Security Incidents mailing list archives

DNS Probe and (?) Exploit Attempt


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 6 Mar 2001 13:01:59 -0800

Last night, a skr1pt k1dd13 scan walked across a number of subnets.
Some packets did end up getting to real DNS servers but passed by
some IDSes in the process. The signature is,

  [**] MISC-DNS-version-query [**]
  03/06-02:49:10.482114 202.39.75.10:1690 -> AAA.BBB.CCC.DDD:53
  UDP TTL:47 TOS:0x0 ID:13811 IpLen:20 DgmLen:58
  Len: 38
  34 EC 00 00 00 01 00 00 00 00 00 00 07 76 65 72  4............ver
  73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

  [**] IDS277 - NAMED Iquery Probe [**]
  03/06-02:49:11.043605 202.39.75.10:1690 -> AAA.BBB.CCC.DDD:53
  UDP TTL:47 TOS:0x0 ID:13826 IpLen:20 DgmLen:493
  Len: 473
  34 EC 09 80 00 00 00 01 00 00 00 00 3E 41 41 41  4...........>AAA
  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41 41 41 41 3E 42 42 42 42  AAAAAAAAAAA>BBBB
  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
  42 42 42 42 42 42 42 42 42 42 3E 43 43 43 43 43  BBBBBBBBBB>CCCCC
  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
  43 43 43 43 43 43 43 43 43 3E 00 01 02 03 04 05  CCCCCCCCC>......
  06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
  16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
  26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
  36 37 38 39 3A 3B 3C 3D 3E 45 45 45 45 45 45 45  6789:;<=>EEEEEEE
  45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
  45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
  45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
  45 45 45 45 45 45 45 3E 46 46 46 46 46 46 46 46  EEEEEEE>FFFFFFFF
  46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
  46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
  46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
  46 46 46 46 46 46 3D 47 47 47 47 47 47 47 47 47  FFFFFF=GGGGGGGGG
  47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
  47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
  47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
  47 47 47 47 00 00 01 00 01 00 00 00 01 00 FF 40  GGGG...........@
  66                                               f

  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The first one is obvious. But after combing kiddie sites all morning, I
have not been able to match that second inverse query to a known tool
or exploit method. Does anyone recognize that signature and what BIND (I
assume) bug it is going after? Before anyone points to IDS277 at
whitehats.com, that does not look like the signature of the tool cited
in the notes for the rule.

Thanks for any help.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
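Added example (not part of the original post): a small DNS message decoder that shows what the two captures above contain and which properties an IDS rule like IDS277 keys on. Both messages are rebuilt here from the hex dumps in the post (UDP payload only); the label and field values are taken from those dumps, and the 255-octet name limit is the RFC 1035 bound.

```python
import struct

def label(data):
    """Encode one DNS label: a length octet followed by the bytes."""
    return bytes([len(data)]) + data

# Both messages rebuilt from the hex dumps in the post (UDP payload only).
VERSION_QUERY = (struct.pack("!6H", 0x34EC, 0x0000, 1, 0, 0, 0)
                 + label(b"version") + label(b"bind") + b"\x00"
                 + struct.pack("!HH", 16, 3))           # TXT, class CHAOS
IQUERY_PROBE = (struct.pack("!6H", 0x34EC, 0x0980, 0, 1, 0, 0)
                + label(b"A" * 62) + label(b"B" * 62) + label(b"C" * 62)
                + label(bytes(range(62))) + label(b"E" * 62)
                + label(b"F" * 62) + label(b"G" * 61) + b"\x00"
                + struct.pack("!HHIH", 1, 1, 1, 0x00FF) + b"\x40\x66")

def read_name(msg, off):
    """Walk uncompressed labels; return (wire length of name, next offset)."""
    start = off
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer not expected here")
        off += 1 + n
        if n == 0:
            return off - start, off

def inspect(msg):
    """Decode the header and answer RRs; list the properties an IDS keys on."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF            # 0 = QUERY, 1 = IQUERY
    alerts = []
    if opcode == 1:
        alerts.append("inverse query (opcode 1)")
    off = 12
    for _ in range(qd):                     # question: name + type + class
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):                     # answer RRs
        namelen, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if namelen > 255:                   # RFC 1035 caps a name at 255 octets
            alerts.append("answer name is %d octets" % namelen)
        if off + rdlen > len(msg):
            alerts.append("RDLENGTH %d exceeds %d remaining octets" % (rdlen, len(msg) - off))
        off += rdlen
    return {"id": txid, "opcode": opcode, "qdcount": qd, "ancount": an, "alerts": alerts}
```

Run against the rebuilt probe, the decoder reports an inverse query carrying a single answer whose owner name is 441 octets and whose RDLENGTH claims 255 bytes where only 2 remain; the version.bind query decodes cleanly with no alerts.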

