[Snort-sigs] yppasswd exploit

Nathan W. Labadie ab0781 at ...334...
Wed Feb 6 06:09:45 EST 2002


No legitimate traffic at all. The only yppasswd traffic I've been seeing 
is the exploit... it's an older one, but it seems to be gaining 
popularity as of late. I'm guessing it's this one:

http://www.securityfocus.com/bid/2763

On Tuesday 05 February 2002 10:01 pm, Chris Green wrote:
> "Nathan W. Labadie" <ab0781 at ...334...> writes:
> > I've attached a tcpdump of the yppasswd exploit that I've been
> > seeing lately. Currently snort detects it as "SHELLCODE sparc
> > NOOP", usually after "RPC portmap request yppasswd". All of the
> > yppasswd exploits I've seen lately have been identical. It'd be
> > much appreciated if someone could code a rule from this. Can't be
> > based on dst port either... the service (I believe) runs on random
> > ports < 1024.
> >
> > Thanks,
> > Nate
>
> Do you have any legit yppasswd traffic? If it's a wee bit sensitive,
> feel free to send to me directly and I'll try to write a rule for it
> but getting anything better than the noops stuff will be difficult
> without seeing more of the traffic

-- 
Nathan W. Labadie       | ab0781 at ...334...	
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu
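
The thread notes that a rule cannot key on a fixed destination port because the service sits on a dynamically assigned one. The following is an added example, not part of the original messages: a sketch that learns the assigned port by pairing portmap GETPORT calls for yppasswdd (ONC RPC program 100009) with their replies. It assumes portmap over UDP (no TCP record marking); the function names and sample packets are constructed for illustration.

```python
import struct

PMAP_PROG, PMAP_GETPORT = 100000, 3
YPPASSWD_PROG = 100009  # yppasswdd's ONC RPC program number
# Constructed sample: AUTH_NULL GETPORT call for program 100009, and a reply giving port 795.
SAMPLE_CALL = struct.pack(">14I", 0x1234, 0, 2, PMAP_PROG, 2, PMAP_GETPORT,
                          0, 0, 0, 0, YPPASSWD_PROG, 1, 17, 0)
SAMPLE_REPLY = struct.pack(">7I", 0x1234, 1, 0, 0, 0, 0, 795)

def _skip_auth(buf, off):
    """Skip one opaque_auth (flavor, length, body padded to 4 bytes)."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    return off + 8 + ((length + 3) & ~3)

def parse_getport_call(payload):
    """Return (xid, requested_program) for a portmap GETPORT call, else None."""
    try:
        xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, 0)
        if (mtype, rpcvers, prog, proc) != (0, 2, PMAP_PROG, PMAP_GETPORT):
            return None
        off = _skip_auth(payload, _skip_auth(payload, 24))  # credential, then verifier
        wanted_prog, _v, _proto, _port = struct.unpack_from(">4I", payload, off)
        return xid, wanted_prog
    except struct.error:  # truncated or malformed packet
        return None

def parse_getport_reply(payload):
    """Return (xid, port) for an accepted, successful RPC reply, else None."""
    try:
        xid, mtype, reply_stat = struct.unpack_from(">3I", payload, 0)
        if (mtype, reply_stat) != (1, 0):
            return None
        off = _skip_auth(payload, 12)  # verifier
        accept_stat, port = struct.unpack_from(">II", payload, off)
        return (xid, port) if accept_stat == 0 else None
    except struct.error:
        return None

def learn_yppasswd_ports(packets):
    """packets: (src, dst, udp_payload) tuples seen on port 111; returns {server: port}."""
    pending, learned = set(), {}
    for src, dst, payload in packets:
        call = parse_getport_call(payload)
        if call and call[1] == YPPASSWD_PROG:
            pending.add((src, dst, call[0]))  # remember client, server, xid
            continue
        reply = parse_getport_reply(payload)
        if reply and (dst, src, reply[0]) in pending and reply[1]:  # port 0 = not registered
            learned[src] = reply[1]
    return learned
```

The returned server-to-port map can be used to scope payload inspection to the port yppasswdd actually holds on each host, and the lookups themselves identify which clients asked for the service.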




