| | IP Address | Port | Hostname |
|---|---|---|---|
| Source | 208.76.112.38 (United States) | http (80) | http://www.montgomerycountymd.gov |
| Destination | (local) | 64860 | |
Info: From Wireshark (Analyze > Follow > TCP Stream):
- GET /COUNCIL/Resources/Files/zta/2016/ZTA%2016-11.pdf HTTP/1.1
- Accept: text/html, application/xhtml+xml, */*
- Referer: http://www.montgomerycountymd.gov/council/leg/zta/index.html
- Accept-Language: en-US
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- Accept-Encoding: gzip, deflate
- DNT: 1
- Host: www.montgomerycountymd.gov
- Cookie: _ga=GA1.2.72833851.1459860287; __utma=54704695.72833851.1459860287.1472146499.1472214826.68; __utmz=54704695.1470940322.59.7.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); fsr.r=%7B%22d%22%3A60%2C%22i%22%3A%22d13c751-131478546-c884-ca38-520d0%22%2C%22e%22%3A1471975284198%7D; _gat=1; _gat_clientTracker=1; fsr.s=%7B%22v1%22%3A-1%2C%22v2%22%3A-2%2C%22cp%22%3A%7B%22cxreplayaws%22%3A%22true%22%7D%2C%22rid%22%3A%22d13c751-131538676-8664-64f7-b2d80%22%2C%22to%22%3A4.6%2C%22c%22%3A%22http%3A%2F%2Fwww.montgomerycountymd.gov%2Fcouncil%2Fleg%2Fzta%2Findex.html%22%2C%22pv%22%3A7%2C%22lc%22%3A%7B%22d1%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%2C%22d0%22%3A%7B%22v%22%3A5%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22v%22%3A-1%2C%22f%22%3A1472214982877%7D; __utmb=54704695.5.10.1472214826; __utmc=54704695; __utmt=1; __atuvc=17%7C10%2C13%7C11%2C3%7C12%2C18%7C13%2C4%7C14; __atssc=google%3B10
- Connection: keep-alive
- Via: 1.1 HANK
- HTTP/1.1 200 OK
- Content-Type: application/pdf
- Last-Modified: Wed, 03 Aug 2016 18:02:44 GMT
- Accept-Ranges: bytes
- ETag: "03ae03bb1edd11:0"
- Server: Microsoft-IIS/7.5
- X-Powered-By: ASP.NET
- Date: Fri, 26 Aug 2016 12:36:23 GMT
- Content-Length: 317645
- %PDF-1.5
- %....
- 1 0 obj
- <</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 69 0 R/MarkInfo<</Marked true>>>>
- endobj
- 2 0 obj
- <</Type/Pages/Count 24/Kids[ 3 0 R 18 0 R 24 0 R 26 0 R 28 0 R 30 0 R 32 0 R 34 0 R 36 0 R 38 0 R 40 0 R 42 0 R 44 0 R 46 0 R 48 0 R 50 0 R 52 0 R 54 0 R 56 0 R 58 0 R 60 0 R 62 0 R 64 0 R 66 0 R] >>
much more.....
- \Q.4Hu.N .n
- .h
- .P%.....P........N.0.%MQp/9.*AC........".6..K.a.P.#.[...S.ZO2..I.H.mLUc.....g.........Z;+..Q*..b.....~W.G.*/.!....O.~y..................v..+.K.RP."z..|.pY.RDx..f8....\.Iprp* ...0...b:....Dx.....=6 ...s....~.V.\g....-.+5....lQ.
- D.|:&.%..3.d...[O....:Z]z.....IO3.0a..~..rt......,R.#.V.g(.T.Za......AzJf.Y.....Y..".D.=IVI.......<l?..j......p.$SFd..j.|8g...y?
Description:
- http://telussecuritylabs.com/threats/show/TSL20101006-06
- http://www.zerodayinitiative.com/advisories/ZDI-10-192/
- http://seclists.org/fulldisclosure/2010/Oct/59
False Positive:
- YES
- Followed the TCP stream from the full pcap.
- Searching through that output, there is a coincidental instance of the characters mluc.
- This does not appear as part of any markup, and even if it did, its presence alone would not guarantee that an exploit is in play.
- To get this document:
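The check behind the false-positive call above (is a `mluc` hit just a coincidental byte sequence, or a real ICC multiLocalizedUnicodeType tag inside an ICC profile?) as an added Python triage script. This is not part of the original analysis or of the referenced advisories; it builds its own constructed sample PDF fragment rather than using the real file: one uncompressed stream whose binary payload happens to contain the bytes `mluc`, and one FlateDecode ICCBased stream holding a constructed ICC profile with a genuine mluc tag. The ICC layout it checks (file signature `acsp` at header bytes 36..39; mluc = signature, four reserved zero bytes, record count, record size 12, then 12-byte records) follows the ICC profile specification. The stream parser is deliberately naive (flat stream dictionaries only), and all function and variable names are my own.

```python
import re
import struct
import zlib

# Added triage helper (not from the original analysis). Given PDF bytes, it
# decodes FlateDecode streams and reports every "mluc" occurrence, classifying
# each as a structurally valid ICC multiLocalizedUnicodeType tag or as a
# coincidental byte match. Stream parsing is naive (flat dictionaries only);
# use a real PDF parser for production work.

ICC_HEADER_LEN = 128  # ICC.1 header size; the 'acsp' signature sits at bytes 36..39


def iter_streams(pdf: bytes):
    """Yield (stream_dict, raw_body) for each `<<...>> stream ... endstream` pair."""
    pattern = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
    for m in pattern.finditer(pdf):
        yield m.group(1), m.group(2)


def decode_stream(stream_dict: bytes, body: bytes) -> bytes:
    """Inflate a FlateDecode stream; fall back to the raw bytes if it will not inflate."""
    if b"/FlateDecode" in stream_dict:
        try:
            return zlib.decompress(body)
        except zlib.error:
            return body  # truncated or corrupt stream: scan what we have
    return body


def looks_like_icc_profile(data: bytes) -> bool:
    """True if the data carries the ICC profile file signature at the spec offset."""
    return len(data) >= ICC_HEADER_LEN and data[36:40] == b"acsp"


def parse_mluc(data: bytes, off: int):
    """Parse an mluc tag at `off`: 'mluc', 4 reserved zero bytes, record count,
    record size (always 12), then 12-byte records. Returns None if malformed."""
    if data[off:off + 4] != b"mluc" or len(data) < off + 16:
        return None
    reserved, n_records, record_size = struct.unpack(">III", data[off + 4:off + 16])
    if reserved != 0 or record_size != 12:
        return None
    if len(data) < off + 16 + n_records * 12:
        return None
    records = []
    for i in range(n_records):
        rec = data[off + 16 + i * 12:off + 28 + i * 12]
        lang, country, length, rec_off = struct.unpack(">2s2sII", rec)
        records.append((lang.decode("ascii", "replace"),
                        country.decode("ascii", "replace"), length, rec_off))
    return {"records": records}


def raw_pattern_hits(pdf: bytes):
    """Offsets where a plain byte-pattern signature would fire on the undecoded file."""
    return [m.start() for m in re.finditer(b"mluc", pdf)]


def triage(pdf: bytes):
    """Classify each 'mluc' found in decoded stream bodies."""
    findings = []
    for idx, (stream_dict, body) in enumerate(iter_streams(pdf)):
        decoded = decode_stream(stream_dict, body)
        is_icc = looks_like_icc_profile(decoded)
        for m in re.finditer(b"mluc", decoded):
            findings.append({
                "stream": idx,
                "offset": m.start(),
                "in_icc_profile": is_icc,
                "valid_mluc": parse_mluc(decoded, m.start()) is not None,
            })
    return findings


def build_sample_icc_profile() -> bytes:
    """Constructed minimal ICC profile: header + one 'desc' tag of type mluc."""
    text = "sample".encode("utf-16-be")
    mluc = b"mluc" + struct.pack(">III", 0, 1, 12)              # sig, reserved, 1 record, size 12
    mluc += b"enUS" + struct.pack(">II", len(text), 28) + text  # record: lang, country, len, offset
    tag_table = struct.pack(">I", 1) + b"desc" + struct.pack(">II", ICC_HEADER_LEN + 16, len(mluc))
    header = bytearray(ICC_HEADER_LEN)
    header[36:40] = b"acsp"
    header[0:4] = struct.pack(">I", ICC_HEADER_LEN + len(tag_table) + len(mluc))
    return bytes(header) + tag_table + mluc


def build_sample_pdf() -> bytes:
    """Constructed PDF fragment (not the real file): one plain stream whose binary
    payload happens to contain "mluc", and one FlateDecode ICCBased stream."""
    coincidental = b"\x10\x8dmluc\x02\xff\xa9junkbytes"
    compressed = zlib.compress(build_sample_icc_profile())
    return (
        b"%PDF-1.5\n"
        b"4 0 obj\n<</Length " + str(len(coincidental)).encode() + b">>\nstream\n"
        + coincidental + b"\nendstream\nendobj\n"
        b"5 0 obj\n<</N 3 /Alternate /DeviceRGB /Filter /FlateDecode /Length "
        + str(len(compressed)).encode() + b">>\nstream\n"
        + compressed + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw byte hits (what a wire signature sees):", raw_pattern_hits(sample))
    for finding in triage(sample):
        print(finding)
```

On the constructed sample the raw scan fires only on the uncompressed junk bytes, while the genuine mluc tag is invisible to it because it sits inside a compressed stream; after inflating, `triage` flags the junk hit as not inside an ICC profile and not a valid tag, and the real one as both. Run it against a file dumped from the pcap (Wireshark's Follow TCP Stream, save raw) to get the same classification for a live alert.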
Action:
- None
Comments: