Scan of the Month

Scan 10

The scan for December 2000. This month's challenge was to decode two exploits launched against the same honeypot in the same morning.

The Challenge:

  1. Can you name the FTP scanning tool?
  2. What does this FTP exploit achieve?  Does it open a port, create a shell, add a user account?
  3. Is the FTP attack successful?
  4. What RPC service is exploited?
  5. Where in the exploit code below does he bind a shell to port 39168?
  6. What two accounts are created, and what are their UIDs?

Bonus Question: What is the password of the first account created?

The Results:

On 17 January, Daniel Martin released an excellent writeup on the Ramen worm, which bears a remarkable resemblance to this attack.

Writeups from the Honeynet Project members

Snort signatures, developed by Max Vision, that will detect these scans and attacks:

alert TCP $EXTERNAL 10101 -> $INTERNAL any (msg: "IDS439/probe-myscan"; ttl: >220; ack: 0; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS440/ftp-wuftp260-linux-venglin-parbobek"; flags: AP; content: "|2e2e3131|venglin@";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc-statdx-exploit"; flags: AP; content: "/bin|c74604|/sh";)
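As an added example (not part of this page or of Max Vision's ruleset), the three rules above transcribed into data and matched against constructed packets, to show what each field actually tests, in particular Snort's content syntax, which mixes literal text with |hex| byte runs in one string. The packet field names and sample payloads are assumptions made up for the example.

```python
import re

# Snort content strings such as "/bin|c74604|/sh" mix literal text with runs
# of hex bytes between pipes; this regex picks out each |hex| run.
HEX_RUN = re.compile(r"\|([0-9a-fA-F\s]*)\|")

def snort_content_to_bytes(content):
    """Convert a Snort content string to the raw bytes it matches."""
    out, pos = bytearray(), 0
    for m in HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")   # literal text
        out += bytes.fromhex(m.group(1).replace(" ", ""))  # |hex| run
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)

# Hand-transcribed from the three rules on the page (constructed dicts, not
# Snort's parser). A missing key means "any"; 'flags' is an exact flag match.
RULES = [
    {"msg": "IDS439/probe-myscan", "src_port": 10101, "ttl_gt": 220, "ack": 0, "flags": "S"},
    {"msg": "IDS440/ftp-wuftp260-linux-venglin-parbobek", "dst_port": 21, "flags": "AP",
     "content": "|2e2e3131|venglin@"},
    {"msg": "IDS442/rpc-statdx-exploit", "flags": "AP", "content": "/bin|c74604|/sh"},
]

def match_rules(pkt):
    """Return the msg of every rule that fires on one decoded TCP packet."""
    hits = []
    for r in RULES:
        ok = (pkt["src_port"] == r.get("src_port", pkt["src_port"])
              and pkt["dst_port"] == r.get("dst_port", pkt["dst_port"])
              and pkt["flags"] == r.get("flags", pkt["flags"])
              and pkt["ttl"] > r.get("ttl_gt", -1)
              and pkt["ack"] == r.get("ack", pkt["ack"])
              and snort_content_to_bytes(r.get("content", "")) in pkt["payload"])
        if ok:
            hits.append(r["msg"])
    return hits

SAMPLES = [  # constructed packets, not captured traffic; hex 2e2e3131 is the text "..11"
    dict(src_port=10101, dst_port=80, flags="S", ttl=255, ack=0, payload=b""),
    dict(src_port=4321, dst_port=21, flags="AP", ttl=64, ack=1, payload=b"xx..11venglin@xx\r\n"),
    dict(src_port=4322, dst_port=111, flags="AP", ttl=64, ack=1, payload=b"AAAA/bin\xc7\x46\x04/sh\x00"),
    dict(src_port=4323, dst_port=21, flags="AP", ttl=64, ack=1, payload=b"USER anonymous\r\n"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["dst_port"], match_rules(p))
```

Note that the IDS439 rule carries no content at all: it keys only on the fixed source port 10101, a SYN with an acknowledgment number of zero and a TTL above 220, which is why a probe sent from any other source port passes it unnoticed.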

Writeups from the Security Community
