|
The Challenge:
-
Can you name the FTP scanning tool?
-
What does this FTP exploit achieve? Does it open a port, create a
shell, add a user account?
-
Is the FTP attack successful?
-
What RPC service is exploited?
-
Where in the exploit code below does he bind a shell to port 39168?
-
What two accounts are created, and what are the UID's?
Bonus Question: What is the password of the first account created?
The Results:
On 17 January, Daniel Martin released
an excellent writeup
on the Ramen worm, which bears a remarkable resemblance to this attack.
Writeups from the Honeynet Project members
Snort signatures, developed by Max Vision, that will detect these scans and
attacks:
alert TCP $EXTERNAL 10101 -> $INTERNAL any (msg: "IDS439/probe-myscan"; ttl: >220; ack: 0; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS440/ftp-wuftp260-linux-venglin-parbobek"; flags: AP; content: "|2e2e3131|venglin@";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc-statdx-exploit"; flags: AP; content: "/bin|c74604|/sh";)
Writeups from the Security Community
|
