FW: [Snort-sigs] DCom RPC attack response sig
Esler, Joel Contractor
joel.esler at ...783...
Wed Jul 30 06:10:10 EDT 2003
From: Esler, Joel Contractor
Sent: Tuesday, July 29, 2003 10:06 AM
To: 'Michael Anuzis'
Subject: RE: [Snort-sigs] DCom RPC attack response sig
Noticed that the kiddies have already changed the code from 4444 to 3333, so
we might need to do an any any...
From: Michael Anuzis [mailto:michael_anuzis at ...12...]
Sent: Monday, July 28, 2003 10:00 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] DCom RPC attack response sig
Hey, I noticed there were a few posts in the past regarding this new DCom
RPC attack, and some uncertainty was expressed regarding the effectiveness of the
sigs. I haven't checked the old sigs submitted, but I wrote my own sig and
have tested that it works just fine. It simply watches for the hex used to
display the command prompt returning to the hacker connecting on port 4444.
The sig was set up so it would work both on a Windows Snort implementation
on the actual host getting hacked, or in my case detect it also from an
OpenBSD IDS next to it via hub. The sig is as follows:
alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)
Hope this helps for those that were unsure.
Michael Anuzis, CCNA
Network Security Consultant
CTO, Anuzis Networking Inc.
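As an added illustration, not code from this thread or from the Snort project: the content option in the rule above decodes to the ASCII string ":\WINDOWS\syste", which is the middle of the "C:\WINDOWS\system32>" prompt that cmd.exe prints. The Python below decodes Snort's |hex| content syntax, then applies the rule's three conditions (data from the server side, source port, content match) to sample payloads, once locked to port 4444 as posted and once as the "any any" variant the reply suggests. The banner strings, port numbers and the evaluate() helper are constructed for this example and are not from the thread.

```python
"""Added illustration, not code from the Snort-sigs thread: decode the content
string from the posted rule and apply the rule's logic to constructed payloads."""

# The content option exactly as written in the posted rule.
SIG_CONTENT = "|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into bytes.

    Snort lets plain text and |hex hex ...| runs be mixed in one string; the
    chunks between pipe characters are hex byte lists. Escapes such as \\|
    and \\" are not handled here (the posted rule does not use them).
    """
    out = bytearray()
    for index, chunk in enumerate(content.split("|")):
        if index % 2 == 1:
            # odd-numbered chunks sit between a pair of pipes: hex bytes;
            # bytes.fromhex() ignores the spaces between them
            out += bytes.fromhex(chunk)
        else:
            out += chunk.encode("ascii")
    return bytes(out)


SIG_BYTES = snort_content_to_bytes(SIG_CONTENT)  # b':\\WINDOWS\\syste'


def shell_response_seen(src_port, from_server, payload, watch_port=4444):
    """Mirror the rule: match only data flowing from the server side whose
    source port is watch_port (None means 'any', as the reply in the thread
    suggests once the port moved to 3333) and whose payload holds SIG_BYTES."""
    if not from_server:                                     # flow:from_server
        return False
    if watch_port is not None and src_port != watch_port:   # 'tcp any 4444'
        return False
    return SIG_BYTES in payload                             # content match


# Constructed sample payloads (not captured traffic). The first is what a
# cmd.exe bound to a socket prints when it starts on Windows XP; the rule's
# bytes are the middle of its "C:\WINDOWS\system32>" prompt. The second is
# the same shell on a host whose system root is C:\WINNT (the Windows 2000
# default), which the literal path in the rule does not cover.
XP_SHELL_BANNER = (
    b"Microsoft Windows XP [Version 5.1.2600]\r\n"
    b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
    b"C:\\WINDOWS\\system32>"
)
WIN2K_SHELL_BANNER = (
    b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
    b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n"
    b"C:\\WINNT\\system32>"
)
BENIGN_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def evaluate(samples):
    """Run every (label, src_port, from_server, payload) sample through both
    the port-locked rule and the any-port variant; returns {label: (locked, any)}."""
    results = {}
    for label, src_port, from_server, payload in samples:
        locked = shell_response_seen(src_port, from_server, payload, watch_port=4444)
        any_port = shell_response_seen(src_port, from_server, payload, watch_port=None)
        results[label] = (locked, any_port)
    return results


SAMPLES = [
    ("shell on 4444", 4444, True, XP_SHELL_BANNER),
    ("shell moved to 3333", 3333, True, XP_SHELL_BANNER),
    ("same bytes sent by the client", 4444, False, XP_SHELL_BANNER),
    ("shell with WINNT system root", 4444, True, WIN2K_SHELL_BANNER),
    ("ordinary web reply", 80, True, BENIGN_REPLY),
]

if __name__ == "__main__":
    for label, (locked, any_port) in evaluate(SAMPLES).items():
        print(f"{label:32s} port-4444 rule: {locked!s:5} any-port rule: {any_port}")
```

Run it as a script to see the table. The port-locked rule misses the shell once it moves to 3333; the any-port form catches it but will also fire on any server-side data that happens to carry that path (a directory listing inside a web reply, for instance), so expect to triage those hits; and both forms miss a host whose system root is C:\WINNT, because the literal path is part of the match.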