Security Incidents mailing list archives
Scan of the Month - Two Exploits
From: Lance Spitzner <lance () SPITZNER NET>
Date: Mon, 11 Dec 2000 19:22:24 -0600
As some of you may know, the Honeynet Project sponsors a "Scan of the Month" section. We take scans from the wild and challenge the security community to decode the answers. The results are then archived for the security community. This month's Scan is unique. Several scans and two exploits were ran against a Linux honeypot in the same morning. The challenge to the security community is to review the captured signatures and answer any of the following six questions based on the snort signatures. ### QUESTION 1: Can you name the FTP scanning tool? ### QUESTION 2: What does this FTP exploit achieve? Does it open a port, create a shell, add a user account? ### QUESTION 3: Is the FTP attack successful? ### QUESTION 4: What RPC service is exploited? ### QUESTION 5: Where in the exploit code below does he bind a shell to port 39168? ### QUESTION 6: What two accounts are created, and what are the UID's? The Scan of the Month can be found at http://project.honeynet.org/scans/index.html -- Lance Spitzner http://project.honeynet.org
Current thread:
- Scan of the Month - Two Exploits Lance Spitzner (Dec 13)
- Re: Scan of the Month - Two Exploits Michal Zalewski (Dec 14)
- Re: Scan of the Month - Two Exploits Brent Woodfield (Dec 15)
- Re: Scan of the Month - Two Exploits Michal Zalewski (Dec 14)