RE: snort: SHELLCODE x86 NOOP

From: Kevin_Butters@NAI.com
Date: 04/09/02


From: Kevin_Butters@NAI.com
To: loki@fatelabs.com, westphal@secom-consulting.de
Date: Mon, 8 Apr 2002 19:10:26 -0500 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have a question: What if the attacker were using the SHELLCODE
xNOOP in a UDP 53 packet? Would the user simply be trying to perform
a buffer overrun on a Domain server?

Also, how would an attacker initiate an attack using this exploit?
Would the attacker be using a trojan to launch the attack? If so, what
trojan?

Kevin Butters
Security Engineer
PGP Fingerprint
7AB4 5B76 5FEB 42FD 13A5 0BA6 6DDF 11A5 6570 CE07

- -----Original Message-----
From: Loki [mailto:loki@fatelabs.com]
Sent: Monday, April 08, 2002 2:28 PM
To: westphal@secom-consulting.de
Cc: focus-ids@securityfocus.com
Subject: RE: snort: SHELLCODE x86 NOOP

*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0xEC920097
*** Signed: 4/8/2002 2:28:20 PM
*** Verified: 4/8/2002 5:05:23 PM
*** BEGIN PGP VERIFIED MESSAGE ***

x86 NOOP code is not a sign of an SSH attack in particular; it is a
generic alert that the IDS detected 0x90 characters in the payload of
a packet that ingressed or egressed your network, typically referred
to as a NOOP SLIDE. Find the SNORT/<ip> directory and take a look at
the actual packet it logged that triggered the alert.

E.g.
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

Read this following page:
http://www.activeworx.com/arachnids/IDS181/event.html

Eric Hines

==================================================
Eric S. Hines
Chief Technical Officer
E*com Solutions, Inc.
ehines@ecomsolutionsinc.com
- --------------------------------------------------
[w] http://www.ecomsolutionsinc.com
[e] ehines@ecomsolutionsinc.com
[p] (412) 303-3115
- --------------------------------------------------
Corporate Headquarters
400 Travis Street
Suite 408
Shreveport, LA 71101
==================================================

- -----Original Message-----
From: westphal@secom-consulting.de
[mailto:westphal@secom-consulting.de]
Sent: Monday, April 08, 2002 3:36 PM
To: focus-ids@securityfocus.com
Subject: snort: SHELLCODE x86 NOOP

Hello,

Running Snort, I detected the following line in my alert file.

<snip>
 SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} xx.xx.15.8:80 -> xx.xx.197.175:60139
</snip>

Searching on Google, I found a document that described this as an
SSH exploit. Now I'm confused whether this was a real attack or just
misinterpreted traffic because of the destination port.

Can somebody please explain this to me or give me a hint where I can
find more information?

Thanks in advance,

M.Westphal

*** END PGP VERIFIED MESSAGE ***

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQEVAwUBPLIxGG3fEaVlcM4HAQJbGggAp7Ke/r7IIEM/t09RyJuvzjJUPvxtaAbv
REfZBtZiz3dJmcoVkXo8sbEwWD1oOTu/Gc2SnlxyuRCv26AgnatXTSa//8dAzJ0R
w6riETpWW/HH2y2X8ng4EQhXS6LOIV/oePw5aQOmcjU+nC1JNEeOHv7GC0PrFUbI
LoF1s3NhQMO9MxosbwKkBdJOCfXkoCiiEEhihCQ8jFfwiMroFfjZ7vx0rueoCGfG
iuJt/c0Wh6pTwvuQmBDLTlWeFNAZ6NhbRYp/KAG70bJLaHW7ZEbsgDqVYrB0pjUM
2odiFBNkT7ks4VAPpLrwD+rABRSEMhdhn5/mGFYHdFEQpvl16YWkUQ==
=Uu+I
-----END PGP SIGNATURE-----
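Added illustration for the thread above (this is not code from the thread, from any of the posters, or from Snort itself): a minimal re-implementation of what a "SHELLCODE x86 NOOP" style signature actually checks, a Snort-style hex dump like the one Eric quotes, and the facts an analyst pulls from the logged packet before deciding whether the alert is an overflow attempt or ordinary binary content. The minimum run length `MIN_RUN`, the sample addresses and payloads, and the source-port direction heuristic in `triage` are all assumptions constructed for this example; the real rule's exact byte count is not stated on the page.

```python
"""
Re-implementation of a NOOP-slide check in the style of the Snort alert
quoted in the thread, with constructed sample packets. Not Snort's code.
"""
from typing import Optional

NOP = 0x90
# Assumption for this example: how many consecutive 0x90 bytes raise the
# alert. The rule of the period matched a fixed string of 0x90s; the exact
# count is not given in the thread.
MIN_RUN = 14


def longest_nop_run(payload: bytes, nop: int = NOP) -> int:
    """Length of the longest run of consecutive `nop` bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == nop else 0
        best = max(best, run)
    return best


def snort_hexdump(payload: bytes, width: int = 16) -> str:
    """Render a payload the way Snort's packet log does: hex bytes, then a
    printable-ASCII column with '.' for everything else."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexpart} {asc}")
    return "\n".join(lines)


def nop_alert(pkt: dict, min_run: int = MIN_RUN) -> Optional[str]:
    """Alert line in the format quoted in the thread, or None if the payload
    holds no NOP run of at least `min_run` bytes. The check is port-agnostic:
    TCP/80 and UDP/53 are treated exactly alike, which is why the alert is
    generic and why the logged packet must be inspected."""
    if longest_nop_run(pkt["payload"]) < min_run:
        return None
    return ("[**] SHELLCODE x86 NOOP [**] "
            "[Classification: Executable code was detected] [Priority: 1] "
            f"{{{pkt['proto']}}} {pkt['src']}:{pkt['sport']} -> "
            f"{pkt['dst']}:{pkt['dport']}")


def triage(pkt: dict) -> dict:
    """Facts worth reading off the logged packet before calling it an attack.
    Heuristic (assumption): a low source port and a high destination port
    means a server replying to a client, e.g. an HTTP response as in the
    original alert, where binary content (images, downloads) routinely
    contains 0x90 bytes."""
    payload = pkt["payload"]
    run = longest_nop_run(payload)
    direction = ("server->client" if pkt["sport"] < 1024 <= pkt["dport"]
                 else "client->server")
    printable = sum(32 <= b < 127 for b in payload) / max(len(payload), 1)
    return {"nop_run": run, "direction": direction,
            "nop_fraction": run / max(len(payload), 1),
            "printable_fraction": round(printable, 2)}


# Constructed sample traffic (placeholder addresses, not real captures).
# 1) A web server's reply to a client, the shape of the alert in the thread:
#    the fake GIF body happens to contain a run of 0x90 bytes.
HTTP_REPLY = (b"HTTP/1.0 200 OK\r\nContent-Type: image/gif\r\n\r\n"
              b"GIF89a" + bytes([NOP]) * 20 + b"\x00\x3b")
PKT_WEB_REPLY = {"proto": "TCP", "src": "10.0.15.8", "sport": 80,
                 "dst": "10.0.197.175", "dport": 60139, "payload": HTTP_REPLY}

# 2) The case Kevin asks about: a datagram to UDP/53 whose payload is mostly
#    a NOP slide. Only the 0x90 run is modelled, nothing else.
PKT_DNS_SLIDE = {"proto": "UDP", "src": "10.0.0.7", "sport": 33000,
                 "dst": "10.0.0.53", "dport": 53,
                 "payload": b"\x12\x34\x01\x00" + bytes([NOP]) * 64}

# 3) An ordinary DNS query for example.com: no alert.
PKT_DNS_QUERY = {"proto": "UDP", "src": "10.0.0.7", "sport": 33001,
                 "dst": "10.0.0.53", "dport": 53,
                 "payload": (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                             b"\x07example\x03com\x00\x00\x01\x00\x01")}

if __name__ == "__main__":
    for pkt in (PKT_WEB_REPLY, PKT_DNS_SLIDE, PKT_DNS_QUERY):
        alert = nop_alert(pkt)
        if alert is None:
            print(f"no NOOP alert: {pkt['src']}:{pkt['sport']} -> "
                  f"{pkt['dst']}:{pkt['dport']}")
            continue
        print(alert)
        print(snort_hexdump(pkt["payload"]))
        print(triage(pkt))
```

Run as a script, the first two packets produce the same alert text with only the protocol and ports differing, while `triage` separates them: the web reply is server-to-client with a readable HTTP header ahead of the 0x90 run, the UDP/53 datagram is client-to-server with almost nothing but NOPs. That is the difference Eric's advice to look at the logged packet is about; the alert line alone cannot make it.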