
[Snort-users] Adobe's Ducky

From: Adam Shephard <sfnative33(at)yahoo.com>
Date: Thu Mar 27 2003 - 08:36:48 EST


Hi all,

I'm seeing a number of alerts tagged as "SHELLCODE x86 inc ebx NOOP". Although they are all from and to different IPs, all of them include "Ducky" and "Adobe" in them.

In googling for Adobe, Ducky & shellcode, I found a Sourceforge post from last year identifying that signature as being hooked to JFIF files. Don't know if that's accurate or not.

I suppose I could just create an AG and send all the Ducky stuff there, then ignore that AG. Is there something more, um, intelligent I should be doing?

Thanks,

Adam




Received on Thu Mar 27 09:01:46 2003
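
One way to triage these alerts, as an added example that is not part of the original post or of Snort: check whether each run of 0x43 bytes (ASCII "C", the x86 `inc ebx` opcode) falls inside a header segment of a JPEG that also carries the "Ducky" and "Adobe" application segments. The 24-byte run threshold, the function names and both sample payloads are assumptions constructed for illustration.

```python
import re
import struct

# 0x43 is ASCII 'C' and the x86 opcode for "inc ebx". The 24-byte minimum
# run length is an assumption for this example, not taken from the post.
RUN = re.compile(rb"\x43{24,}")
SOI = b"\xff\xd8"                            # JPEG start-of-image marker
APP_TAGS = {0xEC: b"Ducky", 0xEE: b"Adobe"}  # APP12 / APP14 identifiers

def jpeg_segments(data, soi):
    """Yield (marker, body_offset, body) for each segment after SOI, through SOS."""
    pos = soi + 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:      # malformed length field: stop parsing
            return
        yield marker, pos + 4, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            return
        pos += 2 + length

def triage(payload):
    """Report whether every 0x43 run sits inside a segment of a tagged JPEG."""
    runs = [m.span() for m in RUN.finditer(payload)]
    tags, located = set(), {}
    soi = payload.find(SOI)
    if soi != -1:
        for marker, off, body in jpeg_segments(payload, soi):
            tag = APP_TAGS.get(marker)
            if tag and body.startswith(tag):
                tags.add(tag.decode())
            for start, end in runs:
                if off <= start and end <= off + len(body):
                    located[start] = "0x%02X" % marker
    if not runs:
        verdict = "no-run"
    elif tags and len(located) == len(runs):
        verdict = "jpeg-header"   # run explained by image structure
    else:
        verdict = "review"        # run outside any parsed JPEG segment
    return {"verdict": verdict, "tags": sorted(tags), "runs": located}

def seg(marker, body):
    """Build one JPEG marker segment (helper for the constructed sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed samples: a JPEG-like header with a 0x43 run in its DQT segment,
# and a payload with the same run but no JPEG structure around it.
SAMPLE_JPEG = (SOI + seg(0xEC, b"Ducky\x00\x01\x00\x04\x00\x00\x00\x3c")
               + seg(0xEE, b"Adobe\x00\x64\x00\x00\x00\x00\x01")
               + seg(0xDB, b"\x00" + b"\x43" * 64))
SAMPLE_OTHER = b"\x00" * 8 + b"\x43" * 40
```

A "review" verdict only means the run was not found inside a parsed header segment; runs in scan data after the SOS marker, or in packets that begin mid-file, also land there.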

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:50:26 EDT

