[unisog] WINS exploit attack
dodpears at indiana.edu
Mon Jan 3 13:56:29 GMT 2005
Confirming a significant increase in TCP/42 activity. A graph developed from aggregate Internet2 Abilene netflow is attached. The graph and other ports can be viewed at http://ren-isac.net/monitoring.cgi.
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac at iu.edu
At 03:37 AM 1/3/2005 -0500, Tim Gurganus wrote:
>Since the WINS exploit went public Friday, I've been monitoring TCP port 42 traffic for shellcode. I got my first hit Sunday night from a machine inside our campus firewall. The attacking machine was 0wned by DaG hackers that I know are active on the campuses of several US universities. They used a connect-back shellcode. Exploited victims connected out to 220.127.116.11 and used the rcp.exe command to copy RA Server and Serv-U FTP server to the local hard drive. In this case, the FTP server uses ports TCP 965 and 966. They may use other ports at other campuses.
>The exploit sequence is fairly long (over 200 KB) compared to other network attacks. Only Windows servers running WINS without the MS04-045 patch would be vulnerable. Patched servers will put an error in the event log about a very large, possibly corrupt message.
>Tim Gurganus, NCSU
Attachment: 20050103_tcp_dst_42_packets-0002.png (77220 bytes), http://www.dshield.org/pipermail/unisog/attachments/20050103/cb111a75/20050103_tcp_dst_42_packets-0002.png
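As an added example (not code from either poster, and not REN-ISAC tooling), the following Python script turns the indicators described in this thread into a first-pass flow triage: inbound TCP/42 flows that are large enough to carry the >200 KB exploit sequence, and outbound flows to the connect-back host and the Serv-U ports Tim reported. The flow record format, the internal 10.10.x.x addresses and the byte counts in SAMPLE_FLOWS are constructed for the example; the 200 KB threshold is taken from the post, and the callback host and ports 965/966 are site-specific per the post, so treat them as tunables rather than a general signature.

```python
"""Triage NetFlow-style records for the TCP/42 WINS-exploit pattern discussed
in the thread: large inbound TCP/42 transfers (the MS04-045 exploit sequence
is over 200 KB) followed by the victim calling out to the attacker's host and
the Serv-U FTP ports reported at NCSU (965/966).

Flow format below is a constructed, simplified export (assumption for this
example): 'ts proto src:sport dst:dport bytes'. Adapt parse_flow() to your
collector's output.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Indicators taken from the thread. Callback host and ports were observed at
# one campus and "may use other ports at other campuses", so keep them tunable.
WINS_PORT = 42
EXPLOIT_MIN_BYTES = 200 * 1024          # "over 200kb" exploit sequence
CALLBACK_HOST = "220.127.116.11"        # connect-back destination from the post
CALLBACK_PORTS = {965, 966}             # Serv-U FTP ports seen at NCSU


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts proto src:sport dst:dport bytes' record (constructed format)."""
    ts, proto, src, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(ts, proto.upper(), sip, int(sport), dip, int(dport), int(nbytes))


def classify(flow: Flow) -> List[str]:
    """Return zero or more indicator tags for a single TCP flow."""
    tags: List[str] = []
    if flow.proto != "TCP":                 # WINS replication is TCP/42; ignore UDP noise
        return tags
    if flow.dport == WINS_PORT:
        tags.append("tcp42-probe")
        if flow.nbytes >= EXPLOIT_MIN_BYTES:  # big enough to carry the exploit sequence
            tags.append("tcp42-large-payload")
    if flow.dst == CALLBACK_HOST:
        tags.append("callback-host")
    if flow.dport in CALLBACK_PORTS:
        tags.append("servu-port")
    return tags


def scan(lines: Iterable[str]) -> List[Tuple[Flow, List[str]]]:
    """Parse every non-comment line and keep the flows that carry an indicator."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        tags = classify(flow)
        if tags:
            hits.append((flow, tags))
    return hits


def correlate(hits: List[Tuple[Flow, List[str]]]) -> Dict[str, Set[str]]:
    """Group indicators per internal host. TCP/42 hits key on the destination
    (the WINS server being hit); callback hits key on the source (the same
    server, now calling out after exploitation)."""
    per_host: Dict[str, Set[str]] = {}
    for flow, tags in hits:
        for tag in tags:
            host = flow.dst if tag.startswith("tcp42") else flow.src
            per_host.setdefault(host, set()).add(tag)
    return per_host


def likely_compromised(per_host: Dict[str, Set[str]]) -> List[str]:
    """Hosts that took a large TCP/42 payload AND then called out: the
    strongest signal available from flow data alone (no payload inspection)."""
    return sorted(h for h, t in per_host.items()
                  if "tcp42-large-payload" in t
                  and ("callback-host" in t or "servu-port" in t))


# Constructed sample records (not real campus data): one WINS server is probed,
# then receives a ~210 KB TCP/42 transfer, then calls out to the attacker.
SAMPLE_FLOWS = """
# ts                  proto src              dst                  bytes
2005-01-02T23:14:05 TCP   10.10.5.77:3391  10.10.20.9:42        1480
2005-01-02T23:14:07 TCP   10.10.5.77:3392  10.10.20.9:42        214883
2005-01-02T23:14:31 TCP   10.10.20.9:1044  220.127.116.11:4444  9120
2005-01-02T23:15:02 TCP   10.10.20.9:1045  220.127.116.11:965   61200
2005-01-02T23:15:40 UDP   10.10.20.9:137   10.10.20.255:137     78
2005-01-02T23:16:10 TCP   10.10.9.4:51822  10.10.20.9:80        5560
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_FLOWS.splitlines())
    for flow, tags in hits:
        print(f"{flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"{flow.nbytes}B  {','.join(tags)}")
    print("likely compromised:", likely_compromised(correlate(hits)))
```

The byte threshold alone will also fire on legitimate WINS replication pushes between busy servers, so the correlation step (large inbound TCP/42 followed by an outbound connection from the same host) is what makes a hit worth paging on; a patched server will additionally log the oversized, possibly corrupt message Tim mentions, which is the natural host-side confirmation.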