Full Disclosure mailing list archives
New usages of the RPC exploit (was: quit the dumd chat man!!)
From: malware () t-online de (Michael Mueller)
Date: Fri, 22 Aug 2003 02:28:27 +0200
Hi Robin, you wrote:
> We had a honey pot hit by some canny FTP kiddies using the RPC flaw to load up an FTP server that ran as a service and also then execute a predefined further attack on some specific IPs. Anyone else seen this? Very similar exploit to Nachia, "whatever it's called", worm.
Got something new here too. It used a passworded FTP account leading into the root directory of a Windows machine and tried to download a winupdate.exe there. Does not look like another worm, more like a manned attack, since the exploit did not come from the FTP server, but from some Slovakian university. It used the open port 4444 of the machine for the command connection, as the Blaster worm did. Sending the commands was tried twice, since my machine only accepts the commands but does not perform them.

My virus scanner (Kaspersky Anti-Virus) does tell me:

winupdate.exe archive: Astrum
winupdate.exe/data0001 infected: Trojan.BAT.Passer.a
winupdate.exe/data0002 infected: Worm.Win32.Randon.r
winupdate.exe/data0004 packed: UPX
winupdate.exe/data0006 infected: Worm.Win32.Randon.q
winupdate.exe/data0007 packed: UPX
winupdate.exe/data0008 packed: UPX
winupdate.exe/data0008 infected: Trojan.PSW.VB.aq
winupdate.exe/data0009 packed: UPX
winupdate.exe/data0011 packed: UPX
winupdate.exe/data0012 infected: Backdoor.IRC.Zcrew
winupdate.exe/data0013 packed: UPX
winupdate.exe/data0016 packed: UPX
winupdate.exe/data0016 infected: Trojan.Win32.Killav.aj
winupdate.exe/data0020 packed: UPX

The exploit code shows only a minor change from the Blaster worm in the RPC request:

--- exploit0186.dmp Fri Aug 22 02:24:49 2003
+++ exploit0595.dmp Fri Aug 22 02:24:30 2003
@@ -57,7 +57,7 @@
00003a0 0000 0000 0000 0000 0186 0000 0000 0000
00003b0 0186 0000 005c 005c 0046 0058 004e 0042
00003c0 0046 0058 0046 0058 004e 0042 0046 0058
-00003d0 0046 0058 0046 0058 0046 0058 139d 0100
+00003d0 0046 0058 0046 0058 0046 0058 16c6 0100
00003e0 e0cc 7ffd e0cc 7ffd 9090 9090 9090 9090
00003f0 9090 9090 9090 9090 9090 9090 9090 9090
*

Michael

-- 
Linux@TekXpress http://www-users.rwth-aachen.de/Michael.Mueller4/tekxp/tekxp.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
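Review bot: the only bytes that change in this hunk are the low word of the little-endian dword at offset 0x3dc (the 0x3d0 line, seventh word), so the request differs from the Blaster one in exactly one dword: 0x0100139d in exploit0186.dmp becomes 0x010016c6 in exploit0595.dmp. That dword sits directly after the UTF-16LE "\\FXNBFXFXNBFXFXFXFX" string (005c 005c 0046 0058 004e 0042 ...) and before the two 0x7ffde0cc words, which is the slot where the public dcom exploit and Blaster place the target-specific return address (0x0100139d is their Windows XP universal value), so this looks like a retargeted return address rather than a new technique. It would help to state which Windows version and service pack the honeypot presents, since that is what decides whether 0x010016c6 was picked for it.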
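The hexdump comparison in the post can be checked mechanically rather than by eye: the differing word sits right after the exploit's UTF-16LE "\\FXNBFXFXNBFXFXFXFX" path marker, which is where the public dcom exploit and Blaster put the target-specific return address (0x0100139d for the Windows XP universal target, 0x0018759f for Windows 2000). The Python script below is an added example, not code from the post or from the list; it assumes the dumps were produced with od -Ax -x (hex offsets, 16-bit words printed in x86 byte order), embeds the six quoted dump lines as constructed sample input, and builds the second sample from the first by swapping in the one changed word, exactly as the diff shows.

```python
# Added example: decode two `od -Ax -x` dumps of the RPC DCOM request and report
# whether they differ only in the return address that follows the exploit marker.
import re
import struct

# One od line: hex offset, then 16-bit words in host (x86, little-endian) order,
# so the printed word "005c" is the byte pair 5c 00 on the wire.
OD_LINE = re.compile(r"^([0-9a-fA-F]+)((?:\s+[0-9a-fA-F]{4})+)\s*$")

# UTF-16LE path prefix that precedes the patched return address in the public
# dcom exploit and in Blaster (005c 005c 0046 0058 004e 0042 ... in the dump).
MARKER = "\\\\FXNBFXFXNBFXFXFXFX".encode("utf-16-le")

# Return addresses the public dcom exploit / Blaster use for their two targets.
KNOWN_RET = {
    0x0100139D: "Windows XP universal (dcom exploit / Blaster)",
    0x0018759F: "Windows 2000 universal (dcom exploit / Blaster)",
}

# Constructed sample input: the six dump lines quoted in the post, per file.
DUMP_0186 = """\
00003a0 0000 0000 0000 0000 0186 0000 0000 0000
00003b0 0186 0000 005c 005c 0046 0058 004e 0042
00003c0 0046 0058 0046 0058 004e 0042 0046 0058
00003d0 0046 0058 0046 0058 0046 0058 139d 0100
00003e0 e0cc 7ffd e0cc 7ffd 9090 9090 9090 9090
00003f0 9090 9090 9090 9090 9090 9090 9090 9090
*
"""
DUMP_0595 = DUMP_0186.replace("139d 0100", "16c6 0100")


def parse_od_hex(text):
    """Rebuild the bytes described by od -Ax -x output. Words are placed by
    offset, so the '*' repeat marker and missing lines leave a zero-filled gap
    instead of shifting everything that follows."""
    buf = bytearray()
    for line in text.splitlines():
        m = OD_LINE.match(line.strip())
        if not m:
            continue
        off = int(m.group(1), 16)
        chunk = b"".join(struct.pack("<H", int(w, 16)) for w in m.group(2).split())
        if len(buf) < off + len(chunk):
            buf.extend(bytes(off + len(chunk) - len(buf)))
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)


def extract_return_address(dump):
    """Find the marker and return (offset, ret, (addr1, addr2)): the little-endian
    dword right after the marker is the overwritten return address, and the two
    dwords after it are the e0cc 7ffd pair from the dump. None if no marker."""
    i = dump.find(MARKER)
    if i < 0:
        return None
    pos = i + len(MARKER)
    ret, a1, a2 = struct.unpack_from("<III", dump, pos)
    return pos, ret, (a1, a2)


def diff_words(a, b):
    """Offsets of 16-bit words that differ, the granularity the od diff shows."""
    n = max(len(a), len(b))
    a, b = a.ljust(n, b"\0"), b.ljust(n, b"\0")
    return [off for off in range(0, n, 2) if a[off:off + 2] != b[off:off + 2]]


def compare_dumps(text_a, text_b):
    """Summarise how two captured requests differ and label the return addresses."""
    a, b = parse_od_hex(text_a), parse_od_hex(text_b)
    ra, rb = extract_return_address(a), extract_return_address(b)
    changed = diff_words(a, b)
    ret_words = {ra[0], ra[0] + 2} if ra else set()
    label = lambda r: KNOWN_RET.get(r[1], "unknown (not a dcom/Blaster value)") if r else None
    return {
        "changed_word_offsets": changed,
        "ret": (ra[1] if ra else None, rb[1] if rb else None),
        "ret_label": (label(ra), label(rb)),
        "only_return_address_differs": bool(changed) and set(changed) <= ret_words,
    }


if __name__ == "__main__":
    r = compare_dumps(DUMP_0186, DUMP_0595)
    print("changed words at:", [hex(o) for o in r["changed_word_offsets"]])
    print("return addresses:", [hex(x) for x in r["ret"]], r["ret_label"])
    print("only the return address differs:", r["only_return_address_differs"])
```

Running it on the two embedded samples reports one changed word at 0x3dc, return addresses 0x0100139d (the XP universal value) and 0x010016c6 (not in the known list), and confirms that nothing else in the captured request changed. Feeding it the full dump files instead of the six quoted lines would also catch differences outside the region the post shows.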
Current thread:
- quit the dumd chat man!! Ferris, Robin (Aug 21)
- New usages of the RPC exploit (was: quit the dumd chat man!!) Michael Mueller (Aug 21)
- <Possible follow-ups>
- RE: quit the dumd chat man!! Schmehl, Paul L (Aug 21)