[Snort-sigs] DCom RPC attack response sig

Michael Anuzis michael_anuzis at ...12...
Tue Jul 29 06:26:12 EDT 2003

Hey; I noticed there were a few posts in the past regarding this new DCom 
RPC attack + some uncertainty was made regarding the effectiveness of the 
sigs. I haven't checked the old sigs submitted, but I wrote my own sig and 
have tested that it works just fine. It simply watches for the hex used to 
display the command prompt returning to the hacker connecting on port 4444. 
The sig was set up so it would work both on a windows-snort implementation 
on the actual host getting hacked, or in my case detect it also from an 
openbsd-IDS next to it via hub.  The sig is as follows:

alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC 
System Shell Exploit Response"; flow:from_server,established; content:"|3a 
5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)

Hope this helps for those that were unsure.


Michael Anuzis, CCNA
Network Security Consultant
CTO, Anuzis Networking Inc.

Protect your PC - get McAfee.com VirusScan Online  

More information about the Snort-sigs mailing list