how-to block ads
|
|
Share Topic
 |
 |
|
|
|
pslossPremium
join:2002-02-24
Alpharetta, GA | reply to Link Logger
Re: New Capture on TCP port 135 said by Link Logger:
Checking one of the honeypots tonight I noticed a very different scan on TCP port 135 and was wondering if anyone else has seen anything like it? The first scan is the standard metasploit/xfocus signature ( »www.linklogger.com/RPC_DCOM.htm ) but the second part of this is very different.
Well, actually, no -- it's just the rest of the xfocus/metasploit code. The code sends the bind packet, eats a reply (without sanity checking it), and then sends a request packet with exploit code (1704 bytes). I'm seeing a handful of these incidents now, followed by the rshell connect on tcp/4444, which is what that proof of concept code used.
Apparently these packages are still depending on tftp, which will keep the propagation down, since it's UDP based. The other "conventional" thing is that this little burst of traffic here is using the break-in like a downloader -- so it sends a command to tftp the file from central server. That will also flood that system and limit propagation, especially given using a UDP-based protocol.
All the activity I'm seeing continues to be infecting systems with bots...still no worm.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
 Link LoggerPremium,MVM
join:2001-03-29
Calgary, AB
kudos:3
 ·Shaw
| While I have seen the first part of the xfocus/metasploit a number of times, this is the first time I've seen the second part, which makes me wonder then what has changed such that I would see the second part on this scan only. I have had a number of xfocus/metasploit scans since and only seen the first part.
Blake | | |
|
|
