RE: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser

From: Shashank Rai (shash_at_etisalat-nis.ae)
Date: 05/05/04

Next message: Janek Vind: "[Full-Disclosure] [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]"

Previous message: OpenPKG: "[Full-Disclosure] [OpenPKG-SA-2004.019] OpenPKG Security Advisory (kolab)"
Maybe in reply to: RandallM: "[Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <full-disclosure@lists.netsys.com>
Date: Wed, 5 May 2004 21:00:32 +0400

The number can vary from 1 to 32767. Furthermore, the way sasser ftp is implememented it really doesn't care what file name you provide as argument
to the GET request. It just sends you a copy of the virus. Am sure the manual u r referring to read, mentions all this ;)
The number in my script was an illustration. And may be the manual also mentioned that though you may get TCP SYN packets on port 445 you will not necessarily get the virus. Sasser first tries to determine the remote host OS type. If it windows 2000 or XP then only it attempts infection selecting the return address for the overflow. So starting a netcat listener on port 445 is not going to guaranty a copy of sasser.

But i'm sure THE MANUAL has it all ;)

cheers,
shashank

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com on behalf of Thomas Springer
Sent: Wed 05-May-04 16:12
To: full-disclosure@lists.netsys.com
Cc:
Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser
RTFM - the 4digit-number mentioned is random. maybe it'll help to
expand your script to try 9999 combinations or scan 10.000 infected
hosts. It shouldn't be much of a problem to find them - we still
experience >50 different sasser-ips per second hammering our firewall.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Janek Vind: "[Full-Disclosure] [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]"

Previous message: OpenPKG: "[Full-Disclosure] [OpenPKG-SA-2004.019] OpenPKG Security Advisory (kolab)"
Maybe in reply to: RandallM: "[Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Fw: [Full-Disclosure] Sasser author
... most of them running MS OSs). ... I have been aware of MSS bulletins ... > Sasser did nothing to my offices' network. ... Full-Disclosure - We believe in it. ...
(Full-Disclosure)
XP menus
... My computer had a virus, Sasser, But I believe is taken care of. ... whenever a menu comes up it disappears in about 4 seconds. ... No chance to read ...
(microsoft.public.windowsxp.help_and_support)