Security Incidents mailing list archives
Re: Which exploit-tool is this?
From: Jan Muenther <jan () RADIO HUNDERT6 DE>
Date: Tue, 19 Dec 2000 18:50:06 +0000
Hi Johan,
Some lamer in Canada has tried to run an exploit against rpc.statd on a huge number of our computers. Can anyone help me find out exactly which tool he/she has used? For some reason I don't have any TCPDUMP logs. Is there any nice website that lists exploits and what kind of data they send or do I have to read the source for every exploit ever posted at Securityfocus?
Maybe you want to set up a little IDS like snort and check arachNIDS from time to time. Just a suggestion, though. Oh, and while we're on this list: These things are actually listed quite nicely on SecurityFocus, I think.
2000-12-19 02:24:16 24.112.71.38 111 -> 130.241.xxx.xxx 111 - SCAN-SYN FIN 2000-12-19 02:24:17 24.112.71.38 780 -> 130.241.xxx.xxx 111 - Portmap listing 111 2000-12-19 02:24:18 24.112.71.38 780 -> 130.241.xxx.xxx 111 - Portmap listing 111
I bet this is synscan again. Firstly it's syn-fin, second the source and destination ports are identical. I bet the packets all had an ID of 39426 and window size of 0x404. There's a lot of these scans recently, mostly for port 21 (wuftpd is what they're looking for, I assume). ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 *yawn* Yes, rpc.statd. Just check any exploit resource, packetstorm, whatever. Bye, Jan -- Radio HUNDERT,6 Medien GmbH Berlin - EDV - j.muenther () radio hundert6 de
Current thread:
- Which exploit-tool is this? Johan.Augustsson (Dec 19)
- Re: Which exploit-tool is this? Jan Muenther (Dec 19)
- <Possible follow-ups>
- Re: Which exploit-tool is this? Baudendistel Matt Contractor USTC (Dec 19)