Full Disclosure mailing list archives
Increase probe on UDP port 1026
From: Irwan Hadi <irwanhadi () phxby com>
Date: Mon, 1 Dec 2003 16:40:29 -0700
During the last few hours, I've seen a huge jump in traffic to UDP port 1026 (Windows Messaging). I know that the exploit for MS03-043 was released around 2 weeks ago, but that exploit as far as I know only works by using UDP port 135.

Some interesting patterns that I found in the packets that Snort captured are:

1. One attacker host only sends one packet to the target host.
2. The attackers come from all over the world (which indicates a rapid infection).
3. The packet always contains (00 00 00 00 00) for the message part.

Below is the Snort rule that I put in my IDS box:

alert udp !$USU_NET any -> any 1026 (msg:"MS03-043 PROBE??"; classtype:bad-unknown;)

And these are some of the packets that Snort captured:

[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800 len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800 len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00  ....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B  ......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00  ,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-09:28:06.146677 0:D0:4:F2:4C:A -> 0:2:B3:E7:49:84 type:0x800 len:0x3C
62.243.125.82:1194 -> 129.123.x.x:1026 UDP TTL:114 TOS:0x0 ID:6633 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 E7 49 84 00 D0 04 F2 4C 0A 08 00 45 00  ....I.....L...E.
0x0010: 00 1E 19 E9 00 00 72 11 DD 95 3E F3 7D 52 81 7B  ......r...>.}R.{
0x0020: 13 90 04 AA 04 02 00 0A A5 DD 00 00 00 00 00 00  ................
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-15:47:16.721798 0:D0:4:F2:4C:A -> 0:8:A1:21:91:D8 type:0x800 len:0x3C
140.228.112.8:1478 -> 129.123.x.x:1026 UDP TTL:118 TOS:0x0 ID:43359 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 21 91 D8 00 D0 04 F2 4C 0A 08 00 45 00  ...!......L...E.
0x0010: 00 1E A9 5F 00 00 76 11 09 69 8C E4 70 08 81 7B  ..._..v..i..p..{
0x0020: 13 9F 05 C6 04 02 00 0A 64 0B 00 00 00 00 00 00  ........d.......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-13:46:34.522088 0:D0:4:F2:4C:A -> 0:8:A1:B:6F:6A type:0x800 len:0x3C
24.157.247.137:1076 -> 129.123.x.x:1026 UDP TTL:109 TOS:0x0 ID:30415 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 0B 6F 6A 00 D0 04 F2 4C 0A 08 00 45 00  ....oj....L...E.
0x0010: 00 1E 76 CF 00 00 6D 11 31 80 18 9D F7 89 81 7B  ..v...m.1......{
0x0020: 13 DE 04 34 04 02 00 0A 52 24 00 00 00 00 00 00  ...4....R$......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Any idea?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
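The following is an added example, not part of the original post or any reply in the thread. It decodes one of the Snort hex dumps quoted above (the first frame, from 200.176.192.151) through the Ethernet, IPv4 and UDP headers so that the fields Snort printed (source port, TTL, IP ID, DgmLen, Len) can be checked against the raw bytes, and it separates the real UDP payload from the Ethernet padding that makes the frame up to 60 bytes. The function names and the "zero-payload probe" classification are this example's own construction, written to match the pattern the post describes (a single UDP datagram to port 1026 whose payload is all zeros).

```python
"""Decode a Snort-style hex dump into Ethernet/IPv4/UDP fields.

Added example for the thread above; not the poster's code. The sample input
is the first captured frame from the post, copied verbatim. The helper
names and the probe classification below are this example's own.
"""
import struct
from typing import Dict, Optional

# Frame 1 from the post (Snort's "0xNNNN: <hex bytes>  <ascii>" layout).
SNORT_DUMP_FRAME1 = """
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

_HEX2 = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex-byte column of each dump line; stop at the ASCII column.

    Assumes Snort's layout: an offset token, at most 16 two-character hex
    tokens, then an ASCII rendering that never starts with a hex pair.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()[1:]          # drop the "0xNNNN:" offset
        for tok in tokens[:16]:
            if len(tok) != 2 or not set(tok) <= _HEX2:
                break                      # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def ipv4_header_checksum_ok(hdr: bytes) -> bool:
    """One's-complement sum over the header (checksum field included) is 0xFFFF."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return the IPv4/UDP fields of an Ethernet frame, trimming link-layer padding."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet + IPv4 + UDP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError(f"not UDP: protocol {proto}")
    # Snort's DgmLen is the IP total length; anything beyond it is frame padding.
    udp = ip[ihl:total_len]
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl,
        "ip_id": ip_id,
        "ip_total_len": total_len,
        "ip_checksum_ok": ipv4_header_checksum_ok(ip[:ihl]),
        "src_port": sport,
        "dst_port": dport,
        "udp_len": udp_len,
        "payload": udp[8:udp_len],         # Snort's "Len:" is this length
        "padding": len(frame) - 14 - total_len,
    }


def matches_zero_probe(info: Dict[str, object], port: int = 1026) -> bool:
    """The pattern the post describes: UDP to port 1026 with an all-zero payload."""
    payload: bytes = info["payload"]  # type: ignore[assignment]
    return info["dst_port"] == port and len(payload) > 0 and set(payload) == {0}


def describe(dump: str) -> Optional[str]:
    """One-line summary of a dump, or None if it is not the zero-payload probe."""
    info = parse_frame(hexdump_to_bytes(dump))
    if not matches_zero_probe(info):
        return None
    return (f"{info['src_ip']}:{info['src_port']} -> :{info['dst_port']} "
            f"ttl={info['ttl']} id={info['ip_id']} payload={len(info['payload'])}B "
            f"padding={info['padding']}B")


if __name__ == "__main__":
    print(describe(SNORT_DUMP_FRAME1))
```

Running this on the first frame reproduces Snort's own summary (source port 1042, TTL 111, ID 33601, DgmLen 30, Len 2) and confirms the IP header checksum, so the decode is trustworthy. The notable point for anyone tuning the rule above is that only 2 bytes of the zeros are UDP payload (UDP length 10 minus the 8-byte header); the other zeros are Ethernet padding that brings the 44-byte frame up to the 60-byte minimum, which is why the DgmLen reads 30 while the captured frame is 0x3C long. A content-based rule should therefore match on the 2-byte payload and the destination port rather than on a longer run of zeros.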
Current thread:
- Increase probe on UDP port 1026 Irwan Hadi (Dec 01)
- Re: Increase probe on UDP port 1026 srenna (Dec 01)
- Re: Increase probe on UDP port 1026 bowwow (Dec 03)
- <Possible follow-ups>
- RE: Increase probe on UDP port 1026 Rodrigues, Philip (Dec 01)
- RE: Increase probe on UDP port 1026 Nicob (Dec 02)
- RE: Increase probe on UDP port 1026 Rodrigues, Philip (Dec 02)
- Re: Increase probe on UDP port 1026 Paul Dokas (Dec 02)
- Re: Increase probe on UDP port 1026 George Capehart (Dec 02)
- Re: Increase probe on UDP port 1026 Nick FitzGerald (Dec 02)
- RE: Increase probe on UDP port 1026 Bill Royds (Dec 02)
- Re: Increase probe on UDP port 1026 Brian Eckman (Dec 03)
- RE: Increase probe on UDP port 1026 Nicob (Dec 02)