Open Source and information security mailing list archives
From: irwanhadi at phxby.com (Irwan Hadi)
Subject: Increase probe on UDP port 1026

During the last few hours, I've seen a huge jump in traffic to UDP
port 1026 (Windows Messaging).
I know that the exploit for MS03-043 was released around 2
weeks ago, but that exploit, as far as I know, only works by using UDP
port 135.
Some interesting patterns that I found in the packets that Snort
captured are:
1. One attacker host only sends one packet to the target host.
2. The attackers come from all over the world (which indicates a rapid
infection).
3. The packet always contains (00 00 00 00 00) for the message part.

Below is the Snort rule that I put in my IDS box
alert udp !$USU_NET any -> any 1026 (msg:"MS03-043 PROBE??"; classtype:bad-unknown;)

And these are some of the packets that Snort captured:

[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800
len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601
IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00
...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B
...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00
.~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800
len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877
IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00
....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B
......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00
,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-09:28:06.146677 0:D0:4:F2:4C:A -> 0:2:B3:E7:49:84 type:0x800
len:0x3C
62.243.125.82:1194 -> 129.123.x.x:1026 UDP TTL:114 TOS:0x0 ID:6633
IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 E7 49 84 00 D0 04 F2 4C 0A 08 00 45 00
....I.....L...E.
0x0010: 00 1E 19 E9 00 00 72 11 DD 95 3E F3 7D 52 81 7B
......r...>.}R.{
0x0020: 13 90 04 AA 04 02 00 0A A5 DD 00 00 00 00 00 00
................
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-15:47:16.721798 0:D0:4:F2:4C:A -> 0:8:A1:21:91:D8 type:0x800
len:0x3C
140.228.112.8:1478 -> 129.123.x.x:1026 UDP TTL:118 TOS:0x0 ID:43359
IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 21 91 D8 00 D0 04 F2 4C 0A 08 00 45 00
...!......L...E.
0x0010: 00 1E A9 5F 00 00 76 11 09 69 8C E4 70 08 81 7B
..._..v..i..p..{
0x0020: 13 9F 05 C6 04 02 00 0A 64 0B 00 00 00 00 00 00
........d.......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-13:46:34.522088 0:D0:4:F2:4C:A -> 0:8:A1:B:6F:6A type:0x800
len:0x3C
24.157.247.137:1076 -> 129.123.x.x:1026 UDP TTL:109 TOS:0x0 ID:30415
IpLen:20 DgmLen:30
Len: 2
0x0000: 00 08 A1 0B 6F 6A 00 D0 04 F2 4C 0A 08 00 45 00
....oj....L...E.
0x0010: 00 1E 76 CF 00 00 6D 11 31 80 18 9D F7 89 81 7B
..v...m.1......{
0x0020: 13 DE 04 34 04 02 00 0A 52 24 00 00 00 00 00 00
...4....R$......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Any idea?
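The pattern described in the post (one datagram per source, destination UDP port 1026, a two-byte all-zero UDP payload padded out to the 60-byte Ethernet minimum) can be checked mechanically against Snort's hex dumps rather than by eye. The Python below is added here as an illustration and is not part of the original post or of Snort: it splits the dump into alerts, decodes the Ethernet, IPv4 and UDP headers from the hex bytes, cross-checks the decoded addresses and ports against Snort's own header line, and summarizes how many sources sent more than one packet. The two alerts embedded as sample input are copied from the post above; the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Two alerts copied verbatim from the post (the "x.x" in the destination
# address is the poster's own redaction, which is why the parser takes the
# destination port from the decoded UDP header and not from this line).
SAMPLE_ALERTS = """\
[**] MS03-043 PROBE?? [**]
12/01-15:45:08.986417 0:D0:4:F2:4C:A -> 0:B0:D0:29:D5:40 type:0x800
len:0x3C
200.176.192.151:1042 -> 129.123.x.x:1026 UDP TTL:111 TOS:0x0 ID:33601
IpLen:20 DgmLen:30
Len: 2
0x0000: 00 B0 D0 29 D5 40 00 D0 04 F2 4C 0A 08 00 45 00
...).@....L...E.
0x0010: 00 1E 83 41 00 00 6F 11 AA 4C C8 B0 C0 97 81 7B
...A..o..L.....{
0x0020: 13 7E 04 12 04 02 00 0A D9 84 00 00 00 00 00 00
.~..............
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS03-043 PROBE?? [**]
12/01-14:01:19.788400 0:D0:4:F2:4C:A -> 0:2:B3:C9:36:64 type:0x800
len:0x3C
81.74.106.18:26246 -> 129.123.x.x:1026 UDP TTL:106 TOS:0x0 ID:7877
IpLen:20 DgmLen:30
Len: 2
0x0000: 00 02 B3 C9 36 64 00 D0 04 F2 4C 0A 08 00 45 00
....6d....L...E.
0x0010: 00 1E 1E C5 00 00 6A 11 C8 EA 51 4A 6A 12 81 7B
......j...QJj..{
0x0020: 2C 48 66 86 04 02 00 0A 2C 32 00 00 00 00 00 00
,Hf.....,2......
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]{4}:\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
HDR_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+):(\d+) (\w+) ")


@dataclass
class Probe:
    src_ip: str        # source address decoded from the IPv4 header
    src_port: int      # from the UDP header
    dst_port: int      # from the UDP header
    udp_len: int       # UDP length field (header + payload)
    payload: bytes     # UDP payload only, Ethernet padding excluded
    header_ok: bool    # decoded fields agree with Snort's own header line

    @property
    def zero_payload(self) -> bool:
        return len(self.payload) > 0 and all(b == 0 for b in self.payload)


def split_alerts(text: str) -> list[list[str]]:
    """Split Snort's text output on the =+=+ separator lines."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.startswith("=+=+"):
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_frame(lines: list[str]) -> bytes:
    """Collect the raw frame bytes from the 0xNNNN: hex-dump lines.

    Stops at the first non-hex token so the ASCII column that Snort appends
    to the last line (the "............" part) is not mistaken for data."""
    data = bytearray()
    for line in lines:
        m = HEX_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            if not HEX_BYTE.match(tok):
                break
            data.append(int(tok, 16))
    return bytes(data)


def dissect(lines: list[str]) -> Probe:
    """Decode Ethernet II / IPv4 / UDP from one alert and cross-check it."""
    frame = parse_frame(lines)
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = 14                                   # Ethernet II header is 14 bytes
    ihl = (frame[ip] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[ip + 9] != 17:
        raise ValueError("not UDP")
    src_ip = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    udp = ip + ihl
    src_port = int.from_bytes(frame[udp:udp + 2], "big")
    dst_port = int.from_bytes(frame[udp + 2:udp + 4], "big")
    udp_len = int.from_bytes(frame[udp + 4:udp + 6], "big")
    payload = frame[udp + 8:udp + udp_len]   # anything past udp_len is padding
    header_ok = False
    for line in lines:
        m = HDR_LINE.match(line)
        if m:
            header_ok = (m.group(1) == src_ip and int(m.group(2)) == src_port
                         and int(m.group(4)) == dst_port and m.group(5) == "UDP")
    return Probe(src_ip, src_port, dst_port, udp_len, payload, header_ok)


def parse_probes(text: str) -> list[Probe]:
    return [dissect(block) for block in split_alerts(text)]


def summarize(probes: list[Probe]) -> dict:
    """Counts that test the three observations made in the post."""
    per_source = Counter(p.src_ip for p in probes)
    return {
        "total": len(probes),
        "to_port_1026": sum(p.dst_port == 1026 for p in probes),
        "zero_payload": sum(p.zero_payload for p in probes),
        "header_mismatch": sum(not p.header_ok for p in probes),
        "max_packets_per_source": max(per_source.values(), default=0),
    }


if __name__ == "__main__":
    for p in parse_probes(SAMPLE_ALERTS):
        print(p.src_ip, p.src_port, "->", p.dst_port,
              "udp_len", p.udp_len, "payload", p.payload.hex(), "zero", p.zero_payload)
    print(summarize(parse_probes(SAMPLE_ALERTS)))
```

For both captured datagrams the decoded UDP length field is 10, so the payload is exactly two bytes (00 00) and the remaining zeros in the dump are Ethernet padding rather than message content. That two-byte all-zero payload is the property a tighter rule would key on (Snort's dsize and content keywords) instead of alerting on every UDP datagram to port 1026 from outside the local network, which is what the rule in the post does.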

