Message-ID: <Law11-OE70KuDiuKCsk00023f6e@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: DCOM WORM - preface
Remnants of the msblaster "beta test"
note: I just opened up my router and got the following...
--------- snip -------
[01:39:14.744 - 15.08.2003]
Proto: TCP len: 48 24.241.218.230:1619 -> 192.168.0.2:6667
[01:39:14.774 - 15.08.2003]
Proto: TCP len: 48 68.154.196.148:3296 -> 192.168.0.2:6667
[01:39:14.794 - 15.08.2003]
Proto: TCP len: 48 24.241.176.121:1263 -> 192.168.0.2:6667
[01:39:14.794 - 15.08.2003]
Proto: TCP len: 48 68.154.27.21:1960 -> 192.168.0.2:6667
[01:39:14.904 - 15.08.2003]
Proto: TCP len: 48 68.154.77.36:2347 -> 192.168.0.2:6667
[01:39:14.994 - 15.08.2003]
Proto: TCP len: 48 67.33.166.173:3774 -> 192.168.0.2:6667
[01:39:15.015 - 15.08.2003]
Proto: TCP len: 48 24.73.55.232:3748 -> 192.168.0.2:6667
[01:39:15.045 - 15.08.2003]
Proto: TCP len: 48 68.154.79.127:3240 -> 192.168.0.2:6667
[01:39:15.055 - 15.08.2003]
Proto: TCP len: 48 24.73.87.245:4222 -> 192.168.0.2:6667
[01:39:15.055 - 15.08.2003]
Proto: TCP len: 48 68.154.79.109:4726 -> 192.168.0.2:6667
[01:39:15.125 - 15.08.2003]
Proto: TCP len: 48 24.73.39.226:2108 -> 192.168.0.2:6667
------------ snip ---------
Note the pattern in the subnets, and that I have not run a server on port
6667 in weeks; this suggests this agent (proc32.exe = sdbot05b) is still
quite active and virulent. Samples of the log can be found at:
http://exploitlabs.com/attacking.zip <--- log
http://exploitlabs.com/proc32.zip <--- captured sdbot
http://exploitlabs.com/attack/sdbot.txt <--- decompiled sdbot
This infection of the attacking systems was complete and in place
as of July 29, 2003, as recorded in this log preceding that first attack:
http://exploitlabs.com/attack/morning_wood-fun.txt
(this was logged by one of the attackers themselves)
My original paper can be found here:
http://exploitlabs.com/attack/RPC-DCOM-DDoS-attack.txt (July 31, 2003)
and is originally referenced in response to the obvious downplay of the
DCOM-RPC issue, here:
http://nothackers.org/pipermail/0day/2003-July/000149.html
Donnie Werner
http://e2-labs.com
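The post relies on eyeballing the log: many distinct sources, clustered in a few /16s, all hitting tcp/6667 within a fraction of a second on a host with no IRC server. The following script is an added example, not part of the original message or of the author's tools: it parses the router log format exactly as it appears above (the timestamp layout HH:MM:SS.mmm / DD.MM.YYYY is inferred from those lines and is an assumption), groups the sources by /16, measures the time span, and applies a burst heuristic whose thresholds (5 sources within 5 seconds) are assumptions chosen for illustration. The embedded log lines are copied from the post.

```python
"""Parse the router log excerpt and summarize inbound hits on one port."""
import re
from collections import Counter
from datetime import datetime

# Timestamp line as logged by the router, e.g. "[01:39:14.744 - 15.08.2003]".
# Layout (HH:MM:SS.mmm, then DD.MM.YYYY) is assumed from the lines in the post.
TS_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2}\.\d{3}) - (\d{2}\.\d{2}\.\d{4})\]$")
# Packet line, e.g. "Proto: TCP len: 48 24.241.218.230:1619 -> 192.168.0.2:6667"
PKT_RE = re.compile(
    r"^Proto:\s+(?P<proto>\w+)\s+len:\s+(?P<len>\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# The log excerpt from the post, embedded so the example runs offline.
SAMPLE_LOG = """\
[01:39:14.744 - 15.08.2003]
Proto: TCP len: 48 24.241.218.230:1619 -> 192.168.0.2:6667
[01:39:14.774 - 15.08.2003]
Proto: TCP len: 48 68.154.196.148:3296 -> 192.168.0.2:6667
[01:39:14.794 - 15.08.2003]
Proto: TCP len: 48 24.241.176.121:1263 -> 192.168.0.2:6667
[01:39:14.794 - 15.08.2003]
Proto: TCP len: 48 68.154.27.21:1960 -> 192.168.0.2:6667
[01:39:14.904 - 15.08.2003]
Proto: TCP len: 48 68.154.77.36:2347 -> 192.168.0.2:6667
[01:39:14.994 - 15.08.2003]
Proto: TCP len: 48 67.33.166.173:3774 -> 192.168.0.2:6667
[01:39:15.015 - 15.08.2003]
Proto: TCP len: 48 24.73.55.232:3748 -> 192.168.0.2:6667
[01:39:15.045 - 15.08.2003]
Proto: TCP len: 48 68.154.79.127:3240 -> 192.168.0.2:6667
[01:39:15.055 - 15.08.2003]
Proto: TCP len: 48 24.73.87.245:4222 -> 192.168.0.2:6667
[01:39:15.055 - 15.08.2003]
Proto: TCP len: 48 68.154.79.109:4726 -> 192.168.0.2:6667
[01:39:15.125 - 15.08.2003]
Proto: TCP len: 48 24.73.39.226:2108 -> 192.168.0.2:6667
"""


def parse_log(text):
    """Return one dict per packet line, each carrying the preceding timestamp."""
    events, ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d.%m.%Y %H:%M:%S.%f")
            continue
        m = PKT_RE.match(line)
        if m and ts is not None:
            events.append({
                "ts": ts,
                "proto": m["proto"],
                "len": int(m["len"]),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
            })
    return events


def net16(ip):
    """Collapse an IPv4 address to its /16, e.g. 68.154.77.36 -> 68.154.0.0/16."""
    a, b = ip.split(".")[:2]
    return f"{a}.{b}.0.0/16"


def summarize(events, dport=6667):
    """Count TCP hits on dport, group sources by /16 and measure the time span."""
    hits = [e for e in events if e["dport"] == dport and e["proto"] == "TCP"]
    span = 0.0
    if hits:
        span = (max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds()
    return {
        "hits": len(hits),
        "distinct_sources": len({e["src"] for e in hits}),
        "by_net16": Counter(net16(e["src"]) for e in hits),
        "span_seconds": span,
    }


def looks_like_bot_burst(summary, min_sources=5, max_span=5.0):
    """Heuristic (thresholds are assumptions): many distinct sources hitting one
    port within a few seconds, on a host with nothing listening there, reads
    like coordinated bot connect attempts rather than normal IRC client use."""
    return summary["distinct_sources"] >= min_sources and summary["span_seconds"] <= max_span


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"{s['hits']} hits to tcp/6667 from {s['distinct_sources']} sources "
          f"in {s['span_seconds']:.3f}s")
    for net, n in s["by_net16"].most_common():
        print(f"  {net:<16} {n}")
    print("bot burst:", looks_like_bot_burst(s))
```

Run against the excerpt above, it reports 11 hits from 11 distinct sources in 0.381 s, with 68.154.0.0/16 supplying five of them and 24.73.0.0/16 three, which is the subnet clustering the post points at; widening the window to a full capture would let the same code track how many infected hosts keep reconnecting over days.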