[unisog] FWD: [SECURITY] bugbear variant

Douglas Brown dugbrown at email.unc.edu
Fri Jun 6 17:12:10 GMT 2003


We're just using -d -sT to 1080 as below. We've found that what amap
returns is a little different for each system; the common thing that we
look for is the "sn:(number)" towards the end of each ASCII dump.

# amap -d -sT  1080
Total amount of tasks to perform: 15
Amap v1.2.1b started at Fri Jun  6 12:59:23 2003, stand back and keep the children away.

I received an unrecognized response from ip.ip.ip.ip tcp port 1080. 
Please send us this and the application name + version to amap-defs at tink.org
Response received from ip.ip.ip.ip port 1080 tcp (length 308 bytes):
0000:   5d15 3e10 ef27 df82 da69 aa54 86c0 1e33
0010:   e703 301d 9cb0 49e0 fc65 4a7a cbaf 9c02
0020:   65c5 a783 af86 c3de 3556 19bf ab20 7603
0030:   c809 41cd 866f 05ff 1913 e384 5f94 cd7b
0040:   dddd 8645 929f 3fc1 134e 9e32 46c5 d0a0
0050:   1f54 bc21 4644 f106 82b7 3ee0 2797 7486
0060:   5e68 56c4 1751 b89b f062 c21c 9af3 6643
0070:   6876 01c7 7fe5 e6a0 1307 c3bd 11c1 5ebd
0080:   e737 4771 ed9a 1005 8ff2 e642 5704 10c8
0090:   4cbc 9f1c 0e8d fd7d a9b8 9ed8 c30f 5116
00a0:   9d45 3f0c 8572 e0c5 edef b239 92d0 ef2d
00b0:   dfe5 309e 5396 7105 2dca 853c aad3 ccbe
00c0:   85bf 6f87 411a 23e9 6807 ad4c a24c aa98
00d0:   4d1a 320a 67f5 0e70 f5bd 91e1 7f44 6d31
00e0:   58e4 7673 5c8d 50c2 35c2 fc16 2b56 c77c
00f0:   60f1 b9ef 47f0 697d d297 70d5 7ad2 1944
0100:   b0d4 e939 470e 20b5 dbc8 517b 0633 895a
0110:   ed97 f110 eb76 91de 248b 6523 2098 e923
0120:   ef70 392c 515e ffe4 736e 3a31 3331 3230
0130:   3338 3437
ASCII:  "]>'iT30IeJze5V v\tAo_E?N2FT!FD>'t^hVQbfChv^7GqBWLQE?r9-0Sq-<oA#hLLM2\ngpDm1Xvs\P5+V`GipzD9G Q3Zv$e# #p9,Q^sn:131203847"
Unidentified ports: 1080:tcp (total 1).
Amap v1.2.1b ended at Fri Jun  6 13:00:01 2003

Richard Gadsden wrote:
> On Thu, 5 Jun 2003, Douglas Brown wrote:
> 
> 
>>We've been running Nmap scan for systems with 1080 open, once we got a 
>>list of systems we ran Amap against 1080 on the systems and the infected 
>>ones returned garbage - similar to the following:
>>
>>ASCII: 
>>"+RW"\rx/kDV:d3x\r2Z;)EvbM\r\t3Rk&0XU9\ta!KY7\dH;\nM%3ojTl/\K_'[1k-gF0jzK7&yt)19&*a'N1ys&7yfEQ_MQ[DLXnHaF82E'rLp:jTf^ZGC4O%wsn:71556967"
>>
>>we've found this was this quickest way to find all the bad guys -
>>
>>Hope this helps,
>>-Doug
> 
> 
> Hey Doug,
> 
> Which amap trigger(s) have you found that bugbear.b responds to?
> 
> Thanks,
> Richard
>  --- o ---
>  Richard Gadsden
>  Director of Computer and Network Security
>  Medical University of South Carolina
> 

-- 
Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Abernethy 105
"what can Brown do for you?"
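The post above describes the triage step by hand: run amap against port 1080 on hosts that Nmap found listening, then eyeball the ASCII dump for an "sn:(number)" marker near the end. The following Python script is an added example, not code from the post or from the amap project. It parses amap's "offset: hhhh hhhh ..." hex dump format back into raw bytes (so the check runs on the actual bytes rather than amap's lossy ASCII rendering), verifies the dump is contiguous, and then looks for the marker in a trailing window. The hex dump embedded below is the one quoted in the post; the 32-byte tail window and the second short sample are constructed assumptions for illustration.

```python
import re

# Constructed input: the amap hex dump quoted in the post above, copied verbatim.
AMAP_DUMP = """\
0000:   5d15 3e10 ef27 df82 da69 aa54 86c0 1e33
0010:   e703 301d 9cb0 49e0 fc65 4a7a cbaf 9c02
0020:   65c5 a783 af86 c3de 3556 19bf ab20 7603
0030:   c809 41cd 866f 05ff 1913 e384 5f94 cd7b
0040:   dddd 8645 929f 3fc1 134e 9e32 46c5 d0a0
0050:   1f54 bc21 4644 f106 82b7 3ee0 2797 7486
0060:   5e68 56c4 1751 b89b f062 c21c 9af3 6643
0070:   6876 01c7 7fe5 e6a0 1307 c3bd 11c1 5ebd
0080:   e737 4771 ed9a 1005 8ff2 e642 5704 10c8
0090:   4cbc 9f1c 0e8d fd7d a9b8 9ed8 c30f 5116
00a0:   9d45 3f0c 8572 e0c5 edef b239 92d0 ef2d
00b0:   dfe5 309e 5396 7105 2dca 853c aad3 ccbe
00c0:   85bf 6f87 411a 23e9 6807 ad4c a24c aa98
00d0:   4d1a 320a 67f5 0e70 f5bd 91e1 7f44 6d31
00e0:   58e4 7673 5c8d 50c2 35c2 fc16 2b56 c77c
00f0:   60f1 b9ef 47f0 697d d297 70d5 7ad2 1944
0100:   b0d4 e939 470e 20b5 dbc8 517b 0633 895a
0110:   ed97 f110 eb76 91de 248b 6523 2098 e923
0120:   ef70 392c 515e ffe4 736e 3a31 3331 3230
0130:   3338 3437
"""

# Constructed: just the tail of the ASCII dump quoted in the earlier message.
QUOTED_TAIL = b"jTf^ZGC4O%wsn:71556967"

# The marker the post says is common to every infected host's response:
# the literal "sn:" followed by a run of decimal digits.
SN_MARKER = re.compile(rb"sn:(\d+)")


def parse_amap_hexdump(dump: str) -> bytes:
    """Turn amap's 'offset:   hhhh hhhh ...' lines back into the raw response bytes.

    Each line starts with a hex offset; we check that offsets are contiguous so a
    line lost to mail wrapping is reported instead of silently producing a
    shorter buffer.
    """
    out = bytearray()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        offset_str, sep, groups = line.partition(":")
        if not sep:
            raise ValueError(f"not a hex dump line: {raw!r}")
        offset = int(offset_str, 16)
        if offset != len(out):
            raise ValueError(f"gap in dump: expected offset {len(out):#06x}, got {offset:#06x}")
        out += bytes.fromhex(groups.replace(" ", ""))
    return bytes(out)


def find_sn_marker(response: bytes, tail: int = 32):
    """Return the digits after 'sn:' if the marker sits in the last `tail` bytes, else None.

    The window is an assumption: the post only says the marker appears
    "towards the end" of the dump, so we do not search the whole response.
    """
    match = SN_MARKER.search(response[-tail:])
    return match.group(1).decode("ascii") if match else None


def classify_dump(dump: str) -> dict:
    """Parse one amap dump and report whether it carries the marker the post describes."""
    data = parse_amap_hexdump(dump)
    sn = find_sn_marker(data)
    return {"length": len(data), "sn": sn, "suspect": sn is not None}


if __name__ == "__main__":
    print(classify_dump(AMAP_DUMP))          # length 308, sn 131203847
    print(find_sn_marker(QUOTED_TAIL))       # 71556967
    print(find_sn_marker(b"SSH-1.99-OpenSSH_3.4p1\r\n"))  # None: a normal banner
```

On the dump from the post this recovers the full 308 bytes amap reported and extracts sn:131203847, so a host-by-host scan log can be reduced to a list of "suspect" entries for follow-up. A response that merely happens to contain "sn:" somewhere in the middle is not flagged, which is why the check is limited to the trailing window.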