lists.openwall.net - Open Source and information security mailing list archives
From: irwanhadi at phxby.com (Irwan Hadi)
Subject: Increased probes on UDP port 1026

During the last few hours, I've seen a huge jump in traffic to UDP port 1026 (Windows Messaging). I know that the exploit for MS03-043 was released around 2 weeks ago, but that exploit, as far as I know, only works by using UDP port 135.

Some interesting patterns that I found in the packets that Snort captured are:

1. One attacker host only sends one packet to a target host.
2. The attackers come from all over the world (which indicates a rapid infection).
3. The packet always contains (00 00 00 00 00) for the message part.

Below is the Snort rule that I put in my IDS box (a sid/rev pair has been added so that current Snort versions load the rule without complaint; the match itself is unchanged):

alert udp !$USU_NET any -> any 1026 (msg:"MS03-043 PROBE??"; classtype:bad-unknown; sid:1000001; rev:1;)

And these are some of the packets that Snort captured:

[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800 len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800 len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00  ....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B  ......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00  ,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-09:28:06.146677 0:D0:4:F2:4C:A -> 0:2:B3:E7:49:84 type:0x800 len:0x3C
62.243.125.82:1194 -> 129.123.x.x:1026 UDP TTL:114 TOS:0x0 ID:6633 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 E7 49 84 00 D0 04 F2 4C 0A 08 00 45 00  ....I.....L...E.
0x0010: 00 1E 19 E9 00 00 72 11 DD 95 3E F3 7D 52 81 7B  ......r...>.}R.{
0x0020: 13 90 04 AA 04 02 00 0A A5 DD 00 00 00 00 00 00  ................
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-15:47:16.721798 0:D0:4:F2:4C:A -> 0:8:A1:21:91:D8 type:0x800 len:0x3C
140.228.112.8:1478 -> 129.123.x.x:1026 UDP TTL:118 TOS:0x0 ID:43359 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 21 91 D8 00 D0 04 F2 4C 0A 08 00 45 00  ...!......L...E.
0x0010: 00 1E A9 5F 00 00 76 11 09 69 8C E4 70 08 81 7B  ..._..v..i..p..{
0x0020: 13 9F 05 C6 04 02 00 0A 64 0B 00 00 00 00 00 00  ........d.......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-13:46:34.522088 0:D0:4:F2:4C:A -> 0:8:A1:B:6F:6A type:0x800 len:0x3C
24.157.247.137:1076 -> 129.123.x.x:1026 UDP TTL:109 TOS:0x0 ID:30415 IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 0B 6F 6A 00 D0 04 F2 4C 0A 08 00 45 00  ....oj....L...E.
0x0010: 00 1E 76 CF 00 00 6D 11 31 80 18 9D F7 89 81 7B  ..v...m.1......{
0x0020: 13 DE 04 34 04 02 00 0A 52 24 00 00 00 00 00 00  ...4....R$......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Any idea?
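To check the three observations in the post mechanically rather than by eye, here is an added example (editor's code, not from the post or from Snort) that parses Snort full-alert hex dumps like the ones above, decodes the Ethernet/IPv4/UDP headers and reports whether every packet targets UDP 1026 with an all-zero UDP payload and whether each source sends exactly one packet. Two frames from the post serve as sample input; the payload size it reports comes from the UDP length field, so the Ethernet trailer padding shown in the dumps is not counted.

```python
import re
from collections import Counter
# Two of the frames quoted in the post (Snort's hex dump lines; the header lines are omitted).
SAMPLE_ALERTS = """\
[**] MS03-043 PROBE?? [**]
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00  ...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B  ...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00  .~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] MS03-043 PROBE?? [**]
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00  ....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B  ......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00  ,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

def frame_bytes(dump_lines):
    """Rebuild the raw frame from Snort '0xNNNN: hh hh ...  ascii' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in dump_lines:
        hexes = re.match(r"0x[0-9A-Fa-f]{4}:((?: [0-9A-Fa-f]{2}){1,16})", line).group(1)
        out += bytes.fromhex(hexes)
    return bytes(out)

def decode_udp(frame):
    """Decode Ethernet/IPv4/UDP headers; None unless the frame is IPv4 UDP over Ethernet."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    udp = frame[14 + ihl:]
    udp_len = int.from_bytes(udp[4:6], "big")     # header + data, so padding is excluded below
    return {"src_ip": ".".join(map(str, frame[26:30])),
            "src_port": int.from_bytes(udp[0:2], "big"),
            "dst_port": int.from_bytes(udp[2:4], "big"),
            "payload": udp[8:udp_len]}

def parse_alerts(text):
    """Split a Snort alert file on its '=+=+' separators and decode every frame found."""
    blocks = re.split(r"^=\+=.*$", text, flags=re.M)
    frames = [frame_bytes([l for l in b.splitlines() if l.startswith("0x")]) for b in blocks]
    return [r for r in map(decode_udp, frames) if r]

def summarize(records):
    """Evaluate the post's observations: one packet per source, all to 1026, zero-byte payload."""
    per_source = Counter(r["src_ip"] for r in records)
    return {"one_packet_per_source": all(n == 1 for n in per_source.values()),
            "all_to_1026": all(r["dst_port"] == 1026 for r in records),
            "payload_all_zero": all(set(r["payload"]) <= {0} for r in records),
            "payload_sizes": sorted({len(r["payload"]) for r in records})}
```

Feeding the full alert file instead of SAMPLE_ALERTS gives the per-source and payload statistics for the whole capture.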