[unisog] WINS exploit attack

Tim Gurganus tsgurgan at eos.ncsu.edu
Mon Jan 3 08:37:24 GMT 2005

Since the WINS exploit went public Friday, I've been monitoring TCP port 42 traffic for shellcode. 
I got my first hit Sunday night from a machine inside our campus firewall.  The attacking machine 
was 0wned by DaG hackers that I know are active on the campuses of several US universities.  They 
used a connect-back shellcode.  Exploited victims connected out to and used the rcp.exe 
command to copy RA Server and Serv-U FTP server to the local hard drive.  In this case, the FTP 
server uses ports TCP 965 and 966.  They may use other ports at other campuses.

The exploit sequence is fairly long (over 200kb) compared to other network attacks.  Only Windows 
servers running WINS without the MS04-045 patch would be vulnerable.  Patched servers will put an 
error in the event log about a very large, possibly corrupt message.

Tim Gurganus, NCSU
Industrial Engineering
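
One way to triage flow records for the indicators reported in the message above (an added example, not part of the original post). The record layout, addresses and 10-minute correlation window are assumptions; TCP port 42, the 200 KB size (reading "200kb" as kilobytes) and ports 965/966 come from the post.

```python
from collections import namedtuple

# Constructed flow records: ts in seconds, documentation-range addresses.
Flow = namedtuple("Flow", "ts src dst dport bytes_to_dst")

WINS_PORT = 42             # WINS replication port named in the post
LARGE_BYTES = 200 * 1024   # post: exploit sequence is "over 200kb"
FTP_PORTS = {965, 966}     # post: ports seen on this campus; may differ elsewhere
WINDOW = 600               # assumption: seconds to look for follow-on activity

SAMPLE_FLOWS = [  # constructed sample data, not real traffic
    Flow(100, "192.0.2.10", "198.51.100.5", 42, 1_200),     # ordinary WINS session
    Flow(200, "192.0.2.66", "198.51.100.7", 42, 230_000),   # oversized WINS session
    Flow(215, "198.51.100.7", "203.0.113.9", 514, 4_000),   # server connects out
    Flow(700, "203.0.113.20", "198.51.100.7", 965, 50_000), # traffic to odd FTP port
    Flow(300, "192.0.2.66", "198.51.100.8", 42, 240_000),   # oversized, no follow-on
]

def triage(flows):
    """Return {wins_server: set(reasons)} for servers that received an
    oversized session on TCP 42, with any follow-on activity in WINDOW."""
    flows = sorted(flows, key=lambda f: f.ts)
    findings = {}
    for f in flows:
        if f.dport != WINS_PORT or f.bytes_to_dst <= LARGE_BYTES:
            continue
        reasons = findings.setdefault(f.dst, set())
        reasons.add("oversized_wins_session")
        for g in flows:
            if not (f.ts < g.ts <= f.ts + WINDOW):
                continue
            # Outbound to port 42 is normal replication with partners; skip it.
            if g.src == f.dst and g.dport != WINS_PORT:
                reasons.add("outbound_after_wins")
            if g.dst == f.dst and g.dport in FTP_PORTS:
                reasons.add("ftp_port_traffic")
    return findings

if __name__ == "__main__":
    for server, reasons in sorted(triage(SAMPLE_FLOWS).items()):
        print(server, sorted(reasons))
```

A server flagged only for `oversized_wins_session` may be a patched host that rejected the message; the event-log error mentioned in the post is the place to confirm that.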
