Looks like an exploit attempt for the PCT SSL vulnerability. http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx -Shawn ----- Shawn R. Quillman Robert Bosch Corporation RBNA/CSA1 38000 Hills Tech Drive Farmington Hills, MI 48331 (248) 553-1164 (P) (248) 848-6969 (F) shawn.quillman@xxxxxxxxxxxx -----Original Message----- From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Monday, July 19, 2004 5:05 PM To: [ISAserver.org Discussion List] Subject: [isalist] OT a little bit http://www.ISAserver.org Has anyone seen this before. No virrii or trojans found on the affected network. ************************************************************************ *********************************** A user, apparently from your network, initiated a network connection to a target computer that we manage. We consider the network traffic inappropriate or hostile. The following data describes the network traffic in question. Times are in UTC. [ 2] Jul-19-2004 12:54:29 2004 UTC 207.228.141.50:2100 -> 172.15.23.10:443 TCP 326 bytes data 0000 80 62 01 02 bd 00 01 00 01 00 16 8f 82 01 00 00 b.............. 0010 00 eb 0f 54 48 43 4f 57 4e 5a 49 49 53 21 32 5e ..THCOWNZIIS!2^ 0020 be 98 eb 25 23 28 45 49 25 53 02 06 6c 59 6c 59 ..%#(EI%S..lYlY 0030 f8 1d 9c de 8c d1 4c 70 d4 03 58 46 57 53 32 5f .....Lp..XFWS2_ 0040 33 32 2e 44 4c 4c 01 eb 05 e8 f9 ff ff ff 5d 83 32.DLL........]. 0050 ed 2c 6a 30 59 64 8b 01 8b 40 0c 8b 70 1c ad 8b ,j0Yd...@..p... 0060 78 08 8d 5f 3c 8b 1b 01 fb 8b 5b 78 01 fb 8b 4b x.._<.....[x...K 0070 1c 01 f9 8b 53 24 01 fa 53 51 52 8b 5b 20 01 fb ....S$..SQR.[