Port 5000 traffic and snort signature

Published: 2014-03-06
Last Updated: 2014-03-06 15:59:09 UTC
by Mark Baggett (Version: 1)
2 comment(s)

ISC Reader James Lay has captured the mysterious port 5000 traffic and provided us with a copy of the packets and a snort signature.   Thanks James!  Your awesome!

The traffic is scanning TCP port 5000.  After establishing a connection it sends "GET /webman/info.cgi?host='" 

This appears to be a scan for Synology DiskStation Manager installations that are vulnerable to a remote code exection exploit published in October 2013.   There is currently a metasploit module available for the vulnerability.

Thanks to James for the following snort signature.

alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-WEBAPP Synology DiskStation Manager Reflected XSS attempt over UPnP"; flow:to_server,established; content:"/webman/info.cgi|3f|host="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, reference:url,www.scip.ch/en/?vuldb.10255; classtype:attempted-admin; sid:10000130; rev:1;)

Follow me on Twitter: @markbaggett

There are a couple of chances to sign up for SANS Python programming course.  The course starts from the very beginning, assuming you don't know anything about programming or Python.  The course is self paced learning and we cover the essentials before we start building tools you can use in your next security engagement.   You will love it!!    Join me for Python for Penetration testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27.

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers

http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers

 

2 comment(s)
March's OUCH! Newsletter is out! (The End of Windows XP) https://www.securingthehuman.org/ouch

Gems in the ISC Diary Comments

Published: 2014-03-06
Last Updated: 2014-03-06 02:53:28 UTC
by Mark Baggett (Version: 1)
0 comment(s)

Thanks for reading the ISC Diary!  I hope you find useful information in the diary posts.  I, and the other handlers, work hard to try and bring you the latest news as it develops, as well as point out interesting new research that affects our industry and our ability to protect our networks.  BUT don’t stop with the diary.  Quite often the MOST interesting part of the article is in the comments from the readers.  Consider the following:

About a year ago I did a post entitled “What can you do with funky directory names?”   https://isc.sans.edu/forums/diary/Challenge+What+can+you+do+with+funky+directory+names/12958

The post is about creating a “..  “ (Dot Dot Space) directory.  You can even create a funky directory name that will cause windows to generate an error dialog message and go into an error condition.  This is COOL STUFF right?  Well, yeah but not nearly as interesting as the mostly overlooked last comment on the page.  An anonymous ISC reader posted this comment:

“It's also easy to use similar file name tricks to make your malicious binary appear to be Microsoft signed. Name your malware file "svchost.exe " (note trailing space) and put it in the same folder as the legitimate file. Attempted reads of your malicious file will "miss" your file and instead hit the legitimate (and signed) binary. (This is because win32 will auto-remove the trailing space.)

The nice thing about CreateProcess is that it launches the malicious process just fine.”


What does this mean?  Well, if you create a executable on the hard drive that ends with a SPACE and then execute it some interesting things happen.  Applications such as Microsoft Sigcheck, Mandiant Redline, Process hacker and other tools that will check the digital signatures of the processes in the process list check the incorrect file.  The malware is “svchost.exe  “.  But when these tools turn to the hard drive to read the executable digital signature the underlying API trims the trailing space and they read the signature on the real “svchost.exe”.  The result is that those security tools find a legitimate digital signature and incorrectly believe the file  “svchost.exe   “  has been digitally signed by Microsoft.

Matt Graeber (@mattifestation) did a write up on his testing of the issue here http://www.exploit-monday.com/2013/02/WindowsFileConfusion.html

I have found this technique to be useful for fooling Non-Microsoft tools that rely on digital signatures.  So don't stop with the article!  Read the comments from our brilliant readers.   Please TEST your HIPS, Whitelisting applications, Forensics tools and other digital signature based tools using the process outline by Matt Graeber.   Is it vulnerable?   Post a comment (responsible disclosure is encouraged) and other brilliant insights in the comments! 

Follow me on Twitter: @markbaggett

There are a couple of chances to sign up for SANS Python programming course.  The course starts from the very beginning, assuming you don't know anything about programming or Python.  The course is self paced learning and we cover the essentials before we start building tools you can use in your next security engagement.   You will love it!!    Join me for Python for Penetration testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27.

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers

http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers

Keywords:
0 comment(s)
ISC StormCast for Thursday, March 6th 2014 http://isc.sans.edu/podcastdetail.html?id=3879

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives