Scan of the Month

Scan 10

The scan for December, 2000. This month's challenge was to decode two exploits launched against the same honeypot in the same morning

The Challenge:

Can you name the FTP scanning tool?

What does this FTP exploit achieve? Does it open a port, create a shell, add a user account?

Is the FTP attack successful?

What RPC service is exploited?

Where in the exploit code below does he bind a shell to port 39168?

What two accounts are created, and what are the UID's?

Bonus Question: What is the password of the first account created?

The Results:

On 17 January, Daniel Martin released an excellent writeup on the Ramen worm, which bears a remarkable resemblance to this attack.

Writeups from the Honeynet Project members

Job de Haas
Max Vision

alert TCP $EXTERNAL 10101 -> $INTERNAL any (msg: "IDS439/probe-myscan"; ttl: >220; ack: 0; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS440/ftp-wuftp260-linux-venglin-parbobek"; flags: AP; content: "|2e2e3131|venglin@";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc-statdx-exploit"; flags: AP; content: "/bin|c74604|/sh";)

Writeups from the Security Community