Thread: Re: possible MS DNS exploit?




Re: possible MS DNS exploit?
2007-04-07 17:02:38
Updated, and split to 2 rules for udp and tcp.

matt

Michael Scheidell wrote:
> More information attacking RPC ports, so it might be 53:  (short for
> 53:65536)
>
> Or, information I have is it's attacking ports 1024:2048, so to be safe:
>
> 53:2048.  (or 53: '-)
>
>> -----Original Message-----
>> From: bleeding-sigs-bouncesbleedingthreats.net
>> [mailto:bleeding-sigs-bouncesbleedingthreats.net] On Behalf
>> Of Matt Jonkman
>> Sent: Saturday, April 07, 2007 8:47 AM
>> To: Bleeding Sigs
>> Subject: Re: [Bleeding-sigs] possible MS DNS exploit?
>>
>> Posted this:
>>
>> # ISC reports a possible active MS DNS exploit. Please report any hits.
>> More info as we get it.
>> alert udp 61.63.0.0/18 any -> $HOME_NET 53 (msg: "BLEEDING-EDGE CURRENT EVENTS Possible Unknown MS DNS exploit - Please report any hits to bleedingbleedingthreats.net"; reference:url,www.dshield.org/diary.html?storyid=2584; classtype:attempted-admin; sid:2003539; rev:1;)
>>
>> Thanks michael!!
>>
>> Matt
>>
>>
>> Michael Scheidell wrote:
>>> Possible sig to start capturing data?
>>>
>>> alert udp 61.63.0.0 any -> $HOME_NET 53: (msg: "possible MS DNS exploit"; reference:url,www.dshield.org/diary.html?storyid=2584; classtype:attempted-admin; threshold:type limit, track by_src, count 60, seconds 60; rev:1;)
>>>
>>> From:
>>>
>>> http://www.dshield.org/diary.html?storyid=2584
>>>
>>> New MS DNS Vulnerability creeping up?
>>> <http://www.dshield.org/diary.html?storyid=2584>
>>> Published: 2007-04-07,
>>> Last Updated: 2007-04-07 05:33:40 UTC
>>> by Tony Carothers (Version: 1)
>>> We are currently investigating a possible exploit with MS, Active
>>> Directory, and DNS.  At this point the information looks solid,
>>> provided initially by Bill O. for review.  Further information has
>>> been provided by Bill, who is working on contacting MS, as things
>>> have progressed.
>>> Looking at the description of the attack method, it looks solid based
>>> on my experience with MS.  If anybody has any scans from the
>>> 61.63.xxx.xxx range, I would be very interested in seeing full captures.
>>> We will keep you posted as things progress.  I will be sending on what
>>> we have discovered as well to MS tomorrow.  It is 0130EST right now in
>>> the US, I will be passing the findings on to the other Handlers for
>>> review and input later this morning.

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Re: possible MS DNS exploit?
2007-04-07 17:06:38
Info from ISC notes a dcom-like exploit. Hoping to get some more payload
info soon....

Matt

Matt Jonkman wrote:
> Updated, and split to 2 rules for udp and tcp.
> 
> matt

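The rule headers traded in this thread differ in what they match: a source of `61.63.0.0` with no mask is a single host, `61.63.0.0/18` covers only part of the `61.63.xxx.xxx` range the ISC diary asks about, and `53:` is an open-ended port range. The Python sketch below is an added example, not code from the list or from Snort; it models only the protocol, source-address and destination-port fields of a header, and the `WIDE` rule, the shortened option bodies and the test packets are constructed for illustration.

```python
import ipaddress

# Headers as posted in the thread; option bodies shortened for this example.
DRAFT = 'alert udp 61.63.0.0 any -> $HOME_NET 53: (msg:"possible MS DNS exploit";)'
POSTED = 'alert udp 61.63.0.0/18 any -> $HOME_NET 53 (msg:"Possible Unknown MS DNS exploit";)'
# Constructed variant (not from the thread): the diary's whole 61.63.xxx.xxx
# range combined with the "to be safe" 53:2048 port range.
WIDE = 'alert udp 61.63.0.0/16 any -> $HOME_NET 53:2048 (msg:"constructed example";)'

# Constructed test traffic: (protocol, source IP, destination port).
PACKETS = [
    ("udp", "61.63.0.0", 53),
    ("udp", "61.63.12.7", 53),
    ("udp", "61.63.200.9", 53),
    ("udp", "61.63.12.7", 1025),
    ("tcp", "61.63.12.7", 1025),
]

def parse_ports(spec):
    """Port field to (low, high): 'any', 'N', 'N:' (N and up), ':M', 'N:M'."""
    if spec == "any":
        return 0, 65535
    if ":" not in spec:
        return int(spec), int(spec)
    low, high = spec.split(":", 1)
    return (int(low) if low else 0), (int(high) if high else 65535)

def parse_header(rule):
    """Return (protocol, source network, destination port range) of a rule."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError("not a unidirectional rule header: %r" % rule)
    # A source address without a mask is one host (/32), not a range.
    return fields[1], ipaddress.ip_network(fields[2]), parse_ports(fields[6])

def matches(rule, proto, src_ip, dst_port):
    """True if the packet satisfies the rule's protocol, source and port fields."""
    r_proto, net, (low, high) = parse_header(rule)
    return (r_proto == proto and ipaddress.ip_address(src_ip) in net
            and low <= dst_port <= high)

def coverage(rule):
    """One boolean per entry in PACKETS, in order."""
    return [matches(rule, *pkt) for pkt in PACKETS]

if __name__ == "__main__":
    for name, rule in (("draft", DRAFT), ("posted", POSTED), ("wide", WIDE)):
        print(name, coverage(rule))
```

None of the three UDP headers matches the TCP packet, which is the gap the split into separate udp and tcp rules addresses.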
