From: malware at t-online.de (Michael Mueller)
Subject: New usages of the RPC exploit (was: quit the dumd chat man!!)

Hi Robin,

you wrote:
> We had a honey pot hit by some canny FTP kiddies using the RPC flaw to load
> up an FTP server that ran as a service and also then execute a predefined
> further attack on some specific IPs. Anyone else seen this? Very similar
> exploit to the Nachia "whatever it's called" worm.

Got something new here too. It used a passworded FTP account leading
into the root directory of a Windows machine and tried to download a
winupdate.exe there. It does not look like another worm, more like a manned
attack, since the exploit did not come from the FTP server but from some
Slovakian university. It used the open port 4444 of the machine for the
command connection, as the Blaster worm did. Sending the commands was
tried twice, since my machine only accepts the commands but does not
perform them.

My virus scanner (Kaspersky Anti-Virus) tells me:
winupdate.exe archive: Astrum
winupdate.exe/data0001 infected: Trojan.BAT.Passer.a
winupdate.exe/data0002 infected: Worm.Win32.Randon.r
winupdate.exe/data0004 packed: UPX
winupdate.exe/data0006 infected: Worm.Win32.Randon.q
winupdate.exe/data0007 packed: UPX
winupdate.exe/data0008 packed: UPX
winupdate.exe/data0008 infected: Trojan.PSW.VB.aq
winupdate.exe/data0009 packed: UPX
winupdate.exe/data0011 packed: UPX
winupdate.exe/data0012 infected: Backdoor.IRC.Zcrew
winupdate.exe/data0013 packed: UPX
winupdate.exe/data0016 packed: UPX
winupdate.exe/data0016 infected: Trojan.Win32.Killav.aj
winupdate.exe/data0020 packed: UPX

The exploit code shows only a minor change from the Blaster worm in the
RPC request:

--- exploit0186.dmp     Fri Aug 22 02:24:49 2003
+++ exploit0595.dmp     Fri Aug 22 02:24:30 2003
@@ -57,7 +57,7 @@
 00003a0 0000 0000 0000 0000 0186 0000 0000 0000
 00003b0 0186 0000 005c 005c 0046 0058 004e 0042
 00003c0 0046 0058 0046 0058 004e 0042 0046 0058
-00003d0 0046 0058 0046 0058 0046 0058 139d 0100
+00003d0 0046 0058 0046 0058 0046 0058 16c6 0100
 00003e0 e0cc 7ffd e0cc 7ffd 9090 9090 9090 9090
 00003f0 9090 9090 9090 9090 9090 9090 9090 9090
 *
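Review bot: the only difference between the two dumps is the 16-bit word at offset 0x3d0 (`139d` in exploit0186.dmp, `16c6` in exploit0595.dmp); the preceding UTF-16LE string (`005c 005c 0046 0058 004e 0042 …`, i.e. `\\FXNBFXFXNBFXFXFXFXFX`) and the following `e0cc 7ffd` and `9090` words are identical in both, which supports the "minor change" claim for the shown region. Note that the trailing `*` is hexdump's marker for suppressed repeated lines, so the diff cannot show whether the `9090` run after 0x3f0 differs in length between the two captures; comparing the complete dumps (or stating their sizes) would make the comparison conclusive. The two dumps also carry timestamps 19 seconds apart (02:24:30 and 02:24:49), so it would help to say whether they are two attempts from the same source, matching the "tried twice" observation above.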


Michael

-- 
Linux@...Xpress
http://www-users.rwth-aachen.de/Michael.Mueller4/tekxp/tekxp.html

