[Dshield] shellcode detect on port 135

Mike Blomgren mike.blomgren at secode.com
Thu Aug 21 15:11:37 GMT 2003

No offense intended. 'Cry Wolf' was maybe a bit harsh wording from my
point... Using NOPs as 'Shellcode detection' is just a very common
source of false positives.

Judging by the packet trace in the previous e-mails, there is an attempt
to access a file on an administrative share:
C$\123456111111111111111.doc, represented in unicode.

And searching for the string '123456111111111111111' on Google turns

... shellcode!

"LSD's Buffer Overrun in Windows RPC Interface". Sounds like a problem
heard before...


My bad...
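As an added illustration of the two points raised in this reply (not code from the thread or its author), a small Python triage helper: a naive NOP-run heuristic that fires on constructed benign padding, alongside a UTF-16LE string extractor that pulls an admin-share path like the one in the trace out of a constructed packet payload.

```python
import re

# Constructed sample payloads (not the actual trace from the thread).
# A benign blob: a run of 0x90 padding bytes, as found in many binary
# file formats and compressed streams, which a NOP-run detector flags.
BENIGN_PADDED = b"RIFF" + b"\x00" * 8 + b"\x90" * 40 + b"data"

# A packet-like payload carrying an admin-share path encoded as UTF-16LE,
# modelled on the unicode share path mentioned in the thread.
SHARE_PATH = "C$\\123456111111111111111.doc"
SUSPECT_PAYLOAD = b"\x05\x00\x0b\x03" + SHARE_PATH.encode("utf-16-le") + b"\x00\x00"

NOP_RUN = re.compile(rb"\x90{16,}")  # naive heuristic: 16+ consecutive NOPs


def has_nop_sled(payload: bytes) -> bool:
    """Naive 'shellcode' heuristic: flag any long run of x86 NOP bytes."""
    return NOP_RUN.search(payload) is not None


def utf16le_strings(payload: bytes, min_len: int = 6) -> list:
    """Extract printable UTF-16LE strings (ASCII char followed by NUL)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(payload)]


def triage(payload: bytes) -> dict:
    """Combine both checks so a NOP run alone does not decide the verdict."""
    strings = utf16le_strings(payload)
    admin_share = [s for s in strings if re.match(r"[A-Za-z]\$\\", s)]
    return {
        "nop_sled": has_nop_sled(payload),
        "utf16_strings": strings,
        "admin_share_paths": admin_share,
    }


if __name__ == "__main__":
    for name, p in [("benign", BENIGN_PADDED), ("suspect", SUSPECT_PAYLOAD)]:
        print(name, triage(p))
```

The benign blob trips the NOP heuristic with no supporting context, while the suspect payload yields the decoded share path without any NOP run at all.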


