[unisog] WINS exploit attack
tsgurgan at eos.ncsu.edu
Mon Jan 3 08:37:24 GMT 2005
Since the WINS exploit went public Friday, I've been monitoring TCP port 42 traffic for shellcode.
I got my first hit Sunday night from a machine inside our campus firewall. The attacking machine
was 0wned by DaG hackers that I know are active on the campuses of several US universities. They
used a connect-back shellcode. Exploited victims connected out to 184.108.40.206 and used the rcp.exe
command to copy RA Server and Serv-U FTP server to the local hard drive. In this case, the FTP
server uses TCP ports 965 and 966. They may use other ports at other campuses.
The exploit sequence is fairly long (over 200 KB) compared to other network attacks. Only Windows
servers running WINS without the MS04-045 patch would be vulnerable. Patched servers will put an
error in the event log about a very large, possibly corrupt message.
Tim Gurganus, NCSU
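The monitoring described in this post (watching TCP port 42 for shellcode, then watching the victim for an outbound connect-back) can be expressed as a small flow-level heuristic. The block below is an added example, not code from the original post or from NCSU; the Flow records, the internal address prefix 10.0., the 200 KB size threshold and the 64-byte NOP-sled rule are all assumptions constructed for illustration, and the sample traffic is made up.

```python
"""Heuristic detector for the TCP/42 (WINS) exploit pattern described in the post.

Two signals, both taken from the post's description:
  1. an inbound message to TCP/42 that is unusually large (the exploit sequence
     was over 200 KB) or contains an obvious NOP sled;
  2. shortly afterwards, the same host opening an outbound connection to an
     external address (the connect-back shellcode fetching its payload).
All thresholds and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

WINS_PORT = 42
LARGE_MSG_BYTES = 200 * 1024   # assumption: flag anything over ~200 KB to port 42
NOP_SLED_MIN = 64              # assumption: 64+ consecutive 0x90 bytes counts as a sled
CONNECT_BACK_WINDOW = 60.0     # assumption: outbound within 60 s of the hit is suspect

Alert = Tuple[str, str, str, str]


@dataclass
class Flow:
    """One observed TCP connection summary (constructed record format)."""
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    nbytes: int        # client-to-server bytes
    payload: bytes = b""   # first bytes of the client data, if captured


def looks_like_shellcode(payload: bytes) -> bool:
    """Crude check: a long run of x86 NOPs (0x90) in the client data."""
    return b"\x90" * NOP_SLED_MIN in payload


def is_internal(ip: str, internal_prefixes: Sequence[str]) -> bool:
    return any(ip.startswith(p) for p in internal_prefixes)


def detect(flows: Sequence[Flow], internal_prefixes: Sequence[str]) -> List[Alert]:
    """Return alerts for exploit attempts on TCP/42 and follow-on connect-backs."""
    alerts: List[Alert] = []
    suspected: Dict[str, float] = {}   # victim ip -> time of the inbound hit
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport == WINS_PORT:
            reasons = []
            if f.nbytes > LARGE_MSG_BYTES:
                reasons.append("large-message")
            if looks_like_shellcode(f.payload):
                reasons.append("nop-sled")
            if reasons:
                alerts.append(("wins-exploit-attempt", f.src, f.dst, ",".join(reasons)))
                suspected[f.dst] = f.ts
            continue
        # Any outbound connection from a freshly hit host to an external
        # address is reported as a probable connect-back.
        hit_ts = suspected.get(f.src)
        if (hit_ts is not None
                and f.ts - hit_ts <= CONNECT_BACK_WINDOW
                and not is_internal(f.dst, internal_prefixes)):
            alerts.append(("connect-back", f.src, f.dst, str(f.dport)))
    return alerts


# Constructed sample traffic (not real capture data).
SAMPLE_FLOWS = [
    # attacker -> WINS server: oversized message with a NOP sled
    Flow(0.0, "10.0.5.20", "10.0.7.8", 42, 210_000,
         b"\x00" * 16 + b"\x90" * 200 + b"\xcc" * 32),
    # victim doing an ordinary internal DNS lookup: not an alert
    Flow(1.5, "10.0.7.8", "10.0.1.1", 53, 80),
    # victim connecting out to an external host on an odd port: connect-back
    Flow(3.0, "10.0.7.8", "203.0.113.9", 965, 512),
    # another peer sending a small, ordinary-sized message to port 42: not an alert
    Flow(4.0, "10.0.9.3", "10.0.7.8", 42, 96, b"\x00" * 96),
]


def run_sample() -> List[Alert]:
    return detect(SAMPLE_FLOWS, ("10.0.",))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The size check alone already catches the case the post describes, since legitimate WINS replication traffic is nowhere near 200 KB per message; the NOP-sled check is only a second opinion, and a patched server's "very large, possibly corrupt message" event-log entry is the host-side equivalent of the same signal.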