Security Incidents mailing list archives
DNS Probe and (?) Exploit Attempt
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 6 Mar 2001 13:01:59 -0800
Last night, a skr1pt k1dd13 scan walked across a number of subnets. Some packets did end up getting to real DNS servers but passed by some IDSes in the process. The signature is,

[**] MISC-DNS-version-query [**]
03/06-02:49:10.482114 202.39.75.10:1690 -> AAA.BBB.CCC.DDD:53
UDP TTL:47 TOS:0x0 ID:13811 IpLen:20 DgmLen:58
Len: 38
34 EC 00 00 00 01 00 00 00 00 00 00 07 76 65 72  4............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS277 - NAMED Iquery Probe [**]
03/06-02:49:11.043605 202.39.75.10:1690 -> AAA.BBB.CCC.DDD:53
UDP TTL:47 TOS:0x0 ID:13826 IpLen:20 DgmLen:493
Len: 473
34 EC 09 80 00 00 00 01 00 00 00 00 3E 41 41 41  4...........>AAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 3E 42 42 42 42  AAAAAAAAAAA>BBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 3E 43 43 43 43 43  BBBBBBBBBB>CCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 3E 00 01 02 03 04 05  CCCCCCCCC>......
06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
36 37 38 39 3A 3B 3C 3D 3E 45 45 45 45 45 45 45  6789:;<=>EEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 3E 46 46 46 46 46 46 46 46  EEEEEEE>FFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 3D 47 47 47 47 47 47 47 47 47  FFFFFF=GGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 00 00 01 00 01 00 00 00 01 00 FF 40  GGGG...........@
66                                               f

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The first one is obvious. But after combing kiddie sites all morning, I have not been able to match that second inverse-query to a known tool or exploit method. Anyone recognize that signature and what BIND (I assume) bug it is going after? Before anyone points to IDS277 at whitehats.com, that does not look like the signature of the tool cited in the notes for the rule.

Thanks for any help.

-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                 Globalstar, L.P.
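As an added example that is not part of the original post: a small Python decoder for the two payloads in the alerts above, flagging the properties a defender would key on (the CHAOS-class version.bind TXT query, and an inverse query whose owner name and RDLENGTH are larger than the message can legitimately hold). The byte strings are constructed here from the hex dumps; build_iquery_probe(), parse_name() and audit() are names chosen for this example.

```python
import struct
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
# Constructed test inputs: VERSION_QUERY is the 30-byte payload of the first alert, copied from its
# hex dump; build_iquery_probe() rebuilds the 465-byte payload of the second alert from the dump's
# structure (six 62-byte labels, one 61-byte label, then the fixed 13-byte tail shown in the dump).
VERSION_QUERY = bytes.fromhex("34EC00000001000000000000" "0776657273696F6E" "0462696E64" "00" "0010" "0003")

def build_iquery_probe() -> bytes:
    hdr = bytes.fromhex("34EC09800000000100000000")  # ID 0x34EC, flags 0x0980 (opcode 1), ANCOUNT 1
    fills = (b"A" * 62, b"B" * 62, b"C" * 62, bytes(range(62)), b"E" * 62, b"F" * 62)
    name = b"".join(bytes([62]) + f for f in fills) + bytes([61]) + b"G" * 61 + b"\x00"
    tail = bytes.fromhex("0001" "0001" "00000001" "00FF" "4066")  # A, IN, TTL 1, RDLENGTH 255, 2 bytes RDATA
    return hdr + name + tail

def parse_name(buf: bytes, off: int):
    """Return (labels, offset past the terminator); compression pointers are not expected in these probes."""
    labels = []
    while off < len(buf) and buf[off] != 0:
        if (n := buf[off]) & 0xC0 or off + 1 + n > len(buf):
            raise ValueError("bad label")
        labels.append(buf[off + 1:off + 1 + n])
        off += 1 + n
    if off >= len(buf):
        raise ValueError("truncated name")
    return labels, off + 1

def audit(buf: bytes) -> list:
    """Parse one DNS message and return the reasons it looks like a probe (empty list if none)."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    opcode = OPCODES.get((flags >> 11) & 0xF, "reserved")
    reasons, off = [], 12
    if opcode == "IQUERY":
        reasons.append("opcode IQUERY: inverse queries are obsolete and should not arrive from the Internet")
    for _ in range(qd):
        labels, off = parse_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if [l.lower() for l in labels] == [b"version", b"bind"] and (qtype, qclass) == (16, 3):
            reasons.append("version.bind CHAOS TXT query: server version fingerprinting")
    for _ in range(an):
        start = off
        _labels, off = parse_name(buf, off)
        if off - start > 255:
            reasons.append(f"owner name is {off - start} bytes on the wire; RFC 1035 caps names at 255")
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rdlen > len(buf) - off:
            reasons.append(f"RDLENGTH {rdlen} exceeds the {len(buf) - off} bytes actually present")
        off += rdlen
    return reasons
```

Run audit() over the UDP payload of any port-53 packet the IDS captured; the second alert yields three findings, the first yields one.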