
Scan of the Month

Scan 10

The scan for December, 2000. This month's challenge was to decode two exploits launched against the same honeypot in the same morning.

The Challenge:

  1. Can you name the FTP scanning tool?
  2. What does this FTP exploit achieve? Does it open a port, create a shell, add a user account?
  3. Is the FTP attack successful?
  4. What RPC service is exploited?
  5. Where in the exploit code below does the attacker bind a shell to port 39168?
  6. What two accounts are created, and what are their UIDs?

Bonus Question: What is the password of the first account created?

The Results:

On 17 January, Daniel Martin released an excellent writeup on the Ramen worm, which bears a remarkable resemblance to this attack.

Writeups from the Honeynet Project members

Snort signatures, developed by Max Vision, that will detect these scans and attacks:

alert TCP $EXTERNAL 10101 -> $INTERNAL any (msg: "IDS439/probe-myscan"; ttl: >220; ack: 0; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS440/ftp-wuftp260-linux-venglin-parbobek"; flags: AP; content: "|2e2e3131|venglin@";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc-statdx-exploit"; flags: AP; content: "/bin|c74604|/sh";)
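The three rules above state their conditions in Snort's rule language. As an added example (not code from Snort or the Honeynet Project), the same match logic is written out in Python below and run over constructed packets, including a benign FTP login that shares port and flags with the exploit rule but not its content; the packet-as-dict fields (sport, dport, ttl, ack, flags, payload) are an assumed representation.

```python
# Added example: the match conditions of the three Snort rules on this page,
# re-expressed as plain Python so each check can be read and run.

def parse_content(spec):
    """Decode a Snort content string: text between '|' pairs is hex,
    everything else is literal ASCII, e.g. '|2e2e3131|venglin@' -> b'..11venglin@'."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return out

# Content patterns taken verbatim from the IDS440 and IDS442 rules.
FTP_WUFTP_PATTERN = parse_content("|2e2e3131|venglin@")
RPC_STATDX_PATTERN = parse_content("/bin|c74604|/sh")

def flags_exactly(pkt, wanted):
    """Snort 'flags: AP' with no modifier matches only that exact TCP flag set."""
    return set(pkt["flags"]) == set(wanted)

def ids439_probe_myscan(pkt):
    # Source port 10101, TTL above 220, ack number 0, a bare SYN.
    return (pkt["sport"] == 10101 and pkt["ttl"] > 220
            and pkt["ack"] == 0 and flags_exactly(pkt, "S"))

def ids440_ftp_wuftp(pkt):
    # Destination port 21, ACK+PSH, payload carrying the wu-ftpd exploit marker.
    return (pkt["dport"] == 21 and flags_exactly(pkt, "AP")
            and FTP_WUFTP_PATTERN in pkt["payload"])

def ids442_rpc_statdx(pkt):
    # Any port, ACK+PSH, the shellcode bytes sitting between "/bin" and "/sh".
    return flags_exactly(pkt, "AP") and RPC_STATDX_PATTERN in pkt["payload"]

RULES = [("IDS439/probe-myscan", ids439_probe_myscan),
         ("IDS440/ftp-wuftp260-linux-venglin-parbobek", ids440_ftp_wuftp),
         ("IDS442/rpc-statdx-exploit", ids442_rpc_statdx)]

def match_rules(pkt):
    """Return the msg strings of every rule the packet triggers."""
    return [msg for msg, check in RULES if check(pkt)]

# Constructed sample packets (not captured traffic): one per rule, plus a
# benign FTP login that shares port 21 and ACK+PSH but not the content.
SAMPLE_PACKETS = {
    "myscan_syn": dict(sport=10101, dport=21, ttl=250, ack=0, flags="S", payload=b""),
    "wuftp_exploit": dict(sport=40000, dport=21, ttl=64, ack=1, flags="AP",
                          payload=b"\x90\x90..11venglin@\x90\x90"),
    "statdx_exploit": dict(sport=40001, dport=1024, ttl=64, ack=1, flags="AP",
                           payload=b"\x90" * 8 + b"/bin\xc7\x46\x04/sh\x00"),
    "benign_ftp": dict(sport=40002, dport=21, ttl=64, ack=1, flags="AP",
                       payload=b"USER anonymous\r\n"),
}
```

Calling `match_rules()` on each entry of `SAMPLE_PACKETS` yields exactly one alert for the three exploit packets and none for the benign login.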

Writeups from the Security Community
