My next class:

Port 10000; ssh brute forcing; yet another bagle?

Published: 2005-06-27. Last Updated: 2005-06-27 21:00:28 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit. This exploit is now available in various easy to use forms, including a Metasploit plug-in.

At this point, we are recommending:

(1) Block traffic to/from port 10000/tcp (note: this may be a bit tricky if you don\'t have a stateful firewall, as port 10000/tcp may be used by various clients as an ephemeral port)

(2) Verify that all your Veritas servers are patched.

(3) Scan your network for overlooked or already exploited Veritas servers.
One reader noted that after a system has been hit with the exploit, it will no longer listen on port 10000, as the service will die. However, it will still listen on port 6101.

Snort Signatures for the exploit as used by Metasploit (from Paul Dokas. Thanks!):


alert tcp $EXTERNAL_NET any -> $HOME_NET 10000
(msg: \"Possible BackupExec Exploit (inbound)\";
content: \"|00 00 03 00 00 02 00 58 58 58|\";
offset: 24; depth: 20; classtype: attempted-admin;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000
(msg: \"Possible BackupExec Exploit (outbound)\";
content: \"|00 00 03 00 00 02 00 58 58 58|\";
offset: 24; depth: 20; classtype: attempted-admin;)


Related URLs:

Veritas Announcement:

http://seer.support.veritas.com/docs/276604.htm

Metasploit:

http://www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm

ssh brute forcing



Nothing fundamentally new. Nathaniel Hall observed a shift of attack sources from Asia to the US. Doesn't look like the nature of the attacks changed. Each source attempted to log in using a few hundred different user names.

Yet another Bagle



Frederick Lambany sent a sample of what looks like a newer Bagle version. Most AV products will catch this one using generic bagle signatures. Given the large number of bagle variants, it is hard to figure out if this one is actually new.
According to Virustotal, McAfee and Symantec are not detecting this sample at this point (will resubmit shortly to see if they have new signatures for it now).

---------

Johannes Ullrich, Chief Research Officer, SANS Inst.

jullrich\'; drop table spamaddr;'@sans.org
Keywords:
0 comment(s)
My next class:

Comments


Diary Archives