[Snort-users] RPC statdx exploit against DNS...

Matt Kettler mkettler at ...4108...
Mon Mar 25 13:17:01 EST 2002


Looking at the rule, it will go off for any UDP or TCP packet containing a 
particularly odd "/bin/sh" type string.

Thus this is likely a "mislabeling" of an attack on bind (since statdx can 
be on any port, this is a content-only rule).

rpc.rules:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; 
content: "/bin|c74604|/sh";reference:arachnids,442; 
classtype:attempted-admin; sid:1282; rev:1;)

there's also a TCP version:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; 
flags: A+; content: "/bin|c74604|/sh";reference:arachnids,442; 
classtype:attempted-admin; sid:600; rev:1;)

I can see no reason for a tcp or udp packet sent to a DNS server to contain 
that string other than an attempted exploit.


At 12:08 PM 3/25/2002 -0700, Nels Lindquist wrote:
>Hi there.
>
>Every once in a while (between one and five times/month) I get a
>snort alert on "RPC EXPLOIT statdx," directed to UDP port 53 on my
>nameserver.  Many of these attacks appear to originate from Asia, but
>I suppose a single UDP packet is quite spoofable, so there are no
>guarantees.
>
>My nameserver isn't running any RPC services, and bind is fully
>patched, AFAIK.  I haven't been able to find any references which
>would lead me to believe that named is vulnerable to the RPC statdx
>exploit, so I'm awfully curious as to why anyone would be trying to
>launch this exploit against my nameserver.
>
>Is this alert actually a misidentification of an attack against bind?
>Or are the script kiddies just getting overzealous and trying every
>known exploit against the only open ports on the box?
>
>Any ideas?
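To make the point about the rule concrete, here is an added example (not code from either poster or from the Snort project) that reproduces what sid 1282 and sid 600 actually test: a Snort content string with a `|hex|` section is turned into a byte sequence, and that sequence is searched for in the payload with the destination port set to `any`. The rule model, the DNS query builder and the signature-bearing test payload are all constructed for this demo; the second payload is just filler around the rule's own content bytes, not an exploit. Running it shows why a normal DNS query to port 53 never fires, while any datagram carrying those bytes fires on port 53 exactly as it would on port 111.

```python
import struct


def parse_snort_content(pattern: str) -> bytes:
    """Turn a Snort 1.x content string into the bytes the engine searches for.

    Text outside |...| is literal; text inside |...| is hex (spaces allowed).
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes.fromhex(chunk.replace(" ", ""))
    return bytes(out)


# The content field shared by sid 1282 (udp) and sid 600 (tcp) on the page.
STATDX_CONTENT = parse_snort_content("/bin|c74604|/sh")

# Assumed simplified rule model: (proto, dport or None for "any", content, msg).
# Both rules use "$HOME_NET any", so the port slot is None.
RULES = [
    ("udp", None, STATDX_CONTENT, "RPC EXPLOIT statdx"),
    ("tcp", None, STATDX_CONTENT, "RPC EXPLOIT statdx"),
]


def evaluate(proto: str, dport: int, payload: bytes):
    """Return the msg of the first rule that fires for this packet, or None."""
    for rproto, rport, content, msg in RULES:
        if rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if content in payload:          # plain substring search, like a content: match
            return msg
    return None


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS A query: standard header, one question, RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_signature_bearing_payload() -> bytes:
    """Constructed test payload: filler bytes around the rule's content bytes.

    This only exercises the content match; it is not an exploit payload.
    """
    return b"A" * 32 + STATDX_CONTENT + b"B" * 32


if __name__ == "__main__":
    print("content bytes:", STATDX_CONTENT)
    print("DNS query to udp/53    ->", evaluate("udp", 53, build_dns_query("example.com")))
    print("signature to udp/53    ->", evaluate("udp", 53, build_signature_bearing_payload()))
    print("signature to udp/111   ->", evaluate("udp", 111, build_signature_bearing_payload()))
```

The takeaway for triage is in `RULES`: nothing in either rule ties the match to the portmapper or statd ports, so an alert "directed to UDP port 53" says only that the content bytes appeared in a datagram to the nameserver, which is what one would expect from a canned exploit attempt that was not written for bind.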
