RE: Exploit for Windows RPC may be in the wild!

From: Paul Tinsley (pdtat_private)
Date: Mon Jul 28 2003 - 22:38:22 PDT


    I have a pcap file of XP SP1 being exploited that I ran through snort:
    
    Rules below:
        TCP: 176        (100.000%)         ALERTS: 0
    Rules I just posted to list a second ago:
        TCP: 176        (100.000%)         ALERTS: 1
    
    I can't vouch for my rules on variations of dcom.c but they seem to work
    really well with dcom.c.  The problem with using the error messages below
    is, and correct me if I'm wrong, but the exploit is a valid bind request...
    The only thing this might trigger on would be incorrect offset attempts,
    which is good... but it will go totally silent if the attack was successful.
    
    -----Original Message-----
    From: Eric Appelboom [mailto:ericat_private] 
    Sent: Monday, July 28, 2003 11:15 AM
    To: incidentsat_private
    
     
    Yeah, the exploit works way too well for my liking.
    The win32 binary didn't seem to work though.
    
    I usually found that one can try once to get the os\sp pair correct.
    If not, the machine carries on its merry way even if you get the os\sp
    pair correct.
    
    A nice indicator that a machine has been exploited is that after you
    quit from the shell it causes NTAuthority to panic and shut the machine
    down after 60 seconds.
    
    Some snort sigs I came across, don't know how good they are.
    
    alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;)
    
    alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)
    
    On a side note to those in ISP scenarios, any thoughts about blocking
    netbios inbound to pops?
    
    Eric
    
    -----Original Message-----
    From: morning_wood [mailto:se_cur_ityat_private] 
    Sent: 27 July 2003 10:17 PM
    To: Compton, Rich; incidentsat_private
    
    it is in the wild and very very effective, in random testing I'm finding
    80% of all XP/2k boxes affected...
    
    Donnie Werner
    http://exploitlabs.com
    
    ----- Original Message ----- 
    From: "Compton, Rich" <RComptonat_private>
    To: <incidentsat_private>
    Sent: Friday, July 25, 2003 12:45 PM
    Subject: Exploit for Windows RPC may be in the wild!
    
    
    > FYI,
    > ISPs are reporting a dramatic increase in traffic on TCP port 135.  No
    > exploit code has been captured as of yet but the increase in traffic on
    > this port probably indicates that exploit code is being executed!  Block
    > ports 135 through 139 and 445!
    >
    > More info:
    >
    > http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
    >
    > -Rich Compton
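Added example, not part of this thread and not code from the Snort project: a small Python model of what the sid:2190 rule quoted above actually tests on a TCP/135 payload, together with a builder for constructed DCE/RPC bind PDUs, to make Paul's point concrete: the rule only fires when the bind carries zero presentation-context elements, so a well-formed bind (the shape any legitimate client, and per Paul the dcom.c exploit, sends) passes it silently. The header layout follows the DCE/RPC connection-oriented PDU format; the UUIDs, fragment sizes, call id and all function names are placeholders chosen for the example. Only the raw TCP/135 rule is modelled; the SMB-carried variant (sid:2191) puts the SMB transaction and \PIPE\ matching in front of the same four checks.

```python
import struct

# Field positions in a connection-oriented DCE/RPC bind PDU, matching the
# offsets the quoted Snort rule sid:2190 tests.
PTYPE_BIND = 0x0B       # packet type byte at offset 2 (content:"|0b|")
PFC_FIRST_FRAG = 0x01   # bit tested by byte_test:1,&,1,0,relative at offset 3
OFF_NUM_CTX_ITEMS = 24  # n_context_elem: 21 bytes past pfc_flags (distance:21)


def build_bind_pdu(num_ctx_items, call_id=1):
    """Construct a minimal bind PDU for testing.

    Constructed sample, not captured traffic. Each context element pairs a
    placeholder interface UUID with a placeholder transfer-syntax UUID.
    """
    ctx = b""
    for i in range(num_ctx_items):
        ctx += struct.pack("<HBB", i, 1, 0)             # p_cont_id, n_transfer_syn, reserved
        ctx += bytes(range(16)) + struct.pack("<I", 0)  # abstract syntax: placeholder UUID + version
        ctx += bytes(16) + struct.pack("<I", 2)         # transfer syntax: placeholder UUID + version
    body = struct.pack("<HHI", 5840, 5840, 0)           # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", num_ctx_items, 0, 0)    # n_context_elem, reserved, reserved2
    body += ctx
    frag_length = 16 + len(body)
    header = struct.pack("<BBBB4sHHI",
                         5, 0,                    # rpc_vers, rpc_vers_minor
                         PTYPE_BIND,
                         PFC_FIRST_FRAG | 0x02,   # first and last fragment
                         b"\x10\x00\x00\x00",     # data representation: little-endian
                         frag_length, 0, call_id)  # frag_length, auth_length, call_id
    return header + body


def parse_bind_header(payload):
    """Decode the fixed part of a bind PDU into a dict; None if too short."""
    if len(payload) < OFF_NUM_CTX_ITEMS + 1:
        return None
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", payload, 0)
    frag_length, auth_length, call_id = struct.unpack_from("<HHI", payload, 8)
    return {
        "rpc_vers": rpc_vers,
        "rpc_vers_minor": rpc_vers_minor,
        "ptype": ptype,
        "pfc_flags": pfc_flags,
        "frag_length": frag_length,
        "frag_length_matches": frag_length == len(payload),
        "auth_length": auth_length,
        "call_id": call_id,
        "num_ctx_items": payload[OFF_NUM_CTX_ITEMS],
    }


def sid_2190_matches(payload):
    """Re-implement the content/byte_test chain of sid:2190 on one payload.

    byte_test does not move Snort's match cursor, so the final
    'content:"|00|"; distance:21; within:1' is measured from the byte after
    the 0x0b match: offset 3 + 21 = 24, the n_context_elem field.
    """
    hdr = parse_bind_header(payload)
    if hdr is None:
        return False
    return (hdr["rpc_vers"] == 5
            and hdr["ptype"] == PTYPE_BIND
            and bool(hdr["pfc_flags"] & PFC_FIRST_FRAG)
            and hdr["num_ctx_items"] == 0)


def classify(payload):
    """Summarise the rule's view: a bind with one or more context elements is
    the shape a normal client sends, so the rule is silent on it; only a bind
    with zero context elements produces an alert."""
    hdr = parse_bind_header(payload)
    if hdr is None or hdr["ptype"] != PTYPE_BIND:
        return "not a bind PDU"
    if sid_2190_matches(payload):
        return "alert: bind with zero context elements"
    return "silent: well-formed bind (%d context element(s))" % hdr["num_ctx_items"]


if __name__ == "__main__":
    for n in (0, 1, 2):
        pdu = build_bind_pdu(n)
        print(len(pdu), "bytes ->", classify(pdu))
```

Running the block prints one line per constructed PDU: the zero-element bind is the only one that alerts, which is why a signature written this way will stay quiet on a successful exploitation and only catch malformed attempts.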



    This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 09:38:56 PDT