Snort mailing list archives

Re: RPC statdx exploit against DNS...


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 25 Mar 2002 16:04:53 -0500

Looking at the rule, it will go off for any UDP or TCP packet containing a particularly odd "/bin/sh" type string.

Thus this is likely a "mislabeling" of an attack on bind (since statdx can be on any port, this is a content-only rule).

rpc.rules:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh";reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:1;)

There's also a TCP version:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flags: A+; content: "/bin|c74604|/sh";reference:arachnids,442; classtype:attempted-admin; sid:600; rev:1;)

I can see no reason for a tcp or udp packet sent to a DNS server to contain that string other than an attempted exploit.


At 12:08 PM 3/25/2002 -0700, Nels Lindquist wrote:
Hi there.

Every once in a while (between one and five times/month) I get a
snort alert on "RPC EXPLOIT statdx," directed to UDP port 53 on my
nameserver.  Many of these attacks appear to originate from Asia, but
I suppose a single UDP packet is quite spoofable, so there are no
guarantees.

My nameserver isn't running any RPC services, and bind is fully
patched, AFAIK.  I haven't been able to find any references which
would lead me to believe that named is vulnerable to the RPC statdx
exploit, so I'm awfully curious as to why anyone would be trying to
launch this exploit against my nameserver.

Is this alert actually a misidentification of an attack against bind?
Or are the script kiddies just getting overzealous and trying every
known exploit against the only open ports on the box?

Any ideas?


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
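
A check of how this content-only rule matches, as an added example (not from the thread and not Snort's own code): a minimal Python re-implementation of the Snort content syntax for sid 1282, run over a constructed normal DNS query and a constructed port-53 payload that carries the signature bytes. The payloads are made up for the test; only the rule text comes from the thread.

```python
import re

# Rule text as posted in the thread (rpc.rules, sid:1282).
STATDX_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh";'
               'reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:1;)')


def parse_content(pattern):
    """Snort content syntax: text outside |...| is literal, text inside is hex
    (whitespace in the hex is ignored, so |c74604| == |c7 46 04|)."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split('|')):
        out += chunk.encode('latin-1') if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def parse_rule(rule):
    """Pull out only the fields this example needs: protocol, destination
    port, the content pattern and the sid. Other options are ignored."""
    head, _, opts = rule.partition('(')
    _action, proto, _src, _sport, _arrow, _dst, dport = head.split()
    content = re.search(r'content:\s*"([^"]*)"', opts).group(1)
    sid = int(re.search(r'sid:\s*(\d+)', opts).group(1))
    return {'proto': proto, 'dport': dport, 'needle': parse_content(content), 'sid': sid}


def rule_fires(rule, proto, dport, payload):
    """Content-only check: the protocol must match, the port must be 'any' or
    equal, and the raw pattern must appear anywhere in the payload. No port
    restriction means a DNS packet is as eligible as an RPC one."""
    r = parse_rule(rule)
    if r['proto'] != proto or (r['dport'] != 'any' and int(r['dport']) != dport):
        return False
    return r['needle'] in payload


# Constructed sample payloads (not real captures).
# 1) An ordinary DNS query for example.com: should not match.
DNS_QUERY = (b'\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00'
             b'\x07example\x03com\x00\x00\x01\x00\x01')
# 2) Junk sent to port 53 that happens to carry the signature bytes.
JUNK_TO_53 = b'\x00' * 16 + parse_content('/bin|c7 46 04|/sh') + b'\x00' * 8


def classify():
    """Returns (fires on DNS query, fires on junk via UDP, fires on junk via TCP);
    the TCP case is False only because sid 1282 is the UDP rule."""
    return (rule_fires(STATDX_RULE, 'udp', 53, DNS_QUERY),
            rule_fires(STATDX_RULE, 'udp', 53, JUNK_TO_53),
            rule_fires(STATDX_RULE, 'tcp', 53, JUNK_TO_53))
```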
