Re: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser

2004-05-05 Thread Thomas Springer
RTFM - the 4-digit number mentioned is random. Maybe it'll help to 
expand your script to try  combinations or scan 10.000 infected 
hosts. It shouldn't be much of a problem to find them - we still 
experience 50 different sasser-ips per second hammering our firewall.

tom

RandallM wrote:

|-ftp_commands--
|open infected m/c IP 5554
|anonymous
|user
|bin
|get 7584_up.exe
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser

2004-05-05 Thread Jordan Wiens
It's random, but doesn't matter what it is.  So it'll work with any
number; 7584 sounds just as good as any other 4 digit number.  His script
is meant to download from sasser, and it will, just fine.

If the script was using that as a pattern to match on in some sort of ids
then, yes, it wouldn't be very effective, but that's not what it's trying
to do.

-- 
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Wed, 5 May 2004, Thomas Springer wrote:

> RTFM - the 4-digit number mentioned is random. Maybe it'll help to
> expand your script to try  combinations or scan 10.000 infected
> hosts. It shouldn't be much of a problem to find them - we still
> experience 50 different sasser-ips per second hammering our firewall.
>
> tom
>
> RandallM wrote:
>
>  |-ftp_commands--
>  |open infected m/c IP 5554
>  |anonymous
>  |user
>  |bin
>  |get 7584_up.exe





[Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser

2004-05-04 Thread RandallM

Hot damn, can't wait to get to work and try this on our network!


|--__--__--
|
|Message: 19
|From: Shashank Rai [EMAIL PROTECTED]
|Reply-To: [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Organization: Etisalat NIS
|Date: Tue, 04 May 2004 11:40:12 +0400
|Subject: [Full-Disclosure] Catching Sasser
|
|Hi all,
|for people who did not have the privilege of getting infected with
|sasser ;) because of firewall/AV/patch, or who are smart enough to use
|Linux (like me - hey now, no flame war on this *please*), here is a
|simple way to catch sasser:
|
|Step 1:Scanning for infected machines (from a Linux box):
|-
|Get doscan from:http://www.enyo.de/fw/software/doscan/
|
|compile n run:
|# doscan -A 50 -b 512 -c 100 -i -p 5554 -P tcp -r 200 OK$ -v IP RANGE
|
|This will give you list of infected machines.
|
|Step Two: Getting the virus
|---
|Copy the following set of commands into a file (or type them from ftp
|prompt):
|-ftp_commands--
|open infected m/c IP 5554
|anonymous
|user
|bin
|get 7584_up.exe
|bye
|--
|then from cmd prompt of your *windows* machine, run:
|
|c:\ftp -s:ftp_commands
|
|This will fetch you a copy of the virus as 7584_up.exe.
|The ftp_commands file actually logs into the ftp server of sasser on port
|5554 of the infected machine with username anonymous and password
|user, and then issues a PORT command to download the virus.
|
|
|PS: USE THIS SET OF INSTRUCTIONS AT YOUR OWN RISK. BY EXECUTING THE
|DOWNLOADED FILE YOU WILL INFECT YOUR SYSTEM.
|
|In case you are running any AV with real-time protection features, it
|should immediately detect the virus!!!
|
|cheers,
|--
|Shashank Rai
|
|Network and Information Security Team,
|Emirates Telecommunication Corporation,
|Abu Dhabi, U.A.E.
|Ph: +971-2-6182523   Office
|+971-50-6670648  Cell
|GPG key:
|http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5
|
|

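The thread makes two detection points: Shashank's step 1 finds infected hosts by scanning TCP 5554 for a response ending in "200 OK", and Jordan's reply notes that the four digits in 7584_up.exe are random, so a fixed "7584" string is useless as an IDS pattern while the shape NNNN_up.exe is not. The following Python is an added example, not code from the thread or from any of the posters: it counts distinct source IPs per second hitting port 5554 in a firewall log (the "50 different sasser-ips per second" observation), checks a banner against the same "200 OK$" pattern the doscan command uses, and matches RETR commands against the digit pattern rather than one fixed number. The firewall log format and all log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (made up for this example, not from the thread).
# Assumed format: "<date> <time> <action> TCP <src_ip>:<sport> -> <dst_ip>:<dport>"
FIREWALL_LOG = """\
2004-05-05 10:00:01 DENY TCP 10.0.0.12:1035 -> 192.0.2.10:5554
2004-05-05 10:00:01 DENY TCP 10.0.0.77:1142 -> 192.0.2.10:5554
2004-05-05 10:00:01 DENY TCP 10.0.0.12:1036 -> 192.0.2.10:5554
2004-05-05 10:00:01 ALLOW TCP 10.0.0.5:1200 -> 192.0.2.10:80
2004-05-05 10:00:02 DENY TCP 10.0.0.91:1201 -> 192.0.2.10:5554
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Sasser's FTP server listens on TCP 5554; the post's doscan filter (-r "200 OK$")
# matches a response line ending in "200 OK".
SASSER_FTP_PORT = 5554
BANNER_RE = re.compile(r"200 OK$")

# The dropper name is <four random digits>_up.exe, so match the shape, not "7584".
FILENAME_RE = re.compile(r"^\d{4}_up\.exe$", re.IGNORECASE)
RETR_RE = re.compile(r"^RETR\s+(\S+)\s*$", re.IGNORECASE)


def sources_per_second(log_text, port=SASSER_FTP_PORT):
    """Distinct source IPs per timestamp that connected to the Sasser FTP port.

    Returns {timestamp: sorted list of source IPs}. Lines that do not parse
    or that target another port are ignored, so a host is counted once per
    second no matter how many times it retried.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and int(m.group("dport")) == port:
            hits[m.group("ts")].add(m.group("src"))
    return {ts: sorted(ips) for ts, ips in hits.items()}


def looks_like_sasser_banner(response_line):
    """True if an FTP response line matches the "200 OK$" pattern the post scans for."""
    return BANNER_RE.search(response_line.rstrip("\r\n")) is not None


def is_sasser_dropper_name(filename):
    """True for any NNNN_up.exe, whatever the four digits happen to be."""
    return FILENAME_RE.match(filename) is not None


def flag_retr_commands(ftp_command_lines):
    """Return the filenames of RETR commands that request a Sasser-style dropper."""
    flagged = []
    for line in ftp_command_lines:
        m = RETR_RE.match(line.strip())
        if m and is_sasser_dropper_name(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    # Two distinct sources in the first second (10.0.0.12 retried), one in the next.
    print(sources_per_second(FIREWALL_LOG))
    # "1234_up.exe" is caught too; a fixed "7584" pattern would have missed it.
    print(flag_retr_commands(["RETR 7584_up.exe", "RETR 1234_up.exe", "RETR readme.txt"]))
```

The per-second count uses a set per timestamp, so a single infected host retrying the same target is not inflated into many "different sasser-ips"; the filename check is what an IDS rule should key on if it wants to catch every variant of the random prefix rather than the one number seen in a single capture.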