
Thread: Weird Network Traffic

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    134

    Weird Network Traffic

    I was just wondering if anyone else was noticing this. I got up today, went to school, and noticed that I was getting a bunch of RPC port probes. Now, this is the same type of traffic that Blaster used to put out. While watching my IDS it seemed to be spreading to other hosts on the network at the college and they were probing me also. Has anyone else been seeing traffic like this? I checked my mailing lists and I didn't see any news on a new worm, although I did see some new MS exploits.
    Sysmin Sys73m47ic
    -The Hacker Pimps
    -Development Team {FuxorWRT}
    http://www.AntiOnline.com/sig.php?imageid=563

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    I've been getting those probes every day, almost on schedule, ever since Blaster. So I wouldn't have noticed any new waves of attacks.

    PeacE
    -BoB
    #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
    ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
    Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
    ,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    134
    This is definitely something new and not Blaster, very similar though. I believe it is attacking in a similar style.
    Sysmin Sys73m47ic
    -The Hacker Pimps
    -Development Team {FuxorWRT}
    http://www.AntiOnline.com/sig.php?imageid=563

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    It wouldn't surprise me one bit. I will keep an eye on my logs.

    PeacE
    -BoB
    #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
    ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
    Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
    ,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)

  5. #5
    Senior Member OverdueSpy
    Join Date
    Nov 2002
    Posts
    556
    I see one of two probable answers here. The first being that your school systems were never patched and someone inadvertently/purposely introduced Blaster code into the network, thus the RPCs.

    The second is that an exploit has been developed for the latest M$ exploit released last week. (Somewhere in the 48-50 range) From what I have read of the exploit it is very similar to the RPC exploit in Blaster. That being the case, compiled with the fact that it uses UDP/TCP 138, 139, and 445, it should be quite easy to modify the existing Blaster worm to attack the new exploit. Just a stab in the dark but it would not surprise me.
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Have received similar increased traffic over the last week....

    Thought it was A LOT of unpatched machines on the ISP subnet?

    mlf
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    134
    The school's systems were patched against Blaster and it wasn't just a scanning program doing probing for patches not being applied. I don't know, I guess I will have to wait till I go back. Thanks everyone for posting.
    Sysmin Sys73m47ic
    -The Hacker Pimps
    -Development Team {FuxorWRT}
    http://www.AntiOnline.com/sig.php?imageid=563
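The pattern the thread is describing, one host fanning probes across many RPC/SMB ports (135, 139, 445) and previously probed hosts then starting to probe in turn, is what an IDS operator would want to pull out of firewall or sensor logs. The following is an added example, not code from anyone in the thread: it runs over a constructed log (the timestamps, addresses and line format are assumptions) and flags sweeping sources, then the sweepers that were themselves probed first, which is the host-to-host spread the first post saw.

```python
from collections import defaultdict
from datetime import datetime

# TCP ports hit by Blaster-style RPC/SMB probes (135 for RPC, 139/445 for SMB).
RPC_SMB_PORTS = {135, 139, 445}

# Constructed sample log, firewall style: "<iso-time> <src> <dst> <proto> <dport>".
SAMPLE_LOG = "\n".join(
    [f"2003-09-11T08:00:0{i} 10.1.2.3 10.1.2.1{i} tcp 135" for i in range(5)]    # sweep from .3
    + [f"2003-09-11T08:05:0{i} 10.1.2.12 10.1.2.2{i} tcp 445" for i in range(5)]  # .12 probed, then sweeps
    + ["2003-09-11T08:02:00 10.1.2.50 10.1.2.10 tcp 445",                          # ordinary file-share use
       "2003-09-11T08:02:30 10.1.2.50 10.1.2.10 tcp 445",
       "2003-09-11T08:03:00 10.1.2.60 10.1.2.13 tcp 80"])                          # not an RPC/SMB port

def parse_events(log_text):
    """Return time-sorted (time, src, dst) tuples for every RPC/SMB probe in the log."""
    events = []
    for line in filter(None, log_text.splitlines()):
        ts, src, dst, _proto, dport = line.split()
        if int(dport) in RPC_SMB_PORTS:
            events.append((datetime.fromisoformat(ts), src, dst))
    return sorted(events)

def find_sweepers(log_text, min_targets=5, window_seconds=60):
    """Sources that probe >= min_targets distinct hosts on RPC/SMB ports inside one
    window. A workstation using a file share hits one server; a sweep hits many."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_events(log_text):
        by_src[src].append((ts, dst))
    sweepers = {}
    for src, hits in by_src.items():
        for i, (t0, _) in enumerate(hits):       # slide the window over time-sorted hits
            targets = {d for t, d in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                sweepers[src] = targets
                break
    return sweepers

def find_propagation(log_text, sweepers):
    """Sweepers that were probed by another sweeper before they started scanning:
    the 'spreading to other hosts' pattern, i.e. likely newly infected machines."""
    events = parse_events(log_text)
    first_sweep = {}
    for ts, src, _ in events:
        if src in sweepers:
            first_sweep.setdefault(src, ts)        # events are time-sorted, so first wins
    return sorted(h for h, t0 in first_sweep.items()
                  if any(t < t0 and s in sweepers and d == h for t, s, d in events))
```

Feed real log lines in the same five-field layout to `find_sweepers` and pass its result to `find_propagation`; hosts the second call returns are the ones to pull off the network and patch first.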
