Samba - Buffer Overrun, HP Remote Command Execution, Top 15 Worms, Hosts File, Sasser/Dabber Activity

Published: 2004-07-22. Last Updated: 2004-07-23 16:17:20 UTC
by Deborah Hale (Version: 1)
0 comment(s)
Samba - Security Advisory #2004-014

Multiple Potential Buffer Overruns - The internal routine used by the Samba Web Administration Tool (SWAT v3.0.2 and later) to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character.

http://www.securityfocus.com/archive/1/369700/2004-07-19/2004-07-25/0

HP - Security Advisory
dced Remote Command Execution - A buffer overflow vulnerability was discovered in HP's implementation of the DCE endpoint mapper (epmap) which listens by default on TCP port 135. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands on the targeted system
with the privileges of the DCED process which is typically run as the root user.

http://www.securityfocus.com/archive/1/369697/2004-07-19/2004-07-25/0

Top 15 Worms

One of our Handler's, Pedro Bueno, emailed a list of the top 15 items attempting tftp download from his honeypot. Thanks to Pedro for sharing this list with us.

540 wuamgrd.exe; 291 scvhost.exe; 276 demm386.exe; 264 vsmons.exe; 250 lsac.exe; 174 rundll32a.exe; 159 MSlti16.exe; 97 svcohst.exe; 92 Mcafeescn.exe
50 msnetcfgs.exe; 38 msupdate.exe; 34 sxvhost.exe;34 realplayer32.exe; 29 NAVscan32.exe; 27 sys32cfg.exe
Hosts File

The hosts file is being altered or deleted by some viruses/bots. This file contains the mappings of IP addresses to host names. This file is loaded into memory at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. The file is located in different directories depending on the version of the Windows Operating System you are using.

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC;
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC;
Win 98\ME = C:\WINDOWS

http://www.mvps.org/winhelp2002/hosts.htm

(After making changes to the hosts file, you can force Windows to refresh the name cache by running "ipconfig /flushdns") -JW
Sasser and Dabber Still Quite Active

Port 5554 (sasser)
http://isc.sans.org/port_details.php?port=5554&repax=1&tarax=2&srcax=2&percent=N&days=40

Port 1023 (Sasser alternate FTP port)
http://isc.sans.org/port_details.php?port=1023&repax=1&tarax=2&srcax=2&percent=N&days=40

Port 9898 (dabber)
http://isc.sans.org/port_details.php?port=9898&repax=1&tarax=2&srcax=2&percent=N&days=40

Handler on Duty

Deb Hale

haled@pionet.net
Keywords:
0 comment(s)

Comments


Diary Archives