FW: [Snort-sigs] DCom RPC attack response sig

Esler, Joel Contractor joel.esler at ...783...
Wed Jul 30 06:10:10 EDT 2003

-----Original Message-----
From: Esler, Joel Contractor 
Sent: Tuesday, July 29, 2003 10:06 AM
To: 'Michael Anuzis'
Subject: RE: [Snort-sigs] DCom RPC attack response sig

Noticed that the kiddies have already changed the code from 4444 to 3333, so
we might need to do an any any...


-----Original Message-----
From: Michael Anuzis [mailto:michael_anuzis at ...12...] 
Sent: Monday, July 28, 2003 10:00 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] DCom RPC attack response sig

Hey, I noticed there were a few posts in the past regarding this new DCom 
RPC attack, and some uncertainty was raised regarding the effectiveness of the 
sigs. I haven't checked the old sigs submitted, but I wrote my own sig and 
have tested that it works just fine. It simply watches for the hex used to 
display the command prompt returning to the hacker connecting on port 4444. 
The sig was set up so it would work both on a windows-snort implementation 
on the actual host getting hacked, or in my case detect it also from an 
openbsd-IDS next to it via hub. The sig is as follows:

alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC System Shell Exploit Response"; flow:from_server,established; content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; classtype:successful-admin;)

Hope this helps for those that were unsure.


Michael Anuzis, CCNA
Network Security Consultant
CTO, Anuzis Networking Inc.
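As an added illustration that is not part of either message above, the following Python decodes the rule's |..| hex content (it is the string ":\WINDOWS\syste", i.e. the start of an XP cmd.exe prompt) and checks it against a constructed shell banner, showing that the 4444 source-port restriction misses the 3333 variant Joel mentions while an "any any" version of the same rule still fires on the content alone. The sample banner and the mini rule evaluator are assumptions made for this example, not Snort's own matching engine.

```python
import re

# The rule exactly as posted to the list, and a variant with the source port loosened.
RULE_4444 = ('alert tcp any 4444 -> any any (msg:"ATTACK-RESPONSE successful DCom RPC '
             'System Shell Exploit Response"; flow:from_server,established; '
             'content:"|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"; '
             'classtype:successful-admin;)')
RULE_ANY = RULE_4444.replace("any 4444 ->", "any any ->")

# Constructed sample: what a cmd.exe shell echoes back to the connecting client.
# Not a capture; just the XP banner followed by the prompt the rule keys on.
SAMPLE_BANNER = (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                 b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
                 b"C:\\WINDOWS\\system32>")


def decode_content(pattern):
    """Snort content syntax: literal text outside |...|, space-separated hex inside."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2:                                   # odd chunks are inside |...|
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Return (source port, content bytes) from a one-line Snort rule."""
    header, options = rule.split("(", 1)
    _action, _proto, _src, sport, _arrow, _dst, _dport = header.split()
    content = re.search(r'content:"((?:[^"\\]|\\.)*)"', options).group(1)
    return sport, decode_content(content)


def rule_matches(rule, src_port, payload):
    """Minimal evaluator: the packet's source port must fit the header and the
    content bytes must appear somewhere in the payload (flow state is ignored)."""
    sport, needle = parse_rule(rule)
    port_ok = sport == "any" or int(sport) == src_port
    return port_ok and needle in payload


if __name__ == "__main__":
    print(decode_content("|3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65|"))
    for port in (4444, 3333):
        print(port, rule_matches(RULE_4444, port, SAMPLE_BANNER),
              rule_matches(RULE_ANY, port, SAMPLE_BANNER))
```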
