Security Incidents mailing list archives
Re: The x.c worm
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 05 Sep 2001 11:11:39 -0400
FYI, there are Snort sigs available to pick up this particular exploit.
Check out SIDs 1252 and 1253 for the rules ('grep TESO <snortdir>/*.rules').
Once the rules database is up at snort.org, we'll have more descriptive
information... :)

-Marty

Dave Dittrich wrote:

> On Tue, 4 Sep 2001 niels.heinen () ubizen com wrote:
>
> > I was wondering if anyone has more information about this worm. I mean
> > source, log files, anything ;]
> >
> > For those that have not heard about this worm: x.c exploits the recently
> > discovered buffer overflow in BSD-derived telnet daemons. More information
> > can be found here:
> >
> > http://www.nipc.gov/warnings/assessments/2001/01-019.htm
> > http://www.incidents.org/diary/diary.php#012
>
> Niels,
>
> Since the details I've seen on this are not yet public, I'll stick to what
> is to give some hints on how to detect this on the wire.
>
> If you want a fingerprint for your IDS, take a look at the following
> shellcode:
>
> http://msgs.securepoint.com/cgi-bin/get/bugtraq0107/293.html
>
>     /* x86/bsd(i)+solaris execve shellcode
>      * by lorian/teso
>      */
>     unsigned char x86_bsd_compaexec[] =
>         "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
>         "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
>         "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
>         "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7";
>
> For more details on what to look for using nmap, see Bill Stearns'
> "xcfind" program:
>
> http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/xcfind.htm
>
>     AddedLine /etc/rc.local '/usr/sbin/cron '
>     AddedLine /etc/inetd.conf '^uaac stream tcp nowait root /bin/sh sh -i$'
>     AddedLine /etc/hosts.allow '^sh: ALL$'
>     ServicesStopped \
>         inetd
>     echo Please note that your system may have had a root shell opened
>     echo on tcp port 145. You should check the system for any additional
>     echo damage caused via incoming connections on that port.
>
> (Use Bill's "xcfind" tool for local host detection, but realize that it
> may, in future, give false positive results if a rootkit or loadable
> kernel module is used in conjunction with an exploit like this.)
>
> --
> Dave Dittrich                 Computing & Communications
> dittrich () cac washington edu  University Computing Services
> http://staff.washington.edu/dittrich  University of Washington
>
> PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
> Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
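The thread gives two kinds of indicator: the shellcode bytes to fingerprint on the wire, and the lines xcfind looks for in /etc/rc.local, /etc/inetd.conf and /etc/hosts.allow. The script below is an added example (not code from the thread, from Snort, or from xcfind) that turns both into simple checks: a byte-signature match over a captured telnet payload, and a regex check over the config files. The payload and file contents embedded in it are constructed sample input; the `scan_host()` helper that reads the live files is an assumption about where an operator would run it.

```python
import re

# Shellcode bytes exactly as quoted in the thread (x86 BSD execve shellcode
# by lorian/teso), used here only as a byte signature for detection.
TESO_SHELLCODE = (
    b"\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
    b"\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
    b"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
    b"\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7"
)

# Host indicators from the xcfind excerpt in the thread: one added line per file.
# The inetd.conf entry is what opens the root shell on tcp port 145 (uaac).
HOST_INDICATORS = {
    "/etc/rc.local": re.compile(r"/usr/sbin/cron "),
    "/etc/inetd.conf": re.compile(r"^uaac stream tcp nowait root /bin/sh sh -i$", re.M),
    "/etc/hosts.allow": re.compile(r"^sh: ALL$", re.M),
}


def payload_contains_shellcode(payload: bytes) -> bool:
    """Network-side check: True if the TESO shellcode appears anywhere in the payload."""
    return TESO_SHELLCODE in payload


def find_host_indicators(file_contents: dict) -> list:
    """Host-side check: file_contents maps path -> text. Returns paths whose
    content matches the xcfind 'AddedLine' pattern for that path."""
    hits = []
    for path, pattern in HOST_INDICATORS.items():
        text = file_contents.get(path)
        if text is not None and pattern.search(text):
            hits.append(path)
    return hits


def scan_host(paths=tuple(HOST_INDICATORS)) -> list:
    """Assumed usage: read the real files on a BSD host and report matches.
    Files that cannot be read are skipped rather than reported."""
    contents = {}
    for p in paths:
        try:
            with open(p, encoding="latin-1") as fh:
                contents[p] = fh.read()
        except OSError:
            continue
    return find_host_indicators(contents)


# Constructed sample input: a telnet option negotiation followed by padding,
# the shellcode and a newline, as a reassembled client->server payload.
SAMPLE_PAYLOAD = b"\xff\xfb\x18" + b"A" * 64 + TESO_SHELLCODE + b"\r\n"

# Constructed sample file contents: inetd.conf and hosts.allow carry the added
# lines, rc.local is clean.
SAMPLE_FILES = {
    "/etc/rc.local": "# local startup script\n",
    "/etc/inetd.conf": (
        "telnet stream tcp nowait root /usr/libexec/telnetd telnetd\n"
        "uaac stream tcp nowait root /bin/sh sh -i\n"
    ),
    "/etc/hosts.allow": "ALL: LOCAL\nsh: ALL\n",
}

if __name__ == "__main__":
    print("shellcode in payload:", payload_contains_shellcode(SAMPLE_PAYLOAD))
    print("host indicators hit:", find_host_indicators(SAMPLE_FILES))
```

The byte match is the same idea as the Snort SIDs Marty mentions, just without the rule engine; the host check carries the caveat Dave gives about xcfind, namely that a rootkit or LKM hiding the modified files would defeat it.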
Current thread:
- The x.c worm niels . heinen (Sep 04)
- Re: The x.c worm Dave Dittrich (Sep 04)
- Re: The x.c worm Dave Dittrich (Sep 04)
- Re: The x.c worm Martin Roesch (Sep 05)
- Re: The x.c worm Dave Dittrich (Sep 04)