[Snort-users] DCOM exploit snort signature

jason insidious at ...5190...
Sat Jul 26 23:52:04 EDT 2003


I was amused to see that a perfectly functional linux based DCOM 'sploit
has been available for a few hours now, conveniently drops a command
shell to listen on 4444/TCP ...

The goods are here:


I threw together this signature based upon the shellcode that it fired.
I don't know what kind of false positives it will yield, but it's a

alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM";
content:"|93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF
2E 39 0B D7 3A|"; classtype:shellcode-detect; sid:6666; rev:1;)

Things could get interesting soon...  :(


More information about the Snort-users mailing list