[Full-Disclosure] DCOM WORM - preface

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 08/16/03

    To: <full-disclosure@lists.netsys.com>, "0day" <0day@nothackers.org>
    Date: Fri, 15 Aug 2003 15:31:42 -0700

    Remnants of the msblaster "beta test"

     Note: I just opened up my router and got the following...

    --------- snip -------
    [01:39:14.744 - 15.08.2003]
    Proto: TCP len: 48 24.241.218.230:1619 -> 192.168.0.2:6667

    [01:39:14.774 - 15.08.2003]
    Proto: TCP len: 48 68.154.196.148:3296 -> 192.168.0.2:6667

    [01:39:14.794 - 15.08.2003]
    Proto: TCP len: 48 24.241.176.121:1263 -> 192.168.0.2:6667

    [01:39:14.794 - 15.08.2003]
    Proto: TCP len: 48 68.154.27.21:1960 -> 192.168.0.2:6667

    [01:39:14.904 - 15.08.2003]
    Proto: TCP len: 48 68.154.77.36:2347 -> 192.168.0.2:6667

    [01:39:14.994 - 15.08.2003]
    Proto: TCP len: 48 67.33.166.173:3774 -> 192.168.0.2:6667

    [01:39:15.015 - 15.08.2003]
    Proto: TCP len: 48 24.73.55.232:3748 -> 192.168.0.2:6667

    [01:39:15.045 - 15.08.2003]
    Proto: TCP len: 48 68.154.79.127:3240 -> 192.168.0.2:6667

    [01:39:15.055 - 15.08.2003]
    Proto: TCP len: 48 24.73.87.245:4222 -> 192.168.0.2:6667

    [01:39:15.055 - 15.08.2003]
    Proto: TCP len: 48 68.154.79.109:4726 -> 192.168.0.2:6667

    [01:39:15.125 - 15.08.2003]
    Proto: TCP len: 48 24.73.39.226:2108 -> 192.168.0.2:6667

    ------------ snip ---------

    Note the pattern in the subnets and that I have not run a server on port
    6667 in weeks; this suggests this agent ( proc32.exe = sdbot05b ) is still
    quite active and virulent. Samples of the log can be found at:
    http://exploitlabs.com/attacking.zip <--- log
    http://exploitlabs.com/proc32.zip <--- captured sdbot
    http://exploitlabs.com/attack/sdbot.txt <--- decompiled sdbot

    This infection of the attacking systems was complete and in place
    as of July 29, 2003, as recorded in this log preceding that first attack:
    http://exploitlabs.com/attack/morning_wood-fun.txt
    ( this was logged by one of the attackers themselves )

    My original paper can be found here:
    http://exploitlabs.com/attack/RPC-DCOM-DDoS-attack.txt ( July 31, 2003 )

    and is originally referenced in response to obvious downplay of the DCOM -
    RPC issue, here:
    http://nothackers.org/pipermail/0day/2003-July/000149.html

    Donnie Werner
    http://e2-labs.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
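The pattern the post points out (many unrelated hosts converging on an unserved port within a second) can be checked mechanically. The following is an added example, not part of the original post or of any tool it mentions: it parses the two-line router log format quoted above and reports, per unserved destination port, how many distinct sources and /16 prefixes hit it inside a short window. The threshold, window and served-port list are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime
# Two-line record format of the router log quoted in the post.
STAMP = re.compile(r"^\[(\d\d:\d\d:\d\d\.\d+) - (\d\d\.\d\d\.\d{4})\]$")
EVENT = re.compile(r"^Proto: (\w+) len: (\d+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_log(text):
    """Parse the log into dicts with ts, proto, src, sport, dst, dport."""
    events, ts = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := STAMP.match(line):
            ts = datetime.strptime(f"{m[2]} {m[1]}", "%d.%m.%Y %H:%M:%S.%f")
        elif (m := EVENT.match(line)) and ts is not None:
            events.append({"ts": ts, "proto": m[1], "src": m[3], "sport": int(m[4]),
                           "dst": m[5], "dport": int(m[6])})
    return events

def fan_in_report(events, served_ports=frozenset(), min_sources=3, window_s=60.0):
    """For each destination port this host does not serve, count distinct sources
    and /16 prefixes within window_s of the first hit; many hosts converging on
    an unserved port (here 6667/IRC) within seconds is the bot rendezvous pattern."""
    by_port = defaultdict(list)
    for e in events:
        if e["dport"] not in served_ports:
            by_port[e["dport"]].append(e)
    report = {}
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        t0 = evs[0]["ts"]
        hits = [e for e in evs if (e["ts"] - t0).total_seconds() <= window_s]
        sources = {e["src"] for e in hits}
        if len(sources) >= min_sources:
            report[port] = {"sources": len(sources),
                            "slash16s": sorted({".".join(s.split(".")[:2]) for s in sources})}
    return report
# Sample input: four records copied from the log in the post above.
SAMPLE = """\
[01:39:14.744 - 15.08.2003]
Proto: TCP len: 48 24.241.218.230:1619 -> 192.168.0.2:6667
[01:39:14.774 - 15.08.2003]
Proto: TCP len: 48 68.154.196.148:3296 -> 192.168.0.2:6667
[01:39:14.794 - 15.08.2003]
Proto: TCP len: 48 68.154.27.21:1960 -> 192.168.0.2:6667
[01:39:15.015 - 15.08.2003]
Proto: TCP len: 48 24.73.55.232:3748 -> 192.168.0.2:6667
"""

if __name__ == "__main__":
    print(fan_in_report(parse_log(SAMPLE), served_ports={22, 80}))
```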
