[Dshield] shellcode detect on port 135

Mike Blomgren mike.blomgren at secode.com
Thu Aug 21 15:11:37 GMT 2003


No offense intended. 'Cry Wolf' was maybe a bit harsh wording from my
point... Using NOOPs as 'Shellcode detection' is just a very common
source of false positives.

Judging by the packet trace in the previous e-mails, there is an attempt
to access a file on an administrative share:
C$\123456111111111111111.doc, represented in unicode.

And searching for the string '123456111111111111111' on Google turns
up...

... shellcode!

"LSD's Buffer Overrun in Windows RPC Interface". Sounds like a problem
heard before...

http://www.securityfocus.com/archive/1/330466/2003-07-23/2003-07-29/0

My bad...

~Mike
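The contrast the post draws, as an added example that is not part of the original message: a generic NOP-run heuristic fires on any long run of 0x90 bytes, while matching the UTF-16LE-encoded admin-share path quoted above is specific to the request described. The sample payloads are constructed for the demonstration; the DCERPC header bytes and the padding buffer are not captured traffic.

```python
"""Compare a NOP-sled heuristic with a specific marker match on sample payloads."""
import re

# The path quoted in the post, encoded as it travels in the request ("unicode", UTF-16LE).
MARKER = "C$\\123456111111111111111.doc"
MARKER_UTF16 = MARKER.encode("utf-16-le")


def has_nop_sled(payload: bytes, min_run: int = 16) -> bool:
    """Generic heuristic: a run of at least min_run 0x90 bytes.

    Cheap to evaluate, but any opaque data that happens to contain a
    long run of 0x90 trips it, which is the false-positive problem."""
    return re.search(rb"\x90{%d,}" % min_run, payload) is not None


def has_rpc_marker(payload: bytes) -> bool:
    """Specific check: the UTF-16LE admin-share path from the packet trace."""
    return MARKER_UTF16 in payload


def classify(payload: bytes) -> str:
    """Rank the specific marker above the generic heuristic."""
    if has_rpc_marker(payload):
        return "rpc-overrun-marker"
    if has_nop_sled(payload):
        return "nop-sled-only"
    return "clean"


# Constructed samples (not real captures). The first two bytes mimic a
# DCERPC version 5.0 header; the rest is filler around the marker.
SAMPLES = {
    "suspect": b"\x05\x00" + b"\x90" * 32 + MARKER_UTF16 + b"\x00\x00",
    "opaque_padding": b"\x05\x00" + b"\x90" * 64 + b"benign data",
    "clean": b"\x05\x00" + b"\x00" * 8 + b"ordinary request body",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15s} nop_sled={has_nop_sled(payload)!s:5s} "
              f"marker={has_rpc_marker(payload)!s:5s} -> {classify(payload)}")
```

Running it shows the padding sample flagged by the NOP rule alone, while only the sample carrying the quoted path is classified as the RPC overrun request.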