Snort mailing list archives
Re: RPC statdx exploit against DNS...
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 25 Mar 2002 16:04:53 -0500
Looking at the rule, it will go off for any UDP or TCP packet containing a particularly odd "/bin/sh" type string.
Thus this is likely a "mislabeling" of an attack on bind (since statdx can be on any port, this is a content-only rule).
rpc.rules:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:1;)
There's also a TCP version:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flags: A+; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:1;)
I can see no reason for a TCP or UDP packet sent to a DNS server to contain that string other than an attempted exploit.
At 12:08 PM 3/25/2002 -0700, Nels Lindquist wrote:
Hi there. Every once in a while (between one and five times/month) I get a snort alert on "RPC EXPLOIT statdx," directed to UDP port 53 on my nameserver. Many of these attacks appear to originate from Asia, but I suppose a single UDP packet is quite spoofable, so there are no guarantees. My nameserver isn't running any RPC services, and bind is fully patched, AFAIK. I haven't been able to find any references which would lead me to believe that named is vulnerable to the RPC statdx exploit, so I'm awfully curious as to why anyone would be trying to launch this exploit against my nameserver. Is this alert actually a misidentification of an attack against bind? Or are the script kiddies just getting overzealous and trying every known exploit against the only open ports on the box? Any ideas?
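The point of the reply above is that both rules are pure content matches with "any" as the destination port, so the signature fires on whatever port the bytes happen to appear on, port 53 included. The following is an added example, not code from either poster or from the Snort project: a small Python model of how Snort turns a mixed text/hex content string such as "/bin|c74604|/sh" into the raw bytes it searches for, and a minimal rule evaluation that shows why a DNS query does not fire while any payload carrying those bytes does, regardless of port. The function names, the sample DNS query and the sample payload carrying the signature bytes are all constructed here for illustration.

```python
import re

# Content pattern from the two rules quoted in the thread (sid 1282 / sid 600).
STATDX_CONTENT = "/bin|c74604|/sh"


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort 'content:' pattern to the raw bytes the engine searches for.

    Snort content strings mix literal text with hex sections delimited by pipes,
    e.g. "/bin|c7 46 04|/sh". Text outside the pipes is taken literally; inside
    the pipes, hex digits (whitespace optional) become bytes.
    """
    out = bytearray()
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content string: {content!r}")
    for i, part in enumerate(parts):
        if i % 2 == 0:
            # literal text section
            out += part.encode("latin-1")
        else:
            # hex section: strip optional whitespace, require whole bytes
            hexdigits = re.sub(r"\s+", "", part)
            if len(hexdigits) % 2:
                raise ValueError(f"odd-length hex section: {part!r}")
            out += bytes.fromhex(hexdigits)
    return bytes(out)


def payload_matches(payload: bytes, content: str) -> bool:
    """Content-only check: does the decoded pattern occur anywhere in the payload?"""
    return snort_content_to_bytes(content) in payload


def rule_fires(proto: str, dst_port: int, payload: bytes,
               rule_proto: str = "udp", rule_port: str = "any",
               content: str = STATDX_CONTENT) -> bool:
    """Simplified evaluation of a rule header plus a single content option.

    Mirrors the quoted rules: protocol must match, the destination port is
    "any" (so it never restricts the match), and the decision rests on the
    content search alone. Direction and $HOME_NET/$EXTERNAL_NET are assumed
    to have already been satisfied.
    """
    if proto != rule_proto:
        return False
    if rule_port != "any" and dst_port != int(rule_port):
        return False
    return payload_matches(payload, content)


# Constructed sample: an ordinary DNS A query for example.com (12-byte header,
# QNAME, QTYPE=A, QCLASS=IN). Contains nothing resembling the signature.
DNS_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"\x07example\x03com\x00"
    + b"\x00\x01\x00\x01"
)

# Constructed sample: filler with the rule's signature bytes embedded. This is
# only the signature itself surrounded by padding, used to show the match.
SIGNATURE_PAYLOAD = b"A" * 16 + snort_content_to_bytes(STATDX_CONTENT) + b"B" * 8


if __name__ == "__main__":
    print("pattern bytes:", snort_content_to_bytes(STATDX_CONTENT))
    for label, pkt in (("dns query", DNS_QUERY), ("signature payload", SIGNATURE_PAYLOAD)):
        print(f"udp/53 {label:17s} fires={rule_fires('udp', 53, pkt)}")
```

Run stand-alone, the script shows the decoded pattern b'/bin\xc7F\x04/sh' and that the UDP rule fires on the padded signature payload sent to port 53 but not on the DNS query. Because the rule header says "any" for the destination port, the port check in rule_fires never contributes to the decision; only the byte search does, which is exactly why a hit on a nameserver tells you the bytes were present, not that rpc.statd was the target.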