Re: The x.c worm

[Martin Roesch <roesch () sourcefire com>]

FYI, there are Snort sigs available to pick up this particular exploit. 
Check out SIDs 1252 and 1253 for the rules ('grep TESO
<snortdir>/*.rules').  Once the rules database is up at snort.org, we'll
have more desciptive information... :)

     -Marty

Dave Dittrich wrote:
> On Tue, 4 Sep 2001 niels.heinen () ubizen com wrote:
>
> > I was wondering if anyone has more information about this worm. I mean
> > source, log files anything ;]
> >
> > For those that have not heard about this worm: x.c  expoits the recently
> > discovered buffer
> > overflow in bsd derived telnet daemons. More information can be found
> > here:
> >
> > http://www.nipc.gov/warnings/assessments/2001/01-019.htm
> > http://www.incidents.org/diary/diary.php#012
>
> Niels,
>
> Since the details I've seen on this are not yet public, I'll stick to
> what is to give some hints on how to detect this on the wire.
>
> If you want a fingerprint for your IDS, take a look at the following
> shellcode:
>
>         http://msgs.securepoint.com/cgi-bin/get/bugtraq0107/293.html
>
> /* x86/bsd(i)+solaris execve shellcode
>  * by lorian/teso
>  */
>  unsigned char   x86_bsd_compaexec[] =
>      "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
>      "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
>      "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
>      "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7";
>
> For more details on what to look for using nmap, see Bill Stearn's
> "xcfind" program:
>
>         http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/xcfind.htm
>
>         AddedLine /etc/rc.local '/usr/sbin/cron '
>         AddedLine /etc/inetd.conf '^uaac stream tcp nowait root /bin/sh sh -i$'
>         AddedLine /etc/hosts.allow '^sh: ALL$'
>
>         ServicesStopped \
>           inetd
>
>         echo Please note that your system may have had a root shell opened
>         echo on tcp port 145.  You should check the system for any additional
>         echo damage caused via incoming connections on that port.
>
> (Use Bill's "xcfind" tool for local host detection, but realize that
> it may, in future, give false positive results if a rootkit or
> loadable kernel module is used in conjunction with an exploit like
> this.)
>
> --
> Dave Dittrich                           Computing & Communications
> dittrich () cac washington edu             University Computing Services
> http://staff.washington.edu/dittrich    University of Washington
>
> PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
> Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com