From: Michael Ward (Mwardroseglen.com)
Date: Wed Dec 12 2001 - 09:22:13 CST


    Tim,

    There are several well known exploits aimed at port 111. Take a look
    and see if any of these fit your scenario.

    CA-2001-05, Exploitation of snmpXdmid
    IN-2001-01, Widespread Compromises via "ramen" Toolkit
    IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
    CA-2000-17, Input Validation Problem in rpc.statd
    CA-1999-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
    CA-1999-12, Buffer overflow in amd
    CA-1999-08, Buffer overflow in rpc.cmsd
    CA-1999-05, Vulnerability in statd exposes vulnerability in automountd
    CA-1998-12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
    CA-1998-11, Vulnerability in ToolTalk RPC service
    CA-2001-11, sadmind/IIS Worm

    More info can be found here.
    http://www.cert.org/current/current_activity.html#ssh

    -Mike

    -----Original Message-----
    From: Tim Brown [mailto:tim.brownncmail.net]
    Sent: Tuesday, December 11, 2001 4:21 PM
    To: INCIDENTSsecurityfocus.com
    Subject: Re: Port 111 Traffic

    To clarify, the zeros in the destination address are actually there.
    Only the first two octets of the source have been changed to nnn.nnn.

    Tim Brown wrote:

    > This information was generated by snoop on Solaris. Any ideas? See
    > bottom of message for a single verbose packet capture.
    > nnn.nnn = the not so innocent IP.
    >
    > nnn.nnn.213.13 -> 0.47.0.205 TCP D=111 S=33399 Syn Seq=2559250306 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.204 TCP D=111 S=33398 Syn Seq=2559160482 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.37 TCP D=111 S=59773 Rst Seq=2178778586 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.207 TCP D=111 S=33401 Syn Seq=2559361718 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.208 TCP D=111 S=33402 Syn Seq=2559390097 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.209 TCP D=111 S=33403 Syn Seq=2559476442 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.38 TCP D=111 S=59774 Rst Seq=2178892699 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.42 TCP D=111 S=59778 Rst Seq=2179194372 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.215 TCP D=111 S=33409 Syn Seq=2559700481 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.214 TCP D=111 S=33408 Syn Seq=2559656916 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.43 TCP D=111 S=59779 Rst Seq=2179223246 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.216 TCP D=111 S=33410 Syn Seq=2559772250 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.44 TCP D=111 S=59780 Rst Seq=2179342238 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.218 TCP D=111 S=33412 Syn Seq=2559854823 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.45 TCP D=111 S=59781 Rst Seq=2179387236 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.46 TCP D=111 S=59782 Rst Seq=2179459169 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.219 TCP D=111 S=33413 Syn Seq=2559861661 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.48 TCP D=111 S=59784 Rst Seq=2179596754 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.221 TCP D=111 S=33415 Syn Seq=2559922066 Len=0 Win=8760
    > nnn.nnn.213.11 -> 0.181.0.50 TCP D=111 S=59786 Rst Seq=2179755204 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.226 TCP D=111 S=33420 Syn Seq=2560346165 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.227 TCP D=111 S=33421 Syn Seq=2560403095 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.235 TCP D=111 S=33429 Syn Seq=2561000060 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.233 TCP D=111 S=33427 Syn Seq=2560897528 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.237 TCP D=111 S=33431 Syn Seq=2561153509 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.238 TCP D=111 S=33432 Syn Seq=2561195283 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.240 TCP D=111 S=33434 Syn Seq=2561332283 Len=0 Win=8760
    > nnn.nnn.213.13 -> 0.47.0.242 TCP D=111 S=33436 Syn Seq=2561468508 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.55 TCP D=111 S=56202 Rst Seq=240026718 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.57 TCP D=111 S=56204 Rst Seq=240210073 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.58 TCP D=111 S=56205 Rst Seq=240300794 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.59 TCP D=111 S=56206 Rst Seq=240409147 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.60 TCP D=111 S=56207 Rst Seq=240429542 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.61 TCP D=111 S=56208 Rst Seq=240433968 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.62 TCP D=111 S=56209 Rst Seq=240477791 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.65 TCP D=111 S=56212 Rst Seq=240763588 Len=0 Win=8760
    > nnn.nnn.213.32 -> 0.123.0.72 TCP D=111 S=56219 Rst Seq=241169371 Len=0 Win=8760
    >
    > Verbose Output of one packet:
    >
    > ETHER: ----- Ether Header -----
    > ETHER:
    > ETHER: Packet 6 arrived at 14:48:18.30
    > ETHER: Packet size = 60 bytes
    > ETHER: Destination = 0:10:7:dc:38:60,
    > ETHER: Source = 0:e0:3n:nn:nn:nn,
    > ETHER: Ethertype = 0800 (IP)
    > ETHER:
    > IP: ----- IP Header -----
    > IP:
    > IP: Version = 4
    > IP: Header length = 20 bytes
    > IP: Type of service = 0x00
    > IP: xxx. .... = 0 (precedence)
    > IP: ...0 .... = normal delay
    > IP: .... 0... = normal throughput
    > IP: .... .0.. = normal reliability
    > IP: Total length = 40 bytes
    > IP: Identification = 7932
    > IP: Flags = 0x4
    > IP: .1.. .... = do not fragment
    > IP: ..0. .... = last fragment
    > IP: Fragment offset = 0 bytes
    > IP: Time to live = 251 seconds/hops
    > IP: Protocol = 6 (TCP)
    > IP: Header checksum = f5c2
    > IP: Source address = nnn.nnn.213.11, nnn.nnn.213.11
    > IP: Destination address = 0.57.0.36, 0.57.0.36
    > IP: No options
    > IP:
    > TCP: ----- TCP Header -----
    > TCP:
    > TCP: Source port = 33596
    > TCP: Destination port = 111
    > TCP: Sequence number = 3073870737
    > TCP: Acknowledgement number = 0
    > TCP: Data offset = 20 bytes
    > TCP: Flags = 0x04
    > TCP: ..0. .... = No urgent pointer
    > TCP: ...0 .... = No acknowledgement
    > TCP: .... 0... = No push
    > TCP: .... .1.. = Reset
    > TCP: .... ..0. = No Syn
    > TCP: .... ...0 = No Fin
    > TCP: Window = 8760
    > TCP: Checksum = 0x5c23
    > TCP: Urgent pointer = 0
    > TCP: No options
    > TCP:

    -- 
    Tim
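
A small triage script for snoop summary lines of the kind quoted above, added here as an example for this archive page and not code from either poster: it parses each record, groups probes to port 111 by source, separates SYN sweeps from RST-only probes, and counts destinations inside 0.0.0.0/8 (the zero octets Tim confirmed are really there), which no legitimate host can own. The sample records are constructed with RFC 5737 documentation addresses and only mimic the shape of the capture in the thread.

```python
import re

# One snoop(1M) TCP summary line: src -> dst TCP D=dport S=sport [flags] [Ack=n] Seq=n Len=n Win=n
SNOOP_TCP = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) TCP D=(?P<dport>\d+) S=(?P<sport>\d+)"
    r"(?P<flags>(?: (?:Syn|Fin|Rst|Push|Urg))*)(?: Ack=(?P<ack>\d+))?"
    r" Seq=(?P<seq>\d+) Len=(?P<len>\d+) Win=(?P<win>\d+)\s*$")

def parse_snoop_tcp(line):
    """Return a dict for one snoop TCP summary line, or None if the line is not one."""
    m = SNOOP_TCP.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(rec["flags"].split())
    for k in ("dport", "sport", "ack", "seq", "len", "win"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def summarize_port_scans(lines, port=111, min_targets=3):
    """Group packets by source; report sources touching >= min_targets distinct hosts on `port`."""
    per_src = {}
    for line in lines:
        rec = parse_snoop_tcp(line)
        if rec is None or rec["dport"] != port:
            continue
        s = per_src.setdefault(rec["src"], {"syn": 0, "rst": 0, "bogon": 0, "targets": set()})
        s["targets"].add(rec["dst"])
        s["syn"] += "Syn" in rec["flags"]
        s["rst"] += "Rst" in rec["flags"]
        # 0.0.0.0/8 is "this network" (RFC 1122): no real host answers there
        s["bogon"] += rec["dst"].startswith("0.")
    findings = []
    for src, s in sorted(per_src.items()):
        if len(s["targets"]) >= min_targets:
            kind = "SYN sweep" if s["syn"] >= s["rst"] else "RST-only probes"
            findings.append({"src": src, "kind": kind, "targets": len(s["targets"]),
                             "syn": s["syn"], "rst": s["rst"], "bogon_dst": s["bogon"]})
    return findings

# Constructed sample (RFC 5737 addresses) shaped like the capture quoted in the thread.
SAMPLE = """\
192.0.2.13 -> 0.47.0.205 TCP D=111 S=33399 Syn Seq=2559250306 Len=0 Win=8760
192.0.2.13 -> 0.47.0.204 TCP D=111 S=33398 Syn Seq=2559160482 Len=0 Win=8760
192.0.2.13 -> 0.47.0.207 TCP D=111 S=33401 Syn Seq=2559361718 Len=0 Win=8760
192.0.2.11 -> 0.181.0.37 TCP D=111 S=59773 Rst Seq=2178778586 Len=0 Win=8760
192.0.2.11 -> 0.181.0.38 TCP D=111 S=59774 Rst Seq=2178892699 Len=0 Win=8760
192.0.2.11 -> 0.181.0.42 TCP D=111 S=59778 Rst Seq=2179194372 Len=0 Win=8760
203.0.113.9 -> 198.51.100.7 TCP D=40002 S=111 Syn Ack=3 Seq=500 Len=0 Win=24820
""".splitlines()
```

Run `summarize_port_scans(SAMPLE)` to get one finding per probing source; a non-zero `bogon_dst` count means the packets can never complete a handshake and are worth investigating as spoofed or misconfigured scanner output rather than as real connection attempts.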

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com