[Snort-users] RPC statdx exploit against DNS...
mkettler at ...4108...
Mon Mar 25 13:17:01 EST 2002
Looking at the rule, it will go off for any UDP or TCP packet containing a
particularly odd "/bin/sh" type string.
Thus this is likely a "mislabeling" of an attack on bind (since statdx can
be on any port, this is a content-only rule).
# content and reference options restored from the TCP rule (sid 600) below;
# without them the rule would match every UDP packet
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx";
content: "/bin|c74604|/sh"; reference:arachnids,442;
classtype:attempted-admin; sid:1282; rev:1;)
there's also a TCP version:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx";
flags: A+; content: "/bin|c74604|/sh";reference:arachnids,442;
classtype:attempted-admin; sid:600; rev:1;)
I can see no reason for a tcp or udp packet sent to a DNS server to contain
that string other than an attempted exploit.
At 12:08 PM 3/25/2002 -0700, Nels Lindquist wrote:
>Every once in a while (between one and five times/month) I get a
>snort alert on "RPC EXPLOIT statdx," directed to UDP port 53 on my
>nameserver. Many of these attacks appear to originate from Asia, but
>I suppose a single UDP packet is quite spoofable, so there are no
>My nameserver isn't running any RPC services, and bind is fully
>patched, AFAIK. I haven't been able to find any references which
>would lead me to believe that named is vulnerable to the RPC statdx
>exploit, so I'm awfully curious as to why anyone would be trying to
>launch this exploit against my nameserver.
>Is this alert actually a misidentification of an attack against bind?
>Or are the script kiddies just getting overzealous and trying every
>known exploit against the only open ports on the box?
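As an added example (not code from this thread or from Snort itself), the Python below re-implements the content test of the two statdx rules quoted above and runs it over a few constructed packets. It shows what the reply is getting at: neither rule looks at the destination port or at RPC framing, so a packet to UDP 53 carrying the shellcode bytes fires sid 1282 just as readily as one to statd, while an ordinary DNS query, or a plain "/bin/sh" string without the three opcode bytes, does not. The packet tuples and helper names are assumptions made for the example.

```python
# Added example (not Snort's own code): re-implement the content option of the
# statdx rules (sid 600 tcp, sid 1282 udp) to show why a DNS server trips them.
import binascii

# The content option shared by both rules, in Snort's |hex| notation.
STATDX_CONTENT_SPEC = "/bin|c74604|/sh"


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside |...| is hex (spaces allowed), as in the rule language."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += binascii.unhexlify(chunk.replace(" ", ""))
    return bytes(out)


STATDX_CONTENT = parse_snort_content(STATDX_CONTENT_SPEC)   # b"/bin\xc7\x46\x04/sh"


def statdx_rule_sid(proto: str, tcp_flags: str, payload: bytes):
    """Apply the two rules to one packet. Neither rule checks ports or RPC
    structure: a hit depends only on the payload bytes, plus the ACK bit for
    the TCP rule (flags: A+). Returns the SID that fires, or None."""
    if STATDX_CONTENT not in payload:
        return None
    if proto == "udp":
        return 1282
    if proto == "tcp" and "A" in tcp_flags:   # A+ means ACK set, other bits ignored
        return 600
    return None


# Constructed sample packets (proto, dst port, tcp flags, payload); not captures.
DNS_QUERY = (bytes.fromhex("beef01000001000000000000")          # header, 1 question
             + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")  # www.example.com A IN
STATDX_PAYLOAD = b"\x90" * 8 + STATDX_CONTENT + b"\x00" * 4      # shellcode-like blob
PLAIN_BINSH = b"some text mentioning /bin/sh without the opcode bytes"

SAMPLE_PACKETS = [
    ("udp", 53,  "",   DNS_QUERY),        # ordinary query to the nameserver: no alert
    ("udp", 53,  "",   STATDX_PAYLOAD),   # same port 53, shellcode bytes: sid 1282 fires
    ("udp", 53,  "",   PLAIN_BINSH),      # "/bin/sh" alone is not enough: no alert
    ("tcp", 111, "PA", STATDX_PAYLOAD),   # ACK set, content present: sid 600 fires
    ("tcp", 111, "S",  STATDX_PAYLOAD),   # SYN only fails flags: A+: no alert
]


def run_rules(packets):
    """Return (dst port, sid) for every packet that raises the statdx alert."""
    return [(dport, sid) for proto, dport, flags, payload in packets
            if (sid := statdx_rule_sid(proto, flags, payload)) is not None]


if __name__ == "__main__":
    for dport, sid in run_rules(SAMPLE_PACKETS):
        print("RPC EXPLOIT statdx on dst port %d (sid %d)" % (dport, sid))
```

The second packet is the case from the original question: destination port 53, no RPC anywhere, yet the alert fires because the rule is purely a byte-string match. Checking the alerting packet's payload for RPC headers (or for bind-specific request structure) is what separates a real statd attack from a mislabeled attack on named.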