Frame 21 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 213, Ack: 11681, Len: 0

No. Time Source Destination Protocol
Info
22 12.790823 195.225.177.26 192.168.80.2 HTTP
Continuation

Frame 22 (1104 bytes on wire, 1104 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 11681, Ack: 213, Len: 1050
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
23 12.791041 192.168.80.2 195.225.177.26 TCP
3051 > http [ACK] Seq=213 Ack=12732 Win=64485 Len=0

Frame 23 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 213, Ack: 12732, Len: 0

No. Time Source Destination Protocol
Info
24 12.819013 192.168.80.2 80.35.132.39 TCP
3052 > 2222 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460

Frame 24 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
80.35.132.39 (80.35.132.39)
Transmission Control Protocol, Src Port: 3052 (3052), Dst Port: 2222 (2222),
Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol
Info
25 15.771561 192.168.80.2 80.35.132.39 TCP
3052 > 2222 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460

Frame 25 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
80.35.132.39 (80.35.132.39)
Transmission Control Protocol, Src Port: 3052 (3052), Dst Port: 2222 (2222),
Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol
Info
26 16.608575 192.168.80.2 195.225.177.26 TCP
3051 > http [FIN, ACK] Seq=213 Ack=12732 Win=64485 Len=0

Frame 26 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
195.225.177.26 (195.225.177.26)
Transmission Control Protocol, Src Port: 3051 (3051), Dst Port: http (80),
Seq: 213, Ack: 12732, Len: 0

No. Time Source Destination Protocol
Info
27 16.777331 195.225.177.26 192.168.80.2 TCP
http > 3051 [ACK] Seq=12732 Ack=214 Win=58400 Len=0

Frame 27 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 195.225.177.26 (195.225.177.26), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3051 (3051),
Seq: 12732, Ack: 214, Len: 0

No. Time Source Destination Protocol
Info
28 16.904216 192.168.80.2 216.239.59.99 TCP
3053 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460

Frame 28 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
216.239.59.99 (216.239.59.99)
Transmission Control Protocol, Src Port: 3053 (3053), Dst Port: http (80),
Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol
Info
29 17.030090 216.239.59.99 192.168.80.2 TCP
http > 3053 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1460

Frame 29 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 216.239.59.99 (216.239.59.99), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3053 (3053),
Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol
Info
30 17.030258 192.168.80.2 216.239.59.99 TCP
3053 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0

Frame 30 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
216.239.59.99 (216.239.59.99)
Transmission Control Protocol, Src Port: 3053 (3053), Dst Port: http (80),
Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol
Info
31 17.031685 192.168.80.2 216.239.59.99 HTTP GET
/search?client=navclient-auto&chi5674915&freshness_checkBRX1KgzyC-UuWhQ-iQH7&iqrn=XdsC&orig=0J&ie=UTF-8&oe=UTF-8&features=Rank&q=info:http%3A%2F%2Fwww%2E010402%2Ecom%2Finst%2Fmain%2Echm
HTTP/1.1

Frame 31 (492 bytes on wire, 492 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
216.239.59.99 (216.239.59.99)
Transmission Control Protocol, Src Port: 3053 (3053), Dst Port: http (80),
Seq: 1, Ack: 1, Len: 438
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
32 17.230892 216.239.59.99 192.168.80.2 HTTP
HTTP/1.1 200 OK (text/html)

Frame 32 (223 bytes on wire, 223 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 216.239.59.99 (216.239.59.99), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3053 (3053),
Seq: 1, Ack: 439, Len: 169
Hypertext Transfer Protocol
Line-based text data: text/html

No. Time Source Destination Protocol
Info
33 17.232730 216.239.59.99 192.168.80.2 HTTP
Continuation

Frame 33 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:a0:c5:73:9a:af, Dst: 00:06:5b:ba:ab:af
Internet Protocol, Src Addr: 216.239.59.99 (216.239.59.99), Dst Addr:
192.168.80.2 (192.168.80.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 3053 (3053),
Seq: 170, Ack: 439, Len: 5
Hypertext Transfer Protocol

No. Time Source Destination Protocol
Info
34 17.232876 192.168.80.2 216.239.59.99 TCP
3053 > http [ACK] Seq=439 Ack=175 Win=65361 Len=0

Frame 34 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
216.239.59.99 (216.239.59.99)
Transmission Control Protocol, Src Port: 3053 (3053), Dst Port: http (80),
Seq: 439, Ack: 175, Len: 0

No. Time Source Destination Protocol
Info
35 21.790758 192.168.80.2 80.35.132.39 TCP
3052 > 2222 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460

Frame 35 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:06:5b:ba:ab:af, Dst: 00:a0:c5:73:9a:af
Internet Protocol, Src Addr: 192.168.80.2 (192.168.80.2), Dst Addr:
80.35.132.39 (80.35.132.39)
Transmission Control Protocol, Src Port: 3052 (3052), Dst Port: 2222 (2222),
Seq: 0, Ack: 0, Len: 0
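One way to triage a capture like this from the defender's side, as an added example that is not part of the original thread: a small Python script that reads the one-line packet summaries of the Ethereal text export and flags the three things a responder would want to see here: the fetch of a .chm over HTTP, a .chm answered as text/plain, and the fresh connection to port 2222 that never completes its handshake right after the download. The sample rows are constructed from the frames above (with the mangled Seq/Ack/Win fields repaired); the extension list, the 60-second window and the port list are my assumptions, not anything the thread states.

```python
"""Triage of an Ethereal/Wireshark text export of the kind pasted above.

Defender-side heuristics over the one-line packet summaries:
  1. a browser GET for a file type that carries code (.chm, .jar, .exe ...),
  2. a .chm answered with a text/* Content-Type (type mismatch),
  3. a connection to an unusual port shortly after such a download whose
     handshake never completes (repeated SYNs, no SYN/ACK).
"""
import re

# Constructed sample: rows in "No. Time Source Destination Protocol Info" form,
# taken from the frames in the thread with the quoted-printable damage repaired.
# Not a complete copy of the capture.
SAMPLE = """\
5 11.878170 192.168.80.2 195.225.177.26 TCP 3051 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
6 12.050349 195.225.177.26 192.168.80.2 TCP http > 3051 [SYN, ACK] Seq=0 Ack=1 Win=57344 Len=0 MSS=1460
8 12.078697 192.168.80.2 195.225.177.26 HTTP GET /inst/main.chm HTTP/1.1
9 12.291398 195.225.177.26 192.168.80.2 HTTP HTTP/1.1 200 OK (text/plain)
10 12.319446 195.225.177.26 192.168.80.2 HTTP Continuation
24 12.819013 192.168.80.2 80.35.132.39 TCP 3052 > 2222 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
25 15.771561 192.168.80.2 80.35.132.39 TCP 3052 > 2222 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
28 16.904216 192.168.80.2 216.239.59.99 TCP 3053 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
29 17.030090 216.239.59.99 192.168.80.2 TCP http > 3053 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1460
31 17.031685 192.168.80.2 216.239.59.99 HTTP GET /search?client=navclient-auto&features=Rank HTTP/1.1
32 17.230892 216.239.59.99 192.168.80.2 HTTP HTTP/1.1 200 OK (text/html)
35 21.790758 192.168.80.2 80.35.132.39 TCP 3052 > 2222 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
"""

ROW_RE = re.compile(r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
                    r"(?P<proto>\S+)\s+(?P<info>.*)$")
TCP_RE = re.compile(r"^(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\]")
GET_RE = re.compile(r"^GET (?P<path>\S+) HTTP/")
RESP_RE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3}) .*?\((?P<mime>[^)]+)\)")

# Assumptions of this example, not anything the thread states.
RISKY_EXT = (".chm", ".jar", ".exe", ".scr", ".pif")
WEB_PORTS = {"http", "80", "https", "443"}
CALLBACK_WINDOW = 60.0   # seconds after a risky download during which new flows are watched


def parse_rows(text):
    """Return the summary rows as dicts; detail lines (Frame/Ethernet/...) do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["no"], row["time"] = int(row["no"]), float(row["time"])
            rows.append(row)
    return rows


def triage(text):
    """Run the three heuristics over the rows and return the findings, oldest first."""
    findings = []
    flows = {}        # (client, server, sport, dport) -> SYN count, SYN/ACK seen, first time
    pending = {}      # (server, client) -> path of a risky GET still waiting for its response
    download_times = []
    for r in parse_rows(text):
        if r["proto"] == "TCP":
            t = TCP_RE.match(r["info"])
            if not t:
                continue
            flags = {f.strip() for f in t["flags"].split(",")}
            if flags == {"SYN"}:
                key = (r["src"], r["dst"], t["sport"], t["dport"])
                flow = flows.setdefault(key, {"syn": 0, "synack": False, "first": r["time"]})
                flow["syn"] += 1
            elif flags == {"SYN", "ACK"}:
                key = (r["dst"], r["src"], t["dport"], t["sport"])
                if key in flows:
                    flows[key]["synack"] = True
        elif r["proto"] == "HTTP":
            g = GET_RE.match(r["info"])
            if g:
                path = g["path"].split("?", 1)[0]
                if path.lower().endswith(RISKY_EXT):
                    findings.append(f"frame {r['no']}: {r['src']} fetched {path} from {r['dst']}")
                    pending[(r["dst"], r["src"])] = path
                    download_times.append(r["time"])
                continue
            resp = RESP_RE.match(r["info"])
            if resp and (r["src"], r["dst"]) in pending:
                path = pending.pop((r["src"], r["dst"]))
                if path.lower().endswith(".chm") and resp["mime"].startswith("text/"):
                    findings.append(f"frame {r['no']}: {path} served as {resp['mime']} (type mismatch)")
    # Heuristic 3: unusual-port flows opened shortly after a risky download that never
    # got a SYN/ACK; the host is retrying something the downloaded content pointed it at.
    for (client, server, _sport, dport), flow in flows.items():
        if dport in WEB_PORTS or flow["synack"] or flow["syn"] < 2:
            continue
        delays = [flow["first"] - t for t in download_times if 0 <= flow["first"] - t <= CALLBACK_WINDOW]
        if delays:
            findings.append(f"{client} -> {server}:{dport}: {flow['syn']} unanswered SYNs, "
                            f"first one {min(delays):.1f}s after the download")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The Google request on port 80 in the sample is left alone by all three rules, which is the point: only the flows that match the page's own pattern are reported.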

#1 Enrique Dutra
08/12/2004 - 14:31
Here's some info on the trojan...

Troj/Psyme-AE is a JavaScript downloader Trojan which exploits the ADODB
stream and CODEBASE vulnerabilities associated with Microsoft Internet
Explorer to silently download a file from a remote server to the local
computer and run it.

Troj/Psyme-AE attempts to download an executable file from the same location
as its own script to C:\Program Files\Internet Explorer\.exe where is a
random character string consisting of 1-8 random characters (typically 8
characters) within the range a-z. It then tries to execute the downloaded
file via the CODEBASE exploit.

Troj/Psyme-AE can arrive on the computer by browsing websites whose HTML
pages contain the script or by loading an HTML page that contains a SRC= link
to an infected page. For example an HTML page may contain:

SRC='http:/psyme.com/index.chm::/Index.html

where index.chm is a compiled HTML help file containing Index.html and
Index.html is an HTML file containing the Troj/Psyme-AE script.

How to remove it: http://www.sophos.com/support/disin...rojan.html



Regards



Enrique G. Dutra





#2 Clavo Oxidado
08/12/2004 - 20:22
Thanks Enrique,
now I know a little more...

regards.

"Enrique Dutra" wrote in message
news:%
Here is some info on the trojan...

Troj/Psyme-AE is a JavaScript downloader Trojan which exploits the ADODB
stream and CODEBASE vulnerabilities associated with Microsoft Internet
Explorer to silently download a file from a remote server to the local
computer and run it.

Troj/Psyme-AE attempts to download an executable file from the same
location as its own script to C:\Program Files\Internet Explorer\<random>.exe,
where <random> is a random character string consisting of 1-8 random characters
(typically 8 characters) within the range a-z. It then tries to execute
the downloaded file via the CODEBASE exploit.

Troj/Psyme-AE can arrive on the computer by browsing websites whose HTML
pages contain the script or by loading an HTML page that contains a SRC=
link to an infected page. For example, an HTML page may contain:

SRC='http:/psyme.com/index.chm::/Index.html

where index.chm is a compiled HTML help file containing Index.html and
Index.html is a HTML file containing the Troj/Psyme-AE script.

How to remove it: http://www.sophos.com/support/disin...rojan.html



Regards



Enrique G. Dutra








