[unisog] WINS exploit attack

Doug Pearson dodpears at indiana.edu
Mon Jan 3 13:56:29 GMT 2005


Confirming a significant increase in TCP/42 activity. A graph developed from aggregate Internet2 Abilene netflow is attached. The graph and other ports can be viewed at http://ren-isac.net/monitoring.cgi.

Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac at iu.edu
http://www.ren-isac.net



At 03:37 AM 1/3/2005 -0500, Tim Gurganus wrote:
>Since the WINS exploit went public Friday, I've been monitoring TCP port 42 traffic for shellcode. I got my first hit Sunday night from a machine inside our campus firewall.  The attacking machine was 0wned by DaG hackers that I know are active on the campuses of several US universities.  They used a connect back shellcode.  Exploited victims connected out to 24.56.17.45 and used the rcp.exe command to copy RA Server and Serv-U FTP server to the local hard drive.  In this case, the FTP server uses ports TCP 965 and 966.  They may use other ports at other campuses.
>
>The exploit sequence is fairly long (over 200kb) compared to other network attacks.  Only Windows servers running WINS without the MS04-045 patch would be vulnerable.  Patched servers will put an error in the event log about a very large, possibly corrupt message.
>
>Tim Gurganus, NCSU
>Industrial Engineering
>
>
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org
>http://www.dshield.org/mailman/listinfo/unisog
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20050103_tcp_dst_42_packets.png
Type: image/png
Size: 77220 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20050103/cb111a75/20050103_tcp_dst_42_packets-0002.png
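Added example, not part of the original post or the RENISAC monitoring tooling: a small correlation script that applies the indicators Tim describes (an inbound TCP/42 payload of over 200 kB, followed by the victim connecting out to 24.56.17.45 or to the TCP 965/966 FTP listener) to netflow-style records. The record layout, the sample flows, the 10-minute correlation window and the internal addresses are all constructed assumptions, not Abilene netflow data.

```python
"""Correlate netflow-style records to flag likely WINS (TCP/42) exploitation.

Added example, not from the original post. The record layout, sample
flows, 10-minute window and 10.x addresses are constructed assumptions.
Indicators come from the thread: an inbound TCP/42 flow of over 200 kB,
then a connect-back from the same host to 24.56.17.45 or to TCP 965/966.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINS_PORT = 42
EXPLOIT_MIN_BYTES = 200 * 1024              # exploit sequence is "over 200kb"
CONNECT_BACK_HOST = "24.56.17.45"           # host named in the post
FTP_PORTS = {965, 966}                      # may differ at other campuses
CORRELATION_WINDOW = timedelta(minutes=10)  # assumption, tune to taste

# Constructed sample flows: (timestamp, src, sport, dst, dport, bytes)
SAMPLE_FLOWS = [
    ("2005-01-02 23:10:05", "10.9.8.7",  3391, "10.1.1.20",   42,  214_000),  # large payload to WINS
    ("2005-01-02 23:10:40", "10.1.1.20", 1045, "24.56.17.45", 966,   4_100),  # victim connects out
    ("2005-01-02 23:11:02", "10.1.1.20", 1046, "24.56.17.45", 965, 1_900_000),  # tools pulled down
    ("2005-01-02 23:30:00", "10.9.8.7",  3402, "10.1.1.21",   42,  214_000),  # patched host, no callback
    ("2005-01-03 00:05:00", "10.1.1.30", 2001, "10.1.1.20",   42,    1_200),  # ordinary WINS replication
    ("2005-01-03 00:06:00", "10.1.1.20", 1050, "10.1.1.31",  445,    9_000),  # unrelated SMB traffic
]


def parse_flow(rec):
    """Turn one constructed tuple into a dict with a real timestamp."""
    ts, src, sport, dst, dport, nbytes = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "sport": sport, "dst": dst, "dport": dport, "bytes": nbytes}


def is_exploit_candidate(flow):
    """Inbound TCP/42 flow large enough to carry the exploit sequence."""
    return flow["dport"] == WINS_PORT and flow["bytes"] >= EXPLOIT_MIN_BYTES


def is_connect_back(flow):
    """Outbound flow to the named host or to the FTP ports from the post."""
    return flow["dst"] == CONNECT_BACK_HOST or flow["dport"] in FTP_PORTS


def analyze(records):
    """Return exploit attempts, hosts likely compromised, and lone callbacks.

    A host is 'likely compromised' when it received a large TCP/42 flow and
    then, within CORRELATION_WINDOW, initiated a connect-back flow itself.
    """
    flows = sorted((parse_flow(r) for r in records), key=lambda f: f["ts"])
    recent_hits = defaultdict(list)      # victim -> [(ts, attacker), ...]
    attempts, compromised, lone_callbacks = [], set(), []
    for f in flows:
        if is_exploit_candidate(f):
            recent_hits[f["dst"]].append((f["ts"], f["src"]))
            attempts.append((f["src"], f["dst"]))
        if is_connect_back(f):
            window = [a for t, a in recent_hits.get(f["src"], [])
                      if f["ts"] - t <= CORRELATION_WINDOW]
            if window:
                compromised.add(f["src"])
            else:
                lone_callbacks.append((f["src"], f["dst"], f["dport"]))
    return {"attempts": attempts, "compromised": compromised,
            "lone_callbacks": lone_callbacks}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for attacker, victim in result["attempts"]:
        print(f"large TCP/42 payload: {attacker} -> {victim}")
    for host in sorted(result["compromised"]):
        print(f"likely compromised (exploit + connect-back): {host}")
    for src, dst, port in result["lone_callbacks"]:
        print(f"connect-back indicator without preceding exploit: {src} -> {dst}:{port}")
```

The size threshold alone is noisy (a burst of legitimate WINS replication can be large), so the script only escalates to "likely compromised" when the same host also initiates a callback shortly afterwards; the patched host in the sample is reported as an attempt but never as a compromise. Since the FTP ports may differ elsewhere, a real deployment should treat the outbound destination as the stronger indicator and the port set as local tuning.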

